A Global Trend In Local Government

Transcription

1 Enterprise Risk Management A Global Trend In Local Government By James J. Kline and Greg Hutchins

2 Risks prevent an organization from achieving its goals. Organizations benefit when management successfully identifies risks and takes steps to lessen their negative impact, and enterprise risk management (ERM) methodology makes it easier to identify and mitigate risk. ERM integrates well with other management techniques and helps organizations recognize ways to improve service and increase revenue. ERM, which was developed in the private sector, is now being used in the public sector. The U.S. federal government mandates the use of ERM, as do the states of Tennessee and Washington. Local governments in the United Kingdom and South Africa also require ERM. Around the world, many other local governments have an ERM policy, but the United States has been slower to adopt ERM than its global counterparts. This article discusses the core ERM methodology and how local governments around the world are applying it. GLOBAL AND LOCAL REACH A review of local government websites provides a rough assessment of ERM s reach into the public sector (see Exhibit 1). The United Kingdom requires local governments to perform risk assessment, an aspect of ERM, as part of its Best Value practice. Local governments in the United States lag in ERM usage: Of 132 local governments reviewed, only three (2 percent) use some aspect of ERM. The City of Houston, Texas, has an ERM policy, and in Carson City, Nevada, and Modesto, California, ERM studies are underway. Only two states, Exhibit 1: ERM in Local Governments Country Number of Percentage of Websites Reviewed Local Governments with an ERM Policy Australia 77 33% New Zealand 15 33% Canada 79 17% United States 132 2% Tennessee and Washington, require the use of ERM. At the international level, South Africa mandates ERM. In the United States, federal departments were required to implement ERM by October 2017, according to Circular A-123 issued by the Office of Management and Budget (OMB). THE ERM METHODOLOGY ERM integrates well with other management techniques and helps organizations recognize ways to improve service and increase revenue. The OMB has identified three major ERM methodologies: n Orange Book: Management of Risk Principles and Concepts, by the Enterprise Risk Management Initiative (erm.ncsu.edu) n Committee for Sponsoring Organizations of the Treadway Commission (COSO, at coso.org) n International Organization for Standardization (ISO 31000, at iso.org) The United Kingdom uses Orange Book. The private sector uses COSO, and South Africa requires its use. ISO is the international standard that is used by local governments in Australia, Canada, and New Zealand. All three ERM methodologies follow the same basic steps: n Establish Context. Identify stakeholders, risk owners, and the risk-creating elements in the environment. n Identify the Risk. Identify the threats to operational and strategic goals by evaluating available data, interviews, experience, and other inputs. n Assess the Risk. Determine the severity of each risk s impact by asking, How likely is the risk, and what is its potential effect? n Prioritize the Risk. Create a risk register by first listing the risks in order of severity of impact and then prioritizing the risks for potential treatment. n Treat the Risk. Decide how to respond to each prioritized risk: accept, mitigate, share, or transfer. n Monitor. Continually review the risk register to determine if risks must be added or deleted, or if the treatment should be changed. Exhibit 2 shows the relationship between the basic steps of the COSO methodology (listed in the left column) and other December 2017 Government Finance Review 29

3 Exhibit 2: The Relationship between COSO and Other Approaches COSO Process Inputs Types of Approaches Outputs Risk Identification n Strategy and objectives n Data tracking n Risk universe n Risk appetite and acceptable n Interviews variation in performance n Facilitated workshops n Questionnaires/surveys n Process analysis n Leading indicators Assessment n Risk universe n Probabilistic modeling n Risk assessment results n Risk severity measures n Non-probabilistic modeling (sensitivity analysis) n Judgmental evaluation n Benchmarking n Heat map Prioritizing Risk n Prioritized risk assessment results n Judgmental evaluations n Prioritized risk n Prioritization criteria n Quantitative scoring methods assessment results Responding to Risk n Prioritized risk assessment results n Risk profile templates n Develop risk response or pro forma risk profiles n Residual risk n Cost-benefit analysis assessment results Developing a Portfolio View n Residual risk assessment results n Judgmental evaluations n Portfolio view of risk n Quantitative scoring methods Monitoring Performance n Residual risk assessment results n Dashboards n Corrective actions n Performance reports Source: Figure 8.1 COSO June 2016 Public Exposure risk assessment approaches. Many of these techniques will be new to both finance and accounting professionals. ISO s risk assessment manual (ISO 31010) lists 31 similar methods, and seven of these are common quality improvement techniques. Other approaches include environment risk assessment, structured interviews, business impact analysis, and the Consequence-Probability Matrix. THE RISK REGISTER The risk register is a key product of the ERM methodology. It lists the identified risks by severity and provides information that helps the user develop an operational and strategic plan. Exhibit 3 provides an example based on a risk register created by the Eden Municipal District Fire Department of South Africa. The risk register is a key product of the ERM methodology. It lists the identified risks by severity and provides information that helps the user develop an operational and strategic plan. THE MANAGEMENT PROCESS AND ERM The standalone ERM methodology is just one part of the management toolkit. The City of Oshawa, Ontario, provides a good example of how different tools can be used together. Oshawa uses a core service review and a continuous improvement framework, which includes Lean initiatives, internal audits, service reviews, and risk management. Exhibit 4 shows the four continuous improvement framework tools and how they work together, in relationship to the city s strategic direction and the annual departmental budgets. Each tool fulfills a different purpose: n The core service review helps determine which services (and level of services) the city can and should 30 Government Finance Review December 2017

4 Exhibit 3: A Risk Register Risk Type Risk Category Risk Level Cause of Risk (Root Cause) Impact Strategic Skills and Capacity High Shortage of staff Catastrophic Operational Service Delivery High Shortage of funds to attend forums, Catastrophic where best practice models are discussed (internal and external political interference) Strategic Governance High Lack of strategic leadership Catastrophic Operational Governance Extreme Lack of skills development and training Catastrophic Operational Compliance Extreme Lack of internal coordination Catastrophic (shortage of budget, capacity, and tools) Source: Eden Municipal District Fire Department Risk Register, South Africa provide. It includes two categories: mandated/legislated and discretionary. n Lean initiatives are used to continually improve customer service and decrease waste and costs. n Internal audits provide assurance that the city s processes, governance, and risk management are consistent with prescribed practices. They are also used to evaluate specific operations. n Service reviews, which are less formal than Lean initiatives, also seek to increase efficiency, reduce costs, and improve customer service. n Risk management provides a planned and consistent approach to identifying and reducing the impact of risks. Oshawa s Lean initiatives program demonstrates the impact of the continuous improvement framework, improving customer service and operational efficiency. For example, a Exhibit 4: Continuous Improvement Framework Tools in Relationship with a City s Strategic Direction and Annual Budget Strategic Direction There is corporate alignment with the strategic direction found in the Oshawa strategic plan and the financial strategy. Lean Initiatives Processes are streamlined, redundancies eliminated, and new opportunities identified while tapping into front-line knowledge and experience. Service Reviews Attention is given to what services the city provides and how they are provided, while respecting the role of government, public interest, affordability, and value for money. Leadership Competencies Internal Audit The city s auditing firm, in cooperation with city staff, undertakes evidence-based research to ensure efficient and effective service delivery, accountability, and consistent and clear policy direction. Risk Management A clearly defined corporate risk management policy and procedure helps the corporate leadership team and departments proactively identify, assess, and manage risk. Annual Department Business Plans and Budget Process Strategic direction and identified opportunities inform the annual budget process and are implemented by the departments. Source: City Core Service Review and the City s Continuous Improvement Framework, the City of Oshawa, Ontario. December 2017 Government Finance Review 31

5 Exhibit 5: The Impact of the Continuous Improvement Framework Criteria Core Service Review Lean Initiatives Internal Audit Service Reviews Risk Management Frequency Infrequent Ongoing Ongoing Ongoing Ongoing (1 in 10 years) Categorizes High High High High Low Services Engages Low High High High Medium Front-Line Staff Evidence-Based Medium High High High Medium Accountability Medium High High High High Focus on Efficiency Medium High High High High and Effectiveness Focus on Medium High High High Medium Innovation Reduces Risk Low High High High High Exposure Success Rate Low High High High High Source: City of Oshawa Core Service Review and the City s Continuous Improvement Framework finance department project reduced the processing time for contracted waste services payments, and a Human Resources project streamlined the recruitment process. Evaluating and refining the planning applications approval process resulted in shorter approval times and improved customer relations. Annual budgets incorporate these efficiency improvements, and strategic decisions are based on the prioritization. The city completed 32 initiatives between 2014 and 2017, and now has 14 underway and 9 planned. Exhibit 5 shows these activities categorized by operational criteria. Core services review is done once every 10 years, and the other activities are ongoing. All activities, with the exception of risk management, provide a high level of service assessment (i.e., evaluation). Risk management, however, reduces risk exposure and increases success rates, efficiency and effectiveness, and accountability at high levels. COST AND BENEFIT OF ERM Even though ERM is a defined methodology that complements other management practices, cost versus benefit remains a common concern. Below, we will look at two examples of the benefits of risk mitigation. The City of Windsor, Ontario, evaluated the benefits of ERM by forecasting risk events, while the Electric Power Board of Chattanooga, Tennessee, demonstrated the real financial benefits of avoiding risk. City of Windsor. In 2014, the city conducted an ERM cost benefit study after the auditor recommended adopting the methodology. Exhibit 6 shows the aggregate cost breakdown. 32 Government Finance Review December 2017

6 Exhibit 6: Aggregate Breakdown of ERM Cost Benefit Study Estimated Costs One-Time Annual Development Phase Staff Time $51,780 Consulting time for $24,603 training and assistance Operational Phase Staffing, software, etc. $43,347 Total Cost $76,383 $43,347 Source: City of Windsor Cost Benefit Analysis of Enterprise Risk Management The city evaluated the ERM development costs, which included consultant fees and staff time, and determined that cash carryover from the previous year could pay for the consultant costs ($24,603). Because ERM benefitted the whole organization, management approved a shift of staff time ($51,780). Electric Power Board of Chattanooga. The Electric Power Board (EPB) of Chattanooga actually saved money by avoiding risk. EPB upgraded its system after Volkswagen proposed building a plant in the Chattanooga area, but was concerned about frequent power outages caused by tornados. EPB wanted to help ensure the plant s development, so the agency agreed to upgrade to fiber optics and include automated switching to reduce the chances of power outages. Automated switching for one storm in 2012 saved more $1 million in overtime costs. The system upgrade also included automatic meter reading, which provided an annual saving of $1.6 million, and high speed Internet, which significantly increased the revenue stream. By mitigating the risk of power outages caused by tornados, EPB enhanced the efficiency of its system, saved money, and increased revenue. CONCLUSIONS The basic elements of ERM are well defined, although various models exist. ERM integrates well with other management techniques to provide value to an organization. The ERM process of risk identification and mitigation can reduce the adverse impact of risk events and also help identify additional ways to improve service and enhance revenue. y The city evaluated the feasibility of ERM by considering the operational costs and identifying the potential financial consequences of risk events. The operational cost was estimated at $43,347. The cost of risk events fell into three categories: high (more than $500,000), medium ($25,000 to $500,000), and low (less than $25,000). In order for ERM to be beneficial, the city determined that it would have to identify and avoid one high risk every 10 years, one medium risk every five years, and two low risks every year. After comparing actual past risk events to the potential for avoiding risk events with ERM, the city decided to adopt ERM. The standalone ERM methodology is just one part of the management toolkit; different tools can be used together. One city, for example, uses a core service review and a continuous improvement framework, which includes Lean initiatives, internal audits, service reviews, and risk management. JAMES J. KLINE is a senior member of the American Society for Quality, a Six Sigma green belt, a manager of quality/organizational excellence, and a certified enterprise risk manager. He has more than ten years of supervisory and managerial experience in both the public and private sector and has consulted on economic, quality, and workforce development issues for state and local governments. He can be reached at jeffreyk12011@ live.com. GREG HUTCHINS is the chief executive officer of QualityPlusEngineering, a quality and risk consulting firm, and cofounder of the CERMAcademy, which publishes Risk Insights, a risk e-magazine, and provides enterprise risk management training and certification. He has conducted quality and risk studies for Fortune 500 companies, the State of Oregon and the Federal Aviation Administration. He has written a number of books, including Value Added Auditing, ISO: Risk Based Thinking, and ISO 31000: Enterprise Risk Management. He can be reached at gregh@qualityplusengineering.com. December 2017 Government Finance Review 33