Best Practices in ENTERPRISE RISK MANAGEMENT [ Managing Risks Holistically ]
INTRODUCTIONS MODERATOR: Bob Lipps, JD, CPA PANELISTS: Ron Wilcox Abel Pomar Karen Gordon, Esq.
THE EVOLUTION OF RISK
Traditional definitions: RISK The possibility that something bad or unpleasant will happen. [ Merriam-Webster ] Minimizing the adverse effects of accidental losses. [ The Institutes ]
Broadened definitions: RISK The effect of uncertainty on objectives. [ ISO 31000 ] Coordinated activities to direct and control an organization with regard to risk. [ ISO 31000 ]
TRADITIONAL RISK MANAGEMENT APPROACH
THE NEW VIEW OF RISK RISK can be a threat or an opportunity. Risk = Any uncertainty that can harm, prevent, delay, or enhance an organization s ability to achieve objectives.
Risk Treatment Strategies RISK Avoid Mitigate Transfer Retain/Accept Exploit
T H E C H A N G I N G F O C U S O F R I S K M A N A G E M E N T T R A N S A C T I O N A L Historic Risk Management Insurance Specific hazards No compliance input Separate safety & emergency management Silo approach Risk Manager = insurance buyer I N T E G R A T E D Advanced Risk Management Alternative risk transfer techniques Proactive prevention & risk reduction Integrated approach to claims, contracts, insurance, etc. Increased education & accountability Collaboration across departments Risk Manager may be the risk owner S T R A T E G I C Enterprise-Wide Risk Management Broad range of risks analyzed Combination of risk mitigation and opportunities ERM alignment with strategy Helps manage growth, allocate capital & resources Risks owned by SME s Greater availability of risk mitigation and analytical tools Risk Manager = risk moderator, partner, leader; not the owner of every risk Risk is bad focus is on transferring risk Risk is an expense focus is on reducing cost-of-risk Risk is uncertainty focus is on optimizing risk to achieve goals
WHAT IS ENTERPRISE RISK MANAGEMENT (ERM)? The Risk and Insurance Management Society defines ERM as: A strategic business discipline that supports the achievement of an organization s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
ENTERPRISE RISK MANAGEMENT (ERM) Types of Questions to Ask What would cause us to be unable to achieve our objectives or allow us to operate according to our values? Describe a scenario of what could go wrong and how we would respond today? What controls are currently in place? What should be done better? What risks should we consider over the next 12-18 months? What risks will be important for our sustainability ten years from now? How severe can the risk be and what is the likelihood of it occurring? What are the consequences to your organization if the risk occurs? What are the early warning signs that the risk may occur?
A HOLISTIC APPROACH TO MULTIFACETED RISKS, ERM Arms leaders with consolidated information to improve decision-making. Organizes risk information from across the organization. Involves creating a culture of risk management and risk ownership. Recognizes that one person alone cannot own every risk.
WHAT DOES ERM DO? In a nutshell, ERM is a process that: Identifies Evaluates Mitigates Assigns risk ownership and accountability Monitors risk mitigation strategies Reports to leadership potential and emerging risks to the organization and promotes a culture of risk awareness.
Scan Organizational Environment Enterprise Risk Management Framework and Process Model Top Leadership, Risk Appetite, & Accountability Monitor Risks; Assure Compliance & Continued Alignment with ABS Objectives. Revisit Mitigation Strategy, if needed [with legal & SLT] [Risk management w/ internal audit] Identify Risks & Risk Owners [w/ Business Managers] Align and Embed in Culture Mitigate or Eliminate Risks [w/ Business Managers & Others] Analyze Risks [w/ Business Operations & Risk Management/Legal] SWOT Analysis = Framework = Process = Recurring process Communications & Reporting to Stakeholders & Top Management Audit When Critical Risks Identified Resource Allocation
Governance Corporate Strategy C-Suite Examples of how Organizational Operations Relate to Enterprise Risk Management (ERM) Compliance Legal Finance Internal Audit Strategic Planning Corporate Strategy C-Suite Managers ERM Business Operations Managers Staff Performance Management HR Managers Staff Internal Control C-Suite Internal Audit Legal Risk Management Legal Internal Audit Process Management C-Suite Managers
ROLE OF THE ENTERPRISE RISK MANAGER OR CHIEF RISK OFFICER (CRO) To create a risk aware culture; To ensure ERM activities are aligned with mission objectives; To bring consideration of risk into strategic decision-making; To develop a center of excellence for managing risk, drawing on the expertise of SME s, who, in turn, are similar to risk managers for their unique areas; To facilitate and coordinate holistic risk management; To communicate clearly to stakeholders; and To be advisor and partner to other executives and managers.
WHY IS ENTERPRISE RISK MANAGEMENT IMPORTANT? 1. All organizations exist to achieve their objectives. 2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve them. 3. The effect this uncertainty has on an organization s goals is risk.
WHY IS ENTERPRISE RISK MANAGEMENT IMPORTANT? 1. All organizations exist to achieve their objectives. 2. Many internal and external factors affect those objectives, 3. The effect this uncertainty has In summary, the holistic management of risk is on an organization s central to the success causing of all organizations. goals is risk. uncertainty about whether the organization will achieve them.
THREE LEVELS OF ERM IMPACT Strategic Operational Decision- Making
ERM IMPLEMENTATION PROCESS Design ERM Framework. Equip ERM Committee. Perform Initial Assessment. Assign Ownership. Develop Treatment Plans. Plan Data and Workflow Management. Set Procedures for Strategy & Decisions. Develop Reporting & Accountability.
ENTERPRISE RISK MANAGEMENT (ERM) Phase I Phase II Phase III Phase IV Advance Preparation Risk Identification / Assessment Process Data Analysis Risk Drill-Down
ENTERPRISE RISK MANAGEMENT (ERM) Phase I Phase II Phase III Phase IV Advance Preparation Risk Identification / Assessment Process Data Analysis Risk Drill-Down Develop initial risk profile with help from a professional Prepare a risk survey questionnaire Compile information from the questionnaire Prepare additional information as required
ENTERPRISE RISK MANAGEMENT (ERM) Phase I Phase II Phase III Phase IV Advance Preparation Risk Identification / Assessment Process Data Analysis Risk Drill-Down Identify key risks Prioritize risks Rate likelihood of severity for top risks Assess current risk management controls for key risks Discuss aggravating and mitigating risk factors Identify risk owners Develop potential action plan
RISK IDENTIFICATION & ASSESSMENT PROCESS Rating Criteria: Severity, Likelihood, and Manifestation Ratings Score Severity Description Likelihood Description Manifestation 1 Minimal significance 1 event per 10 years Greater than 5 years 2 Somewhat significant 1 event per 5 years Between 4 and 5 years 3 Significant 1 event per 2 years Between 3 and 4 years 4 Very significant 1 event per year Between 1 and 3 years 5 Extremely significant Regularly occurring Less than 1 year Your ministry Top Risks and Owners Risk Severity Likelihood Manifestation Total Meet Healthcare Needs 3 5 5 13 Donor Longevity/Commitment 4 4 1 9 Maintain Mission/Vision 5 5 1 11 Having Quality Staff 4 5 3 12 Manage Data Systems 3 2 3 8 Legal Compliance 4 5 4 13 Insufficient Funding 5 2 3 10 Competition with Others 2 5 4 11 Risk Description Current Risk Owner(s) Current Risk Management Activities Future Action Plan New Risk Owner(s) Legal Compliance Meeting Healthcare Needs Having Quality Staff Maintain Mission/Vision Competition GC/CFO VP HR VP HR CEO CEO/COO
ENTERPRISE RISK MANAGEMENT (ERM) Phase I Phase II Phase III Phase IV Advance Preparation Risk Identification / Assessment Process Data Analysis Risk Drill-Down You should prepare a summary of findings/results of activities from Phase II, including: Executive Summary Identified Risks Risk Ratings Proposed Action Plan
ENTERPRISE RISK MANAGEMENT (ERM) Phase I Phase II Phase III Phase IV Advance Preparation Risk Identification / Assessment Process Data Analysis Risk Drill-Down Specific risk areas may need to be further addressed
LOWER OVERALL COST OF RISK Remember to follow the ERM process Identify & Prioritize Risks Proactively manage risks through risk owners/managers Integrate risk management into the overall business plan
ERM INTEGRATED INTO EXISTING BUSINESS PRACTICES ERM becomes incorporated into: The Organization s Culture Strategic Planning Quality Improvement Budgeting Employee Engagement Committee Structure Decision-Making
ERM IMPLEMENTATION IN ACTION
Evangelical Christian Credit Union Abel Pomar President, Chief Executive Officer
RISK PHILOSOPHY We strive to do the right thing as we seek to fully understand and manage risk in the pursuit of value for our members. This is an ongoing process, where everyone in the organization is responsible for understanding and managing risk.
Credit Interest Rate Liquidity Operational Compliance Concentration Market Strategic Reputational TOOLS USED Risk Matrix Enterprise Risk Management Committee KRI/KPI Reporting System Business Area Membership Funding Sources Sub-Business Area Risk Ratings Ministry L L L L L M M H M Small Business L L L M L L M H L Consumer M L L L L L M H M Foreign Small Business Insured Deposits L L L L L L L M L Small Business Uninsured Deposits L L L L L L L L L Consumer Insured Deposits L L L L L L H H L Consumer Uninsured Deposits L L L L L L L L L MBL Participations M L M M L L L M M CU Certificates L L L L L H L L L
OBSERVABLE OUTCOMES Improved Business Monitoring Stronger Business Processes Intentional Focus for Strategic Planning Improved Business Prioritization Minimizes Financial Losses for the Organization Identifying Emerging Risks
Samaritan s Purse Ron Wilcox Chief Operating Officer
KEY ELEMENTS OF THE PROCESS Establishment of leadership groups, ground rules and commitment to process Identification of risks and contributing factors Leadership to agree and rank major risks and assign owners Risk owners develop written goals and plans for addressing risks Review and approval of goals and plans by CEO, reporting to board for oversight Communication and implementation Monitoring and reporting
HISTORY OF RISK MANAGEMENT AT SAMARITAN S PURSE Step 1 Director Group Meetings: This group s task is to take information identifying ministry risks from past RM efforts, updated submissions by the SP VPs, and their own lists of ministry risks; review and discuss it all, and consolidate it into one list of ministry risks. Each member of the group must agree on or support each risk in order for it to remain on the list. The Director Group met multiple times, in person and via e-mail exchanges, during April and May to discuss and clarify the nature of each risk and the factors contributing to the risks; and to compile a final Risk List.The Director Group finalized the Risk List and forwarded to the COO for distribution to the VP Group.
HISTORY OF RISK MANAGEMENT AT SAMARITAN S PURSE Step 2 - Continued Meetings with VP Group VP Group Tasks:1st task go through the list, score and plot each risk on a scale. The parameters for each risk are Likelihood of Occurrence and Severity of Impact. 2nd task assign individual risks to owners. The owner of each risk should be the Operational Department that has the greatest ability to manage the risk in question. Some risk owners acknowledge collaborative efforts with other departments, but for accountability purposes, each risk needs one designated owner.3rd task each risk owner develops a Summary Risk Management Plan for each risk it owns. These plans answer the question of how do you go about addressing this risk if you are its owner. Each owner turned in their plans.
HISTORY OF RISK MANAGEMENT AT SAMARITAN S PURSE Step 3: RM list and plans are presented to senior leadership. Appropriate revisions are made and decision is finalized to move forward with full support. Step 4: Quarterly meetings are calendared with all staff who were involved in the process. At the meetings, risk owners present their plans and give updates on their process to the group. Accountability remains with the group, with oversight by the COO.
Severity of Impact RISK MAPPING Risk Map 5 Extreme5 4.9 4.8 #4 Reputation -2.6,4.8 4.7 #8 Mission Focus -2.2,4.8 4.6 4.5 #1 Cybersecurity-4.2,4.6 4.4 #5 Workplace Safety -2.8,4.4 4.3 #7 Major Crisis2.6,4.4 4.2 4.14 Very High 4 3.9 3.8 #12 Insurance,2.6,3.8 #11 Vendor Instability 2.8,3.8 3.7 3.6 3.5 #2 Hiring Difficulty-4.4,3.6 3.4 #10 Theft and Fraud -3.2,3.4 3.3 3.2 3.13 #9 Volunteer Issues -3.4,3.2 #6 Communication-3.8,3.2 #3 Bureaucracy-4.6,3.2 Moderate 3 2.9 2.8 #13 Training -2.6.2.8 2.7 2.6 2.5 2.4 2.3 2.2 2.12 Low2 1.9 1.8 1.7 1.6 1.5 1.4 1.3 1.2 1.11 Negligible 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 0 0 1 2 2 3 3 4 4 5 5 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 Rare Unlikely Moderate Almost Certain Likely Likelihood of Occurrence
CREATION OF RISK MANAGEMENT SYNOPSIS Risk Management Synopsis Ranking Risk Title Assigned Owner 1 Cyber-Security threats Information Technology 2 Hiring or placing qualified candidates in necessary positions Human Resources 3 4 Avoidance of procedures or "work - around" actions by staff to get their work done Damage to the ministry s reputation significantly erodes donor support. COO/ Legal Quality Control/ Donor Ministries 5 Workplace safety and security threats, including physical threats to employees and facilities, domestic and international. Security
OVERVIEW OF OUR ERM APPROACH We recommend an approach that focuses on a culture of risk management within the organization: Both a top down and bottom up enculturated in all team members. Oversight by the board. Monitoring and accountability owned by the CEO. Ownership at the VP level. Training and development of a process that includes intentional identification, consideration and documentation of all risks and priorities that can be insured, mitigated, accepted, or eliminated. Quarterly review and update by risk owners. Quarterly coordination between risk owners and COO. Periodic review and advice by subject matter experts.
American Bible Society Karen Gordon, Esq. Director of Enterprise Risk Management & Compliance
ERM IMPLEMENTATION AT ABS Nascent Stage C-suite Support Critical Obtaining C-suite buy-in Combination of Business Continuity Planning & ERM Capitalizing on similarities Volunteer test group Track investment of time and people Process overview and outcomes to C-suite
BUSINESS CONTINUITY
BCP & ERM COMMONALITIES Critical Typically led by Risk Management Highly recommended Must be done Legal involvement Risk assessment Vital to sustainability BCP Ensures Mission Continuance Far reaching consequences if not done right Centrally managed but individual risk owners Business impact analysis Should be done Promotes strategic alignment with mission ERM
TIMELINE Enterprise Risk Management Disaster Recovery Business Continuity Pre-incident Immediate Incident Response Post Disaster Recovery (Hours) Post Disaster Operations and Restoration (days to weeks) Resumption of Business (on-site and/org alternate site) Disaster Strikes
SAMPLE RISK INVENTORY LOG Risk Category Sub-Category Risk Element Risk Tolerance Likelihood (L) INHERENT RISK Impact (I) Severity (LxI) Risk Response Risk Response Tactics Value of Response Tactics Residual Risk Further Action Required & Plan Risk Ownership Status Operational Technology System outages 5 5 25Mitigate System monitoring; service level agreements; back-up & recovery procedures; system testing; database mirroring; firewalls. Uninterruptable power supply. Moderate. (7) 18Institute rigorous testing of recovery procedures CTO Monitor Operational Personnel Attracting & retaining qualified staff 4 5 20Mitigate Performance evaluations; HR development & training; hiring criteria; compensation plans. High (8) 12SLT approval of risk SVP, HR Monitor
CASE STUDY THE PROCESS Tables identified by name of department: Human Resources Legal Risk Management IT Internal Audit Finance Attendees collaborate in identifying and addressing issues.
CASE STUDY THE PLAYERS