Best Practices
in
ENTERPRISE
RISK MANAGEMENT
[ Managing Risks Holistically ]
INTRODUCTIONS
• MODERATOR: Bob Lipps, JD, CPA
• PANELISTS:
– Ron Wilcox
– Abel Pomar
– Karen Gordon, Esq.
THE EVOLUTION OF RISK
RISK
• Traditional definitions:
– The possibility that something bad or unpleasant will happen.
[ Merriam-Webster ]
– Minimizing the adverse effects of accidental losses. [ The Institutes ]
RISK
• Broadened definitions:
– The effect of uncertainty on objectives.
[ ISO 31000 ]
– Coordinated activities to direct and control an organization with regard to risk. [ ISO 31000 ]
TRADITIONAL
RISK MANAGEMENT APPROACH
THE NEW VIEW OF RISK
• RISK can be a threat or an opportunity.
• Risk = Any uncertainty that can harm, prevent, delay, or enhance an organization’s ability to achieve objectives.
Risk Treatment Strategies: Avoid, Mitigate, Transfer, Retain/Accept, Exploit
THE CHANGING FOCUS OF RISK MANAGEMENT
TRANSACTIONAL
Historic Risk Management
• Insurance
• Specific hazards
• No compliance input
• Separate safety & emergency management
• “Silo” approach
• Risk Manager = insurance buyer
Risk is bad – focus is on transferring risk
INTEGRATED
Advanced Risk Management
• Alternative risk transfer techniques
• Proactive prevention & risk reduction
• Integrated approach to claims, contracts, insurance, etc.
• Increased education & accountability
• Collaboration across departments
• Risk Manager may be the risk owner
Risk is an expense – focus is on reducing cost-of-risk
STRATEGIC
Enterprise-Wide Risk Management
• Broad range of risks analyzed
• Combination of risk mitigation and opportunities
• ERM alignment with strategy
• Helps manage growth, allocate capital & resources
• Risks owned by SME’s
• Greater availability of risk mitigation and analytical tools
• Risk Manager = risk moderator, partner, leader; not the owner of every risk
Risk is uncertainty – focus is on optimizing risk to achieve goals
WHAT IS
ENTERPRISE RISK MANAGEMENT (ERM)?
• The Risk and Insurance Management Society defines ERM as:
– A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
ENTERPRISE RISK MANAGEMENT (ERM)
• Types of Questions to Ask
– What would cause us to be unable to achieve our objectives or to operate according to our values?
– Describe a scenario of what could go wrong and how we would respond today?
– What controls are currently in place? What should be done better?
– What risks should we consider over the next 12-18 months?
– What risks will be important for our sustainability ten years from now?
– How severe can the risk be and what is the likelihood of it occurring?
– What are the consequences to your organization if the risk occurs?
– What are the early warning signs that the risk may occur?
A HOLISTIC APPROACH TO
MULTIFACETED RISKS, ERM
• Arms leaders with consolidated information to improve decision-making.
• Organizes risk information from across the organization.
• Involves creating a culture of risk management and risk ownership.
• Recognizes that one person alone cannot own every risk.
WHAT DOES ERM DO?
• In a nutshell, ERM is a process that:
– Identifies
– Evaluates
– Mitigates
– Assigns risk ownership and accountability
– Monitors risk mitigation strategies
– Reports to leadership
potential and emerging risks to the organization, and promotes a culture of risk awareness.
Enterprise Risk Management Framework and Process Model
Process steps (recurring):
• Scan Organizational Environment [Risk management w/ internal audit]
• Identify Risks & Risk Owners [w/ Business Managers]
• Analyze Risks [w/ Business Operations & Risk Management/Legal]; SWOT Analysis
• Audit When Critical Risks Identified
• Mitigate or Eliminate Risks [w/ Business Managers & Others]
• Monitor Risks; Assure Compliance & Continued Alignment with ABS Objectives. Revisit Mitigation Strategy, if needed [with legal & SLT]
Framework elements:
• Top Leadership, Risk Appetite, & Accountability
• Communications & Reporting to Stakeholders & Top Management
• Align and Embed in Culture
• Resource Allocation
Examples of how Organizational Operations Relate to Enterprise Risk Management (ERM)
• Governance: Corporate Strategy, C-Suite
• Business Operations: Managers, Staff
• Performance Management: HR, Managers, Staff
• Process Management: C-Suite, Managers
• Risk Management: Legal, Internal Audit
• Internal Control: C-Suite, Internal Audit, Legal
• Compliance: Legal, Finance, Internal Audit
• Strategic Planning: Corporate Strategy, C-Suite, Managers
ROLE OF THE ENTERPRISE RISK
MANAGER OR CHIEF RISK OFFICER (CRO)
• To create a risk aware culture;
• To ensure ERM activities are aligned with mission objectives;
• To bring consideration of risk into strategic decision-making;
• To develop a center of excellence for managing risk, drawing on the expertise of SME’s, who, in turn, are similar to risk managers for their unique areas;
• To facilitate and coordinate holistic risk management;
• To communicate clearly to stakeholders; and
• To be advisor and partner to other executives and managers.
WHY IS ENTERPRISE RISK MANAGEMENT IMPORTANT?
1. All organizations exist to achieve their objectives.
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve them.
3. The effect this uncertainty has on an organization’s goals is “risk.”
In summary, the holistic management of risk is central to the success of all organizations.
THREE LEVELS OF ERM IMPACT
Strategic / Operational / Decision-Making
ERM IMPLEMENTATION PROCESS
• Design ERM Framework.
• Equip ERM Committee.
• Perform Initial Assessment.
• Assign Ownership.
• Develop Treatment Plans.
• Plan Data and Workflow Management.
• Set Procedures for Strategy & Decisions.
• Develop Reporting & Accountability.
ENTERPRISE RISK MANAGEMENT (ERM)
Phase I
Advance Preparation
Phase II
Risk Identification / Assessment Process
Phase III
Data Analysis
Phase IV
Risk Drill-Down
Phase I – Advance Preparation
• Develop initial risk profile with help from a professional
• Prepare a risk survey questionnaire
• Compile information from the questionnaire
• Prepare additional information as required
Phase II – Risk Identification / Assessment Process
• Identify key risks
• Prioritize risks
• Rate likelihood and severity for top risks
• Assess current risk management controls for key risks
• Discuss aggravating and mitigating risk factors
• Identify risk owners
• Develop potential action plan
Rating Criteria: Severity, Likelihood, and Manifestation
Score  Severity Description    Likelihood Description   Manifestation
1      Minimal significance    1 event per 10 years     Greater than 5 years
2      Somewhat significant    1 event per 5 years      Between 4 and 5 years
3      Significant             1 event per 2 years      Between 3 and 4 years
4      Very significant        1 event per year         Between 1 and 3 years
5      Extremely significant   Regularly occurring      Less than 1 year
Ratings
Risk                         Severity  Likelihood  Manifestation  Total
Meet Healthcare Needs        3         5           5              13
Donor Longevity/Commitment   4         4           1              9
Maintain Mission/Vision      5         5           1              11
Having Quality Staff         4         5           3              12
Manage Data Systems          3         2           3              8
Legal Compliance             4         5           4              13
Insufficient Funding         5         2           3              10
Competition with Others      2         5           4              11
Your ministry – Top Risks and Owners
Risk                      Description  Current Risk Owner(s)  Current Risk Management Activities  Future Action Plan  New Risk Owner(s)
Legal Compliance                       GC/CFO
Meeting Healthcare Needs               VP HR
Having Quality Staff                   VP HR
Maintain Mission/Vision                CEO
Competition                            CEO/COO
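As an added example (not part of the slides), the Phase II scoring above in Python: each risk's Severity, Likelihood and Manifestation scores from the 1-5 criteria table are summed, and the highest totals become the top-risk list that the owners table carries forward. The eight risks and scores are copied from the Ratings table; the cut-off of five is an assumption.

```python
from dataclasses import dataclass

# Rating criteria from the slides: score -> (severity, likelihood, manifestation)
RATING_CRITERIA = {
    1: ("Minimal significance", "1 event per 10 years", "Greater than 5 years"),
    2: ("Somewhat significant", "1 event per 5 years", "Between 4 and 5 years"),
    3: ("Significant", "1 event per 2 years", "Between 3 and 4 years"),
    4: ("Very significant", "1 event per year", "Between 1 and 3 years"),
    5: ("Extremely significant", "Regularly occurring", "Less than 1 year"),
}


@dataclass(frozen=True)
class RiskRating:
    name: str
    severity: int
    likelihood: int
    manifestation: int

    def __post_init__(self):
        # Reject scores outside the 1-5 scale before they can skew the totals.
        for score in (self.severity, self.likelihood, self.manifestation):
            if score not in RATING_CRITERIA:
                raise ValueError(f"{self.name}: score {score} is not on the 1-5 scale")

    @property
    def total(self) -> int:
        # The slides' Total column: the three scores added together.
        return self.severity + self.likelihood + self.manifestation


# The eight risks and scores from the slides' Ratings table (constructed input).
RATINGS = [
    RiskRating("Meet Healthcare Needs", 3, 5, 5),
    RiskRating("Donor Longevity/Commitment", 4, 4, 1),
    RiskRating("Maintain Mission/Vision", 5, 5, 1),
    RiskRating("Having Quality Staff", 4, 5, 3),
    RiskRating("Manage Data Systems", 3, 2, 3),
    RiskRating("Legal Compliance", 4, 5, 4),
    RiskRating("Insufficient Funding", 5, 2, 3),
    RiskRating("Competition with Others", 2, 5, 4),
]


def rank_risks(ratings):
    """Highest total first; Python's sort is stable, so ties keep table order."""
    return sorted(ratings, key=lambda r: r.total, reverse=True)


def top_risks(ratings, n=5):
    """Names of the n highest-scoring risks (n=5 is an assumption, matching the owners table)."""
    return [r.name for r in rank_risks(ratings)[:n]]
```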
RISK IDENTIFICATION &
ASSESSMENT PROCESS
Phase III – Data Analysis
• You should prepare a summary of findings/results of activities from Phase II, including:
– Executive Summary
– Identified Risks
– Risk Ratings
– Proposed Action Plan
Phase IV – Risk Drill-Down
• Specific risk areas may need to be further addressed
LOWER OVERALL COST OF RISK
• Remember to follow the ERM process
– Identify & Prioritize Risks
– Proactively manage risks through risk owners/managers
– Integrate risk management into the overall business plan
ERM INTEGRATED INTO EXISTING BUSINESS PRACTICES
• ERM becomes incorporated into:
– The Organization’s Culture
– Strategic Planning
– Quality Improvement
– Budgeting
– Employee Engagement
– Committee Structure
– Decision-Making
ERM IMPLEMENTATION IN ACTION
Abel Pomar
President, Chief Executive Officer
Evangelical Christian Credit Union
RISK PHILOSOPHY
• We strive to do the right thing as we seek to fully understand and manage risk in the pursuit of value for our members. This is an ongoing process, where everyone in the organization is responsible for understanding and managing risk.
TOOLS USED
• Risk Matrix
• Enterprise Risk Management Committee
• KRI/KPI Reporting
• System
Risk Ratings (L/M/H) by Business Area / Sub-Business Area
Business Area / Sub-Business Area    Credit  Interest Rate  Liquidity  Operational  Compliance  Concentration  Market  Strategic  Reputational
Membership
  Ministry                           L       L              L          L            L           M              M       H          M
  Small Business                     L       L              L          M            L           L              M       H          L
  Consumer                           M       L              L          L            L           L              M       H          M
  Foreign                            (no ratings shown)
Funding Sources
  Small Business Insured Deposits    L       L              L          L            L           L              L       M          L
  Small Business Uninsured Deposits  L       L              L          L            L           L              L       L          L
  Consumer Insured Deposits          L       L              L          L            L           L              H       H          L
  Consumer Uninsured Deposits        L       L              L          L            L           L              L       L          L
  MBL Participations                 M       L              M          M            L           L              L       M          M
  CU Certificates                    L       L              L          L            L           H              L       L          L
OBSERVABLE OUTCOMES
• Improved Business Monitoring
• Stronger Business Processes
• Intentional Focus for Strategic Planning
• Improved Business Prioritization
• Minimizes Financial Losses for the Organization
• Identifying Emerging Risks
Ron Wilcox
Chief Operating Officer
Samaritan’s Purse
KEY ELEMENTS OF THE PROCESS
• Establishment of leadership groups, ground rules and commitment to process
• Identification of risks and contributing factors
• Leadership to agree and rank major risks and assign owners
• Risk owners develop written goals and plans for addressing risks
• Review and approval of goals and plans by CEO, reporting to board for oversight
• Communication and implementation
• Monitoring and reporting
HISTORY OF RISK MANAGEMENT AT SAMARITAN’S PURSE
• Step 1 – “Director Group” Meetings:
– This group’s task is to take information identifying ministry risks from past RM efforts, updated submissions by the SP VPs, and their own lists of ministry risks; review and discuss it all, and consolidate it into one list of ministry risks. Each member of the group must agree on or support each risk in order for it to remain on the list. The “Director Group” met multiple times, in person and via e-mail exchanges, during April and May to discuss and clarify the nature of each risk and the factors contributing to the risks, and to compile a final Risk List. The “Director Group” finalized the Risk List and forwarded it to the COO for distribution to the VP Group.
• Step 2 – Continued Meetings with “VP Group” – VP Group Tasks:
– 1st task – go through the list, score and plot each risk on a scale. The parameters for each risk are Likelihood of Occurrence and Severity of Impact.
– 2nd task – assign individual risks to owners. The owner of each risk should be the Operational Department that has the greatest ability to manage the risk in question. Some risk owners acknowledge collaborative efforts with other departments, but for accountability purposes, each risk needs one designated owner.
– 3rd task – each risk owner develops a Summary Risk Management Plan for each risk it “owns”. These plans answer the question of how you go about addressing this risk if you are its owner. Each owner turned in their plans.
• Step 3 – RM list and plans are presented to senior leadership. Appropriate revisions are made and the decision is finalized to move forward with full support.
• Step 4 – Quarterly meetings are calendared with all staff who were involved in the process. At the meetings, risk owners present their plans and give updates on their process to the group. Accountability remains with the group, with oversight by the COO.
RISK MAPPING
Risk Map: x axis = Likelihood of Occurrence (1 Rare, 2 Unlikely, 3 Moderate, 4 Likely, 5 Almost Certain); y axis = Severity of Impact (1 Negligible, 2 Low, 3 Moderate, 4 Very High, 5 Extreme). Points as labelled on the chart:
#1 Cybersecurity 4.2, 4.6
#2 Hiring Difficulty 4.4, 3.6
#3 Bureaucracy 4.6, 3.2
#4 Reputation 2.6, 4.8
#5 Workplace Safety 2.8, 4.4
#6 Communication 3.8, 3.2
#7 Major Crisis 2.6, 4.4
#8 Mission Focus 2.2, 4.8
#9 Volunteer Issues 3.4, 3.2
#10 Theft and Fraud 3.2, 3.4
#11 Vendor Instability 2.8, 3.8
#12 Insurance 2.6, 3.8
#13 Training 2.6, 2.8
CREATION OF RISK MANAGEMENT SYNOPSIS
Risk Management Synopsis
Ranking  Risk Title                                                                                                                       Assigned Owner
1        Cyber-Security threats                                                                                                           Information Technology
2        Hiring or placing qualified candidates in necessary positions                                                                    Human Resources
3        Avoidance of procedures or "work-around" actions by staff to get their work done                                                 COO/Legal
4        Damage to the ministry’s reputation significantly erodes donor support.                                                          Quality Control/Donor Ministries
5        Workplace safety and security threats, including physical threats to employees and facilities, domestic and international.       Security
OVERVIEW OF OUR ERM APPROACH
• We recommend an approach that focuses on a “culture of risk management” within the organization:
• Both top-down and bottom-up, enculturated in all team members.
• Oversight by the board.
• Monitoring and accountability owned by the CEO.
• Ownership at the VP level.
• Training and development of a process that includes intentional identification, consideration and documentation of all risks and priorities that can be insured, mitigated, accepted, or eliminated.
• Quarterly review and update by risk owners.
• Quarterly coordination between risk owners and COO.
• Periodic review and advice by subject matter experts.
Karen Gordon, Esq.
Director of Enterprise Risk Management & Compliance
American Bible Society
ERM IMPLEMENTATION AT ABS
Nascent Stage
C-suite Support Critical
Obtaining C-suite buy-in
Combination of Business Continuity Planning & ERM
Capitalizing on similarities
Volunteer test group
Track investment of time and people
Process overview and outcomes to C-suite
BUSINESS CONTINUITY
BCP & ERM COMMONALITIES
ERM / BCP
Critical / Highly recommended
Must be done
Typically led by Risk Management
Vital to sustainability
Should be done
Promotes strategic alignment with mission
Legal involvement
Risk assessment
Far reaching consequences if not done right
Business impact analysis
Centrally managed but individual risk owners
Ensures Mission Continuance
TIMELINE
Enterprise Risk Management
Disaster Recovery
Business Continuity
Pre-incident Immediate Incident Response
Post Disaster Recovery (Hours)
Post Disaster Operations and Restoration (days to weeks)
Resumption of Business (on-site and/or alternate site)
Disaster Strikes
SAMPLE RISK INVENTORY LOG
Columns: Risk Category | Sub-Category | Risk Element | Risk Tolerance | Inherent Risk: Likelihood (L), Impact (I), Severity (L x I) | Risk Response | Risk Response Tactics | Value of Response Tactics | Residual Risk | Further Action Required & Plan | Risk Ownership | Status

Entry 1
  Risk Category: Operational
  Sub-Category: Technology
  Risk Element: System outages
  Inherent Risk: Likelihood 5, Impact 5, Severity (L x I) 25
  Risk Response: Mitigate
  Risk Response Tactics: System monitoring; service level agreements; back-up & recovery procedures; system testing; database mirroring; firewalls; uninterruptable power supply.
  Value of Response Tactics: Moderate (7)
  Residual Risk: 18
  Further Action Required & Plan: Institute rigorous testing of recovery procedures
  Risk Ownership: CTO
  Status: Monitor

Entry 2
  Risk Category: Operational
  Sub-Category: Personnel
  Risk Element: Attracting & retaining qualified staff
  Inherent Risk: Likelihood 4, Impact 5, Severity (L x I) 20
  Risk Response: Mitigate
  Risk Response Tactics: Performance evaluations; HR development & training; hiring criteria; compensation plans.
  Value of Response Tactics: High (8)
  Residual Risk: 12
  Further Action Required & Plan: SLT approval of risk
  Risk Ownership: SVP, HR
  Status: Monitor
CASE STUDY – THE PROCESS
• Tables identified by name of department:
– Human Resources
– Legal
– Risk Management
– IT
– Internal Audit
– Finance
• Attendees collaborate in identifying and addressing issues.
CASE STUDY – THE PLAYERS