Success Stories: Public Entities Adopt ERM Best Practices
Kristina Narvaez, MBA

Foreword

Understanding how to apply the concept of Enterprise Risk Management (ERM) in local government is still a struggle for many entities. From talking to many government managers, we know they are trying to understand if it really means applying a new term to their existing strategic planning and operational business procedures, or if it means embarking down a different path that will require additional resources and external guidance. For this reason, Success Stories: Public Entities Adopt ERM Best Practices has been designed to help governments understand how other public entities are applying enterprise risk management in their operations.

The practice of enterprise risk management uses a set of proven tools to strengthen traditional risk principles. While some current textbooks try to describe the process of ERM by discounting traditional risk methods, this author and the Public Entity Risk Institute choose to believe traditional methods are still the foundation for applying ERM. The fact is many managers in the public sector are expanding the role of risk management beyond the traditional focus of preventing and financing accidental losses. ERM allows all managers to mitigate challenges through the application of an organized ERM process that evaluates all possibilities of known events and identifies potential threats that may affect the organization and its community.

The lack of information about enterprise risk management is a common problem. While some professionals are trying to understand the terminology, others seek a step-by-step approach to begin explaining the process to senior management. Regardless of where you fit into the mix of interests, this publication will serve as a reference to cite the concepts and share actual facts and examples from governments that have paved the way in the process.
Many organizations are changing their operations to produce a more systematic approach to managing potential manmade and natural hazards that could jeopardize the organization’s assets or resources, because they recognize separating risk into compartments no longer makes sense. Government officials are beginning to recognize the need to assess risks, to weigh the results of taking certain actions, or to see the negative effect and consequences of failing to perform a given function or service. However, developing a culture that manages risk through a holistic approach has been a slow process. Using a holistic approach will reduce cost by:

• Encouraging an ongoing, organization-wide activity where everyone monitors risk.
• Evaluating the effects of uncertainty against an organization’s ability to achieve its goals.
• Developing action plans that can respond quickly and effectively to minimize the adverse consequences of unexpected challenges.

The ERM approach lets managers, and even board members, actively discuss possible risks in all situations and tries to address the total uncertainty facing an entity at any moment. Where possible it helps to eliminate the obstacles that hinder constructive performance, such as silos within governmental units; issues involving public scrutiny; a lack of resources or one-sided finances; weak data collection that isn’t shared; and a lack of common goals or incentives.

Risk management is related to mission, not to insurance and loss. One mission for public entities is community sustainability. Part of the planning for sustainability should be to decrease uncertainty by incorporating a continuous review of all risks. The review should encourage prevention of loss and reduce the probability of failure, which will minimize both public scrutiny and management’s desire to ignore the value of holistic risk management to analyze, review, and improve their programs.
The ERM process guides managers to identify and act on risks based on how each risk impacts another risk, and allows them to take responsible action and make policy decisions before an incident occurs. To accomplish the goal of incorporating ERM into daily processes, it is important for personnel to encourage and develop the credibility, influence, knowledge, and partnerships needed to sustain your entity and the community. While the value of adding enterprise risk management will be different for each organization, the overall goal should be to maximize good results and minimize the impact of negative events within and around the organization, without having personnel wondering who was responsible for any failure or unanticipated event. Integrating enterprise risk management into the planning process raises the quality of all operations, increases morale, and develops a stronger commitment to the organizational mission.

The Public Entity Risk Institute was eager to find examples of enterprise concepts and tools used within governmental units. Admittedly, few public entities have fully developed programs, but the progression of knowledge and management support seems to have “taken hold” in pockets throughout the nation. The success stories found in this book are solid examples of how ERM has been implemented into strategic guidelines using tools that can be easily applied to other governments.

PERI would like to thank the organizations that shared their stories of success for this book. PERI is also grateful to the author, Kristina Narvaez, for her tireless effort in gathering these examples and for explaining ERM principles in a clear and understandable way. A sincere thank you to Jessica Hubbard for her work on this project, and earnest appreciation to Colleen Gratzer of Gratzer Graphics for designing the page proofs and the cover.
Mary Stewart, ARM-P, CPCU
Director of Research and Development, the Public Entity Risk Institute

Acknowledgments

Grace Crickette – Chief Risk Officer at University of California
Erike Young – Director of Environmental, Safety & Health at University of California
Gary Langsdale – Director of Risk Management at Penn State University
Chuck Gray – Director of Risk Consulting Services at Bickmore Risk Service
Lisanne Sison – Risk Consultant at Bickmore Risk Service
Russell McQuire – Senior Consultant at Milliman
Erica Webber – Senior Managing Consultant at IBM
John Bugalla – Principal of ermINSIGHTS
Janice Hackett – Principal of ermINSIGHTS
Dr. James Kallman – Assistant Professor of Finance at St. Edwards University and Principal of Kallman Consulting Services
Drew Zavatsky – State of Washington Loss Prevention/ERM Coordinator
Mark Gabel – Cost Estimating Team Leader at Washington State Department of Transportation
Kristen Drobris – Senior Vice President of Risk Management for MassDevelopment
Debra Carson – Risk Manager at Longmont, Colorado
Taud Hoopingarner – Chief Operating Officer at Dakota County, Minnesota
Mike Warren – Airport Risk Manager for San Francisco International Airport
Norma Essary – Vice President of Risk Management at Dallas/Fort Worth International Airport
Todd Orchard – Manager of Enterprise Risk Management at Branch of Risk Management for British Columbia
Chris MacLean – Manager of Enterprise Risk Management at Branch of Risk Management for British Columbia
Steve Schmutz – Director of Operations at Riskonnect
Joseph Grenny – Cofounder of VitalSmarts

The Challenge for Public Entities

After you finish reading this book and start implementing some of the ERM best practices of other public entities, we would like you to write back to the author (Kristina Narvaez at kristina@erm-strategies.com) and share with her your success stories of implementing ERM at your public entity.
Table of Figures

Figure 1 – Second building block of ISO 31000 (Allen 2010), p. 5
Figure 2 – COSO II Framework, p. 6
Figure 3 – AS/NZS 4360 risk management process (Broadleaf Capital International PTY LTD 2007), p. 7
Figure 4 – SWOT Analysis Chart (Wikimedia Commons 2007), p. 14
Figure 5 – DFW ERM Risk Council (Essary and Yip 2010), p. 21
Figure 6 – Risk Categories/Identified Risks, p. 22
Figure 7 – ERMIS Sources of Information (University of California 2010), p. 23
Figure 8 – ERMIS Dashboard (Need bigger screenshot), p. 25
Figure 9 – ERMIS Metrics (Need bigger images), p. 25
Figure 10 – SFO Risk Ranking, p. 31
Figure 11 – SFO Risk Map-Macro View (Warren 2007), p. 32
Figure 12 – SFO Risk Map-Micro View (Warren 2007), p. 33
Figure 13 – DFW Risk Scoring Template, p. 35
Figure 14 – Spreadsheet Template Risk Register (The Security Risk Management Toolkit 2006), p. 36
Figure 15 – Risk Rating Chart, p. 40
Figure 16 – Root Cause Analysis Process Flow (Anselmo 2009), p. 44
Figure 17 – Risk Based Organizational Chart (Essary and Yip 2010), p. 47
Figure 18 – BP Deepwater Horizon Fault Tree (TapRoot 2010), p. 56
Figure 19 – DHS Risk Management Process (Miller 2010), p. 61
Figure 20 – Integrating Risk across the DHS Enterprise (Miller 2010), p. 63
Figure 21 – Veterans Administration Project Timeline 2001-02 (United States Department of Veterans Affairs 2001), p. 73
Figure 22 – WSDOT Project Risk Management Chart (Washington State Department of Transportation 2010, xiv), p. 76
Figure 23 – Critical Risk: Mitigation Plan, p. 79
Figure 24 – UC Top Risks Associated with Higher Education (University of California Office of Risk Services 2010), p. 85
Figure 25 – IBM ERMIS Dashboard (Need larger screenshot)
Figure 26 – Riskonnect Interrelationships Screen Captures, p. 93
Figure 27 – Strategic Triangle (M. D. Moore 1995), p. 97
Figure 28 – UCSF Medical Center at Mission Bay (University of California, San Francisco 2010), p. 98

Table of Contents

Foreword by Mary Stewart, p. ii
Acknowledgments, p. v
The Challenge for Public Entities, p. vi
Introduction, p. 1
  Traditional vs. Enterprise Risk Management, p. 1
  ERM Frameworks, p. 3
    ISO 31000:2009, p. 3
    COSO II: 2004, p. 6
    AS/NZS 4360, p. 7
  ERM Certification, p. 8
1 Risk Culture, p. 9
  Three Views of Risk, p. 9
  Public Entity Example – Longmont, Colorado, p. 10
  Three Elements of Sustainable Development, p. 11
  Public Entity Example – Washington State Department of Transportation, p. 11
2 ERM Plan – Internal and External Context, p. 14
  SWOT Analysis, p. 14
  Public Entity Example – Dakota County, Minnesota, p. 15
  Public Entity Example – San Francisco Airport, p. 17
  Elements of a Strategic Plan, p. 17
  Strategy Implementation, p. 18
  Strategy Evaluation, p. 18
    Risk Maturity Model, p. 19
  Public Entity Example – State of Washington, p. 19
3 Risk Intelligence, p. 20
  Risk Categories, p. 20
  Public Entity Example – Dallas/Fort Worth International Airport, p. 21
  Public Entity Example – University of California, p. 22
  Performance Management System, p. 25
  Public Entity Example – State of Washington, p. 25
4 Risk Assessment, p. 30
  Delphi Technique, p. 30
  Public Entity Example – San Francisco International Airport, p. 31
    San Francisco International Airport Risk Map-Macro View, p. 32
    San Francisco International Airport Risk Map-Micro View, p. 33
  Causes of Loss, p. 33
  Level of Impact, p. 34
  Public Entity Example – Dallas/Fort Worth International Airport, p. 35
  Sample Risk Register, p. 36
  Public Entity Example – Vancouver, British Columbia, p. 36
5 Root Cause Analysis, p. 43
  Five Schools of RCA, p. 43
  Three Basic Causes, p. 44
  Public Entity Example – State of Washington, p. 44
6 Role & Responsibilities of a Risk Champion, p. 47
  Risk Centers, p. 47
  Interview with the Risk Champion, p. 49
    Objectives, p. 49
    Resources, p. 49
    Strategic Questions, p. 49
    What Are Your Risk Mitigation Techniques for the Following, p. 49
7 Dealing with Unexpected Events, p. 51
  Hurricane Katrina Critical Challenges, p. 52
  Fault Tree Analysis, p. 54
  Continuity Plan, p. 57
  Public Entity Example – University of California, p. 58
  Public Entity Example – Center for Disease Control and Prevention, p. 59
8 Integrated Risk Management, p. 60
  U.S. Department of Homeland Security, p. 60
  Challenges Faced, p. 64
  Tactics Employed, p. 64
9 Using ERM in Project Management, p. 70
  Primary Activities, p. 70
  Buffer Time, p. 72
  Scheduling Tools, p. 73
    Example Gantt Chart, p. 73
  Project ERM Goal, p. 73
  Public Entity Example – Washington State Department of Transportation, p. 74
10 Risk Communication, p. 80
  Crisis Communication among the Government Agencies during BP Oil Spill, p. 80
  Conclusions to Government Agencies’ Response to BP Oil Spill, p. 82
11 Assurance in ERM, p. 83
  Monitor and Review, p. 83
  Public Entity Example – University of California, p. 84
  Addressing Gaps in ERM Program, p. 85
12 ERM Technology Solutions, p. 87
  Enterprise Risk Management Software, p. 88
  IBM ERMIS
  Riskonnect ERM, p. 89
13 Risk Optimization and Value Creation, p. 95
  Is All Risk Bad?, p. 95
  The Strategic Triangle, p. 96
  Public Entity Example – University of California, San Francisco, p. 98
  Value Strategy, p. 100
  Political Management, p. 100
  Operational Capacity, p. 100
14 Return on Investment, p. 102
  Areas of Review, p. 102
    Cost of Risk, p. 103
    Cost of Borrowing, p. 104
  Seven Primary Questions, p. 104
    Create Efficiency, p. 105
    Reduce Redundancy, p. 106
15 ERM’s Role in Governance, p. 107
  Public Entity Example – U.S. Department of Education, p. 107
16 Getting ERM Buy-In with Decision Makers, p. 110
  Sample ERM Implementation Plan (Louisot and Ketcham 2009, 14.32), p. 110
  Public Entity Example – Penn State University, p. 114
17 Being an ERM Influencer in Your Public Entity, p. 116
Conclusion, p. 120
Bibliography, p. 121

Introduction

In the last ten years, enterprise risk management (ERM) has received more attention from corporate America and some public entities.
ERM’s systematic approach to identifying risk exposures helps everyone within the organization make better strategic decisions because risks are more clearly defined. Though still in its infancy with many public entities across the country, more and more organizations are looking to ERM as a way to better evaluate all of their risks. ERM provides an opportunity for organizations to see their risks from a more holistic point of view.

This book will take a six-step approach to introducing, developing, and ultimately implementing an ERM program within your public entity. With each step, real examples will be provided to highlight the successful implementation of these ideas by public entities in the United States and Canada. The chapters break down ERM in the following way:

1) Chapters 1 through 3 cover risk identification, the process of taking inventory of all risks in the organization and tying them to the organization’s strategic plan.
2) Chapters 4 through 7 deal with risk assessment, a process in which we determine the cause, risk event, impact, and velocity of all risk exposures.
3) Chapter 8 addresses risk analysis, which examines the interrelationship of risks both within and outside the organization.
4) Chapters 9 and 10 discuss implementation of ERM, including structure, practices, and strategies.
5) Chapters 11 and 12 examine monitoring, which is the tracking of risk information from the ERM program.
6) Chapters 13 through 17 cover evaluation, which involves ascertaining the strengths and weaknesses of the ERM program with regard to the organization’s strategic goals.

Traditional vs. Enterprise Risk Management

There are many advantages to using an enterprise risk management approach over a traditional risk management approach. ERM is able to improve the strategic decision making of an organization by addressing strengths, weaknesses, opportunities, and threats (SWOT analysis) in a way that integrates risk management and the strategic planning process.
All public entities, no matter the size of their operations, need to be aware of unplanned or emerging risks that can impact their ability to provide services to their citizens. In a traditional risk management approach, risks are classified into two categories, operational risks and hazard risks, with little or no attention paid to strategic risks or financial risks. The ERM process is different because it allows public entities to establish internal and external contexts, assess risks, choose appropriate treatments, and then monitor the treatment against the organization’s strategic goals. This allows all stakeholders of a public entity to have a clear picture of all the risks that could impact the strategic plan within their organization. By identifying all the risks, the public entity now has the ability to quantify critical risks and prioritize their risk treatment.

The first step in integrating ERM with strategic planning is to consider goals for ERM as part of the public entity’s mission. Senior management, city councils, and/or boards of directors need to define their vision statement, mission statement, strategic objectives, and financial projections. For example, the State of Washington’s ERM goals are set with the following criteria in mind:

1) Clear statement of the goals
2) Identification of the obstacles in meeting the goals
3) Evaluation of the upside and downside of risk
4) Prioritization of risks
5) Determine proper risk treatment
6) Capture risk intelligence in Risk Register
7) Communication of results to decision makers (Zavatsky 2008).

Traditional risk managers generally report to an organizational department such as finance, operations, or legal. Their focus is on pure risk management issues such as property, freedom from liability, net income, and key personnel. ERM engages all the organization’s stakeholders in the risk management process and manages events and perils that may cause variation from the achievement of specific strategic goals.
A public entity with a fully integrated ERM program develops a sophisticated but user-friendly way to communicate risk intelligence (see Chapter 3) throughout the organization. This risk communication includes the dialogue and discussions that educate all stakeholders about who is responsible for different types of risks and the way in which they will mitigate those risks. With a clear definition of risk roles and responsibilities within a public entity, personnel are able to identify emerging risks in relation to, and in context with, specific and aggregate strategic goals.

The use of valid metrics and the continuous flow of relevant data are critical in risk communication. Key performance indicators, key risk indicators, and a risk register are just some of the tools that risk managers can use to identify and then communicate risk information to senior management. A risk register (see Chapter 4) is an essential tool for managing portfolios and implementing rational decisions. It leads to sound governance and contributes to the monitoring of various risk regulations. When threats and opportunities are understood across the organization, managers will make better decisions that in turn not only improve their department’s goals but also positively impact the entire organization. The benefits of implementing an ERM program within your organization include the following:

1) Enhance Decision Making
2) Increase Sustainability
3) Reduce Volatility
4) Improve Ability to Meet Strategic Goals
5) Increase Management Accountability
6) Breaking Silos – Seeing Risk From A Holistic Approach
7) Develop Business Continuity (Louisot and Ketcham 2009, 1.19).

A strong ERM program encourages the buy-in of an organization’s internal and external stakeholders by establishing strategies that protect the organization’s reputation and assets.
Because any potential threat can have a negative impact on the public entity, crisis management and key public relations are critical in maintaining confidence among stakeholders. No risk management plan is perfect, but an organization that is prepared to identify, assess, analyze, implement, monitor, and evaluate all risks and is willing to work on improving those risk conditions will benefit from an ERM program. ERM Frameworks There are three basic ERM frameworks being used in the United States today by public entities. The first is the new ISO 31000:2009 which consists of three major parts: principles, a framework, and processes for managing risks. The second is COSO II: 2004 which defines ERM as a process driven from an organization’s board of directors that establishes an organizationwide strategy to manage risk within its risk appetite. The third is Australian/New Zealand Standard for ERM (AS/NZS 4360) that was published in 2004 as a generic framework for managing risk. ISO 31000:2009 A new International Standard, ISO 31000:2009, Risk management – Principles and guidelines, will help organizations of all types and sizes to manage risk effectively (International Standards for Business, Government and Society 2009). Rooted in risk management principles, ISO 31000:2009 is designed to provide an organized methodology to evaluate risk exposures and continuously scan and react to the environment. The framework consists of elements based on program design, implementation, and monitoring. The processes necessary for risk management emphasizes deliberate communication, context, risk evaluation and treatment, and follow-up. 3 The First Building Block of ISO 31000 states that a risk management plan should contain the following principles: Creates value – Efficiently using public entity resources. Integral part of organizational processes – Part of the public entity’s strategic plan. 
Part of decision-making – Improves decision making because there is a better understanding of risk exposures.
Explicitly addresses uncertainty – Reduces volatility in potential claims.
Systematic, structured and timely – Ability to track emerging risks.
Based on the best available information – Risk information is quantified, which can provide dollar amounts for potential impact.
Tailored – Customized reporting systems.
Takes human and cultural factors into account – Qualitative analysis of risk exposures.
Transparent and inclusive – Full disclosure of potential sources of risk.
Dynamic, iterative and responsive to change – Identifies changes in risk exposures.
Facilitates continual improvement of the organization – Monitoring and reviewing allows the organization to identify risk gaps and opportunities for improvement.
(International Standards for Business, Government and Society 2009)

The Second Building Block of ISO 31000 is having the right risk framework through the commitment of the Board or senior management teams. Once commitment is established, there is a loop of actions that include: 1) design of the framework, 2) implementation of risk management, 3) monitoring and review of the framework, and 4) continual improvement of the framework (International Standards for Business, Government and Society 2009).

Figure 1 – Second building block of ISO 31000 (Allen 2010)

The Third Building Block of ISO 31000 was adopted originally from AS/NZS 4360:2004 and assures that communication and monitoring run through the whole process of establishing the context, risk assessment, and the type of risk treatment used (International Standards for Business, Government and Society 2009).

COSO II: 2004

COSO II’s focus is to establish ERM goals as part of the strategic management process. It does not dive into the details of risk management approaches and processes, but it addresses the threats to the organization and the application of proper controls.
Figure 2 – COSO II Framework

AS/NZS 4360

The Australian/New Zealand Standard identifies risk management as a five-step process, as shown in Figure 3.

Figure 3 - AS/NZS 4360 risk management process (Broadleaf Capital International PTY LTD 2007)

As the diagram shows, risk identification, which is usually seen as the heart of risk management, is not the first step in the process. AS/NZS 4360 indicates that “to be able to recognize a risk it is necessary to know what is at risk” (Broadleaf Capital International PTY LTD 2007). AS/NZS 4360 is intended to provide only a broad overview of risk management. Public entities are expected to interpret this guide in the context of their own environments and to develop their own specific ERM approaches. While it is important to note that this standard has now been superseded by ISO 31000:2009, it is included because it was one of the most popular standards in publication and has a large range of supporting handbooks.

The essential difference between ISO 31000 and COSO ERM is in the focus of assessing and managing risk:
ISO 31000 is focused on consequences and provides a framework to help consider the ‘flow on’ consequences of an event occurring. It shows through its risk definition the effect of uncertainty on objectives.
COSO ERM is focused more on the events rather than the consequences of events. It shows through its risk definition the possibility that an event will occur and adversely affect the achievement of objectives.

In general, ISO 31000 has some significant advantages over COSO: at a concise 24 pages, ISO 31000:2009 is noteworthy for its simplicity and adaptability. It can easily be adapted for use by public and private companies, organizations and individuals, and can also be applied to a range of activities, from operations and processes to services and assets.
Plainly written, the document is accessible to Boards (CEOs, CIOs, CROs, Commissioners, Audit Committee, Risk Oversight Committee), risk practitioners, and controllers, helping them understand how to manage risk whilst exploiting opportunity. The information in the standard can be adapted to develop guidelines to assess existing risk management methodologies (Christina 2010).

ERM Certification

For those of you who might be interested in being certified in Enterprise Risk Management, the American Institute of Chartered Property and Casualty Underwriters has added a new course to their Associate in Risk Management designation called Enterprise-Wide Risk Management: Development and Implementation. The Risk and Insurance Management Society contributed to the course content and the course is now being offered nationwide. For more information, check the AICPCU’s website www.aicpcu.org to locate a class near you.

1 Risk Culture

To begin an enterprise risk management program we must start by focusing on risk identification practices. Risk identification is used to take inventory of all types of risk the organization faces, categorize and prioritize those risks, and then link those risk exposures to the organization’s strategic plans. The first step in the risk identification process is to understand the risk culture of the organization (Louisot and Ketcham 2009, 2.3). Risk culture is the organization’s attitude toward risk. In order to achieve innovation-related goals, an organization must have a culture that encourages its stakeholders to take on risk. A culture that supports risk taking will in turn influence risk management practices by integrating the awareness of a risk culture into the overall risk management plan. The typical drivers of an organization’s risk culture are connected to its risk appetite. The risk appetite refers to the total amount of risk to be taken to achieve a given business objective.
An organization’s risk appetite can be determined by the values and behaviors of its stakeholders. If the values and behaviors of the organization focus on constant improvement, the organization will value those activities and encourage those processes that will improve the performance of its operations. There are two sides of risk. The upside of risk allows for a positive return on one’s investment, and the downside of risk results in a negative outcome or loss.

Three Views of Risk

An organization’s view of risk can be classified into three categories:
1) Risk Seeker
2) Risk Avoider
3) Risk Optimizer

A risk seeker has the greatest potential for reward, but may underemphasize a risk’s impact, variance, and potential negative effects. A risk avoider is obsessed with risk and typically will try to transfer all risk to another entity. The goal for any organization should be to find the balance between risk seeker and risk avoider and become a risk optimizer that finds the ideal risk-reward relationship, realistically evaluating potential outcomes and consequences (Louisot and Ketcham 2009, 2.19). Like organizations within the private sector, public entities operate in an inherently risky environment. By strategically managing their risks, public entities can reduce the chance of loss, create greater financial stability, and protect their resources so they can continue their mission of providing various services to the public. Their approach to risk is to optimize their resources and use a sound set of risk controls to minimize their exposures to risk. Risk tolerance refers to specific risk limits associated with a given business activity that an organization and its stakeholders are willing to bear within a given strategic context. An organization should ask itself what is the maximum amount of investment dollars it is willing to lose in order to reach a certain return on its investment.
By establishing this risk tolerance level, senior executives can have a clear vision of the direction they should pursue before they engage in any strategic or financial decision making. An organization’s executives and management team typically establish their strategic direction using three levels of goals and objectives:
1) Strategic goals are created at the board or executive level; they are general and conceptual and give the organization its direction.
2) Operational objectives are created at the staff management level; they are functional in nature and cut across all departments within an organization.
3) Tactical objectives are created at the line management level and represent specific tasks. These objectives relate to producing the organization’s products and services (Louisot and Ketcham 2009, 2.13).

At each level moving from strategic to tactical, the goals and objectives become more specific and detailed to appropriately address each level’s scope of responsibility. A public entity’s leadership must convince those who own the various risks throughout the organization why it is vital that they create value through ERM practices.

Public Entity Example - Longmont, Colorado

Debra Carson, the risk manager for Longmont, Colorado, has defined the roles and responsibilities of her staff on various risk goals and objectives and assigned them specific tasks based on their position within the organization. Her strategic team consists of the mayor, city council, city manager, city attorney and executive directors. Her operational team is made up of directors, managers, superintendents and supervisors, and her tactical team is her line workers. When developing their city’s emergency plan, Debra assigned the adoption of a written emergency plan to her strategic team. The strategic team was tasked with developing the risk criteria and scope of the emergency plan.
Her operational team was then assigned the responsibility of writing the emergency plan and addressing logistics, resources and implementation of the plan. It was then the responsibility of all employees of Longmont, Colorado to receive the necessary training for all identified emergency scenarios. In this process of aligning direction and planning, all departments’ and all employees’ objectives are brought together and rolled up to senior management and used to evaluate how the employees’ objectives align with the organization’s strategic mission and purpose. (Carson 2010)

Longmont’s start to implementing ERM is a straightforward and simple example of how the three levels of risk goals and objectives can be adopted by a city of almost any size. In order to ensure the success of an ERM program within an organization, the risk manager must go beyond merely convincing a line manager of the benefits of ERM and must show how to incorporate the organization’s risk management goals into his/her tactical objectives. By doing so, the line manager becomes a true risk champion and risk owner.
There are various methods to energize your line managers:
1) Provide clear risk goals and objectives that tie into the strategic plan
2) Create a mentor/protégé program to go over the risk goals and objectives
3) Provide the necessary training to address all risk exposures
4) Create performance metrics with the risk manager to measure the risk exposures
5) Create a record-keeping system of all the risk control processes and training
6) Create a budget and have employees create a list of resources needed to support the risk controls
7) Regularly review with the risk manager and employees how to improve the risk controls
8) With employees, create a list of incentives and recognition for supporting ERM

Three Elements of Sustainable Development

As public entities grow and expand their services and operations, a key strategic objective should be maintaining a viable sustainable development plan. Sustainable development directly affects an organization’s ability to achieve its goals. By practicing sound sustainable development practices, a public entity strikes a balance by using social, environmental and economic elements to meet its current needs without compromising the ability of future generations to meet their needs (Louisot and Ketcham 2009, 2.21). There are three elements in sustainable development:
1) Social - the well-being of the society
2) Environment - all natural resources utilized, altered, affected or made into waste
3) Economic - the production, distribution, and consumption of goods and services

Public Entity Example – Washington State Department of Transportation

The Washington State Department of Transportation (WSDOT) states that one of its strategic goals is to enhance Washington’s quality of life through transportation investments that promote energy conservation, enhance healthy communities and protect the environment.
WSDOT has identified some objectives to obtain these environmental goals:
• Identify the number of storm water facilities that need to be retrofitted or constructed
• Remove fish passage barriers
• Continue to work with state agencies, regional transportation planning organizations, and other partners to create a range of climate change mitigation options for transportation
• Implement, monitor and adjust strategies to reduce per capita vehicle miles traveled (VMT) and transportation-related greenhouse gas emissions
• Establish a centrally-coordinated State Ferries’ environmental program
• Improve alignment and coordination with other WSDOT environmental programs
• Improve environmental analysis in ferries system planning
• Improve compliance with environmental regulations

WSDOT is using new technology and innovative methods in its efforts to provide a more reliable, responsible and sustainable transportation system. WSDOT is taking steps to conserve fuel and energy, reduce carbon emissions, and protect the natural environment while keeping people and goods moving. WSDOT has developed an executive-level, cross-functional team to lead, enhance, and coordinate efforts to address sustainable transportation and climate change. This cross-divisional team is developing and employing effective, measurable, and balanced emission reduction strategies that directly involve 17 different WSDOT programs and 14 focus areas. Staff from each program are either directly responsible for or affected by the current climate change laws, or committed to their transportation vision of providing an integrated transportation system that is more reliable, responsible and sustainable. This effort is chaired by Katy Taylor, Public Transportation Director, and co-chaired by Brian Smith, Strategic Planning Director, with participation from Megan White, Environmental Services Director, Chris Christopher, Maintenance and Operations Director, and Nancy Boyd, Deputy Design Engineer.
“Adapting to our changing economy and environment and making our transportation system more efficient and accessible is critical and challenging. While there is no simple solution, WSDOT will continue to deliver projects and more travel options for people while finding additional ways to make the most of available resources and build a more sustainable transportation system. Sustainable transportation contributes to healthy ecosystems and communities: Cleaner water, air and soil result from WSDOT's improvement in project design, construction, maintenance and operation. Saving resources and fuel helps save taxpayer money and increasing options for people to share the ride helps increase traffic flow, benefitting everyone. More sustainable practices are a good investment now and in the future.” (Washington State Department of Transportation 2010)

2 ERM Plan - Internal and External Context

In order for a public entity to formulate its strategic plan, it needs to be able to perform an internal and external analysis of the organization and the current economic environment in which it operates. To do this it needs to use a SWOT Analysis (strengths, weaknesses, opportunities and threats), as shown in Figure 4, to evaluate where it stands in relationship to its strategic plan.

SWOT Analysis

Figure 4 - SWOT Analysis Chart (Wikimedia Commons 2007)

Internal Origin: A public entity needs to list all its strengths, such as the assets, competencies and attributes that enhance its performance. The next step is to prioritize those strengths based on the quality of the strength and the relative importance of the strength. It is equally important to list the lacking assets, competencies, or attributes that diminish a public entity’s ability to perform. The next step is to prioritize the seriousness of those weaknesses and the relative impact of those weaknesses on the public entity.
External Origin: A public entity also needs to look at the environment in which it provides services and list the conditions under which it can create opportunities to exceed current expectations. The next step is to prioritize those conditions based on the potential for exploiting the opportunities. Just as important as identifying opportunities is being aware of conditions that could pose a threat to the public entity. Once those threats have been identified, the next step is to create a list prioritizing each threat based on its seriousness and probability of occurrence (Louisot and Ketcham 2009, 3.4).

Public Entity Example – Dakota County, Minnesota

Dakota County, Minnesota has created an Operations Management-Risk Management and Homeland Security Manual that is tied to its annual budget and identifies key accomplishments (strengths) by strategic objective and challenges (weaknesses) by strategic objective (Hoopingarner 2010). Their key accomplishments are broken down into three perspectives:
1) Stakeholder
2) Financial
3) Internal

From the stakeholder’s perspective, their strategic objective is to provide a safe, healthy and productive environment. The strategic objective from the financial perspective is to deliver cost-effective solutions, and the strategic objective from the internal perspective is to capitalize on innovation. Each strategic objective lists several accomplishments that have been obtained throughout the year. For example, the following goals were achieved:
1) Recognized by the Minnesota Safety Council with the Award of Honor for the County’s safety performance. The only public entity in Minnesota to receive the award four times.
2) Developed the County’s After Action Report.
3) Secured $292,750 in grant funding through the 2009 Homeland Security Grant from the Metropolitan Emergency Services Board from the State Radio Board for a 16th radio channel for the Dakota County system.
4) Implemented the use of 800 MHz radios by Dakota County Community Corrections intensive supervision staff to check in with the Dakota Communications Center for personal safety checks when conducting high-risk home visits.
5) Developed guidelines and a training program for the use of personal protective equipment by County employees during a pandemic flu or other biological emergency.
6) Updated the Continuity of Operations Plan and exercised the plan for the departments at the Hastings Government Center. Completed training of new team members and incorporated future plan updates into a more accessible electronic format.
7) Completed awareness training on how to prevent slips and falls for all County employees.

Along with the strategic objectives there are challenges and responses that are identified from the perspective of the stakeholder. For example, some of these challenges are:
1) Continue to secure the time commitment from County Departments for risk management activities to actively involve departments in program/policy development and implementation.
2) Coordinate the ongoing use of the Dakota County 800 MHz Radio Subsystem amongst public safety, public works and the Dakota Communications Center.
3) Continue to improve the safety of County staff and reduce the frequency and severity of injuries.
4) Establish and maintain the appropriate level of security for all county buildings in light of changing security threats in the community.
5) Respond to increasing requirements for homeland security preparedness by the Federal Government with the State of Minnesota and local government.

Some forward thinking on the part of Dakota County is to respond to some of these challenges and come up with an action plan on how they will address these concerns.
It is important not only to list responses to challenges, but also to come up with a method to track who within the organization will be accountable for the response to the identified challenge, list the proposed action that will be taken, identify what resources will be used to address the challenge, and set a date when the corrective action needs to be completed. For example, Dakota County has also identified its responses to some of the challenges listed above:
1) Provide on-going management and technical support for the Dakota County 800 MHz radio subsystem.
2) Develop investment justification for projects under the 2010 Homeland Security UASI Grant program and successfully secure grant funding.
3) Assist the County Emergency Manager in updating the All Hazard Mitigation Plan. Coordinate with internal departments to document progress made towards achieving plan objectives and developing objectives for the next 5 planning periods.
4) Utilize the After Action Reports from the FEMA Integrated Emergency Management Course and the County-wide exercise at Flint Hills Refinery in October 2009 to develop an improvement plan through the Dakota County Domestic Preparedness Committee.
5) Complete a review of the Continuity of Operations Plan after action reports for the exercises conducted at the government centers during the last several years. Develop a compiled list of plan improvements for review and implementation. Conduct a tabletop exercise with the COOP Command.

Once the SWOT Analysis has been completed, senior management can develop long-term strategies that tie into the vision and mission statements of the public entity. The vision statement should answer the question, “Where do we want to go?” While a vision statement doesn’t tell you how you are going to get there, it does set the direction for your strategic planning. A mission statement is a brief description of a public entity’s fundamental purpose.
Public Entity Example – San Francisco Airport

In 1981, San Francisco Airport created an Airport/Community Roundtable as a voluntary committee to address community noise impacts from aircraft operations at San Francisco International Airport. Its mission statement states that the Roundtable monitors a performance-based noise mitigation program implemented by airport staff, interprets community concerns and attempts to achieve noise mitigation through a cooperative sharing of authority among the aviation industry, the FAA, SFO management and local government (San Francisco International Airport/Community Roundtable 2003).

Elements of a Strategic Plan

When developing a strategic plan, the public entity must consider three main elements: the suitability of the plan, the feasibility of the plan, and the acceptability of the plan.

Determining the suitability of the plan requires answers to the following questions: Do we have the necessary resources to implement the strategic plan? Are there obstacles that stand in the way of accomplishing the strategic goals? Will there be organizational support to proceed with the strategic plan?

For the feasibility of the plan you need to know the following: What initial resources are needed to implement the strategy? At what point will the break-even point be realized? What is the return on investment for the proposed projects in the strategic plan? What additional investment dollars are needed to implement the strategic plan?

To ascertain the acceptability of the plan you must ask the following: How will we determine the individual benefits for employees who implement the strategy? What happens if we don’t reach our expectations with the strategic plan? How much risk is the organization willing to take on? What risks do we want to avoid? How will each group of stakeholders react to the changes created by the strategy?
(Louisot and Ketcham 2009, 3.5)

Strategy Implementation

Strategy implementation is the process of making the strategies work within an organization. The first thing you need is to establish the risk criteria, which include the standards, measures, and expectations that will be used to compare a given risk against the strategic goals of the organization. The risk criteria can include costs and benefits, legal and statutory requirements, and socioeconomic and environmental factors. The entire staff of a public entity is responsible for the implementation of the strategic plan. There are four main steps in strategy implementation:
1) Assign specific roles and responsibilities to all stakeholders.
2) Establish risk communication so that all stakeholders have a clear vision and understanding of the strategic plan.
3) Evaluate the necessary resources needed, such as finance, staff, training, time, equipment, data and technology.
4) Monitor results by comparing the goals of the strategic plan with actual mid-year or quarterly results, and make adjustments where necessary to achieve the stated goals (Louisot and Ketcham 2009, 3.6).

Strategy Evaluation

Strategy evaluation is crucial to measure the results of the strategic plan against the goals set in the strategy formation stage. As a result of evaluating the results of the strategic plan, there may be areas that need to be improved or adjusted in order to reach the desired result. Strategy evaluation might also show where the strategic plan’s concepts did not connect in the implementation phase and will require adjustments. Unexpected outside economic forces may change the outcome of the strategic plan (Louisot and Ketcham 2009, 3.6).

Risk Maturity Model

One of the tools used to evaluate an ERM program is a risk maturity model, which can be used as a scorecard. It reviews the ERM performance throughout the organization, tracks various attributes, and grades them on their maturity level.
The Risk Maturity Model is based on the Capability Maturity Model, a methodology founded by the Carnegie Mellon Software Engineering Institute (SEI) in the 1980s. It is used to take a snapshot of where the organization’s risk program stands today. You can then compare your personalized assessment against the full guidelines and develop a plan for improving processes and increasing effectiveness in your risk management program (Risk and Insurance Management Society 2008).

Public Entity Example – State of Washington

The state of Washington has created a risk maturity model it calls the ERM Maturity Model (ERMMM) (Office of Financial Management, State of Washington 2010). The ERM Maturity Model is a scoring tool used yearly to measure the progress of ERM implementation on a scale from 1 (beginning) to 6 (advanced). Over time, scores should increase as ERM programs become more robust and more fully integrated into agency planning and operations. Washington’s agencies have demonstrated the expected increases over the last three scoring cycles. Although the design can vary, maturity models are routinely used as a scoring tool in ERM programs to measure progress. All maturity models acknowledge that it requires several years of commitment and practice to achieve and master the higher levels of maturity. Since 2006, Washington has used a specially developed maturity model for state agencies to score their ERM efforts. The ERMMM measures ERM implementation in five areas:
o Fundamentals of risk management
o Executive leadership
o Integrating ERM into agency culture
o Applying ERM principles, and
o ERM embedded into agency strategic business operations.

The scores for each measure are totaled together and the overall results translate to an ERM maturity level from 1 (beginning) to 6 (advanced). Washington agencies have increased their ERM program implementation and maturity model scores significantly over the past three years.
3 Risk Intelligence

One of the challenges among organizations is deciding which information is most critical in making decisions that could impact their future. Knowing what type of information to gather can seem daunting or overwhelming. After you have gathered the information on the organization’s strengths, weaknesses, opportunities and threats as discussed in the previous chapter, the next step is to organize that information into potential causes, events and impacts. The organization is then able to track the existing and emerging risks throughout the risk management program.

“Risk intelligence is both a process and a product. It consists of the organizational ability to collect and collate data, statistics and information on risk and volatility. This is followed by the systematic analysis, interpretation and presentation of the information. The end goal is decision making that produces the most favorable outcomes under existing circumstances. The purpose of risk intelligence is to provide senior leadership and the board with facts, options, assessments of those options, and views as to what lies beyond the readily observable. Superior risk intelligence underlies the most effective responses and most efficient deployment of resources for addressing material and critical risks. It provides a competitive advantage to organizations that understand risk intelligence and employ it effectively. Collecting data and information about known and emerging risks is essential. However, the organization must also have an ongoing process to correctly organize, access, analyze, interpret and present the information in order to enable senior management to make critical decisions.” (Bugalla, Hackett and Kallman, et al. 2010)

Risk Categories

Risk intelligence is only as good as the data collected. The question for many organizations is what sort of data should be collected in order to help senior management understand all the risk exposures?
There are several risk categories that should be considered when taking a holistic approach to risk. Some of these categories include:
1) Strategic Risk - Services to citizens, capital improvement projects, maintaining growth
2) Compliance Risk - OSHA, EPA requirements, employment practices
3) Financial Risk - Credit rating, property taxes, balanced budgets
4) Operational Risk - People, processes, and systems
5) Environmental Risk - Property and premises, safety, weather conditions
6) Human Capital Risk - Retirement, training of employees and retention of employees
7) Reputational Risk - Activities that could alter the public’s opinion of an entity
8) Technological Risk - Problems that could be encountered with the technology in the organization
(Louisot and Ketcham 2009, 1.11)

Public Entity Example – Dallas/Fort Worth International Airport

Dallas/Fort Worth International Airport has an Executive Level Risk Council composed of various department heads. These department heads sat down with the Director of Risk Management at DFW, Norma Essary, in a brainstorming session and listed all the potential risks from their departments. Each department’s risks were then listed under the above risk categories with their potential risk outcomes. The risk council consists of the departments shown in Figure 5.

Figure 5 - DFW ERM Risk Council (Essary and Yip 2010)

DFW Airport’s Risk Council has taken the different risk categories and identified the risks that are associated with their strategic goals. This has allowed them to see how these risks and potentially new emerging risks could impact their strategic plan (Essary and Yip 2010). See Figure 6.

Figure 6 - Risk Categories/Identified Risks

Public Entity Example – University of California

Another example of gathering risk intelligence information is the University of California. The UC System needed a proper framework for its enterprise risk management program.
Their existing reporting and decision-support system did not give their decision makers a complete picture of all their risk exposures. UC engaged IBM to implement an Enterprise Risk Management Information System (ERMIS). The ERMIS integrates what was once isolated data into a unified system that now provides near real-time information to all levels at the University of California.

ERMIS is a customized information system that provides users with a wide selection of data to conduct their jobs. This information is based on what they need, how they would like to receive information, and how much data they need for analysis. The user requirements will change based on what role the users are playing at a particular time. In one instance, a user may require open access to explore a large amount of data. In another instance, the user may simply want to review summary data on a weekly or monthly basis.

Figure 7 - ERMIS Sources of Information (University of California 2010)

The ERMIS system provides stakeholders with relevant and actionable information regarding their key performance indicators (KPIs). KPIs are quantifiable measurements, agreed to beforehand, that reflect the critical success factors of an organization. They will differ depending on the organization. For example, a school may focus its KPIs on the graduation rates of its students. A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. It differs from a KPI in that the latter is meant as a measure of how well something is being done, while the former is an indicator of the possibility of a future adverse impact. A KRI gives us an early warning to identify a potential event that may harm the continuity of the activity/project. The UC System uses ERMIS as a risk intelligence tool that has become a valuable asset in the data warehousing of various sources of data within the UC System.
“ERMIS integrates risk and controls to related information in a centralized data management environment to enhance analytic capabilities across the University of California. Though ERMIS is initially focused on targeted KPIs intended to lower the overall cost of risk across the enterprise, the vision is to extend ERMIS across the enterprise.” (University of California Office of Risk Services 2010)

The ERMIS system helps the university understand what drives subpar performance and costly losses. By providing better and more current data and analytical tools, senior officials can better understand the return-on-investment (ROI) associated with various remediation strategies and tactics. According to Grace Crickette, Chief Risk Officer for the University of California, “ERMIS significantly improves the University system’s ability to identify and manage risk. UC will be able to more effectively focus its risk management efforts and ultimately save the University money.” (Crickette 2010)

When it comes to the exchange of data throughout the University of California, it is understood that internal, operational, and consumer-facing reports are the primary vehicles for the communication of information in the UC environment. Some of the capabilities of ERMIS include:

1) Standard Reports
2) Dashboards
3) Guided Analytics/Interactive Reports
4) Personalized Reports
5) Managed Ad hoc Reports
6) Alerts and Notifications
7) Syndicated Reports
8) Cohort Analysis
9) Visualizations

The initial launch of dashboard reports included 11 KPIs focused on various aspects of Safety and is entitled “Safety Index”. More than 250 dashboard reports have since been created at UC, with many more in the pipeline. Rollouts have targeted enterprise-wide information, as well as information specific to individual campuses and medical center locations and departments within each.
With a continued focus on risk management, subsequent KPI development activities have involved collaboration with a broad range of subject areas, for example:

1) Medical centers
2) Human resources
3) Waste reduction and recycling
4) Environmental health and safety
5) University and campus general counsel
6) External financing and debt management
7) International travel (University of California 2010)

Figure 8 - ERMIS Dashboard

Figure 9 - ERMIS Metrics

Performance Management System

Another way to track risk intelligence is through a performance management system. Performance management scorecards are used to summarize performance status information from multiple source systems. They enable management to monitor both the changes in financial results and progress toward key operational targets that are linked to strategic plans and goals. ERM that is incorporated into an organization’s strategic plans links operational objectives and organizational goals and allows an organization to confirm its performance accountability.

Public Entity Example – State of Washington

The State of Washington uses a Government Management Accountability and Performance system (GMAP) to measure and improve the performance of its state agencies. GMAP is modeled after two successful programs in major American cities: CompStat in New York City and CitiStat in Baltimore, Maryland. Washington State was the first state in the nation to adapt these data-based management models to improve the results of statewide programs and services. GMAP is a tool set designed to hold state government and agency leadership accountable to customers, taxpayers, and citizens. To improve the quality, efficiency, and effectiveness of the services in Washington State government, seven principles, rooted in management theory and common sense, define the GMAP philosophy and practice.
1) GMAP stresses the personal presence of senior managers and others needed to make decisions.
2) GMAP is a management tool, not a presentation.
   a. Effective measures require clarity on how programs and services will influence their departments.
   b. How agencies will use measures to manage programs and get results.
3) Develop and use timely and accurate performance data to set targets and inform decisions.
4) Reward candor in identifying and diagnosing performance barriers, and creativity and commitment. When the data indicates needed action, quickly and clearly specify what needs to be done, who will do it, and when it will be done.
5) Agency leadership should be relentless in following up on commitments made in action plans. They should also monitor results over time to verify that change is real and sustainable.
6) Agencies should use process improvement tools to get better results (State of Washington 2010).

The Governor and her leadership team hold regular, public meetings where agency directors report in person on the most critical policy challenges they face in achieving results. The meetings are organized around the Governor’s highest priorities, including public safety, economic vitality, and the protection of vulnerable children. She holds the leaders of state agencies accountable for their agencies’ results and for initiatives that require the collaboration of multiple organizations. The discussions are candid and direct, and the concept of business as usual is never automatically accepted. Decisions are based on analysis of data and evidence about what strategies work best. Agencies are held accountable to follow up and report back on outstanding issues. The GMAP process gives the Governor and the public a clear, concise view of how government programs are working and whether citizens are receiving value for their tax dollars.
Public Entity Example – Washington State Department of Transportation

Washington State Department of Transportation provides five major forms of performance reporting: the Gray Notebook, the Governor’s Government Management Accountability and Performance Program, the WSDOT website, budget activity reporting and transportation goal attainment reporting. The Office of Financial Management is responsible for setting detailed objectives and establishing performance measures for the six statewide transportation policy goals (Hammond, Business Directions: WSDOT's Strategic Plan 2011-2017 2010):

a) Safety - To provide for and improve the safety and security of transportation customers and the transportation system
b) Preservation - To maintain, preserve and extend the life and utility of prior investments in transportation systems and services
c) Mobility - To improve the predictable movement of goods and people throughout Washington state
d) Environment - To enhance Washington’s quality of life through transportation investments that promote energy conservation, enhance healthy communities and protect the environment
e) Stewardship - To continuously improve the quality, effectiveness and efficiency of the transportation system
f) Economic Vitality - To promote and develop transportation systems that stimulate, support, and enhance the movement of people and goods to ensure a prosperous economy (Hammond, Business Directions: WSDOT's Strategic Plan 2011-2017 2010).

These six goals become the foundation of the WSDOT Strategic Plan 2011-2017. Under the strategic goal of safety, WSDOT has identified eight objectives to vigilantly reduce risks and increase safety on all state-owned transportation modes and reduce fatalities and serious injuries.
Here is a list of their objectives and the action plan to achieve those objectives:

1) Highway Safety: Reduce fatal and serious injury collisions by 50% over the next ten years, moving towards Target Zero. Work with partners, including the Federal Highway Administration, Washington State Traffic Safety Commission, Washington State Patrol, and local agencies to identify and address priority highway safety needs.
2) Ferries Safety: Improve safety on state ferry vessels and terminals. Improve vessel lifesaving capabilities, improve the post-accident investigation process, and expand the ferries’ Safety Management System.
3) Airport Safety: Improve safety at 16 state-managed airports. Remove physical obstacles such as trees that intrude into critical airspace.
4) Rail Safety: Improve the safety and security of rail transit systems, including light rail, street cars, and monorails. Administer federal rail transit safety oversight requirements for rail transit systems, including light rail, street cars, and monorails.
5) Workers’ Safety: Continue to advocate WSDOT’s worker safety program to attain injury and illness reduction targets with the goal of zero work-related injuries and illnesses by 2019. Enhance communication of worker safety expectations and goals within WSDOT and with partners, and establish a comprehensive return-to-work program.
6) Bridge Risk Reduction: Reduce the risk of bridge collapse due to earthquakes, liquefaction, and foundation scour during high water flows. Complete bridge seismic retrofit projects funded by the Transportation Partnership Account to reduce seismic risks. Develop and begin implementing the I-5 lifeline corridor plan to provide for safety and mobility during catastrophic events.
7) System and Facility Security: Improve WSDOT’s ability to prevent, mitigate, and respond to acts of terrorism on transportation systems and facilities. Implement high-priority infrastructure “hardening” capital projects identified in vulnerability assessments.
   Improve ferry vessel security.
8) Continuity of Operations and Emergency Management and Response: Increase WSDOT’s ability to respond to, recover from, and deliver vital services during emergencies and disasters. Improve planning and coordination with local and regional partners. Improve WSDOT’s emergency response capabilities.

Senior management’s performance results are shown in how well they are able to use risk intelligence information to establish and manage ERM oversight roles. Their annual reporting of internal risk controls to the public must demonstrate integrity. The systematic approach of ERM allows public entities to illustrate to regulators that ERM principles originate at the senior management level and are practiced through all levels of the organization. A public entity’s senior management and board of directors are responsible for risk management oversight, including identification and evaluation of all emerging risks. Traditional management reporting only explains risk factors in a narrative format and doesn’t drill down to cause and impact. ERM allows senior management to examine a risk based on its cause and impact and to see the link to the automated or manual risk control activities that are designed to prevent a potential loss.

Regulatory bodies are proposing greater accountability for maintaining ERM governance standards at the board of directors’ oversight level. Board endorsement and sign-off on an organization’s ERM program will be evaluated in the context of three management principles now firmly incorporated into rational policy objectives:

1) Accountability
2) Transparency
3) Audit integrity

WSDOT has been the subject of several external assessments over the past 10 years by the Joint Legislative Audit Committee, Transportation Performance Audit Board, and most recently the State Auditor’s Office.
WSDOT values recommendations to improve its operations, and has developed comprehensive action plans to address those recommendations within its control. WSDOT action in response to the audit produced a new change order management process, reduced costs, improved project management and cost tracking, and improved maintenance project management.

4 Risk Assessment

Now that the risks have been identified, we need to discuss the various elements involved in conducting a proper risk assessment of your public entity. We’ll start by covering the basics of risk assessment and then we’ll introduce various tools that can be used to determine your level of risk. Finally, we’ll cover assessment reports that can be used to show a public entity's vulnerabilities and the estimated cost of recovery in the event of damage.

Risk assessment involves identifying the cause of a risk event, the risk event itself, and the impact and the velocity of the risk event. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat. Part of the difficulty of risk management is that the quantities with which risk assessment is concerned - potential loss and probability of occurrence - can be very difficult to measure. The chance of error in the measurement of these two concepts is large. A risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of equal importance. However, in practice it can be very difficult to manage the first situation when faced with the scarcity of resources, especially time, in which to conduct the risk management process. This leads to the first type of risk not being addressed soon enough, before it is too big to manage effectively.
Delphi Technique

To help assess the significant levels of risk, the Delphi Technique can be used to survey the organization and come up with what the group feels are the top risks of the organization. The Delphi Technique works as follows: each individual in the group is asked a series of questions to assess the top risks in the organization. Based on a quantitative or qualitative value assigned, the risks are categorized from greatest risk to least risk. A survey is given to each individual again with instructions to consider revising their responses based on the results reported to the entire group. This method continues until the group comes to a consensus (Louisot and Ketcham 2009, 6.18).

Once a public entity has assessed its enterprise risks, risk information can be mapped. Risk information mapping connects or “maps” enterprise risk information source applications to the organization’s reporting cycles and process responsibilities for managing risk control activities at specific points. Risk mapping uses a two-dimensional graph to identify, evaluate and prioritize a group of enterprise risks which could significantly impact an organization’s ability to accomplish its business strategies (Louisot and Ketcham 2009, 4.20).

Public Entity Example – San Francisco International Airport

San Francisco International Airport uses risk mapping in its risk assessment activities. The risk manager, Mike Warren, interviews senior management and key staff and asks them a series of questions to identify various risks within their departments. Those risks are then rolled up to the “Top 20 Risks” in the organization, and then through anonymous voting the “Top 20 Risks” are prioritized in a list from the greatest risk score to least. The risks in Figure 10 are ranked from highest to lowest based on their risk scores. The risk score is calculated by multiplying the average impact and likelihood scores for each risk (Warren 2007).
Rank  Risk                        Risk score
 1)   U.S. Airline                45.54
 2)   Concentration               43.55
 3)   Environmental               42.92
 4)   Long Term Cap               42.90
 5)   Recruit/Retain              39.65
 6)   Short Term Cap              38.35
 7)   Natural Disaster            37.52
 8)   Asset Management            36.48
 9)   Succession Plan             33.60
10)   IT-Security                 32.48
11)   Physical Security           32.33
12)   Construction Management     32.33
13)   Legal                       30.55
14)   Cost Containment            29.28
15)   Business Model Changes      29.07
16)   IT-Governance               26.46
17)   Competition                 23.03
18)   Health & Safety             21.93
19)   Third Party                 20.24
20)   Reg Compliance              15.96

Figure 10 - SFO Risk Ranking

In Figure 11 we see the values plotted in a graph to get a different visual representation of the relationships between impact and likelihood.

Figure 11 - SFO Risk Map-Macro View (Warren 2007)

In Figure 12 we see a zoomed-in view of the same data, where the scale has been narrowed down so that we can still see all the risks but get a better focus on the fact that likelihood is more dominant than impact.

Figure 12 - SFO Risk Map-Micro View (Warren 2007)

Causes of Loss

There are various classes of loss that an organization can experience. Here is an example of six potential causes of loss:

1) Human Cause - All personnel linked to an organization
2) Technical Cause - Tangible assets under direct control of the organization
3) Information Cause - All information that flows throughout the organization
4) Key Business Relationship - Involves relationships with others outside the organization
5) Financial Causes - Financial streams that flow in and out of the organization
6) Free Causes - Received from the environment without direct financial compensation (Louisot and Ketcham 2009, 5.8)

After identifying the types of causes of loss, the next step is to identify the types of events that could take place.
Here is an example of four potential event categories:

1) Economic event - Dramatic changes in the economy
2) Natural event - Generally weather related
3) Industrial event - Overall activity within an organization
4) Human event - Falls into two general categories, involuntary and voluntary (Louisot and Ketcham 2009, 5.11)

Level of Impact

The level of impact for an event can be viewed as primary or tertiary. Primary impacts are those that affect the organization’s resources. Tertiary impacts are those that affect third parties. The impact on resources is measured in quantitative and qualitative aspects. The quantitative aspects are expressed by frequency, magnitude, expected value, variation or time. The qualitative aspects include effects on culture, stakeholders, and goals. (Louisot and Ketcham 2009, 5.17)

Public Entity Example – Dallas/Fort Worth International Airport

Dallas/Fort Worth International Airport has used a risk assessment scoring template to track its various risk exposures. Figure 13 is a sample of what their risk assessment scoring template looks like:

Name__________________________
Title___________________________
Department______________________

Risk Category | Risk Name             | Risk Definition                            | Likelihood | Impact
Financial     | Decline in air travel | Reduced # of air travelers                 |            |
Human Capital | Aging workforce       | Loss in top leadership                     |            |
Legal         | Emerging legislation  | Ability to comply                          |            |
Operational   | Aging infrastructure  | Declining condition of assets              |            |
Strategic     | Use agreement         | Understanding obligations required         |            |
Technology    | Data Privacy          | Protect sensitive data                     |            |
Reputational  | Media Inquiries       | Ability to respond timely and accurately   |            |

Figure 13 - DFW Risk Scoring Template

Dallas/Fort Worth International Airport then evaluates the risk list using its rating scale and links the top risks to its Strategic Plan. The Executive Level Risk Council reviews these top risks and focuses with the department heads on initiatives to better mitigate these risk exposures.
Risk champions are assigned to each of the risks and risk metrics are put in place to measure their progress. The next step is to decide the acceptance levels of the risk relative to the achievement of the strategic objectives. (Essary and Yip 2010)

Using a risk register is another way of looking at risk from a holistic standpoint. A risk register is a tool developed at the risk champion level that links specific activities, processes, projects, or plans to a list of identified risks and results. A risk register is a living document that is continually updated and used to track and monitor risk. It allows the risk manager to view events in a larger context while focusing on the more essential individual risks to an organization. The risk register is an essential tool for managing and implementing rational decisions and becomes the foundation for sound governance. (Louisot and Ketcham 2009, 5.15)

Sample Risk Register

A risk register can be as simple as a spreadsheet, as shown in Figure 14, or it can be part of a complete enterprise risk information system. The main emphasis here is that the risk register does not have to be complex to be effective. The risk register allows senior management to evaluate the processes controlling their risks and determine if the right risk controls are in place to do so.

Figure 14 - Spreadsheet Template Risk Register (The Security Risk Management Toolkit 2006)

Public Entity Example – Vancouver, British Columbia (First Printed in Risk Management Magazine April 2011)

Prior to the 2010 Olympic Winter Games in Vancouver, many organizations across British Columbia’s multiple jurisdictions were involved with the Games’ risk, event, project, security and financial management.
These organizations included the Integrated Security Unit from the City of Vancouver, the Resort Municipality of Whistler, City of Richmond, Olympic Games Secretariat and several ministries of the provincial government of British Columbia, the Vancouver Organizing Committee (VANOC), and the International Olympic Committee, among others. Long before the Games opened in February 2010, planning for this event had been underway for more than a decade, beginning with the formation of the Vancouver Bid Society in 1998. The main objective of elected leaders and government officials was to ensure that Games-related functions, services and programs were ready on time and within budget while continuing to provide day-to-day services to citizens. They recognized the value of monitoring preparedness through an enterprise risk management (ERM) lens and asked the Risk Management Branch and Government Security Office (RMB) to lead the 2010 Winter Olympic Games ERM program on behalf of the provincial government.

The Olympics risk initiative became the largest coordinated enterprise-wide risk management effort undertaken by the Province to date. The RMB project team, which included Todd Orchard, Chris MacLean and Sharon White, compiled, collated and analyzed risks identified by dedicated staff within 29 provincial ministries, Crown corporations, and central agencies. This team produced biweekly reports for ministry executives and financial oversight bodies. They participated in weekly consultations with the Olympic Games Secretariat in its role as provider of project management oversight of the Province’s infrastructure and cultural commitments. They also liaised periodically with VANOC, which ran its own extensive and sophisticated risk management regime. The reporting provided a rolled-up view of over 300 risks and 400 mitigation activities.
It brought attention to critical vulnerabilities and created a mechanism for escalation of issues which required further action by government officials. This reporting system also identified interdependencies and interrelationships among the branches of government. Ask RMB’s Todd Orchard and Chris MacLean how they were able to administer an ERM program of such complexity, and they will say it begins with a clear understanding of the objectives. “All risk management efforts should link the goals and objectives of the organization to an event, project, or program” says Todd Orchard. The decision to focus first on objectives, before considering the risks, resulted in two deviations from the way risk management had previously been handled in British Columbia. The first difference was to depart from the typical risk categories such as financial, reputational, and legal as aids for risk identification. Instead ministry officials were asked to organize their risks into operational “buckets” based on the province’s Olympic-related objectives: 1) Services directed to the Games (e.g., food and water safety inspections to venues), 2) Olympic-related programs (e.g., risks to community celebrations, business hosting activities), and 3) Normal government service delivery to citizens (e.g., child welfare, hockey). As a result, instead of starting with a risk category, they started with an objective – the service they needed to provide – and later decided how it was best categorized. The second difference was a move from the more conventional cause and effect risk statement to a format which identified and separated the distinct elements of risk into risk event, cause, and impact. 
Many of the initial “cause and effect” risk statements missed tying the risk to an objective, leaving the question “so what?” Instead, by using an “event, cause, and impact” risk statement, objectives were explicitly incorporated into the risk identification, allowing for an easier understanding of severity and a more natural progression to mitigation strategies.

A risk event is something occurring which stands in the way of meeting a goal. For example, a risk event could be failure to maintain normal delivery of services to citizens. Causes are triggers to an event. These are situations or circumstances that could increase the likelihood of a risk event occurring. For example, transportation gridlock or changes to transit routes during the Games could prevent staff from accessing their work sites, resulting in reduced service delivery to citizens. Impacts are unintended consequences of the event occurring.

Separating these risk elements improved the ability to analyze and report from an enterprise perspective. They could identify commonly occurring events, causes, and impacts and relate mitigation efforts to specific causes. Reporting on areas of biggest concern – such as service delivery, privacy issues or budget constraints – in both statistical and narrative format enabled the RMB to share information about the status of Games preparedness with decision makers in a more natural manner.

Chris MacLean provides a real-life example of the benefits of such an approach. “One particular ministry has an office in Vancouver close to the venues and was worried about the effect of increased security and traffic congestion.” One of their initial risk statements was “security and traffic prevents or delays employees from getting to work.” When the risk was analyzed, however, it proved to be less significant than originally thought.
After all, the ministry was responsible for delivering a service to a vulnerable population, not just getting employees into the office on time. The risk event is a situation that could prevent delivery of service. Security restrictions and traffic congestion are only some of the potential causes. But concentrating on a specific cause rather than the objective to be accomplished could result in overlooking mitigation strategies that would allow service to continue despite the disruption. For example, working remotely from home or finding temporary work space away from the events could mitigate the risk in this situation. It would allow the essential service to continue despite employees not getting to their usual office location.

One of the biggest challenges faced by the RMB project team was helping the various Ministries think through the consequences of “what if” scenarios. Ministries were initially asked to consider impacts relative to the larger Games-related objectives, but few had enough information to accurately assess the value of their contribution to an event as large and far reaching in scope as the Winter Olympics. Understandably, individual Ministries would often either exaggerate the significance of their program or underestimate its importance. In response to difficulties assessing impact, the RMB team asked reporting ministries and agencies to consider the consequences in terms of impact on their program objectives. A catastrophic loss for a program was the total dissolution of that program. It was then up to the RMB team to assess how loss of a program would impact overall Games objectives and adjust the severity rating accordingly. The change was a call for increased reporting of mitigation implementation, including target risk ratings and current risk ratings. Target risk was the predicted remaining level of exposure once all planned mitigations were in place.
Current risk involved re-rating the risk based on mitigation implemented to date. This is where the risk register evolved from a risk identification tool to an assurance tool, by providing senior decision makers with evidence that risks were being sufficiently managed and that the overall risk profile was improving.

By all accounts the ERM initiative was a success. Government officials were provided evidence and assurance of Games readiness. The full risk register was updated monthly and contained the reporting information of all impacted ministries and agencies, including current risk rating and status of mitigation activities. The graphical representations provided an easy to understand status of mitigation activities, narrative reports provided greater explanation and context for decision making, and a bi-weekly “top ten” brought attention to immediate issues. Having all ministry information on a single form provided an enterprise perspective and provoked some healthy competition as ministry executives sought to be the first to move their risk status from red to green.

There was significant value in identifying and analyzing interrelationships and gaps from an enterprise perspective. Chris MacLean explains that, “Our bird’s-eye view of risks allowed the team to see where the efforts of one group could create unintended consequences for another group. For example, one government ministry was responsible for supporting a huge Olympic celebration in downtown Vancouver. The venue, however, was next to one of British Columbia’s largest courthouses, and the Ministry of the Attorney General identified resulting risks to the safe and secure transfer of prisoners to and from trial.
By rolling up risks from across different ministries, government as a whole was better able to coordinate planning across organizations, set overarching priorities, and allocate resources accordingly.”

The reporting format supported rational and pragmatic decision making because impacts were clearly described. The economy was slowing and government had declared that it would meet its obligations within budget. Any decisions or changes that could affect budgets or schedules received significant scrutiny. While these constraints might have extinguished some last minute big ideas, they also ensured that the Province was prepared when the Olympic flame was lit.

Reporting bodies tell us the process provided an effective route for escalation of issues beyond their control. Several agencies providing life-safety services identified potential capacity shortfalls due to the additional resources they needed to commit in direct support of the Games. By clearly identifying risks posed by this shortage of resources and by using the same methodology the rest of government was using to identify and rate risk, they were able to communicate the urgency of their requirements to senior decision makers and secure the necessary resources.

Figure 15 - Risk Rating Chart

Target risk rating is the risk rating expected or predicted once all proposed mitigations are in place. This is an important step, as it allows executives to see whether the proposed mitigations are likely to achieve a result that is satisfactory, whether the expected risk reduction is worth the required resources, or whether even more resources should be committed to lower the risk further.

Current risk rating: when risk management is applied to a project on an ongoing basis, with regular feedback and updating on risk mitigation implementation, the periodic rating of current risk allows executives to see the progress made to date. Ideally, the current risk rating approaches the target risk over time.
If not, this can serve as an important flag that a change of strategy and/or more resources are required.

Risk tolerance rating is the maximum level of risk executives are willing to accept for an event. This should be provided by the executives after having been briefed on the risk, the existing and planned mitigation, and the associated costs. It is closely related to the target risk rating. When the target risk and risk tolerance ratings are congruent, executives know that the risk mitigation strategy should lower risk to a level they are comfortable with.

The project was not without its bumps. Reporting bodies found the changing information needs challenging and confusing at times. In their defense, Todd Orchard said, “with no precedent and because of the unique nature of this event, the team couldn’t fully anticipate information needs and formats in advance.” As such, both the information being sought and the tools on which it was recorded evolved over the duration of the project.

Compounding this situation was the introduction of a new approach to identifying risks. Orchard tells us, “Even for those agencies with a more mature risk management culture, this change in methodology -- segmenting event, causes and impacts -- sometimes required significant unplanned effort and adjustment.”

Reporting agencies told us they were frustrated on occasion by a seemingly one-way information flow: “We didn’t do as well as we could at informing agencies who reported significant risks about the steps being taken at higher levels to mitigate those risks.” For example, risks related to protests, shared funding, extreme weather or catastrophic events were often beyond the scope of an agency to handle, but steps were being taken at more senior levels of government, or responsibility for the mitigation was assigned to a different department. As such, not everyone was aware of what was being done by others to mitigate risks they had identified.
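The two mechanics described in this chapter, SFO's risk score (average impact multiplied by average likelihood, ranked highest first) and the Vancouver RMB register with its event/cause/impact statements and target, current and tolerance ratings, can be combined in one small risk register. The code below is an added illustration, not software from SFO, the RMB or this publication; the 1-10 voting scale, the red/amber/green thresholds and the sample risks are constructed assumptions.

```python
"""Minimal risk register: SFO-style scoring plus Vancouver-style
event / cause / impact statements with target, current and tolerance
ratings.  Added illustration; scale, thresholds and data are assumed."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass
class Risk:
    event: str               # what stands in the way of an objective
    cause: str               # trigger that makes the event more likely
    impact: str              # consequence for the program objective
    category: str            # e.g. Operational, Technology (Figure 13 columns)
    likelihood: list[int]    # one 1-10 vote per rater (assumed scale)
    impact_votes: list[int]  # one 1-10 vote per rater (assumed scale)
    target: float            # rating expected once all planned mitigations are in place
    current: float           # rating after the mitigations implemented to date
    tolerance: float         # maximum rating executives will accept

    def score(self) -> float:
        """SFO rule: average impact x average likelihood (1-100 on a 1-10 scale)."""
        return round(mean(self.impact_votes) * mean(self.likelihood), 2)

    def status(self) -> str:
        """Traffic-light status (thresholds are an assumption):
        green - current rating at or below target
        amber - above target but still within tolerance
        red   - above tolerance; needs escalation."""
        if self.current <= self.target:
            return "green"
        if self.current <= self.tolerance:
            return "amber"
        return "red"

    def mitigation_sufficient(self) -> bool:
        """Target and tolerance are congruent: the planned mitigations
        should bring the risk to a level executives have accepted."""
        return self.target <= self.tolerance


def ranked(register: list[Risk]) -> list[tuple[str, float]]:
    """Top-N list, highest score first, as in the SFO ranking (Figure 10)."""
    return sorted(((r.event, r.score()) for r in register),
                  key=lambda pair: pair[1], reverse=True)


def common_causes(register: list[Risk]) -> list[tuple[str, int]]:
    """Causes shared by several risk events: one mitigation aimed at a
    shared cause addresses every event it triggers."""
    return Counter(r.cause for r in register).most_common()


def escalations(register: list[Risk]) -> list[str]:
    """Events needing senior attention: red status, or a mitigation plan
    whose target cannot reach the stated tolerance."""
    return [r.event for r in register
            if r.status() == "red" or not r.mitigation_sufficient()]


# Constructed sample register (not data from SFO or the BC RMB).
SAMPLE_REGISTER = [
    Risk("Service delivery to vulnerable clients interrupted",
         "Traffic congestion near venues", "Clients miss appointments",
         "Operational", [8, 7, 9], [9, 8, 10],
         target=20, current=35, tolerance=30),
    Risk("Community celebration cancelled",
         "Traffic congestion near venues", "Reputational harm",
         "Strategic", [4, 5, 3], [5, 6, 4],
         target=12, current=12, tolerance=15),
    Risk("Sensitive data disclosed",
         "Untested commercial software", "Privacy breach notification",
         "Technology", [3, 4, 2], [9, 10, 8],
         target=25, current=27, tolerance=20),
]


if __name__ == "__main__":
    for event, score in ranked(SAMPLE_REGISTER):
        print(f"{score:6.2f}  {event}")
    print("shared causes:", common_causes(SAMPLE_REGISTER))
    print("escalate:", escalations(SAMPLE_REGISTER))
```

Note that the third sample risk is flagged even though its current rating is close to target, because a target above tolerance means the plan itself cannot reach the level executives accepted.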
“A fair complaint certainly, as the team’s focus was the provision of timely, accurate and useful information to executive government. We sometimes failed to report back to the risk owner on the status of the actions they sought. We could have done a better job of that.”

Managing a large amount of data via spreadsheet was time-consuming, error-prone and constraining. Significant effort went into organizing information and formatting the spreadsheet for presentation to executives. Todd and Chris recommend a system solution for a project of this size or for a unit performing a chief risk function. A relatively simple relational database would suffice for the collection, collation, analysis and reporting of information. Commercial risk management software, if used, should be well tested and familiar to users beforehand.

The Branch provided risk identification assistance initially at bid development but did not become significantly re-involved until this project was initiated a number of years later. In the intervening years, the risk environment changed, including significant changes to the global security scene, games delivery, programming, venues, economic conditions and so forth. It is prudent to understand exposures at the earliest opportunity, to discuss tolerance and solutions, and to adapt and adjust as needed.

The cross-government approach to risk management was new to many of the executives and senior managers receiving the reports. In addition, the Olympics were a unique, complex and “one-off” event for the province. To paraphrase, executives didn’t know what they didn’t know. As such, they initially didn’t know what information to request. In the absence of such guidance and feedback, the team often assumed that no news was good news.

Many of the practices developed through the 2010 Winter Olympic Games risk management initiative have become regular practice for the RMB.
Todd and Chris host risk management workshops and assist BC public entities with risk identification projects, processes, programs and so forth. Identifying discrete events, causes and impacts improves reporting, particularly from an enterprise perspective, because it allows risk managers to see common root causes even if the events are seemingly unrelated. In addition, by closely linking risk identification to the organization’s goals and objectives, the objectives themselves are reinforced. “Sometimes we’re so busy doing what we do,” says Chris, “that we forget why we’re doing it. By identifying risk events in terms of organizational objectives, it reminds us what our goals are about and why we’re in the Public Sector.”

In the end, the Games were a success, and this initiative contributed positively to that outcome. It provided assurance of preparedness, allowed executives to be confident of progress, established a process for reporting agencies to escalate their issues, and served to advance risk maturity in the BC public sector. (Bugalla, Hackett and Narvaez, ERM in the Vancouver Winter Olympics 2011)

5 Root Cause Analysis

Root cause analysis (RCA) is a problem-solving method aimed at identifying the root cause of a problem or incident. The practice of RCA is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms. By directing corrective measures at root causes, it is hoped that the likelihood of the recurrence of the problem will be minimized.

At the outset, RCA is a reactive method of problem detection and solving: the analysis is done after an incident has occurred. As an organization gains expertise in RCA, it becomes a proactive method. RCA can then be used to forecast the possibility of an incident even before it occurs.
Five Schools of RCA

Root cause analysis is not a specific, sharply defined methodology; there are many different tools, processes, and philosophies of RCA in existence. However, most of these can be classified into five very broadly defined “schools” that are named by their basic fields of origin:

1) Safety-based RCA comes from the fields of accident analysis and occupational safety and health.
2) Production-based RCA has its origins in the field of quality control for industrial manufacturing.
3) Process-based RCA follows production-based RCA, but with a scope that has been expanded to include business processes.
4) Failure-based RCA is rooted in the practice of failure analysis as employed in engineering and maintenance.
5) Systems-based RCA has emerged as an amalgamation of the preceding schools, along with ideas taken from the fields of change management, risk management and systems analysis. (Duffy, Moran and Riley 2010, 1)

The primary aim of RCA is to identify the root cause of a problem in order to create effective corrective actions that will prevent that problem from ever re-occurring, otherwise known as the ‘100 year fix’. In order to be effective in RCA, an organization should perform a systematic investigation in which its conclusions as to the root cause are backed up by documented evidence. There is always one true root cause for any given problem. The difficult part is having the stamina to reach it. To be effective in the analysis, a sequence of events or timeline is needed to understand the relationships between the contributory factors, the root cause, and the defined problem.

A sample RCA process flow chart shows the evaluation steps in the analysis.

Figure 16 - Root Cause Analysis Process Flow (Anselmo 2009)

Three Basic Causes

As you begin the process of finding the true root of the problem, you will usually find three basic types of causes:

1) Physical causes – A tangible or material item failed in some way. For example, a car’s brakes stopped working.
2) Human causes – People did something wrong or did not do something that was required. Human causes typically lead to physical causes. For example, no one filled the brake fluid or the brake pads were not changed, which led to the brakes failing.
3) Organizational causes – A system, process, or policy that people use to make decisions in doing their work is faulty. For example, no one person was responsible for vehicle maintenance and everyone assumed someone else had filled the brake fluid or changed the brake pads. (Duffy, Moran and Riley 2010, 3)

Public Entity Example – State of Washington

The State of Washington is using root cause analysis to help its state agencies avoid merely treating symptoms and to encourage drilling down to the problems that contribute to risk events. In order to effectively treat a risk, it is necessary to know its root cause. The primary goal of using RCA is to analyze problems or events to identify what happened, how it happened, and why it happened, so that actions for preventing recurrence are developed. The state uses a nine-step approach to RCA:

1) Verify the incident and define the problem
2) Map a timeline of events
3) Identify critical events
4) Analyze the critical event’s cause and impact
5) Identify root causes
6) Support each root cause with evidence
7) Identify and select the best solutions
8) Develop recommendations
9) Track implementation of solutions

RCA is not a one-size-fits-all methodology. There are many different tools, processes, and philosophies of accomplishing RCA.
In fact, it was born out of a need to analyze various enterprise activities such as:

• Accident analysis and occupational safety and health
• Quality control
• Efficient business process
• Engineering and maintenance failure analysis
• Various systems-based processes, including change management and risk management

The process of discovering the real source of a problem can help transform a pattern of behavior where people react to problems into a society that solves problems before they become major incidents or accidents. The root cause is secondary to the goal of prevention, but without the root cause, one cannot determine what an effective corrective action for the defined problem will be. The nature of RCA is to identify all contributing factors to a problem or event. Some of the analysis methods used in RCA include:

The “5-Whys” Analysis – A simple problem-solving technique that helps users get to the root of the problem quickly. It was made popular in the 1970s by the Toyota Production System. This strategy involves looking at a problem and asking “why” and “what” caused this problem. Often the answer to the first ‘why’ prompts a second ‘why’, and so on, providing the basis for the “5-Whys” analysis.

Barrier Analysis – An investigation or design method that involves the tracing of pathways by which a target is adversely affected by a hazard, including the identification of any failed or missing countermeasures that could or should have prevented the undesired effects.

Change Analysis – Looks systematically for possible risk impacts and appropriate risk management strategies in situations where change is occurring. This includes situations in which system configurations are changed, operating practices or policies are revised, new or different activities will be performed, etc.
Causal Factor Tree Analysis – An investigation and analysis technique used to record and display, in a logical, tree-structured hierarchy, all the actions and conditions that were necessary and sufficient for a given consequence to have occurred.

Failure Mode Effect Analysis – A ‘system engineering’ process that examines failures in products or processes.

Fish-Bone Diagram or Ishikawa Diagram – Derived from the quality management process, it is an analysis tool that provides a systematic way of looking at effects and the causes that create or contribute to those effects. Because of the function of the fishbone diagram, it may be referred to as a cause-and-effect diagram. The design of the diagram looks much like the skeleton of a fish.

Pareto Analysis – A statistical technique in decision making that is used for analysis of a selected and limited number of tasks that produce a significant overall effect. The premise is that 80% of problems are produced by a few critical causes (20%).

Fault Tree Analysis – The event is placed at the root (top event) of a ‘tree of logic’. Each situation causing the effect is added to the tree as a series of logic expressions. (Office of Financial Management, State of Washington 2010)

Some benefits the State of Washington has seen by implementing RCA among its agencies are that they can now identify barriers and the causes of problems so that permanent solutions can be found. Agencies are now developing a logical approach to problem-solving using data that they already have. Each agency is identifying current and future needs for organizational improvement. The agencies are establishing repeatable, step-by-step processes, in which one process can confirm the results of another. (State of Washington Office of Financial Management 2010)

6 Role & Responsibilities of a Risk Champion

In an ERM framework, risk managers are charged with assessing risk across the organization using a holistic perspective.
The risk manager of the public entity leads the ERM efforts and divides the organization into risk centers with designated risks. A risk center is a department or unit within the organization charged with the risk exposures that are related to its duties and responsibilities. The risk champion is the individual accountable for the identification, assessment, analysis, and implementation of an ERM program and for monitoring risk in that department or unit. (Louisot and Ketcham 2009, 6.7)

Figure 17 - Risk Based Organizational Chart (Essary and Yip 2010)

Risk Centers

The advantage of dividing the public entity into various risk centers is that the risk champion becomes the eyes and ears for the risk manager on the emerging risks in their department or unit. The risk champion is not necessarily responsible for performing actual risk management activities, but they must have the authority necessary to ensure that others in their department carry out all the required tasks. Developing risk centers also allows for the involvement of operational managers, who have valuable knowledge and a different perspective that can contribute to the risk analysis process.

Once risk centers have been identified, the next step is to identify and assess the risks that each risk center faces by listing the resources used by each risk center, the threats to each of those resources, and the opportunities they may present. There are various resources that a public entity can use to identify risk exposures:

1) Create surveys to be used to assess the organization’s risks
2) Brainstorm on potential ‘What if’ scenarios
3) Review balance sheets and income statements
4) Review supporting documentation on operational processes
5) Evaluate the operational flowcharts and organizational charts
6) Conduct personal inspections and interviews (Louisot and Ketcham 2009, 6.9)

Of these resources, the balance sheet and income statements become critical for a public entity in revealing risk exposures.
The balance sheet lists many of the public entity’s assets, liabilities, and resulting net worth as of a particular date. The senior management team bases its assessment of the financial condition of the public entity on its cash position and its balance sheet. The balance sheet can help senior management see the importance of risk management at each risk center by identifying the assets and liabilities impacted at each risk center.

A simplified balance sheet method of risk identification examines the balance sheet through four main categories: short-term assets, long-term assets, short-term liabilities, and long-term liabilities. For example, the balance sheet’s list of assets can be used to identify property values that are exposed to risk. One flaw of the simplified balance sheet method is that it does not capture exposures that cannot be tracked through the accounting system, such as environmental, reputational, strategic, etc. It also focuses on the downside of a decrease in assets and an increase in liabilities by approaching risk from an insurable loss perspective. (Louisot and Ketcham 2009, 6.9)

The public entity’s goal in developing risk centers should not be to create isolated silos. Risk champions should be cautious when creating their risk center’s goals and objectives so that they do not focus solely on their own department’s risk exposures. They need to see how their risks, as well as the risks of other risk centers, may impact the whole organization. This organization-wide approach to evaluating risks is referred to as integrated risks. Integrated risks are those risks that have a potential impact across many levels of the organization. In an organization that applies ERM, all risk champions will be able to identify and address risks not only within their own department but between departments.

It is important that the risk manager maintain effective communication with all the risk champions within the organization.
The risk manager should conduct regular interviews with each risk champion. These interviews will enable the risk manager to identify critical resource-related risks by asking about the “how”, “who”, “where from”, and “where to” elements of the organization’s work flow process, as well as to determine the effectiveness of the organization’s communication plan.

Interview with the Risk Champion

Objectives:
1) Review with the risk champion their departmental objectives and how those objectives tie to the organization’s strategic goals.
2) Are there new emerging risks that the department should be aware of?
3) How are these new emerging risks being quantified in the ERM program?

Resources:
1) How is your department organized?
2) Who works in your department and what are their job responsibilities?
3) What resources are used in your department?
4) What products or services does your department create?
5) How do you share information within your department?

Strategic Questions:
1) How would you operate tomorrow if your building and contents were destroyed?
2) If there was a labor strike or a natural disaster, what are your plans to continue operations?
3) How does your organization identify and address emerging risks or potential opportunities for growth?

What Are Your Risk Mitigation Techniques for the Following:
1) Safety prevention and reduction
2) Integrated risks
3) Continuance plans
4) Crisis management
5) Reputational risk (Louisot and Ketcham 2009, 6.11)

While minor risks are managed at the risk center level, the more significant risks to the organization need to be addressed at the senior management level. A risk might be more complex than what the risk center understands and therefore should be rolled up to the senior management team to evaluate all the potential consequences of the risk exposure.
For example, a decision to make a change in the everyday work flow process might be handled well at the risk center level, yet a decision to change the supplier of a key component part would be best addressed at the senior management level.

While senior managers are responsible for the organization’s successful management of threats and opportunities, they cannot oversee every risk. They can only integrate risk management with the existing culture. The responsibility for risk management must be owned at various levels of management. Middle management must have the authority to manage the risks it is responsible and accountable for at the operational level. It must achieve the appropriate level of risk through specific processes and people. The middle managers then report to senior management and communicate their findings and recommendations. If problems occur, senior management can then assist in addressing the internal threats and opportunities.

Line management consists of department heads, supervisors and functional managers who operate as risk champions within their department. They are in the best position to understand and manage their risks. Risk responsibility at this level is essential in an ERM program. Risk responsibility for a specific risk should be assigned to the stakeholder who either creates the risk or is primarily affected by its volatility, because he or she is often in the best position to manage the risk and motivate others to control it.

Assigning risk responsibility to individuals should be a thoughtful process. Individuals who are assigned risks should have the competency and skill set to provide the training, incentives and tools to manage the risk. Risk champions must follow the organization’s risk appetite and follow the established rules regarding how the organization manages risk. Their understanding of the organization’s goals and objectives helps them promote safety and risk awareness.
The greater a person’s motivation to do their best, the harder he or she will strive to obtain their objectives. (Louisot and Ketcham 2009, 13.10)

7 Dealing with Unexpected Events

Organizations experience some type of unexpected event daily. Some unexpected events, such as citizens complaining about garbage pickup, are very basic and easy to remedy. Other disruptions, like Hurricane Katrina or a major earthquake, are more severe and interrupt normal business activities. So the question we need to ask is “How severe does an unexpected event need to be before the services of a public entity cease?” There are four system-level definitions to describe the degree of severity of an unexpected event:

1) Simple State System – The unexpected event can be resolved through routine decisions.
2) Complicated State System – The unexpected event is more difficult to resolve than a simple system’s, but is not unusual.
3) Complex State System – The unexpected event is unusual and potentially critical to the organization.
4) Chaotic State System – The unexpected event is a dramatic, unforeseen situation that threatens the organization’s survival. (Louisot and Ketcham 2009, 7.4)

The simple state system assumes that the normal day-to-day activities of the public entity are not interrupted because senior decision makers have plans in place to address the unexpected event. The decision on how to solve problems can be easily made based on current staff’s experience and knowledge. Best practices are in place and contain highly regulated processes and procedures. Risk communication between decision makers and line workers is swift and easy.

The complicated state system entails events that involve both known and unknown pieces of information. Best practices may not resolve the problem created by the unexpected event. The solution to the unexpected event might not be immediately apparent to decision makers.
Leaders of the organization might need to investigate their options before deciding on the best solution. Risk communication is essential between decision makers and line workers, and it is important that communication flows in both directions.

It becomes a little harder to identify the solutions to a complex state system. The situation in a complex state system is not predictable, and little thought has been given to a possible solution. A complex state system has a combination of known and unknown facts and requires flexibility in finding the correct solution. Risk communication must be free flowing to allow senior management to gather all the necessary information to find the best solution.

A chaotic state system, like a natural disaster, that threatens the organization’s survival must be communicated from the top down only. Organizational leaders must quickly gain control of the situation and salvage as much as possible. An unexpected event at this level should be addressed through crisis management procedures. The immediate goal of the leadership is to restore the organization to its normal operational system.

Hurricane Katrina is a good example of a chaotic state system. The results of the hurricane were a substantial loss of life, a lack of essential services and the destruction of many homes and businesses. It took time for local, county, state and federal government bodies to manage the impact of Hurricane Katrina. The question is: what lessons were learned from the event?

Hurricane Katrina Critical Challenges

THE FEDERAL RESPONSE TO HURRICANE KATRINA: LESSONS LEARNED report (Townsend 2006) came out with recommendations to President Bush in February of 2006 on how to better handle a natural disaster. The report lists several key breakdowns in the system that needed improvement for a future natural disaster event:

1. National Preparedness
2. Integrated Use of Military Capabilities
3. Communications
4. Logistics and Evacuations
5. Search and Rescue
6. Public Safety and Security
7. Public Health and Medical Support
8. Human Services
9. Mass Care and Housing
10. Public Communications
11. Critical Infrastructure and Impact Assessment
12. Environmental Hazards and Debris Removal
13. Foreign Assistance
14. Non-Governmental Aid
15. Training, Exercises, and Lessons Learned
16. Homeland Security Professional Development and Education
17. Citizen and Community Preparedness (Townsend 2006, 51)

These 17 challenges did affect the ability of the Federal Government to respond to the events surrounding Hurricane Katrina. The crisis management structure in place did not adequately respond to a hurricane of this magnitude, and clearly there were flaws in the system. These flaws included a) unified management of the national response, b) command and control structures within the Federal government, c) understanding of the preparedness plan and d) regional planning and coordination.

“Soon after Katrina made landfall, State and local authorities understood the devastation was serious but, due to the destruction of infrastructure and response capabilities, lacked the ability to communicate with each other and coordinate a response. Federal officials struggled to perform responsibilities generally conducted by State and local authorities, such as the rescue of citizens stranded by the rising floodwaters, provision of law enforcement, and evacuation of the remaining population of New Orleans, all without the benefit of prior planning or a functioning State/local incident command structure to guide their efforts.” (Townsend 2006, 52)

The Federal government cannot be the Nation’s first responder. State and local governments are best positioned by their logistics to play a larger role in disaster response. The Federal government is best suited to assist local and state governments in their efforts at disaster recovery.
But when local and state governments are overwhelmed or incapacitated by an event that has reached a catastrophic outcome, only the Federal government has the resources and capabilities to respond. The Federal government must therefore plan, train, and provide the necessary resources to meet the requirements for responding to a catastrophic event. (Townsend 2006, 52)

The National Response Plan’s Mission Assignment process proved to be far too bureaucratic to support the response to a catastrophe. Melvin Holden, Mayor-President of Baton Rouge, Louisiana, noted that, “requirements for paper work and form completions hindered immediate action and deployment of people and materials to assist in rescue and recovery efforts.” (Melvin “Kip” Holden 2005) Far too often, the process required numerous time-consuming approval signatures and data processing steps prior to any action, delaying the response. As a result, many agencies took action under their own independent authorities while also responding to mission assignments from the Federal Emergency Management Agency (FEMA), creating further process confusion and potential duplication of efforts.

This lack of coordination at the Federal headquarters level reflected confusing organizational structures in the field. Federal resource managers had difficulty determining what resources were needed, what resources they already had, and where to locate those resources at any given point. Even when Federal managers had a clear understanding of what was needed, they often had a challenge determining whether the Federal government had the necessary asset to help in the recovery.

At the most fundamental level, part of the explanation for why the response to Katrina did not go as planned is that key decision-makers at all levels simply were not familiar with the plans. The National Response Plan (NRP) was relatively new to many at the Federal, State, and local levels before the events of Hurricane Katrina.
This lack of understanding of the “National” plan not surprisingly resulted in ineffective coordination of the Federal, State, and local response. Additionally, the NRP itself provides only the ‘base plan’ outlining the overall elements of a response: Federal departments and agencies were required to develop supporting operational plans and standard operating procedures (SOPs) to integrate their activities into the national response. In almost all cases, the integrating SOPs were either non-existent or still under development when Hurricane Katrina hit. Consequently, some of the specific procedures and processes of the NRP were not properly implemented, and Federal partners had to operate without any prescribed guidelines or chains of command. (Townsend 2006)

Traditional crisis management, in general, consists of writing down policies and procedures in manuals and periodically updating those manuals to maintain a current state of preparedness. The problem with this process is that manuals are intended to provide directions for managers in the exact scenarios addressed. However, the reality is that events might occur that have never been thought of before. Therefore, crisis management by following standard operating procedures, or just checking off the steps as outlined for preconceived emergencies, is not effective. Who is going to read the manual during the crisis?

Enterprise crisis management begins well before the potential unexpected event. It focuses on what the organization needs in place in order to survive, and it requires the involvement of senior leadership to run through the worst-case scenarios. A key component of enterprise crisis management is training the employees of an organization to expect challenges and to understand how to react in a crisis situation.

Fault Tree Analysis

Fault Tree Analysis (FTA) is considered one of the more useful analytical tools to identify those events that can or must occur in order to realize a certain outcome.
The FTA starts with the crisis event and drills down to the specific details of the cause of that event. The FTA methodology is used often because of its ability to distinguish between those risk causes that must all occur, represented by an AND gate (for example, a fire is started by three components: heat, oxygen and an ignition source), and those events of which any one can occur, represented by an OR gate (an underground storage tank can leak either by corrosion or by a puncture to the tank). These causes of loss can be traced back to the risk event.

The information charted on a fault tree provides a qualitative analysis by demonstrating how specific events will affect an outcome. By placing each contributing factor in its respective location on the tree, the investigator can accurately identify where any breakdowns in a system occurred, what relationship exists between events, and what interface occurred. If probability data is known for these events, then the FTA can also provide quantitative information to further evaluate the likelihood of reaching the top event.

Once developed, the fault areas that are responsible for yielding an undesired, or desired, event can be evaluated on the micro rather than the macro level, and this detailed information can help senior leadership respond correctly to a crisis event. Decision makers are then able to evaluate the chain reaction of events that can lead to the disaster and see where the weak areas in the response are. (Vincoli 1993, 135)

During the course of the investigation of the BP Oil Spill, the investigation team used fault tree analysis to define and consider various scenarios of failure modes and possible contributing factors. Through the fault tree analysis, the investigation team found eight key findings related to the causes of the accident. A sample of the fault tree used in the investigation is shown in Figure 18.
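The AND/OR gate evaluation and the quantitative use of a fault tree described above, as an added example that is not code from this publication, from Vincoli, or from the BP investigation. The tree reuses the chapter's own illustrations (fire = heat AND oxygen AND ignition source; tank leak = corrosion OR puncture); combining them under a single top event and every probability value are assumptions made here for illustration.

```python
"""Fault tree evaluation for the AND/OR gate example in this chapter.

Added example, not from the PERI publication, Vincoli, or the BP/TapRooT
investigation. The tree is built from the chapter's own illustrations:
a fire needs heat AND oxygen AND an ignition source; an underground tank
leaks by corrosion OR by puncture. The combined top event (an ignited
release) and every probability are assumed placeholder values, not data.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Union


@dataclass
class BasicEvent:
    name: str
    probability: float  # assumed chance the cause occurs in the period considered


@dataclass
class Gate:
    name: str
    kind: str  # "AND": every input must occur; "OR": any single input suffices
    inputs: List["Node"] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node, override: Optional[Dict[str, float]] = None) -> float:
    """Probability of the event at `node`, treating basic events as independent.

    `override` pins named basic events to a fixed probability, used below to
    ask "what if this cause were certain / impossible?".
    """
    override = override or {}
    if isinstance(node, BasicEvent):
        return override.get(node.name, node.probability)
    ps = [probability(child, override) for child in node.inputs]
    if node.kind == "AND":          # all inputs must occur: multiply
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":           # any input suffices: 1 - P(none occur)
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest sets of basic events that, occurring together, cause the event.

    This is the qualitative view: each cut set is one chain of causes that
    must all happen for the top event to be realised.
    """
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "AND":          # one cut set from every input, combined
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:                           # OR: each input's cut sets stand alone
        combined = [cs for sets in child_sets for cs in sets]
    unique = set(combined)
    # keep only cut sets that contain no smaller cut set
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def birnbaum_importance(top: Node, event_name: str) -> float:
    """P(top | cause certain) - P(top | cause impossible).

    Higher values mark the weak areas where a control on that cause would
    reduce the top event the most: the quantitative use of the tree.
    """
    return probability(top, {event_name: 1.0}) - probability(top, {event_name: 0.0})


# Constructed tree; probabilities are placeholders chosen for illustration.
FIRE = Gate("Fire", "AND", [
    BasicEvent("heat", 0.3),
    BasicEvent("oxygen", 1.0),          # assumed always present at an open site
    BasicEvent("ignition source", 0.2),
])
TANK_LEAK = Gate("Tank leak", "OR", [
    BasicEvent("corrosion", 0.05),
    BasicEvent("puncture", 0.01),
])
IGNITED_RELEASE = Gate("Ignited release", "AND", [TANK_LEAK, FIRE])


if __name__ == "__main__":
    top = IGNITED_RELEASE
    print(f"P({top.name}) = {probability(top):.5f}")
    for cs in minimal_cut_sets(top):
        print("cut set:", " AND ".join(sorted(cs)))
    causes = sorted({name for cs in minimal_cut_sets(top) for name in cs})
    for cause in sorted(causes, key=lambda c: -birnbaum_importance(top, c)):
        print(f"importance of {cause:16s} {birnbaum_importance(top, cause):.5f}")
```

Running it lists the two chains of causes that can produce the ignited release and ranks the causes, showing that on these assumed numbers the corrosion path, not the puncture path, is where a control buys the most reduction.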
Figure 18 - BP Deepwater Horizon Fault Tree (TapRoot 2010)

Continuity Plan

The senior management of the public entity should emphasize the importance of a Continuity Plan outlining how the organization will survive and succeed after an unexpected event. The Continuity Plan should direct each department in formulating a departmental plan that will coordinate with the entire organization. Each department’s plan should include the following:

1) Statement of acceptable level of functioning
2) Recovery time objectives, resources needed and potential failure points
3) Tasks and activities required
4) Procedures and processes
5) Supporting documentation and information
6) Structure to support the plan
7) Description of personnel duties and responsibilities
8) Description of the interdependencies among the various departments (Louisot and Ketcham 2009, 7.25)

An organization has an integrated combination of processes between the organization itself, its message, and its stakeholders’ expectations. An organization’s reputation can be enhanced or damaged as a consequence of these interactions. An ERM approach to risk of reputation involves carefully managing the public entity’s interactions with the general public, its stakeholders, and its employees. Public entities are under great pressure to be transparent in all their actions because they use taxpayers’ money. It is in the best interest of the public entity to develop a communication policy that includes periodic messages to stakeholders about the decisions of senior management regarding its business plans, its values, and its goals.

Risks to reputation are revealed when the organization’s message does not match up with stakeholders’ expectations. In order to address risk to reputation, roles and responsibilities must be thoroughly analyzed and clearly defined in the organization. Obstacles to the successful management of one’s reputation usually stem from a lack of clarity, resources and awareness.
For example, an organization might place a low value on reputation as an asset while focusing on tangible assets. When a disaster occurs, whether caused by natural or economic events, an organization needs to be careful about how it receives information and how it shares that information with internal and external stakeholders. Examples of such scenarios include the use of contaminated blood at a public hospital, an explosion at a public works building, or the failure of public entity employees to use personal protective equipment. When an organization responds poorly to a crisis, its stakeholders can lose trust and confidence in the public entity's ability to provide needed services to the public.

Public Entity Example – University of California

The University of California has a department dedicated to continuity planning. The Office of Continuity Planning was championed and funded by the Office of Risk Service at the University of California. It has a clear goal: to promote a comprehensive approach to event-readiness across the system. Although the initial focus of the Office of Continuity Planning is to develop continuity planning at all UC locations, the long-term goal is broader: to exploit the synergies among the three complementary preparedness methodologies of risk management, emergency management and continuity planning. Continuity planning has proved a difficult fit for the structure and culture of higher education. The most fully developed adaptation of continuity planning for higher education has been achieved at the Berkeley campus. Berkeley's program was conceived in 2001 by a broad-based campus committee and has been sponsored ever since by Associate Vice Chancellor Ron Coley. Currently 108 departments at Berkeley have completed continuity plans, and an additional 129 have plans in progress; 70% of these departments are academic or research units.
The cornerstone of Berkeley's success is its web application, UC Ready. Designed and built in-house, this do-it-yourself tool enables departments to create continuity plans with minimal coaching. The tool works equally well for all types of departments: instructional, research, libraries, museums, administrative, and other support units. Within the plan it produces a list of action items for readiness, and annual follow-up sessions update the plan and track completion of those items. “The Berkeley tool has attracted national attention: more than 30 universities outside UC have adopted it for use; it received a National Association of College and University Business Officers (NACUBO) 2007 Innovation Award and the UC System's 2007 Sautter Award; the Kuali Foundation is incorporating it into its suite of open-source tools for the higher education community; and the Mellon Foundation is funding its adaptation to the national arts community.” (Diamond 2009)

To protect its reputation, a public entity needs to be proactive in exceeding stakeholders' expectations. A public entity with a strong reputation can attract high-potential employees who in turn increase the overall value of the organization. Identifying the key sources of reputation risk enables the public entity to better protect that asset.

Public Entity Example – Centers for Disease Control and Prevention

“The Center for Disease Control and Prevention's mission is to promote health and quality of life by preventing and controlling disease, injury, and disability. CDC's credibility is of high priority to the agency. Leaders within CDC believe that how they are perceived is in direct relationship to how they communicate as an organization. Their reputation is perceived by many interested persons or groups that closely watch the agency's characteristics, achievements, and behaviors.
From the CDC's perspective, managing the agency's reputation is important because the agency must have the public's trust to do its mission, or risk:
1) Increased disease, injury, and death
2) Demands for the misallocation of limited resources
3) Circumvented public health policies
The CDC is very concerned about its reputation and has developed and proposed a separate risk assessment strategy to measure credibility. The tool CDC is using is referred to as RiskSmart, or Credibility Risk Management, and is an active, continuous and ethics-based assessment and engagement with all stakeholders to safeguard and enhance the agency's credibility. “According to the Canadian Integrated Risk Management Framework, a risk smart workforce and environment in the public service is one that supports responsible risk management, where risk management is built into existing governance and organizational structure, and planning and operational process. An essential element of a risk smart environment is to ensure that the workplace has the capacity and tools to be innovative while recognizing and respecting the need to be prudent in protecting the public interest and maintaining public trust.” The CDC identifies its reputation as the primary driver for implementing ERM. All agencies have this intangible asset, but few emphasize its importance. Other organizations also share this endeavor. Industry experts note that intangible assets such as brand equity and goodwill account for 70%-80% of a company's market value. Yet most companies don't proactively manage reputation risk until after their reputation suffers damage. Many organizations tend to focus their energies on handling threats to their reputation that have already surfaced.
This is not risk management; it is crisis management.” (Hardy 2010)

8 Integrated Risk Management

Integrated risk management is the integration of risk management, at every level of management, into all business and strategic planning and decision-making processes. It allows an organization to analyze the interrelationships among its risk exposures within and between departments and helps senior management see the impact of combined exposures.

U.S. Department of Homeland Security

According to the U.S. Department of Homeland Security, integrated risk management “is a structured approach that enables the distribution and employment of shared risk information and analysis and the synchronization of independent yet complementary risk management strategies to unify efforts across the enterprise. The goal of this policy is for DHS to work with its partners to use IRM as an approach to address the uncertainty inherent in this complex mission space, and help make the tough decisions necessary to keep the nation resilient and secure with limited resources. The policy is based on the premise that partnerships can enable the most effective risk management.” (Kolasky 2011, 1)

Figure 19 - DHS Risk Management Process (Miller 2010)

On May 27, 2010, Secretary Janet Napolitano issued a memorandum stating the Department's adoption of Integrated Risk Management as a fundamental concept that will guide its efforts within and across the homeland security enterprise. The goal of this policy is for DHS to use IRM to inform strategies, processes and decisions that enhance security, and to work in a unified manner to manage risks to the Nation's homeland security. DHS plays a leadership role in the Nation's unified effort to manage risk across the homeland security enterprise, which includes Federal, state, local, tribal, territorial, nongovernmental and private sector partners.
IRM is based on the premise that security partners working together can manage risk most effectively. IRM is integrated in that it includes the following:
1) Unifying efforts among all homeland security partners to ensure that strategies and actions are informed by a common understanding of homeland security risks
2) Ensuring that information and analysis about homeland security risks are incorporated into strategic and operational decision-making processes
3) Building a common understanding of risk management through development of a risk lexicon, risk-informed planning processes, training and standards of practice
4) Providing mechanisms to share risk data, risk assessments, and risk management decision support and analysis tools across the homeland security enterprise (Miller 2010)

Homeland security risks are inherently uncertain, and risk analysis will not always yield precise answers. The Department uses risk information and analysis to make its assumptions more transparent, encourage creative thinking, and provide defensible decisions made with the best available tools and information for the best achievable outcomes. Under its risk management process, DHS will develop methodologies, where appropriate, to determine the extent to which its programs and activities manage and reduce risks to the Nation. DHS will use this information, among other inputs, to measure the Department's progress toward achieving strategic goals, inform decision makers, build its budget, help guide the allocation of limited resources, and promote understanding and collaboration among homeland security enterprise partners.
DHS's Directive for Integrated Risk Management includes the following:
1) Incorporating risk management into component business practices
2) Establishing risk management capabilities, policies, processes, and practices consistent with DHS IRM policy
3) Appointing a lead executive with responsibility for integrating risk management
4) A periodic assessment of the Department's risk management capability
5) A risk knowledge management system (Miller 2010)

“If an approach to integrated risk management can be successfully developed and implemented, the opportunities for improving the quality and utility of risk analyses carried out by many components of DHS and by many partners should be extensive.” (National Research Council of the National Academies 2010)

Figure 20 - Integrating Risk across the DHS Enterprise (Miller 2010)

The value of IRM for homeland security includes the following:
1) Allows for more transparent and defensible decision making
2) Contextualizes homeland security threats, showing which are the most likely and which have the highest impact
3) Informs prioritization decisions among terrorism, natural disaster, cyber, pandemic and border security hazards
4) Provides a performance measure for programs across the homeland security mission space
5) Identifies opportunities for reducing or transferring risk (Miller 2010)

The Department of Homeland Security (DHS) Office of Risk Management and Analysis (RMA) conducted a study of risk management practices in public and private organizations between May and July 2010. The purpose of the study was to help guide RMA and Risk Steering Committee efforts to build a risk management program for DHS. The study consisted of over 20 one-hour interviews with executive-level risk practitioners at Fortune 500 companies, staff-level risk practitioners at government agencies, and individuals from other organizations who are familiar with risk management.
(Office of Risk Management and Analysis, Department of Homeland Security 2010) The study's key findings can be summed up as follows:
1) Risk management and analysis is being integrated across organizations.
2) Risk management activities are aligned to organizations' structures and processes.
3) Organizations use specific methods to improve the conduct and communication of risk analysis.

Challenges Faced

Numerous participants from the public sector expressed difficulty in achieving consistent support for their ERM initiatives. Many of these participants linked this to the high rate of turnover among the political appointees tasked with leading federal agencies. Several participants reported having efforts to implement a risk management program derailed by leadership changes at their organization. Other public sector participants reported problems implementing risk management programs when dealing with risks that had politically controversial implications. These are generally risks that the private sector does not face, because private firms have different mandates than government agencies or because they rely on the government to manage those risks. Many participants said their leaders were unwilling to apply risk management principles, such as risk positions or tradeoffs, to these issues. For example, one participant said that leaders at his agency were unwilling to state that they would accept any risk to the safety of their personnel. Interviewees also said that legislative mandates interfered with their ability to manage risk. Some private sector organizations managed their risk on a holistic, enterprise-wide basis, while many public agencies were managing risks on an uncoordinated, ad hoc basis. For example, attempts to coordinate interviews with participants from one government agency were complicated by the fact that disparate groups were responsible for overseeing the management of related risks.
The lack of a link between risk management and an agency's ability to achieve its objectives may explain why the public sector has lagged behind the private sector in adopting enterprise risk management. Many Federal agencies view risk simply as uncertainty, or as bad things that could happen to the agency or the public.

Tactics Employed

Given the challenges faced by the public sector, what tactics can be employed to move IRM adoption forward? Many interviewees said they were seeking to integrate the management and analysis of risk across their organization. The study found that organizations employed several tactics:
1) Organizations are increasingly seeking to understand and manage risk on a holistic, enterprise-wide level - The interviewees noted that risk management strategies could affect their business units unequally and that a good decision for one business unit could be a bad decision for another. They also said that without an enterprise-wide understanding of risk, business units may accept more risk than the organization's leadership is willing to accept, either individually or collectively.
2) Risk is commonly understood and assessed as it relates to an organization's objectives - The vast majority of interviewees said their organizations consider risk in relation to how it affects the organization's ability to achieve its objectives. One interviewee said he thinks “enterprise risk management is enterprise goal management.”
3) Risk management is incorporated into strategic planning - Almost every participant in the study recognized the importance of linking strategic planning and risk management, although few participants said they had done so successfully at their organization.
One participant in the study reinforced this focus, saying “strategy and risk need to be playing the same game.”
4) Organizations regularly track and monitor the risks they face - Participants wanted to find factors that were correlated with their organizations' risks, which could be tracked on a regular basis and give warning that exposure to those risks was changing.
5) An organization's leadership must be aware of its risks - Participants expressed concern that if there were layers between risk information and leadership, the risk information could be filtered before leadership had a chance to review it. Most interviewees said risk executives should have either direct access to, or regular meetings with, key leaders such as the Chief Executive Officer or Board of Directors.
6) Organizations attempt to facilitate cascading communication of risk - Many interviewees emphasized that risk information should flow up, down and across their organization. Interviewees said business units and project managers were responsible for using this information to develop implementation strategies. They emphasized, however, that leadership could not set its priorities without understanding the risks that business units and project managers face. As a result, interviewees said it was important that business units and project managers communicate risks to leadership, particularly when changing situations could merit altering risk management strategies.

There were several commonalities between the private and public sectors in how organizations structured themselves to manage and analyze risk most effectively. Some of these structural decisions lend themselves to better understanding and communicating risks, while others reinforced the aforementioned desire to analyze and manage risk in an integrated fashion. These commonalities include:
1) Organizations customize risk management programs to fit their needs and culture -
Each organization had a different context in which its risk management program was designed and implemented. While they acknowledged general standards that were used in the development of their risk management programs, interviewees noted that it is important for a risk management program to match the culture and operations of the organization it is designed to serve.
2) Leaders at the executive level must endorse and sponsor a risk management program - Interviewees repeatedly emphasized the importance of executive sponsorship of a risk management program. They noted that risk management programs require participants at all levels of an organization, and said executive sponsorship encourages that participation. Many participants noted that a risk management program is only effective if it is used to inform decision making. This means that leaders must support the program and incorporate the information coming from it when they make decisions.
3) Accountability for risk management should be clearly defined and risks should be managed by the unit closest to them - Organizations with well-developed risk management programs had clearly defined who in the organization was accountable for actually managing risks. In fact, many interviewees indicated that during the initial implementation of their risk management program, one of their first steps was to define which business units or executives were responsible for managing which risks.
4) Central risk management offices and committees have been established at many organizations - Interviewees said central risk management offices and risk committees share responsibility for overseeing their organization's process for identifying, assessing, and managing risk; creating tools and training to help business units with those processes; facilitating enterprise-wide discussions and decisions about cross-cutting risks; monitoring indicators related to risk; briefing organizational leadership about risk; and identifying emerging risks.
5) Risk management programs are facilitated by an executive at the organization - Interviewees at organizations with central risk management programs usually said their organization tasked an executive with facilitating the implementation of the program. However, interviewees cautioned that it was not enough simply to have an executive tasked with overseeing the organization's risk management framework; the organization must act on the framework as well.
6) Many programs start with a limited scope - When developing a risk management program, many interviewees said they started with a limited program. They pointed to a number of factors driving this, including limited resources, a desire to prove value before expanding, and the number of risks that would need to be considered if a program is not bounded. They then broadened the scope of their risk management program after the initial implementation.
7) Organizations rely on comparative studies and maturity models to assess their risk management activities - The organizations interviewed were using either a COSO or an ISO framework. Many organizations also used a maturity model to measure their risk management capabilities. However, interviewees were not able to point to a common benchmark standard that organizations could use to assess their relative maturity.
8) Organizations should work to instill a culture of risk management throughout their staff - Participants emphasized that their goal was not to create a risk management program that sat outside the organization's standard management processes, but one incorporated into those processes. Therefore, the emphasis of risk management efforts should not just be on developing a well-functioning and efficient risk management program, but also on changing the approach members of the organization take when making decisions.

There were also several common methods and principles interviewees mentioned when they analyze and communicate risk within their organizations. They said these methods were important to ensure decision makers understood risk analyses and were enabled to make risk-informed decisions.
1) Risk practitioners attempt to present risk in a simple and relevant manner - Numerous participants emphasized that risk information must be presented in a simple and relevant way. They warned that risk practitioners must not present information in a technocratic manner, lest their recommendations be misunderstood or ignored.
2) There are few strong metrics to measure the success of a risk management program - Every participant in the study said they had difficulty developing metrics that can be used to assess a risk management program. They said the benefits of risk management could largely only be assessed on a qualitative basis, as attempting to show that an organization avoided risks amounts to proving a negative. Some interviewees proposed output-type measures such as whether a risk management decision process is being used, while others proposed proxy measures such as the number of surprise risk events that affect an organization.
3) Formal risk positions are difficult to establish, but it is important for an organization to attempt to do so - Organizations often have trouble explicitly determining a position on the amount of risk they are willing to accept that could affect their ability to achieve their goals. This is similar to the concepts of setting risk appetite, risk tolerance or risk threshold. Many interviewees said they could not set an explicit risk position due to concerns from their legal departments or a simple unwillingness of leadership to say they were willing to accept risk. However, most study participants believed organizations should establish a risk position.
4) The identification of emerging risks is a priority for many organizations - Many participants noted that a key value of risk management is to help an organization anticipate risks before they materialize. Although risk managers cannot see into the future and will likely not be able to anticipate every risk that could affect an organization, the participants said risk managers should try to give their leadership as much warning as possible about new risks that could affect the organization.
5) When identifying and assessing risk, it is important to provide anonymity - Many interviewees expressed a belief that anonymity is important when attempting to identify and assess risk. They identified several reasons for this, such as the danger of groupthink and individuals' fear of mentioning risks or mistakes to regulators or leaders. These participants took great pains to provide anonymity to people in their organization who participate in risk identification and assessment.
6) Practitioners should encourage diversity of thought when considering risk - Several participants indicated that diversity of thought was not only important for risk assessment, but also a key benefit of it.
They said risk analyses are only as good as the cross section of individuals involved in the process, so a wide range of backgrounds and viewpoints should be incorporated into the analyses.

Because managing homeland security risks depends on a concerted, unified effort from a diverse set of organizations, DHS has established a Department-level Risk Steering Committee (RSC) that serves as the primary body for risk governance and provides a forum for all DHS Components to discuss and advance integrated risk management. The RSC has published a number of guidance documents to assist partners in conducting defensible, coordinated risk analysis, including the DHS Risk Lexicon (DHS Risk Steering Committee 2010) and the Risk Management Guidelines (Department of Homeland Security 2010). The DHS Risk Lexicon, which contains 123 terms related to the practice of homeland security risk management, improves communication, understanding, and information exchange among homeland security partners.

One of the tools RMA created is the Risk Assessment Process for Informed Decisionmaking (RAPID), a quantitative multi-hazard assessment of risk designed to provide information to Department leadership on homeland security risks and on the risk reduced by homeland security programs, in support of policy and resource allocation decisions. At its core, RAPID is a probabilistic risk assessment that examines how programs across the Department work together to manage the anticipated risks associated with the top-priority DHS strategic goals and objectives, so that future resources allocated to DHS programs are influenced by the programs' risk-reduction value. RAPID currently covers 12 hazard types and more than 30 DHS high-level programs. In 2009, RAPID was launched as a full-scale strategic risk assessment with production-quality decision support, and its results were used in the FY 2012-2016 DHS budget planning process.
In addition to RAPID, RMA has developed a number of methodologies to address specific homeland security challenges. Notably, RMA leads the assessment of risk to special events nationwide. Using a multi-hazard methodology that takes into account attendance and the specific vulnerabilities of the venue, RMA helps assign relative risk scores to over 8,000 special events annually. These risk scores are used by federal law enforcement agencies to determine the allocation of security resources for each event. At a more strategic level, RMA has also developed a methodology for conducting national-level risk assessments that provide a comparative assessment of homeland security risks to our national strategic interests. (Kolasky 2011)

Integrated risk management is a vital tool that can assist not only homeland security but also the broader public sector in allocating limited resources and effectively managing risks.

9 Using ERM in Project Management

In this chapter we discuss the implementation of an ERM program, utilizing the concepts and ideas from the previous chapters to develop an initial ERM project. The scope of this project should be set by the senior management of the organization and focus on specific risk criteria that can be measured and managed within a set time period. This gives the public entity an opportunity to get its feet wet with a smaller ERM project before implementing a broader ERM approach across the entity. Project management provides a systematic approach through which an organization can understand the scope of its responsibilities for the project. ERM helps identify the disciplines necessary for the organization to achieve its goals within that project and schedules key milestones for the planning and completion of the project.
Using ERM in project management can help a project manager anticipate potential risks associated with the project's objectives and organize and control activities so that the project is completed successfully.

Primary Activities

A project manager must master a number of disciplines, including stakeholder management, resource management, task management, and quality management, to realize a project goal within time, budget, and boundary constraints and with acceptable quality. The disciplines of managing the project team and communicating project information and progress are critical for the success of the project. Managing risks in a project is similar to managing risks in an organization, but it requires an increased focus on time and budget. Project risk management involves four primary activities: (Louisot and Ketcham 2009, 14.4)
1) Use the risk management process within the scope of the project
2) Focus on common project losses
3) Address the risks on the project's critical path, the longest-duration path through the work plan
4) Control scope creep, the unplanned activities that get added to the project
The purpose of project risk management is to ensure that the levels of risk are optimized so that the project's goal is achieved. The team assigned to a project might have an informal or a formal project risk management plan. Larger projects require a more formal and detailed risk management scope than smaller projects do.
The risk management process for a project consists of the following steps:
1) Establish the internal and external contexts: the context of the project in relation to the strategic goals of the organization and its relationship to its stakeholders
2) Risk assessment: identification, analysis and evaluation
3) Risk treatment: selecting and implementing appropriate risk management techniques
4) Monitor results and revise
5) Communicate and consult with all internal and external stakeholders (Louisot and Ketcham 2009, 14.12)

By applying ERM process techniques to a project, the organization aligns its strategy and risk management with the strategic goals and operational objectives of the project. The first step in the ERM process is to ensure that the project plan and charter are tied to the mission, vision, and goals of the organization. If a project represents a change in strategy, this should be communicated to all stakeholders. Some risks are common to all projects. By anticipating these common risks, a project manager can treat them early and address their impact on the project. Internal risks to a project include project scope, human resources, and operational risks. The lack of a clearly defined project scope can be the starting point for design flaws that plague a project, and the farther the project progresses, the more costly it is to bring it back on track. Team members and project participants are important resources for completing the project, and the loss of a key team member can derail it. Operational risk arises from the organization's business functions and from inadequate or failed internal processes, people and systems. If a project depends on any organizational operations for its completion, the plan should consider the ways in which failures in those operations could jeopardize completion.
External risks that should be considered in project management include natural perils, political risks, commercial and social expectations, and technology obsolescence. Natural perils are events outside human control and include floods, windstorms, volcanic eruptions and earthquakes. Political risk refers to complications arising from decisions by political or regulatory bodies that make it more difficult to achieve business goals. (Louisot and Ketcham 2009, 14.16) Commercial and social expectations change over time, and a project that no longer meets stakeholders' needs will fail to satisfy them; the project team can mitigate this by conducting adequate surveys before the project design and repeating them throughout the project. For a long-term project, there is a possibility of the chosen technology becoming obsolete. To mitigate that risk, the project team should scan the available technologies and select the best fit for the project.

Another item the project manager should budget for is unexpected losses. A good rule of thumb is to set aside about 10% of the total project cost in an account for potential losses. This way the project manager has a resource to pay for unexpected losses without having to ask decision makers for additional money. If money is left over after the project, it can be returned to the organization.

Buffer Time

Time estimates for project activities are not exact, so any activity may start or finish early or late. Activities that are not on the critical path have slack: the amount of time by which an activity can be delayed without affecting the overall completion date of the project. Activities on the critical path have no slack by definition, so the plan needs an explicit buffer, a reserve of days held against the critical path's finish date. Throughout the project, the project manager monitors the days remaining in that buffer.
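As an added example (not from the original text or from Louisot and Ketcham), here is the critical path method the paragraph refers to, carried out on a constructed six-task work plan: a forward pass for earliest start and finish, a backward pass for latest start and finish, slack as the difference between the two, and a simple model of how late finishes consume the project buffer. Task names, durations and the buffer rule are assumptions for illustration.

```python
"""Critical path, slack and buffer for a small work plan.

Added example, not code from the original text or its sources. The task list,
durations and the buffer-consumption rule are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed work plan: name -> (duration in days, [predecessor names]).
PLAN = {
    "charter": (5, []),
    "risk assessment": (10, ["charter"]),
    "design": (15, ["charter"]),
    "procurement": (20, ["design"]),
    "training": (8, ["risk assessment"]),
    "deployment": (10, ["procurement", "training"]),
}


def schedule(tasks):
    """Return (project_length, {task: (ES, EF, LS, LF, slack)}).
    ES/EF: earliest start/finish; LS/LF: latest start/finish; slack = LS - ES."""
    indeg = {t: len(p) for t, (_, p) in tasks.items()}
    succ = defaultdict(list)
    for t, (_, preds) in tasks.items():
        for p in preds:
            if p not in tasks:
                raise KeyError(f"{t!r} depends on unknown task {p!r}")
            succ[p].append(t)
    # Topological order so every task is placed after its predecessors.
    order, ready = [], deque(t for t, d in indeg.items() if d == 0)
    while ready:
        t = ready.popleft()
        order.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in work plan")
    # Forward pass: a task starts when its last predecessor finishes.
    es, ef = {}, {}
    for t in order:
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    length = max(ef.values())
    # Backward pass: a task must finish before its earliest-starting successor.
    ls, lf = {}, {}
    for t in reversed(order):
        lf[t] = min((ls[s] for s in succ[t]), default=length)
        ls[t] = lf[t] - tasks[t][0]
    return length, {t: (es[t], ef[t], ls[t], lf[t], ls[t] - es[t]) for t in tasks}


def critical_path(tasks):
    """Zero-slack tasks in start order: the longest path through the plan."""
    _, table = schedule(tasks)
    return [t for t in sorted(table, key=lambda t: table[t][0]) if table[t][4] == 0]


def buffer_remaining(tasks, buffer_days, actual_finish):
    """Assumed buffer model: the project buffer is consumed by the worst overrun
    of any finished task against its latest finish date (actual_finish is
    {task: day finished}). Critical-path tasks have LF == EF, so any lateness
    on them eats buffer immediately."""
    _, table = schedule(tasks)
    overrun = max((day - table[t][3] for t, day in actual_finish.items()), default=0)
    return buffer_days - max(0, overrun)


if __name__ == "__main__":
    length, table = schedule(PLAN)
    print(f"project length: {length} days; critical path: {critical_path(PLAN)}")
    for t, (es, ef, ls, lf, slack) in table.items():
        print(f"{t:16} ES={es:3} EF={ef:3} LS={ls:3} LF={lf:3} slack={slack}")
    print("buffer left after design finishes on day 23:",
          buffer_remaining(PLAN, 5, {"charter": 5, "design": 23}))
```

For the constructed plan the critical path is charter, design, procurement, deployment (50 days), while risk assessment and training each carry 17 days of slack; a three-day overrun on design leaves two days of a five-day buffer, which is the kind of reading the project manager watches at each status meeting.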
If the buffer becomes critically low, resources can be added to the critical path activities to ensure the entire project is accomplished by the target deadline. In regularly scheduled meetings, progress and problems with activities are discussed, and resources are identified that can resolve bottlenecks. If necessary, the project's sponsor may be asked to assist in resolving organizational issues. When an organization recognizes that change is needed, it first has to articulate the need for the change. For example, organizational threats could lead to the articulation of the need for change. (Louisot and Ketcham 2009, 14.18)

Scheduling Tools

There are two scheduling tools that are widely used in project management to help project managers track their projects. One is the Gantt chart, a bar chart that displays the amount of time required for each activity in a project, shows the sequence of activities to be performed, and provides the current status of those activities. The second tool is the Program Evaluation and Review Technique (PERT), which identifies a project's necessary events, the events that must be finished, and those events that are most time sensitive. (Louisot and Ketcham 2009, 14.7)

Example Gantt Chart
Figure 21 – Veterans Administration Project Timeline 2001-02 (United States Department of Veterans Affairs 2001)

Project ERM Goal

The goal of ERM is to embed risk recognition into every business decision. Too often, an organization's approach to risk management deteriorates into narrow compliance-based efforts that lead to underperformance. If properly executed, ERM projects can establish more reliable decision making and foster innovation to sustain performance. It is critical to the success of a project that leadership at the top of the organization buy in to the scope and mission of the project.
If the scope, mission, or risk criteria are not clearly spelled out, there can be confusion and disorganization. Board and executive leaders need to be aware of the risk criteria of the project and understand how delays in time and schedule can impact the project. It is essential that the board and senior executives drive the implementation of an ERM project because ERM involves the commitment of the entire organization. A common mistake in initiating an ERM project is failing to get complete buy-in from all key stakeholders. This executive group should ensure that all stakeholders understand the impact and scope of ERM and support the required changes so that ERM becomes the standard. (Louisot and Ketcham 2009, 14.3)

Public Entity Example – Washington State Department of Transportation

Providing reliable estimates is a fundamental responsibility of the Washington State Department of Transportation (WSDOT). The importance of estimating the costs and schedules of its transportation projects has never been greater. Equal in importance to project estimates are project risk and uncertainty. In order to more fully convey the characteristics of a project, WSDOT determines the uncertainty and risk associated with the project. WSDOT determines its tolerance for risk, which becomes an integral part of its project management. Traditional estimating practices tend to produce "the number" for a project, but a single number can mask the critical risk and variation assumptions made implicitly or explicitly for a particular project. A single-number estimate implies a sense of precision beyond what can be achieved during the planning, scoping or early design phases. Project engineers, project managers, business managers, and executives need to be prepared to answer three basic questions raised by the public and others about a project:

1) How much will this project cost?
2) How long will this project take?
3) Why are we doing this project?
WSDOT has found that the answer to these fundamental questions rests in the fact that an estimate is more properly expressed as a range. The range is comprised of two components: the base project estimate with the appropriate variability, and a risk component. By holding collaborative workshops with all parties involved in the project, WSDOT has been able to recognize the possibilities of risk and uncertainty. These workshops offer project teams the opportunity to ensure that real communication about project issues is taking place. In fact, many project managers find that the workshop discussions are the most valuable part of the process.

The WSDOT commitment to risk-based estimating and aggressive project risk management is demonstrated by the increasing use of e-tools that provide key updates:

1) Formalizes the use of risk reserves
2) Regular updates of project cost estimates
3) Consistent use of 4% construction contingency in base estimates
4) Project documentation, which must include the basis of estimate

WSDOT's project managers are engaging in proactive management of project risks more frequently and with greater enthusiasm. In addition, the project teams monitor and track the effectiveness of their risk response actions. WSDOT project managers are directed to conduct risk-based estimating workshops for all projects over $10 million (the total of preliminary engineering, right of way, and construction). These workshops provide information to project managers that can help them control scope, cost and schedule and manage risks for all projects.
Frequent Cost of Risk Categories:

1) Right of way acquisition
2) Structure & geotech
3) Environmental
4) Construction related
5) Seismic design criteria
6) Design related and access issues
7) Stormwater
8) Maintenance of traffic

Frequent Schedule Risk Categories:

1) Environmental
2) Permits
3) Right of way acquisition
4) Delayed decision-making
5) Political
6) Multiple contracts
7) Tribal issues
8) Restricted work windows
(Hammond, Publications 2008)

For many of the projects that WSDOT undertakes, it is possible to mitigate risk by specific actions taken by the project team or others in accordance with established risk management procedures. For example, an investment to gather additional design information can change the understanding of a risk. From soil borings to removing large boulders, unforeseen risk exposures can impact the outcome of a construction project. Appropriate risk response actions can then be taken to reduce the risk exposures of the project. In order for a project to be successful, Enterprise Risk Management must commence early in project development and proceed as project knowledge evolves and project information increases in quantity and quality. Monitoring of project development and risk exposure continues throughout the project, and formal risk assessment may occur several times through the life of the project. (Washington State Department of Transportation 2010)

Figure 22 – WSDOT Project Risk Management Chart (Washington State Department of Transportation 2010, xiv)

Public Entity Example – MassDevelopment

MassDevelopment is Massachusetts' state finance and development authority. It acts as both a lender and developer and works with private- and public-sector clients to stimulate growth by eliminating blight, preparing key sites for development, creating jobs, and increasing the state's housing supply.
Since 2004, MassDevelopment has financed more than 1,100 projects in nearly 200 communities statewide, representing an investment of more than $10.6 billion in Massachusetts. These projects are supporting the creation of more than 11,000 housing units and an estimated 50,000 permanent and construction-related jobs. In 2006, MassDevelopment's municipal real estate services staff helped facilitate a national panel of experts from the Urban Land Institute (ULI) to create a strategy for the revitalization of Springfield, Massachusetts. The adaptive reuse of the former federal office building at 1550 Main Street was a key recommendation of the ULI's strategy to revitalize the downtown area and secure its place as a vibrant urban center offering the neighborhood various cultural activities. (MassDevelopment n.d.)

In early 2007, MassDevelopment engaged a team of consulting architects and engineers to develop a rehabilitation and reuse plan for 1550 Main Street in Springfield. The architects looked at various plans for potential use of the building. In the end, the City of Springfield and MassDevelopment decided that the best option for the building was a mix of private and public tenants, which included the Springfield School Department, the General Services Administration and Baystate Medical Center.

MassDevelopment asks itself the following questions when starting a new project:

1) What are the requirements of the project?
2) Do they have enough money to meet the requirements?
3) Who's providing the requirements?

The purchase and rehabilitation of the project cost $11 million.
Some of the key aspects of the construction project included:

1) New entrance, lighting and signs
2) Lobby/atrium
3) Modernization/replacement of all four elevators
4) Upgrades to all of the building's restrooms
5) Exterior/building envelope repairs
6) Significant renovation to tenant space on the 2nd, 3rd and 5th floors

Some of the enterprise risks MassDevelopment addressed in this project were:

- Political risk – ensuring proper communication and sign-off was provided by local members of the city government and state government. To avoid any political pressures or concerns, the project manager, senior executives and the communications department documented the key political contacts at the city, state and federal levels. Each month a status call provided the key contacts with updates on the project. This mitigation resulted in open communication among all parties to the project and ensured there was no impact to the cost or schedule.

- Vendor risk – ensuring that they followed proper state procurement requirements for all vendors and that all vendors met MDFA's insurance requirements. Due to the project manager's experience and knowledge of the procurement process, she was able to start the vendor RFP process within a short time period so that the project could kick off within the project timeframe. Had the project manager waited, it would have delayed the opening of the building, affected the community, increased the cost and lengthened the schedule of the project.

- Safety risk – risk management reviewed the construction site and provided proper input into safety measures to ensure the public was not impacted by the atrium construction. The project manager involved risk management throughout the project life cycle. As a result, the risk team was able to identify safety concerns with the fencing around the outside construction area. This mitigation provided better safety for visitors and onlookers watching the outside construction.
This mitigation saved the project from insurance losses and from incurring fines from OSHA.

- Security risk – they needed to ensure they kept the same level of security since they were leasing to the Federal Government. They implemented a new security system that was less restrictive but provided more coverage, since they required a picture ID and security controls around the elevators and garage. This impacted the cost of the project, but drove increased revenue since the federal tenants remained in the building. This process also set a precedent for security in the area, which provided support to the local community.

It is important to note that ERM was executed at the program management level, whereas risk management was used at the project level. The project manager was not the owner of the risks; rather, the senior executive team were the owners of the risks. The project manager's responsibility was managing and monitoring the risks throughout the project, and senior management was responsible for how those risks could impact their strategic plans. MassDevelopment also included a contingency reserve of 10% of the budget, which was used to offset the cost of risk mitigation and issue resolution. (Drobris 2011)

Figure 23 – Critical Risk: Mitigation Plan

The process to identify the critical risks starts after the scope completion phase of the project. The critical risks are identified from the risk list associated with the project. Risk identification takes place through a risk measurement tool that measures the likelihood and impact of each risk on the project. The tool simply uses a 5-point scoring method to identify likelihood and then a similar scoring method to identify impact.
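The scoring step this section describes (likelihood and impact each rated on a 5-point scale, multiplied, and compared with the 0.42 critical threshold that a risk owner must then document a mitigation and contingency plan for) is small enough to show end to end. The following is an added example written for this guide; it is not MassDevelopment's risk measurement tool or any code from this publication. Because a product of two raw 1..5 scores runs from 1 to 25, while the page's threshold is 0.42, the example assumes each score is divided by 5 before multiplying (so each runs 0.2..1.0); that mapping, the sample register, and the names Risk, critical_risks, missing_documentation and contingency_reserve are all the example's own. It also applies the 10% contingency reserve rule of thumb given earlier in this section and in the MassDevelopment case.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption (not from the page): 1..5 scores are divided by 5 so that the
# product lies in 0.04..1.0 and can be compared with the 0.42 threshold.
SCALE_MAX = 5
CRITICAL_THRESHOLD = 0.42  # "usually (.42) and above" per the text


@dataclass
class Risk:
    """One row of the project risk list produced in the brainstorming session."""
    name: str
    likelihood: int                     # 1..5
    impact: int                         # 1..5
    owner: Optional[str] = None         # senior executive team owns risks
    mitigation_plan: Optional[str] = None
    contingency_plan: Optional[str] = None

    def score(self) -> float:
        # Reject out-of-range scores rather than silently mis-ranking a risk.
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"{self.name}: scores must be 1..{SCALE_MAX}")
        return round((self.likelihood / SCALE_MAX) * (self.impact / SCALE_MAX), 2)

    def is_critical(self, threshold: float = CRITICAL_THRESHOLD) -> bool:
        return self.score() >= threshold


def critical_risks(register: List[Risk],
                   threshold: float = CRITICAL_THRESHOLD) -> List[Risk]:
    """Risks at or above the threshold, highest score first."""
    crit = [r for r in register if r.is_critical(threshold)]
    return sorted(crit, key=lambda r: (-r.score(), r.name))


def missing_documentation(register: List[Risk],
                          threshold: float = CRITICAL_THRESHOLD) -> Dict[str, List[str]]:
    """Critical risks that still lack an owner or a mitigation/contingency document."""
    gaps: Dict[str, List[str]] = {}
    for r in critical_risks(register, threshold):
        missing = [f for f in ("owner", "mitigation_plan", "contingency_plan")
                   if not getattr(r, f)]
        if missing:
            gaps[r.name] = missing
    return gaps


def contingency_reserve(project_cost: float, fraction: float = 0.10) -> float:
    """Reserve for unexpected losses; 10% of project cost is the page's rule of thumb."""
    return round(project_cost * fraction, 2)


# Constructed sample register, loosely following the risk areas in the
# MassDevelopment case above; the scores are invented for illustration.
SAMPLE_REGISTER = [
    Risk("Political sign-off delayed", 3, 4, owner="Senior executive team",
         mitigation_plan="Monthly status call with city, state and federal contacts",
         contingency_plan="Escalate to agency leadership"),
    Risk("Vendor misses insurance requirements", 2, 5, owner="Senior executive team",
         mitigation_plan="Verify certificates before contract award"),
    Risk("Public injured near atrium construction", 4, 5),
    Risk("Elevator parts delivered late", 2, 2, owner="Project manager"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:45s} score={r.score():.2f} critical={r.is_critical()}")
    print("Undocumented critical risks:", missing_documentation(SAMPLE_REGISTER))
    print("10% reserve on $11M:", contingency_reserve(11_000_000))
```

Two things worth noticing when running it. The atrium safety risk scores 0.80 but has no owner and no plans, so missing_documentation flags it; that is the check the text implies when it says the mitigation and contingency document must be completed by a risk owner. The vendor insurance risk (likelihood 2, impact 5) scores 0.40 and falls just under the 0.42 line even though its impact is the maximum, which is the usual weakness of a pure likelihood-times-impact rule: a rare but severe event can sit below the threshold, so a register should be reviewed for high-impact items as well as for the computed score.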
Then a simple calculation gives the risk score by multiplying the likelihood score by the impact score. The project then sets a threshold, usually (.42) and above, so any risk with a risk score at or above this value is considered a critical risk, and a mitigation and contingency document must be completed by a risk owner. Also, in order to determine likelihood and impact, the project's key stakeholders meet and hold a brainstorming session to identify the risks and consequences to the project and rate them with the risk measurement tool. (Drobris 2011)

10 Risk Communication

An organization's ability to communicate plans of proposed activities to stakeholders during a crisis is critical to overcoming the situation, and it will greatly contribute to its ability to recover from such a disaster. Crisis management that is properly handled will mitigate organizational risk on several levels. Good communication with stakeholders is a key element in managing a crisis. When an organization implements its crisis management plan, its prime objective is to survive the crisis event. Its survival is dependent on its speedy return to normal operations. The most important element in crisis management is to establish trust among internal and external stakeholders. When a crisis does occur, the public entity's message to all stakeholders must be clear, address the pressing issues, and engage all the stakeholders to be diligent in the plans for recovery. Communication must demonstrate that senior management is committed to maintaining an environment of transparency in its decision making. All crisis communication must be consistent. The message must demonstrate integrity and authenticity. Even if corrections will need to be made to the recovery plan, candor and honesty in the public entity's performance during the crisis will regain trust among stakeholders.
(Louisot and Ketcham 2009, 8.7)

Crisis Communication among the Government Agencies during the BP Oil Spill

In March 2011, the U.S. Coast Guard posted a report that offers the first major assessment of the federal government's communication efforts during the BP Oil Spill, which commenced on April 20, 2010 and has been called the worst oil spill in U.S. history. The report states that effective crisis communication was hampered by the "several layers of review and approval by the White House and Department of Homeland Security". Many critics of President Barack Obama's Administration say that the Administration "looked at this as a political problem and not an operational problem". "After all", one source says, "the 2010 midterm elections were drawing closer as the oil spill crisis deepened, and the White House went into campaign mode." An administration official, however, strongly disputed that contention, saying "the involvement from the White House and DHS in Washington was a necessary step after what was first thought a relatively routine Coast Guard response became a unique and unprecedented government-wide effort" (Levine 2011). More than 47,000 people from federal, state and local agencies, private industry and NGOs took part in the response. "It was imperative given all the moving pieces that information remained consistent. We worked very hard throughout the course of the spill and executed a successful effort to consolidate the release of information among 17 federal agencies," said the U.S. Coast Guard official.
DHS appointed outgoing Coast Guard Commandant Thad Allen to be the National Incident Commander, and he was seen among many of his peers as "a credible spokesman who proved to be an effective means of communicating a unified message to the public." (Levine 2011) At the same time, the Coast Guard's report reads that the Coast Guard lacked "enough senior personnel with the requisite crisis communication training and, or experience to effectively manage the public affairs campaign for an incident of this magnitude." (Levine 2011) There were some crisis communication missteps, and one in particular was when Rear Admiral Mary Landry, then the head of the response effort in the Gulf Region, told reporters, "We do not see a major spill emanating from this incident." (Levine 2011) The statement was later retracted by the U.S. Coast Guard and showed the general public a lack of a unified message from the Coast Guard's senior management team.

Investigators found that federal agencies had pursued a "dysfunctional" communication strategy during the spill, with administration officials overturning existing protocols and exerting final authority over all public communication related to the spill response. The panel found that this strategy delayed the distribution of information, causing confusion and frustration among news media outlets and the public. Much of the daily updates on the BP Oil Spill were channeled up to the Unified Area Command and then "packaged and released after review and approval" from the DHS public affairs office in Washington, the report reads. Some of the senior Coast Guard officials expressed frustration with the process because the additional handling and approval required to release information to the media often prevented the response organization from providing real-time information, and some in the media perceived the Coast Guard as withholding information from the American public.
(Levine 2011)

"We clearly point out that the contingency planning was not adequate, certainly not for a spill of this size," said Roger Rufe, a retired Coast Guard vice admiral and the chairman of the team that produced the review. "There was a complacency that this was not going to happen at this scale." The report found that both the government and private sector "demonstrated a serious deficiency in planning and preparedness for an uncontrolled release of oil from an offshore drilling operation." (Robertson and Rudolf 2011)

The failure to master and monitor the planning process led to a lack of coordination between the unified command, which managed the response operation, and the state and local officials, who in some cases pursued separate response plans that were at odds with the overall operations. The report clearly states that the absence of local and state officials from the pre-spill planning process led to high-profile disagreements and some ill-advised response strategies during the spill. The report suggests that the command structure itself worked, but that many people were unfamiliar with it. The Department of Homeland Security has requested an additional $11.5 million in its 2012 budget to help bolster the Coast Guard's ability to respond to major spills, a department official said.
(Robertson and Rudolf 2011)

Conclusions to Government Agencies' Response to the BP Oil Spill

1) Quality of crisis communication is essential to resiliency
2) The message must be candid, address prominent issues, and engage all stakeholders
3) Open dialogue with the media
4) All communication must be consistent and truthful
5) Unit and operational managers must be made aware of ongoing risks
6) Establish the roles and responsibilities of agency employees who will respond to a crisis
7) Senior management must be kept current on developments in strategic exposures, governance issues and long-term resilience

11 Assurance in ERM

An ERM program is only as good as the information collected. Having the right monitoring tools in place will allow the public entity to capture the necessary data for risk identification, risk assessment and risk analysis.

Monitor and Review

When establishing an ERM program, it is important that the organization builds in monitoring opportunities to evaluate the success of the program. How is the ERM program working? Are the goals still appropriate based on the internal and external environment? Is the right risk intelligence being gathered to make informed decisions? Within the ERM framework, the organization must periodically measure performance against established goals and key performance indicators. Key performance indicators can include:

1) Reductions in total risk costs
2) Status of specific goals
3) Implementation of risk treatment recommendations
(Louisot and Ketcham 2009, 12.3)

The reason for reviewing the ERM program is to identify deficiencies and to establish an action plan to correct the problem areas. The action plan should designate who the responsible parties will be to make the corrections and a deadline for the actions to be completed.
Also, after an incident or accident the organization should conduct its own review of the risk event, its cause and its impact, and determine what went wrong and what needs to be corrected. Review and monitoring of the program can occur at various levels:

1) Self-assessment - also known as feedback loops, these are lower-level assessments
2) Audits - internal audits are lower-level assessments, while financial audits are higher-level assessments
3) Compliance - external compliance reviews are higher-level assessments and can involve fines, restitution, loss of license, or other administrative proceedings
4) Legal proceedings - the adjudication process is the highest-level assessment, whether through administrative law courts, tort law, or criminal law
(Louisot and Ketcham 2009, 12.4)

Organizations use these evaluation methods to measure and encourage results as well as to accomplish goals for various processes, including their ERM program. Specific procedures are required to link activities to results and show the progress of activities. The ERM assurance process provides valuable information to stakeholders in their decision-making process. It demonstrates strengths and weaknesses in the risk control measures and provides insights into where improvements can be made.

Public Entity Example – University of California

The University of California Office of Risk Services presented the results of a study conducted to identify some of the most common risks facing the higher education industry. They reviewed internal documents, searched through existing risk assessments, and looked up records that were searchable on the internet to find the risks that were most commonly talked about by UC, organizations associated with higher education, and other associations in the country.
Once they completed this information gathering, they created a list of the top risks grouped by category:

Hazard Risk
- Domestic terrorism (animal rights activists, ecoterrorists, stem-cell research opponents, etc.)
- Catastrophic natural event (earthquake, flood, fire)
- Pandemic
- Laboratory safety
- Facilities and grounds safety

Financial Risks
- Conflicts of interest in financial transactions and agreements*
- Budget impairment
- Ineffective service center / auxiliary management
- Non-compliant cost transfers
- Insufficient oversight over third party vendors
- Improper governmental activities including fraud, embezzlement, or misuse of university resources

Information Technology Risks
- Unauthorized modification of data
- Decentralization of systems leading to data inconsistencies and fragmentation
- Disclosure of confidential information (e.g., Personally Identifying Information (PII) and health care information)*
- Obsolescence of systems / technology
- Lack of common data definitions
- Inability to recover from system loss or extended downtime
- Lack of comfort with third-party vendor system security

Human Resource Risks
- Personnel issues or workplace violence
- Professional liability claims
- Workers compensation claims
- Employee recruitment and retention

Research Risks
- Research misconduct, such as falsification of data or results, or non-disclosure of research dangers
- Intellectual property infringement
- Inadequate lab processes and practices for the promotion of Environmental Health and Safety (EH&S)
- Unethical / unapproved human/animal subject research
- Threats to safety of researchers
- Regulatory fines or penalties

Contract and Grant Risks
- Non-compliance with sponsoring agency regulations and agreement terms and conditions*
- Cost sharing procedures are not compliant with federal requirements
- Effort reports inaccurate, insufficient, or incomplete*
- Agreement terms and conditions not met, but funds used
- Failure to maintain equipment inventories in accordance with grant requirements
- Sub-recipients not managed appropriately

Student Life Risks
- Sports / public event disturbances
- Student mental health
- Inappropriate athletic recruiting
- Safety and security of students on and off campus

Facilities and Maintenance Risks
- Deferred maintenance
- Increase in energy costs
- Equipment / facility malfunction

* FY 2009/10 System-wide Compliance Risk Priorities, per the System-wide Compliance Plan

Figure 24 - UC Top Risks Associated with Higher Education (University of California Office of Risk Services 2010)

Once you complete a risk assessment like this one, you will be able to identify the risks most relevant to your organization. This will allow you to focus your attention on the areas of highest risk and direct limited resources to those items which are most important.

Addressing Gaps in the ERM Program

Addressing the gaps in an organization's ERM program starts with removing the inconsistencies in the administration of the ERM program. These inconsistencies include how the ERM program identifies risk, measures risk, and manages those risks. If there are inconsistent procedures and policies surrounding how the organization executes its ERM program, there needs to be an action plan in place to correct these gaps. Some organizations might think that because they are in compliance with various rules and regulations they are practicing good ERM. ERM is not limited to following government laws and regulations. A robust ERM program will provide decision makers with the most accurate and detailed account of all risk exposures and their potential impact on the organization. The benefits of investing in a strong ERM program are its direct relationship to the organization's risk culture and its ability to make good strategic decisions.
The risk management culture and strategic risk management decision-making capability are the two widely accepted aspects of an ERM program that Standard and Poor's examines when assessing how successfully an organization has implemented its ERM program. (Louisot and Ketcham 2009, 12.12)

12 ERM Technology Solutions

All organizations face risks. So how do organizations succeed year after year and come back quickly from major disruptions? They are the entities that have formalized processes and embedded risk technology solutions that allow them to identify and also mitigate those risks. While spreadsheets are a useful tool in the initial stages of ERM adoption, as the organization evolves, so does the need to move beyond spreadsheets. Many public entities may already use a Risk Management Information System (RMIS), but an Enterprise Risk Management Information System (ERMIS) has some additional features not found in a traditional RMIS. RMIS products are designed to provide insured organizations and their brokers with basic policy and claim information via electronic access and, most recently, via the Internet. This information is essential for managing individual claims, identifying trends, marketing an insurance program, loss forecasting, actuarial studies and internal loss data communication within a client organization. A RMIS may also provide the tracking and management reporting capabilities that enable one to monitor and control the overall cost of risk in an efficient and cost-effective manner. ERMIS products are designed to provide organizations with an understanding of their risks, the ability to prioritize their risks, measure risks qualitatively (and, in some ERMIS, quantitatively), improve communication across all business units, create a positive ROI, and instill confidence among shareholders. An ERMIS takes a comprehensive approach to managing risk throughout the organization by both mitigating risk and optimizing overall business performance.
The approach enables an organization to go beyond regulatory compliance, provides visibility into the organization's risk landscape, and empowers business managers to make smarter decisions that maximize value. Performance and risks are interconnected. Many ERM programs are nothing more than audit- and compliance-based, like Sarbanes-Oxley and financial controls, with little to no view of enterprise-wide risks. Many ERM programs fail because they fail to meet the organization's strategic goals, they fail to bring value to the organization, they fail to break down the silos of risk management across the organization, and they fail to improve communication around risks. The need for a risk management work platform to help executives understand and manage their enterprise risk in real time is clear.

ERM is not Governance, Risk and Compliance (GRC). GRC operates at the higher unit level, far from the front line, and is isolated to individual entity silos. Organizations at this level do not tie operational activities to business strategy. When risk activities and organizational goals are misaligned, gaps remain hidden and effectiveness cannot be assured. Although GRC claims to address the same problems as ERM and has exploited the right buzzwords, the execution and results of GRC and ERM are very different. ERM empowers managers from the mail room to the board room and provides a holistic view of organizational risks. In contrast, GRC embraces compliance as a separate activity for each business silo, resulting largely in form-over-substance compliance. ERM is about strategically assessing and managing risk to ensure effective use of resources to maximize risk reduction. ERM is all about delivering measurable value by tying front-line operational activities to organizational goals.
By organizing risk activities at the process level, ERM can reach the front line where risks actually occur and connect those risks across entity silos all the way to the enterprise level. This approach also links the consequences and dependencies between risks so managers can fill gaps and eliminate redundancies. ERM is more than a plan; it is a strategic process. In the past ERM has been relegated to a one-time consulting engagement. This is hardly adequate given today's ever-changing risk environment. In order to stay on top of risk exposure and mitigation, successful organizations will have to embrace ERM as a strategic undertaking. After all, it can make the difference between strategic goals being met or not.

Enterprise Risk Management Software

Embedding a risk culture with risk awareness throughout the organization is imperative. Technology that facilitates this can propel your program to a more mature level. All areas within the public entity are related. If the interconnectedness of emerging or key risks is not a part of the risk assessment, organizational decisions cannot be nearly as strategic or opportunistic. This is where information systems designed specifically for ERM, in order to improve risk awareness and communication and move the organization forward toward its goals, become crucial. While there are many risk management information systems, there are not that many designed specifically as ERM solutions. We have briefly mentioned the IBM ERMIS solution employed at the University of California. This is an example of a public entity working directly with a developer to design and customize a solution specifically for its needs. While that system is customized for UC, IBM has built in flexibility to make it usable by many other organizations and businesses as well. Another example of a commercial ERM solution is from Riskonnect and their Riskonnect ERM system.
IBM Enterprise Risk Management Information System (ERMIS)

The Enterprise Risk Management Information System that the University of California (UC) is using to address its claims costs and claim frequency is tied directly to its risk management strategies. IBM's ERMIS has helped UC identify risk trends from workers' compensation and campus traffic accidents to financial data fraud and student privacy requirements. IBM's ERMIS is a suite of applications that provides institutions any combination of risk monitoring, risk mitigation monitoring, distributed controls certification and monitoring, planning/budgeting, risk identification (surveying), and risk-related data collection. The suite is designed to identify, track and evaluate risks, and to help facilitate an effective risk management and response strategy. The first step in IBM's ERMIS is to pull data from multiple data sources such as:
1) Human resources
2) Medical center
3) Waste management and recycling
4) Finance
5) Safety and insurable risk areas
6) Government fines and citations
Not only is the ERMIS integrating data from multiple, disparate sources, it is also conducting data analysis and facilitating interpretation of the results. The resulting functionality has made analytical information securely accessible to all levels and locations of the University via the Web. ERMIS enables automated updates to provide transparency, trending, and up-to-date information. Trends and dashboards allow users to drill down into the results to conduct root-cause analysis, in turn supporting decision-making and efficient resource allocation. Stakeholders across UC use that information to implement strategies that help better manage future risk events (Webber 2011).

Figure 23 - IBM ERMIS Dashboard

ERMIS provides a suite of services to the University of California. For example, it can provide in-depth views into operations, including those of institutions that have medical centers.
Central to the solution is a data warehouse, which is a repository for risk- and controls-related data and information such as:
1) Annual insurance expenditures
2) Claims losses
3) Student and employee headcount
4) Annual emergency management compliance
5) Medical center data
6) Workers' compensation
7) Financial performance data
8) Contracts and grants compliance
9) Public safety and police data
10) Campus fleet management
11) Building maintenance and construction data
12) Legal matters
ERMIS provides the ability to integrate and link claims losses and university risk exposures to a number of other data sources to create a centralized data management environment. ERMIS is built on IBM's Cognos Web-based business intelligence solutions. The system can help quantify and track new and predefined key performance indicators such as operational and campus hazards, financial risk data, privacy compliance and other areas of risk. IBM's ERMIS implementation at UC includes the following systems:
1) Cognos Business Intelligence - Delivers a complete range of business intelligence capabilities, including reporting, analysis, dashboards and scorecards.
2) IBM DB2 - An optimized database designed to deliver performance across multiple workloads while lowering administration, storage, development, and server costs. This software is used for the ERM data warehouse.
3) IBM WebSphere Application Server (WAS) - A custom, web-based controls certification and monitoring application was developed using IBM WAS.
4) IBM Lotus Portal - Allows partners, employees and customers a tailored user experience with personalized applications based on role, context, actions, location, preferences and team collaboration needs.
5) IBM InfoSphere - Provides information integration and master data management to help the institution achieve real-time access to business information and an enterprise-wide view of critical business data.
6) IBM Lotus Forms - Enables data collection, process automation and a reduction in both data transaction times and error rates. It supports "Go Green" initiatives and related environmental goals by further reducing the storage, printing and distribution of paper.
Despite the significant inclusion of IBM software products in the UC ERMIS implementation, IBM's ERMIS is a services and technology solution that is software agnostic. So long as each of the key components (e.g., business intelligence platform or database) is sufficiently flexible, any market-leading software could be used within the solution (Webber 2011).

Sample Benefits to the University of California of IBM's ERMIS
1) Better information allows greater awareness and management of high-risk areas.
2) Reduction in the overall cost of risk through preventive and proactive decisions and more efficient resource allocation.
3) Campuses pay less in internal premiums to fund the cost of risk, allowing them to deliver those funds directly to the University missions of teaching, research and public service.
4) The ERMIS allows reports to be run in seconds that used to take weeks to compile manually.
5) Reduction in the cost of debt. Rating agencies are now taking a careful look at an organization's ERM program to determine creditworthiness. Given the multibillion-dollar bond debt of UC, even a .01% change in the cost of debt represents significant savings for the institution. Figure X provides a quote from Standard & Poor's about UC's ERMIS.
The flexible IBM framework integrates data from many systems and lets many different user types share analyses, reports and information across multiple locations (IBM 2010). This flexibility generates another benefit experienced at UC: the reduction and prevention of IT redundancy.
Implementation of an ERMIS allows an institution to integrate data from systems that have previously been unable to "talk" and provides sophisticated, enterprise-wide business intelligence without requiring expensive replacement or custom integration of existing systems.

Figure X.

Riskonnect ERM

Riskonnect ERM is a comprehensive, web-based ERM system that gathers diverse risk data from across the enterprise in a highly visual manner so that risks are easily identified, assessed, and mitigated. It represents a quantum leap beyond commonly used tools like spreadsheets. Riskonnect's ERM software enables users to enter and dynamically visualize risk relationships, communicate risk assessment and mitigation activities, and see the impacts of risk on objectives and financials (McQuire 2011). Riskonnect empowers executives to make forward-looking decisions based on real-time, enterprise-wide, comprehensive risk information.

Figure 25 - Riskonnect Interrelationships Screen Captures

Riskonnect ERM simplifies enterprise-wide strategic risk management and helps your organization quickly realize the value and opportunities of integrating a strategic ERM program throughout your organization.
The Riskonnect ERM process and workflow offers the following functionality:
- Dynamic visualizations of risks
- Ability to visualize risk relationships and impact
- Ability to understand the cumulative impact of risks
- Ability to drill down to observe the causes of risk
- Drag-and-drop assessment of risks, allowing real-time discussion and re-assessment of risk
- Workflow and tracking of all activities and mitigation across the enterprise
- Dashboards
- Quantification of risks for senior management and board-level discussion
- Flexibility to adapt to your business process and your ERM framework of choice (Riskonnect 2011)

13. Risk Optimization and Value Creation

An ERM program is an evolving process that needs to stay current with emerging and interacting risks. The evaluation of an ERM program is an ongoing process that needs the attention of the senior management team.

Is All Risk Bad?

Though much media attention has been paid to organizations that got into financial trouble by taking on too much risk, is all risk taking bad? Is there a proper balance of risk that organizations can take to benefit from the upside of risk taking and yet be cautious enough to avoid the downside of taking on too much risk? An organization must achieve a balance between assuming too much risk and taking on too little risk while simultaneously practicing fiscal responsibility. The first step for an organization is to determine its attitude toward risk. Is it an organization of risk seekers, risk avoiders, or, better than either, risk optimizers? Defining one's risk attitude is key to determining what kind of risk or risks the organization is willing to take on. Organizations whose risk attitude is to take on more risk have the benefit of greater gain, but must also have the right risk controls in place so they do not fail. Organizations that are risk averse might be missing opportunities for growth.
Risk-seeking decision making tends to quickly seek a bottom-line explanation and to install an action plan or solution that anticipates positive results. Many times these same individuals underemphasize a risk's impact, variance, and potential negative effects. They believe that the risk decision will reap rewards significant enough to be worth taking on the risk. Entrepreneurs, salespersons, product developers, and researchers often embody a risk-seeking attitude. Individuals with a risk-avoiding attitude are at the opposite end of the risk continuum. They overemphasize risk or are obsessed with avoiding it because they typically see only the downside of risk taking. They seek methods of transferring risk to another entity or of avoiding risk altogether. They prefer to continue traditional methods of business operation rather than innovate. Every organization has an overall risk tolerance that reflects its readiness to bear both the upside and the downside of risk. Individuals with risk-optimizing attitudes assess risk strategically based on an organization's vision, mission, goals, values and beliefs. They weigh the risk-reward relationship while realistically evaluating potential outcomes and consequences, and they are selective about the risks they ask the organization to assume. The risk-return relationship is a critical component of an organization's strategic and financial decision making. In order for an organization's management to invest in projects that entail a higher degree of risk, it must be assured of a higher return. Conversely, an organization and its management should be satisfied with a lower rate of return on investments in projects that entail less risk (Louisot and Ketcham 2009, 2.11). To optimize its risk, an organization should be diligent in its investigation of new or potential innovations. These investigations should thoroughly explore the upside and downside of the risks involved.
The executive management team needs to research several strategic alternatives with assessments of different scenarios of risk and return. By exploring various risk-return outcomes, the executive management team can provide more meaningful input and contribute to a sound decision-making process. The goal of risk optimization is not to reduce an organization's risk to zero, because that would be cost prohibitive. Rather, the goal of risk optimization is to evaluate the risk controls in place and decide the best use of one's financial resources to provide the organization with the protection it needs. Once an organization has evaluated the effectiveness of its risk controls, the next question to ask is: "Is the set of risk controls selected the most cost-effective and efficient way to manage these risks?" Is it possible to be spending too much money on a risk control? Yes, an organization can spend too much on a risk control with little additional benefit. That is why it is important in the ERM process to monitor the risk controls and evaluate their effectiveness. New innovations in the marketplace might present themselves as a better risk control and a better financial investment for the organization.

The Strategic Triangle

The concept of value creation in a public entity has often left public administrators scratching their heads trying to figure out how it can be done. Dr. Mark Moore of Harvard University wrote about "The Strategic Triangle" (M. H. Moore 1995) to explain how public entities can create value.
The Strategic Triangle addresses three issues:
1) Value Strategy - What is valuable for the agency to do in relation to its public sector mission?
2) Political Management - What are the expectations of the various political stakeholders, and how can the managers of a public entity work together to manage the political environment, thereby ensuring that resources and authority will flow?
3) Operational Capacity - What is feasible for the manager to push the organization to accomplish, and what capacity needs to be developed to move forward on the strategy of value creation? (M. H. Moore 1995)

Figure 26 - Strategic Triangle (M. H. Moore 1995)

The advantages of this model include the following. First, the focus of the process is on the manager's ability to identify and measure the critical elements needed to achieve the objective: public value. Traditional strategic planning models have been more focused on the process of bringing in stakeholders and getting the entire staff "on board" than on the attainment of ongoing outcomes that guide the organization's strategic decisions. Second, the performance measures developed in many traditional strategic planning processes are not as effective, because the manager needs to change as situations change, more quickly than the plan can be changed. In an environment of rapid change, public managers need to concentrate on creating value, not just on how to implement mandated policies consistently and efficiently. The public sector strategy model described here recognizes the value of vision, mission and goals, but emphasizes entrepreneurial imagination as the key to value creation. Dr. Moore asserts that "good strategic managers learn not only how to plan actions, but as important, how to exploit unanticipated opportunities as they arise" (M. H. Moore 1995). Therefore, it is important that the performance management system actually encourages the manager to respond to new opportunities, not to overlook them because they are not listed as one of their outcomes. As a result, managers using this more agile planning process should concentrate on the critical Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). However, these KPIs and KRIs still need to measure all three areas of the triangle that are necessary for successful implementation. Most past performance measures concentrate only on the operational capacity area of the triangle. In addition to operational capacity, it is important for the public manager to keep track of the progress being made in the political arena as well as, most importantly, the value being created for the public. Setting up an information system to check the three areas of the Strategic Triangle is the key to successful implementation of this management framework. Finally, outcomes, which are normally used by government agencies, are mandated by the legislature and usually measure specific processes.

Public Entity Example – University of California, San Francisco

The University of California, San Francisco, is an academic health science campus that is part of the University of California system. Space is very limited at this urban campus. UCSF regularly monitors and benchmarks research dollars per assignable square foot of space available for research. Upon discovering it had one of the nation's highest concentrations of research dollars for a higher education institution (measured as research activity per square foot of space), UCSF determined that in order to continue to grow its research enterprise it would have to obtain more space. Space was the growth-limiting factor, slowing or preventing additional value creation in its research mission.
Figure 27 - UCSF Medical Center at Mission Bay (University of California, San Francisco 2010)

"When the Mission Bay campus was originally conceived, we were thinking this would be primarily a basic science and research campus," UCSF Planner Lori Yamauchi said. "With the decision to build an extension hospital here, we decided that we wanted to move clinical and translational research here. Expansion of the campus's focus from laboratory-based basic sciences follows a nationwide trend driven by increases in clinical and translational research funding provided by the National Institutes of Health." (San Francisco Examiner 2009)

The UCSF Medical Center's new Mission Bay campus is being built on 43 acres of land donated by the city of San Francisco and developers. Roads, sewers and other infrastructure were provided by developers, and a school, library, police station, firehouse and 6,000 units of housing have been planned for the fast-growing neighborhood. The research campus has helped attract more than a dozen biotechnology companies to the surrounding Mission Bay neighborhood, a 303-acre former industrial wasteland that officials have been redeveloping south of AT&T Park since the late 1990s. The new campus carries on the UCSF tradition of research collaboration. UCSF Genentech Hall and the other Mission Bay campus buildings are designed to stimulate interaction, both formal and informal, between scientists in related disciplines, based on the belief, repeatedly confirmed at UCSF, that collaboration between scientists is the surest catalyst for discovery. Genentech Hall's fifth floor, for example, brings chemists and chemical biologists together. Chemists can subtly modify the structure of molecules active in cells, or create new molecules, to determine, for example, the role specific proteins play in signaling between and within cells.
This detailed knowledge is vital both to understand living systems at a molecular level and to develop drugs that can counter malfunctions. The building's Center for Advanced Technologies supports new and experimental research methodologies with potential use to many labs. Research in Genentech Hall focuses on structural and chemical biology as well as molecular and developmental biology and related fields. A second campus structure, the Genetics, Development and Behavioral Sciences Building, was completed for occupancy in November 2003. In late 2004, researchers and administrators moved into the new Institute for Quantitative Biomedical Research (dubbed QB3), the third research building in UCSF Mission Bay's initial phase of development. QB3 is a partnership between UCSF, UC Berkeley and UC Santa Cruz, one of the California Institutes for Science and Innovation developed at the initiative of Governor Gray Davis. The UCSF building is the QB3 headquarters. The institute brings together expertise in the physical sciences, engineering and mathematics to help tackle biological problems of such complexity that they simply cannot be approached with the tools of just one discipline. UCSF broke ground for its new campus in 1999. The three research buildings, along with a community center, a student and faculty housing facility and an open-space quad larger than downtown San Francisco's Union Square, make up the first phase of the new campus. About half of the program space in the campus is used for research, mainly in the basic sciences. The balance of the space will be used for instruction, academic support, campus administration, campus community activities, housing and logistical operations.

Erica Webber, former Assistant Controller for UCSF, pointed out how UCSF's expansion project at Mission Bay corresponds to the third leg of Dr. Mark Moore's Strategic Triangle, operational capacity.
Her views on the tie-in with value strategy and political management as additional components of value creation are also given in the following remarks:

Value Strategy

What is valuable for an institution is driven directly by that institution's mission. For private and for-profit organizations, maximizing profits, net income, and shareholder value are key parts of the mission of the organization. In contrast, in public entities, maximizing net income is only a means to fulfill the mission. For those entities, revenues come from diverse fund sources, e.g. philanthropy, government appropriations, fee for service, government and private grants. For the most part, the fund sources are directly tied to mission fulfillment. Value for the public entity is maximizing its funding and resources for mission fulfillment while minimizing the cost of doing business. The latter includes, for example, cost of risk, cost of debt, cost of technology infrastructure, and cost of human resources. A robust ERM program identifies and tracks metrics related to highest-value activities as well as key cost-of-doing-business areas and makes this information quickly available to decision-makers throughout the organization. Sample mission metrics for higher education include graduation rates, employment rates of graduates, job creation, skilled workforce availability in the state, creative output from research including the number of patents, and first-author journal articles from faculty or researchers. Also, remember that everything that minimizes the cost of doing business frees more resources to allocate to value creation through mission fulfillment.

Political Management

For a public university, political stakeholders include taxpayers, state government, students, faculty, labor, and federal agencies. An ERM program considers and seeks to accurately measure reputational risk with key stakeholder groups.
Each type of stakeholder has a perspective on what it wants from the institution. When those perspectives conflict, say between labor and taxpayers, an ERM program with a strong monitoring system can regularly produce data, trends, and analyses to show the institution is maximizing resources for its mission, obtaining good results in its mission, and minimizing the cost of doing business. This information, along with information about the actions the institution has taken or will be taking to maintain or improve the results, can be extremely effective at managing internal and external politics. Specifically, publicizing relevant information from the ERM monitoring program helps conflicting stakeholder groups compromise on their demands from the institution.

Operational Capacity

An agency's ERM monitoring system will facilitate benchmarking human resources, funding, and other resources per mission metric with other like agencies. For example, a public university might monitor and benchmark administrative Full Time Faculty per student, faculty per student, or external research dollars per assignable square foot of lab space. This benchmarking shows where there is need or possibility for improvement in the allocation of resources and efficient use of resources. The benchmarking activity can be prohibitively costly, however, without the structure of an ERM program to define and automate production of key performance indicators and key risk indicators. (Webber 2011)

14. Return on Investment

Return on Investment (ROI) is a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.
ROI = (Gain from Investment - Cost of Investment) / Cost of Investment

Keep in mind that the calculation for return on investment, and therefore its definition, can be modified to suit the situation. It all depends on what you include as returns and costs. In the broadest sense the term just attempts to measure the profitability of an investment and, as such, there is no one "right" calculation. The Committee of Sponsoring Organizations (COSO) defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (Committee of Sponsoring Organizations 2010) For the UC universities, ERM is the framework by which the University can identify and evaluate its major risks. The UC universities use ERM to help them select the correct risk response so that they can meet their goals of teaching, research, and public service.

Areas of Review

The foundation of UC's ERM program is the people who are actively managing risk. One of the key supports of their risk intelligence is the ERM Information System, which gives campus stakeholders at various levels access to the information they need to make business decisions in a timely and effective manner. Bickmore Risk Services, the University's actuary, is working with the Office of the President and the Office of Risk Services to develop an ongoing method of review to track the value and savings of the ERM program.
The areas of review include:
1) Cost of Risk
2) Cost of Borrowing
3) Create Efficiency
4) Reduce IT Redundancy

Cost of Risk

The cost of risk is the quantitative measurement of the total costs (losses, risk control costs, financing costs, and administration costs) associated with the risk management function, as compared to a business's sales, assets, and number of employees. The purpose of such a comparison is to determine whether the total cost of the risk management function is increasing, decreasing, or remaining constant as a function of the business's economic activity. After the quantitative measurement has been derived, a comparison can be made between the cost of risk of that business and the cost of risk of its peer group. The cost of risk allows the business to focus on the areas of operation that will have the greatest long-term effect on its total risk management costs. The ERM program and ERMIS at the UC universities provide stakeholders with easy-to-use tools including Risk Assessments, a Risk Maturity Work Plan and a variety of other resources to help users identify and manage their risk. These programs are not limited to hazard risks, but are able to identify all risks: operational, compliance, financial, reputational, communication and strategic. The UC universities have the most complete risk intelligence on their hazard risk and have been able to identify the savings and value of their ERM program. The annual direct cost of UC's hazard risks (workers' compensation, general liability, employment practices liability, professional liability, auto liability and property) is over $250 million. They estimate that indirect costs can range from 1:1 to 2:1 of direct costs, or even higher. This means that the true cost of hazard risk at the UC universities could be greater than $500 million.
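The cost-of-risk comparison described above is easy to get wrong if raw dollars are compared from year to year, because a growing institution's losses grow with it. The following Python example is added here for illustration; it is not code from the publication, from UC, IBM, or Bickmore Risk Services. It builds total cost of risk from the four components the text names, applies the indirect-cost ratio the text cites (1:1 or 2:1), normalizes by revenue and headcount so that the trend reflects economic activity rather than size, and compares the result against a peer group. The component figures, revenues, headcounts and peer values are constructed sample data; the only numbers taken from the text are the roughly $250 million direct cost and the indirect ratios.

```python
"""Total cost of risk (TCOR): build, normalize, trend, and benchmark.

Added example; not from the original publication or from UC, IBM or
Bickmore. All data below is constructed for illustration, except the
$250M direct hazard cost and the 1:1 / 2:1 indirect ratios the text cites.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class CostOfRiskYear:
    year: int
    losses: float          # retained (self-insured) losses paid
    risk_control: float    # loss prevention and safety program spend
    financing: float       # premiums, captive funding, collateral
    administration: float  # risk staff, claims administration, ERMIS
    revenue: float         # exposure base: annual revenue (dollars)
    headcount: int         # exposure base: employees

    def direct_cost(self) -> float:
        """The four direct components the text lists, summed."""
        return self.losses + self.risk_control + self.financing + self.administration


def total_cost_of_risk(year: CostOfRiskYear, indirect_ratio: float) -> float:
    """Direct cost plus indirect cost expressed as a multiple of direct cost.

    indirect_ratio=1.0 is the text's "1:1" case (TCOR is twice direct cost);
    indirect_ratio=2.0 is "2:1" (three times direct cost).
    """
    if indirect_ratio < 0:
        raise ValueError("indirect_ratio must be non-negative")
    return year.direct_cost() * (1.0 + indirect_ratio)


def normalized(year: CostOfRiskYear, indirect_ratio: float) -> dict:
    """TCOR per $1,000 of revenue and per employee, the bases the text names."""
    tcor = total_cost_of_risk(year, indirect_ratio)
    return {
        "per_1000_revenue": tcor / year.revenue * 1000.0,
        "per_employee": tcor / year.headcount,
    }


def trend(history: list, indirect_ratio: float, tolerance: float = 0.02) -> list:
    """Label each year-over-year move in TCOR per $1,000 revenue.

    Moves within +/- tolerance are treated as 'constant' so that small
    noise does not trigger a trend call. Returns (year, change, label).
    """
    ordered = sorted(history, key=lambda y: y.year)
    result, prev = [], None
    for y in ordered:
        cur = normalized(y, indirect_ratio)["per_1000_revenue"]
        if prev is not None:
            change = (cur - prev) / prev
            if change > tolerance:
                label = "increasing"
            elif change < -tolerance:
                label = "decreasing"
            else:
                label = "constant"
            result.append((y.year, round(change, 4), label))
        prev = cur
    return result


def peer_gap(year: CostOfRiskYear, peer_per_1000_revenue: list, indirect_ratio: float) -> float:
    """Fractional gap between this year's normalized TCOR and the peer median.

    Positive means costlier than peers; negative means cheaper.
    """
    own = normalized(year, indirect_ratio)["per_1000_revenue"]
    peer = median(peer_per_1000_revenue)
    return (own - peer) / peer


# Constructed sample history. The 2009 direct components sum to $250M,
# matching the order of magnitude the text gives for UC's hazard risk.
HISTORY = [
    CostOfRiskYear(2009, 150e6, 30e6, 50e6, 20e6, revenue=20.0e9, headcount=200_000),
    CostOfRiskYear(2010, 160e6, 32e6, 52e6, 21e6, revenue=22.0e9, headcount=205_000),
    CostOfRiskYear(2011, 170e6, 34e6, 54e6, 22e6, revenue=22.5e9, headcount=208_000),
]

# Constructed peer values: TCOR per $1,000 revenue for four hypothetical peers.
PEER_PER_1000_REVENUE = [18.0, 22.0, 27.0, 30.0]


if __name__ == "__main__":
    for y in HISTORY:
        print(y.year, f"TCOR(1:1)=${total_cost_of_risk(y, 1.0)/1e6:.0f}M",
              normalized(y, 1.0))
    print("trend:", trend(HISTORY, 1.0))
    print("gap vs peer median:", f"{peer_gap(HISTORY[-1], PEER_PER_1000_REVENUE, 1.0):+.1%}")
```

With the sample data, raw TCOR rises every year, yet the normalized trend reads "decreasing" for 2010 because revenue grew faster than the cost of risk, then "increasing" for 2011. That is exactly the distinction the passage draws: judge the risk management function against economic activity, not against last year's dollar total.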
The total cost of risk for the UC universities would also include losses not covered by the self-insured program, such as employee grievances, human subject injury, and other operational risk, as well as regulatory risk (fines), business risk (grants, patents), reputational risk, governance, and other events that may adversely affect the University, whether through negative consequences or through failure to achieve positive outcomes because of missed opportunities. By identifying and analyzing the full cost of risk, the UC universities will develop strategic plans to reduce that cost and free up resources to be used for meeting the University's mission. The prevention of just one claim can result in significant savings to a department, campus, and/or medical center. Multiplied across the system, this can produce even greater overall savings. UC's ERM program and the ERMIS vastly improve the information managers can use to identify and manage risk. For example, they provide management with current information on key performance indicators in minutes, allowing managers to identify trends, spot areas that need improvement and track desired results.

Cost of Borrowing

The cost of borrowing is incurred when an organization borrows money. Interest payments are an example of borrowing costs. In accounting, borrowing costs may be recognized as an expense when incurred or capitalized as part of the cost of an asset. On July 22, 2009, Standard & Poor's (S&P) released a progress report on the enhancement of its global rating process for non-financial companies by including enterprise risk management assessments in its ratings. S&P hopes that the addition of ERM factors to its credit analysis will improve the overall quality of its ratings by enhancing its opinions of borrowers' management.
S&P views ERM as an organizing tool for assessments of management, helping it create a more systematic framework and common language for an inherently subjective topic, and giving it the ability to benchmark organizations against each other over time. S&P continues to focus primarily on "risk culture" and strategic risk management. S&P assesses evidence of each organization's risk culture through a review of communications, risk management roles, risk policies and procedures, and the influence of risk management on strategic decisions. S&P defines strategic risk management as the identification of the main risks and how these risks are managed, updated, and affect decisions. (Standard and Poor's 2010)

Seven Primary Questions

Standard & Poor's asks organizations these seven questions about their risk management programs:
1) What are the organization's top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
2) What is management doing about the top risks?
3) What size of quarterly operating or cash loss have management and the board agreed is tolerable?
4) Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure the success of risk management activities?
5) How would a loss from a key risk affect incentive compensation of top management and planning/budgeting?
6) What discussions about risk management have taken place at the board level or among top management when strategic decisions were made in the past?
7) Give an example of how your company responded to a recent "surprise" in your industry. How did the surprise end up affecting your company differently than others? (Standard and Poor's 2011)

Organizations that adopt an enterprise view of risk often do so because it offers value through better awareness and control of risks, improved resource efficiency and an enhanced ability to take on additional risk.
Organizations that have implemented successful ERM frameworks often achieve improved consistency in risk management practices and better responses to escalating corporate governance requirements, regulatory pressure, capital availability and cost, capital deployment and market pressure, through improved understanding of risk and mitigation options. The rating agency S&P has recognized UC for its ERM program and stated, "The UC has implemented a system-wide enterprise risk management information system, which, in our opinion, is a credit strength." UC's ability to borrow is crucial to its success. In 2008, UC's total debt exceeded $10 billion. Key factors affecting the cost of borrowing are the ratings provided by credit rating agencies such as Moody's, Fitch and Standard & Poor's. All of these agencies now explicitly look at an organization's approach to managing enterprise or holistic risk as part of the process of developing ratings. UC's proactive approach to ERM has helped its credit rating with S&P. Standard & Poor's has given UC a higher rating, which in turn has produced a .1% decrease in the interest rate UC pays on its debt load, representing over $10 million in savings. (Standard and Poor's 2011)

Create Efficiency

The UC universities are seeking ways to improve efficiency. Statement on Auditing Standards No. 115 (SAS 112/115) supersedes Statement on Auditing Standards No. 112 and establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements. Public entities are working hard to make sure that they are identifying and documenting key controls related to the preparation of financial reports.
“SAS 112/115 raises the bar for internal controls compliance and documentation… The University must effectively demonstrate to external auditors that an internal control framework has been established and is practiced at all levels in University business administration. The effect of internal control weaknesses being reported by UC Universities’ auditors under SAS 112/115 could include negative impacts on research funding & credit ratings, additional federal audits, and reputational damage.” (University of California 2010)

In 2002, the UC Controller’s Office estimated that automating SAS 112/115 requirements would cost UC between $500,000 and $2.5 million. Knowing that key financial controls are working requires information currently stored in several systems (for example, campus financial and payroll systems) and input from the people performing and certifying the controls. By centralizing data from many sources, UC’s ERMIS creates a foundation of information which is accessible, automatically updated, transparent and less prone to error. This addresses some of the key requirements of SAS 112/115 while also creating administrative savings. The creation of automated reports within the ERMIS will increase workforce efficiency. UC staff currently spend significant amounts of time developing and updating reports. The UC Environmental Health and Safety staff, Risk Manager, Controller, Human Resource Managers, and others are developing automated reports that will reduce the staff time spent updating information provided monthly to University leadership. These automated reports will provide more reliable information that is updated more frequently and is readily available without staff support. Further, as noted above, as the types of data available expand and the corresponding measurement metrics mature, more in-depth analysis of the data will be easy to perform.
Reduce Redundancy

Redundancy can be reduced by the creation of automated reports made readily available to those with a need to know. Instead of having the same or similar reports developed and maintained, without the benefit of shared knowledge, at different divisions, departments, schools, campuses, medical centers and other locations, the ERMIS enables the sharing of analyses and information easily and efficiently across many different locations. (University of California 2010)

15. ERM’s Role in Governance

Governance is the activity of governing. It relates to decisions that define expectations, grant power, or verify performance. It establishes the structure, sets the policies, procedures, processes and measurement standards, and determines the mission, values and culture of the organization. Governance determines an organization’s direction and, therefore, defines the scope of potential risks to which it is exposed. Good governance helps an organization manage risk by ensuring that its goals are achieved and its interests are served and protected. Without good governance, conflicts of interest can arise, stakeholders’ expectations might not be met, and there could be negative outcomes from management’s decision-making process. Good governance integrated with enterprise risk management can manage uncertainty and risk. The primary goal of governance is to build measurable value through a framework of ethical behavior, fairness, transparency, fiscal accountability and social responsibility. Governance also offers a holistic perspective on an organization’s altruistic reasons for existence and its role in the community in which it operates. An organization’s governance practices should focus on ethical, fair, and transparent behavior.
It should also strive for fair treatment of employees, compliance with government regulations, limited impact on the surrounding environment (pollution issues) and sustainable development. (Louisot and Ketcham 2009, 11.6)

Public Entity Example – U.S. Department of Education

The mission of the U.S. Department of Education is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access. The Department must be a high-performing organization internally to achieve its national policy goals. From now through 2012, the Department of Education will build upon a series of clean audit opinions to sustain high-quality financial oversight and to identify and reduce risk in internal management activities. Achievement of targets for performance measures will engender trust among Americans in the integrity of the Department’s financial activities and support informed management and policy decision-making.

Support for ERM governance and the ERM program comes first and foremost from Federal Student Aid’s (FSA) chief operating officer (COO). While the Chief Risk Officer (CRO) reports administratively to the general manager of Enterprise Performance Management Services, he has a dotted-line relationship to the COO and meets regularly with the COO to discuss risk management and internal review issues facing the organization. FSA has established an ERM committee consistent with the roles and responsibilities identified in the COSO framework.
The ERM Committee is comprised of five executives:

1) Chief financial officer
2) Chief information officer
3) Chief business operations officer
4) Chief of staff to the chief operating officer
5) Chief risk officer

The purpose of the ERM committee is to assist the chief operating officer in:

1) Assessing and evaluating major strategic risks
2) Establishing the organization’s risk profile and setting risk tolerance
3) Reviewing and approving Federal Student Aid’s ERM strategy
4) Monitoring the implementation of FSA’s ERM program and framework (Hardy 2010)

In addition to having an ERM committee at the executive management level, another idea is to establish a risk committee at the board level of some public entities. The board-level risk committee, while not yet common among public entities, can function as a risk oversight body responsible for assessing, and providing oversight to management on, the identification and evaluation of the major strategic, operational, regulatory, information and external risks inherent in the public entity. The board-level risk committee’s duties and responsibilities would include:

1) Review and evaluate management’s identification of all major risks to the public entity.
2) Assess the adequacy of management’s risk assessment, its plans for risk control or mitigation, and disclosure.
3) Together with the audit committee, review, assess and discuss with general counsel, the chief financial officer and the independent auditor any significant risks or exposures; the steps management has taken to minimize such risks or exposures; and the public entity’s underlying policies with respect to risk assessment and risk management. (Bugalla, Hackett and Kallman, et al. 2010)

Another crucial member of the risk governance structure is a chief risk officer (CRO).
The CRO should chair the executive-level risk committee or serve as its chief of staff, and have dual reporting lines to both the Directors of the public entity and the board-level risk committee. One of the key goals of the risk committees at the executive and board levels is to prevent a risk intelligence gap. Lessons learned from Hurricane Katrina and the 9/11 terrorist attacks demonstrate the need for good risk intelligence and the importance of providing decision makers with all the information they need to plan for and implement the best strategy to mitigate their risk exposures. Here are some suggestions on getting started with the conversation about risk governance in your public entity:

1) Understand the public entity’s key drivers of success.
2) Assess the risk in the public entity’s strategy.
3) Define the role of the full board and its standing committees with regard to risk oversight.
4) Consider whether the entity’s risk management system, including people and processes, is appropriate and has sufficient resources.
5) Work with senior management to understand and agree on the types (and format) of risk information the board requires.
6) Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.
7) Closely monitor the potential risks in the public entity’s culture and its incentive structure.
8) Monitor the critical alignment of strategy, risk, controls, compliance, incentives, and people.
9) Consider emerging and interrelated risks.
10) Periodically assess the board’s risk oversight processes: do they enable the board to achieve its risk oversight objectives? (Bugalla, Hackett and Kallman, et al. 2010)

16. Getting ERM Buy-In with Decision Makers

The goal of ERM is to embed risk recognition into every business decision of the organization.
Too many times, organizations have a very static approach to risk management that falls into a narrow, compliance-based effort and leads to underperformance. However, organizations that fully implement ERM can establish more reliable decision making and create innovation to sustain performance. ERM should be embedded into all of an organization’s strategic planning, business decisions, and performance management. Without this integration, ERM may be perceived as imposing an additional layer of bureaucracy rather than as being integral to how the operation is run. It is essential that the board and senior executives drive the implementation of ERM, because ERM involves the commitment of the entire organization. Senior management should ensure that all stakeholders understand the impact and scope of ERM and visibly work to support the required changes so that ERM becomes the standard. Included here is a sample ERM implementation plan that can be used to give a clear and concise message to senior management to help them see what will be involved in implementing an ERM program:

Sample ERM Implementation Plan (Louisot and Ketcham 2009, 14.32)

1. Defining Scope of ERM
   a. Why do we need ERM?
   b. What resources do we need to commit to the project?
   c. How do we measure success for ERM?
   d. Whom should we put in charge of the project and ERM for the organization?
   e. What can go wrong with the project and ERM?

2. Planning Phase of ERM
   a. How will the process for accomplishing the implementation be documented and communicated?
   b. Which stakeholders should be involved in planning and executing the implementation?
   c. How should ERM be incorporated throughout the organization to support proactive business decisions at all levels?
   d. What information do employees need to make risk-aware decisions, and how can that information be presented effectively?
   e. What information do external stakeholders, customers, and regulators need, and how can that information best be communicated?
   f. What policies and procedures are needed to make ERM operationally integrated?

3. Inception of ERM
   a. Establish a risk committee with an executive-level sponsor and a board-level sponsor to review and revise the framework established
   b. Train the board and upper management in ERM and why it is important
   c. Articulate expected benefits and costs
   d. Make support for the project highly visible

4. Develop a risk management policy
   a. Understand the risk appetites of key supporters and stakeholders
   b. Align the risk appetites of all stakeholder groups with the organization's strategic objectives and strategies; express risk appetite boundaries for the project in the project scope statement where possible
   c. Articulate and communicate the organization's risk management policy in the project scope statement

5. Articulate goals for the ERM project
   a. Develop goals that address the traditional risk management loss exposure categories of property, liability, net income and personnel
   b. Develop goals that address the ERM issues of strategic risks, effectiveness, accountability, business process, compliance, employee empowerment, cultural identity, reputation and competitiveness
   c. Include all project goals in the project scope statement
   d. Include all project constraints regarding quality, timeliness, budget, and boundaries in the project scope statement

6. Planning
   a. Design frameworks for identifying, assessing, and managing risks
   b. Design a framework for internal and external communication
   c. Determine how accountability, resources, communication, and reporting (internal and external) will be managed
   d. Establish clear organization-wide risk management strategies for achieving the project goals
   e. At functional levels of the organization, establish risk management objectives to the extent that they have a substantive effect on the organization's results, and integrate them into processes

7. Execution
   a. Develop an organization-wide ERM vocabulary
   b. Develop and enforce the use of a communications framework that supports identification of changes in KPIs
   c. Identify KPIs and external indicators of changes in risks that are to be monitored continuously
   d. Identify measurement issues associated with key event indicators and methodological or technical issues in reporting them
   e. Determine the best technological methods of disseminating information about changes in KPIs
   f. Create and deploy a risk "nervous system" for communicating, reporting and monitoring progress on the information collected in the communication framework
   g. Determine the persons responsible for monitoring key event indicators and how action will be taken based on the changes
   h. Develop and enforce the use of risk assessment and risk treatment frameworks that are responsive to information disseminated through the communication framework
   i. Inventory current risk management processes and then build on them
   j. Develop tools to identify and evaluate risks and ensure that all business units use the same tools and terminology
   k. Ensure that risk assessment focuses on enterprise-wide risks as well as traditional loss exposures
   l. Create a matrix or another tool to prioritize each risk in terms of its likelihood (frequency) and potential impact on the organization; focus treatment on the most serious risks
   m. Establish methods for continuously and incrementally treating prioritized internal and external risks throughout the organization, based on information distributed through the communication framework
   n. Record risk treatments
   o. Create a risk management culture
   p. Train all employees on what ERM is and why it is important
   q. Continually communicate the importance of risk management throughout the organization
   r. Design human resource policies and practices to support the identification and reporting of risk-related information at all levels
   s. Emphasize employee commitment to the risk management culture and include performance measures and incentives to promote that commitment

8. Monitoring
   a. Document and communicate ERM effectiveness
   b. Conduct periodic reviews of the KPIs and external factors and make required changes
   c. Empower the committee to revise the substance and details of the communication, risk assessment and risk treatment frameworks in response to sweeping changes in the internal and external environments
   d. Because the ERM process is iterative and recursive, ERM implementation must become part of the ongoing and continuous organizational strategy

Since 1996, the University of California has been moving towards an enterprise approach to identifying and managing its risks. The implementation of an ERM program at UC requires a creative approach which includes delivering a variety of tools to risk owners to enable them to better identify and manage their particular risks. The foundation of UC’s ERM program is the COSO ERM Framework and ERM tools designed to be implemented at all levels of the UC organization: system-wide, campus, medical center, college, school, division, department and individual levels. By managing its risks across the enterprise in a strategic manner, UC has reduced the cost of borrowing, created efficiency, reduced IT redundancy, and reduced the cost of risk. How has the University of California reduced the cost of risk? By investing in loss prevention and loss control programs as part of its overall ERM strategy, UC has achieved cost avoidance savings of $420 million. The foundation of UC’s ERM program is to have people actively manage their various risks.
The ERMIS provides a variety of qualitative and quantitative tools to help UC locations identify their risks and determine where to strategically deploy resources. It can define, highlight, and predict risks and trends to allow managers to intervene before problems arise, and it is a data-rich construct that can be adapted to other sectors, such as programmatic, personnel, and operational programs. “The UC has implemented a system-wide enterprise risk management information system, which, in our opinion, is a credit strength.” (Standard and Poor's 2010)

In addition to the ERMIS, the UC system uses a few other tools to provide users with solutions through which they can access and analyze information related to their specific areas:

UC Action: enhances the efficiency of monitoring controls established in response to specific incidents, through continuous monitoring and automated follow-up.

UC Tracker: has taken a manual process and provided a software tool that facilitates the review and documentation of key financial controls related to the preparation of the university’s financial statements. Taking this process from manual to electronic format improves the transparency and accuracy of information and creates efficiencies.

Risk Assessment Workbooks: have been created to support risk assessments at each of the UC locations.

The University of California’s solutions allow it to take on new opportunities and, by managing risk strategically, to ensure an optimum outcome. UC has learned that by focusing on developing tools that address a broad array of risks, both frequent events and infrequent but catastrophic ones, it has created a more efficient and effective program.

Public Entity Example – Penn State University

At Penn State, the Corporate Controller’s Office is a service organization within Finance and Business that supports Penn State students, faculty and the public.
It is responsible for providing quality financial, accounting and information services that foster a culture of responsible stewardship and sound fiscal management of University resources. The Corporate Controller’s Office at Penn State has three primary strategic goals for 2009-2013. The first goal is to foster a University-wide culture of responsible financial stewardship and risk-based decision making. Its objective in carrying out this goal is to enhance and improve the accuracy and timeliness of the financial information provided to the Board of Trustees, its committees and subcommittees, and University senior management, to encourage transparency and accountability at the University. (Corporate Controller - Penn State University 2009)

In order to succeed, an ERM program must link closely with the organization’s strategic management processes. In fact, the measure of success of any ERM implementation is how much value it adds to shareholders (in publicly held companies) and to the other stakeholders of the organization. In the case of Penn State, the university’s key stakeholders include students, faculty and staff, consumers of research, members of the community, and the general public.
As with any successful strategic implementation, in order to link closely with strategic management processes and measure the value added by the process, those implementing ERM must understand the overall characteristics of the organization and the environment within which it competes, including:

1) The organization’s strategic, long-term objectives
2) The industry within which the organization competes, its key competitors, and its stage of development (for example growth, maturity, or decline)
3) Its competitive landscape and scope of competition
4) The organizational culture
5) The primary risks perceived by members of the organization

Penn State’s strategic goals reflect excellence in three areas: teaching, research, and service, and address the needs of students, faculty and staff, and society. All of this is spelled out in Penn State’s Strategic Plan. Therefore, a successful ERM program must address the risks to attaining the long-term goals in each of those areas. (Lermack 2008)

17. Being an ERM Influencer in Your Public Entity

Once your public entity has identified the importance of ERM, the next challenge is figuring out how you can be a positive ERM influencer within your organization. Where do you start in developing positive ERM influence among your co-workers in your public entity? It starts with the flow of information about ERM within your organization. The key here is to make the information about ERM readily available to your fellow co-workers.

“The fact that different groups of employees are exposed to wildly different data information helps explain why people often have such different priorities and passions. Different groups, departments, and levels of employees worry about very different aspects of the organization’s success, not because they hold different values, but because they’re exposed to different data. For example, frontline employees who interface with complaining (citizens) usually become (citizen) advocates.
(Senior management) who are constantly poring over financial statements and new legislation (become subject to the regulators and legislative bodies). The problem with passion for a single stakeholder group isn’t that employees care greatly about someone or something, it’s just that it’s hard to expect people to act in balanced ways when they have access to only one data stream.” (Grenny, et al. 2006)

For instance, the Board of Directors of a major international airport might only be receiving certain information on the airport’s expansion project that is geared to the completion of the project and the forecasted revenues that the new expansion might bring to the airport authority. Since the risk manager was not part of the discussion of the potential risks to the expansion project, the Board of Directors is not given the information it needs to evaluate the risk exposures of the expansion project. Therefore, the Board of Directors is not taking into consideration the impact of such risks on the projected future revenues of the expansion project. In order to change the Board of Directors’ understanding of the potential risks to the expansion project, we change the data stream and provide the Board with the data it needs to make an informed decision on the potential outcome of the expansion project.

One warning about data: too much of a good thing can be bad. ERM influencers need to be concise and not complicate the data they give to their stakeholders. “The incessant flow of reports, printouts, and e-mail, one heaped upon the other, transforms into a numbing and incoherent background of noise. Influence masters never make this mistake. They’re focused and deliberate about the data they share. They understand that the only reason for gathering or publishing any data is to reinforce vital behavior.” (Grenny, et al. 2006)

The University of California, Office of the President, Office of Risk Services, implemented a Be Smart About Safety (BSAS) campaign in the 2006-2007 academic year. Since then, the program has shown significant cost savings across the campuses taking advantage of the funding, according to a study presented at the March 2009 Risk Summit by the University’s Sacramento-based actuaries, Bickmore Risk Services. (University of California 2009) The analysis showed that while occupational injuries and illnesses surged among California employers between the 2005-2006 and 2007-2008 fiscal years, University of California locations that implemented programs with BSAS funds in the 2006-2007 fiscal year outperformed employers across the state in terms of the number of injuries per 100 employees, the average cost per claim, and the cost of claims as a share of payroll. The number of claims per 100 employees in California fell by 15.6% between the 2005-2006 and 2007-2008 fiscal years, but the University of California locations outperformed this already favorable indicator with a decrease of 17.1% in the number of claims per 100 employees. The average cost per claim across the state increased 27.4% in the same time frame, but locations participating in BSAS saw an increase of just about half that size, 14.2%. Similarly, while the cost of claims as a share of payroll increased 7.6% for most California employers, BSAS participants saw the cost of claims as a share of payroll decrease 2.5%.

Grace Crickette, Chief Risk Officer at the University of California, has held a Risk Summit for all UC campuses and medical centers every year since she took office at the end of 2004. In June 2010, the University of California system held its 6th Annual Risk Summit, with more than 370 UC employees attending.
During the Risk Summit, an awards ceremony gives recognition awards to specific programs based on their efforts in reducing the cost of risk in the following categories:

1) Workers’ Compensation (one award for campuses and one award for medical centers)
   a. Best Improvement/Performance
   b. Best Reduction in Workers’ Compensation Rate
   c. Best Workers’ Compensation Rate
2) Property (one award for campuses and one award for medical centers)
   a. Best Practices/Timely Claims Reporting
   b. Most Improved Timely Claims Reporting
3) Professional Liability (one award for campuses and one award for medical centers)
   a. Best Performance/Highest Rate of Return on Rebate
4) General and Employment Liability (one award for campuses and one award for medical centers)
   a. Best Practices/Timely Claims Reporting
5) Automobile
   a. Best Practices/Timely Claims Reporting
   b. Most Improved/Timely Claims Reporting
6) Environmental Health & Safety
   a. Lowest OSHA Total Recordable Cases
7) Innovative Risk Management
   a. Voted Best Presentation by Attendees

Each year the University of California Risk Summit has a theme. In 2009, the theme was “Leading Through Change,” focusing on making change, addressing difficulties, and facing challenges head on, all while finding creative ways to do more with less during these economic times. The emphasis was that, as leaders, attendees must continue their efforts towards the common goal of reducing the cost of risk, and in order to do so they must move forward through change. Each campus and medical location was given the opportunity for its leaders to speak about initiatives at their locations that have led to positive change, a way to share valuable knowledge that can be used throughout the University of California system. Attendees voted on the presentations, and the Innovative Risk Management Award went to the one with the most votes.
UC Riverside was the winner, with Campus Risk Manager Steve LaShier giving a very motivational speech about the “leading through change” initiative at the Riverside campus and how one person, as a leader, can make a difference. Some challenging subjects and significant emerging risks were addressed at the 2009 Risk Summit, such as threat and security, foreign business operations, travel abroad, and business continuity planning. This was a forum to share ideas and best practices in preparation for the challenges of the coming year. It is essential that UC’s leaders have the right knowledge and strong relationships with those whom they can call upon for assistance. The Risk Summit brings leaders together for this purpose and enables them to be better armed to act quickly, make the right decisions, and be “leading through change.” The Risk Summit also provides a forum for updates and open discussion on current system-wide initiatives that were core elements of “leading through change,” such as the Be Smart About Safety program (“What Be Smart About Safety Can Do for UC” and “Helping Employees Be Smart About Safety With the Right Equipment: Tools and Training”), Enterprise Risk Management, and UC Ready (Business Continuity Planning): “Getting Ready …with UC Ready” (an online tool for business continuity planning). All these programs helped the University of California motivate its employees to see how their individual behavior and attention to the risk exposures in their departments play into the bigger picture of how UC measures and manages risks for the entire UC system.

Each year, the “Excellence Award for Best Risk Management Practices” is presented to the campus and the medical center with the lowest overall cost of risk. The awards were received this year by the UC Santa Barbara campus and the UC San Diego medical center.
The annual “University of California President’s Award for Excellence in Environment, Health and Safety” was presented to the UC Santa Cruz campus. This award is based on a compilation of injury and illness performance measures that are adjusted by Cal/OSHA according to the size of each location’s workforce, and it is awarded to the location with the best overall score. (University of California 2009)

Conclusion

Enterprise Risk Management ensures that a public entity identifies and understands the key dangers that it may face. This helps the public entity make and implement the plans necessary to prevent the downside of risk, but also allows the organization to exploit opportunities for growth. Some of the benefits of ERM include the following:

Enhanced Decision Making: Public administrators, boards of directors, city councils, and senior management teams within a public entity will make more informed decisions, having a clearer understanding of what their risk exposures are and the potential impact of those risk exposures. Decisions will be evaluated in their internal and external context, and proper mitigation plans can be established to minimize any future loss.

Effective Communication: Enterprise risk management enhances communication within the entire public entity. The reason for this is that risks will be tackled by several departments and not seen in silos. Departments will not only see the interrelationship of risk exposures within their own department, but will also see the relationship of their risk exposures to those of other departments within the public entity. This encourages better communication among employees, internal and external stakeholders and senior management regarding how risks are being controlled.

Risk Awareness and Accountability: Being unable to identify a risk until it happens can affect the public entity badly. Not only could there be tangible losses, but also intangible losses such as public trust.
It may even result in a decrease in internal morale as well as destroying the public entity’s reputation. Nevertheless, enterprise risk management enables managers to identify risk early, empowering them to assign accountability of risk exposures, develop proper mitigation plans, and have a clear course of action in case of a disruption to services. Improve Ability to Achieve Strategic Goals- Enterprise risk management allows public entities the ability to improve on meeting their strategic goals by finding the best mix of risk controls to protect their assets and yet be fiscally responsible to all their stakeholders. By doing so, public entities are able to reduce volatility and develop plans for growth that are sustainable. 120 Bibliography Allen, Mathew. Building a Common Approach to Managing Risk - The Challenge of ISO 31000. January 2010. http://www.mmc.com/knowledgecenter/viewpoint/Building_a_Common_Approach_to_Managi ng_Risk_The_Challenge_of_ISO_31000.php. Anselmo, Clay. Failure Investigation and Root Cause Analysis. Denver, December 31, 2009. Broadleaf Capital International PTY LTD. "Tutorial Notes: The Australian and New Zealand Standard on Risk Management, AS/NZS 4360:2004." Broadleaf Capital International PTY LTD. 2007. http://www.broadleaf.com.au/pdfs/trng_tuts/tut.standard.pdf. Bugalla, John, Janice Hackett, and Kristina Narvaez. "ERM in the Vancouver Winter Olympics." Risk Management Magazine, Aprill 2011: 22-28. Bugalla, John, Janice Hackett, James Kallman, and Kristina Narvaez. "Putting Board Risk Committees to Work." The Corporate Board, November 2010: 21-25. Carson, Debra, interview by Kristina Narvaez. Risk Manager - Longmont, Colorado (September 2010). Christina, Diane. Dissecting the Anatomy of ISO 31000. February 5, 2010. http://dianechristina.wordpress.com/2010/02/05/dissecting-the-anatomy-of-iso-31000. Committee of Sponsoring Organizations. Resources. 2010. http://www.coso.org/resources.htm. Corporate Controller - Penn State University. 
"Strategic Plan." Office of the Corporate Controller. 2009. http://www.controller.psu.edu/Divisions/ControllersOffice/docs/StrategicPlanBrochure.pdf.
Crickette, Grace. IBM Case Study - University of California – Office of the President. October 7, 2010. http://www-01.ibm.com/software/success/cssdb.nsf/CS/CARD89YNQK?OpenDocument&Site=default&cty=en_us.
Department of Homeland Security. "DHS Risk Management Guidelines." Lessons Learned Information Sharing. February 25, 2010. https://www.llis.dhs.gov/docdetails/details.do?contentID=49295.
DHS Risk Steering Committee. "DHS Risk Lexicon." Department of Homeland Security. September 2010. http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf.
Diamond, Paul. "Newsletters." University of California Office of the Chief Financial Officer. 2009. http://www.ucop.edu/riskmgt/documents/nwsltr_sum09.pdf.
Drobris, Kristen, interview by Kristina Narvaez. MassDevelopment Uses ERM in Project Management (May 25, 2011).
Duffy, Grace, John Moran, and William Riley. "Solve the Real Problem Using Root Cause Analysis." ASQ Quality Management Division. January 24, 2010. http://www.asqqm.org/resourcesmodule/download_resource/id/394/src/@random4bb23e8065112/.
Essary, Norma, and Michael Yip. Enterprise Risk Management "In Action" PowerPoint Presentation. January 2010.
Grenny, Joseph, Kerry Patterson, David Maxfield, Ron McMillion, and Al Switzler. Influencer: The Power to Change Anything. McGraw-Hill, 2006.
Hammond, Paula J. "Business Directions: WSDOT's Strategic Plan 2011-2017." Washington State Department of Transportation. September 2010. http://www.wsdot.wa.gov/NR/rdonlyres/533F8188-9F2B-4DAD-BF917590086A7904/0/StrategicPlan1117.pdf.
—. "Publications." Washington State Department of Transportation. December 10, 2008. http://www.wsdot.wa.gov/publications/fulltext/cevp/1053policy.pdf.
Hardy, Karen, Dr. "Managing Risk in Government: An Introduction to Enterprise Risk Management." IBM Center for the Business of Government. 2010. http://www.businessofgovernment.org/sites/default/files/RiskinGovernment.pdf.
Hoopingarner, Taud, interview by Kristina Narvaez. Chief Operating Officer, Dakota County, Minnesota (September 2010).
IBM. Enterprise Risk Management. 2010. http://www-01.ibm.com/software/data/cognos/enterpriserisk-management.html.
International Standards for Business, Government and Society. New ISO standard for effective management of risk. November 18, 2009. http://www.iso.org/iso/pressrelease.htm?refid=Ref1266.
Kolasky, Bob. "Public Entity Risk Institute Resource Library." Public Entity Risk Institute. March 4, 2011. https://www.riskinstitute.org/peri/index2.php?option=com_content&do_pdf=1&id=1083.
Lermack, Harvey B. "Enterprise Risk Management at Pennsylvania State University - Strategy Implementation in a Decentralized Organization." Faculty Websites - Philadelphia University. 2008. http://faculty.philau.edu/lermackh/PSU%20Case%20%28A%29%20308-372-1.pdf.
Levine, Mike. "While Slowing BP Oil Spill, Administration Slowed Flow of Information Too, Claims Coast Guard Report." Fox News, March 28, 2011.
Louisot, Jean-Paul, and Christopher Ketcham. Enterprise-Wide Risk Management: Developing and Implementing. Pennsylvania: American Institute for Chartered Property Casualty Underwriters/Insurance Institute of America, 2009.
MassDevelopment. MassDevelopment. n.d. www.massdevelopment.com.
McQuire, Russell, interview by Kristina Narvaez. Senior Consultant - Milliman (January 2011).
Melvin "Kip" Holden, Mayor-President of Baton Rouge. Written statement for a hearing on Recovering from Hurricane Katrina: Responding to the Immediate Needs of Its Victims. Washington, D.C., September 28, 2005.
Miller, Allen S., Ph.D. Integrating Risk Management Across the Homeland Security Enterprise. Los Angeles, November 16, 2010.
Moore, Mark, Dr. Emerald - Research You Can Use. 1995. http://www.emeraldinsight.com/content_images/fig/0420200706001.png.
Moore, Mark H., Dr. Creating Public Value: Strategic Management in Government. Cambridge: Harvard University Press, 1995.
National Research Council of the National Academies. Review of the Department of Homeland Security's Approach to Risk Analysis. Washington, D.C.: The National Academies Press, 2010.
Office of Financial Management, State of Washington. "ERM Best Practices." Office of Financial Management. November 10, 2010. http://www.ofm.wa.gov/rmd/erm/erm_best_practices.pdf.
Office of Risk Management and Analysis, Department of Homeland Security. Risk Management Practices in the Public and Private Sector: Executive Summary. Washington, D.C., September 2010.
Risk and Insurance Management Society. 2008. http://www.rmmag.com/Content/Navigationmenu/ERM/Risk_Maturity.
Riskonnect. Enterprise Risk Management | Riskonnect. 2011. http://www.riskonnect.com/solutions/enterprise-risk-management.
Robertson, Campbell, and John Collins Rudolf. "Report Says Coast Guard Was Unprepared for Spill." The New York Times, April 8, 2011.
San Francisco Examiner. UCSF Expansion Making Mission Bay a Biotech Giant. November 8, 2009. http://www.sfexaminer.com/news/science-and-technology/ucsf-expansion-making-missionbay-biotech-giant.
San Francisco International Airport/Community Roundtable. About Us. October 1, 2003. http://www.sforoundtable.org/about%20us.html.
Schmutz, Steve, interview by Kristina Narvaez. Director of Operations at Riskonnect (February 2011).
Standard and Poor's. Global Credit Portal. September 9, 2010. http://www.standardandpoors.com/products-services/Global-Credit-Portal/en/us.
—. Ratings Enterprise Risk Management. 2011. http://www.standardandpoors.com/ratings/erm/en/us.
State of Washington. About GMAP. 2010. http://www.accountability.wa.gov/main/about.asp.
State of Washington Office of Financial Management. Root Cause Analysis. 2010. http://www.ofm.wa.gov/rmd/erm/root.asp.
TapRoot. "Root Cause Analysis Blog." TapRoot. July 1, 2010. http://www.taproot.com/wordpress/wpcontent/uploads/2010/07/BPFaultTree.pdf.
The Security Risk Management Toolkit. A Sample Corporate Risk Register. June 11, 2006. http://www.risk.biz/register.html.
Townsend, Frances. "The Federal Response to Hurricane Katrina: Lessons Learned." St. Mary's University Library. February 2006. http://library.stmarytx.edu/acadlib/edocs/katrinawh.pdf.
United States Department of Veterans Affairs. Wikimedia Commons. August 2001. http://commons.wikimedia.org/wiki/File:VA_One_AE_Preliminary_Project_Timeline_200102.jpg.
University of California. Background of ERMIS. September 1, 2010. http://www.ucop.edu/riskmgt/erm/backgrd.html.
—. Documents. March 10, 2010. http://www.ucop.edu/riskmgt/erm/documents/bulletin_10.pdf.
—. Enterprise Risk Management. August 10, 2010. http://www.ucop.edu/riskmgt/erm/welcome.html.
University of California Office of Risk Services. "Enterprise Risk Management." University of California. August 2010. http://www.ucop.edu/riskmgt/erm/documents/superuser_profile.pdf.
—. "ERM Resources." University of California. May 18, 2010. http://www.ucop.edu/riskmgt/erm/documents/bulletin_12.doc.
University of California. "Risk Services Today Newsletter." Office of the President. 2009. http://www.ucop.edu/riskmgt/documents/nwsltr_sum09.pdf.
University of California, San Francisco. Our Vision. 2010. http://missionbayhospitals.ucsf.edu/ourvision.php.
Vincoli, Jeffrey W., CSP. Basic Guide to System Safety. New York: Van Nostrand Reinhold, 1993.
Warren, Mike. "ACI-NA." Airports Council International - North America. November 2007. http://www.aci-na.org/static/entransit/General%20Session%206%20%20Mike%20Warren1.pdf.
Washington State Department of Transportation. "Publications." Washington State Department of Transportation. July 2010. http://www.wsdot.wa.gov/publications/fulltext/cevp/ProjectRiskManagement.pdf.
—. Sustainable Transportation. 2010. http://www.wsdot.wa.gov/sustainabletransportation/.
Webber, Erica, interview by Kristina Narvaez. Associate Partner, IBM Global Services (February 14, 2011).
Wikimedia Commons. File: SWOT. September 30, 2007. http://commons.wikimedia.org/wiki/File:SWOT_en.svg.
Zavatsky, Drew. Implementing Enterprise Risk Management in Washington State Government. November 7, 2008. http://www.poole.ncsu.edu/erm/index.php/articles/entry/drew-zavatskyroundtable/.

Glossary

Business Continuity: Pre-loss activities performed by an organization to eliminate interruption of a critical business function in the event of a major loss. These activities involve a scheduled approach to maintaining continual service and providing consistency across project tasks and system backups.
Centers for Disease Control and Prevention (CDC): The CDC is one of the major operating components of the U.S. Department of Health and Human Services. Its mission is to coordinate resources with the expertise, information, and tools that help people and communities protect their health by providing material on injury and disability, prevention of disease, health promotion, and preparedness for new health threats.
Cause of Loss: The primary cause of loss as recorded in the source claims system.
Chaotic State System: One of four system levels used to describe the degree of severity of an unexpected event. In a chaotic state system the unexpected event is a dramatic, unforeseen situation that threatens the organization's survival.
Claim: A request for payment for benefits received or services rendered as covered under workers' compensation, or a request for payment and/or an actionable item to restore or replace damaged property or to compensate for injury associated with a liability exposure.
Complex State System: One of four system levels used to describe the degree of severity of an unexpected event. In a complex state system the unexpected event is unusual and potentially critical to the organization.
Compliance Risk: Compliance risk covers situations where an organization must comply with laws and governing rules. The assessment checks whether internal policies and procedures conform to laws and regulations such as federal and state OSHA laws, EPA requirements, and employment practices.
Complicated State System: One of four system levels used to describe the degree of severity of an unexpected event. In a complicated state system the unexpected event is more difficult to resolve than a simple system's, but is not unusual.
Continuity Plan: A continuity plan outlines how the organization will survive and succeed after an unexpected event. The plan should direct each department in formulating a departmental plan that coordinates with the entire organization.
Crisis: A crucial turning point in the course of any event; an unstable condition in which an abrupt or decisive change is impending; a major, unpredictable event with potentially negative results. The event and its aftermath may significantly damage an organization and its employees, products, services, financial condition, and reputation.
Delphi Technique: A communication technique employing a panel of experts to assess the top risks in the organization. The panel answers a series of questions and, based on the quantitative or qualitative values assigned, the risks are ordered from greatest to least. The responses are revised in rounds until the whole group reaches a consensus.
Disaster Management: The process of preparation, mitigation, and response for handling widespread destruction and distress caused by a catastrophic loss. Management must work with emergency personnel to coordinate planning and response across multiple organizations within the community, which demands a timely response from internal and external sources.
Emergency: An unexpected event that places life and/or property in danger and requires an immediate response using routine community (or organizational) resources and procedures.
Emergency Management: The management of governmental and non-governmental preparedness and response, at federal, state, and local levels, to unplanned events that affect public health and safety and destroy property.
Enterprise Risk Management (ERM): An approach to risk management that addresses all of an organization's risks as one unit, throughout the organization, and considers both the potential gains and potential losses from risk. ERM avoids separating the management of risks based on whether they are insurable or on which operations or activities generate them.
Enterprise Risk Management Process: The ERM process allows an organization to establish its internal and external contexts, assess risks, choose appropriate treatments, and then monitor those treatments against the organization's strategic goals. This gives all stakeholders a clear picture of the risks that could affect the strategic plan and offers the ability to quantify critical risks and prioritize risk treatment.
ERM Maturity Model: A scoring tool created by the State of Washington's Office of Financial Management and used yearly to measure the progress of ERM implementation on a scale from 1 (beginning) to 6 (advanced). Over time, scores should increase as ERM programs become more robust and more fully integrated into agency planning and operations.
Environmental Risk: Conditions affecting the environment (air, water, or ground) that could be damaged or destroyed by pollution or a hazardous substance.
Fault Tree Analysis (FTA): FTA is an analytical tool in which the actions and conditions that contribute to a failure are connected with "gates" that force an organized flow of events leading upward to the final (top) event.
The "and" and "or" gates show what must happen before the failure sequence progresses to the next level. FTA starts with the crisis event and drills down to the specific details of its causes. It is now one of the most common hierarchical methods used to study cause-and-effect relationships.
Financial Risk: The risk of loss from a fall in the value of an investment, reduced income, or the failure of, or lack of funding for, a financing instrument or insurance policy. Examples of financial risk are credit risk, property taxes, or a dissolved insurance carrier. Two related risks are investment risk (the possibility that the actual return is less than the expected return) and business risk (where cash flow is significantly reduced).
Frequency: A measurement of how often a certain type of loss usually occurs during a given time period, such as a year. It is normally expressed as a probability of occurrence, such as low, moderate, or high frequency, and is paired with a potential size of loss.
Goal: A statement describing the purpose of a program, function, or activity that is part of an organization's overall mission.
Hazard: An event or physical condition that has the potential to cause fatalities, injuries, property damage, infrastructure damage, agricultural loss, damage to the environment, interruption of business, or other types of harm or loss. In risk management a hazard is not really an event; it is the object, force, or condition that creates the potential for an event. The potential for earthquakes is a hazard; an actual, specific earthquake is an event.
Human Capital Risk: Evaluation of an organization's greatest asset, its key employees and overall workforce. This risk examines skills, talent, gaps in knowledge, and the most threatening exposures, to prepare for planned events such as retirements and relocations and for unforeseen changes such as a sudden drop in retention or the loss of key employees.
Human Causes: Damage known to have been caused by human error.
A circumstance where human intervention was the primary contributing factor resulting in an accident or major loss. Human causes typically lead to physical causes.
Key Performance Indicators (KPI): A type of performance measure used to evaluate the success of a particular activity (a specific operation, program or service, expenditure, sales, and so on) within an organization. Because KPIs evaluate past activity, they should be used to prompt the identification of potential improvements.
Key Risk Indicators (KRI): Specific operational or financial metrics used to measure possible losses. A KRI identifies possible harmful events and the probability of each, which differs from a key performance indicator, which measures the success or failure of what has already occurred.
Mission Statement: A mission statement should explain why an organization exists, what it does, and how it provides services or products to its customers or community.
National Emergency Management Association (NEMA): NEMA is a professional association of emergency managers. Its primary purpose is to be the source of information, support, and expertise for emergency management professionals at all levels of government and in the private sector who prepare for, mitigate, respond to, and recover from all emergencies, disasters, and threats to the nation's security, and who provide products and services for them.
Operational Objective: Specific milestones created at the staff management level in order to reach pre-set executive-level goals. An operational objective should be functional in nature and cut across all departments within an organization.
Organizational Causes: When a system, process, or policy is found to be at fault and has the potential to cause damage or injury. The faulty document or procedure was used to make decisions, and those decisions later contributed to a loss.
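The Fault Tree Analysis entry above gives the whole of FTA's arithmetic once the probabilities of the basic events at the bottom of the tree are known. The following Python is an added example, not code from the publication or from any of the entities it describes. It builds a small constructed fault tree for a service-outage top event (the event names and probabilities are assumptions), propagates probability upward through AND and OR gates under the assumption that basic events are independent, and enumerates the minimal cut sets, the smallest combinations of basic events that trigger the top event, ranked by their probability.

```python
"""Fault tree evaluation with AND/OR gates.

Added example: the tree built below (a service-outage top event) and its
basic-event probabilities are constructed assumptions, not a case from the
publication. Basic events are assumed to be statistically independent, so
an AND gate multiplies its inputs and an OR gate yields 1 - prod(1 - p).
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass
class Basic:
    """A basic event at the bottom of the tree."""
    name: str
    p: float  # probability of the event over the period analysed


@dataclass
class Gate:
    """An intermediate or top event, triggered by its inputs through a gate."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Top-down evaluation: drill from the top event to the basic events."""
    if isinstance(node, Basic):
        return node.p
    probs = [probability(child) for child in node.inputs]
    if node.kind == "AND":            # all inputs must occur
        result = 1.0
        for q in probs:
            result *= q
        return result
    if node.kind == "OR":             # at least one input occurs
        none_occur = 1.0
        for q in probs:
            none_occur *= 1.0 - q
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal cut sets: smallest sets of basic events that trigger `node`."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":             # any child's cut set suffices
        combined = set().union(*child_sets)
    elif node.kind == "AND":          # one cut set from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # Drop any cut set that has a proper subset in the collection.
    return {cs for cs in combined if not any(other < cs for other in combined)}


def basic_events(node: Node) -> Dict[str, float]:
    """Collect every basic event's probability, keyed by name."""
    if isinstance(node, Basic):
        return {node.name: node.p}
    found: Dict[str, float] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def rank_cut_sets(node: Node) -> List[Tuple[Tuple[str, ...], float]]:
    """Minimal cut sets with their probability, most likely first."""
    probs = basic_events(node)
    ranked = []
    for cs in cut_sets(node):
        p = 1.0
        for name in cs:
            p *= probs[name]
        ranked.append((tuple(sorted(cs)), p))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def build_outage_tree() -> Gate:
    """Constructed tree: an outage occurs when primary power and the generator
    both fail, or the server and its backup both fail, or the network link
    fails on its own (assumed structure and probabilities)."""
    return Gate("service_outage", "OR", [
        Gate("no_power", "AND", [Basic("power_fail", 0.10), Basic("generator_fail", 0.20)]),
        Gate("no_server", "AND", [Basic("server_fail", 0.05), Basic("backup_fail", 0.50)]),
        Basic("network_fail", 0.01),
    ])


if __name__ == "__main__":
    tree = build_outage_tree()
    print(f"P({tree.name}) = {probability(tree):.6f}")
    for events, p in rank_cut_sets(tree):
        print(f"  cut set {events}: {p:.4f}")
```

The gate arithmetic is only exact while each basic event appears once in the tree; if the same event feeds two gates, the OR formula double-counts it and overstates the top-event probability. The minimal cut sets are still reduced correctly in that case, which is why analysts usually report cut sets and their probabilities alongside the single top-event figure.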
Operational Risk: A risk caused by the actions of an organization's personnel, an internal process, or an organizational system that leads to a loss in one or more of the organization's business functions.
Performance Measurement: A tool used to improve a specific process. Performance measures should monitor tasks or workload production and produce data that can be used for internal and external comparison. Most measurements are (a) workload measurements, (b) effectiveness and ratio measurements, or (c) productivity and results measurements.
Plan of Action: A written policy addressing a series of concerns. A plan of action should list responses to each challenge; identify a method to track who within the organization is accountable for each response; state the proposed action to be taken; identify the resources to be used to address the challenge; and set a timetable for completing the corrective action.
Pure Risk: A risk of loss with no possibility of gain. Fire damage to a building, an automobile collision, or slipping on a wet floor are examples of pure risk.
Reputational Risk: Risk related to the trustworthiness of a company or governmental business. It can result in the destruction of an organization's reputation, negative public opinion, and the loss of revenue or shareholder value. Reputational risk can lead to the withdrawal of a product or to corporate bankruptcy.
Risk Center: A department or unit within the organization charged with the risk exposures related to its duties and responsibilities.
Risk Champion: The individual accountable for the identification, assessment, and analysis of risk, implementation of the ERM program, and monitoring of risk in a department or unit.
Risk: The measurement of the potential for deviation from an expected result, which may have negative consequences, such as loss or injury, or positive consequences, such as financial gain from an investment.
Risk Analysis: The determination of the likelihood of an event occurring (probability) and the consequences of its occurrence (impact), for the purpose of comparing possible risks and making risk management decisions.
Risk Appetite: The level of risk acceptable to management, based on the risk response strategy established for specific risks. It is the total amount of risk permitted within a given function or operational area. Management may select one or more risk treatments and choose to monitor performance through internal controls.
Risk Assessment: The combination of vulnerability analysis and risk analysis: the determination and presentation (usually in quantitative form) of the potential hazards and of the likelihood and extent of harm that may result from them. Risk assessment includes estimating the likely consequences of potential risk events and determining which risk exposures to address first.
Risk Assessment Process for Informed Decision-making (RAPID): RAPID is a quantitative risk assessment tool designed for the Department of Homeland Security to provide managers and leaders with information about multiple hazards and security risks. The tool examines how programs across different departments work together to manage anticipated risks associated with DHS strategic goals and objectives, so that future resources allocated to DHS programs are influenced by the programs' risk-reduction value.
Risk Avoider: A person whose attitude is dominated by the potential harm associated with a given risk and who will typically try to transfer all risk to another party.
Risk Criteria: Reference documentation, such as standards, measures, and expectations, used to compare a given risk against the strategic goals of the organization. Risk criteria can include costs and benefits, legal and statutory requirements, and socioeconomic and environmental factors.
Risk Culture: The organization's attitude toward risk, which in turn defines the level of acceptable risk, or risk appetite. An organization that encourages its stakeholders to take on risk deliberately will be better prepared to adapt to new hazards and to incorporate treatments for those hazards into the overall risk management plan.
Risk Evaluation: An evaluation of possible sources of risk that involves ascertaining the strengths and weaknesses of the Enterprise Risk Management program with regard to the organization's strategic goals.
Risk Event: An incident or occurrence that stands in the way of meeting a goal; for example, failure to maintain normal delivery of services to citizens.
Risk Exposure: The possibility of a given loss. The probability attached to a specific exposure changes as related variables change; for example, exposure to fire can be decreased by adding protection in the area affected by the hazard.
Risk Identification: The process of taking inventory of all risks in the organization and tying them to the organization's strategic plan.
Risk Impacts: The unintended consequences after an event occurs. The size of the impact varies in cost and area affected; the impact on personnel may relate to health, changing skills, or some other critical factor.
Risk Intelligence: Both a process and a product. It consists of the organizational ability to collect and collate data, statistics, and information on risk and volatility, followed by the systematic analysis, interpretation, and presentation of that information.
The end goal is decision making that produces the most favorable outcomes under existing circumstances.
Risk Management Process: A five-step approach to developing and maintaining a risk management program: (1) identify and analyze the entity's risks, (2) evaluate risk management techniques that may address those risks, (3) select the most appropriate techniques, (4) implement the selected techniques, and (5) monitor and change the risk management program as needed.
Risk Management Program: The systematic process of planning, organizing, implementing, and monitoring efforts to minimize potential losses and to make arrangements to deal with the losses that do occur. Steps include identifying the exposures, determining the risk techniques available, selecting and implementing the best method, and monitoring the results.
Risk Mapping: A communication technique used to visualize identified risks, plot their relationships, and determine what actions should be taken toward them. Maps chart the severity of possible events (on the X axis) against their possible frequency (on the Y axis).
Risk Maturity Model: Based on the Capability Maturity Model, a methodology developed by the Carnegie Mellon Software Engineering Institute (SEI) in the 1980s. It takes a snapshot of where the organization's risk program stands today and can be used as a scorecard. It reviews ERM performance throughout the organization, tracks various attributes, and grades them by maturity level.
Risk Optimizer: A person with a risk optimizer attitude realistically evaluates potential outcomes and consequences in pursuit of the organization's goals and objectives. A risk optimizer balances the risk (overemphasized by a risk seeker) and the reward (undervalued by the risk avoider) to reach the best assessment of each identified risk.
Risk Register: A management tool used to connect activities and projects to plans and processes.
A risk register supports sound governance and contributes to monitoring compliance with the various risk regulations.
Risk Seeker: A person dominated by a risk seeker attitude focuses on the end result of an activity or process. A risk seeker has the greatest potential for reward but may underemphasize a risk's impact, variance, and potential negative effects.
Risk Tolerance: Specific risk limits associated with a given business activity that an organization and its stakeholders are willing to bear within a given strategic context. By establishing a risk tolerance level, senior executives have a clear vision of the direction they should pursue before engaging in strategic or financial decision making.
Risk Treatment: The use of one or more risk management techniques to reduce the probability of a loss (frequency) and the damage that results from losses (severity). Examples of treatments are avoidance, risk reduction, insurance, and acceptance of the risk. The treatment should address all potential threats.
Root Cause Analysis (RCA): A problem-solving method aimed at identifying the root cause of problems or incidents. Practitioners of RCA solve problems by correcting or eliminating root causes so that the likelihood of recurrence is minimized.
Return on Investment (ROI): A performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by its cost; the result is expressed as a percentage or a ratio.
Severity: The size of each loss. Combined with frequency, these two factors help estimate the expected cost of each loss exposure over a given time.
Simple State System: One of four system levels used to describe the degree of severity of an unexpected event.
In a simple state system the unexpected event can be resolved through routine decisions.
Stakeholder's Perspective: Recognizing and supporting an integrated perspective between management and its stakeholders, comprising individuals, groups, members of the public, and private firms. ERM suggests that an organization must work together with its stakeholder environment and intertwine multiple stakeholder interests in such a way that the interests of shareholders and management's decisions cannot be entirely separated.
Strategic Goal: A goal created by the board or executive staff that is general and/or conceptual yet defines direction for the organization.
Strategic Plan: An action plan containing the strategies, goals, and objectives used to achieve the purpose defined in the mission statement.
Strategic Risk: Risk to the entity's strategic goals; examples include services to citizens, capital improvement projects, and maintaining growth.
Strategic Triangle: The strategic triangle applies three "learning aspects" to the planning process: value strategy, political management, and operational capacity. The interactions between these aspects help delineate the organization's strengths and weaknesses.
Sustainable Development: A key strategic objective that recognizes a pattern of resource use aimed at preserving the environment while meeting the needs of human consumption. Sustainable development directly affects an organization's ability to achieve its goals while striking a balance among social, environmental, and economic elements to meet current needs without compromising the ability of future generations to meet their own.
SWOT Analysis: A process used in enterprise risk management to improve the strategic decision making of an organization by examining its strengths, weaknesses, opportunities, and threats. The SWOT analysis integrates risk management with the strategic planning process to increase awareness of unplanned or emerging risks that could affect the organization's ability to provide services.
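The Frequency, Severity, Risk Mapping, Risk Tolerance, Risk Treatment and Return on Investment entries above describe one calculation from several angles: expected annual loss is frequency times severity, a map cell is the pair of ordinal severity and frequency scores, a treatment lowers one or both factors, and ROI compares the loss avoided with what the treatment costs. The following Python is an added example, not the publication's own tool or any agency's register. It scores a constructed three-row risk register (all names, figures, scale thresholds and treatment costs are assumptions) by expected annual loss, places each row on the severity (X axis) by frequency (Y axis) map using 1-to-5 bands, flags residual losses above a stated risk tolerance, and computes each treatment's ROI as the glossary defines it (benefit divided by cost).

```python
"""Risk register scoring with a severity/frequency risk map.

Added example: register rows, scale thresholds and treatment costs below
are constructed assumptions, not figures from the publication. Frequency is
events per year and severity is dollars per event, so the expected annual
loss of an exposure is frequency * severity.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Ordinal map scales: a value scores the highest band whose threshold it reaches.
FREQUENCY_SCALE: Sequence[Tuple[float, int]] = (
    (0.0, 1), (0.1, 2), (1.0, 3), (10.0, 4), (50.0, 5))                      # events per year
SEVERITY_SCALE: Sequence[Tuple[float, int]] = (
    (0.0, 1), (10_000, 2), (100_000, 3), (1_000_000, 4), (10_000_000, 5))   # dollars per event


@dataclass
class Treatment:
    name: str
    annual_cost: float
    frequency_factor: float = 1.0  # multiplier on frequency once treated
    severity_factor: float = 1.0   # multiplier on severity once treated


@dataclass
class RiskEntry:
    name: str
    risk_center: str      # department that owns the exposure
    frequency: float      # events per year
    severity: float       # dollar loss per event
    treatment: Optional[Treatment] = None

    def expected_loss(self) -> float:
        """Untreated expected annual loss: frequency times severity."""
        return self.frequency * self.severity

    def residual_loss(self) -> float:
        """Expected annual loss after the treatment's reductions are applied."""
        if self.treatment is None:
            return self.expected_loss()
        return (self.frequency * self.treatment.frequency_factor
                * self.severity * self.treatment.severity_factor)


def score(value: float, scale: Sequence[Tuple[float, int]]) -> int:
    """Map a measured value onto the 1..5 ordinal band of the given scale."""
    band = scale[0][1]
    for threshold, s in scale:
        if value >= threshold:
            band = s
    return band


def map_cell(entry: RiskEntry) -> Tuple[int, int]:
    """(severity band on the X axis, frequency band on the Y axis)."""
    return score(entry.severity, SEVERITY_SCALE), score(entry.frequency, FREQUENCY_SCALE)


def treatment_roi(entry: RiskEntry) -> Optional[float]:
    """ROI as the glossary defines it: benefit (loss avoided) divided by cost."""
    if entry.treatment is None:
        return None
    avoided = entry.expected_loss() - entry.residual_loss()
    return avoided / entry.treatment.annual_cost


def exceeds_tolerance(entry: RiskEntry, tolerance: float) -> bool:
    """True when the residual expected annual loss is above the stated tolerance."""
    return entry.residual_loss() > tolerance


def rank_register(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register so the largest untreated expected loss comes first."""
    return sorted(register, key=lambda e: e.expected_loss(), reverse=True)


def build_register() -> List[RiskEntry]:
    """Constructed sample register (assumed figures, not from the publication)."""
    return [
        RiskEntry("Slip-and-fall workers' compensation claims", "Facilities", 12.0, 8_000,
                  Treatment("Floor safety program", 20_000, frequency_factor=0.5)),
        RiskEntry("Ransomware outage of the permit system", "IT", 0.2, 2_000_000,
                  Treatment("Offline backups and restore drills", 60_000, severity_factor=0.25)),
        RiskEntry("Flood damage to the records warehouse", "Public Works", 0.02, 5_000_000),
    ]


if __name__ == "__main__":
    tolerance = 75_000  # assumed annual risk tolerance per exposure
    for entry in rank_register(build_register()):
        roi = treatment_roi(entry)
        roi_text = "n/a" if roi is None else f"{roi:.2f}"
        print(f"{entry.name} [{entry.risk_center}] cell={map_cell(entry)} "
              f"expected=${entry.expected_loss():,.0f} residual=${entry.residual_loss():,.0f} "
              f"roi={roi_text} over_tolerance={exceeds_tolerance(entry, tolerance)}")
```

Two things the numbers show that the definitions alone do not: the row with the highest map cell is not the row with the highest expected loss (the slip-and-fall claims sit high on the frequency axis but low on severity, while the ransomware row is the other way round), and a treatment can have a good ROI and still leave the residual loss above tolerance, which is the signal to add a second treatment or to revisit the tolerance with the risk center that owns the exposure.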
Tactical Objective: An objective created at the line management level to represent specific tasks. These objectives relate to the output of the organization's products and services.
Technological Risk: Potential losses arising from technology systems and operations, such as engineering, manufacturing, design processes, and system development. Technological risk evaluation examines the key processes in an organization's core business to determine relative priorities in the production, delivery, and management of its products, services, and support operations.
Vision Statement: An organization's vision statement should answer the question, "Where do we want to go?" While a vision statement does not explain how to get there, it sets the direction for the strategic plan.