Enterprise Risk Management and the 2010 Winter Olympic and Paralympic Games

Presentation to: Casualty Actuaries of the Northwest
Date: September 28, 2012
Presenter: Ron Holton, Chief Risk Officer, University of British Columbia

About VANOC

VANOC Mission, Vision and Values

Mission: To touch the soul of the nation and inspire the world by creating and delivering an extraordinary Olympic and Paralympic experience with lasting legacies
Vision: A stronger Canada whose spirit is raised by its passion for sport, culture and sustainability
Values: Team | Trust | Excellence | Sustainability | Creativity

Scope of the Games

What’s involved in organizing the Games? Some of the many areas VANOC was responsible for planning include:
• Accommodation
• Accreditation
• Construction
• Culture and Ceremonies
• Food Services
• Medical Services
• Press Operations
• Security
• Sport
• Ticketing
• Transportation
• Venue Operations
• Volunteer Recruitment and Training
• Waste Management

Scope of the Games

Stakeholders include:
• Government of Canada
• Government of British Columbia
• Local governments
• International Olympic Committee
• International Paralympic Committee
• Canadian Olympic Committee
• Olympic Paralympic Committee
• Sponsors
• Broadcasters
• Spectators
• Athletes

2010 By the Numbers

• Olympic athletes and team officials: 6,500
• Paralympic athletes and team officials: 1,350
• Participating countries—the Olympic Games: 82
• Participating countries—the Paralympic Games: 42
• Tickets available for 2010 events: 1.6 million
• Accredited media: 10,800
• Games volunteers: 26,000
• Television viewers (estimated): 3.5 billion
• Visits to vancouver2010.com: 275 million

About Enterprise Risk Management

VANOC Board Committee Responsibilities

• Audit Committee
  – The overall VANOC Risk Management framework and elements, including Enterprise Risk Management (ERM)
• Finance Committee
  – Budget risk, including foreign exchange risk

Enterprise Risk Management (ERM)

A general definition: ERM is a systematic, comprehensive and ongoing approach to identifying and managing all types of risk on an organization-wide or enterprise basis

Standard definition: ISO, COSO, AU / NZ

ERM signifies:
1. the adoption of risk management throughout the organization;
2. the management of exposures to loss not only in conventional hazard categories, but the full spectrum of strategic, operational and administrative risk.

It is essentially a decision process for managing uncertainties and effectively allocating resources.

Key Features of ERM

• Generic and applicable to diverse lines of business
• Holistic; addresses all types of risk (strategic, financial, operational, hazard, reputational) in all parts of the organization
• Continuous process
• Addresses both risks and opportunities
• Effected by people at every level of an organization
• Aims to enhance value for stakeholders
• Considers established disciplines, such as contingency planning, disaster recovery planning or emergency response planning, insurance, internal audit, loss prevention, to be specific treatments within the wider ERM process.

Key Elements in Implementing ERM

• No single best approach
• Strong, visible and communicated support from the top of the organization
• Each organization must develop an approach which best fits its values, objectives, culture and constraints
• Build it into existing business processes and practices
• Bottom-up as well as top-down
• Incremental approach
• Rigorous, but not overly complicated
• Dynamic and responsive
• Collaborative and not too prescriptive
• Demonstrate value

Key ERM Implementation Steps

• Strong, visible and communicated commitment from the board and senior management
• Establishment of context and objective setting
• Risk identification
• Risk analysis (probability or likelihood of occurrence, severity of impact, quantification, prioritization)
• Risk tolerance and risk treatment or mitigation development
• Ongoing control, monitoring, review, adjustment

VANOC ERM

• Robust
  – All 53 functions
  – All 14 construction venues
  – All 24 operating venues, competition and major non-competition
  – All 20 sport (test) events
  – Global or corporate
• Integrated
  – Functional interdependences identified & communicated
  – Direct partner risks identified for construction venues
  – Shared risks (Olympic / urban domain)
• Holistic
  – Strategic
  – Financial
  – Operational
  – Reputational
  – Hazard

VANOC ERM

• Dynamic
  – Regular Risk Register review & updating
  – Risk retirements
  – New reporting
• Top Down and Bottom-up
  – Executive, Senior Leadership, Board
  – Functions and venues

Definitions

• A RISK is something that might happen which could have a negative impact on VANOC
• An ISSUE is something that has happened or is happening which could have a negative impact on VANOC.

VANOC Risk Identification

• Risk Statement: cause and effect
• Internal and external
• Various sources

VANOC Risk Measurement

• For each identified risk:
  – Probability of Occurrence
    → Scale of 1 (very unlikely) to 5 (almost certain)
  – Severity of Impact
    → Scale of 1 (minimal) to 5 (massive)
    → Common measures established
  – Overall Risk Rating
    → Probability of occurrence × severity of impact
    → Scale of 1 to 25
    → Ratings of 12 and above = Top Risks

Risk Quantification and Prioritization

• Financial risks tend to be more easily quantified
• Subjective ranking may be all that can be done for some risks – don’t overly complicate!
• Quantifying can be particularly difficult for low probability / high severity risks

Risk Tolerance and Risk Treatment

• Risk tolerance often defined in terms of impact on earnings or budgets; revenue loss and/or cost increase relevant for VANOC, also reputation and operational readiness
• With VANOC’s risk tolerance as a guide, evaluate risks and decide to:
  – Monitor
  – Treat or mitigate
    • Reduce probability of occurrence
    • Reduce severity of impact
    • Transfer
  – Avoid
• Develop strategies and action plans to treat the risks

VANOC Risk Register

Risk register template (column headings):
• Risk Identification: Risk ID, Division, Functional Area, Risk Statement
• Risk Class: Strategic, Financial, Operational, Hazard
• Extent of Risk: Global, Competition, Non-Competition
• Timing: Pre-Games, Games, Post Games
• Risk Rating: Probability of Occurring, Severity of Impact, Overall Rating (Out of 25)
• Primary Type of Impact: Revenue Loss, Cost Increase, Reputation Loss, Games-time Readiness, Athlete Performance, Sustainability or Other Impact
• Risk Controls: Existing Controls and Risk Mitigation Measures (e.g. insurance, contingency plans), Existing Control Rating (Out of 5)
• Risk Dependencies: Dependencies / Coordination with other Functional Areas
• Risk Tolerance / Acceptance (M: monitor, T: treat, A: avoid)
• Additional Risk Mitigation Recommendations
• Risk Mitigation Owner
• Target Completion Date

• Ongoing risk identification, treatment tracking and monitoring tool

Risk Register Review

• Major Risk Report
  – The “Global” or corporate risks
  – Reviewed monthly with the Executive Team and updated as required
• Top Risks Summary Report
  – By division/function
  – Risks with an overall rating of 12 or higher
  – Include low probability/high severity risks
  – Reviewed monthly by each EVP for his/her division

Risk Register Review

• Function and Venue Construction Risk Register
  – For all 53 Functional Areas and each construction venue
  – Plus a Global Risks section
  – In-depth review and updating with Functional Areas and division heads on a six-month rotating divisional schedule
• Venue Operating Risk Registers created in tandem with Venue Operating Plans

Risk Register Review

• Overdue, Current and Pending Risk Mitigation Actions Report
  – Reviewed monthly by Executive Team
  – Executive Team sees the report for all divisions
• Register of Retired Risks
  – Reviewed with each division during six-month in-depth reviews
  – Indicates date and reason risk was retired, and by whose authority

VANOC Assurance Services

• Internal Audits
  – Annual Audit Plan—approved by Audit Committee
  – Regular in camera meetings with Audit Committee
• Consulting Reviews
  – Proactive reviews initiated at the request of Management

VANOC Business Continuity

• Loss Control/Prevention
• Crisis Management Plan
• Disaster Recovery Plan
• Contingency Plans
• Emergency Response Plans – for all venues, for both construction and operational phases

VANOC and Risk Management

• This was a complex and risky project
  – Many moving parts
  – Many stakeholders
  – Many external and shared risks
• How to handle?
  – Emphasis on identifying all types of risks and mitigating / managing them
  – Monthly meetings with Executive Team to review major risks
  – Rotating monthly in-depth reviews with functions—every six months
  – Monthly reporting of top risks, and overdue/current/pending mitigation actions to all divisions and functions
  – Risk-based approach for internal audit and business continuity planning
  – Plans for managing risks which could not be fully mitigated

ERM Challenges, Successes

– In a fast-paced, very diverse organization, keeping ERM current, relevant, and useful at all levels.
– Some risks became issues.
– VANOC was the first OCOG to fully implement and sustain an ERM framework. This has been recognized by the IOC and other OCOGs, and the VANOC model has become the standard to be followed.
– The 2010 Games are regarded as having been highly successful—ERM and the strong risk management culture which was pervasive in VANOC contributed to this outcome.