Success Stories: Public Entities Adopt ERM Best Practices
Kristina Narvaez, MBA
Understanding how to apply the concept of Enterprise Risk Management (ERM) in local
government is still a struggle for many entities. From talking to many government managers,
we know they are trying to understand whether it really means applying a new term to their existing
strategic planning and operational business procedures, or whether it means embarking down a
different path that will require additional resources and external guidance. For this reason,
Success Stories: Public Entities Adopt ERM Best Practices has been designed to help
governments understand how other public entities are applying enterprise risk management in
their operations.
The practice of enterprise risk management uses a set of proven tools to strengthen traditional
risk principles – while some current text books try to describe the process of ERM by
discounting traditional risk methods, this author and the Public Entity Risk Institute choose to
believe traditional methods are still the foundation for applying ERM. The fact is many
managers in the public sector are expanding the role of risk management beyond the
traditional focus of preventing and financing accidental losses. ERM allows all managers to
mitigate challenges through the application of an organized ERM process that evaluates all
possibilities of known events and identifies potential threats that may affect the organization
and its community.
The lack of information about enterprise risk management is a common problem. While some
professionals are trying to understand the terminology, others seek a step-by-step approach to
begin explaining the process to senior management. Regardless of where you fit into the mix of
interests, this publication will serve as a reference to cite the concepts and share actual facts
and examples from governments that have paved the way in the process. Many organizations
are changing their operations to produce a more systematic approach to manage potential
manmade and natural hazards that could jeopardize the organization’s assets or resources
because they recognize separating risk into compartments no longer makes sense.
Government officials are beginning to recognize the need to assess risks, to weigh the results of
taking certain actions, and to see the negative effects and consequences of failing to perform a
given function or service. However, building a culture that manages risk through a holistic approach has
been a slow process. Using a holistic approach will reduce cost by:
Encouraging an ongoing, organization-wide activity where everyone monitors risk.
Evaluating the effects of uncertainty against an organization’s ability to achieve its goals.
Developing action plans that can respond quickly and effectively to minimize the adverse consequences of unexpected challenges.
The ERM approach lets managers, and even board members, actively discuss possible risks in all
situations and tries to address the total uncertainty facing an entity at any moment. Where
possible it helps to eliminate the obstacles that hinder constructive performance, such as silos
within governmental units; issues involving public scrutiny; a lack of resources or one-sided
finances; weak data collection that isn’t shared; and a lack of common goals or incentives.
Risk management is related to mission, not to insurance and loss.
One mission for public entities is community sustainability. Part of the planning for
sustainability should be to decrease uncertainty by incorporating a continuous review of all
risks. The review should encourage prevention of loss and reduce the probability of failure,
which will minimize both public scrutiny and management’s desire to ignore the value of
holistic risk management for analyzing, reviewing, and improving their programs. The ERM process
guides managers to identify and act on risks based on how each risk impacts another risk, and
allows them to take responsible action and make policy decisions before an incident occurs.
To accomplish the goal of incorporating ERM into daily processes, it is important for personnel to
encourage and develop the credibility, influence, knowledge and partnerships needed to
sustain your entity and the community. While the value of adding enterprise risk management
will be different for each organization, the overall goal should be to maximize good results and
minimize the impact of negative events within and around the organization without having
personnel wondering who was responsible for any failure or unanticipated event. Integrating
enterprise risk management into the planning process raises the quality of all operations,
increases morale, and develops a stronger commitment to the organizational mission.
The Public Entity Risk Institute was eager to find examples of enterprise concepts and tools
used within governmental units. Admittedly, few public entities have fully developed programs,
but the progression of knowledge and management support seems to have “taken hold” in
pockets throughout the nation. The success stories found in this book are solid examples of
how ERM has been implemented into strategic guidelines using tools that can be easily applied
to other governments.
PERI would like to thank the organizations that shared their stories of success for this
book. PERI is also grateful to the author, Kristina Narvaez, for her tireless effort in gathering
these examples and for explaining ERM principles in a clear and understandable way. A sincere
thank you to Jessica Hubbard for her work on this project and earnest appreciation to Colleen
Gratzer of Gratzer Graphics for designing the page proofs and the cover.
Mary Stewart, ARM-P, CPCU
Director of Research and Development, the Public Entity Risk Institute
Grace Crickette – Chief Risk Officer at University of California
Erike Young – Director of Environmental, Safety & Health at University of California
Gary Langsdale – Director of Risk Management at Penn State University
Chuck Gray – Director of Risk Consulting Services at Bickmore Risk Service
Lisanne Sison – Risk Consultant at Bickmore Risk Service
Russell McQuire – Senior Consultant at Milliman
Erica Webber – Senior Managing Consultant at IBM
John Bugalla – Principal of ermINSIGHTS
Janice Hackett – Principal of ermINSIGHTS
Dr. James Kallman – Assistant Professor of Finance at St. Edwards University and Principal of Kallman Consulting Services
Drew Zavatsky – State of Washington Loss Prevention/ERM Coordinator
Mark Gabel – Cost Estimating Team Leader at Washington State Department of Transportation
Kristen Drobris – Senior Vice President of Risk Management for MassDevelopment
Debra Carson – Risk Manager at Longmont, Colorado
Taud Hoopingarner – Chief Operating Officer at Dakota County, Minnesota
Mike Warren – Airport Risk Manager for San Francisco International Airport
Norma Essary – Vice President of Risk Management at Dallas/Fort Worth International Airport
Todd Orchard – Manager of Enterprise Risk Management at Branch of Risk Management for British
Chris MacLean – Manager of Enterprise Risk Management at Branch of Risk Management for British
Steve Schmutz – Director of Operations at Riskonnect
Joseph Grenny – Cofounder of VitalSmarts
The Challenge for Public Entities
After you finish reading this book and start implementing some of the ERM best practices of
other public entities, we would like you to write back to the author (Kristina Narvaez at
[email protected]) and share with her your success stories of implementing ERM at
your public entity.
Table of Figures
Figure 1 – Second building block of ISO 31000 (Allen 2010)
Figure 2 – COSO II Framework
Figure 3 – AS/NZS 4360 risk management process (Broadleaf Capital International PTY LTD 2007)
Figure 4 – SWOT Analysis Chart (Wikimedia Commons 2007)
Figure 5 – DFW ERM Risk Council (Essary and Yip 2010)
Figure 6 – Risk Categories/Identified Risks
Figure 7 – ERMIS Sources of Information (University of California 2010)
Figure 8 – ERMIS Dashboard (Need bigger screenshot)
Figure 9 – ERMIS Metrics (Need bigger images)
Figure 10 – SFO Risk Ranking
Figure 11 – SFO Risk Map-Macro View (Warren 2007)
Figure 12 – SFO Risk Map-Micro View (Warren 2007)
Figure 13 – DFW Risk Scoring Template
Figure 14 – Spreadsheet Template Risk Register (The Security Risk Management Toolkit 2006)
Figure 15 – Risk Rating Chart
Figure 16 – Root Cause Analysis Process Flow (Anselmo 2009)
Figure 17 – Risk Based Organizational Chart (Essary and Yip 2010)
Figure 18 – BP Deepwater Horizon Fault Tree (TapRoot 2010)
Figure 19 – DHS Risk Management Process (Miller 2010)
Figure 20 – Integrating Risk across the DHS Enterprise (Miller 2010)
Figure 21 – Veterans Administration Project Timeline 2001-02 (United States Department of Veterans Affairs 2001)
Figure 22 – WSDOT Project Risk Management Chart (Washington State Department of Transportation 2010, xiv)
Figure 23 – Critical Risk: Mitigation Plan
Figure 24 – UC Top Risks Associated with Higher Education (University of California Office of Risk Services 2010)
Figure 25 – IBM ERMIS Dashboard (Need larger screenshot)
Figure 26 – Riskonnect Interrelationships Screen Captures
Figure 27 – Strategic Triangle (M. D. Moore 1995)
Figure 28 – UCSF Medical Center at Mission Bay (University of California, San Francisco 2010)
Table of Contents
Foreword by Mary Stewart
Acknowledgments
The Challenge for Public Entities
Introduction
Traditional vs. Enterprise Risk Management
ERM Frameworks
ISO 31000:2009
COSO II: 2004
AS/NZS 4360
ERM Certification
1 Risk Culture
Three Views of Risk
Public Entity Example – Longmont, Colorado
Three Elements of Sustainable Development
Public Entity Example – Washington State Department of Transportation
2 ERM Plan – Internal and External Context
SWOT Analysis
Public Entity Example – Dakota County, Minnesota
Public Entity Example – San Francisco Airport
Elements of a Strategic Plan
Strategy Implementation
Strategy Evaluation
Risk Maturity Model
Public Entity Example – State of Washington
3 Risk Intelligence
Risk Categories
Public Entity Example – Dallas/Fort Worth International Airport
Public Entity Example – University of California
Performance Management System
Public Entity Example – State of Washington
4 Risk Assessment
Delphi Technique
Public Entity Example – San Francisco International Airport
San Francisco International Airport Risk Map-Macro View
San Francisco International Airport Risk Map-Micro View
Causes of Loss
Level of Impact
Public Entity Example – Dallas/Fort Worth International Airport
Sample Risk Register
Public Entity Example – Vancouver, British Columbia
5 Root Cause Analysis
Five Schools of RCA
Three Basic Causes
Public Entity Example – State of Washington
6 Role & Responsibilities of a Risk Champion
Risk Centers
Interview with the Risk Champion
Objectives
Resources
Strategic Questions
What Are Your Risk Mitigation Techniques for the Following
7 Dealing with Unexpected Events
Hurricane Katrina Critical Challenges
Fault Tree Analysis
Continuity Plan
Public Entity Example – University of California
Public Entity Example – Center for Disease Control and Prevention
8 Integrated Risk Management
U.S. Department of Homeland Security
Challenges Faced
Tactics Employed
9 Using ERM in Project Management
Primary Activities
Buffer Time
Scheduling Tools
Example Gantt Chart
Project ERM Goal
Public Entity Example – Washington State Department of Transportation
10 Risk Communication
Crisis Communication among the Government Agencies during BP Oil Spill
Conclusions to Government Agencies’ Response to BP Oil Spill
11 Assurance in ERM
Monitor and Review
Public Entity Example – University of California
Addressing Gaps in ERM Program
12 ERM Technology Solutions
Enterprise Risk Management Software
IBM ERMIS
Riskonnect ERM
13 Risk Optimization and Value Creation
Is All Risk Bad?
The Strategic Triangle
Public Entity Example – University of California, San Francisco
Value Strategy
Political Management
Operational Capacity
14 Return on Investment
Areas of Review
Cost of Risk
Cost of Borrowing
Seven Primary Questions
Create Efficiency
Reduce Redundancy
15 ERM’s Role in Governance
Public Entity Example – U.S. Department of Education
16 Getting ERM Buy-In with Decision Makers
Sample ERM Implementation Plan (Louisot and Ketcham 2009, 14.32)
Public Entity Example – Penn State University
17 Being an ERM Influencer in Your Public Entity
Conclusion
Bibliography
In the last ten years, enterprise risk management (ERM) has received more attention from
corporate America and some public entities. ERM’s systematic approach in identifying risk
exposures helps everyone within the organization make better strategic decisions because risks
are more clearly defined. Though still in its infancy stage with many public entities across the
country, more and more organizations are looking to ERM as a way to better evaluate all of
their risks. ERM provides an opportunity for organizations to see their risks from a more holistic
point of view.
This book will take a six-step approach to introducing, developing, and ultimately implementing
an ERM program within your public entity. With each step, real examples will be provided to
highlight the successful implementation of these ideas by public entities in the United States
and Canada. The chapters will break down ERM in the following way:
1) Chapters 1 - 3 cover risk identification, the process of taking inventory of all risks in the
organization and tying them to the organization’s strategic plan.
2) Chapters 4 through 7 deal with risk assessment, a process where we determine the cause, risk
event, impact, and velocity of all risk exposures.
3) Chapter 8 addresses risk analysis, which examines the interrelationship of risks both within and
outside the organization.
4) Chapters 9 and 10 discuss implementation of ERM, including structure, practices, and strategies.
5) Chapters 11 and 12 examine monitoring, which is the tracking of risk information from the ERM
6) Chapters 13 - 17 cover evaluation, which involves ascertaining the strengths and weaknesses
of the ERM program with regard to the organization’s strategic goals.
Traditional vs. Enterprise Risk Management
There are many advantages to using an enterprise risk management approach over a traditional
risk management approach. ERM is able to improve the strategic decision making of an
organization by addressing strengths, weaknesses, threats, and opportunities (SWOT Analysis)
in a way that integrates risk management and the strategic planning process. All public entities,
no matter the size of operations, need to be aware of unplanned or emerging risks that can
impact their ability to provide services to their citizens.
In a traditional risk management approach, risks are classified into two risk categories,
operational risks and hazard risks, with little or no attention paid to strategic risks or financial
risks. The ERM process is different because it allows public entities to establish internal and
external contexts, assess risks, choose appropriate treatments and then monitor the treatment
to the organization’s strategic goals. This allows all stakeholders of a public entity to have a
clear picture of all the risks that could impact their strategic plan within their organization. By
identifying all the risks, the public entity now has the ability to quantify critical risks and
prioritize their risk treatment.
The first step in integrating ERM with strategic planning is to consider goals for ERM as part of
the public entity’s mission. The senior management, city councils, and/or board of directors
need to define their vision statement, mission statement, strategic objectives and financial
projections. For example, the State of Washington’s ERM goals are set with the following
criteria in mind:
Clear statement of the goals
Identification of the obstacles in meeting the goals
Evaluation of the upside and downside of risk
Prioritization of risks
Determine proper risk treatment
Capture risk intelligence in Risk Register
Communication of results to decision makers (Zavatsky 2008).
Traditional risk managers generally report to an organizational department such as finance,
operations, or legal. Their focus is on pure risk management issues such as property, freedom
from liability, net income, and key personnel. ERM engages all the organization’s stakeholders
in the risk management process and manages events and perils that may cause variation from
the achievement of specific strategic goals.
A public entity with a fully integrated ERM program develops a sophisticated but user friendly
way to communicate risk intelligence (see Chapter 3) throughout the organization. This risk
communication includes dialogue and discussions that occur to educate all stakeholders about
who is responsible for different types of risks and the way in which they will mitigate those
risks. With a clear definition of roles and responsibilities of risk within a public entity, personnel
are able to identify emerging risks in relation to, and in context with, specific and aggregate
strategic goals.
The use of valid metrics and the continuous flow of relevant data are critical in risk
communication. Key performance indicators, key risk indicators, and a risk register are just
some of the tools that risk managers can use to identify and then communicate risk information
to senior management. A risk register (see Chapter 4) is an essential tool for managing
portfolios and implementing rational decisions. It leads to sound governance and contributes to
the monitoring of compliance with various risk regulations.
When threats and opportunities are understood across the organization, managers will make
better decisions that in turn not only improve their department’s goals but also positively
impact the entire organization. The benefits of implementing an ERM program within your
organization include the following:
Enhance Decision Making
Increase Sustainability
Reduce Volatility
Improve Ability to Meet Strategic Goals
Increase Management Accountability
Breaking Silos-Seeing Risk From A Holistic Approach
Develop Business Continuity (Louisot and Ketcham 2009, 1.19).
A strong ERM program encourages the buy-in of an organization’s internal and external
stakeholders by establishing strategies that protect the organization’s reputation and assets.
Because any potential threat can have a negative impact on the public entity, crisis
management and key public relations are critical in maintaining confidence among
stakeholders. No risk management plan is perfect, but an organization that is prepared to
identify, assess, analyze, implement, monitor, and evaluate all risks and is willing to work on
improving those risk conditions will benefit from an ERM program.
ERM Frameworks
There are three basic ERM frameworks being used in the United States today by public entities.
The first is the new ISO 31000:2009, which consists of three major parts: principles, a
framework, and processes for managing risks. The second is COSO II: 2004, which defines ERM
as a process driven from an organization’s board of directors that establishes an organization-wide
strategy to manage risk within its risk appetite. The third is the Australian/New Zealand
Standard for ERM (AS/NZS 4360), which was published in 2004 as a generic framework for
managing risk.
ISO 31000:2009
A new International Standard, ISO 31000:2009, Risk management – Principles and guidelines,
will help organizations of all types and sizes to manage risk effectively (International Standards
for Business, Government and Society 2009). Rooted in risk management principles, ISO
31000:2009 is designed to provide an organized methodology to evaluate risk exposures and
continuously scan and react to the environment. The framework consists of elements based on
program design, implementation, and monitoring. The risk management process
emphasizes deliberate communication, establishing the context, risk evaluation and treatment,
and follow-up.
The First Building Block of ISO 31000 states that a risk management plan should contain the
following principles:
Creates value – Efficiently using public entity resources.
Integral part of organizational processes – Part of the public entity’s strategic plan.
Part of decision-making – Improves decision making because there is a better
understanding of risk exposures.
Explicitly addresses uncertainty – Reduces volatility in potential claims.
Systematic, structured and timely – Ability to track emerging risks.
Based on the best available information – Risk information is quantified which can
provide dollar amounts for potential impact.
Tailored – Customized reporting systems.
Takes human and cultural factors into account – Qualitative analysis of risk exposures.
Transparent and inclusive – Full disclosure of potential sources of risk.
Dynamic, iterative and responsive to change – Identifies changes in risk exposures.
Facilitates continual improvement of the organization – Monitoring and reviewing
allows the organization to identify risk gaps and opportunities for improvement.
(International Standards for Business, Government and Society 2009)
The Second Building Block of ISO 31000 is having the right risk framework through the
commitment of the Board or senior management teams. Once commitment is established,
there is a loop of actions that include: 1) design of the framework, 2) implementation of risk
management, 3) monitoring and review of the framework, and 4) continual improvement of the
framework (International Standards for Business, Government and Society 2009).
Figure 1 – Second building block of ISO 31000 (Allen 2010)
The Third Building Block of ISO 31000 was adopted originally from AS/NZS 4360:2004 and ensures that
communication and monitoring run throughout the process of establishing the context, assessing
risk, and selecting the type of risk treatment used (International Standards for Business,
Government and Society 2009).
COSO II: 2004
COSO II’s focus is to establish ERM goals as part of the strategic management process. It does
not dive into the details of risk management approaches and processes, but it addresses the
threats to the organization and the applications of proper controls.
Figure 2 – COSO II Framework
AS/NZS 4360
The Australian/New Zealand Standard identifies risk management as a five-step process, as shown in
Figure 3.
Figure 3 - AS/NZS 4360 risk management process (Broadleaf Capital International PTY LTD 2007)
As the diagram shows, risk identification, which is usually seen as the heart of risk
management, is not the first step in the process. AS/NZS 4360 indicates that “to be able to
recognize a risk it is necessary to know what is at risk” (Broadleaf Capital International PTY LTD
2007). AS/NZS 4360 is intended to provide only a broad overview of risk management. Public
entities are expected to interpret this guide in the context of their own environments and to
develop their own specific ERM approaches. While it is important to note that this standard has
now been superseded by ISO 31000:2009, it is included because this standard was one of the
most popular standards in publication and has a large range of supporting handbooks.
The essential difference between ISO 31000 and COSO ERM is in the focus of assessing and
managing risk:
ISO 31000 is focused on consequences and provides a framework to help consider the ‘flow on’
consequences of an event occurring. It shows through risk definition the effect of uncertainty
on objectives.
COSO ERM is focused more on the events rather than the consequences of events. It shows through
risk definition the possibility that an event will occur and adversely affect the achievement of
In general, ISO 31000 has some significant advantages over COSO:
1) At a concise 24 pages, ISO 31000:2009 is noteworthy for its simplicity and adaptability. It
can easily be adapted for use by public and private companies, organizations and
individuals, and applied to a range of activities, from operations and processes to
services and assets.
2) Plainly written, the document is accessible to Boards (CEOs, CIOs, CROs, Commissioners,
Audit Committees, Risk Oversight Committees), risk practitioners, and controllers, helping them
understand how to manage risk while exploiting opportunity.
3) The information in the standard can be adapted to develop guidelines to assess existing
risk management methodologies (Christina 2010).
ERM Certification
For those of you who might be interested in being certified in Enterprise Risk Management, the
American Institute of Chartered Property and Casualty Underwriters has added a new course to
their Associates in Risk Management designation called Enterprise-Wide Risk Management:
Development and Implementation. Risk and Insurance Management Society contributed to the
course content and the course is now being offered nationwide. For more information, check
the AICPCU’s website to locate a class near you.
1 Risk Culture
To begin an enterprise risk management program we must start with focusing on risk
identification practices. Risk identification is used to take inventory of all types of risk the
organization faces, categorize and prioritize those risks and then link those risk exposures to the
organization’s strategic plans. The first step in the risk identification process is to understand
the risk culture of the organization (Louisot and Ketcham 2009, 2.3).
Risk culture is the organization’s attitude toward risk. In order to achieve innovation-related
goals, an organization must have a culture that encourages its stakeholders to take on risk. A
culture that supports risk taking will in turn influence risk management practices by integrating
the awareness of a risk culture into the overall risk management plan.
The typical drivers of an organization’s risk culture are connected to its risk appetite. Risk
appetite refers to the total amount of risk to be taken to achieve a given business objective.
An organization’s risk appetite can be determined by the values and behaviors of its stakeholders. If the
values and behaviors of the organization are focused on constant improvement, the
organization will value those activities and encourage those processes that will improve the
performance of its operations. There are two sides of risk. The upside of risk allows for a
positive return on one’s investment, and the downside of risk results in a negative outcome or
Three Views of Risk
An organization’s view of risk can be classified into three categories:
1) Risk Seeker
2) Risk Avoider
3) Risk Optimizer
A risk seeker has the greatest potential for reward, but may underemphasize a risk’s impact,
variance, and potential negative effects. A risk avoider is obsessed with risk and typically will try
to transfer all risk to another entity. The goal for any organization should be to find the
balance between risk seeker and risk avoider and become a risk optimizer that finds the ideal
risk-reward relationship, realistically evaluating potential outcomes and consequences
(Louisot and Ketcham 2009, 2.19).
Like organizations within the private sector, public entities operate in an inherently risky
environment. By strategically managing their risks, public entities can reduce the chance of loss,
create greater financial stability, and protect their resources so they can continue their mission
of providing various services to the public. Their approach to risk is to optimize their resources
and use a sound set of risk controls to minimize their exposures to risk.
Risk tolerance refers to specific risk limits associated with a given business activity that an
organization and its stakeholders are willing to bear within a given strategic context. An
organization should ask itself what maximum amount of investment dollars it is
willing to lose in order to reach a certain return on its investment. By establishing this risk
tolerance level, senior executives have a clear vision of the direction they should pursue
before they engage in any strategic or financial decision making.
An organization’s executives and management team typically establish their strategic direction
using three levels of goals and objectives:
1) Strategic goals are created on the board or executive level and are general and
conceptual and give the organization its direction.
2) Operational objectives are created at the staff management level and are functional in
nature and cut across all departments within an organization.
3) Tactical objectives are created at the line management level and represent specific tasks.
These objectives relate to producing the organization’s products and services (Louisot
and Ketcham 2009, 2.13).
At each level moving from strategic to tactical, the goals and objectives become more specific
and detailed to appropriately address each level’s scope of responsibility. A public entity’s
leadership must convince those who own the various risks throughout the organization why it is
vital that they create value through ERM practices.
Public Entity Example - Longmont, Colorado
Debra Carson, the risk manager for Longmont, Colorado, has defined the roles and
responsibilities of her staff on various risk goals and objectives and assigned them with specific
tasks based on their position within the organization.
Her strategic team consists of the mayor, city council, city manager, city attorney and executive
directors. Her operational team is made up of directors, managers, superintendents and
supervisors and her tactical team is her line workers. When developing their city’s emergency
plan, Debra assigned the adopting of a written emergency plan to her strategic team. The
strategic team was tasked with developing the risk criteria and scope of the emergency plan.
Then her operational team was assigned the responsibility of writing the emergency plan and
addressing logistics, resources and implementation of the plan. Then it was the responsibility of
all employees of Longmont, Colorado to receive the necessary training for all identified
emergency scenarios. In this process of aligning direction and planning, all departments’ and all
employees’ objectives are brought together and rolled up to senior management and used to
evaluate how the employees’ objectives align with the organization’s strategic mission and
purpose. (Carson 2010)
Longmont’s start to implementing ERM is a straightforward and simple example of how the
three levels of risk goals and objectives can be adopted by a city of almost any size. In order to
ensure the success of an ERM program within an organization, the risk manager must go
beyond merely convincing a line manager of the benefits of ERM and must show how to
incorporate the organization’s risk management goals into his/her tactical objectives. By doing
so, the line manager becomes a true risk champion and risk owner. There are various methods
to energize your line managers:
1) Provide clear risk goals and objectives that tie into the strategic plan
2) Create a mentor/protégé program to go over the risk goals and objectives
3) Provide the necessary training to address all risk exposures
4) Create performance metrics with the risk manager to measure the risk exposures
5) Create a record keeping system of all the risk control processes and training
6) Create a budget and have employees create a list of resources needed to support the risk
7) Regularly review with the risk manager and employees how to improve the risk controls
8) With employees, create a list of incentives and recognition for supporting ERM
Three Elements of Sustainable Development
As public entities grow and expand their services and operations, a key strategic objective
should be maintaining a viable sustainable development plan. Sustainable development directly
affects an organization’s ability to achieve its goals. By practicing sound sustainable
development practices, a public entity strikes a balance by using social, environmental and
economic elements to meet its current needs without compromising the ability of future
generations to meet their needs (Louisot and Ketcham 2009, 2.21). There are three elements in
sustainable development:
1) Social - the well-being of the society
2) Environment - all natural resources utilized, altered, affected or made into waste
3) Economic - the production, distribution, and consumption of goods and services
Public Entity Example – Washington State Department of
Washington State Department of Transportation (WSDOT) states one of their strategic goals is
to enhance Washington’s quality of life through transportation investments that promote
energy conservation, enhance healthy communities and protect the environment. WSDOT has
identified some objectives to obtain these environmental goals:
Identified the number of storm water facilities that need to be retrofitted or
Remove fish passage barriers
Continue to work with state agencies, regional transportation planning organizations,
and other partners to create a range of climate change mitigation options for
Implement, monitor and adjust strategies to reduce per capita vehicle miles traveled
(VMT) and transportation related greenhouse gas emissions
Establish a centrally-coordinated State Ferries’ environmental program
Improve alignment and coordination with other WSDOT environmental programs
Improve environmental analysis in ferries system planning
Improve compliance with environmental regulations
WSDOT is using new technology and innovative methods in their efforts to provide a more
reliable, responsible and sustainable transportation system. WSDOT is taking steps to conserve
fuel and energy, reduce carbon emissions, and protect the natural environment while keeping
people and goods moving.
WSDOT has developed an executive-level, cross-functional team to lead, enhance, and
coordinate efforts to address sustainable transportation and climate change. This cross-divisional
team is developing and employing effective, measurable, and balanced emission
reduction strategies that directly involve 17 different WSDOT programs and 14 focus areas.
Staff from each program is either directly responsible for or affected by the current climate
change laws or committed to their transportation vision of providing an integrated
transportation system that is more reliable, responsible and sustainable. This effort is chaired
by Katy Taylor, Public Transportation Director, and co-chaired by Brian Smith, Strategic Planning
Director, with participation from Megan White, Environmental Services Director, Chris
Christopher, Maintenance and Operations Director, and Nancy Boyd, Deputy Design Engineer.
“Adapting to our changing economy and environment and making our transportation system
more efficient and accessible is critical and challenging. While there is no simple solution,
WSDOT will continue to deliver projects and more travel options for people while finding
additional ways to make the most of available resources and build a more sustainable
transportation system. Sustainable transportation contributes to healthy ecosystems and
communities: Cleaner water, air and soil result from WSDOT's improvement in project design,
construction, maintenance and operation. Saving resources and fuel helps save taxpayer money
and increasing options for people to share the ride help increase traffic flow, benefitting
everyone. More sustainable practices are a good investment now and in the future.”
(Washington State Department of Transportation 2010)
2 ERM Plan - Internal and External Context
In order for a public entity to formulate their strategic plan, they need to be able to perform an
internal and external analysis of their organization and the current economic environment in
which they operate. To do this they need to use a SWOT Analysis (strengths, weaknesses,
opportunities and threats) as shown in Figure 4 to evaluate where they stand in relationship to
their strategic plan.
SWOT Analysis
Figure 4 - SWOT Analysis Chart (Wikimedia Commons 2007)
Internal Origin: A public entity needs to list all their strengths such as their assets, competencies
and attributes that enhance their performance. The next step is to prioritize those strengths
based on the quality of the strength and the relative importance of the strength. It is equally
important to list the lacking assets, competencies, or attributes that diminish a public entity’s
ability to perform. The next step is to prioritize the seriousness of those weaknesses and the
relative impact of those weaknesses on the public entity.
External Origin: A public entity also needs to look at the environment in which they provide
services and list the conditions in which they can create opportunities to exceed current
expectations. The next step is to prioritize those conditions based on the potential for exploiting
the opportunities. Just as important as identifying opportunities is being aware of
conditions that could pose a threat to the public entity. Once those threats have been identified,
the next step is to create a list prioritizing each threat based on its seriousness and
probability of occurrence (Louisot and Ketcham 2009, 3.4).
Public Entity Example – Dakota County, Minnesota
Dakota County, Minnesota has created an Operations Management-Risk Management and
Homeland Security Manual that is tied to their annual budget and identifies key
accomplishments (strengths) by strategic objectives and challenges (weaknesses) by strategic
objective (Hoopingarner 2010). Their key accomplishments are broken down into three
1) Stakeholder
2) Financial
3) Internal
From the stakeholder’s perspective, their strategic objective is to provide a safe, healthy and
productive environment. The strategic objective from the financial perspective is to deliver cost
effective solutions and the strategic objective from the internal perspective is to capitalize on
Each strategic objective lists several accomplishments that have been obtained throughout the
year. For example, the following goals were achieved:
1) Recognized by Minnesota Safety Council with the Award of Honor for the County’s
safety performance. The only public entity in Minnesota to receive the award four
2) Developed the County’s After Action Report.
3) Secured $292,750 in grant funding through 2009 Homeland Security Grant from
Metropolitan Emergency Services Board from the State Radio board for a 16th radio
channel for the Dakota County system.
4) Implemented the use of 800 MHZ radios by Dakota County Community Corrections
intensive supervisor staff to check in with the Dakota Communications Center for
personal safety checks when conducting high risk home visits.
5) Developed guidelines and training program for the use of personal protective
equipment by County employees during a pandemic flu or other biological emergency.
6) Updated the Continuity of Operations Plan and exercised the plan for the departments
at the Hastings Government Center. Completed training of new team members and
incorporated future plan updates into a more accessible electronic format.
7) Completed awareness training on how to prevent slips and falls for all County
Along with the strategic objectives there are challenges and responses that are identified from
the perspective of stakeholder. For example, some of these challenges are:
1) Continue to secure the time commitment from County Departments for risk
management activities to actively involve departments in program/policy development
and implementation.
2) Coordinate the ongoing use of Dakota County 800 MHz Radio Subsystem amongst public
safety, public works and the Dakota Communication Center.
3) Continue to improve the safety of County staff and reduce the frequency and severity of
4) Establish and maintain the appropriate level of security for all county buildings in light of
changing security threats in the community.
5) Respond to increasing requirements for homeland security preparedness by the Federal
Government with the State of Minnesota and local government.
Dakota County has also shown forward thinking by responding to some of these challenges
with an action plan for how it will address these concerns. It is important not
only to list responses to challenges, but also to define a method to track who within the
organization will be accountable for the response to the identified challenge, list the proposed
action that will be taken, identify what resources will be used to address the challenge, and set a
date by which the corrective action needs to be completed. For example, Dakota County has
identified its responses to some of the challenges listed above:
1) Provide on-going management and technical support for the Dakota County 800 MHz
radio subsystem.
2) Develop investment justification for projects under the 2010 Homeland Security UASI
Grant program and successfully secure grant funding.
3) Assist the County Emergency Manager in updating the All Hazard Mitigation Plan.
Coordinate with internal departments to document progress made towards achieving
plan objectives and developing objectives for the next 5 planning periods.
4) Utilize the After Action Reports from the FEMA Integrated Emergency Management
Course and the County-wide exercise at Flint Hills Refinery in October 2009 to develop
an improvement plan through the Dakota County Domestic Preparedness Committee.
5) Complete a review of the Continuity of Operations Plan after action reports for the
exercises conducted at the government centers during the last several years. Develop a
compiled list of plan improvements for review and implementation. Conduct a tabletop
exercise with the COOP Command.
Once the SWOT Analysis has been completed, the senior management can develop long-term
strategies that tie into the vision and mission statements of the public entity. The vision
statement should answer the question, “Where do we want to go?” While a vision statement
doesn’t tell you how you are going to get there, it does set the direction for your strategic
planning. A mission statement is a brief description of a public entity’s fundamental purpose.
Public Entity Example – San Francisco Airport
In 1981, San Francisco Airport created an Airport/Community Roundtable as a voluntary
committee to address community noise impacts from aircraft operations at San Francisco
International Airport. Their mission statement states that the Roundtable monitors a
performance-based noise mitigation program implemented by airport staff, interprets
community concerns and attempts to achieve noise mitigation through a cooperative sharing of
authority among the aviation industry, the FAA, and the SFO management and local
government (San Francisco International Airport/Community Roundtable 2003).
Elements of a Strategic Plan
When developing a strategic plan, the public entity must consider these three main elements:
the suitability of the plan, the feasibility of the plan, and the acceptability of the plan.
To determine the suitability of the plan requires answers to the following questions: do we have
the necessary resources to implement the strategic plan? Are there obstacles that stand in the
way of us accomplishing the strategic goals? Will there be organizational support to proceed
forward with the strategic plan?
For the feasibility of the plan you need to know the following: what initial resources are needed to
implement the strategy? At what point will the break-even point be realized? What is the
return on investment for the proposed projects in the strategic plan? What additional
investment dollars are needed to implement the strategic plan?
To ascertain the acceptability of the plan you must ask the following: how will we determine the
individual benefits for employees who implement the strategy? What happens if we don’t
reach our expectations with the strategic plan? How much risk is the organization willing to
take on? What risks do we want to avoid? How will each group of stakeholders react to the
changes created by the strategy? (Louisot and Ketcham 2009, 3.5)
Strategy Implementation
Strategy Implementation is the process of making the strategies work within an organization. The
first thing you need is to establish the risk criteria which include the standards, measures, and
expectations that will be used to compare a given risk against the strategic goals of the
organization. The risk criteria can include the costs and benefits, legal and statutory
requirements, socioeconomic and environmental factors. The entire staff of a public entity is
responsible for the implementation of the strategic plan. There are four main steps in strategic
1) Assign specific roles and responsibilities to all stakeholders.
2) Establish risk communication so that all stakeholders have a clear vision and
understanding of the strategic plan.
3) Evaluate the necessary resources needed such as finance, staff, training, time,
equipment, data and technology.
4) Monitor results by comparing the goals of the strategic plan against actual mid-year or quarterly results
and make adjustments where necessary to achieve the stated goals (Louisot
and Ketcham 2009, 3.6).
Strategy Evaluation
Strategy evaluation is crucial to measure the results of the strategic plan with the goals set in
the strategic formation stage. As a result of evaluating the results of the strategic plan, there
may be areas that need to be improved or adjusted in order to reach the desired result.
Strategy evaluation might also show where the strategic plan’s concepts did not connect in the
implementation phase and will require adjustments. Unexpected outside economic forces may
change the outcome of the strategic plan (Louisot and Ketcham 2009, 3.6).
Risk Maturity Model
One of the tools used to evaluate an ERM program is a risk maturity model that can be used as a
scorecard. It reviews the ERM performance throughout the organization, tracks various
attributes, and grades them on their maturity level. The Risk Maturity Model is based on the
Capability Maturity Model, a methodology founded by the Carnegie Mellon Software Engineering
Institute (SEI) in the 1980s. It is used to take a snapshot of where the organization’s risk program
stands today. You can then compare your personalized assessment against the full guidelines
and develop a plan for improving processes and increasing effectiveness in your risk management
program (Risk and Insurance Management Society 2008).
Public Entity Example – State of Washington
The state of Washington has created a risk maturity model they call the ERM Maturity Model
(ERMMM) (Office of Financial Management, State of Washington 2010). Their ERM Maturity
Model is a scoring tool used yearly to measure the progress of ERM implementation on a scale
from 1 (beginning) to 6 (advanced).
Over time, scores should increase as ERM programs become more robust and more fully
integrated into agency planning and operations. Washington’s agencies have
demonstrated the expected increases over the last three scoring cycles.
Although the design can vary, maturity models are routinely used as a scoring tool in
ERM programs to measure progress. All maturity models acknowledge that it requires
several years of commitment and practice to achieve and master the higher levels of
Since 2006, Washington has used a specially developed maturity model for state
agencies to score their ERM efforts. The ERMMM measures ERM implementation in five
o Fundamentals of risk management
o Executive leadership
o Integrating ERM into agency culture
o Applying ERM principles, and
o ERM embedded into agency strategic business operations.
The scores for each measure are totaled together and the overall results translate to an
ERM maturity level from 1 (beginning) to 6 (advanced).
Washington agencies have increased their ERM program implementation and maturity
model scores significantly over the past three years.
3 Risk Intelligence
One of the challenges among organizations is deciding which information is most critical in making
decisions that could impact their future. Knowing what type of information to gather can seem
daunting or overwhelming. After you have gathered the information on the organization’s strengths,
weaknesses, opportunities and threats as discussed in the previous chapter, the next step is to organize
that information into potential causes, events and impacts. The organization is then able to track the
existing and emerging risks throughout the risk management program.
“Risk intelligence is both a process and a product. It consists of the organizational ability to
collect and collate data, statistics and information on risk and volatility. This is followed by the
systematic analysis, interpretation and presentation of the information. The end goal is decision
making that produces the most favorable outcomes under existing circumstances.
The purpose of risk intelligence is to provide senior leadership and the board with facts,
options, assessments of those options, and views as to what lies beyond the readily observable.
Superior risk intelligence underlies the most effective responses and most efficient deployment
of resources for addressing material and critical risks. It provides a competitive advantage to
organizations that understand risk intelligence and employ it effectively.
Collecting data and information about known and emerging risks is essential. However, the
organization must also have an ongoing process to correctly organize, access, analyze, interpret
and present the information in order to enable senior management to make critical decisions.”
(Bugalla, Hackett and Kallman, et al. 2010)
Risk Categories
Risk intelligence is only as good as the data collected. The question for many organizations is
what sort of data should be collected in order to help senior management understand all the
risk exposures. There are several risk categories that should be considered when taking a
holistic approach to risk. Some of these categories include:
1) Strategic Risk - Services to citizens, capital improvement projects, maintaining growth
2) Compliance Risk - OSHA, EPA requirements, employment practices
3) Financial Risk - Credit rating, property taxes, balanced budgets
4) Operational Risk - People, processes, and systems
5) Environmental Risk - Property and premises, safety, weather conditions
6) Human Capital Risk - Retirement, training of employees and retention of employees
7) Reputational Risk - Activities that could alter the public’s opinion of an entity
8) Technological Risk - Problems that could be encountered with the technology in the
organization (Louisot and Ketcham 2009, 1.11).
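The following is an added example, written for this edition and not taken from the publication or from any of the entities it describes. It puts the SWOT “threats” step (prioritizing each threat by its seriousness and probability of occurrence) together with the eight risk categories above in a small risk register: each entry is scored, ordered for treatment, and rolled up per category so that empty categories remain visible in the holistic picture. The category names are the ones listed above; every register entry, probability, seriousness rating and tier cut-off is a constructed sample value, not data from any public entity.

```python
"""Risk register prioritization: threats scored by probability and seriousness,
ordered for treatment, and aggregated by the eight risk categories above.

Added example; not part of the original publication or of any entity it
describes. All register entries and thresholds are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# The eight categories named in the text above.
CATEGORIES = ("Strategic", "Compliance", "Financial", "Operational",
              "Environmental", "Human Capital", "Reputational", "Technological")


@dataclass(frozen=True)
class Threat:
    name: str
    category: str
    probability: float   # 0.0 to 1.0: chance of occurrence within the planning period
    seriousness: int     # 1 (minor) to 5 (critical): impact on the entity if it occurs

    def __post_init__(self) -> None:
        # Reject entries that cannot be compared with the rest of the register.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if not 1 <= self.seriousness <= 5:
            raise ValueError("seriousness must be between 1 and 5")

    @property
    def score(self) -> float:
        """Expected severity: seriousness weighted by probability of occurrence."""
        return round(self.probability * self.seriousness, 2)


def prioritize(threats: Sequence[Threat]) -> List[Threat]:
    """Order threats for treatment: highest score first. Ties are broken by raw
    seriousness, so a rare-but-critical threat outranks a likely-but-minor one."""
    return sorted(threats, key=lambda t: (-t.score, -t.seriousness, t.name))


def treatment_tier(threat: Threat, high: float = 1.5, medium: float = 0.75) -> str:
    """Bucket a threat for the risk treatment step (cut-offs are constructed)."""
    if threat.score >= high:
        return "high"
    if threat.score >= medium:
        return "medium"
    return "low"


def category_totals(threats: Sequence[Threat]) -> Dict[str, float]:
    """Aggregate score per category. Categories with no entries stay at 0.0 so
    that gaps in the holistic view are visible rather than silently absent."""
    totals = {c: 0.0 for c in CATEGORIES}
    for t in threats:
        totals[t.category] += t.score
    return {c: round(v, 2) for c, v in totals.items()}


# Constructed sample register for a fictional municipality.
SAMPLE_REGISTER = [
    Threat("Permit records system compromised through unpatched software", "Technological", 0.4, 5),
    Threat("Storm-water facility overflow during a major storm", "Environmental", 0.6, 3),
    Threat("Radio channel outage during a multi-agency incident", "Operational", 0.2, 5),
    Threat("Loss of experienced safety staff to retirement", "Human Capital", 0.7, 2),
    Threat("Homeland security grant not renewed", "Financial", 0.3, 3),
    Threat("Recordkeeping finding in an OSHA inspection", "Compliance", 0.5, 2),
    Threat("Public criticism of a service fee increase", "Reputational", 0.5, 1),
]


if __name__ == "__main__":
    for t in prioritize(SAMPLE_REGISTER):
        print(f"{t.score:4.2f}  {treatment_tier(t):6}  {t.category:14}  {t.name}")
    for category, total in category_totals(SAMPLE_REGISTER).items():
        print(f"{category:14} {total:4.2f}")
```

Running the block prints the register in treatment order, with the radio outage (unlikely but critical) placed ahead of the OSHA finding that shares its score, and shows the Strategic category at zero, which is the signal to go back to the SWOT step rather than to conclude there is no strategic exposure.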
Public Entity Example – Dallas/Fort Worth International Airport
Dallas/Fort Worth International Airport has an Executive Level Risk Council composed of various
department heads. These department heads sat down with the Director of Risk Management at
DFW, Norma Essary, in a brainstorming session and listed all the potential risks from their
departments. Each department’s risks were then listed into the above risk categories with their
potential risk outcomes. The risk council consists of the departments as shown in Figure 5.
Figure 5 - DFW ERM Risk Council (Essary and Yip 2010)
DFW Airport’s Risk Council has taken the different risk categories and identified the risks that
are associated with its strategic goals. This has allowed it to see how these risks and
potentially new emerging risks could impact its strategic plan (Essary and Yip 2010). See
Figure 6.
Figure 6 - Risk Categories/Identified Risks
Public Entity Example – University of California
Another example of gathering risk intelligence information is the University of California. The UC
System needed a proper framework for its enterprise risk management program. Its existing
reporting and decision-support system did not give a complete picture of all their risk exposures
to their decision makers. UC engaged IBM to implement an Enterprise Risk Management
Information System (ERMIS). The ERMIS integrates what was once isolated data into a unified
system that now provides near real-time information to all levels at the University of California.
ERMIS is a customized information system that provides users with a wide selection of data to
conduct their jobs. This information is based on what they need, how they would like to
receive information, and how much data they need for analysis. The user requirements will
change based on what role the users are playing at a particular time. In one instance, a user
may require open access to explore a large amount of data. Perhaps in another instance, the
user may simply want to review summary data on a weekly or monthly basis.
Figure 7 - ERMIS Sources of Information (University of California 2010)
The ERMIS system provides stakeholders with relevant and actionable information regarding
their key performance indicators (KPIs). KPIs are quantifiable measurements, agreed to
beforehand, that reflect the critical success factors of an organization. They will differ
depending on the organization. For example, a school may focus its KPIs on graduation rates of
its students.
A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. It
differs from a KPI in that the latter is meant as a measure of how well something is being done,
while the former is an indicator of the possibility of a future adverse impact. A KRI gives an
early warning of a potential event that may harm the continuity of an activity or project.
The UC system uses ERMIS as a risk intelligence tool that has become a valuable asset in
the data warehousing of various sources of data within the UC system. “ERMIS integrates risk
and controls to related information in a centralized data management environment to enhance
analytic capabilities across the University of California. Though ERMIS is initially focused on
targeted KPIs intended to lower the overall cost of risk across the enterprise, the vision is to
extend ERMIS across the enterprise.” (University of California Office of Risk Services 2010)
The ERMIS system helps the university understand what drives subpar performance and costly
losses. By providing better and more current data and analytical tools, senior officials can better
understand the return-on-investment (ROI) associated with various remediation strategies and
tactics. According to Grace Crickette, Chief Risk Officer for the University of California, “ERMIS
significantly improves the University system’s ability to identify and manage risk. UC will be able
to more effectively focus its risk management efforts and ultimately save the University
money.” (Crickette 2010)
When it comes to the exchange of data throughout the University of California, it is understood
that internal, operational, and consumer-facing reports are the primary vehicles for the
communication of information in the UC environment. Some of the capabilities of ERMIS include:
Standard Reports
Guided Analytics/Interactive Reports
Personalized Reports
Managed Ad hoc Reports
Alerts and Notifications
Syndicated Reports
Cohort Analysis
The initial launch of dashboard reports included 11 KPIs focused on various aspects of safety
and is entitled “Safety Index”. More than 250 dashboard reports have since been created at
UC, with many more in the pipeline. Rollouts have targeted enterprise-wide information, as
well as information specific to individual campuses and medical center locations and
departments within each. With a continued focus on risk management, subsequent KPI
development activities have involved collaboration with a broad range of subject areas, for example:
1) Medical centers
2) Human resources
3) Waste reduction and recycling
4) Environmental health and safety
5) University and campus general counsel
6) External financing and debt management
7) International travel (University of California 2010)
Figure 8 - ERMIS Dashboard
Figure 9 - ERMIS Metrics
Performance Management System
Another way to track risk intelligence is through a performance management system.
Performance management scorecards are used to summarize performance status information
from multiple source systems. They enable management to monitor both the changes in
financial results and progress toward key operational targets that are linked to strategic plans
and goals. ERM that is incorporated into an organization’s strategic plans links operational
objectives to organizational goals and allows an organization to confirm its performance
accountability.
Public Entity Example – State of Washington
The State of Washington uses a Government Management Accountability and Performance
system (GMAP) to measure and improve the performance of its state agencies. GMAP is
modeled after two successful programs in major American cities: CompStat in New York City
and CitiStat in Baltimore, Maryland. Washington State was the first state in the nation to adapt
these data-based management models to improve the results of statewide programs. GMAP
is a tool set designed to hold state government and agency leadership accountable to
customers, taxpayers, and citizens. To improve the quality, efficiency, and effectiveness of the
services in Washington State government, seven principles, rooted in management theory and
common sense, define the GMAP philosophy and practice.
1) GMAP stresses the personal presence of senior managers and others needed to make
2) GMAP is a management tool, not a presentation.
a. Effective measures require clarity on how programs and services will influence
their departments.
b. How agencies will use measures to manage programs and get results.
3) Develop and use timely and accurate performance data to set targets and inform
4) Reward candor in identifying and diagnosing performance barriers, and creativity and
commitment. When the data indicates needed action, quickly and clearly specify what
needs to be done, who will do it, and when it will be done.
5) Agency leadership should be relentless in following up on commitments made in
action plans. They should also monitor results over time to verify change is real and
6) Agencies should use process improvement tools to get better results (State of
Washington 2010).
The Governor and her leadership team hold regular, public meetings where agency directors
report in person on the most critical policy challenges they face in achieving results. The
meetings are organized around the Governor’s highest priorities, including public safety,
economic vitality, and the protection of vulnerable children. She holds the leaders of state
agencies accountable for their agencies’ results and for initiatives that require the collaboration
of multiple organizations.
The discussions are candid and direct, and the concept of business as usual is never
automatically accepted. Decisions are based on analysis of data and evidence about what
strategies work best. Agencies are held accountable to follow-up and report back on
outstanding issues. The GMAP process gives the Governor and the public a clear, concise view
of how government programs are working and whether citizens are receiving value for their tax
Public Entity Example – Washington State Department of Transportation
Washington State Department of Transportation provides five major forms of performance
reporting: the Gray Notebook, the Governor’s Government Management Accountability and
Performance Program, the WSDOT website, budget activity reporting and transportation goal
attainment reporting. The Office of Financial Management is responsible for setting detailed
objectives and establishing performance measures for the six statewide transportation policy
goals: (Hammond, Business Directions: WSDOT's Strategic Plan 2011-2017 2010)
a) Safety - To provide for and improve the safety and security of transportation customers
and the transportation system
b) Preservation - To maintain, preserve and extend the life and utility of prior investments
in transportation systems and services
c) Mobility - To improve the predictable movement of goods and people throughout
Washington state
d) Environment - To enhance Washington’s quality of life through transportation
investments that promote energy conservation, enhance healthy communities and
protect the environment
e) Stewardship - To continuously improve the quality, effectiveness and efficiency of the
transportation system
f) Economic Vitality - To promote and develop transportation systems that stimulate,
support, and enhance the movement of people and goods to ensure a prosperous
economy (Hammond, Business Directions: WSDOT's Strategic Plan 2011-2017 2010).
These six goals become the foundation of the WSDOT Strategic Plan 2011-2017. With the
strategic goal of safety, WSDOT has identified eight objectives to vigilantly reduce risks and
increase safety on all state-owned transportation modes and reduce fatalities and serious
injuries. Here is a list of their objectives and action plan to achieve those objectives:
1) Highway Safety: Reduce fatal and serious injury collisions by 50% over the next ten
years, moving towards Target Zero. Work with partners, including the Federal Highway
Administration, Washington State Traffic Safety Commission, Washington State Patrol,
and local agencies to identify and address priority highway safety needs.
2) Ferries Safety: Improve safety on state ferry vessels and terminals. Improve vessel
lifesaving capabilities, improve the post-accident investigation process, and expand the
ferries’ Safety Management System.
3) Airport Safety: Improve safety at 16 state-managed airports. Remove physical obstacles
such as trees that intrude into critical airspace.
4) Rail Safety: Improve the safety and security of rail transit systems, including light rail,
street cars, and monorails. Administer federal rail transit safety oversight requirements
for rail transit systems, including light rail, street cars, and monorails.
5) Worker Safety: Continue to advocate WSDOT’s worker safety program to attain injury
and illness reduction targets with the goal of zero work-related injuries and illnesses by
2019. Enhance communication of worker safety expectations and goals within WSDOT
and with partners, and establish a comprehensive return-to-work program.
6) Bridge Risk Reduction: Reduce the risk of bridge collapse due to earthquakes,
liquefaction, and foundation scour during high water flows. Complete bridge seismic
retrofit projects funded by the Transportation Partnership Account to reduce seismic
risks. Develop and begin implementing the I-5 lifeline corridor plan to provide for safety
and mobility during catastrophic events.
7) System and Facility Security: Improve WSDOT’s ability to prevent, mitigate, and
respond to acts of terrorism on transportation systems and facilities. Implement
high-priority infrastructure “hardening” capital projects identified in vulnerability
assessments. Improve ferry vessel security.
8) Continuity of Operations and Emergency Management and Response: Increase
WSDOT’s ability to respond to, recover from, and deliver vital services during
emergencies and disasters. Improve planning and coordination with local and regional
partners. Improve WSDOT’s emergency response capabilities.
Senior management’s performance results are shown in how well they are able to use risk
intelligence information to establish and manage ERM oversight roles. Their annual reporting of
internal risk controls to the public must demonstrate integrity. The systematic approach of ERM
allows public entities to illustrate to regulators that ERM principles originate at the senior
management level and are practiced through all levels of the organization. A public entity’s
senior management and board of directors are responsible for the risk management oversight,
including identification and evaluation of all emerging risks.
Traditional management reporting only explains risk factors in a narrative format and doesn’t
drill down to cause and impact. ERM allows senior management to examine a risk based on its
cause and impact and to see the link to the automated or manual risk control activities that are
designed to prevent a potential loss. Regulatory bodies are proposing greater accountability for
maintaining ERM governance standards at the board of directors’ oversight level. Board
endorsement and sign-off on an organization’s ERM program will be evaluated in the context of
three management principles now firmly incorporated into rational policy objectives:
1) Accountability
2) Transparency
3) Audit integrity
WSDOT has been the subject of several external assessments over the past 10 years by the Joint
Legislative Audit Committee, Transportation Performance Audit Board, and most recently the
State Auditor’s Office. WSDOT values recommendations to improve its operations, and has
developed comprehensive action plans to address those recommendations within its control.
WSDOT’s actions in response to the audits produced a new change order management process,
reduced costs, improved project management and cost tracking, and improved maintenance
project management.
4 Risk Assessment
Now that the risks have been identified, we need to discuss the various elements involved in
conducting a proper risk assessment of your public entity. We’ll start by covering the basics of
risk assessment and then we’ll introduce various tools that can be used to determine your level
of risk. Finally we’ll cover assessment reports that can be used to show a public entity's
vulnerabilities and the estimated cost of recovery in the event of damage.
Risk assessment involves identifying the cause of a risk event, the risk event itself, and the impact
and velocity of the risk event. Risk assessment is the determination of the quantitative or
qualitative value of risk related to a concrete situation and a recognized threat. Part of the
difficulty of risk management is that the two quantities with which risk assessment is
concerned, potential loss and probability of occurrence, can be very difficult to measure. The
chance of error in the measurement of these two concepts is large.
A risk with a large potential loss and a low probability of occurring is often treated differently
from one with a low potential loss and a high likelihood of occurring. In theory, both are of
equal importance. However, in practice it can be very difficult to manage the first situation
when faced with the scarcity of resources, especially time, in which to conduct the risk
management process. This leads to the first type of risk not being addressed soon enough
before it is too big to manage effectively.
Delphi Technique
To help assess the significance of risks, the Delphi Technique can be used to survey the
organization and arrive at what the group feels are the top risks of the organization. The
Delphi Technique works as follows: each individual in the group is asked a series of questions to
assess the top risks in the organization. Based on a quantitative or qualitative value assigned,
the risks are ordered from greatest risk to least risk. The survey is then given to each individual
again with instructions to consider revising their responses based on the results reported to the
entire group. This cycle continues until the group comes to a consensus (Louisot and
Ketcham 2009, 6.18).
Once a public entity has assessed its enterprise risks, risk information can be mapped. Risk
information mapping connects, or “maps”, the applications that are sources of enterprise risk
information to the organization’s reporting cycles and the process responsibilities for managing
risk control activities at specific points. Risk mapping uses a two-dimensional graph to identify,
evaluate and prioritize a group of enterprise risks which could significantly impact an
organization’s ability to accomplish its business strategies (Louisot and Ketcham 2009, 4.20).
Public Entity Example – San Francisco International Airport
San Francisco International Airport uses risk mapping in their risk assessment activities. The risk
manager, Mike Warren, interviews senior management and key staff and asks them a series of
questions to identify various risks within their departments. Those risks are then rolled up to
the “Top 20 Risks” in the organization and then through anonymous voting the “Top 20 Risks”
are prioritized in a list from the greatest risk score to least. The risks in Figure 10 are ranked
from highest to lowest based on their risk scores. The risk score is calculated by multiplying the
average impact and likelihood scores for each risk (Warren 2007).
1) U.S. Airline
2) Concentration
3) Environmental
4) Long Term Cap
5) Recruit/Retain
6) Short Term Cap
7) Natural Disaster
8) Asset Management
9) Succession Plan
10) IT-Security
11) Physical Security
12) Construction Management
13) Legal
14) Cost Containment
15) Business Model Changes
16) IT-Governance
17) Competition
18) Health & Safety
19) Third Party
20) Reg Compliance
Figure 10 - SFO Risk Ranking
In Figure 11 we see the values plotted in a graph to get a different visual representation of the
relationship between impact and likelihood.
San Francisco International Airport Risk Map-Macro View
Figure 11 - SFO Risk Map-Macro View (Warren 2007)
In Figure 12 we see a zoomed in view of the same data where the scale has been narrowed
down to where we can still see all the risks but we get a better focus on the fact that likelihood
is more dominant than impact.
San Francisco International Airport Risk Map-Micro View
Figure 12 - SFO Risk Map-Micro View (Warren 2007)
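The SFO procedure above (average each interviewee's impact and likelihood scores, multiply them to get a risk score, rank, then plot on a macro and a micro map) can be carried out on a small constructed data set. The following Python is an added example, not SFO's or Mike Warren's own tool; the five risk names are taken from Figure 10, but the interview scores, the 1-5 scale, and the quadrant midpoint of 3 are assumptions made here to make the arithmetic concrete. Ties are broken toward the higher-impact risk, following the earlier point that a large loss with low probability is the case most easily left unaddressed.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample data (assumption, not SFO's real interview results):
# each risk maps to the (impact, likelihood) scores given by several
# interviewees, each on a 1-5 scale with 5 as the highest.
SAMPLE_SCORES: Dict[str, List[Tuple[int, int]]] = {
    "U.S. Airline":     [(5, 4), (4, 5), (5, 5)],
    "Natural Disaster": [(5, 2), (5, 1), (4, 2)],
    "IT-Security":      [(4, 3), (3, 4), (4, 4)],
    "Health & Safety":  [(3, 2), (2, 2), (3, 3)],
    "Reg Compliance":   [(2, 2), (3, 2), (2, 3)],
}

SCALE = (1.0, 5.0)  # assumed scoring scale; the macro map shows the full axis


def average_scores(scores):
    """Average the impact and likelihood votes per risk, rounded to 2 decimals."""
    return {
        name: (round(mean(i for i, _ in votes), 2),
               round(mean(l for _, l in votes), 2))
        for name, votes in scores.items()
    }


def risk_score(impact, likelihood):
    """The score used on the page: average impact times average likelihood."""
    return round(impact * likelihood, 2)


def rank_risks(scores):
    """Return (rank, name, impact, likelihood, score) rows, highest score first.
    Ties break toward the higher-impact risk, then alphabetically."""
    averaged = average_scores(scores)
    rows = [(name, i, l, risk_score(i, l)) for name, (i, l) in averaged.items()]
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return [(rank, *row) for rank, row in enumerate(rows, start=1)]


def quadrant(impact, likelihood, midpoint=3.0):
    """Place a risk in one of the four macro-map quadrants around the midpoint."""
    imp = "high impact" if impact >= midpoint else "low impact"
    lik = "high likelihood" if likelihood >= midpoint else "low likelihood"
    return f"{imp} / {lik}"


def map_axes(scores, micro=False):
    """Axis bounds for the plot: the macro view uses the full scale, the micro
    view narrows each axis to the range the plotted risks actually occupy."""
    if not micro:
        return {"impact": SCALE, "likelihood": SCALE}
    averaged = average_scores(scores).values()
    impacts = [i for i, _ in averaged]
    likelihoods = [l for _, l in averaged]
    return {"impact": (min(impacts), max(impacts)),
            "likelihood": (min(likelihoods), max(likelihoods))}


def dominant_dimension(scores):
    """Which axis spreads the risks out more on the micro view."""
    axes = map_axes(scores, micro=True)
    spread = {k: round(hi - lo, 2) for k, (lo, hi) in axes.items()}
    return max(spread, key=spread.get)


if __name__ == "__main__":
    for rank, name, impact, likelihood, score in rank_risks(SAMPLE_SCORES):
        print(f"{rank:2d}. {name:18s} impact={impact:.2f} "
              f"likelihood={likelihood:.2f} score={score:.2f} "
              f"({quadrant(impact, likelihood)})")
    print("micro-view axes:", map_axes(SAMPLE_SCORES, micro=True))
    print("dominant dimension:", dominant_dimension(SAMPLE_SCORES))
```

Run stand-alone, the script prints the ranked list with each risk's quadrant, the narrowed axes of the micro view, and which axis (likelihood, for this constructed data) separates the risks more, which is the observation the micro view in Figure 12 is meant to bring out.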
Causes of Loss
There are various classes of loss that an organization can experience. Here is an example of six
potential causes of loss:
Human Cause - All personnel linked to an organization
Technical Cause - Tangible assets under direct control of the organization
Information Cause - All information that flows throughout the organization
Key Business Relationship - Involves relationship with others outside the organization
Financial Causes - Financial streams that flow in and out of the organization
Free Causes - Received from the environment without direct financial compensation
(Louisot and Ketcham 2009, 5.8)
After identifying the types of causes of loss, the next step is to identify the types of events that
could take place. Here is an example of four potential event categories:
Economic event - Dramatic changes in the economy
Natural event - Generally weather related
Industrial event - Overall activity within an organization
Human event - Fall into two general categories: involuntary and voluntary (Louisot and
Ketcham 2009, 5.11)
Level of Impact
The level of impact for an event can be viewed as primary or tertiary. Primary impacts are those
that affect the organization’s resources. Tertiary impacts are those that affect third parties. The
impact on resources is measured in quantitative and qualitative aspects. The quantitative
aspects are expressed by frequency, magnitude, expected value, variation or time. The
qualitative aspects include effects on culture, stakeholders, and goals. (Louisot and Ketcham
2009, 5.17)
Public Entity Example – Dallas/Fort Worth International Airport
Dallas/Fort Worth International Airport has used a risk assessment scoring template to track
their various risk exposures. Figure 13 is a sample of what their risk assessment scoring template
looks like:
Risk Category   Risk Name               Risk Definition
                Decline in air travel   Reduced # of air travelers
Human Capital   Aging workforce         Loss in top leadership
                Emerging legislation    Ability to comply
                Aging infrastructure    Declining condition of assets
                Use agreement           Understanding obligations required
                Data Privacy            Protect sensitive data
                Media Inquiries         Ability to respond timely and accurately
Figure 13 - DFW Risk Scoring Template
Dallas/Fort Worth International Airport then evaluates the risk list using its rating scale and
links the top risks to its Strategic Plan. The Executive Level Risk Council reviews these top risks
and works with the department heads on initiatives to better mitigate these risk exposures.
Risk champions are assigned to each of the risks and risk metrics are put in place to measure
their progress. The next step is to decide the acceptance levels of the risk relative to the
achievement of the strategic objectives. (Essary and Yip 2010)
Using a risk register is another way of looking at risk from a holistic standpoint. A risk register is
a tool developed at the risk champion level that links specific activities, processes, projects, or
plans to a list of identified risks and results. A risk register is a living document that is
continually updated and used to track and monitor risk. It allows the risk manager to view
events in a larger context while focusing on the more essential individual risks to an
organization. The risk register is an essential tool for managing and implementing rational
decisions and becomes the foundation for sound governance. (Louisot and Ketcham 2009,
Sample Risk Register
A risk register can be as simple as a spreadsheet as shown in Figure 14 or it can be a part of a
complete enterprise risk information system. The main emphasis here is that the risk register
does not have to be complex to be effective. The risk register allows the senior management to
evaluate the processes controlling their risks and determine if the right risk controls are in place
to do so.
Figure 14 - Spreadsheet Template Risk Register (The Security Risk Management Toolkit 2006)
Public Entity Example – Vancouver, British Columbia
(First Printed in Risk Management Magazine April 2011)
Prior to the 2010 Olympic Winter Games in Vancouver, many organizations across British
Columbia’s multiple jurisdictions were involved with the Games’ risk, event, project, security
and financial management. These organizations included the Integrated Security Unit from the
City of Vancouver, the Resort Municipality of Whistler, City of Richmond, Olympic Games
Secretariat and several ministries of provincial government of British Columbia, Vancouver
Organizing Committee (VANOC), and the International Olympic Committee among others. Long
before the Games opened in February, 2010, planning for this event had been underway for
more than a decade beginning with the formation of the Vancouver Bid Society in 1998.
The main objective of elected leaders and government officials was to ensure that Games-related
functions, services and programs were ready on time and within budget while
continuing to provide day-to-day services to citizens. They recognized the value of monitoring
preparedness through an enterprise risk management (ERM) lens and asked the Risk
Management Branch and Government Security Office (RMB) to lead the 2010 Winter Olympics
Games ERM program on behalf of the provincial government.
The Olympics risk initiative became the largest coordinated enterprise-wide risk management
effort undertaken by the Province to date. The RMB project team, which included Todd
Orchard, Chris MacLean and Sharon White, compiled, collated and analyzed risks identified by
dedicated staff within 29 provincial ministries, Crown corporations, and central agencies. This
team produced biweekly reports for ministry executives and financial oversight bodies. They
participated in weekly consultations with the Olympic Game Secretariat in its role as provider of
project management oversight of the Province’s infrastructure and cultural commitments. They
also liaised periodically with VANOC, which ran its own extensive and sophisticated risk
management regime.
The reporting provided a rolled-up view of over 300 risks and 400 mitigation activities. It
brought attention to critical vulnerabilities and created a mechanism for escalation of issues
which required further action by government officials. This reporting system also identified
interdependencies and interrelationships among the branches of government.
Ask RMB’s Todd Orchard and Chris MacLean how they were able to administer an ERM program
of such complexity, and they will say it begins with a clear understanding of the objectives. “All
risk management efforts should link the goals and objectives of the organization to an event,
project, or program” says Todd Orchard. The decision to focus first on objectives, before
considering the risks, resulted in two deviations from the way risk management had previously
been handled in British Columbia.
The first difference was to depart from the typical risk categories such as financial, reputational,
and legal as aids for risk identification. Instead ministry officials were asked to organize their
risks into operational “buckets” based on the province’s Olympic-related objectives:
1) Services directed to the Games (e.g., food and water safety inspections to venues),
2) Olympic-related programs (e.g., risks to community celebrations, business hosting
activities), and
3) Normal government service delivery to citizens (e.g., child welfare, hockey).
As a result, instead of starting with a risk category, they started with an objective – the service
they needed to provide – and later decided how it was best categorized.
The second difference was a move from the more conventional cause and effect risk statement
to a format which identified and separated the distinct elements of risk into risk event, cause,
and impact. Many of the initial “cause and effect” risk statements missed tying the risk to an
objective, leaving the question “so what?” Instead, by using an “event, cause, and impact” risk
statement objectives were explicitly incorporated into the risk identification, allowing for an
easier understanding of severity and a more natural progression to mitigation strategies.
A risk event is something occurring which stands in the way of meeting a goal. For example, a
risk event could be failure to maintain normal delivery of services to citizens. Causes are
triggers to an event. These are situations or circumstances that could increase the likelihood of
a risk event occurring. For example, transportation gridlock or changes to transit routes during
the Games could prevent staff from accessing their work sites resulting in reduced service
delivery to citizens. Impacts are unintended consequences of the event occurring.
Separating these risk elements improved the ability to analyze and report from an enterprise
perspective. They could identify commonly occurring events, causes, and impacts and relate
mitigation efforts to specific causes. Reporting on areas of biggest concern – such as service
delivery, privacy issues or budget constraints – in both statistical and narrative format enabled
the RMB to share information about the status of games preparedness with decision makers in
a more natural manner.
Chris MacLean provides a real-life example of the benefits of such an approach. “One particular
ministry has an office in Vancouver close to the venues and was worried about the effect of
increased security and traffic congestion.” One of their initial risk statements was “security and
traffic prevents or delays employees from getting to work.” When the risk was analyzed,
however, it proved to be less significant than originally thought. After all, the ministry was
responsible for delivering a service to a vulnerable population, not just getting employees in to
the office on time. The risk event is a situation that could prevent delivery of service. Security
restrictions and traffic congestion are only some of the potential causes. But, concentrating on
a specific cause rather than the objective to be accomplished could result in overlooking
mitigation strategies that would allow service to continue despite the disruption.
For example, working remotely from home or finding temporary work space away from the
events could mitigate the risk in this situation. It would allow the essential service to continue
despite employees not getting to their usual office location. One of the biggest challenges faced
by the RMB project team was helping the various Ministries think through the consequences of
“what if scenarios.” Ministries were initially asked to consider impacts relative to the larger
Games-related objectives, but few had enough information to accurately assess the value of
their contribution to an event as large and far reaching in scope as the Winter Olympics.
Understandably, individual Ministries would often either exaggerate the significance of their
program or underestimate its importance.
In response to difficulties assessing impact, the RMB team asked reporting ministries and
agencies to consider the consequences in terms of impact on their program objectives. A
catastrophic loss for a program was the total dissolution of that program. It was then up to the
RMB team to assess how loss of a program would impact overall Games objectives and adjust
the severity rating accordingly.
A further change was a call for increased reporting of mitigation implementation, including target risk
ratings and current risk ratings. Target risk was the predicted remaining level of exposure once
all planned mitigations were in place. Current risk involved re-rating each risk based on the
mitigation implemented to date. This is where the risk register evolved from a risk identification
tool to an assurance tool, by providing senior decision makers with evidence that risks were
being sufficiently managed and that the overall risk profile was improving.
By all accounts the ERM initiative was a success. Government officials were provided evidence
and assurance of game readiness. The full risk register was updated monthly and contained the
reporting information of all impacted ministries and agencies, including current risk rating and
status of mitigation activities. The graphical representations provided an easy to understand
status of mitigation activities, narrative reports provided greater explanation and context for
decision making, and a bi-weekly “top ten” brought attention to immediate issues. Having all
ministry information on a single form provided an enterprise perspective and provoked some
healthy competition as ministry executives sought to be the first to move their risk status from
red to green.
There was significant value in identifying and analyzing interrelationships and gaps from an
enterprise perspective. Chris MacLean explains that, “Our birds-eye view of risks allowed the
team to see where the efforts of one group could create unintended consequences for another
group. For example, one government ministry was responsible for supporting a huge Olympic
celebration in downtown Vancouver. The venue, however, was next to one of British
Columbia’s largest courthouses, and the Ministry of the Attorney General identified resulting
risks to the safe and secure transfer of prisoners to and from trial. By rolling up risks from
across different ministries, government as a whole was better able to coordinate planning
across organizations, set overarching priorities, and allocate resources accordingly.”
The reporting format supported rational and pragmatic decision making because impacts were
clearly described. The economy was slowing and government had declared that it would meet
its obligations within budget. Any decisions or changes that could affect budgets or schedules
received significant scrutiny. While these constraints might have extinguished some last minute
big ideas, it also ensured that the Province was prepared when the Olympic flame was lit.
Reporting bodies tell us the process provided an effective route for escalation of issues beyond
their control. Several agencies providing life-safety services identified potential capacity
shortfalls due to the additional resources they needed to commit in direct support of the
Games. By clearly identifying risks posed by this shortage of resources and by using the same
methodology the rest of government was using to identify and rate risk, they were able to
communicate the urgency of their requirements to senior decision makers and secure the
necessary resources.
Figure 15 - Risk Rating Chart
Target risk rating is the risk rating expected or predicted once all proposed mitigations are in
place. This is an important step, as it allows executives to see whether the proposed mitigations
are likely to achieve a result that is satisfactory, whether the expected risk reduction is worth the
required resources, or whether even more resources should be committed to lower the risk further.
Current risk rating applies when risk management is performed on a project on an ongoing basis,
with regular feedback and updates on the implementation of risk mitigation; the periodic rating of
current risk allows executives to see the progress made to date. Ideally, the current risk rating
approaches the target risk rating over time. If not, this can serve as an important flag that a
change of strategy and/or more resources are required.
Risk tolerance rating is the maximum level of risk executives are willing to accept for an event.
This should be provided by the executives after having been briefed on the risk, the existing and
planned mitigation, and the associated costs. It is closely related to the target risk rating. When
the target risk and risk tolerance ratings are congruent, executives know that the risk mitigation
strategy should lower risk to a level they are comfortable with.
The project was not without its bumps. Reporting bodies found the changing information needs
challenging and confusing at times. In their defense, Todd Orchard said, “with no precedent and
because of the unique nature of this event, the team couldn’t fully anticipate information needs
and formats in advance.” As such, both the information being sought and the tools on which it
was recorded evolved over the duration of the project.
Compounding this situation was the introduction of a new approach to identifying risks.
Orchard tells us, “Even for those agencies with a more mature risk management culture, this
change in methodology -- segmenting event, causes and impacts -- sometimes required
significant unplanned effort and adjustment.”
Reporting agencies told us they were frustrated on occasion by a seemingly one-way
information flow: “We didn’t do as well as we could at informing agencies who reported
significant risks about the steps being taken at higher levels to mitigate those risks.” For
example, risk related to protests, shared funding, extreme weather or catastrophic events were
often beyond the scope of an agency to handle but steps were being taken at more senior
levels of government, or responsibility for the mitigation was assigned to a different
department. As such, not everyone was aware of what was being done by others to mitigate
risks they had identified. “A fair complaint certainly as the team’s focus was the provision of
timely, accurate and useful information to executive government. We sometimes failed to
report back to the risk owner on the status of the actions they sought. We could have done a
better job of that.”
Managing a large amount of data via spreadsheet was time-consuming, error-prone and
constraining. Significant effort went into organizing information and formatting the
spreadsheet for presentation to executives. Todd and Chris recommend a system solution for a
project of this size or for a unit performing a chief risk function. A relatively simple relational
database would suffice for the collection, collation, analysis and reporting of information.
Commercial risk management software, if used, should be well tested and familiar to users.
The Branch provided risk identification assistance initially at bid development but did not
become significantly re-involved until this project was initiated a number of years later. In the
intervening years, the risk environment changed including significant changes to the global
security scene, games delivery, programming, venues, economic conditions and so forth. It is
prudent to understand exposures at the earliest opportunity to discuss tolerance and solutions
and adapt/adjust as needed.
The cross-government approach to risk management was new to many of the executives and
senior managers receiving the reports. In addition, the Olympics were a unique, complex and
“one-off” event for the province. To paraphrase, executives didn’t know what they didn’t
know. As such, they initially didn’t know what information to request. In the absence of such
guidance and feedback, the team often assumed that no news was good news.
Many of the practices developed through the 2010 Winter Olympic Games risk management
initiative have become regular practice for the RMB. Todd and Chris host risk management
workshops and assist BC public entities with risk identification projects, processes, programs
and so forth. Identifying discrete events, causes and impacts improves reporting, particularly
from an enterprise perspective because it allows risk managers to see common root causes,
even if the events are seemingly unrelated. In addition, by closely linking risk identification to
the organizations’ goals and objectives, the objectives themselves are reinforced. “Sometimes
we're so busy doing what we do,” says Chris, “that we forget why we’re doing it. By identifying
risk events in terms of organizational objectives, it reminds us what our goals are about and
why we’re in the Public Sector.”
In the end, the Games were a success, and this initiative contributed positively to that outcome.
It provided assurance of preparedness, allowed executives to be confident of progress,
established a process for reporting agencies to escalate their issues, and served to advance risk
maturity in the BC public sector. (Bugalla, Hackett and Narvaez, ERM in the Vancouver Winter
Olympics 2011)
5 Root Cause Analysis
Root cause analysis (RCA) is a problem solving method aimed at identifying the root cause of a
problem or incident. The practice of RCA is predicated on the belief that problems are best
solved by attempting to correct or eliminate root causes as opposed to merely addressing the
immediately obvious symptoms. By directing corrective measures at root causes, it is hoped
that the likelihood of the recurrence of the problem will be minimized.
Initially, RCA is a reactive method of problem detection and solving. This means that the
analysis is done after an incident has occurred. As an organization gains expertise in RCA, it
becomes a proactive method: RCA can be used to forecast the possibility of an incident even
before it occurs.
Five Schools of RCA
Root cause analysis is not a specific, sharply defined methodology; there are many different
tools, processes, and philosophies of RCA in existence. However, most of these can be classified
into five very broadly defined “schools” that are named by their basic fields of origin:
1) Safety-based RCA comes from the fields of accident analysis and occupational safety and
2) Production-based RCA has its origins in the field of quality control for industrial
3) Process-based RCA follows production-based RCA, but with a scope that has been
expanded to include business processes.
4) Failure-based RCA is rooted in the practice of failure analysis as employed in engineering
and maintenance.
5) Systems-based RCA has emerged as an amalgamation of the preceding schools, along
with ideas taken from the fields of change management, risk management and systems
analysis. (Duffy, Moran and Riley 2010, 1)
The primary aim of RCA is to identify the root cause of a problem in order to create effective
corrective actions that will prevent that problem from ever recurring, otherwise known as
the ‘100 year fix’. In order to be effective in RCA, an organization should perform a systematic
investigation where their conclusions as to the root cause are backed up by documented
evidence. There is always one true root cause for any given problem. The difficult part is having
the stamina to reach it. To be effective in the analysis, a sequence of events or timeline is
needed to understand the relationships between the contributory factors, the root cause, and
the defined problem.
A sample RCA process flow chart shows the evaluation steps in the analysis.
Figure 16 - Root Cause Analysis Process Flow (Anselmo 2009)
Three Basic Causes
As you begin the process of finding the true root of the problem, you'll usually find three basic
types of causes:
1) Physical causes – A tangible or material item failed in some way. For example, a car's
brakes stopped working.
2) Human causes - People did something wrong or did not do something that was
required. Human causes typically lead to physical causes. For example, no one filled the
brake fluid or the brake pads were not changed, which led to the brakes failing.
3) Organizational causes - A system, process, or policy that people use to make decisions in
doing their work is faulty. For example, no one person was responsible for vehicle
maintenance and everyone assumed someone else had filled the brake fluid or changed
the brake pads. (Duffy, Moran and Riley 2010, 3)
Public Entity Example – State of Washington
The State of Washington is using root cause analysis to help their state agencies avoid not just
treating symptoms and to encourage drilling down to problems that contribute to risk events.
In order to effectively treat a risk, it is necessary to know its root cause. The primary goal of
using RCA is to analyze problems or events to identify the following: What happened, how it
happened, and why it happened so that actions for preventing reoccurrence are developed.
They have a nine-step approach to RCA which includes:
1) Verify the incident and define the problem
2) Map a timeline of events
3) Identify critical events
4) Analyze the critical event’s cause and impact
5) Identify root causes
6) Support each root cause with evidence
7) Identify and select the best solutions
8) Develop recommendations
9) Track implementation of solutions
RCA is not a one-size-fits-all methodology. There are many different tools, processes, and
philosophies of accomplishing RCA. In fact, it was born out of a need to analyze various
enterprise activities such as:
Accident analysis and occupational safety and health
Quality control
Efficient business process
Engineering and maintenance failure analysis
Various systems-based processes, including change management and risk management
The process of discovering the real source of a problem can help transform a pattern of
behavior where people react to problems into a society that solves problems before they
become major incidents/accidents. The root cause is secondary to the goal of prevention, but
without the root cause, one cannot determine what an effective corrective action for the
defined problem will be. The nature of RCA is to identify all contributing factors to a problem or
event. Some of the analysis methods used in RCA include:
The “5-Whys” Analysis - A simple problem-solving technique that helps users get to the
root of the problem quickly. It was made popular in the 1970s by the Toyota Production
System. This strategy involves looking at a problem and asking “why” and “what” caused
this problem. Often the answer to the first ‘why’ prompts a second ‘why’ and so on,
providing the basis for the “5-Whys” analysis.
Barrier Analysis - Investigation or design method that involves the tracing of pathways
by which a target is adversely affected by a hazard, including the identification of any
failed or missing countermeasures that could or should have prevented the undesired
Change Analysis - Looks systematically for possible risk impacts and appropriate risk
management strategies in situations where change is occurring. This includes situations
in which system configurations are changed, operating practices or policies are revised,
new or different activities will be performed, etc.
Causal Factor Tree Analysis - An investigation and analysis technique used to record and
display, in a logical, tree-structured hierarchy, all the actions and conditions that were
necessary and sufficient for a given consequence to have occurred.
Failure Mode Effect Analysis - A ‘system engineering’ process that examines failures in
products or processes.
Fish-Bone Diagram or Ishikawa Diagram - Derived from the quality management process,
it’s an analysis tool that provides a systematic way of looking at effects and the causes
that create or contribute to those effects. Because of the function of the fishbone
diagram, it may be referred to as a cause-and-effect diagram. The design of the
diagram looks much like the skeleton of a fish.
Pareto Analysis - A statistical technique in decision making that is used for analysis of a
selected and limited number of tasks that produce a significant overall effect. The premise
is that 80% of problems are produced by a few critical causes (20%).
Fault Tree Analysis - The event is placed at the root (top event) of a ‘tree of logic’. Each
situation causing the effect is added to the tree as a series of logic expressions. (Office of
Financial Management, State of Washington 2010)
Some benefits the State of Washington has seen by implementing RCA among its agencies are
that they can now identify barriers and the causes of problems so that permanent solutions can
be found. Agencies are now developing a logical approach to problem-solving using data that
they already have. Each agency is identifying current and future needs for organizational
improvement. The agencies are establishing repeatable, step-by-step processes, in which one
process can confirm the results of another. (State of Washington Office of Financial
Management 2010)
6 Role & Responsibilities of a Risk Champion
In an ERM framework, risk managers are charged with assessing risk across the organization
using a holistic perspective. The risk manager of the public entity leads the ERM efforts and
divides their organization into risk centers with designated risks. A risk center is a department
or unit within the organization charged with the risk exposures that are related to their duties
and responsibilities. The risk champion is the individual accountable for the identification,
assessment, analysis, and implementation of an ERM program and for monitoring risk in that
department or unit. (Louisot and Ketcham 2009, 6.7)
Figure 17 - Risk Based Organizational Chart (Essary and Yip 2010)
Risk Centers
The advantage of dividing the public entity into various risk centers is the risk champion
becomes the eyes and ears for the risk manager on the emerging risks in their department or
unit. The risk champion is not necessarily responsible for performing actual risk management
activities, but they must have the authority necessary to ensure that others in their department
carry out all the required tasks. Developing risk centers also allows for the involvement of
operational managers who have valuable knowledge and a different perspective that can
contribute to the risk analysis process.
Once risk centers have been identified, the next step is to identify and assess the risks that each
risk center faces by listing the resources used by each risk center, the threats to each of those
resources, and the opportunities they may present. There are various resources that a public
entity can use to identify risk exposures:
Create surveys to be used to assess the organization’s risks
Brainstorm on potential ‘What if’ scenarios
Review balance sheets and income statements
Review supporting documentation on operational processes
Evaluate the operational flowcharts and organizational charts
Conduct personal inspections and interviews (Louisot and Ketcham 2009, 6.9)
Of these resources, the balance sheet and income statements become critical for a public entity
in revealing risk exposures. The balance sheet lists a lot of the public entities’ assets, liabilities,
and resulting net worth as of a particular date. The senior management team bases their
assessment of the financial condition of the public entity on their cash position and their
balance sheet. The balance sheet can help senior management see the importance of risk
management at each risk center by identifying assets and liabilities impacted at each risk
A simplified balance sheet method of risk identification examines the balance sheet through
four main categories: short-term assets, long-term assets, short-term liabilities, and long-term
liabilities. For example, the balance sheet’s list of assets can be used to identify property values
that are exposed to risk. One flaw to the simplified balance sheet method is that it does not
capture exposures that cannot be tracked through the accounting system such as
environmental, reputation, strategic, etc. It also focuses on the downside of a decrease in
assets and an increase in liabilities by approaching risk from an insurable loss perspective. (Louisot
and Ketcham 2009, 6.9)
The public entity’s goal in developing risk centers should not be to create isolated silos. Risk
champions should be cautious when creating their risk center’s goals and objectives so that
they do not focus solely on their own department’s risk exposures. They need to see how their
risks as well as the risks of other risk centers may impact the whole organization. This
organization-wide approach to evaluating risks is referred to as integrated risks. Integrated risks
are those risks that have a potential impact across many levels of the organization. In an
organization that applies ERM, all risk champions will be able to identify and address risks not
only within their own department but between departments.
It is important that the risk manager maintain effective communication with all the risk
champions within the organization. The risk manager should conduct regular interviews with
each risk champion. These interviews will enable the risk manager to identify critical
resource-related risks by asking the “how”, “who”, “where from”, and “where to” elements of the
organization’s work flow process as well as determine the effectiveness of the organization’s
communication plan.
Interview with the Risk Champion
1) Review with the risk champion their departmental objectives and how those objectives
tie to the organization’s strategic goals.
2) Are there new emerging risks that the department should be aware of?
3) How are these new emerging risks being quantified in the ERM program?
How is your department organized?
Who works in your department and what are their job responsibilities?
What resources are used in your department?
What products or services does your department create?
How do you share information within your department?
Strategic Questions:
1) How would you operate tomorrow if your building and contents were destroyed?
2) If there was a labor strike or a natural disaster, what are your plans to continue
3) How does your organization identify and address emerging risks or potential
opportunities for growth?
What Are Your Risk Mitigation Techniques for the Following:
Safety prevention and reduction
Integrated risks
Continuance plans
Crisis management
Reputational risk (Louisot and Ketcham 2009, 6.11)
While minor risks are managed at the risk center level, the more significant risks to the
organization need to be addressed at the senior management level. A risk might be more
complex than what the risk center understands and therefore should be rolled up to the senior
management team to evaluate all the potential consequences of the risk exposure. For
example, a decision to make a change in the everyday work flow process might be handled well
at the risk center level, yet a decision to change the supplier of a key component part would be best
addressed at the senior management level.
While senior managers are responsible for the organization’s successful management of threats
and opportunities, they cannot oversee every risk. They can only integrate risk management
with existing culture. The responsibility of risk management must be owned at various levels of
Middle management must have authority to manage the risk it is responsible and accountable for
at the operational level. It must have the appropriate level of risk achieved through specific
processes and people. The middle managers then report to senior management and
communicate their findings and recommendations. If problems occur, senior management can
then assist in addressing the internal threats and opportunities.
Line management consists of department heads, supervisors and functional managers who
operate as risk champions within their department. They are in the best position to understand
and manage their risks. Risk responsibility at this level is essential in an ERM program.
Risk responsibility for a specific risk should be assigned to the stakeholder who either creates
the risk or is primarily affected by its volatility, because he or she is often in the best position to
manage the risk and motivate others to control the risk. Assigning risk responsibility to
individuals should be a thoughtful process. Individuals who are assigned risks should have the
competency and skill set to provide training, incentives and tools to manage the risk.
Risk champions must follow the organization’s risk appetite and follow the established rules
regarding how the organization manages risk. Their understanding of the organization’s goals
and objectives helps them promote safety and risk awareness. The greater the person’s
motivation to do their best, the harder he or she will strive to obtain their objectives. (Louisot
and Ketcham 2009, 13.10)
7 Dealing with Unexpected Events
Organizations experience some type of unexpected event daily. Some unexpected events such
as citizens complaining about garbage pickup are very basic and easy to remedy. Other
disruptions, like Hurricane Katrina or a major earthquake, are more severe and interrupt
normal business activities. So the question we need to ask is “How severe does an unexpected
event need to be before the services of a public entity cease?”
There are four system level definitions to describe the degree of severity of an unexpected
1) Simple State System - The unexpected event can be resolved through routine decisions.
2) Complicated State System - The unexpected event is more difficult to resolve than a
simple system’s, but is not unusual.
3) Complex State System - The unexpected event is unusual, potentially critical to the
4) Chaotic State System - The unexpected event is a dramatic, unforeseen situation that
threatens the organization’s survival. (Louisot and Ketcham 2009, 7.4)
The simple state system assumes that normal day-to-day activities of the public entity are not
interrupted because senior decision makers have plans in place to address the unexpected
event. The decision on how to solve problems can be easily made based on current staff’s
experience and knowledge. Best practices are in place and contain highly regulated processes
and procedures. Risk communication between decision makers and line workers is swift and
The complicated state system entails events that involve both known and unknown pieces of
information. Best practices may not resolve the problem created by the unexpected event. The
solution to the unexpected event might not be immediately apparent to decision makers.
Leaders of the organization might need to investigate their options before deciding on the best
solution. Risk communication is essential between decision makers and line workers. It is
important that communication is flowing in both directions between decision makers and line
It becomes a little harder to identify the solutions to a complex state system. The situation in a
complex state system is not predictable and little thought has been placed on a possible
solution. A complex state system has a combination of known and unknown facts and requires
flexibility in finding the correct solution. Risk communication must be free flowing to allow senior
management to gather all necessary information to find the best solution.
A chaotic state system, like a natural disaster, that threatens the organization’s survival must be
communicated from the top down only. Organizational leaders must quickly gain control of the
situation and salvage as much as possible. An unexpected event at this level should be
addressed through crisis management procedures. The immediate goal of the leadership is to
restore the organization to its normal operational system. Hurricane Katrina is a good example
of a chaotic state system. The results of the hurricane were a substantial loss of life, lack of
essential services and destruction of many homes and businesses. It took time for local, county,
state and federal government bodies to manage the impact of Hurricane Katrina. The question
is what lessons were learned from the event?
Hurricane Katrina Critical Challenges
with recommendations to President Bush in February of 2006 on how to better handle a natural
disaster. The report lists several key breakdowns in the system that needed improvement for a
future natural disaster event:
1. National Preparedness
2. Integrated Use of Military Capabilities
3. Communications
4. Logistics and Evacuations
5. Search and Rescue
6. Public Safety and Security
7. Public Health and Medical Support
8. Human Services
9. Mass Care and Housing
10. Public Communications
11. Critical Infrastructure and Impact Assessment
12. Environmental Hazards and Debris Removal
13. Foreign Assistance
14. Non-Governmental Aid
15. Training, Exercises, and Lessons Learned
16. Homeland Security Professional Development and Education
17. Citizen and Community Preparedness (Townsend 2006, 51)
These 17 challenges did affect the ability of the Federal Government to respond to the events
surrounding Hurricane Katrina. The crisis management structure in place did not adequately
respond to a hurricane of this magnitude and clearly there were flaws in the system. These
flaws included a) unified management of the national response b) command and control
structures within the Federal government c) understanding of the preparedness plan and d)
regional planning and coordination. “Soon after Katrina made landfall, State and local
authorities understood the devastation was serious but, due to the destruction of
infrastructure and response capabilities, lacked the ability to communicate with each other and
coordinate a response. Federal officials struggled to perform responsibilities generally
conducted by State and local authorities, such as the rescue of citizens stranded by the rising
floodwaters, provision of law enforcement, and evacuation of the remaining population of New
Orleans, all without the benefit of prior planning or a functioning State/local incident command
structure to guide their efforts.” (Townsend 2006, 52)
The Federal government cannot be the Nation’s first responder. State and local governments
are best positioned by their logistics to play a larger role in disaster response. The Federal
government is best suited to assist local and state governments in their effort of disaster
recovery. But when local and state governments are overwhelmed or incapacitated by an event
that has reached a catastrophic outcome, only the Federal government has the resources and
capabilities to respond. The Federal government must therefore plan, train, and provide the
necessary resources to meet the requirements for responding to a catastrophic event.
(Townsend 2006, 52)
The National Response Plan’s Mission Assignment process proved to be far too bureaucratic to
support the response to a catastrophe. Melvin Holden, Mayor-President of Baton Rouge,
Louisiana, noted that, “requirements for paper work and form completions hindered
immediate action and deployment of people and materials to assist in rescue and recovery
efforts.” (Melvin “Kip” Holden 2005) Far too often, the process required numerous time
consuming approval signatures and data processing steps prior to any action, delaying the
response. As a result, many agencies took action under their own independent authorities
while also responding to mission assignments from the Federal Emergency Management
Agency (FEMA), creating further process confusion and potential duplication of efforts.
This lack of coordination at the Federal headquarters-level reflected confusing organizational
structures in the field. Federal resource managers had difficulty determining what resources
were needed, what resources they already had, and where to locate those resources at any
given point. Even when Federal managers had a clear understanding of what was needed, they
often had a challenge determining whether the Federal government had that necessary asset to
help in the recovery. At the most fundamental level, part of the explanation for why the
response to Katrina did not go as planned is that key decision-makers at all levels simply were
not familiar with the plans. The National Response Plan (NRP) was relatively new to many at the
Federal, State, and local levels before the events of Hurricane Katrina. This lack of
understanding of the “National” plan not surprisingly resulted in ineffective coordination of the
Federal, State, and local response. Additionally, the NRP itself provides only the ‘base plan’
outlining the overall elements of a response: Federal departments and agencies were required
to develop supporting operational plans and standard operating procedures (SOPs) to integrate
their activities into the national response. In almost all cases, the integrating SOPs were either
non-existent or still under development when Hurricane Katrina hit. Consequently, some of the
specific procedures and processes of the NRP were not properly implemented, and Federal
partners had to operate without any prescribed guidelines or chains of command.” (Townsend
Traditional crisis management generally consists of writing down policies and procedures in manuals
and periodically updating those manuals to maintain a current state of preparedness. The
problem with this process is that manuals are intended to provide directions for managers in
the exact scenarios addressed. However, the reality is that events might occur that have never
been thought of before. Therefore crisis management by following standard operating
procedures or just checking off the steps as outlined for preconceived emergencies is not
effective. Who’s going to read the manual during the crisis?
Enterprise crisis management begins well before the potential unexpected event. It focuses on
what the organization needs in place in order to survive and requires involvement of senior
leadership to run through the worst case scenarios. A key component to enterprise crisis
management is training the employees of an organization to expect challenges and to
understand how to react in a crisis situation.
Fault Tree Analysis
Fault Tree Analysis (FTA) is considered one of the more useful analytical tools to identify those
events that can or must occur in order to realize a certain outcome. The FTA starts with the
crisis event and drills down to the specific details of the cause of that event. The FTA
methodology is used often because of its ability to distinguish between risk causes that must all
occur, represented by an AND gate (for example, a fire is started by three components together:
heat, oxygen and an ignition source), and events of which any one can occur on its own,
represented by an OR gate (an underground storage tank can leak either by corrosion or by a
puncture to the tank). These causes of loss can be traced back to the risk event.
The information charted on a fault tree provides a qualitative analysis by demonstrating how
specific events will affect an outcome. By placing each contributing factor in its respective
location on the tree, the investigator can accurately identify where any breakdowns in a system
occurred, what relationship exists between events, and what interface occurred. If probability
data is known for these events, then the FTA can also provide quantitative information to
further evaluate the likelihood of achieving the top event.
Once the tree is developed, the fault areas responsible for yielding an undesired (or desired)
event can be evaluated at the micro rather than the macro level, and this detailed information
can help senior leadership respond correctly to a crisis event. Decision makers are then able to
evaluate the chain reaction of events that can lead to the disaster and see where the weak
areas in the response are. (Vincoli 1993, 135)
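The AND/OR gate examples above, worked through as an added example that is not part of the original text: a small Python fault-tree evaluator that computes the top-event probability from independent basic events, lists the minimal cut sets, and ranks which basic event's elimination would reduce the top event most. The event probabilities and the combined top event are constructed for illustration only.

```python
"""Fault-tree evaluator: an added example, not code from the original text.

Assumptions (constructed for illustration): basic events are statistically
independent, so an AND gate has probability prod(p_i) and an OR gate has
probability 1 - prod(1 - p_i). Event names and probabilities are made up.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str      # "AND": all inputs must occur; "OR": any single input suffices
    inputs: tuple  # child nodes (BasicEvent or Gate)


Node = Union[BasicEvent, Gate]


def probability(node: Node, overrides: Optional[Dict[str, float]] = None) -> float:
    """Probability that `node` occurs; `overrides` replaces basic-event values by name."""
    overrides = overrides or {}
    if isinstance(node, BasicEvent):
        return overrides.get(node.name, node.probability)
    ps = [probability(child, overrides) for child in node.inputs]
    if node.kind == "AND":
        acc = 1.0
        for p in ps:
            acc *= p
        return acc
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events whose joint occurrence causes `node`."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        candidates = {cs for sets in child_sets for cs in sets}
    else:  # AND: one cut set from every input must occur together
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    # keep only sets that contain no other candidate as a proper subset
    minimal = [cs for cs in candidates if not any(other < cs for other in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_events(node: Node) -> List[BasicEvent]:
    if isinstance(node, BasicEvent):
        return [node]
    out: List[BasicEvent] = []
    for child in node.inputs:
        out.extend(basic_events(child))
    return out


def reduction_if_eliminated(top: Node) -> Dict[str, float]:
    """Drop in top-event probability if each basic event were made impossible.
    The largest value marks the weakest area, where a control buys the most."""
    base = probability(top)
    return {e.name: base - probability(top, {e.name: 0.0}) for e in basic_events(top)}


# Constructed tree built from the two gate examples in the text.
FIRE = Gate("fire", "AND", (
    BasicEvent("heat", 0.30),
    BasicEvent("oxygen", 0.95),
    BasicEvent("ignition source", 0.10),
))
TANK_LEAK = Gate("underground tank leak", "OR", (
    BasicEvent("corrosion", 0.05),
    BasicEvent("puncture", 0.02),
))
TOP_EVENT = Gate("hazardous incident at the yard", "OR", (FIRE, TANK_LEAK))

if __name__ == "__main__":
    print(f"P(fire)      = {probability(FIRE):.4f}")
    print(f"P(tank leak) = {probability(TANK_LEAK):.4f}")
    print(f"P(top event) = {probability(TOP_EVENT):.4f}")
    for cs in minimal_cut_sets(TOP_EVENT):
        print("cut set:", sorted(cs))
    ranked = sorted(reduction_if_eliminated(TOP_EVENT).items(), key=lambda kv: -kv[1])
    for name, drop in ranked:
        print(f"eliminate {name:16s} -> top probability drops by {drop:.4f}")
```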
During the course of the investigation of the BP Oil Spill, the investigation team used fault tree
analysis to define and consider various scenarios of failure modes and possible contributing
factors. Through the fault tree analysis, the investigation team found eight key findings related
to the causes of the accident. Here is a sample of the fault tree analysis that was used in the
Figure 18 - BP Deepwater Horizon Fault Tree (TapRoot 2010)
Continuity Plan
The senior management of the public entity should emphasize the importance of a Continuity
Plan outlining how the organization will survive and succeed after an unexpected event. The
Continuity Plan should direct each department in formulating a departmental plan that will
coordinate with the entire organization. Each department’s plan should include the following:
Statement of acceptable level of functioning
Recovery time objectives, resources needed and potential failure points
Tasks and activities required
Procedures and processes
Supporting documentation and information
Structure to support the plan
Description of personnel duties and responsibilities
Description of the interdependencies among the various departments (Louisot and Ketcham
2009, 7.25)
An organization has an integrated combination of processes between the organization itself, its
message, and its stakeholders’ expectations. An organization’s reputation can be enhanced or
damaged as a consequence of these interactions. An ERM approach to reputation risk involves
carefully managing the public entity’s interactions with the general public, its stakeholders,
and its employees.
Public entities are under great pressure to be transparent in all their actions because they use
taxpayers’ money. It is in the best interest of the public entity to develop a communication
policy that includes periodic messages to stakeholders about the decisions of senior
management regarding the entity’s business plans, values, and goals. Risks to reputation are
revealed when the organization’s message does not match up with stakeholders’ expectations.
In order to address risk to reputation, roles and responsibilities must be thoroughly analyzed and
clearly defined within the organization. Obstacles to the successful management of one’s reputation
usually stem from a lack of clarity, resources and awareness. For example, an organization
might place a low value on reputation as an asset while choosing to focus more on tangible
When a disaster occurs, whether it is caused by natural or economic events, an organization
needs to be careful about how it receives information and shares that information with
internal and external stakeholders. Examples of such scenarios include the use of contaminated
blood at a public hospital, an explosion at a public works building, or the lack of personal
protective equipment used by public entity employees. When an organization responds poorly
to a crisis, its stakeholders can lose trust and confidence in the public entity’s ability to provide
needed services to the public.
Public Entity Example – University of California
The University of California has a department dedicated to continuity planning. The Office of
Continuity Planning was championed and funded by the Office of Risk Service at the University
of California. It has a clear goal to promote a comprehensive approach to event-readiness
across the System. Although the initial focus of the Office of Continuity Planning is to develop
continuity planning at all UC locations, the long-term goal is broader. They aim to exploit the
synergies among the three comprehensive preparedness methodologies: risk management,
emergency management and continuity planning.
Continuity planning has proved a difficult fit for the structure and culture of higher education.
The most successful adaptation of continuity planning for higher education has
been achieved at the Berkeley campus. Berkeley’s program was conceived in 2001 by
a broad-based campus committee and has been sponsored ever since by Associate Vice
Chancellor Ron Coley. Currently 108 departments at Berkeley have completed continuity plans,
and an additional 129 have plans in progress. 70% of these departments are academic or
research units.
The cornerstone of Berkeley’s success is its unique web application, UC Ready. Designed and
built in-house, this do-it-yourself tool enables departments to create continuity plans with
minimal coaching. The tool works equally well for all types of departments: instructional,
research, libraries, museums, administrative, and other support units. It produces, within the
plan, a list of action items for readiness. Annual follow-up sessions are held to update the plan
and track completion of the lists.
“The Berkeley tool has attracted national attention: more than 30 universities outside UC have
adopted it for use; it received a National Association of College and University Business Officers
(NACUBO) 2007 Innovation Award and the UC System’s 2007 Sautter Award; the Kuali
Foundation is incorporating it into its suite of open-source tools for the higher education
community; and the Mellon Foundation is funding its adaptation to the national arts
community.” (Diamond 2009)
In order to protect its reputation, a public entity needs to be proactive in exceeding its
stakeholders’ expectations. A public entity with a great reputation might attract high-potential
employees who in turn can increase the overall value of the organization. Identifying key
sources of risk to reputation will enable the public entity to better protect that asset.
Public Entity Example – Center for Disease Control and Prevention
“The Center for Disease Control and Prevention’s mission is to promote health and quality of
life by preventing and controlling disease, injury, and disability. CDC’s credibility is of high
priority to the agency. Leaders within CDC believe that how they are perceived is in direct
relationship to how they communicate as an organization. Their reputation is perceived by
many interested persons or groups that closely watch the agency’s characteristics,
achievements, and behaviors. From the CDC’s perspective, managing the agency’s reputation is
important because the agency must have the public’s trust to do its mission, or risk of:
1) Increased disease, injury, and death
2) Demands for the misallocation of limited resources
3) Circumvented public health policies
The CDC is very concerned about their reputation and has developed and proposed a separate
risk assessment strategy to measure credibility. The tool CDC is using is referred to as RiskSmart
or Credibility Risk Management and is an active continuous and ethics-based assessment and
engagement with all stakeholders to safeguard and enhance the agency’s credibility.
“According to the Canadian Integrated Risk Management Framework, a risk smart workforce
and environment in the public service is one that supports responsible risk management, where
risk management is built into existing governance and organizational structure, and planning
and operational process. An essential element of a risk smart environment is to ensure that the
workplace has the capacity and tools to be innovative while recognizing and respecting the need
to be prudent in protecting the public interest and maintaining public trust.
The CDC identifies its reputation as the primary driver for implementing ERM. All agencies have
this intangible asset, but few emphasize its importance. Other organizations also share this
endeavor. Industry experts note that intangible assets such as brand equity and goodwill
account for 70%-80% of a company’s market value. Yet, most companies don’t proactively
manage reputation risk until after their reputation suffers damage. Many organizations tend to
focus their energies on handling threats to their reputation that have already surfaced. This is
not risk management; it is crisis management.” (Hardy 2010)
8 Integrated Risk Management
Integrated risk management is the integration of the management of risk at each level of management
into all business and strategic planning and decision-making processes. It allows an organization to
analyze the interrelationships of its risk exposures within and between departments and
helps senior management see the impact of combined risk exposures.
U.S. Department of Homeland Security
According to the U.S. Department of Homeland Security, integrated risk management “is a structured
approach that enables the distribution and employment of shared risk information and analysis
and the synchronization of independent yet complementary risk management strategies to
unify efforts across the enterprise. The goal of this policy is for DHS to work with its partners to
use IRM as an approach to address the uncertainty inherent in this complex mission space, and
help make the tough decisions necessary to keep the nation resilient and secure with limited
resources. The policy is based on the premise that partnerships can enable the most effective
risk management.” (Kolasky 2011, 1)
Figure 19 - DHS Risk Management Process (Miller 2010)
The Department of Homeland Security issued a memorandum by Secretary Janet Napolitano
on May 27, 2010 announcing the Department’s adoption of Integrated Risk Management as a
fundamental concept that will guide its efforts within and across the homeland security
enterprise. The goal of this policy is for DHS to use IRM to inform strategies, processes and
decisions to enhance security and to work in a unified manner to manage risks to the Nation’s
homeland security.
DHS plays a leadership role in the Nation’s unified effort to manage risks working across the
homeland security enterprise which includes Federal, state, local, tribal, territorial,
nongovernmental and private sector partners. IRM is based on the premise that security
partners working together can most effectively manage risk. IRM is integrated in that it includes
the following:
1) Unifying efforts among all homeland security partners to ensure that strategies and
actions are informed by a common understanding of homeland security risks
2) Ensuring that information and analysis about homeland security risks are incorporated
into strategic and operational decision-making processes
3) Building a common understanding of risk management through development of a risk
lexicon, risk-informed planning process, training and standards of practice
4) Providing mechanisms to share risk data, risk assessment, and risk management
decision support and analysis tools across the homeland security enterprise. (Miller
Homeland security risks are inherently uncertain and risk analysis will not always yield precise
answers. The Department uses risk information and analysis to make its assumptions more
transparent, encourage creative thinking, and provide defensible decisions made with the best
available tools and information for the best achievable outcomes.
The DHS Risk Management Process will develop methodologies, where appropriate, to determine
the extent to which its programs and activities manage and reduce risks to the Nation. DHS will
use this information, among other inputs, to measure the Department’s progress toward
achieving strategic goals, inform decision makers, build its budget, help guide the allocation of
limited resources, and promote understanding and collaboration among homeland security
enterprise partners.
DHS’s Directive for Integrated Risk Management includes the following:
1) Incorporating risk management into component business practices
2) Establishing risk management capabilities, policies, processes, and practices consistent
with DHS IRM policy
3) Appointing a lead executive with responsibility for integrating risk management
4) Periodically assessing the Department’s risk management capability
5) Maintaining a risk knowledge management system (Miller 2010)
“If an approach to integrated risk management can be successfully developed and
implemented, the opportunities for improving the quality and utility of risk analyses carried out
by many components of DHS and by many partners should be extensive.” (National Research
Council of the National Academies 2010)
Figure 20 - Integrating Risk across the DHS Enterprise (Miller 2010)
The value of IRM for Homeland Security includes the following:
1) Allows for more transparent and defensible decision making
2) Contextualizes homeland security threats, showing which are the most likely and which
have the highest impact
3) Informs prioritization decisions among terrorism, natural disasters, cyber, pandemics
and border security hazards
4) Provides a performance measure for programs across the homeland security mission
5) Identifies opportunities for reducing or transferring risk (Miller 2010)
The Department of Homeland Security (DHS) Office of Risk Management and Analysis (RMA)
conducted a study of risk management practices in public and private organizations between
May and July 2010. The purpose of the study was to help guide RMA and Risk Steering
Committee efforts to build a risk management program for DHS. The study consisted of over 20
one-hour interviews with executive-level risk practitioners at Fortune 500 companies, staff-level
risk practitioners at government agencies, and individuals from other organizations who
are familiar with risk management. (Office of Risk Management and Analysis, Department of
Homeland Security 2010)
The study’s key findings can be summed up with the following:
1) Risk management and analysis is being integrated across organizations.
2) Risk management activities are aligned to organizations’ structure and processes.
3) Organizations use specific methods to improve the conduct and communication of risk
Challenges Faced
Numerous participants from the public sector expressed difficulty in achieving consistent support for
their ERM initiatives. Many of these participants linked this to the high rate of turnover among the
political appointees tasked with leading federal agencies. Several participants reported having efforts to
implement a risk management program derailed because of leadership changes at their organization.
Other public sector participants reported problems implementing risk management programs when
dealing with risks that had politically controversial implications. These are generally risks that the private
sector does not face, either because it has different mandates than government agencies or because these
are risks that it relies on the government to manage. Many participants said their leaders were unwilling to
consider risk management principles, such as risk positions or tradeoffs, when considering these issues.
For example, one participant said that leaders at his agency were unwilling to say they would accept risks
to the safety of their personnel. Interviewees also said that legislative mandates interfered with their
ability to manage risk.
Some private sector organizations managed their risk on a holistic, enterprise-wide basis while many
public agencies were managing risks on an uncoordinated, ad hoc basis. For example, attempts to
coordinate interviews with participants from one government agency were complicated by the fact that
disparate groups were responsible for overseeing the management of related risks.
The lack of a link between risk management and an agency’s ability to achieve its objectives could be
related to why the public sector has lagged behind the private sector in adopting enterprise risk
management. Many of the Federal agencies are focused on risk simply as uncertainty or bad things that
could happen to the agency or the public.
Tactics Employed
Given the challenges faced by the public sector, what are some tactics that can be employed to
move IRM adoption forward? Many interviewees said they were seeking to integrate the
management and analysis of risk across their organization. The study found organizations
employed several tactics:
1) Organizations are increasingly seeking to understand and manage risk on a holistic, enterprise-wide
level - The interviewees noted that risk management strategies could affect their
business units unequally and that a good decision for one business unit could be a bad
decision for another. They also said that without an enterprise-wide understanding of
risk, business units may accept more risk than the organization’s leadership is willing to
accept, either on an individual or collective basis.
2) Risk is commonly understood and assessed as it relates to an organization’s objectives - The
vast majority of interviewees said their organizations consider risk in relation to how it
affects the organization’s ability to achieve its objectives. One interviewee said he thinks
“enterprise risk management is enterprise goal management.”
3) Risk management is incorporated into strategic planning - Almost every participant in the
study recognized the importance of linking strategic planning and risk management,
although not all participants said they had done so successfully at their organization. One
participant in the study reinforced this focus, saying “strategy and risk need to be
playing the same game.”
4) Organizations regularly track and monitor the risks they face - Participants wanted to find
factors that were correlated to their organizations’ risks, which could be tracked on a
more regular basis and give warning that exposure to risks were changing.
5) An organization’s leadership must be aware of its risks - Participants expressed concerns
that if there were layers between risk information and leadership, then the risk
information could be censored before leadership had a chance to review it. Most
interviewees said risk executives should have either direct access or regular meetings
with key leaders, such as the Chief Executive Officer or Board of Directors.
6) Organizations attempt to facilitate cascading communication of risk - Many interviewees
emphasized that risk information should flow up, down and across their organization.
Interviewees said business units and project managers were responsible for using this
information to develop implementation strategies. Interviewees emphasized that
leadership could not set its priorities however, without understanding the risks that
their business units and project managers face. As a result, interviewees said that it was
important that the business units and project managers communicate risks to
leadership, particularly when changing situations could merit altering risk management
There were several commonalities between private and public sector in the manner
organizations structured themselves to manage and analyze risk most effectively. Some of
these structured decisions lend themselves to better understanding and communicating risks,
while others reinforced the aforementioned desire to analyze and manage risk in an integrated
fashion. These commonalities include:
1) Organizations customize risk management programs to fit their needs and culture. Each
organization had different contexts in which their risk management programs were
designed and implemented. While they acknowledged general standards that were used
in the development of their risk management programs, interviewees noted that it is
important that a risk management program match the culture and operations of the
organizations it is designed to serve.
2) Leaders at the executive level must endorse and sponsor a risk management program -
Interviewees repeatedly emphasized the importance of executive sponsorship of a risk
management program. They noted that risk management programs require participants
at all levels of an organization, and said executive sponsorship encourages that
participation. Many participants noted that a risk management program is only effective
if it is used to inform decision making. This means that leaders must support the
program and incorporate the information coming from it when they are making
3) Accountability for risk management should be clearly defined and risks should be managed by
the unit closest to the risks - Organizations with very developed risk management
programs had clearly defined who in the organization was accountable for actually
managing risks. In fact, many interviewees indicated that during the initial
implementation of their risk management program, one of their first steps was to define
accountability in their organization for what business units or executives were
responsible for managing risks.
4) Central risk management offices and committees have been established at many
organizations - Interviewees said the central risk management offices and risk
committees share responsibility for overseeing their organization’s process for
identifying, assessing, and managing risk; creating tools and training to help business
units with those processes; facilitating enterprise-wide discussions and decisions about
cross-cutting risks; monitoring indicators related to risk; briefing organizational
leadership about risk; and identifying emerging risks.
5) Risk management programs are facilitated by an executive at the organization - Interviewees
at organizations that have central risk management programs usually said their
organization tasked an executive with facilitating the implementation of the risk
management program. However, interviewees cautioned that it was not enough to
simply have an executive tasked with overseeing the organization’s risk management
framework; the organization must act on the framework as well.
6) Many programs start with a limited scope - When developing a risk management program,
many interviewees said they started with a limited program. They pointed to a number
of factors driving this, including limited resources, a desire to prove value before
expanding, and the number of risks that would need to be considered if a program is not
bounded. They then broadened the scope of their risk management program after the initial
7) Organizations rely on comparative studies and maturity models to assess their risk
management activities - It was found that organizations interviewed were using either a
COSO or ISO framework. Many organizations also used a maturity model to measure
their risk management capabilities. However, interviews were not able to point to a
common benchmark standard that organizations could use to assess their relative
8) Organizations should work to instill a culture of risk management throughout their staff -
Participants emphasized that their goal was not to generate a risk management
program that sat outside the organization’s standard management processes, but one that was
instead incorporated into those processes. Therefore, the emphasis of risk management
efforts should not just be on developing a well-functioning and efficient risk
management program, but also on changing the approach members of the organization
take when making decisions.
There were also several common methods and principles interviewees mentioned when they
analyze and communicate risk within their organizations. They said these methods were
important to ensure decision makers understood risk analyses and were enabled to make
risk-informed decisions.
1) Risk practitioners attempt to present risk in a simple and relevant manner - Numerous
participants emphasized that risk information must be presented in a simple and
relevant way. They warned that risk practitioners must not present information in a
technocratic manner, lest their recommendations be misunderstood or ignored.
2) There are few strong metrics to measure the success of a risk management program - Every
participant in the study said they had difficulty in developing metrics that can be used to
assess a risk management program. They said the benefits of risk management could
largely only be assessed on a qualitative basis, as attempting to illustrate that an
organization avoided risks is proving a negative. Some interviewees proposed output-type
measures such as whether a risk management decision process is being used, while
others proposed proxy measures such as the number of surprise risk events that affect
an organization.
3) Formal risk positions are difficult to establish, but it is important for an organization to
attempt to do so - Organizations often have trouble explicitly determining a position for
the amount of risk they are willing to accept that could affect their ability to achieve
their goals. This is similar to the concepts of setting risk appetite, risk tolerance or risk
threshold. Many interviewees said they could not set an explicit risk position due to
concerns from their legal departments or a simple unwillingness of leadership to say
they were willing to accept risk. However, most study participants believed
organizations should establish a risk position.
4) The identification of emerging risks is a priority for many organizations - Many participants
noted that a key value of risk management is to help an organization anticipate risks
before they happen. Although risk managers cannot see into the future and will likely not
be able to anticipate every risk that could affect an organization, the participants said
risk managers should try to provide their leadership with as much warning as possible
about new risks that could affect the organization.
5) When identifying and assessing risk, it is important to provide anonymity - Many
interviewees expressed a belief that anonymity is important when attempting to
identify and assess risk. They identified several reasons for this, such as the danger of
groupthink developing and individuals’ fear of mentioning risks or mistakes to regulators
or leaders. These participants took great pains to provide anonymity to people in their
organization who participate in risk identification and assessment.
6) Practitioners should encourage diversity of thought when considering risk - Several
participants indicated that diversity of thought was not only important for risk
assessment, but also a key benefit of risk assessment. They said risk analyses are only as
good as the cross section of individuals involved in the process, to ensure a wide range
of backgrounds and viewpoints were incorporated into the analyses.
Because managing homeland security risks depends on a concerted, unified effort from a
diverse set of organizations, DHS has established a Department-level Risk Steering Committee
(RSC) that serves as the primary body for risk governance and provides a forum for all DHS
Components to discuss and advance integrated risk management. The RSC has published a
number of guidance documents to assist partners in conducting defensible, coordinated risk
analysis, including the DHS Risk Lexicon (2010) (DHS Risk Steering Committee 2010) and Risk
Management Guidelines (Department of Homeland Security 2010). The DHS Risk Lexicon, which
contains 123 terms related to the practice of homeland security risk management, improves
communications, understanding, and information exchange among homeland security partners.
One of the tools the RMA created is the Risk Assessment Process for Informed Decision-making
(RAPID), a quantitative multi-hazard assessment of risk designed to provide information
to Department leadership on homeland security risks and the risk reduced by homeland
security programs in support of policy and resource allocation decisions. At its core, RAPID is a
probabilistic risk assessment that examines how programs across the Department work
together to manage anticipated risks associated with the top-priority DHS strategic goals and
objectives, ensuring that future resources allocated to DHS programs are influenced by the
programs’ risk-reduction values. RAPID currently covers 12 hazard types and more than 30 DHS
high-level programs. In 2009, RAPID was launched as a full-scale strategic risk assessment with
production quality decision support, and its results were used in the FY 2012-2016 DHS budget
planning process.
In addition to RAPID, RMA has developed a number of methodologies to address specific
homeland security challenges. Notably, RMA leads the assessment of risk to special events
nationwide. Using a multi-hazard methodology that takes into account attendance and specific
vulnerabilities of the venue, RMA helps assign relative risk scores to over 8000 special events
annually. These risk scores are used by federal law enforcement agencies to determine the
allocation of security resources for each event. At a more strategic level, RMA has also
developed a methodology for conducting national level risk assessments to provide a
comparative assessment of homeland security risks to our national strategic interests. (Kolasky
Integrated risk management is a vital tool that can assist not only homeland security but also
the broader general public sector agencies on how to best allocate limited resources and
effectively manage risks.
9 Using ERM in Project Management
In this chapter we will discuss the implementation of the ERM program, utilizing the concepts
and ideas from the previous chapters to develop an initial ERM project. The scope of this
project should be set by the senior management of the organization and focus on specific risk
criteria that can be measured and managed within a certain time period. This will give the
public entity an opportunity to get its feet wet with a smaller ERM project before
implementing a broader approach to ERM across the public entity.
Project management provides a systematic approach through which an organization can
understand the scope of its responsibilities regarding the project. ERM helps identify the
disciplines necessary for organizations to achieve their goals within that project and schedules
key milestones for the planning and completion of that project. Using ERM in project
management can help a project manager anticipate potential risks associated with the project’s
objectives and organize and control activities so that the project is completed successfully.
Primary Activities
A project manager must master a number of disciplines including stakeholder management,
resource management, task management, and quality management to realize a project goal
within time, budget, and boundary constraints and with acceptable quality. These disciplines of
managing the project team and communicating project information and progress become
critical for the success of the project. Managing risks in a project is similar to managing risks in
an organization, but it requires an increased focus on time and budget. Project risk
management involves four primary activities: (Louisot and Ketcham 2009, 14.4)
1) Use the risk management process within the scope of the project
2) Focus on common project losses
3) Address the risks on the project’s critical path, which is the longest-duration path
through the work plan
4) Control scope creep, which consists of unplanned activities that are added to the project
The purpose of project risk management is to ensure that the levels of risk are optimized so
that the project’s goal is achieved. The team assigned to a project might have an informal or
formal project risk management plan. Larger projects require a more formal and detailed risk
management scope than do smaller projects. Here are the risk management processes to a
1) Establish the internal and external contexts: the context of the project in relation to the
strategic goals of the organization and its relationship to its stakeholders
2) Risk assessment: identification, analysis and evaluation
3) Risk treatment: selecting and implementing appropriate risk management techniques
4) Monitor results and revise
5) Communicate and consult with all internal and external stakeholders (Louisot and
Ketcham 2009, 14.12)
By applying ERM process techniques to a project, the organization aligns its strategy and risk
management with the strategic goals and operational objectives of the project. The first step in
the ERM process is to ensure that the project plan and charter are associated with the mission,
vision, and goals of the organization. If a project represents a change in strategy, this
information should be communicated to all stakeholders.
Some risks are common to projects. By anticipating these common risks, a project manager can
treat them early and address the concerns and impact to the project. Some of the internal risks
to a project will include the project scope, human resources, and operational risks. The lack of
clearly defined project scope can be the starting point for design flaws that could plague a
project. The farther the project progresses, the more costly it is to bring the project back on
Team members and project participants are important resources to completing the project. The
loss of a key team member can derail a project. Operational risk can arise from the company’s
business functions and inadequate or failed internal processes, people and systems. If a project
depends on any organizational operations for project completion, it should consider the ways in
which failures in those operations could jeopardize the completion of the project.
Some of the external risks that should be considered in project management are natural
perils, political risks, commercial and social expectations, and technology obsolescence. Natural
perils are events outside human control and include floods, windstorms, volcanic eruptions
and earthquakes. Political risk refers to complications that result from decisions made by
political or regulatory bodies, which can change the outcomes a project expects and make its
business goals more difficult to achieve. (Louisot and Ketcham 2009, 14.16)
Commercial and social expectations can shift when a project fails to meet stakeholders’ needs. The
project team can mitigate the risk of failing to meet a need by conducting adequate surveys before the
project design and repeating the surveys throughout the project. For long-term projects, there is
a possibility of the technology becoming obsolete. To mitigate such a risk, the project team should
scan the technology possibilities and select the best technology for the project.
Another item the project manager should budget for in the project is for the unexpected losses.
A good rule of thumb is to place about 10% of the total project cost in an account for potential
losses. This way the project manager can have a resource in which to pay for unexpected losses
without having to ask decision makers for additional monies to pay for these losses. If there is
money left over after the project, the money can be returned to the organization.
Buffer Time
Time estimates for project activities are not exact. Start and finish times for any activity might
be early or late. This is a result of slack time, which is the amount of time by which an activity
can be delayed without affecting the overall completion time of the project. The sum of all slack
times for activities on a critical path is the buffer available in the critical path. Throughout the
project, the project manager monitors the days remaining in the buffer. If the buffer becomes
critically low, resources can be added to the critical path activities to ensure the entire project
is accomplished by the target deadline.
In regularly scheduled meetings, progress and problems with activities are discussed. Resources
are identified that can resolve bottlenecks. If necessary, the project’s sponsor may be asked to
assist in resolving organizational issues. When an organization recognizes that change is
needed, it first has to articulate the need for the change. For example, organizational threats
could lead to the articulation of the need for change. (Louisot and Ketcham 2009, 14.18)
Scheduling Tools
There are two scheduling tools that are widely used in project management to help project
managers track their projects. One is the Gantt chart, a bar chart that displays the
amount of time required for each activity in a project, shows the sequence in which activities are
to be performed, and provides the current status of those activities. The second tool is the Program
Evaluation and Review Technique (PERT), which identifies a project’s
necessary events, the events that must be finished, and the events that are
most time sensitive. (Louisot and Ketcham 2009, 14.7)
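The buffer time and scheduling tool passages above describe slack, the critical path (the longest-duration path through the work plan) and the time-sensitive activities that PERT highlights. The following is an added example, not code from the original publication or from any agency it describes, showing the standard critical path method (forward and backward pass) on a constructed work plan; the activity names and durations are sample data.

```python
"""Critical path and slack computation for a small project plan.

Added example (not from the original publication or any of the agencies it
describes). Activities and durations are constructed sample data; the
algorithm is the standard critical path method (forward and backward pass).
"""
from collections import deque

# Constructed sample work plan: activity -> (duration in days, predecessors)
SAMPLE_PLAN = {
    "charter":  (2,  []),
    "scope":    (5,  ["charter"]),
    "procure":  (10, ["scope"]),
    "design":   (8,  ["scope"]),
    "build":    (15, ["procure", "design"]),
    "train":    (4,  ["design"]),
    "handover": (2,  ["build", "train"]),
}


def _successors(plan):
    """Invert the predecessor lists so each activity knows what depends on it."""
    successors = {a: [] for a in plan}
    for a, (_, preds) in plan.items():
        for p in preds:
            successors[p].append(a)
    return successors


def topological_order(plan):
    """Return activities ordered so every predecessor precedes its successors."""
    indegree = {a: len(preds) for a, (_, preds) in plan.items()}
    successors = _successors(plan)
    ready = deque(a for a, d in indegree.items() if d == 0)
    order = []
    while ready:
        a = ready.popleft()
        order.append(a)
        for s in successors[a]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(plan):
        raise ValueError("work plan contains a dependency cycle")
    return order


def schedule(plan):
    """Compute early/late start and finish, slack, and the critical path.

    Slack (total float) is how long an activity can be delayed without
    delaying project completion; zero-slack activities form the critical path.
    """
    order = topological_order(plan)
    successors = _successors(plan)
    early_start, early_finish = {}, {}
    for a in order:                        # forward pass: earliest times
        duration, preds = plan[a]
        early_start[a] = max((early_finish[p] for p in preds), default=0)
        early_finish[a] = early_start[a] + duration
    project_duration = max(early_finish.values())

    late_start, late_finish = {}, {}
    for a in reversed(order):              # backward pass: latest times
        duration, _ = plan[a]
        late_finish[a] = min((late_start[s] for s in successors[a]),
                             default=project_duration)
        late_start[a] = late_finish[a] - duration

    rows = {a: {"es": early_start[a], "ef": early_finish[a],
                "ls": late_start[a], "lf": late_finish[a],
                "slack": late_start[a] - early_start[a]} for a in plan}
    critical_path = [a for a in order if rows[a]["slack"] == 0]
    return project_duration, rows, critical_path


if __name__ == "__main__":
    duration, rows, path = schedule(SAMPLE_PLAN)
    print(f"project duration: {duration} days")
    print("critical path:", " -> ".join(path))
    for a, r in rows.items():
        print(f"{a:9} ES={r['es']:2} EF={r['ef']:2} "
              f"LS={r['ls']:2} LF={r['lf']:2} slack={r['slack']}")
```

On the sample plan the critical path is charter, scope, procure, build and handover (34 days); "design" carries 2 days of slack and "train" 13, so those are the activities a manager can delay, or borrow resources from, when the buffer on the critical path runs low.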
Example Gantt Chart
Figure 21 – Veterans Administration Project Timeline 2001-02 (United States Department of Veterans Affairs
Project ERM Goal
The goal of ERM is to embed risk recognition into every business decision. Too often,
organizations have a status-quo approach to risk management that deteriorates into narrow
compliance-based efforts that lead to underperformance. If properly executed, ERM
projects can establish more reliable decision making and foster innovation to sustain
It is critical for the success of a project that leadership at the top of the organization buys in
to the scope and mission of the project. If the scope, mission, or risk criteria are not
clearly spelled out, there can be confusion and disorganization. Board and executive leaders
need to be aware of the risk criteria of the project and understand how delays to time and
schedule can impact the project.
It is essential that the board and senior executives drive the implementation of an ERM project
because ERM involves the commitment of the entire organization. A common mistake in
initiating an ERM project is failing to get complete buy-in from all key stakeholders. This
executive group should ensure that all stakeholders understand the impact and scope of ERM
and support the required changes so that ERM becomes the standard. (Louisot and Ketcham
2009, 14.3)
Public Entity Example – Washington State Department of Transportation
Providing reliable estimates is a fundamental responsibility of the Washington State
Department of Transportation (WSDOT). The importance of estimating the costs and schedules
of its transportation projects has never been greater. Equal in importance to project
estimates are project risk and uncertainty. In order to more fully convey the characteristics of a
project, WSDOT determines the uncertainty and risk associated with the project and
its tolerance for that risk, which becomes an integral part of its project management.
Traditional estimating practices tend to produce “the number” for a project, but a single
number can mask the critical risk and variation assumptions made implicitly or explicitly for a
particular project. A single number estimate implies a sense of precision beyond what can be
achieved during planning, scoping or early design phases. Project engineers, project managers,
business managers, and executives need to be prepared to answer three basic questions raised
by the public and others about the project:
1) How much will this project cost?
2) How long will this project take?
3) Why are we doing this project?
WSDOT has found that the answer to these fundamental questions rests in the fact that an
estimate is more properly expressed as a range. The range is comprised of two components:
the base project estimate with the appropriate variability and a risk component. By holding
collaborative workshops with all parties involved in the project, WSDOT has been able to
recognize the possibilities of risk and uncertainty. These workshops offer project teams the
opportunity to ensure that real communication about the project issues is taking place. In fact
many project managers find that the workshop discussions are the most valuable part of the
The WSDOT commitment to risk-based estimating and aggressive project risk management is
demonstrated by the increasing use of e-tools that provide key updates:
- Formalized use of risk reserves
- Regular updates of project cost estimates
- Consistent use of a 4% construction contingency in base estimates
- Project documentation, which must include the basis of estimate
WSDOT’s project managers are engaging in proactive management of project risks more
frequently and with greater enthusiasm. In addition, the project teams monitor and track the
effectiveness of their risk response actions. WSDOT project managers are directed to conduct
risk-based estimating workshops on all projects over $10 million (the total of preliminary
engineering, right of way, and construction). These workshops provide information that helps project
managers control scope, cost and schedule, and manage risks for all projects.
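The WSDOT passage above describes expressing an estimate as a range made up of a base estimate with its variability plus a risk component, and holding a risk reserve against identified risks. The following is an added example, not WSDOT's own estimating tool, that builds such a range by Monte Carlo simulation. It assumes a triangular distribution for the base estimate's variability and models the risk component as independent risk events, each with a probability and a cost if it occurs; every project figure below is a constructed sample value in millions of dollars.

```python
"""Risk-based cost estimate expressed as a range (Monte Carlo).

Added example, not WSDOT's own estimating tool. It combines a base estimate
with variability (modelled here as a triangular distribution, an assumption)
and a risk component (independent risk events, each with a probability and a
cost if it occurs), then reports the estimate as a range of percentiles.
All project figures are constructed sample values in millions of dollars.
"""
import math
import random

# Constructed base estimate: most likely value plus a low/high spread.
SAMPLE_BASE = {"low": 11.0, "likely": 12.0, "high": 14.5}

# Constructed risk register: (description, probability, cost if it occurs).
SAMPLE_RISKS = [
    ("right of way acquisition delayed", 0.30, 1.5),
    ("unforeseen geotechnical conditions", 0.25, 2.0),
    ("seismic design criteria change", 0.10, 3.0),
    ("restricted work window extends schedule", 0.40, 0.8),
]


def simulate_total(base, risks, rng):
    """One trial: draw the base cost, then add each risk that occurs."""
    # random.triangular takes (low, high, mode); with low == high it returns low.
    total = rng.triangular(base["low"], base["high"], base["likely"])
    for _description, probability, cost in risks:
        if rng.random() < probability:
            total += cost
    return total


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already-sorted list (p in 0..100)."""
    rank = math.ceil(p / 100 * len(sorted_values))
    index = max(0, min(len(sorted_values) - 1, rank - 1))
    return sorted_values[index]


def range_estimate(base, risks, trials=10000, seed=1):
    """Return the estimate as a range: P10, P50 and P90 of the simulated totals."""
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    totals = sorted(simulate_total(base, risks, rng) for _ in range(trials))
    return {"p10": percentile(totals, 10),
            "p50": percentile(totals, 50),
            "p90": percentile(totals, 90)}


def expected_risk_reserve(risks):
    """Expected value of the risk component: the sum of probability x cost.

    This is one common starting point for sizing a risk reserve; the simulated
    P90 minus the base estimate is a more conservative alternative.
    """
    return sum(probability * cost for _d, probability, cost in risks)


if __name__ == "__main__":
    estimate = range_estimate(SAMPLE_BASE, SAMPLE_RISKS)
    print("range estimate ($M):", {k: round(v, 2) for k, v in estimate.items()})
    print("expected risk reserve ($M):", round(expected_risk_reserve(SAMPLE_RISKS), 2))
```

Reporting the P10 to P90 range instead of "the number" makes the variability and risk assumptions visible to decision makers; the single most likely value is still available as the P50.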
Frequent Cost of Risk Categories:
- Right of way acquisition
- Structure & geotech
- Construction related
- Seismic design criteria
- Design related and access issues
- Maintenance of traffic
Frequent Schedule Risk Categories:
- Right of way acquisition
- Delayed decision-making
- Multiple contracts
- Tribal issues
- Restricted work windows (Hammond, Publications 2008)
For many of the projects that WSDOT undertakes, it is possible to mitigate risk by specific
actions taken by the project team or others in accordance with established risk management
procedures. For example, an investment to gather additional design information can change the
understanding of a risk. From soil boring to removing large boulders, unforeseen risk exposures
can impact the outcome of the construction project. Appropriate risk response actions can then
be taken to reduce the risk exposures of the project.
In order for a project to be successful, Enterprise Risk Management must commence early in
the project development and proceed as project knowledge evolves and project information
increases in quantity and quality. Monitoring of project development and risk exposure continues
throughout, and formal risk assessment may occur several times through the life of the project.
(Washington State Department of Transportation 2010)
Figure 22 – WSDOT Project Risk Management Chart (Washington State Department of Transportation
2010, xiv)
Public Entity Example – MassDevelopment
MassDevelopment is Massachusetts’ state finance and development authority. It acts as
both a lender and developer and works with private and public-sector clients to stimulate
growth by eliminating blight, preparing key sites for development, creating jobs, and increasing
the state’s housing supply. Since 2004, MassDevelopment has financed more than 1,100
projects in nearly 200 communities statewide representing an investment of more than $10.6
billion in Massachusetts. These projects are supporting the creation of more than 11,000
housing units and an estimated 50,000 permanent and construction-related jobs.
In 2006, MassDevelopment’s municipal real estate services staff helped facilitate a national
panel of experts from the Urban Land Institute to create a strategy for the revitalization of
Springfield, Massachusetts. The adaptive re-use of the former federal office building at 1550
Main Street was a key recommendation of the ULI’s strategy to revitalize the downtown area
and secure its place as a vibrant urban center offering the neighborhood various cultural
activities. (MassDevelopment n.d.)
In early 2007, MassDevelopment engaged a team of consulting architects and engineers to
develop a rehabilitation and reuse plan for 1550 Main Street in Springfield. The architects looked
at various plans for potential use of the building. The end result was the City of Springfield and
MassDevelopment decided that the best option for the building was a mix of private and public
tenants which included the Springfield School Department, General Services Administration and
Baystate Medical Center.
MassDevelopment has the following questions they ask themselves when starting a new
1) What are the requirements of the project?
2) Do they have enough money to meet the requirements?
3) Who's providing the requirements?
The purchase and rehabilitation of the project cost $11 million. Some of the key aspects of the
construction project included:
- New entrance, lighting and signs
- Modernization/replacement of all four elevators
- Upgrades to all of the building’s restrooms
- Exterior/building envelope repairs
- Significant renovation to tenant space on 2nd, 3rd and 5th floors
Some of the Enterprise Risks MassDevelopment addressed in this project were:
- Political risk – ensuring proper communication and sign off was provided by local members of
the city government and state government.
To avoid any political pressures or concerns, the project manager, senior executives and the
communications department documented the key political contacts at the city, state and
federal levels. Each month a status call provided these key contacts with updates on the
project. This mitigation resulted in open communication among all parties involved in the project and
ensured there was no impact on the cost or schedule.
- Vendor risk – ensuring that we followed proper state procurement requirements for all
vendors and all vendors met MDFA’s insurance requirements.
Due to the project manager’s experience and knowledge of the procurement process, she was
able to start the vendor RFP process within a short time period so that the project could kick
off within the project timeframe. Had the project manager waited, it would have delayed the
opening of the building, reduced the benefit to the community, increased the cost and lengthened the
schedule of the project.
- Safety risk – risk management reviewed the construction site and provided proper input into
safety measures to ensure the public was not impacted by the atrium construction.
The project manager involved risk management throughout the project life cycle. As a result,
the risk team was able to identify safety concerns with fencing that was around the outside
construction area. This mitigation provided better safety for visitors and onlookers watching
the outside construction. This mitigation saved the project in insurance losses and incurring
fines from OSHA.
- Security risk – ensuring the same level of security was maintained since they were leasing to
the Federal Government.
They implemented a new security system that was less restrictive but provided
more coverage, since it required a picture ID and added security controls around the elevators
and garage. This impacted the cost of the project, but drove increased revenue since the federal
tenants remained in the building. This process also set a precedent for security in the area,
which provided support to the local community.
It is important to note that ERM was executed at the program management level, whereas risk
management was used at the project level. The project manager was not the owner of the risks;
rather, the senior executive team owned the risks. The project manager’s responsibility
was managing and monitoring the risks throughout the project, and senior management was
responsible for how those risks could impact their strategic plans. MassDevelopment also
included a contingency reserve of 10% of the budget, which was used to offset the
cost of risk mitigation and issue resolution. (Drobris 2011)
Figure 23 – Critical Risk: Mitigation Plan
The process to identify the critical risks starts after the scope completion phase of the project.
The critical risks are identified from the risk list associated with the project. The risk identification
takes place through a risk measurement tool that measures the likelihood and impact of each risk on the
project. The tool simply uses a five-point scale to score likelihood and a similar
five-point scale to score impact.
The risk score is then calculated by multiplying the likelihood score by the
impact score. The project then sets a threshold, usually .42, so that any risk with a risk
score at or above this value is considered a critical risk, and a mitigation and
contingency document must be completed by the risk owner. To determine
likelihood and impact, the project’s key stakeholders meet and hold a brainstorming session to
identify the risks and their consequences to the project, and then rate them with the risk measurement
tool. (Drobris 2011)
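As an added example of the likelihood-times-impact scoring and critical-risk threshold described above (not MassDevelopment's own tool), the following scores a small constructed risk list and flags the risks that need a mitigation and contingency document. It assumes, which the text does not state, that the five-point likelihood and impact scores are normalized to the range 0.2 to 1.0 before multiplying, so that the .42 threshold applies to a product of two scores; the risk names and owners are sample data.

```python
"""Likelihood x impact risk scoring with a critical-risk threshold.

Added example, not MassDevelopment's own tool. It assumes (an assumption not
stated on the page) that the five-point likelihood and impact scores are
normalized to 0.2..1.0 before multiplying, so that the .42 threshold quoted
in the text is meaningful for a product of two scores. The risk list is
constructed sample data.
"""

SCALE = 5                  # five-point scale for both likelihood and impact
CRITICAL_THRESHOLD = 0.42  # threshold quoted in the text; at or above is critical

# Constructed sample risk list from a brainstorming session:
# (risk, likelihood score 1..5, impact score 1..5, risk owner)
SAMPLE_RISKS = [
    ("state procurement approval slips", 4, 4, "project manager"),
    ("federal tenant security requirements change", 2, 5, "senior executive"),
    ("elevator modernization overruns", 3, 3, "construction lead"),
    ("fencing around atrium work inadequate", 3, 4, "risk management"),
    ("signage vendor late", 2, 1, "project manager"),
]


def normalize(score, scale=SCALE):
    """Map a 1..scale score onto 0..1 (1 -> 0.2 and 5 -> 1.0 on a five-point scale)."""
    if not 1 <= score <= scale:
        raise ValueError(f"score {score} outside 1..{scale}")
    return score / scale


def risk_score(likelihood, impact, scale=SCALE):
    """Risk score = normalized likelihood x normalized impact, rounded to 2 places."""
    return round(normalize(likelihood, scale) * normalize(impact, scale), 2)


def score_register(risks, threshold=CRITICAL_THRESHOLD):
    """Score each risk, flag the critical ones, and sort highest score first."""
    rows = []
    for risk, likelihood, impact, owner in risks:
        score = risk_score(likelihood, impact)
        rows.append({"risk": risk, "score": score, "owner": owner,
                     "critical": score >= threshold})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def critical_risks(risks, threshold=CRITICAL_THRESHOLD):
    """Return (risk, owner) pairs that need a mitigation and contingency document."""
    return [(r["risk"], r["owner"])
            for r in score_register(risks, threshold) if r["critical"]]


if __name__ == "__main__":
    for row in score_register(SAMPLE_RISKS):
        flag = "CRITICAL" if row["critical"] else ""
        print(f"{row['score']:.2f}  {row['risk']:45} owner: {row['owner']:18} {flag}")
```

Note how the threshold separates a likely-and-serious risk (4 x 4 gives .64) from an unlikely but severe one (2 x 5 gives .40): the second falls just below .42 and would be monitored rather than given a mitigation document, which is the kind of borderline case the stakeholder session should revisit.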
10 Risk Communication
An organization’s ability to communicate plans of proposed activities to stakeholders during a
crisis is critical to overcoming the situation and it will greatly contribute to its ability to recover
from such a disaster. Crisis management that is properly handled will mitigate organizational
risk on several levels. Good communication with stakeholders is a key element in managing a
When an organization implements its crisis management plan, its prime objective is to survive
the crisis event. Its survival is dependent on its speedy return to normal operations. The most
important element in crisis management is to establish trust among internal and external
stakeholders. When a crisis does occur, the public entity’s message to all stakeholders must be
clear, address the pressing issues, and engage all the stakeholders to be diligent in the plans of
Communication must demonstrate that senior management is committed to maintaining an
environment of transparency in its decision making. All crisis communication must be
consistent. The message must demonstrate integrity and authenticity. Even if corrections will
need to be made to the recovery plan, candor and honesty in the public entity’s performance
during the crisis will regain trust among stakeholders. (Louisot and Ketcham 2009, 8.7)
Crisis Communication among the Government Agencies during BP Oil Spill
In March 2011, the U.S. Coast Guard posted a report that offers the first major assessment of
the federal government’s communication efforts during the BP Oil Spill that commenced on
April 20, 2010 and has been titled the worst oil spill in U.S. history. The report states that
effective crisis communication was hampered by the “several layers of review and approval by
the White House and Department of Homeland Security”. Many critics of President Barack
Obama’s Administration say that the Administration “looked at this as a political problem and
not an operational problem”. “After all”, one source says, “the 2010 midterm elections were
drawing closer as the oil spill crisis deepened, and the White House went into campaign mode.”
An administrative official, however, strongly disputed that contention, saying “the involvement
from the White House and DHS in Washington was a necessary step after what was first
thought a relatively routine Coast Guard response became a unique and unprecedented
government-wide effort” (Levine 2011). More than 47,000 people from federal, state and local
agencies, private industry and NGOs took part in the response.
“It was imperative given all the moving pieces that information remained consistent. We
worked very hard throughout the course of the spill and executed a successful effort to
consolidate the release of information among 17 federal agencies,” said the U.S. Coast Guard
official. DHS appointed outgoing Coast Guard Commandant Thad Allen to be the National
Incident Commander and he was seen among many of his peers as “a credible spokesman who
proved to be an effective means of communicating a unified message to the public.” (Levine 2011)
At the same time, the Coast Guard’s report reads that the Coast Guard lacked “enough senior
personnel with the requisite crisis communication training and/or experience to effectively
manage the public affairs campaign for an incident of this magnitude.” (Levine 2011) There
were some crisis communication missteps and one in particular was when Rear Admiral Mary
Landry, then the head of the response effort in the Gulf Region, told reporters, “We do not see
a major spill emanating from this incident.” (Levine 2011) The statement was later retracted by
the U.S. Coast Guard and showed the general public a lack of a unified message from the Coast
Guard’s senior management team.
Investigators found that federal agencies had pursued a “dysfunctional” communication
strategy during the spill, with administration officials overturning existing protocols and
exerting final authority over all public communication related to the spill response. The panel
found that this strategy delayed the distribution of information, causing confusion and
frustration among news media outlets and the public.
Many of the daily updates on the BP Oil Spill were channeled up to the Unified Area Command
and then “packaged and released after review and approval” by the DHS public affairs
office in Washington, the report reads. Some senior Coast Guard officials expressed
frustration with the process because the additional handling and approval required to release
information to the media often prevented the response organization from providing real-time
information, and some in the media perceived the Coast Guard as withholding information from
the American public. (Levine 2011)
“We clearly point out that the contingency planning was not adequate, certainly not for a spill
of this size,” said Roger Rufe, a retired Coast Guard vice admiral and the chairman of the team
that produced the review. “There was a complacency that this was not going to happen at this
scale.” The report found that both the government and private sector “demonstrated a serious
deficiency in planning and preparedness for an uncontrolled release of oil from an offshore
drilling operation.” (Robertson and Rudolf 2011)
The failure to master and monitor the planning process led to a lack of coordination between
the unified command, which managed the response operation, and the state and local officials,
who in some cases pursued separate response plans that were at odds with the overall
operations. The report clearly states that the absence of local and state officials from the pre-spill
planning process led to high-profile disagreements and some ill-advised response strategies
during the spill.
The report suggests that the command structure itself worked, but that many people were
unfamiliar with this command structure. The Department of Homeland Security has requested
an additional $11.5 million in its 2012 budget to help bolster the Coast Guard’s ability to
respond to major spills, a department official said. (Robertson and Rudolf 2011)
Conclusions to Government Agencies’ Response to BP Oil Spill
- The quality of crisis communication is essential to an agency’s resiliency
- The message must be candid, address prominent issues, and engage all stakeholders
- Maintain an open dialogue with the media
- All communication must be consistent and truthful
- Unit and operational managers must be made aware of ongoing risks
- Establish the roles and responsibilities of agency employees who will respond to a crisis
- Senior management must be kept current on developments in strategic exposures,
governance issues and long-term resilience
11 Assurance in ERM
An ERM program is only as good as the information collected. Having the right monitoring tools
in place will allow the public entity to capture the necessary data for risk identification, risk
assessment and risk analysis.
Monitor and Review
When establishing an ERM program, it is important the organization builds in monitoring
opportunities to evaluate the success of the program. How is the ERM program working? Are
the goals still appropriate based on the internal and external environment? Is the right risk
intelligence being gathered to make informed decisions? Within the ERM framework, the
organization must periodically measure performance against established goals and key
performance indicators. Key performance indicators can include:
1) Reductions in total risk costs
2) Status of specific goals
3) Implementation of risk treatment recommendations (Louisot and Ketcham 2009, 12.3)
The reason for reviewing the ERM program is to identify deficiencies and to establish an action
plan to correct the problem areas. The action plan should designate who the responsible
parties will be to make the corrections and a deadline for the actions to be completed. Also,
after an incident or accident, the organization should conduct its own review of the event’s
risk, cause and impact, and determine what went wrong and what needs to be
corrected. Review and monitoring of the program can occur at various levels:
1) Self-assessment: also known as feedback loops; these are lower-level assessments
2) Audits: internal audits are lower-level assessments, while financial audits are higher-level assessments
3) Compliance: external compliance reviews are higher-level assessments and can involve
fines, restitution, loss of license, or other administrative proceedings
4) Legal proceedings: the adjudication process is the highest-level assessment, whether
through administrative law courts, tort law, or criminal law. (Louisot and Ketcham 2009,
Organizations use these evaluation methods to measure and encourage results as well as to
accomplish goals for various processes, including their ERM program. Specific procedures are
required to link activities to results in order to show the progress of those activities. The ERM assurance process
provides valuable information to stakeholders in their decision making. It demonstrates
the strengths and weaknesses of the risk control measures and provides insights into where
improvements can be made.
Public Entity Example – University of California
The University of California Office of Risk Services presented the results of a study conducted to
identify some of the most common risks facing the higher education industry. They reviewed
internal documents, searched through existing risk assessments, and looked up records that
were searchable on the internet to find the risks that were most commonly discussed by UC,
organizations associated with higher education, and other associations in the country. Once
they completed this information gathering, they created a list of the top risks grouped by
Risk Category and Sample Risks
Hazard Risk
- Domestic terrorism (animal rights activists, ecoterrorists, stem-cell research opponents, etc.)
- Catastrophic natural event (earthquake, flood, fire)
- Laboratory safety
- Facilities and grounds safety
Financial Risks
- Conflicts of interest in financial transactions and
- Budget impairment
- Ineffective service center / auxiliary management
- Non-compliant cost transfers
- Insufficient oversight over third party vendors
- Improper governmental activities including fraud, embezzlement, or misuse of university resources
Information Technology Risks
- Unauthorized modification of data
- Decentralization of systems leading to data inconsistencies and fragmentation
- Disclosure of confidential information (e.g., Personally Identifying Information (PII) and health care information)*
- Obsolescence of systems / technology
- Lack of common data definitions
- Inability to recover from system loss or extended
- Lack of comfort with third-party vendor system
Human Resource Risks
- Personnel issues or workplace violence
- Professional liability claims
- Workers compensation claims
- Employee recruitment and retention
Research Risks
- Research misconduct, such as falsification of data or results, or non-disclosure of research dangers
- Intellectual property infringement
- Inadequate lab processes and practices for the promotion of Environmental Health and Safety
- Unethical / unapproved human/animal subject
- Threats to safety of researchers
- Regulatory fines or penalties
Contract and Grant Risks
- Non-compliance with sponsoring agency regulations and agreement terms and conditions*
- Cost sharing procedures are not compliant with federal requirements
- Effort reports inaccurate, insufficient, or incomplete*
- Agreement terms and conditions not met, but funds
- Failure to maintain equipment inventories in accordance with grant requirements
- Sub-recipients not managed appropriately
Student Life Risks
- Sports / public event disturbances
- Student mental health
- Inappropriate athletic recruiting
- Safety and security of students on and off campus
Facilities and Maintenance Risks
- Deferred maintenance
- Increase in energy costs
- Equipment / facility malfunction
* FY 2009/10 System wide Compliance Risk Priorities, per the System wide Compliance Plan
Figure 24 - UC Top Risks Associated with Higher Education (University of California Office of Risk Services
Once you complete a risk assessment like this one, you will be able to identify the risks most
relevant to your organization. This will allow you to focus your attention on the areas of highest
risk and direct limited resources to those items which are most important.
Addressing Gaps in ERM Program
Addressing the gaps in an organization’s ERM program starts with removing the inconsistencies
in the administration of the ERM program. These inconsistencies include how the ERM program
identifies risk, measures risk, and manages those risks. If there are inconsistent procedures and
policies surrounding how the organization executes its ERM program, there needs to be an
action plan in place to correct these gaps. Some organizations might think that because they are in
compliance with various rules and regulations they are practicing good ERM.
ERM is not limited to following government laws and regulations. A robust ERM program will
provide decision makers with the most accurate and detailed account of all risk exposures and
their potential impact on the organization. The benefit of investing in a strong ERM program
lies in its direct relationship to the organization’s risk culture and its ability to make good
strategic decisions. The risk management culture and strategic risk management decision
making capability are the two widely accepted aspects of an ERM program that Standard and
Poor’s examines when assessing how successful an organization has been in implementing its
ERM program. (Louisot and Ketcham 2009, 12.12)
12 ERM Technology Solutions
All organizations face risks. So how do some organizations succeed year after year and come back
quickly from major disruptions? They are the entities that have formalized processes and embedded
risk technology solutions that allow them to identify and mitigate those risks. While
spreadsheets are a useful tool in the initial stages of ERM adoption, as the organization evolves,
so does the need to move beyond spreadsheets.
Many public entities may already use a Risk Management Information System (RMIS), but an
Enterprise Risk Management Information System (ERMIS) has some additional features not found in a
traditional RMIS. RMIS products are designed to provide their insured organizations and their
brokers with basic policy and claim information via electronic access, and most recently, via the
Internet. This information is essential for managing individual claims, identifying trends,
marketing an insurance program, loss forecasting, actuarial studies and internal loss data
communication within a client organization. RMIS may also provide the tracking and
management reporting capabilities to enable one to monitor and control overall cost of risk in
an efficient and cost-effective manner.
ERMIS products are designed to provide organizations with an understanding of their risks, the
ability to prioritize their risks, measure risks qualitatively (and, in some ERMIS, quantitatively),
improve communication across all business units, create a positive ROI, and instill confidence
among shareholders. ERMIS takes a comprehensive approach to managing risk throughout the
organization by both mitigating risk and optimizing overall business performance. The approach
enables an organization to go beyond regulatory compliance, provides visibility into the
organization’s risk landscape and empowers business managers to make smarter decisions that
maximize value.
Performance and risks are interconnected. Many ERM programs are nothing more than audit-
and compliance-based programs, like Sarbanes-Oxley and financial controls, with little to no
view of enterprise-wide risks. Many ERM programs fail because they fail to meet the
organization’s strategic goals, they fail to bring value to the organization, they fail to break down
the silos of risk management across the organization and they fail to improve communication
around risks. The need for a risk management work platform to help executives understand and
manage their enterprise risk in real time is clear. ERM is not Governance, Risk and Compliance
(GRC). GRC operates at the higher unit level, far from the front line, and is isolated to individual
entity silos. Organizations at this level do not tie operational activities to business strategy.
When risk activities and organizational goals are misaligned, gaps remain hidden and
effectiveness cannot be assured.
Although GRC claims to address the same problems as ERM and has exploited the right
buzzwords, the execution and results between GRC and ERM are very different. ERM empowers
managers from the mail room to the board room and provides a holistic view of organizational
risks. In contrast, GRC embraces compliance as a separate activity for each business silo,
resulting largely in form-over-substance compliance.
ERM is about strategically assessing and managing risk to ensure effective use of resources to
maximize risk reduction. ERM is all about delivering measurable value by tying front line
operational activities to organizational goals. By organizing risk activities at the process level,
ERM can reach the front-line where risks actually occur and connect those risks across entity
silos all the way to the enterprise level. This approach also links the consequences and
dependencies between risks so managers can fill gaps and eliminate redundancies. ERM is more
than a plan. It's a strategic process. In the past ERM has been relegated to a one-time
consulting engagement. This is hardly adequate given today's ever-changing risk environment.
In order to stay on top of risk exposure and mitigation, successful organizations will have to
embrace ERM as a strategic undertaking. After all, it can make the difference between strategic
goals being met or not.
Enterprise Risk Management Software
Embedding a risk culture with risk awareness throughout the organization is imperative.
Technology that facilitates this can propel your program to a more mature level. All areas
within the public entity are related. If the interconnectedness of emerging or key risks is not a
part of the risk assessment, organizational decisions cannot be nearly as strategic or
opportunistic. This is where information systems designed specifically for ERM, which improve
risk awareness and communication and move the organization forward toward its goals,
become crucial.
While there are many risk management information systems, there are not that many designed
specifically as ERM solutions. We have briefly mentioned the IBM ERMIS solution employed at
the University of California. This is an example of a public entity working directly with a
developer to design and customize a solution specifically for their needs. While that system is
customized for UC, IBM has built in flexibility to make it usable by many other organizations
and businesses as well. Another example of a commercial ERM solution is from Riskonnect and
their Riskonnect ERM system.
IBM Enterprise Risk Management Information System (ERMIS)
The Enterprise Risk Management Information System that University of California (UC) is using
to address their claims costs and claim frequency is tied directly to their risk management
strategies. IBM’s ERMIS has helped the UC identify risk trends from workers compensation and
campus traffic accidents to financial data fraud and student privacy requirements. IBM’s ERMIS
is a suite of applications that provides institutions any combination of risk monitoring, risk
mitigation monitoring, distributed controls certification and monitoring, planning/budgeting,
risk identification (surveying), and risk-related data collection. The suite is designed to identify,
track and evaluate risks, and help facilitate an effective risk management and response
strategy. The first step in IBM’s ERMIS is to pull data from multiple data sources such as:
Human resources
Medical center
Waste management and recycling
Safety and insurable risk areas
Government fines and citations
Not only is the ERMIS integrating data from multiple, disparate sources, but it is also conducting
data analysis and facilitating interpretation of the results. The resulting functionality has made
analytical information securely accessible to all levels and locations of the University via the
Web. ERMIS enables automated updates to provide transparency, trending, and up-to-date
information. Trends and dashboards allow users to drill down into the results to conduct
root-cause analysis, in turn supporting decision-making and efficient resource allocation.
Stakeholders across the UC use that information to implement strategies that help better
manage future risk events (Webber 2011).
Figure 23 - IBM ERMIS Dashboard
ERMIS provides a suite of services to the University of California. For example, it can provide
in-depth views into operations, including those institutions that have medical centers. Central to
the solution is a data warehouse, which is a data repository for risk and controls-related data
and information such as:
Annual insurance expenditures
Claims losses
Student and employee headcount
Annual emergency management compliance
Medical center data
Workers compensation
Financial performance data
Contracts and grants compliance
Public safety and police data
Campus fleet management
Building maintenance and construction data
Legal matters
ERMIS provides the ability to integrate and link claims losses and university risk exposures to a
number of other data sources to create a centralized data management environment. ERMIS is
built on IBM’s Cognos Web-based business intelligence solutions. The system can help quantify
and track new and predefined key performance indicators such as operational and campus
hazards, financial risk data, privacy compliance and other areas of risk. IBM’s ERMIS
implementation at the UC includes the following systems:
Cognos Business Intelligence - Delivers a complete range of business intelligence
capabilities, including reporting, analysis, dashboards and scorecards.
IBM DB2 - An optimized database designed to deliver performance across multiple
workloads, while lowering administration, storage, development, and server costs. This
software is used for the ERM data warehouse.
IBM WebSphere Application Server (WAS) - A custom, web-based controls certification
and monitoring application was developed using IBM WAS.
IBM Lotus Portal - Allows partners, employees and customers a tailored user experience
with personalized applications based on role, context, actions, location, preferences and team
collaboration needs.
IBM InfoSphere - Provides information integration and master data management to
help the institution achieve real-time access to business information and an enterprise-wide
view of critical business data.
IBM Lotus Forms - Enables data collection, process automation and a reduction in both
data transaction times and error rates. It supports “Go Green” initiatives and related
environmental impacts by further reducing the storage, printing and distribution of paper.
Despite significant inclusion of IBM software products in the UC ERMIS implementation, IBM’s
ERMIS is a services and technology solution that is software agnostic. So long as each of the key
components (e.g., business intelligence platform or database) is sufficiently flexible, any market
leading software could be utilized within the solution (Webber 2011).
Sample Benefits to the University of California of IBM’s ERMIS
Better information allows greater awareness and management of high risk areas
Reduction in the overall cost of risk through preventive and proactive decisions and
more efficient resource allocation
Campuses pay less in internal premiums to fund the cost of risk, allowing them to
deliver those funds directly to the University missions of teaching, research and public service.
The ERMIS allows reports that used to take weeks to run manually to be run in seconds.
Reduction in the cost of debt. Rating agencies are now taking a careful look at an
organization’s ERM program to determine creditworthiness. Given the multibillion-dollar bond
debt of the UC, even a 0.01% change in the cost of debt represents a significant savings for the
institution. Figure X provides a quote from Standard & Poor’s about the UC’s ERMIS.
The flexible IBM framework integrates data from many systems and lets many different user
types share analyses, reports and information across multiple locations (IBM 2010). This
flexibility generates another benefit experienced at the UC, the reduction and prevention of IT
redundancy. Implementation of an ERMIS allows an institution to integrate data from systems
that have been previously unable to ‘talk’ and provides sophisticated, enterprise-wide business
intelligence without requiring expensive replacement or custom integration of existing systems.
Figure X.
Riskonnect ERM
Riskonnect ERM is a comprehensive, web-based ERM system that gathers diverse risk data
from across the enterprise in a highly visual manner so that risks are easily identified, assessed,
and mitigated. It represents a quantum leap beyond commonly used tools like spreadsheets.
Riskonnect’s ERM software enables users to enter and dynamically visualize risk relationships,
communicate risk assessment and mitigation activities, and see the impacts of risk on
objectives and financials. (McQuire 2011)
Riskonnect empowers executives to make forward-looking decisions based on real-time,
enterprise-wide, comprehensive risk information.
Figure 25 - Riskonnect Interrelationships Screen Captures
Riskonnect ERM simplifies enterprise-wide strategic risk management and helps your
organization quickly realize the value and opportunities of integrating a strategic ERM program
throughout your organization. The Riskonnect ERM process and workflow offers unique
Dynamic visualizations of risks
Ability to visualize risk relationships and impact
Ability to understand cumulative impact of risks
Ability to drill down to observe the causes of risk
Drag and drop assessment of risks allows for real-time discussion and re-assessment of
Workflow and tracking of all activities and mitigation across the enterprise
Quantify risks for senior management and board level discussion
Flexibility to adapt to your business process and your ERM framework of choice
(Riskonnect 2011)
13 Risk Optimization and Value Creation
An ERM program is an evolving process that needs to stay current with emerging and
integrating risks. The evaluation of an ERM program is an ongoing process that needs the
attention of the senior management team.
Is All Risk Bad?
Though much media attention has been placed on those organizations that got into financial
trouble by taking on too much risk, is all risk taking bad? Is there a proper balance of risk that
organizations can take to benefit from the upside of risk taking and yet be cautious to avoid the
downside effects of taking on too much risk? An organization must achieve a balance between
assuming too much risk and taking on too little risk while simultaneously practicing fiscal
The first step for an organization is to determine its attitude toward risk: is it an organization of
risk seekers, risk avoiders, or, better than either, risk optimizers? Defining one's risk attitude is
key to determining what kind of risk or risks the organization is willing to take on. Those
organizations whose risk attitude is to take on more risk have the benefit of greater gain, but
must also have the right risk controls in place so that they do not fail. Other organizations that
are risk averse might be missing opportunities for growth.
Risk-seeking decision making tends to quickly seek a bottom-line explanation and to install an
action plan/solution that anticipates positive results. Many times these same individuals may
underemphasize a risk's impact, variances, and potential negative effects. They believe that the
risk decision will reap significant rewards worth taking on the risk. Entrepreneurs, salespersons,
product developers, and researchers often embody a risk-seeking attitude.
Individuals with a risk-avoiding attitude are at the opposite end of the risk continuum. They
overemphasize risk or are obsessed with avoiding risk because they typically see the downside of
risk taking. They seek methods of transferring risk to another entity or to avoid risk altogether.
They prefer to continue traditional methods of business operations rather than innovate.
Every organization has an overall risk tolerance that reflects its readiness to bear both the
upside and the downside of risk. Individuals with risk-optimizing attitudes assess risk
strategically based on an organization's vision, mission, goals, values and beliefs. They weigh
the risk-reward relationship while realistically evaluating potential outcomes and consequences
and are selective regarding risks that they ask the organization to assume.
The risk-return relationship is a critical component of an organization's strategic and financial
decision making. In order for an organization's management to invest in projects that entail a
higher degree of risk, it must be assured of a higher return. Conversely, an organization and its
management should be satisfied with a lower rate of return on investments in projects that
entail less risk. (Louisot and Ketcham 2009, 2.11)
To optimize its risk, an organization should be diligent in its investigation of new or potential
innovations. These investigations should thoroughly explore the upside and downside of the
risks involved. The executive management team needs to research several strategic alternatives
with various assessments of different scenarios of risk and return. By exploring various
risk-return outcomes, the executive management team can provide more meaningful input and
contribute to a sound decision-making process.
The goal of risk optimization is not to reduce an organization’s risk to zero, because that would
be cost prohibitive. Rather, the goal of risk optimization is to evaluate the risk controls in place
and decide the best use of one’s financial resources to provide the organization with needed
protection. Once an organization has evaluated the effectiveness of its risk controls, the next
question to ask is “Is the method of risk control selected the most cost-effective and efficient
way to manage these risks?”
Is it possible to be spending too much money on a risk control? Yes, it is possible that an
organization can spend too much on a risk control with little additional benefit. That is why it is
important in the ERM process to monitor the risk controls and evaluate their effectiveness.
New innovations in the marketplace might present themselves as a better risk control and be a
better financial investment to the organization.
The Strategic Triangle
The concept of value creation in a public entity has often left many public administrators
scratching their heads trying to figure out how this can be done. Dr. Mark Moore from Harvard
University wrote about “The Strategic Triangle” (M. H. Moore 1995) to explain how public
entities can create value. The Strategic Triangle talks about three issues:
1) Value Strategy - What is valuable for the agency to do in relation to its public sector
2) Political Management - What are the expectations of various political stakeholders and
how can the managers of a public entity work together to manage the political
environment, thereby ensuring that resources and authority will flow
3) Operational Capacity - What is feasible for the manager to push the organization to
accomplish, and what capacity needs to be developed to move forward on the strategy
of value creation (M. H. Moore 1995)
Figure 26 - Strategic Triangle (M. H. Moore 1995)
The advantages of this model include the following. First, the focus of the process should be on
the manager’s ability to identify and measure those critical elements that they need to achieve
their objective – public value. Traditional strategic planning models have been more focused on
the process of bringing in stakeholders and getting the entire staff “on board” than on the
attainment of ongoing outcomes related to guiding the organization’s strategic decisions.
Second, the performance measures developed in many traditional strategic planning
processes are not as effective, because the manager needs to change as situations change more
quickly than the plan can be changed. In an environment of rapid change, public managers
need to concentrate on creating value not on just how to implement mandated policies
consistently and efficiently. The public sector strategy model described here recognizes the
value of vision, mission and goals, but emphasizes entrepreneurial imagination as the key to
value creation. Dr. Moore asserts that, “good strategic managers learn not only how to plan
actions, but as important, how to exploit unanticipated opportunities as they arise.” (M. H.
Moore 1995) Therefore, it is important that the performance management system actually
encourages the manager to respond to new opportunities, not to overlook them because they
are not listed as one of their outcomes.
As a result, managers using this more agile planning process should concentrate on the critical
Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). However, these KPIs and KRIs
still need to measure all of the three areas of the triangle that are necessary for successful
implementation. Most of the past performance measures concentrate only on the operational
capacity area of the triangle. In addition to operational capacity it is important for the public
manager to keep track of the progress they are making in the political arena as well as most
importantly the value they are creating for the public. Setting up an information system to
check the three areas of the Strategic Triangle is the key to the successful implementation of
this management framework. Finally, outcomes, which are normally used by government
agencies, are mandated by the legislature and usually measure specific processes.
Public Entity Example – University of California, San Francisco
The University of California, San Francisco, is an academic health science campus that is part of
the University of California system. Space is very limited at this urban campus. UCSF regularly
monitors and benchmarks research dollars per assignable square foot of space available for
research. Upon discovering it had one of the nation’s highest concentrations of research dollars
for a higher education institution (as a measure of the amount of research activity per square
foot of space), UCSF determined that in order to continue to grow its research enterprise it
would have to obtain more space. Space was the growth-limiting factor, slowing or preventing
additional value creation in regard to its research mission.
Figure 27 - UCSF Medical Center at Mission Bay (University of California, San Francisco 2010)
"When the Mission Bay campus was originally conceived, we were thinking this would be
primarily a basic science and research campus," UCSF Planner Lori Yamauchi said. "With the
decision to build an extension hospital here, we decided that we wanted to move clinical and
translation research here. Expansion of the campus's focus from laboratory-based basic
sciences follows a nationwide trend driven by increases in clinical and translational research
funding provided by the National Institutes of Health." (San Francisco Examiner 2009)
The UCSF Medical Center's new Mission Bay Campus is being built on 43 acres of land that was
donated by the city of San Francisco and developers. Roads, sewers and other infrastructure
were provided by developers, and a school, library, police station, firehouse and 6,000 units of
housing have been planned for the fast-growing neighborhood. The research campus has
helped attract more than a dozen biotechnology companies to the surrounding Mission Bay
neighborhood, a 303-acre former industrial wasteland that officials have been redeveloping
south of AT&T Park since the late 1990s.
The new campus carries on the UCSF tradition of research collaboration. UCSF Genentech Hall
and the other Mission Bay campus buildings are designed to stimulate interaction—both formal
and informal—between scientists in related disciplines, based on the belief repeatedly
confirmed at UCSF, that collaboration between scientists is the surest catalyst for discovery.
Genentech Hall’s fifth floor, for example, brings chemists and chemical biologists together.
Chemists can subtly modify the structure of molecules active in cells, or create new molecules
to determine, for example, the role specific proteins play in signaling between and within cells.
This detailed knowledge is vital both to understand living systems at a molecular level and to
develop drugs that can counter malfunctions. The building’s Center for Advanced Technologies
supports new and experimental research methodologies with potential use to many labs.
Research in Genentech Hall focuses on structural and chemical biology as well as molecular and
developmental biology and related fields.
A second campus structure, the Genetics, Development and Behavioral Sciences Building, was
completed for occupancy in November 2003. In late 2004, researchers and administrators
moved into the new Institute for Quantitative Biomedical Research (dubbed QB3), the third
research building in UCSF Mission Bay’s initial phase of development. QB3 is a partnership
between UCSF, UC Berkeley and UC Santa Cruz—one of the California Institutes for Science and
Innovation developed at the initiative of Governor Gray Davis. The UCSF building is the QB3
headquarters. The institute brings together expertise in the physical sciences, engineering and
mathematics to help tackle biological problems of such complexity that they simply can’t be
approached with the tools of just one discipline.
UCSF broke ground for its new campus in 1999. The three research buildings, along with a
community center, student and faculty housing facility and an open space quad larger than
downtown San Francisco’s Union Square make up the first phase of the new campus. About
half of the program space in the campus is used for research, mainly in the basic sciences.
The balance of the space will be used for instruction, academic support, campus administration,
campus community activities, housing and space for logistical operations.
Erica Webber, former Assistant Controller for UCSF, pointed out how UCSF’s expansion project
at Mission Bay corresponds to the third leg of Dr. Mark Moore’s Strategic Triangle, operational
capacity. Her views on how the other two components of value creation, value strategy and
political management, tie in are given in the following remarks:
Value Strategy
What is valuable for an institution is driven directly by that institution’s mission. For private and
for profit organizations, maximizing profits, net income, and shareholder value are key parts of
the mission of the organization. In contrast, in public entities, maximizing net income is only a
means to fulfill the mission. For those entities, revenues come from diverse fund sources, e.g.
philanthropy, government appropriations, fee for service, government and private grants. For
the most part, the fund sources are directly tied to mission fulfillment. Value for the public
entity is maximizing its funding and resources for mission fulfillment while minimizing the cost
of doing business. The latter includes, for example, cost of risk, cost of debt, cost of technology
infrastructure, and cost of human resources. A robust ERM program identifies and tracks
metrics related to highest value activities as well as key cost of doing business areas and makes
this information quickly available to decision-makers throughout the organization. Sample
mission metrics for higher education include graduation rates, employment rates of graduates,
job creation, skilled workforce availability in the state, creative output from research including
the number of patents, and first author journal articles from faculty or researchers. Also,
remember that everything that minimizes the cost of doing business frees more resources to
allocate to value creation through mission fulfillment.
Political Management
For a public university, political stakeholders include taxpayers, state government, students,
faculty, labor, and federal agencies. An ERM program considers and seeks to accurately
measure reputational risk with key stakeholder groups. Each type of stakeholder has a
perspective on what it wants from the institution. When those perspectives conflict, say
between labor and taxpayers, an ERM program with a strong monitoring system can regularly
produce data, trends, and analyses to show the institution is maximizing resources for its
mission, obtaining good results in its mission, and minimizing the cost of doing business. This
information, along with the information about the actions the institution has or will be taking to
maintain or improve the results, can be extremely effective at managing internal and external
politics. Specifically, publicizing relevant information from the ERM monitoring program helps
conflicting stakeholder groups compromise on their demands from the institution.
Operational Capacity
An agency’s ERM monitoring system will facilitate benchmarking human resources, funding,
and other resources per mission metrics with other like agencies. For example, a public
university might monitor and benchmark administrative Full Time Faculty per student, faculty
per student, or external research dollars per assignable square foot of lab space. This
benchmarking shows where there is need or possibility for improvement in the allocation of
resources and efficient use of resources. The benchmarking activity can be prohibitively costly,
however, without the structure of an ERM program to define and automate production of key
performance indicators and key risk indicators. (Webber 2011)
14 Return on Investment
Return on Investment (ROI) is a performance measure used to evaluate the efficiency of an
investment or to compare the efficiency of a number of different investments. To calculate ROI,
the benefit (return) of an investment is divided by the cost of the investment; the result is
expressed as a percentage or a ratio.
ROI = (Gain of Investment - Cost of Investment) / Cost of Investment
Keep in mind that the calculation for return on investment and, therefore the definition, can be
modified to suit the situation. It all depends on what you include as returns and costs. The
definition of the term in the broadest sense just attempts to measure the profitability of an
investment and, as such, there is no one "right" calculation.
Committee of Sponsoring Organizations (COSO) defines Enterprise Risk Management as “a
process effected by an entity’s board of directors, management, and other personnel, applied
in strategy setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.” (Committee of Sponsoring Organizations 2010)
For UC Universities, ERM is the framework by which the University can identify and evaluate
some of its major risks. UC Universities use ERM to help facilitate the correct risk response to
ensure that they can meet their goals of teaching, research, and public service.
Areas of Review
The foundation of UC’s ERM program is the people who are actively managing risk. One of the
key supports of their risk intelligence is their ERM Information System which gives campus
stakeholders at various levels access to the information they need to facilitate business decisions in
a timely and effective manner. Bickmore Risk Services, the University’s Actuary, is working with
the Office of the President and the Office of Risk Services to develop an ongoing method of
review to track the value and savings of the ERM program. The areas of review include:
Cost of Risk
Cost of Borrowing
Create Efficiency
Reduce IT Redundancy
Cost of Risk
The cost of risk is the quantitative measurement of the total costs (losses, risk control costs,
financing costs, and administration costs) associated with the risk management function, as
compared to a business's sales, assets, and number of employees. The purpose of such a
comparison is to determine whether the total costs of the risk management function are
increasing, decreasing, or remaining constant as a function of the business's economic activity.
After the quantitative measurement has been derived, a comparison can be made between the
cost of risk of that business and the cost of risk of its peer groups. The cost of risk will allow the
business to focus on the areas of operation that will have the greatest long-term effects on its
total risk management function costs.
The ERM program and ERMIS at UC Universities provide stakeholders with easy-to-use tools,
including Risk Assessments, a Risk Maturity Work Plan and a variety of other resources, to help
users identify and manage their risk. These programs are not limited to hazard risks, but are able
to identify all risks, such as operational, compliance, financial, reputational, communication and
strategic risks. UC Universities have the most complete risk intelligence on their hazard risk and
have been able to identify their savings and value with their ERM program.
The annual direct cost for UC’s hazard risks (workers’ compensation, general liability,
employment practice liability, professional liability, auto liability and property) is over $250
million. They estimate that their indirect costs can range from 1:1 to 2:1 or even higher. This
means that the true cost of risk for hazard risk at UC Universities could be greater than $500
million. The Total Cost of Risk for UC Universities would include losses not included in the
self-insured program, such as employee grievances, human subject injury, and other operational
risk, as well as regulatory risk (fines), business risk (grants, patents), reputation risk, governance,
and other events that may adversely affect the University, whether due to negative
consequences or failure to achieve positive consequences due to missed opportunities. By
identifying and analyzing the full cost of risk, UC Universities will develop strategic plans to
reduce the cost and free up resources to be used for meeting the University’s mission.
The prevention of just one claim can result in significant savings to a department, campus,
and/or medical center, and these savings compound into even greater overall savings across the
system. UC’s ERM program and the ERMIS vastly improve the information managers can use to
identify and manage risk. For example, they provide management with current information on
key performance indicators in minutes, allowing managers to identify trends, spot areas which
need improvement and track desired results.
Cost of Borrowing
The cost of borrowing is incurred when an organization borrows money. Interest payments are
an example of borrowing costs. In accounting, borrowing costs may be recognized as an
expense when incurred or capitalized as part of the cost of an asset.
On July 22, 2009 Standard & Poor’s (S&P) released a progress report regarding enhancement of
its global rating process for non-financial companies by including enterprise risk management
assessments in its ratings. S&P hopes that the addition of ERM factors to its credit analysis will
improve the overall quality of S&P’s ratings by enhancing its opinions on management of
borrowers. S&P views ERM as an organizing tool for assessments of management, helping it
create a more systematic framework and common language for an inherently subjective topic
and the ability to benchmark organizations against each other over time.
S&P continues to focus primarily on “risk culture” and strategic risk management. S&P assesses
evidence of each organization’s risk culture through a review of communications, risk
management roles, risk policies and procedures, and the influence of risk management on
strategic decisions. S&P defines strategic risk management as the identification of main risks
and how these risks are managed, updated, and impact decisions. (Standard and Poor's 2010)
Seven Primary Questions
Standard and Poor’s is asking these seven questions of organizations about their risk
management programs:
1) What are the organization’s top risks, how big are they, and how often are they likely to
occur? How often is the list of top risks updated?
2) What is management doing about top risks?
3) What size quarterly operating or cash loss has management and the board agreed to
4) Describe the staff responsible for risk management programs and their place in the
organization chart. How do you measure the success of risk management activities?
5) How would a loss from a key risk affect incentive compensation of top management and
6) What discussions about risk management have taken place at the board level or among
top management when strategic decisions were made in the past?
7) Give an example of how your company responded to a recent “surprise” in your
industry. How did the surprise end up affecting your company differently than others?
(Standard and Poor's 2011)
Organizations that adopt an enterprise view of risk often do so because this offers value
through better awareness and control of risks, improved resource efficiency and enhanced
ability to take additional risk. Organizations that have implemented successful ERM frameworks
often achieve improved consistency in risk management practices and better response to
escalating corporate governance requirements, regulatory pressure, capital availability and
cost, capital deployment and market pressure through improved understanding of risk and
mitigation options.
The rating agency S&P has recognized UC for its ERM program and stated, “The UC has
implemented a system-wide enterprise risk management information system, which, in our
opinion, is a credit strength.” UC’s ability to borrow is crucial to its success. In 2008, UC’s total
debt exceeded $10 billion. Key factors affecting the cost of borrowing are ratings provided by
credit rating agencies such as Moody’s, Fitch and Standard & Poor’s. All of these agencies now
explicitly look for an organization’s approach to managing enterprise or holistic risk as part of
the process in developing ratings. UC’s proactive approach to ERM has helped its
credit rating with S&P. Standard & Poor’s has given UC a higher rating, which in turn has produced
a 0.1% decrease in the interest rate UC pays on its debt load, representing over $10
million in savings. (Standard and Poor's 2011)
Create Efficiency
UC Universities is seeking ways to improve efficiency. Statement on Auditing Standards No. 115
(SAS 112/115) supersedes the Statement on Auditing Standards No. 112 and establishes
standards and provides guidance on communicating matters related to an entity's internal
control over financial reporting identified in an audit of financial statements. Public entities are
working hard to make sure that they are identifying and documenting key controls related to
the preparation of financial reports. “SAS 112/115 raises the bar for internal controls
compliance and documentation… The University must effectively demonstrate to external
auditors that an internal control framework has been established and is practiced at all levels in
University business administration. The effect of internal control weaknesses being reported by
UC Universities’ auditors under SAS 112/115 could include negative impacts on research
funding & credit ratings, additional federal audits, and reputational damage.” (University of
California 2010)
In 2002, the UC Controller’s Office estimated that automating SAS 112/115 requirements would
cost UC between $500,000 and $2.5 million. Knowing that key financial controls are working
requires information currently stored in several systems (some examples include campus
financial and payroll systems) and input from the people performing and certifying the controls.
By centralizing data from many sources, UC’s ERMIS creates a foundation of information which
is accessible, automatically updated, transparent and less prone to error. This addresses some
of the key requirements of SAS 112/115 while also creating administrative savings.
The creation of automated reports within the ERMIS will increase workforce efficiency. The
staff at UC Universities currently spends significant amounts of time developing and updating
reports. The UC Environmental Health and Safety Staff, Risk Manager, Controller, Human
Resource Managers, and others are developing automated reports that will reduce staff time
spent updating information provided monthly to University leadership. These automated
reports will provide more reliable information that is updated more frequently and is readily
available without staff support. Further, as noted above, as the types of data available are
expanded and the corresponding measurement metrics mature, more in-depth analysis of data
can be performed easily.
Reduce Redundancy
Redundancy can be reduced by the creation of automated reports made readily available to
those with a need to know. Instead of having the same or similar reports being developed and
maintained without the benefit of shared knowledge at different divisions, departments,
schools, campuses, medical center and other locations, the ERMIS enables sharing of analyses
and information easily and efficiently across multiple different locations. (University of
California 2010)
15. ERM’s Role in Governance
Governance is the activity of governing. It relates to decisions that define expectations, grant
power, or verify performance. It establishes the structure; sets the policies, procedures,
processes and measurement standards; and determines the mission, values and the culture of
the organization. Governance determines an organization’s direction and, therefore, defines
the scope of potential risks to which it is exposed.
Good governance helps an organization manage risk by ensuring that its goals are achieved and
its interests are served and protected. Without good governance, conflicts of interest can arise,
stakeholders’ expectations might not be met, and there could be negative outcomes from
management’s decision making process. Good governance integrated with enterprise risk
management can manage uncertainty and risk.
The primary goal of governance is to build measurable value through a framework of ethical
behavior, fairness, transparency, fiscal accountability and social responsibility. Governance also
offers a holistic perspective regarding an organization’s altruistic reasons for existence and its
role in the community in which it operates. An organization’s governance practices should focus
on ethical, fair, and transparent behavior. It should also strive for fair treatment of employees,
compliance with government regulations, limited impact on the surrounding environment
(pollution issues) and sustainable development. (Louisot and Ketcham 2009, 11.6)
Public Entity Example – U.S. Department of Education
The mission of the U.S. Department of Education is to promote student achievement and
preparation for global competitiveness by fostering educational excellence and ensuring equal
access. The Department must be a high-performing organization internally to achieve its
national policy goals. From now through 2012, the Department of Education will build upon a
series of clean audit opinions to sustain high-quality financial oversight and to identify and reduce
risk in internal management activities. Achievement of targets for performance measures will
engender trust among Americans in the integrity of the Department’s financial activities and
support informed management and policy decision-making.
Support for ERM governance and the ERM program comes first and foremost from the head of
Federal Student Aid (FSA), its chief operating officer (COO). While the Chief Risk Officer (CRO)
reports administratively to the general manager of Enterprise Performance Management
Services, he has a dotted-line relationship to the COO and meets regularly with the COO to discuss
risk management and internal review issues facing the organization.
FSA has established an ERM committee consistent with the roles and responsibilities identified
in the COSO framework. The ERM Committee is comprised of five executives:
Chief financial officer
Chief information officer
Chief business operations officer
Chief of staff to the chief operating officer
Chief risk officer
The purpose of the ERM committee is to assist the chief operating officer in:
Assessing and evaluating major strategic risks
Establishing the organization’s risk profile and setting risk tolerance
Reviewing and approving Federal Student Aid’s ERM Strategy
Monitoring the implementation of FSA’s ERM Program and framework (Hardy 2010)
In addition to having an ERM committee on the executive management level, another idea is to
establish a risk committee on the board level of some public entities. The board level risk
committee, while not yet common among public entities, can function as a risk oversight body
to be responsible for assessing and providing oversight to management relating to the
identification and evaluation of major strategic, operational, regulatory, information and
external risks inherent in the public entity.
The board level risk committee’s duties and responsibilities would include:
1) Review and evaluate management’s identification of all major risks to the public entity.
2) Assess the adequacy of management’s risk assessment, its plans for risk control or
mitigation, and disclosure.
3) Together with the audit committee, review, assess and discuss with general counsel, the
chief financial officer and the independent auditor any significant risks or exposures, the
steps management has taken to minimize such risks or exposures; and the public
entity’s underlying policies with respect to risk assessment and risk management.
(Bugalla, Hackett and Kallman, et al. 2010)
Another crucial member of the risk governance agenda is a chief risk officer (CRO). The CRO
should chair the executive-level risk committee or serve as its chief of staff and have dual
reporting lines to both the Directors of the public entity and the board-level risk committee.
One of the key goals of the risk committees on the executive and board levels is to prevent a
risk intelligence gap. Lessons learned from Hurricane Katrina and the 9/11 terrorist attacks
demonstrate the need for good risk intelligence and the importance of providing decision
makers with all the necessary information to help them plan for and implement the best
strategy to mitigate their risk exposures. Here are some suggestions for getting started with the
conversation about risk governance in your public entity:
1) Understand the public entity’s key drivers of success.
2) Assess the risk in the public entity’s strategy.
3) Define the role of the full board and its standing committees with regard to risk
4) Consider whether the company’s risk management system, including people and
processes, is appropriate and has sufficient resources.
5) Work with senior management to understand and agree on the types (and format) of
risk information the board requires.
6) Encourage a dynamic and constructive risk dialogue between management and the
board, including a willingness to challenge assumptions.
7) Closely monitor the potential risks in the public entity’s culture and its incentive
8) Monitor critical alignments of strategy, risk, controls, compliance, incentives, and
9) Consider emerging and interrelated risks.
10) Periodically assess the board’s risk oversight processes: Do they enable the board to
achieve its risk oversight objectives? (Bugalla, Hackett and Kallman, et al. 2010)
16. Getting ERM Buy-In with Decision
The goal of ERM is to embed risk recognition into every business decision of the organization.
Too many times, organizations have a very static approach to risk management that falls into a
narrow compliance-based effort that leads to underperformance. However, those organizations
that can fully implement ERM can establish more reliable decision making and create
innovation to sustain performance.
ERM should be embedded into all of an organization’s strategic planning, business decisions,
and performance management. Without this integration, ERM may be perceived as imposing an
additional layer of bureaucracy rather than as being integral to how the operation is run. It is
essential that the board and senior executives drive the implementation of ERM because ERM
involves the commitment of the entire organization. The senior management should ensure
that all stakeholders understand the impact and scope of ERM and visibly work to support the
required changes so that ERM becomes the standard.
Included here is a sample ERM implementation plan that can be used to give a clear and concise
message to senior management to help them see what will be involved in implementing an
ERM program:
Sample ERM Implementation Plan (Louisot and Ketcham 2009, 14.32)
1. Defining Scope of ERM
a. Why do we need ERM?
b. What resources do we need to commit to the project?
c. How do we measure success for ERM?
d. Whom should we put in charge of the project and ERM for the organization?
e. What can go wrong with the project and ERM?
2. Planning Phase of ERM
a. How will the process for accomplishing the implementation be documented and
b. Which stakeholders should be involved in planning and executing the
c. How should ERM be incorporated throughout the organization to support
proactive business decisions at all level?
d. What information do employees need to make risk aware decisions and how can
that information be presented effectively?
e. What information do external stakeholders, customers, and regulators need, and
how can that information best be communicated?
f. What policies and procedures are needed to make ERM operationally
3. Inception of ERM
a. Establish risk committee with an executive-level sponsor and board level sponsor
to review and revise framework established
b. Train the board and upper management in ERM and why it is important.
c. Articulate expected benefits and costs
d. Support for the project should be made highly visible
4. Develop a risk management policy
a. Understand the risk appetites of key supporters and stakeholders
b. Align risk appetites of all stakeholders groups with the organization's strategic
objectives and strategies. Express risk appetite boundaries for the project in the
project scope statement where possible
c. Articulate and communicate risk management policy of the organization in the
project scope statement
5. Articulate goals for ERM project
a. Develop goals that address the traditional risk management loss exposures
categories of property, liability, net income and personnel
b. Develop goals that address ERM issues of strategic risks, effectiveness,
accountability, business process, compliance, employee empowerment, cultural
identity, reputation and competitive
c. Include all project goals in the project scope statement
d. Include all project constraints, regarding quality, timeliness, budget, and
boundaries in the project scope statement
a. Design frameworks for identifying, assessing, and managing risks
b. Design framework for internal and external communication
c. Determine how accountability, resources, communication, and reporting (internal
and external) will be managed
d. Establish clear organization-wide risk management strategies for achieving the
project goals
e. At functional levels of the organization, establish risk management objectives to
the extent that they have a substantive effect on the organization's result and
should be integrated into processes
7. Execution
a. Develop an organization-wide ERM vocabulary
b. Develop and enforce the use of a communications framework to support
identification of changes in KPIs
c. Identify KPIs and external indicators of changes in risks that are to be monitored
d. Identify measurement issues associated with key event indicators and
methodologies or technical issues in reporting them.
e. Determine the best technological methods of disseminating information about
changes in KPIs
f. Create and deploy a risk "nervous system" for communication reporting and
monitoring progress of the information collected in the communication
g. Determine persons responsible for monitoring key event indicators and how
action will be taken based on the changes
h. Develop and enforce the use of risk assessment and risk treatment frameworks
that are responsive to information disseminated in the communication
i. Inventory current risk management processes and then build on them
j. Develop tools to identify and evaluate risks and ensure that all business units use
the same tools and terminology
k. Ensure that risk assessment focuses on enterprise-wide risks as well as
traditional loss exposures
l. Create a matrix or another tool to prioritize each risk in terms of its likelihood
(frequency) and potential impact to the organization. Focus treatment on the
most serious risks.
m. Establish methods for continuously and incrementally treating internal and
external prioritized risks throughout the organization based on information
distributed through the communication framework
n. Record risk treatments
o. Create a risk management culture
p. Train all employees on what ERM is and why it is important
q. Continually communicate the importance of risk management throughout the
r. Design human resource policies and practice to support identification and
reporting of risk-related information at all levels
s. Emphasize employee commitment to the risk management culture and include
performance measures and incentives to promote that commitment
8. Monitoring
a. Document and communicate ERM effectiveness
b. Conduct periodic review of the KPIs and external factors and make required
c. Empower the committee to revise the substance and details of the
communication and risk assessment and treatment framework in response to
sweeping changes in the internal and external environments
d. Because the ERM process is iterative and recursive, ERM implementation
must become part of the ongoing and continuous organizational strategy
Since 1996, the University of California has been moving towards an enterprise approach to
identifying and managing its risks. The implementation of an ERM program at UC requires a
creative approach which includes delivering a variety of tools to risk owners to enable them to
better identify and manage their particular risks. The foundation of UC’s ERM program is the
COSO ERM Framework and ERM Tools designed to be implemented at all levels of the UC
organization: system-wide, campus, medical center, college, school, division, department and
individual levels.
By managing their risks across the enterprise in a strategic manner, they have reduced the cost
of borrowing, created efficiency, reduced IT redundancy, and reduced the cost of risk. How has
the University of California reduced the cost of risk? By investing in loss prevention and loss
control programs as part of their overall ERM strategy they have achieved a cost avoidance
savings of $420 million.
The foundation of UC’s ERM program is to have people actively manage their various risks. The
ERMIS provides a variety of qualitative and quantitative tools to help UC locations identify their
risks and determine where to strategically deploy resources. It can define, highlight, and predict
risk and trends to allow managers to intervene before problems arise, and it is a data rich
construct that can be adapted to other sectors, such as programmatic, personnel, and
operational programs. “The UC has implemented a system-wide enterprise risk management
information system, which, in our opinion, is a credit strength.” (Standard and Poor's 2010)
In addition to ERMIS, the UC System uses a few other tools to provide users with solutions through
which they can access and analyze information related to their specific areas:
UC Action - enhances the efficiency of monitoring controls established in response to specific
incidents through continuous monitoring and automated follow-up.
UC Tracker - has taken a manual process and provided a software tool that facilitates the
review and documentation of key financial controls related to the preparation of the
university’s financial statements. Taking this process from manual to electronic format
improves transparency and accuracy of information and creates efficiencies.
Risk Assessment Workbooks - have been created to support risk assessments at each of the UC
These University of California solutions allow the University to take on new opportunities and, by managing
risk strategically, ensure an optimum outcome. UC has learned that by focusing on
developing tools that address a broad array of risks, both frequent events and infrequent but
catastrophic ones, it has created a more efficient and effective program.
Public Entity Example – Penn State University
At Penn State, the Corporate Controller’s Office is a service organization within Finance and
Business that supports Penn State students, faculty and the public. They are responsible for
providing quality financial, accounting and information services that foster a culture of
responsible stewardship and sound fiscal management of University resources.
The Corporate Controller’s Office at Penn State has three primary strategic goals for 2009-2013.
The first goal is to foster a University-wide culture of responsible financial stewardship and risk-based decision making. Its objective in carrying out this goal is to enhance and improve the
accuracy and timeliness of financial information provided to the Board of Trustees, its
committees and subcommittees, and University senior management, to encourage transparency
and accountability at the University. (Corporate Controller - Penn State University 2009)
In order to succeed, an ERM program must link closely with the organization’s strategic
management processes. In fact, the measure of success of any ERM implementation is how
much value it adds to the shareholders (of publicly held companies) and other stakeholders of the
organization. In the case of Penn State, the university’s key stakeholders include students,
faculty and staff, consumers of research, members of the community, and the general public.
As with any successful strategic implementation, in order to link closely with strategic
management processes and measure the value added by the process, those implementing ERM must
understand the overall characteristics of the organization and the environment within which it
competes, including:
1) The organization’s strategic, long term objectives
2) The industry within which the organization competes, its key competitors, and its stage
of development (for example, growth, maturity, or decline)
3) Its competitive landscape and scope of competition
4) The organizational culture
5) The primary risks perceived by members of the organization
Penn State’s strategic goals reflect excellence in three areas (teaching, research, and service)
and address the needs of students, faculty and staff, and society. All of this is spelled out in
Penn State’s Strategic Plan. Therefore, a successful ERM program must address the risks to
attaining the long-term goals in each of those areas. (Lermack 2008)
17. Being an ERM Influencer in Your Public
Once your public entity has identified the importance of ERM, the next challenge is figuring out
how you can be a positive ERM influencer within your organization. Where do you start in
developing the positive ERM influence among your co-workers in your public entity? It starts
with the flow of information about ERM within your organization. The key here is to make the
information about ERM readily available to your fellow co-workers.
“The fact that different groups of employees are exposed to wildly different data information
helps explain why people often have such different priorities and passions. Different groups,
departments, and levels of employees worry about very different aspects of the organization’s
success, not because they hold different values, but because they’re exposed to different data.
For example, frontline employees who interface with complaining (citizens) usually become
(citizen) advocates. (Senior management) who are constantly poring over financial statements
and new legislation (become subject to the regulators and legislative bodies).
The problem with passion for a single stakeholder group isn’t that employees care greatly about
someone or something, it’s just that it’s hard to expect people to act in balanced ways when
they have access to only one data stream.” (Grenny, et al. 2006) For instance, the Board of
Directors of a major international airport might only be receiving certain information on the
airport’s expansion project that is geared to the completion of the project and the forecasted
revenues that the new expansion project might bring to the major international airport
authority. Since the risk manager was not part of the discussion of the potential risks to the
expansion project, the Board of Directors is not given the necessary information to evaluate the
risk exposures to the expansion project. Therefore, the Board of Directors is not taking into
consideration the impact of such risks on the projected future revenues of the expansion
In order to change the Board of Directors’ understanding of potential risks to the expansion
project, we change the data stream and provide the Board of Directors with the necessary data
to make an informed decision on the potential outcome of the expansion project. One warning
about data: too much of a good thing can be bad. ERM influencers need to be concise and not
complicate the data they give to their stakeholders. “The incessant flow of reports, printouts,
and e-mail-one heaped upon the other-transforms into a numbing and incoherent background
of noise. Influence masters never make this mistake. They’re focused and deliberate about the
data they share. They understand that the only reason for gathering or publishing any data is to
reinforce vital behavior.” (Grenny, et al. 2006)
University of California, Office of the President, Office of Risk Services, implemented a Be Smart
About Safety (BSAS) campaign in the 2006-2007 academic year. Since then, the program has shown
significant cost savings across the campuses taking advantage of the funding, according to a
study presented at the March 2009 Risk Summit by the University’s Sacramento-based
actuaries, Bickmore Risk Services. (University of California 2009)
The analysis showed that while occupational injuries and illnesses surged among California
employers between the 2005-2006 and 2007-2008 fiscal years, University of California locations
implementing programs with BSAS funds in the 2006-2007 fiscal year outperformed employers
across the state in terms of numbers of injuries per 100 employees, average cost per claim, and
cost of claims as a share of payroll.
The number of claims per 100 employees in California fell by 15.6% between the 2005-2006
and 2007-2008 fiscal years, but the University of California locations outperformed this already favorable
indicator with a decrease of 17.1% in the number of claims per 100 employees. The average
cost per claim across the state increased 27.4% in the same time frame, but locations
participating in BSAS saw an increase of just about half that size, 14.2%. Similarly, while the cost
of claims as a share of payroll increased 7.6% for most California employers, BSAS participants
saw the cost of claims as a share of payroll decrease 2.5%.
Grace Crickette, Chief Risk Officer at University of California, has held a Risk Summit for all UC
campuses and medical centers every year since she took office at the end of 2004. In June 2010,
the University of California System held their 6th Annual Risk Summit with more than 370 UC
employees attending. During the Risk Summit, they have an awards ceremony with recognition
awards given to specific programs based on their efforts in reducing the cost of risk in the
following categories:
1) Workers Compensation (One award for campuses and one award for medical centers)
a. Best Improvement/Performance
b. Best Reduction in Workers Compensation Rate
c. Best Workers Compensation Rate
2) Property (One award for campuses and one award for medical centers)
a. Best Practices/Timely Claims Reporting
b. Most Improved Timely Claims Reporting
3) Professional Liability (One award for campuses and one award for medical centers )
a. Best Performance/Highest Rate of Return on Rebate
4) General and Employment Liability (One award for campuses and one award for medical
a. Best Practices/Timely Claims Reporting
5) Automobile
a. Best Practices/Timely Claims Reporting
b. Most Improved/Timely Claims Reporting
6) Environmental Health & Safety
a. Lowest OSHA Total Recordable Cases
7) Innovative Risk Management
a. Voted Best Presentation from Attendees
Each year the University of California Risk Summit has a theme. In 2009, the theme was
“Leading Through Change” to focus on making change, addressing difficulties, and facing
challenges head on and doing all of this by finding creative ways to do more with less during
these economic times. The emphasis was that as leaders they must continue their efforts
towards a common goal of reducing the cost of risk and in order to do so they must move
forward through change.
Each campus and medical location was given the opportunity for their leaders to speak about
initiatives at their locations that have led to a positive change, a way to share valuable
knowledge that can be used throughout the University of California System. Attendees voted
on the presentations and the Innovative Risk Management Award went to the one with the
most votes. UC Riverside was the winner, with Campus Risk Manager Steve LaShier providing a
very motivational speech about the “leading through change” initiative at the Riverside campus
and how one person, as a leader, can make a difference.
Some challenging subjects and significant emerging risks were addressed in the 2009 Risk
Summit, such as threat and security, foreign business operations, travel abroad, and business
continuity planning. This was a forum to share ideas and best practices to prepare to face the
challenges of the coming year. It is essential that their leaders have the right knowledge and
strong relationships with those whom they can call upon for assistance. The Risk Summit brings
leaders together for this purpose and enables their leaders to be better armed to act quickly,
make the right decisions, and be “leading through change.”
The Risk Summit also provides a forum for updates and open discussion on current system-wide
initiatives that are core elements of “leading through change,” such as the Be Smart About
Safety program (“What Be Smart About Safety Can Do for UC” and “Helping Employees Be Smart
About Safety With the Right Equipment: Tools and Training”), Enterprise Risk Management, and
UC Ready (Business Continuity Planning): Getting Ready …with UC Ready (an online tool for
business continuity planning). All these programs helped the University of California motivate
its employees to see how their individual behavior and attention to the risk exposures in their
departments fits into the bigger picture of how UC measures and manages risks for the entire
UC system.
Each year, the “Excellence Award for Best Risk Management Practices” is presented to the
campus and the medical center with the lowest overall cost of risk. The awards were received
this year by the UC Santa Barbara campus and the UC San Diego medical center. The annual
“University of California President’s Award for Excellence in Environment, Health and Safety”
was presented to UC Santa Cruz campus. This award is based on a compilation of injury and
illness performance measures that are adjusted by Cal/OSHA according to the size of their
workforce and awarded to the location with the best overall score. (University of California
Enterprise Risk Management ensures that a public entity identifies and understands the key
dangers that it may face. This helps the public entity make and implement the plans needed to
prevent the downside of risk, while also allowing the organization to exploit opportunities for
growth. Some of the benefits of ERM include the following:
Enhance Decision Making- Public administrators, boards of directors, city councils, and senior
management teams within a public entity will make more informed decisions when they have a
clearer understanding of what their risk exposures are and the potential impact of those risk
exposures. Decisions will be evaluated in their internal and external context, and proper
mitigation plans can be established to minimize any future loss.
Promotes Effective Communication- Enterprise risk management enhances communication
within the entire public entity, because risks are tackled by several departments rather than
seen in silos. Departments will not only see the interrelationship of risk exposures within their
own department, but will also see the relationship of their risk exposures to those of other
departments within the public entity. This encourages better communication among
employees, internal and external stakeholders and senior management regarding how risks are
being controlled.
Risk Awareness & Accountability- Being unable to identify a risk until it happens can seriously
affect the public entity. Not only could there be tangible losses, but also intangible ones such as
the loss of public trust. It may even result in a decrease in internal morale and damage to the
public entity’s reputation. Enterprise risk management, by contrast, enables managers to
identify risk early, empowering them to assign accountability for risk exposures, develop proper
mitigation plans, and have a clear course of action in case of a disruption to services.
Improve Ability to Achieve Strategic Goals- Enterprise risk management improves public
entities’ ability to meet their strategic goals by finding the best mix of risk controls to protect
their assets while remaining fiscally responsible to all their stakeholders. By doing so, public
entities are able to reduce volatility and develop plans for growth that are sustainable.
Allen, Mathew. Building a Common Approach to Managing Risk - The Challenge of ISO 31000. January
Anselmo, Clay. Failure Investigation and Root Cause Analysis. Denver, December 31, 2009.
Broadleaf Capital International PTY LTD. "Tutorial Notes: The Australian and New Zealand Standard on
Risk Management, AS/NZS 4360:2004." Broadleaf Capital International PTY LTD. 2007.
Bugalla, John, Janice Hackett, and Kristina Narvaez. "ERM in the Vancouver Winter Olympics." Risk
Management Magazine, April 2011: 22-28.
Bugalla, John, Janice Hackett, James Kallman, and Kristina Narvaez. "Putting Board Risk Committees to
Work." The Corporate Board, November 2010: 21-25.
Carson, Debra, interview by Kristina Narvaez. Risk Manager - Longmont, Colorado (September 2010).
Christina, Diane. Dissecting the Anatomy of ISO 31000. February 5, 2010.
Committee of Sponsoring Organizations. Resources. 2010.
Corporate Controller - Penn State University. "Strategic Plan." Office of the Corporate Controller. 2009.
Crickette, Grace. IBM Case Study - University of California – Office of the President. October 7, 2010.
Department of Homeland Security. "DHS Risk Management Guidelines." Lessons Learned Information
Sharing. February 25, 2010.
DHS Risk Steering Committee. "DHS Risk Lexicon." Department of Homeland Security. September 2010.
Diamond, Paul. "Newsletters." University of California Office of the Chief Financial Officer. 2009.
Drobris, Kristen, interview by Kristina Narvaez. MassDevelopment Uses ERM in Project Management
(May 25, 2011).
Duffy, Grace, John Moran, and William Riley. "Solve the Real Problem Using Root Cause Analysis." ASQ
Quality Management Division. January 24, 2010.
Essary, Norma, and Michael Yip. Enterprise Risk Management "In Action" PowerPoint Presentation.
January 2010.
Grenny, Joseph, Kerry Patterson, David Maxfield, Ron McMillion, and Al Switzler. Influencer: The Power
to Change Anything. McGraw-Hill, 2006.
Hammond, Paula J. "Business Directions: WSDOT's Strategic Plan 2011-2017." Washington State
Department of Transportation. September 2010.
—. "Publications." Washington State Department of Transportation. December 10, 2008.
Hardy, Karen, Dr. "Managing Risk in Government: An Introduction to Enterprise Risk Management." IBM
Center for the Business of Government. 2010.
Hoopingarner, Taud, interview by Kristina Narvaez. Chief Operating Officer, Dakota County, Minnesota
(September 2010).
IBM. Enterprise Risk Management. 2010.
International Standards for Business, Government and Society. New ISO standard for effective
management of risk. November 18, 2009.
Kolasky, Bob. "Public Entity Risk Institute Resource Library." Public Entity Risk Institute. March 4, 2011.
Lermack, Harvey B. "Enterprise Risk Management at Pennsylvania State University - Strategy
Implementation in a Decentralized Organization." Faculty Websites - Philadelphia University.
Levine, Mike. "While Slowing BP Oil Spill, Administration Slowed Flow of Information Too, Claims Coast
Guard Report." Fox News. Fox News, March 28, 2011.
Louisot, Jean-Paul, and Christopher Ketcham. Enterprise-Wide Risk Management: Developing and
Implementing. Pennsylvania: American Institute for Chartered Property Casualty
Underwriters/Insurance Institute of America, 2009.
MassDevelopment. MassDevelopment. n.d.
McQuire, Russell, interview by Kristina Narvaez. Senior Consultant - Milliman (January 2011).
Melvin “Kip” Holden, Mayor-President of Baton Rouge. Written statement for a hearing on Recovering
from Hurricane Katrina: Responding to the Immediate Needs of Its Victims. Washington, D.C.,
September 28, 2005.
Miller, Allen S. Ph.D. Integrating Risk Management Across the Homeland Security Enterprise. Los
Angeles, November 16, 2010.
Moore, Mark Dr. Emerald - Research You Can Use. 1995.
Moore, Mark H. Dr. Creating public value: strategic management in government. Cambridge: Harvard
University Press, 1995.
National Research Council of the National Academies. Review of the Department of Homeland Security's
Approach to Risk Analysis. Washington, D.C.: The National Academies Press, 2010.
Office of Financial Management, State of Washington. "ERM Best Practices." Office of Financial
Management. November 10, 2010.
Office of Risk Management and Analysis, Department of Homeland Security. Risk Management Practices
in the Public and Private Sector: Executive Summary. Washington, D.C., September 2010.
Risk and Insurance Management Society. 2008.
Riskonnect. Enterprise Risk Management | Riskonnect. 2011.
Robertson, Campbell, and John Collins Rudolf. "Report Says Coast Guard was Unprepared for Spill." The
New York Times. The New York Times, April 8, 2011.
San Francisco Examiner. UCSF Expansion Making Mission Bay a Biotech Giant. November 8, 2009.
San Francisco International Airport/Community Roundtable. About Us. October 1, 2003.
Schmutz, Steve, interview by Kristina Narvaez. Director of Operations at Riskonnect (February 2011).
Standard and Poor's. Global Credit Portal. September 9, 2010.
—. Ratings Enterprise Risk Management. 2011.
State of Washington. About GMAP. 2010.
State of Washington Office of Financial Management. Root Cause Analysis. 2010.
TapRoot. "Root Cause Analysis Blog." TapRoot. July 1, 2010.
The Security Risk Management Toolkit. A Sample Corporate Risk Register. June 11, 2006.
Townsend, Frances. "The Federal Response to Hurricane Katrina: Lessons Learned." St. Mary's University
Library. February 2006.
United States Department of Veterans Affairs. Wikimedia Commons. August 2001.
University of California. Background of ERMIS. September 1, 2010.
—. Documents. March 10, 2010.
—. Enterprise Risk Management. August 10, 2010.
University of California Office of Risk Services. "Enterprise Risk Management." University of California.
August 2010.
—. "ERM Resources." University of California. May 18, 2010.
University of California. "Risk Services Today Newsletter." Office of the President. 2009.
University of California, San Francisco. Our Vision. 2010.
Vincoli, Jeffrey W., CSP. Basic Guide to System Safety. New York: Van Nostrand Reinhold, 1993.
Warren, Mike. "ACI-NA." Airports Council International - North America. November 2007.
Washington State Department of Transportation. "Publications." Washington State Department of
Transportation. July 2010.
—. Sustainable Transportation. 2010.
Webber, Erica, interview by Kristina Narvaez. Associate Partner, IBM Global Services (February 14, 2011).
Wikimedia Commons. File: SWOT. September 30, 2007.
Zavatsky, Drew. Implementing Enterprise Risk Management in Washington State Government.
November 7, 2008.
Business Continuity
Pre-loss activities performed by an organization to eliminate interruption of a critical business function in the event of a major loss. These activities involve a scheduled approach to maintain continual service and provide consistency across project tasks and system
Centers for Disease Control and Prevention (CDC)
The Centers for Disease Control and Prevention (CDC) is one of the major operating components within the U.S. Department of Health and Human Services. CDC’s mission is to coordinate resources with the expertise, information, and tools that help people and communities protect their health by providing material on injury and disability, prevention of disease, health promotion, and preparedness for new health threats.
Cause of Loss
Refers to the primary cause of loss used in the source claims system.
Chaotic State System
One of four system levels used to describe the degree of severity of an unexpected event. Under a chaotic state system the unexpected event is a dramatic, unforeseen situation that threatens the organization’s survival.
Claim
A request for payment for benefits received or services rendered as covered under workers’ compensation, or a request for payment and/or actionable item to restore or replace damaged property or compensate for injury associated with a liability exposure.
Complex State System
One of four system levels used to describe the degree of severity of an unexpected event. In a complex state system the unexpected event is unusual and potentially critical to the organization.
Compliance Risk
Compliance risk evaluates situations where an organization must comply with laws and governing rules. The process assesses whether internal policies and procedures conform to laws and regulations, such as federal and state OSHA laws, EPA requirements, and employment practices.
Complicated State System
One of four system levels used to describe the degree of severity of an unexpected event. In a complicated state system the unexpected event is more difficult to resolve than a simple state system’s, but is not unusual.
Continuity Plan
A continuity plan outlines how the organization will survive and succeed after an unexpected event. The continuity plan should direct each department in formulating a departmental plan that coordinates with the entire organization.
Crisis
A crucial turning point in the course of any event; an unstable condition in which an abrupt or decisive change is impending; a major, unpredictable event that has potentially negative results. The event and its aftermath may significantly damage an organization and its employees, products, services, financial condition, and reputation.
Delphi Technique
A communication technique employing a panel of experts to assess the top risks in the organization. The panel answers a series of questions and, based on a quantitative or qualitative value assigned, the risks are ranked from greatest risk to least risk. The responses are revised until the entire group reaches a consensus.
Disaster Management
The process of preparation, mitigation, and response to handle widespread destruction and distress caused by a catastrophic loss. Management must work with emergency personnel to coordinate planning and response from multiple organizations within the community, which demands a timely response from internal and external sources.
Emergency
An unexpected event which places life and/or property in danger and requires an immediate response through the use of routine community (or organizational) resources and procedures.
Emergency Management
The management of governmental and nongovernmental preparedness and response at federal, state, and local levels, including non-governmental organizations, to unplanned events that affect public health and safety and that destroy
Enterprise Risk Management (ERM)
An approach to risk management that addresses all of an organization's risks as one unit, throughout the organization, and that considers both the potential gains and potential losses from risk. Enterprise risk management avoids separating the management of risks based on whether they are insurable, or on which operations or activities generate them.
Enterprise Risk Management Process
The ERM process allows an organization to establish internal and external contexts, assess risks, choose appropriate treatments, and then monitor the treatments against the organization’s strategic goals. This gives all stakeholders a clear picture of all the risks that could impact the strategic plan within their organization and offers the ability to quantify critical risks and prioritize risk treatment.
ERM Maturity Model
A scoring tool created by the State of Washington’s Office of Financial Management, used yearly to measure the progress of ERM implementation on a scale from 1 (beginning) to 6 (advanced). Over time, scores should increase as ERM programs become more robust and more fully integrated into agency planning and operations.
Environmental Risk
Conditions affecting the environment (air, water, or ground) which could be damaged or destroyed by pollution or a hazardous substance.
Fault Tree Analysis (FTA)
FTA is an analytical tool that identifies the actions and conditions leading to a failure; these are arranged with “gates” to force an organized flow of incidents that lead upward to the final event. The “and” and “or” gates show what must happen before the failure sequence progresses to the next level. FTA starts with the crisis event and drills down to the specific details of the cause of that event. It is now one of the most common hierarchical systems used to study cause and effect relationships.
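An added illustration of the “and”/“or” gate structure described in the Fault Tree Analysis entry, not code from this publication or from any entity it describes: it evaluates a constructed fault tree for a hypothetical service-outage event, computing the top-event probability and the minimal failure paths (cut sets) ranked by likelihood. All event names and probabilities are made up for the example.

```python
"""Fault tree evaluator for AND/OR gates (added illustration, not from the source).

The tree below is a constructed example: a hypothetical "unplanned service
outage" top event with made-up basic-event probabilities for one year.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Event:
    """A basic event at the bottom of the tree, with its annual probability."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """An AND gate (all inputs must occur) or an OR gate (any input suffices)."""
    kind: str                    # "AND" or "OR"
    name: str
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability of the node's event, assuming the basic events are independent."""
    if isinstance(node, Event):
        return node.probability
    child = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child:
            result *= p            # all inputs must occur together
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in child:
            none_occur *= 1.0 - p  # the OR gate stays silent only if no input occurs
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind: {node.kind!r}")


def basic_events(node: Node) -> Dict[str, float]:
    """Map every basic event name in the tree to its probability."""
    if isinstance(node, Event):
        return {node.name: node.probability}
    found: Dict[str, float] = {}
    for c in node.inputs:
        found.update(basic_events(c))
    return found


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal cut sets: smallest groups of basic events that together cause the top event.

    This is the drill-down the definition describes: each cut set is one
    complete failure path from basic events up to the crisis event.
    """
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_input = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        candidates = [s for sets in per_input for s in sets]
    else:  # AND: combine one cut set from each input
        candidates = [frozenset().union(*combo) for combo in product(*per_input)]
    unique = set(candidates)
    minimal = [s for s in unique if not any(o < s for o in unique)]  # drop supersets
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def ranked_cut_sets(node: Node) -> List[Tuple[float, FrozenSet[str]]]:
    """Cut sets ordered by probability, highest first: where risk treatment pays off most."""
    probs = basic_events(node)
    ranked = []
    for cs in cut_sets(node):
        p = 1.0
        for name in cs:
            p *= probs[name]
        ranked.append((p, cs))
    return sorted(ranked, key=lambda item: -item[0])


# Constructed sample tree (hypothetical values, not data from any entity).
SAMPLE_TREE = Gate("OR", "unplanned service outage", (
    Gate("AND", "loss of power", (
        Event("power", 0.10),      # utility power fails during the year
        Event("generator", 0.05),  # backup generator fails on demand
    )),
    Gate("AND", "loss of key staff", (
        Event("staff", 0.20),      # key employee unavailable
        Event("nobackup", 0.50),   # no cross-trained replacement
    )),
    Event("flood", 0.01),          # data center flooding
))


if __name__ == "__main__":
    print(f"P(top event) = {probability(SAMPLE_TREE):.6f}")
    for p, cs in ranked_cut_sets(SAMPLE_TREE):
        print(f"{p:.4f}  {sorted(cs)}")
```

With these made-up numbers the staff path dominates (0.10), so the ranking points treatment at cross-training before the far less likely power or flood paths.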
Financial Risk
The possible risk related to the fall of an investment, reduced income, or the failure of an unfunded financing instrument or insurance policy. Examples of financial risk are credit risk, property taxes, or a dissolved insurance carrier. Two related risks are investment risk (the possibility that the actual return is less than the expected return) and business risk, where cash flow is significantly reduced.
Frequency
A measurement of how often a certain type of loss usually occurs during a given time period, such as a year. It is normally identified as a probability of occurrence, such as low, moderate or high frequency, and associated with a potential size of loss.
Goal
A statement describing the purpose of a program, function, or activity that is part of an organization's overall mission.
Hazard
An event or physical condition that has the potential to cause fatalities, injuries, property damage, infrastructure damage, agricultural loss, damage to the environment, interruption of business, or other types of harm or loss. In risk management, a hazard is not really an event – it is the object, force or condition that creates the potential for an event. So the potential for earthquakes is a hazard. An actual, specific earthquake is an event.
Human Capital Risk
Evaluation of a company’s greatest asset, which is its key employees and overall workforce. This risk examines skills, talent, gaps in knowledge, and the most threatening exposures in order to prepare for planned events, such as retirements and relocations, and for unforeseen changes like a sudden drop in retention or the loss of key employees.
Human Causes
Damage known to have been caused by human error; a circumstance where human intervention was the primary contributing factor resulting in an accident or major loss. Human causes typically lead to physical causes.
Key Performance Indicators (KPI)
A type of performance measure used to evaluate the success of a particular activity (i.e., a specific operation, program or service, expenditure, sales, etc.) within an organization. Because KPIs evaluate past activity, they should be used to promote the identification of potential improvement.
Key Risk Indicators (KRI)
Key risk indicators (KRI) are specific operational or financial metrics used to measure possible losses. A KRI identifies possible harmful events and the probability of each event, which is different from a key performance indicator that measures the success or failure of what has already occurred.
Mission Statement
A mission statement should explain why an organization exists, what it does, and how it provides services or products to its customers or community.
National Emergency Management Association (NEMA)
NEMA is a professional association of emergency managers. The primary purpose of NEMA is to be the source of information, support and expertise for emergency management professionals at all levels of government and the private sector who prepare for, mitigate, respond to, recover from and provide products and services for all emergencies, disasters and threats to the nation’s security.
Operational Objective
Specific milestones created at the staff management level in order to reach pre-set executive level goals. An operational objective should be functional in nature and cut across all departments within an organization.
Organizational Causes
When a system, process, or policy is found to be at fault and has the potential to cause damage or injury. The faulty document or procedure is used to make decisions, and those decisions later contribute to a loss.
Operational Risk
A risk caused by the actions of a company’s personnel, an internal process, or a company system that leads to a loss in one or more parts of the company's business.
Performance Measurement
A tool used to improve a specific process. Performance measures should monitor tasks or work load production and create resulting facts that can be used for internal and external comparison. Most measurements are either (a) workload measurements; (b) effectiveness and ratio measurements; or (c) productivity and results measurements.
Plan of Action
Creating a written policy to address a series of concerns. A plan of action should explain several areas, such as listing responses to challenges; identifying a method to track who within the organization will be accountable for each response; stating the proposed action that will be taken; identifying what resources will be used to address the challenge; and setting a timetable for corrective action to be completed.
Pure Risk
A risk of loss where there is no possibility of gain. The risk of fire damage to a building, collision with an automobile, or slipping on a wet floor are examples of pure risk.
Reputational Risk
A type of risk related to the trustworthiness of a company or governmental business. The risk can result in the destruction of a company's reputation, negative opinion, and the loss of revenue or shareholder value. Reputational risk can lead to the removal of a product or corporate bankruptcy.
Risk Center
A risk center is a department or unit within the organization charged with the risk exposures that are related to its duties and responsibilities.
Risk Champion
The risk champion is the individual accountable for the identification, assessment, analysis, and implementation of the ERM program and for the monitoring of risk in that department or unit.
Risk
The measurement of the potential for deviation from an expected result, which may have negative consequences, such as loss or injury, or positive consequences, such as financial gain from an investment.
Risk Analysis
The determination of the likelihood of an event occurring (probability) and the consequences of its occurrence (impact) for the purpose of comparing possible risks and making risk management decisions.
Risk Appetite
Reflects the level of risk tolerance acceptable to management based on a risk response strategy established for specific risks. It is the total amount of risk permitted within a given function or operational area. Management may select one or more risk treatments and choose to monitor performance through internal controls.
Risk Assessment
The combination of vulnerability analysis and risk analysis; the determination and presentation (usually in quantitative form) of the potential hazards, and the likelihood and the extent of harm that may result from these hazards. The process of risk assessment includes estimating the likely consequences of potential risk events. This involves determining which risk exposures to address first.
Risk Assessment Process for Informed Decision-making (RAPID)
RAPID is a quantitative risk assessment tool designed for the Department of Homeland Security to provide managers and leaders with information about multiple hazards and security risks. The tool examines how programs across different departments work together to manage anticipated risks associated with DHS strategic goals and objectives. It ensures that future resources allocated to DHS programs are influenced by the programs’ risk-reduction values.
Risk Avoider
A person whose attitude is obsessed with the potential harm associated with a given risk and who will typically try to transfer all risk to another party.
Risk Criteria
Reference documentation, such as standards, measures, and expectations, which will be used to compare a given risk against the strategic goals of the organization. The risk criteria can include costs and benefits, legal and statutory requirements, and socioeconomic and environmental factors.
Risk Culture
The organization’s attitude towards risk – which then defines the level of acceptable risk, or risk appetite. An organization that encourages its stakeholders to take on risk will be better prepared to adapt to new hazards and incorporate risk treatments for those hazards into the overall risk management plan.
Risk Evaluation
An evaluation of possible sources of risk which involves ascertaining the strengths and weaknesses of the Enterprise Risk Management program with regard to the organization’s strategic goals.
Risk Event
An incident or occurrence that stands in the way of meeting a goal. For example, a risk event could be failure to maintain normal delivery of services to citizens.
Risk Exposure
The possibility of a given loss. The probability of a specific risk exposure will change as related variables are present. For example, exposure to fire can be decreased by adding protection in the area affected by the hazard.
Risk Identification
The process of taking inventory of all risks in the organization and tying them to the organization’s strategic plan.
Risk Impacts
Risk impacts are unintended consequences after an event occurs. The size of the impact will vary in cost and area affected; the impact on personnel may relate to health, changing skills, or some other critical factor.
Risk Intelligence
Risk intelligence is both a process and a product. It consists of the organizational ability to collect and collate data, statistics and information on risk and volatility. This is followed by the systematic analysis, interpretation and presentation of the information. The end goal is decision making that produces the most favorable outcomes under existing
Risk Management Process
A five-step approach to developing and maintaining a risk management program. The five steps are: (1) identify and analyze the entity’s risks, (2) evaluate risk management techniques that may address those risks, (3) select the most appropriate techniques, (4) implement the selected techniques, and (5) monitor and change the risk management program as needed.
Risk Management Program
The systematic process of planning, organizing, implementing and monitoring efforts to minimize potential losses and to make arrangements to deal with the losses that do occur. Steps include identifying the exposures, determining the risk techniques available, selecting and implementing the best method, and monitoring the results.
Risk Mapping
Risk mapping is a communication technique that is used to visualize identified risks, plot relationships, and determine what actions should be taken toward those risks. Maps chart the severity of possible events (on the X axis) and possible frequency (on the Y axis).
Risk Maturity Model
The Risk Maturity Model is based on the Capability Maturity Model, a methodology founded by the Carnegie Mellon Software Engineering Institute (SEI) in the 1980s. It is used to take a snapshot of where the organization’s risk program stands today and can be used as a scorecard. It reviews ERM performance throughout the organization, tracks various attributes, and grades them on their maturity level.
Risk Optimizer
People who follow a risk optimizer attitude realistically evaluate potential outcomes and consequences in light of the organization’s goals and objectives. A risk optimizer will balance the risk (over-emphasized by a risk seeker) and the reward (under-used by the risk avoider) to have the best assessment for each identified risk.
Risk Register
A management tool used to connect activities and projects to plans and processes. A risk register leads to sound governance and contributes to the monitoring of various risk regulations.
Risk Seeker
A person dominated by a risk seeker attitude may search for the end result in an activity or process. A risk seeker has the greatest potential for reward, but may underemphasize a risk impact, variance, and potential negative effects.
Risk Tolerance
Specific risk limits associated with a given business activity that an organization and its stakeholders are willing to bear within a given strategic context. By establishing a risk tolerance level, senior executives can have a clear vision of the direction they should pursue before they engage in any strategic or financial decision making.
Risk Treatment
Utilizing one or more risk management techniques to reduce the probability of a loss (frequency) and the damages that result from losses (severity). Examples of a treatment are: avoidance, risk reduction, insurance, or acceptance of the risk. The treatment should address all potential threats.
Root Cause Analysis (RCA)
A problem solving method aimed at identifying the root cause of problems or incidents. Practitioners of RCA solve problems by attempting to correct or eliminate root causes so that the likelihood of the problem recurring is minimized.
Return On Investment (ROI)
Return on investment is a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.
Severity
Severity refers to the size of each loss. Combined with frequency, these two factors can help estimate the expected cost of each loss exposure over a given time.
Simple State System
One of four system levels used to describe the degree of severity of an unexpected event. In a simple state system the unexpected event can be resolved through routine decisions.
Stakeholder’s Perspective
Recognizing and supporting an integrated perspective between management and its stakeholders, comprised of individuals, groups, members of the public or private firms. ERM suggests that an organization must work together with the stakeholder environment to intertwine with multiple stakeholder interests in such a way that the interests of shareholders and management’s decisions cannot be entirely split.
Strategic Goal
A goal created by the board or executive staff that is general and/or conceptual, yet defines direction for the organization.
Strategic Plan
An action plan containing strategies, goals, and objectives used to achieve the purpose defined in the mission statement.
Strategic Risk
Services to citizens, capital improvement projects, maintaining growth
Strategic Triangle
The strategic triangle applies three “learning aspects” to the planning process: value strategy, political management, and operational capacity. The interactions between these aspects help to delineate the organization’s strengths and weaknesses.
Sustainable Development
A key strategic objective that recognizes a pattern of resource use aimed at preservation of the environment while meeting the needs of human consumption. Sustainable development directly affects an organization’s ability to achieve its goals while striking a balance, using social, environmental and economic elements to meet its current needs without compromising the ability of future generations to meet their needs.
SWOT Analysis
A process used in enterprise risk management to improve the strategic decision making of an organization by addressing its strengths, weaknesses, opportunities, and threats (SWOT). The SWOT analysis integrates risk management and the strategic planning process to increase awareness of unplanned or emerging risks that can impact the organization’s ability to provide services.
Tactical Objective
An objective created at the line management level to represent specific tasks. These objectives relate to the output of the organization’s products and services.
Technological Risk
Potential losses arising out of technology systems and operations, such as engineering, manufacturing, design processes, and system development. Technological risk evaluates key processes within a company’s core business to determine relative priorities in the production, delivery, and management of its products, services, and support operations.
Vision Statement
An organization’s vision statement should answer the question, “Where do we want to go?” While a vision statement doesn’t explain how to get where you want to go, it does set the direction for your strategic plan.
