Enterprise Risk Management ServiceSource’s Risk Management Program A Plan for Success
Presented by: Scott A. Kuebler, Ph.D., Vice President, Safety, Security & Risk Management, ServiceSource. Email: Skuebler@ourpeoplework.org
Acknowledgement: Brad Kuhn – Carnegie Quality (http://www.carnegiequality.com) for spreadsheet design
What is a risk? Scott’s definition – “The potential for some event to have a significant negative impact on the organization, tangible or intangible, as measured by both its likelihood to occur and its resulting impact.”
What can a risk event impact? A risk event can impact: • Direct cost to the organization (loss of revenue, fines, etc.) • Loss of valued physical assets (property loss) • Injury/death to employees or others • Negative impact on the organization's reputation
Risk impact example – Operation: Mail Services. Risk Event: Sensitive material lost and potentially exposed to the outside world. Potential Impact: Reputation as it relates to performance. Potential Result: Contract loss; failure to qualify for additional or new contracts.
What is not a risk? • If the event already happened – that's history and a learning event. • If the event in question is a "certainty" – make it part of an existing operational, insurance or similar plan. For example, a scheduled DOL audit is not a "risk" – it is a manageable event. • If the event or issue is generally accepted as "impossible" or "improbable" (a meteor destroying your facility).
Why have a risk management plan? A risk management plan, working in partnership with an organization's strategic plan, is like upgrading from a paper roadmap to a GPS system. While the roadmap is great at providing the information needed to get from point "A" to point "B", no one would question the wisdom of a GPS system that provides up-to-date directions with alternatives, real-time traffic reports, voice-enhanced directions, etc. In short, a proactive risk management plan provides the data that allows an organization to identify and then eliminate, mitigate or knowingly accept identified risks, all with the intent of making the organization more adept at success!
What does a risk management plan do? From "Framework for Environmental Health Risk Management", The Presidential/Congressional Commission on Risk Assessment and Risk Management.
Risk management process – Steps in the risk management process:
1. Planning
2. Risk Identification
3. Prioritization
4. Control & Monitoring (Tracking, Management, Reporting)
5. Closure & Audit
Step One - Planning
• Determine who will be involved in the process (accountability). • Gain management buy-in at every level. • Know how you are going to collect, track, trend and present information. • Align the program with the organization’s mission, vision and strategic goals/objectives.
Step One – Planning (Risk Management Process diagram)
• Planning: Responsibilities, Methods, Buy-in, Align with Mission, Vision, Strategic Plan
• Remaining steps: Risk Identification, Prioritization, Control & Monitoring, Closure & Audit
Step Two – Identification of Risk • Experience/History • Experts • Brainstorming • Formal Assessments • Surveys
Step Two – Risk Identification (Risk Management Process diagram)
• Planning: Responsibilities, Methods, Buy-in, Align with Mission, Vision, Strategic Plan
• Risk Identification: Experience, Experts, Brainstorming, Assessments, Surveys
• Remaining steps: Prioritization, Control & Monitoring, Closure & Audit
Step Three – Prioritization. Two criteria to examine:
1. Probability (likelihood) that the event identified will happen – minimal/unlikely to high/very likely
2. Consequence (impact or severity) the event would cause if it happened – low or minor impact to high or severe (catastrophic) impact
Step Three – Prioritization: 3×3 risk matrix, Severity of Occurrence (1–3, vertical axis) against Probability of Occurrence (1–3, horizontal axis); cells coloured Green (lowest), Yellow, Red (highest).
Step Three – Prioritization: 5×5 risk matrix, Probability of Occurrence (Very Low, Low, Moderate, High, Very High) against Consequence of Occurrence (Very Low, Low, Moderate, High, Very High); cells rated Low Risk, Medium Risk or High Risk.
Step Three – Assessment: Risk Priority Table (Impact)

Significant:
• Financial loss >$100,000
• Impact on organization's reputation
• Major safety issues w/potential to harm
• Imposed fines, fraud, crime, etc.
• Liability exposure & legal actions
• Significant IT system issues
• Labor disruption, major contract issues, etc.

Moderate:
• Financial loss <$50,000
• Safety issues violating OSHA, insurance, etc.
• Isolated criminal activity/fraud
• IT issues w/potential to affect ops.
• Multiple employee grievances
• Management issues affecting operations
• Labor & contract issues

Minor:
• Financial loss <$10,000
• Isolated safety issues w/o potential to harm
• Non-criminal and non-liability legal issues
• Minor IT related issues
• Minor and isolated employee issues
• Internal audit/inspection issues
• Misc. issues w/potential to impact ops.
Step Three – Scoring table (Impact vs. Likelihood). Each cell gives the impact score and the probability score assigned to that combination:

                   Low likelihood        Moderate likelihood    High likelihood
High impact        impact 7 / prob 3     impact 7 / prob 7      impact 10 / prob 10
Moderate impact    impact 3 / prob 3     impact 5 / prob 5      impact 5 / prob 10
Low impact         impact 1 / prob 1     impact 3 / prob 5      impact 3 / prob 10
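The scoring table above is the kind of "consistent, easy, understandable" rating system the deck calls for, and the register in Step Four is what it feeds. The following Python is an added example, not part of the original slides or the ServiceSource spreadsheet: it encodes the nine impact/likelihood cells exactly as shown, ranks a register, and enforces a closure gate in the spirit of Step Five. Three things are assumptions made here and not stated on the slides: the two cell scores are combined by addition; a risk may be closed only once it has a chosen strategy and a written response plan; and the impact/likelihood levels assigned to the sample register entries (whose descriptions come from the Step Four register) are invented for illustration.

```python
"""Risk register scoring and closure gate.

Added example (not from the original slides). The RATING_TABLE values are the
nine cells of the Step Three scoring table; everything about how they combine
and when a risk may be closed is an assumption made in this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (impact level, likelihood level) -> (impact score, probability score),
# copied cell by cell from the Step Three scoring table.
RATING_TABLE: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("high", "low"): (7, 3),
    ("high", "moderate"): (7, 7),
    ("high", "high"): (10, 10),
    ("moderate", "low"): (3, 3),
    ("moderate", "moderate"): (5, 5),
    ("moderate", "high"): (5, 10),
    ("low", "low"): (1, 1),
    ("low", "moderate"): (3, 5),
    ("low", "high"): (3, 10),
}

STRATEGIES = ("transfer", "mitigate", "accept", "avoid")   # Step Four
STATUSES = ("open", "resolved", "retired", "triggered")    # Step Five


@dataclass
class Risk:
    risk_id: int
    category: str
    description: str
    impact: str        # "low" | "moderate" | "high"
    likelihood: str    # "low" | "moderate" | "high"
    owner: str
    strategy: Optional[str] = None
    response: str = ""
    status: str = "open"

    def scores(self) -> Tuple[int, int]:
        """Look up (impact score, probability score); reject unknown levels."""
        try:
            return RATING_TABLE[(self.impact, self.likelihood)]
        except KeyError:
            raise ValueError(
                f"risk {self.risk_id}: impact and likelihood must be "
                "low, moderate or high") from None

    def score(self) -> int:
        # Assumption: combined score = impact score + probability score.
        impact_score, probability_score = self.scores()
        return impact_score + probability_score


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest combined score first; ties broken by lowest risk ID."""
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))


def plan_response(risk: Risk, strategy: str, response: str) -> Risk:
    """Record one of the four control methods plus a written plan."""
    if strategy not in STRATEGIES:
        raise ValueError(f"strategy must be one of {STRATEGIES}")
    if not response.strip():
        raise ValueError("a response plan is required")
    risk.strategy = strategy
    risk.response = response
    return risk


def can_close(risk: Risk) -> bool:
    """Closure gate: decide the qualifying elements in advance (Step Five).
    Assumption here: a chosen strategy and a non-empty response plan."""
    return risk.strategy is not None and bool(risk.response.strip())


def close_risk(risk: Risk, status: str = "resolved") -> Risk:
    """Move a risk to a closed status only if it passes the closure gate."""
    if status not in STATUSES:
        raise ValueError(f"status must be one of {STATUSES}")
    if status in ("resolved", "retired") and not can_close(risk):
        raise ValueError(
            f"risk {risk.risk_id} cannot be closed without a strategy and plan")
    risk.status = status
    return risk


def open_risks(risks: List[Risk]) -> List[Risk]:
    """Risks still needing attention: open or triggered."""
    return [r for r in risks if r.status in ("open", "triggered")]


# Constructed sample register: descriptions from the slides' Step Four
# register; impact/likelihood levels and owners are assumed for illustration.
SAMPLE_REGISTER = [
    Risk(1, "Operations", "Housing boards do not have D&O coverage.",
         "high", "low", "Housing management"),
    Risk(2, "Operations", "CARF Certification",
         "high", "moderate", "Quality Manager"),
    Risk(3, "Finance", "Formalized expenditure and revenue approval process.",
         "moderate", "moderate", "CFO team"),
    Risk(4, "Information Technology",
         "Lack of a readily available method to transmit sensitive data.",
         "high", "high", "IT team"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(r.risk_id, r.score(), r.category, "-", r.description)
```

Because the table is a fixed lookup rather than a formula, two risks in the same cell always score the same, which is the consistency property the slide asks for; the ranking above puts the "high/high" IT item first and leaves the D&O and approval-process items tied, so the tie-break by risk ID (earliest raised) is deliberate and visible.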
Step Three – Prioritization (Risk Management Process diagram)
• Planning: Responsibilities, Methods, Buy-in, Align with Mission, Vision, Strategic Plan
• Risk Identification: Experience, Experts, Brainstorming, Assessments, Surveys
• Prioritization: Probability, Impact, Rating System (Consistent, Easy, Understandable)
• Remaining steps: Control & Monitoring, Closure & Audit
Step Four – Control & Monitoring Four Methods to Control Risk: • Transfer • Mitigate • Accept • Avoid
Step Four – Control & Monitoring: Risk Identification register
Register columns: Risk ID, Risk Category, Affiliate/Operation, Risk Description, Owner, Date Raised, Source. Entries shown (Affiliate/Operation and Owner not shown):

Risk ID | Risk Category | Risk Description | Date Raised | Source
1 | Operations | Housing boards do not have D&O coverage. | 11/01/10 | Internal Audit/Review
2 | Operations | CARF Certification | 11/01/10 | Internal Audit/Review
3 | Finance | Formalized expenditure and revenue approval process. | 11/01/10 | External Audit/Review
4 | Information Technology | Lack of a readily available method to transmit sensitive data. | 11/01/10 | Internal Audit/Review
5 | Human Resource | Ethics Training Requirements | 11/01/01 | Internal Audit/Review
6 | Operations | Paint booth is out of compliance with NFPA codes | 11/01/10 | External Audit/Review
7 | Human Resource | Current policy titled "Code of Ethics, Conduct and Corporate Compliance" (300.38) does not contain proper "whistleblower" protection. | 11/01/10 | Internal Audit/Review
Step Four – Prioritization, Response Planning and Monitoring (register continued)

Risk Analysis (shown for risks 1–3; in each row the matrix score equals impact plus probability):

Risk ID | Impact | Probability | Matrix Score | Qualitative Impact
1 | 5 | 0 | 5.00 | D&O exposure without coverage and potential risk of losing directors.
2 | 9 | 3 | 12.00 | Loss of certification; loss of income streams where this is required; and loss of reputation.
3 | 4 | 4 | 8.00 | Lack of a formalized and consistent approval matrix governing expenditures/revenue leaves the organization vulnerable to misuse or misappropriation of funds.

Response Planning and Risk Monitoring/Control:

Risk ID | Risk Strategy | Response Notes/Plan | Status | Notes
1 | Transfer | Worked with Housing management and brokers/carriers to develop and implement an insurance solution. | Resolved | Our D&O policy in place.
2 | Mitigate | New Quality Manager will be working with each affiliate to ensure CARF compliance. | Open |
3 | Mitigate | CFO team is developing a formalized process that will include an authority matrix. | Resolved | Authority matrix approved and published.
4 | TBD | Issue has been referred to the IT team. | Open |
5 | | HR developed and implemented a vigorous ethics program with ongoing training. All employees are now required to receive this training upon hire and then must take a refresher course annually. | Resolved |
6 | Mitigate | SSRM Team has started safety audits. | Open |
Step Four – Control & Monitoring (Risk Management Process diagram)
• Planning: Responsibilities, Methods, Buy-in, Align with Mission, Vision, Strategic Plan
• Risk Identification: Experience, Experts, Brainstorming, Assessments, Surveys
• Prioritization: Probability, Impact, Rating System (Consistent, Easy, Understandable)
• Control & Monitoring: Categorized, Described, Assigned, Prioritized, Response, Monitored
• Remaining step: Closure & Audit
Step Five – Closure. Closure or status possibilities: • Resolved • Retired • Open • Triggered
Understanding Closure:
• Know in advance what elements are required to "qualify" an issue for closure!
• Update the organization's Risk Management Plan to account for issue closure.
• Maintain archives for future reference, auditing and "proof" when required.
• External Audit
Step Five – Closure & Audit (Risk Management Process diagram, complete)
• Planning: Responsibilities, Methods, Buy-in, Align with Mission, Vision, Strategic Plan
• Risk Identification: Experience, Experts, Brainstorming, Assessments, Surveys
• Prioritization: Probability, Impact, Rating System (Consistent, Easy, Understandable)
• Control & Monitoring: Categorized, Described, Assigned, Prioritized, Response, Monitored
• Closure & Audit: Understand, Update Plans, Archive, External Review
Resources • Ethics Resource Center - http://www.ethics.org/ • Carnegie Quality - http://www.carnegiequality.com/ • Committee of Sponsoring Organizations of the Treadway Commission (COSO) - http://www.coso.org/ • Nonprofit Risk Management Center - http://www.nonprofitrisk.org/
Scott A. Kuebler, Vice President, Safety, Security & Risk Management, ServiceSource, skuebler@ourpeoplework.org
Enterprise Risk Management A Real Life Example Peckham, Inc
Presented By
Jo Sinha Corporate Vice President
Really? Plan for Risk?
• Planning begins with a systematic approach to identification – a simple matrix of potential exposures for various classes of assets/resources that: describes the risk; assigns a priority level; designates and documents the control mechanism; assigns owners; sets reporting periods.
Risk Identification • Formal Process – Matrix e-mailed to all management staff – Summary of previous year’s events and plan – Facility Team, Safety Team, Cross Team Involvement • Informal Process – Basic question – what keeps you awake at night? – Asked across all levels of the organization – Easier for folks to identify with
Risk Planning • Update the matrix with responses from the formal and informal process – example:
Service Delivery Exposure: Economic conditions
Priority: High
Description: Funding for WIA, PWI, Medicaid, MPRI, JET, SE all at risk
Control:
• Visits with elected officials
• Get out the Vote
• ACCSES membership
• Parent group list serve
• Launch client intranet site for education resources
• Train more staff in advocacy
• Train more staff in grant writing
• Service staff hiring freeze
• Outcome information available
Internalizing Risk Management • Incorporated into our Business Plan • Integrated into day-to-day operations • Part of our strategy map and balanced scorecard process • Quarterly reporting
Control Mechanisms • Examples Risk = HR identifies national increase in rates of employee lawsuits Controls – Transfer the risk by purchasing Employment Practices insurance – Mitigate the risk by increasing supervisor training
Control Mechanisms • Examples (continued) Risk = High incidences of slip and fall on the apparel floor due to threads and fleece dust Control – Avoid the risk by analyzing cost of slip and fall – New anti-slip floor coating pays for itself, install new floor
Control Mechanisms • Examples (continued) Risk = Misconduct by employees. Controls:
• Mitigate – Annual ethics training; Segregation of duties in accounting/strong internal controls; Active Board Audit committee; EthicsPoint Reporting options; Corporate Compliance program; Internal audit programs for CARF, ISO standards and MIOSHA
• Transfer – Liability Umbrella
• Avoid – Background and reference checks before hire
Contract/Corporate Compliance • Know your FAR Clauses
Integrate into Business Systems • ISO Quality Management – Supplier performance; Contract reviews; Document control; Standardized processes; Internal and external audits
• CARF Accreditation – Standards for Governance, Legal Practices, Risk Management, Corporate Compliance, Quality of programs and services
Strategic Risk Management • Managing risk while maximizing opportunity – Risk inherent in every opportunity – Don’t bet the farm – Take small calculated risks and measure results • Peckham Farms – Purchased extra land for warehouse project – 60 acres available for farming – Planting 3 acres this year – Measure the results against revenue goals – 1-2 year plan, 3-5 year plan, 5-10 year plan
Strategic Risk Management • Last thoughts – Share information; Look for trends; Stay informed; Ask questions; Build infrastructure to manage risk
Questions? Scott A. Kuebler, Vice President, Safety, Security & Risk Management, ServiceSource, skuebler@ourpeoplework.org; Jo Sinha, Corporate Vice President, Peckham, Inc, jsinha@peckham.org
Session Evaluation Information
SESSION TITLE: Risk Mgmt SESSION CODE: L-T300