Executive Teams and the Use of ISO in Decision Making. Scott Wightman, ARM-E National Director Gallagher ERM Practice


1 Executive Teams and the Use of ISO in Decision Making Scott Wightman, ARM-E National Director Gallagher ERM Practice

2 Agenda: Defining ERM; Mission, Objectives and Uncertainty; Governance and Risk; Varying Levels of ERM Implementation; Using ERM in Decision-Making; Role of Senior Leaders

3 Defining ERM

4 Risk: Traditional Definition. "The possibility that something bad or unpleasant will happen." (Merriam-Webster)

5 Risk Management: Traditional Definition. "Minimizing the adverse effects of accidental losses." (The Institutes)

7 Risk: Broadened Definition. "The effect of uncertainty on objectives." (ISO 31000)

8 Risk Management: Broadened Definition. "Coordinated activities to direct and control an organization with regard to risk." (ISO 31000)

9 The Changing Focus of Risk Management

Historic Risk Management (risk is bad: focus is on transferring risk)
- Insurance
- Specific hazards
- No compliance input
- Separate safety & emergency management
- Silo approach
- Risk Manager = insurance buyer

Advanced Risk Management (risk is an expense: focus is on reducing cost-of-risk)
- Alternative risk transfer techniques
- Proactive prevention & risk reduction
- Integrated approach to claims, contracts, insurance, etc.
- Increased education & accountability
- Collaboration across departments
- Risk Manager may be the risk owner

Enterprise-Wide Risk Management (risk is uncertainty: focus is on optimizing risk to achieve goals)
- Broad range of risks analyzed
- Combination of risk controls & opportunities
- ERM alignment with strategy
- Helps manage growth, allocate capital & resources
- Risks owned by SMEs
- Greater availability of risk mitigation and analytical tools
- Risk Manager = risk moderator, partner, leader; not the owner of every risk

10 ISO The International Risk Management Standard ISO Provides the Architecture

11 ISO The International Risk Management Standard Scalable and Tailorable

12 ISO Risk Management Model

13 Mission, Objectives and Uncertainty

15 Why is Risk Management Important?
1. All organizations exist to achieve their objectives.
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives.
3. The effect this uncertainty has on an organization's objectives is risk.
In summary, the management of risk is central to the livelihood and success of all organizations.

17 The New View of Risk: RISK can be a threat or opportunity. Anything that can harm, prevent, delay, or enhance an organization's ability to achieve objectives = RISK

18 The New View of Risk [Diagram: Organizational Objective, with Threat and Opportunity labels]

20 Governance and Risk

21 ERM as an Integral Pillar of Governance

22 ERM as an Integral Pillar of Governance. Mission: The board sets the overall mission and objectives of the entity and insists that its culture and values are aligned with that mission.

23 ERM as an Integral Pillar of Governance. Strategy: Senior leadership, in conjunction with the board, develops strategic plans to carry out the organization's mission and objectives.

24 ERM as an Integral Pillar of Governance. Stewardship: Financial resources are developed and maintained to ensure the mission and strategic plans are adequately funded.

25 ERM as an Integral Pillar of Governance. Quality: The quality of the entity's programs is planned for and tested in order to maintain demand for the product in the long term.

26 ERM as an Integral Pillar of Governance. Risk: Risks to the entity in meeting its organizational objectives, including threats and opportunities, are identified, assessed, and treated.

27 ERM as an Integral Pillar of Governance. Assurance: A strong management structure and culture is maintained to ensure proper reporting and accountability, and internal and external audits are utilized to bring board assurance.

28 Case for ERM in Decision-Making

"When we first began our URM (University Risk Management) program in 2013, I could not have imagined the value proposition that was about to transcend our institution. What started out as mostly defensive and guarded discussions of threats and barriers to achieving the University mission, quickly and completely turned around into a robust conversation about opportunities and strategic planning. Our senior-level risk committee meetings are lively and well-represented. It is amazing how our cross-functional committee, while staying focused on our risk and compliance-based decisioning model, is driving real innovation and progress throughout the University."

Doug Huffner, J.D., Senior Director and Chief Risk Officer, The Ohio State University

50 What Makes ERM Work?
- Focuses on mission and objectives
- Preserves and creates value
- Emboldens innovation
- Enhances agility and resilience
- Formalizes process and governance
- Improves quality of decisions
- Helps in allocation of resources
- Empowers subject matter experts
- Improves stakeholder confidence and trust

51 Varying Levels of ERM Implementation

55 Three Levels of Risk to Consider: Strategic, Operational, Decision-Making

56 Using ERM in Decision-Making

57 ISO Risk Management Model

66 Role of Senior Leaders

67 Implementation: Centralized Oversight, Decentralized Implementation
- Centralized oversight, centralized implementation: Where some have developed, but centralized implementation requires significant staff and does not take advantage of current subject matter expertise
- Centralized oversight, decentralized implementation: Oversight is at highest levels, including board, but implementation is pushed out to experienced subject matter experts through risk and compliance ownership
- Decentralized oversight, decentralized implementation: Where most entities have been, although with some limited departmental oversight, but does not incorporate board-level reporting and accountability

68 Integrated into Existing Business Practices
Not new functions. Incorporated into:
- Strategic Planning
- Quality Improvement
- Budgeting
- Employee Engagement
- Committee Structure
- Decision-Making
- ..

69 Employment of Ownership Model is Critical
Pushing work out to subject matter experts is essential to success. Risk owners:
- Develop risk treatment plans
- Assemble work teams
- Communicate and report
- Monitor and evaluate
At what level of the organization should ownership reside?

70 Reporting & Accountability Clearly Addressed: Accountability Pushes Down; Reporting Flows Up

71 Role of Senior Leaders
- Support & Commitment
- Tone at the Top
- Board Reporting
- Build in Accountability
- Risk-Aware Culture & Decision Making
- Continual Improvement

72 Questions?