IMPLEMENTING PUBLIC SECTOR ENTERPRISE RISK MANAGEMENT. Oh, Please Tell Me More!


1 IMPLEMENTING PUBLIC SECTOR ENTERPRISE RISK MANAGEMENT Oh, Please Tell Me More!

2 Implementing Public Sector ERM: ERM Definition of Risk
Internal and external factors that influence outcomes and determine whether an organization will achieve its goals/objectives.

3 DAS Definition of ERM
A sustainable and repeatable process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of strategic goals and objectives.

4 Why Launch ERM?
Traditional RM:
- Reactive
- Insular
- Exclusionary
- Harm-driven
- Disaster-based
- Static
ERM:
- Proactive
- Broad-based
- Integrated
- Collaborative
- Strategy-driven
- Opportunity-based
- Flexible
- Evolutionary

5 ERM Launch Sequence
- Identify stakeholders
- Define objectives for stakeholders
- Select key threats
- Quantify key threat scenarios
- Focus mitigation efforts
- Determine risk appetite and risk limits
- Inform decision-making

6 Recipe for Success
- Keep it SIMPLE
- Attack threats one at a time
- Empower ERM working groups
- Report and implement
- Follow up and refine
- Reaffirm risk priorities
- Reassess periodically and adjust

7 DAS Goals
- Improve efficiency and effectiveness of operations
- Develop a quality, high-performing workforce
- Improve customer relations and communications
- Institutionalize cyber security and emergency preparedness

8 Initial Survey Questions
- What threats are likely to prevent DAS from reaching its top 5 goals?
- How can these threats be addressed?
- What opportunities will be realized if DAS mitigates the threats you've identified?

9 Survey Responses
1. Reduction of benefits
2. Low morale
3. Budget cuts
4. Poor communication
5. Lack of support/trust from stakeholders
6. Employee turnover
7. Insufficient employee training/support
8. Failure to demonstrate operational effectiveness
9. Failure to plan for disruption of operations
10. Failure to understand customer needs
11. Insufficient resources to meet job expectations
12. Lack of teamwork
13. Legal and regulatory uncertainty
14. Wasteful/ineffective spending

10 Opportunity Responses
- A strong, unified department that can endure the challenges the future may bring.
- DAS will be the model for other programs in the State.
- DAS services will be viewed as essential by internal and external customers.

11 Threat Ranking
Risk Scorecard - Combined (Risk ID, Identified Risk):
- R1: Reduction of benefits (pay, retirement, health insurance)
- R2: Low employee morale
- R3: Budget cuts
- R4: Poor communication between all levels
- R5: Lack of support/trust from our partners
- R6: Employee turnover (for any reason) resulting in increased workload for remaining employees
- R7: Lack of support in training employees and maintaining expertise
- R8: Failure to demonstrate value or operational efficiencies
- R9: Failure to plan effectively for a major disruption of operations
- R10: Insufficient understanding of our customer's needs
- R11: Lack of resources to effectively meet job expectations
- R12: Uncertainty about changes to State Rules, State laws, or federal regulations that might impact employee's job or job duties
- R13: Ineffective or no teamwork among employees
- R14: Wasteful or ineffective spending
[Chart: Risk Scorecard - Combined, plotting each Risk ID by Likelihood against Impact. The per-risk likelihood and impact scores did not survive the transcription.]

12 Measuring Progress

13-15 Monitoring Risk Register
[Three slides showing the risk register; the register contents are not in the transcription.]

16 Risk Response Strategies
- Avoidance: eliminating the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk
- Share or insure: transferring or sharing a portion of the risk, or financing it
- Accept: no action is taken, due to a cost/benefit decision

17 Employee Survey Participation
[Chart: number of survey participants per survey round: Jun-11, Sep-12, Jun-13, Sep-14, Sep-15, Jan. Participant counts are not in the transcription.]


21 Survey Progression
Employee Survey Results - Threat Ranking (columns: Risk ID, 11-Jun, 12-Sep, 13-Jun, 14-Sep, 15-Sep, 27-Jan; the per-round rankings are not in the transcription except where noted):
- Reduction of Employee Benefits
- Insufficient Operational Efficiency/Value Compared to Private Sector/Competition
- Budget Cuts
- Failure to Engage in Continuity Planning
- Wasteful/Ineffective Use of Resources
- Lack of Support/Trust from Customers, Legislature, Governor's Office, etc.
- Insufficient Understanding of Customers' Needs
- Poor Agency-Wide Communication
- Failure to Mitigate for Cyber Liability and Reputational Threats (R6; N/A in the rounds before it was added)
- Low Employee Morale, High Turnover, Lack of Training and Teamwork

22-31 Ranking by Year, per Threat
[One chart per slide plotting the threat's survey ranking against survey year; the ranking values are not in the transcription.]
- 22 R1: Reduction of Employee Benefits
- 23 R2: Low Employee Morale, High Turnover, Lack of Training and Teamwork
- 24 R3: Budget Cuts
- 25 R4: Poor Agency-Wide Communication
- 26 R5: Lack of Support or Trust from Customers, Legislature or Governor's Office, etc.
- 27 R6: Failure to Mitigate for Cyber Liability and Reputational Threats
- 28 R7: Wasteful or Ineffective Use of Resources
- 29 R8: Insufficient Operational Efficiency or Value Compared to Private Sector/Competition
- 30 R9: Insufficient Understanding of Customers' Needs
- 31 R10: Failure to Engage in Continuity Planning


33 ERM Phase Two
- Consider new priorities
- Evaluate other stakeholders
- Develop credible worst-case scenarios (with SMEs)
- Rank credible worst-case scenarios
- Compare to qualitative risk assessments
- Reassess priorities

34 DAS ERM Deliverables
- HR Council
- IT Council
- Shared Services Consolidation
- TOC/TOS Training
- State of Department Briefings
- Cyber Insurance
- Leadership Academy
- GOMB/Legislative Training
- COOP Planning/DEM Collaboration
- DAS University (DASU)
- Employee Policies
- ECO Passes
- Wellness Walks
- Non-cash Incentives

35 Questions?
Brian Nelson, Director
Utah Division of Risk Management
5120 State Office Building
Salt Lake City, UT
(801)