Aligning Key Enterprise Risk to Strategic Initiatives Using Metrics


2 Aligning Key Enterprise Risk to Strategic Initiatives Using Metrics
SSF ID 218
Chrystina Howard, SVP, Willis
Kenneth Felton, SVP, Willis

3 Learning Objectives
At the end of this session, you will:
Learning Objective 1: Understand how to identify key risks that may have an impact on the achievement of organizational goals
Learning Objective 2: Understand how to identify relevant quantitative and qualitative metrics to monitor performance against plan
Learning Objective 3: Understand how to map key relevant risks to core strategic initiatives in order to achieve enterprise objectives

4 Agenda
1. Outline the ERM process, benefits & output
2. Demonstrate the link between ERM success and strategic objectives
3. Using KRIs, KPIs and strategic objectives to optimize achievement of organizational goals

5 Risk Evaluation
Your presentation and handouts are due by April 10. Once uploaded, changes are not permitted until onsite in New Orleans. Update your profile TODAY.

6 ERM Review Must Achieve the Three Es of Assessment
Economy - Controlling the cost of the assessment
Efficiency - Completing the assessment with minimum expenditure of effort
Effectiveness - Achieving the results or benefits based on the stated scope and goals of the assessment

7 Risk Identification: 80/20 Rule
Organizations have a tendency to spend 80 percent of their time identifying risks and only 20 percent of their time doing something to develop risk mitigation strategies to reduce the impact on the organization.
Flip the 80/20 Rule. Spend 80 percent of your time fully articulating, assessing impact and likelihood and developing risk mitigation strategies.

8 Accelerated ERM Process Steps
1. Define the objectives and time scale for assessment
2. Select the optimal cross-functional team for assessment activities
3. Develop Universe of Risks
4. Develop broad prioritization of Universe of Risks
5. Identify most relevant risks for deep analysis
6. Fully articulate and assess risk
7. Develop Performance Improvement Plans
8. Execute Risk Mitigation plans

9 Risk Assessment
The objective is to identify and articulate the most relevant risks that could impact the organization's ability to achieve objectives.
Don't Boil The Ocean.
How is this accomplished:
- Structured interviews
- Internal audits of risk assessments
- Public domain search
- Comprehensive on-line risk survey with write-ins
- Workshops

10 Define Assessment Objectives
Defines the premise on which the assessment is based.
To assess the major risks to Memorial Hospital achieving its strategic business objectives over the next 3 years.

11 Action Required!

12 Risk Prioritization
- Initial objective to grossly prioritize the top risks
- Fully articulate each risk
- Assess Impact and Likelihood

13 Risk Assessment
Fully articulate the risk into component parts:
- Most risk descriptions focus on triggering events
- Essential to identify key drivers or existing characteristics that make the organization vulnerable
- List specific consequences that all stakeholders can understand
- Identify the controls currently in place to specifically address each risk

14 Risk Register
Risk Assessment for: XYZ Financial Institution
Date: 1-May-14
Business Objective(s): Identify and assess major risks to XYZ achieving its strategic objects over the next 3 years
Columns: Risk No. | Exposure & Drivers | Triggers | Consequences | Current Controls | Category | L | I | Gross Risk | Performance Improvement Plans

Risk 1
  Exposure & Drivers: Driver 1, driver 2, driver 3
  Triggers: Triggering event; future potential
  Consequences: Reduction in revenue; increase in expenses; reputation damage
  Current Controls: Policy ABC, protocol XYZ, committee 123
  Category: IT
  Performance Improvement Plans: Action 1, item 2, measure 3

Risk 2
  Exposure & Drivers: Drivers 7-12; driver 4
  Triggers: Loss event due to outside exposures; loss event due to internal exposures
  Consequences: Brand damage; loss of equity; rework; loss of customers
  Current Controls: Gold standard; BCP and trial run off site; backups
  Category: IT
  Performance Improvement Plans: New protocols enacted by board and carried out by senior team

Further row
  Exposure & Drivers: Driver 3, exposure to significant dependence on suppliers
  Triggers: External audit, internal audit or accounting discovery of material finding(s)
  Consequences: Legal action; higher expenses and lower profit margin; loss of market share
  Current Controls: Substantial framework in place; management of risk; loss control steps
  Category: Regulatory
  Performance Improvement Plans: Incremental improvement steps; risk owners; time scale

Scores shown (L, I, Gross Risk): 2, 3, 6

15 Likelihood and Impact Ratings

Three-level scale (frequency and severity: LOW, MODERATE, HIGH)
Impact: Low 1, Med 2, High 3
Probability: Low 1, Med 2, High 3

Impact Score | Impact | Description | Financial Impact
5 | Major / Catastrophic | If this risk were to materialize, the company would find it almost impossible to recover financially. Reputational impact would almost certainly occur. | Financial impact greater than $10M
4 | Significant | The consequences of the risk materializing are severe but could be managed to some extent. | Financial impact of more than $5M but less than $10M
3 | Moderate | The consequences of the risk materializing are less severe and can be managed to a large extent. | Financial impact of more than $2M but less than $5M
2 | Low | The consequences of the risk materializing are considered relatively unimportant. | Financial impact of more than $1M but less than $2M
1 | Negligible | There are no meaningful consequences if this risk materializes. | Financial impact of less than $1M

Likelihood Rating | Likelihood | Description | Frequency
5 | Expected | Occurs often / is to be expected | Annual or 2 year to 3 year type event
4 | Probable | Known to occur / would not be surprising | 5 year to 10 year event
3 | Moderate | Could occur but infrequently | 10 year to 25 year event
2 | Unusual | Could possibly occur but would be rare | 25 year to 50 year event
1 | Remote | Could conceivably occur but would be extremely remote | 50+ year event

16 Risk Map
[Figure: risk map under current controls. Vertical axis, likelihood: Remote, Unusual, Possible, Probable, Expected. Horizontal axis, impact: Negligible, Low, Moderate, Significant, Catastrophic. N.B. - Bubble size shows how many risks intersect at that point. Zone labels: Control Causes, Immediate Action, Monitor, Contingency Plans. A companion panel rates Risks 1 to 19 as LOW / MOD / HIGH for likelihood and impact, grouped under Financial, Research Center, Employment Practices, Green Lab, Patient-Oriented Research and Commodity.]

17 Source of Risk
Analysis by Source of Risk and Stratified by Risk Rank

Category | Count | Average Score
Economic | 5 | 8
Investments | 2 | 5
Natural Events | 0 | 6
People | 7 | 10
Political / Social | 6 | 10
Processes | 2 | 6
Products / Services | 2 | 8
Strategy and Policy | 2 | 15
Technology / Industry change | |

Risk rank (RR) bands in the chart legend: <RR<=25, 15<RR<=20, 10<RR<=15, 5<RR<=10, RR<=5
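
The scoring on slides 15 to 17, worked through in code. This is an added example, not part of the original presentation; the sample register is constructed, and the handling of values that fall on or between the slide's ranges is an assumption stated in the comments.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict

# Impact cut-offs (USD) from slide 15: <1M=1, 1-2M=2, 2-5M=3, 5-10M=4, >10M=5.
# Assumption: a loss exactly on a cut-off takes the higher score.
IMPACT_CUTS = [1_000_000, 2_000_000, 5_000_000, 10_000_000]
# Slide 17 bands. The top band is labelled "RR>20" here because the slide's
# own label for that band is truncated.
BAND_CUTS = [5, 10, 15, 20]
BAND_LABELS = ["RR<=5", "5<RR<=10", "10<RR<=15", "15<RR<=20", "RR>20"]

def impact_score(loss_usd):
    return 1 + bisect_right(IMPACT_CUTS, loss_usd)

def likelihood_score(return_period_years):
    # Slide 15: up to 3y=5, 5-10y=4, 10-25y=3, 25-50y=2, 50+y=1.
    # Assumption: the unlisted 3-5 year gap and shared boundaries score higher.
    if return_period_years < 5:
        return 5
    return 4 - bisect_left([10, 25, 50], return_period_years)

def gross_risk(loss_usd, return_period_years):
    # Likelihood x impact, matching the slide 14 register (L=2, I=3, gross 6).
    return likelihood_score(return_period_years) * impact_score(loss_usd)

def band(rr):
    return BAND_LABELS[bisect_left(BAND_CUTS, rr)]

def stratify(register):
    """Return {category: (count, average score, {band: count})}."""
    scores = defaultdict(list)
    for category, loss_usd, years in register:
        scores[category].append(gross_risk(loss_usd, years))
    out = {}
    for category, values in scores.items():
        bands = defaultdict(int)
        for rr in values:
            bands[band(rr)] += 1
        out[category] = (len(values), sum(values) / len(values), dict(bands))
    return out

# Constructed sample: (category, estimated loss in USD, return period in years).
SAMPLE_REGISTER = [
    ("People", 3_000_000, 8),
    ("People", 12_000_000, 30),
    ("Economic", 6_000_000, 2),
    ("Processes", 500_000, 60),
]

if __name__ == "__main__":
    for category, (count, avg, bands) in stratify(SAMPLE_REGISTER).items():
        print(f"{category:10} count={count} avg={avg:.1f} {bands}")
```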

18 Performance Improvement Plan
Practical, Realistic, Impactful, Measurable

Risk Number: 4
Risk Description: ER Service line / Patient flow
Responsible: Jake
Risk Scores: Likelihood | Impact | Gross Risk | Risk Rank
Underlying Vulnerabilities: Critical patient wait time in ED for room assignment/treatment; Excessive length of stay across hospital; CMS core measure; Appropriate and competent staffing
Triggers: Extended stay in the ER; Overcrowding
Consequences: Patient safety; Lost revenue; Clinical and patient dissatisfaction; Poor patient outcome; ED diversion; Increased costs; Damaged relationship with FD and EMS; Reputation damage
Current Controls: Lean Six Sigma; Monitor ED Throughput; Data Transparency; Rounding

[Chart: likelihood (1 to 5) against impact (1 to 5), before improvement and after improvement]

Action | Deliverables | Measure of Success | Allocated to | Target Date
Early phlebotomy and lab results | Lab results delivered prior to 9:00 A.M. / Analysis of results | Documented proof that 90% of A.M. labs by 9:00 A.M. | John | Completed / Ongoing
Continue Current Patient Assignment Program | Re-education for appropriate assignment of patient intensity | Reduced treat and release times | Tom / ED Nurse Manager | Ongoing
New Clinical Bed Management Program | Implement Program (including Orienting of 2.0 FTEs and Redesign patient throughput plan) | Decreased holding times (DTA to Depart) | Kathy | 9/1/2013
Increase in Provider FTEs | Physician extenders available (Pending approval) | Decreased percent of patients leaving without being seen (LWBS) | Tom / ED Nurse Manager | Ongoing
Continue RN and Patient Care Associate (PCA) Staffing | Recruit and retain / Increase RN and PCA staffing ratios | Decreased RN and PCA turnover | Kathy | 9/1/2013

19 What ERM Achieves
- Systematic & objective management of multiple and cross-enterprise risks
- Reduce operational surprises to better seize opportunities
- Improves business performance
- Links risk management to organizational performance and aligns with strategic planning
- Increases risk awareness throughout the organization

20 What ERM Achieves
- Increased decision support for resource allocation
- Reduction in the total cost of risk
- Optimizes capital efficiency
- Improves organizational value and sustainable competitive advantage
- ERM aligns strategy, people, processes, technology, knowledge, with the objective of continuously improving the organization's risk management capabilities over time

21 Organizational Objective Setting
If you don't know where you're going, then any road will get you there. This line from Alice in Wonderland is true for many organizations (1).
The importance of setting appropriate objectives is itself an organizational objective.
Strategy setting is a fluid and dynamic process.
(1) The Importance and Value of Organizational Goal Setting, Managing and Achieving Organizational Goals, pg. 1.

22 Links Between Strategy and Risk
The company's management and its board of directors should analyze the links between various strategic options and the risks they entail when entering into a strategic planning process (Smith, 2012).
Risks are constantly changing; there is an increasing demand for timely and relevant information.
Source: Walid Ben-Amar, Ameur Boujenoui & Daniel Zéghal, The Relationship between Corporate Strategy and Enterprise Risk Management: Evidence from Canada, Journal of Management and Strategy Vol. 5, No. 1; 2014, pg. 1

23 Goals
1. Understand the relationships between objective-setting, the management of risks to those objectives, and the internal controls that manage those risks to acceptable levels.
2. Understand that it is important to identify, understand, and manage risks to the setting of objectives, and that is achieved by effective related internal control.
3. Ensure you have an effective set of processes for identifying, understanding, and assessing risks to the setting and achievement of objectives.

24 Effective KRIs
The selection of effective Key Risk Indicators (KRIs) starts with a firm understanding of organizational objectives and risk-related events and uncertainties that may affect the achievement of those objectives.

25 KRIs (Key Risk Indicators) v. KPIs (Key Performance Indicators)
The two types of indicators should be implemented by any enterprise that wants to be effective in its management.
- KPIs are key performance indicators focused especially on the historical performance of the enterprise or its key operations. KPIs tell us if we will achieve our goals.
- KRIs provide real-time indicators that offer information about emerging risks. KRIs help us understand changes in risk profile, impact and likelihood to achieve our goals.
Source: Emil Scarlat, PhD, Nora CHIRITA, PhD, Indicators and Metrics used in the Enterprise Risk Management (ERM),

26 Four Categories of Indicators
- Coincident indicators can be thought of as a proxy measure of a loss event and can include internal error metrics or near misses.
- Causal indicators are metrics that are aligned with root causes of the risk event, such as system downtime.
- Control effectiveness indicators provide ongoing monitoring of the performance of controls. Measures may include control effectiveness, such as percent of supplier base bypassing controls, such as dollars spent with non-approved suppliers.
- Volume indicators (sometimes called inherent risk indicators) frequently are tracked as key performance indicators; however, they also can serve as a KRI. As volume indicators change, they can increase the likelihood and/or impact of an associated risk event.
Source: Aravind Immaneni, Chris Mastro and Michael Haubenstock, A Structured Approach to Building Predictive Key Risk Indicators, Operational Risk: A Special Edition of The RMA Journal, May 2004, pg. 42.

27 Organizational Efficiency
Organizations exist to create value
1. When an organization adds value with minimal resources it becomes efficient
2. Six Sigma is a quality management process to control defects and produces an efficiency of %
3. Six Sigma is when the upper and lower specification limits are at a distance of 6 standard deviations (σ) from the mean (µ)
4. Normal distribution - values lying that far from the mean are considered very unlikely to occur
5. DMAIC (Define-Measure-Analyze-Improve-Control)

28 CQI and Your Metrics
Use a six-step process that incorporates various Six Sigma tools:
1. Identify existing metrics.
2. Assess gaps.
3. Improve metrics.
4. Validate and determine trigger levels.
5. Design dashboard.
6. Establish control plan.
Source: Aravind Immaneni, Chris Mastro and Michael Haubenstock, A Structured Approach to Building Predictive Key Risk Indicators, Operational Risk: A Special Edition of The RMA Journal, May 2004, pg. 43.

29 Action Required!

30 Action Required! Maximo Schliemann, Establishing Key Risk Indicators for IT,, July 31, 2012, slide 25.

31 Action Required! COSO Developing Key Risk Indicators to Strengthen Enterprise Risk Management, December 2010, pg. 5.

32 Strategic Risk Model

33 Metrics offer multiple benefits
- Early identification of trends and issues
- Represents a source of critical information for control
- Provides information about the likelihood of achieving target sites
- Helps to make decisions based on information
- Helps in evaluating performance
Source: Walid Ben-Amar, Ameur Boujenoui & Daniel Zéghal, The Relationship between Corporate Strategy and Enterprise Risk Management: Evidence from Canada, Journal of Management and Strategy Vol. 5, No. 1; 2014, pg. 1

34 Metrics offer multiple benefits
- Leads to a proactive management
- Improves future estimates and performance
- Evaluates success and failure
- Improves customer satisfaction
Source: Walid Ben-Amar, Ameur Boujenoui & Daniel Zéghal, The Relationship between Corporate Strategy and Enterprise Risk Management: Evidence from Canada, Journal of Management and Strategy Vol. 5, No. 1; 2014, pg. 1

35 The Value of Metrics on ERM
Conclusion: Organizing, monitoring, reviewing and communicating KRI progress and its impact on KPIs provide a holistic risk management strategy which increases the value of the business. These metrics align performance with timely decision making, resource allocation and the achievement of strategic initiatives.

36 Just in Case