CSU Fitting the Pieces Together Risk Conference April 28, André Le Duc Executive Director Enterprise Risk Services University of Oregon

Transcription

1 Creating Resilient Universities Advancing ERM & Organizational Resilience on Campus CSU Fitting the Pieces Together Risk Conference April 28, 2015 André Le Duc Executive Director Enterprise Risk Services University of Oregon

2 Learning Objectives Understand the core differences and strengths/weaknesses of enterprise risk management (ERM) and Organization Resilience (OR) models and philosophies. Learn ways to integrate ERM and OR to help achieve programmatic and institutional directives. Review simple tools and resources to help start or advance the process of building a more resilient university. 2

3 Presentation Overview Concepts Integration Examples 3

4 Defining the concepts Enterprise Risk Management Organizational Resilience The concept of resilience encourages us to ask a different set of questions about the way we manage our resources-and therefore ourselves. Brian Walker Defining the Buzz words Communication Coordination Collaboration "Coming together is a beginning, staying together is progress, and working together is success." - Henry Ford 4

5 Among a growing number of scientists, social innovators, community leaders, non-governmental organizations, philanthropies, governments and corporations, a new dialogue is emerging around a new idea, resilience: how to help vulnerable people, organizations and systems persist, perhaps even thrive, amid unforeseeable disruptions. Where sustainability aims to put the world back into balance, resilience looks for ways to manage in an imbalanced world. Andrew Zolli Source: 5

6 Bringing the concepts together It is not about which approach or process is right and which one is wrong. It is an evolution in our thinking and processes to address the dynamic and complex environments in which we operate. Organizational Resilience Enterprise Risk Management Traditional Risk Management 6

7 Hey, what do you say we both be independent together! 7

8 Defining the three C s Understanding the concept of shared risk and shared reward Communication Informal Relationships Information shared only No clearly defined mission, structure, or planning effort Resources kept separate Autonomous authority retained Coordination More formalized Relationships Understanding of shared mission Coordination occurs around a specific effort or program Open communication channels between organizations Resources are made available to participate Rewards are shared Collaboration More durable relationships Share vision and mission Comprehensive planning required Well-defined communication on all levels Each member contributes resources and reputation Collaborative structure determines authority Partners pool or jointly secure resources Results and rewards are shared Risks are much greater 8 Virtually no risk Risk increases

9 Enterprise Risk Management (ERM) 9 Image Source:

10 ERM Defined Enterprise risk management is a strategy setting process applied across the enterprise. Enterprise risk management is designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives. 10

11 ERM Key Concepts An ongoing process that flows throughout the organization or governance structure. Realized not just by policy manuals and forms, but by peoples actions at every level of an organization. Applied in strategy setting and across the organization. Expected to provide reasonable assurance, not absolute assurance, to an entity s management and board or community leadership. Designed to achieve strategic objectives in one or more separate but overlapping categories. Source: Committee of Sponsoring Organizations of the Treadway Commission 11

12 ERM Framework Leadership Process Management & Integration Culture Board of Directors ERM Committee ERM Management Group Identify Risk Exposures Quantify Risk Exposures Plan for Risk Reduction Respond to Risk Strategic Planning Internal Audit Compliance Risk Transfer Budgeting Process Capital Allocation Common Language Risk Awareness Communication Information Sharing Risk Ownership Monitor & Report Results Learn & Improve 12

13 The Goal is a Holistic View of Risks Source:

14 Ability to Plot and Track Risk Source: Evolving Risk Management: Fundamental Tools, chapter 4 from the book Enterprise and Individual Risk Management

15 The Concept of Resilience Originally conceived as a way to think about ecosystems and the dynamic processes and occur within a system Adaptive Change! 15

16 So what is Organizational Resilience? A resilient organization is one that is still able to achieve its core objectives in the face of adversity. This means not only reducing the size and frequency of crises (vulnerability), but also improving the ability and speed of the organization to manage crises effectively (adaptive capacity). To effectively manage crises, organizations also need to recognize and evolve in response to the complex system within which the organization operates (situation awareness) and to seek out new opportunities even in times of crisis. Source: Building Organizational Resilience: A Summary of Key Research Findings, Resilient Organizations Program, New Zealand

17 Organizational Resilience Core Concepts Vulnerability Adaptive capacity Situation awareness The ability to survive a crisis and thrive in a world of uncertainty 17

18 Graphing Resilience 1. Initial Condition 2. Extreme Event 3. Absorb Shock 4. Disaster Threshold 5. Recovery Time 6. Learn from Experience

19 Source: Copyright 2012 Resilient Organisations Research Programme Auckland New Zealand,

20 The takeaways for both ERM & OR Both require Strong leadership commitment. Meaningful staff engagement, buy-in and empowerment. Comprehensive understanding of vulnerability and risks. Simple yet productive process for ID of vulnerability and risks and taking action. 20

21 The takeaways for both ERM & OR ERM tends to focus more on: Risk tolerance, risk appetite, risk acceptance and risk mitigation as it is related to achieving the strategic initiatives. Compliance issues Profit driven OR emphasizes the following Adaptive capacity and using networks and partnerships Situational awareness and readiness to change in the face of adversity Future focuses and legacy driven 21

22 University of Oregon Integrating ERM & Organizational Resilience 22

23 Three Elements to UO s Experience Formation of the Enterprise Risk Services Unit (2012) EMC Developed in 2007 ORM formed in 2009 EHS has over a 20-year history but was part of Campus Operations Commitment from leadership Development of tools, processes, resources, feedback loops, and continual improvement for process evolution 23

24 24

25 University of Oregon Enterprise Risk Services 25

26 Enterprise Risk Services: Mission To collaborate with the campus community to safeguard life & human health and reduce the university s vulnerability to conditions adversely affecting its ability to achieve the core mission of instruction, research, and public service. 26

27 Enterprise Risk Services: Core Goal Promote a risk-aware culture... without creating a risk-averse climate 27

28 Leadership President's Strategic Enterprise Risk Management & Compliance (SERMC) Committee President s Charge to the Committee: 1) Develop tools and processes to actively identify, evaluate, and manage University risks. 2) Ensure that systems and processes are in place to provide accountability for compliance with the University s legal and policy obligations. 3) Encourage communication, problem-solving and collaboration across divisions, units and departments. 28

29 The Process Develop and Implemented Enterprise Risk Assessment Process Utilized Association of Governing Boards and United Educators Thematic Risk Areas Senior Leadership ranked risks Narrowed scope from over 100 indicated risks to 23 in various thematic risk areas Facilitated 10 different workshops, one for each thematic area with subject matter experts across campus to validate risks, identify any new risk, and indicate short and long term mitigation strategies 29

30 Integrating with existing teams / processes Build Awareness Information Sharing Collaborations and partnerships Short term actions Long term strategies Don t let perfect get in the way of good "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein 30

31 Integrating the teams / processes Enterprise Risk Assessment Compliance Committees Campus Vulnerability Assessment Team Occupational & Research Safety Behavioral Threat Assessment Team Incident Management Team 31

32 Campus Vulnerability Assessment Team (CVAT) Meets monthly to discuss site-specific vulnerability assessments and campus-wide issues. The team develops a site-specific comprehensive report that highlights issues or concerns, as well as provides recommendations and proposed actions that the department or unit may choose to implement. Team Members Emergency Management and Continuity Campus Planning and Real Estate Campus Operations Office of Risk Management UO Police Department Environmental Health and Safety Department of Geography -- InfoGraphics Lab 32

33 33

34 34

35 Campus Incident Management Team (IMT) The UO Incident Management Team (UO-IMT) provides the command and control infrastructure that is required to manage the logistical, fiscal, planning, operational, safety and campus issues related to any and all incidents/emergencies. All IMT members hold or are working toward FEMA All Hazards Type III position specific certification. 35

36 36

37 37

38 Examples Incidents Work Stoppage Winter Storms Power Failures Fires Academic Programs International Programs Source: TrackTown USA / University of Oregon Emergency Management & Continuity Program Large Scale Event Football US Track & Field Olympic Trials 2008, 2012, 2016 World Juniors 170 Countries

39 Creating Resilient Universities Advancing ERM & Organizational Resilience on Campus Questions André Le Duc Executive Director, Enterprise Risk Services University of Oregon