A New Framework for Risk Management JOHN MCLAUGHLIN, MANAGING DIRECTOR, ARTHUR J. GALLAGHER & CO.
Traditional Risk Management
"Without guidance an organization's risk strategy will be made and repeatedly redefined accidentally by dozens of everyday financial and business decisions." (McKinsey Survey)
Enterprise Risk Management Approach
- ERM is a process that seeks to preserve and create value:
  - Protection of assets
  - Effective utilization of resources
  - Optimization of results
- Risk is defined as the effect of uncertainty on objectives.
- The ultimate goal is to create a risk-aware culture where consideration of risk is part of the decision-making process.
Commitment
- Tone at the top matters; champions are essential.
- Principles and Mandate (SAMPLE): The University is committed to developing and supporting an ERM policy that:
  a) incorporates a consistent approach to risk management into the culture and strategic planning processes of the university that supports decision making and resource allocation at both the strategic and operational levels; or
  b) applies a consistent approach to risk management to support the college's governance responsibilities for innovation and responsible risk-taking, policy development, programs and objectives.
  In all cases, appropriate measures will be put in place to address unfavorable impacts from risks and favorable benefits from opportunities.
- Understand and embrace specific roles, while building bridges across campus.
- Question sacred cows.
- Incorporate RM into planning: annual, strategic and project planning.
- Ask questions, require annual updates, establish accountability.
Framework
A business process that expands the core (traditional) concepts of risk management:
- Identify risks and opportunities across the enterprise
- Assess the impact of the risks to the plans and mission
- Develop and test mitigation plans
- Monitor identified risks and consistently scan for emerging risks
- Repeat and improve
Risk Management Process (ISO 31000)
- Establishing the context
- Risk assessment:
  - Risk identification
  - Risk analysis
  - Risk evaluation
- Risk treatment
- Throughout: communication and consultation; monitoring and review
Roles
- Senior Administration: owns ERM; department heads involved in operational risks
- Full Board/Executive Committee: sets tone, addresses strategic and governance risks and fills in gaps
- Standing Committees: understand programs and risks
- Audit Committee: owns specific risks and process
College Risk Register
1. Reputational Risk:
   a) Assessments and outcomes not meeting expectations
   b) Governance
   c) Effective crisis planning/communication
2. Strategic Risk:
   a) Aging workforce, lack of succession planning
   b) Misalignment between operations and strategic plans
   c) Expanding mission to four-year degree programs
   d) Uncertain economic environment
   e) IT infrastructure investments
   f) Changing regulatory environment
   g) Implement program to support Full Spectrum Learning
College Risk Register (continued)
3. Operational Risk:
   a) Lack of disaster preparedness and BCP
   b) Minors on campus
   c) Outside violence coming to campus
   d) Title IX and sexual assault
   e) Cyber Security/Breach Response
   f) International risks
Into Action (5-Step Process)
1. Establish organizational principles and mandate: COMMITMENT
2. Establish leadership structure and discussion of ERM context: FRAMEWORK
3. Conduct risk assessment and assignment of risk owners: RISK ASSESSMENT/OWNERS
4. Begin risk treatment and organizational integration: RISK TREATMENT
5. Follow a consistent process to MONITOR and IMPROVE
1. Commitment
Building the case for ERM; discussion of mandate and commitment; definition of roles.
- Begin meeting with ERM leaders to discuss organizational goals and objectives
- Develop description of benefits and reasons to implement ERM
- Discuss broad roles of senior administration, risk management, legal, internal audit, and compliance
- Establish advisory group composition, meeting schedule and initial agenda
2. Leadership, Framework & Context
ERM leaders and advisory group establish the framework, describe the context, stakeholders, roles and responsibilities, and the implementation plan.
- Facilitation of a half-day workshop focused on development of the framework, description of context, identification of internal/external stakeholders, discussion of risk criteria and performance measures
- Establish roles and responsibilities of administrators and other key stakeholders
- Develop implementation plan
3. Risk Assessment & Ownership
Begin risk assessment including scope and process, assignment of risk owners, planning for data management, reporting and communication.
- Consult and advise, or facilitate, the risk assessment process through surveys, interviews, and/or workshops
- Oversee development of the risk register in relationship to organizational objectives
- Facilitate the risk analysis and evaluation/prioritization process
- Assist in the assignment of risk owners
- Sample reports developed for advisory group, senior administration, and governing boards
4. Risk Treatment & Integration
Development and approval of risk treatment plans, training of supervisors, integration into position descriptions, reviews, and employee onboarding.
- Beginning of work on risk treatment plans including risk owner training
- Leadership approval of priority risk treatment plans
- Supervisor training materials drafted
- Position description wording drafted and approved
- New employee orientation materials developed
5. Monitor & Improve
Development and incorporation of a continuous improvement model, monitoring and review of progress, and assessing communication and engagement.
- Review existing ERM program
- Report on congruence with best practices and suggest improvements
- Evaluate performance management objectives and outcomes
- Assess progress of risk treatment plans
- Evaluate accountability and reporting chains
- Incorporate lessons learned
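The prioritization step in slide 13, the "all risks must have owners" rule from the lessons-learned slide, and the treatment-progress check in slide 15 can be carried out on a small machine-readable register. The following is an added example written for this page, not a tool from the presentation or from Arthur J. Gallagher & Co. It assumes a 1-5 likelihood and impact scale with priority = likelihood x impact, and the scores, owners and treatment plans attached to the sample entries are constructed for illustration; only the risk descriptions come from the College Risk Register slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    """One row of the risk register (categories follow the College Risk Register)."""
    category: str            # Reputational / Strategic / Operational
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain) - assumed scale
    impact: int              # 1 (negligible) .. 5 (severe)   - assumed scale
    owner: Optional[str] = None        # every risk must have one (lessons learned)
    treatment: Optional[str] = None    # approved treatment plan, if any (step 4)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def priority(self) -> int:
        """Assumed prioritization rule: likelihood multiplied by impact."""
        return self.likelihood * self.impact


class RiskRegister:
    """Holds the register and answers the questions the 5-step process asks of it."""

    def __init__(self) -> None:
        self.risks: List[Risk] = []

    def add(self, risk: Risk) -> None:
        self.risks.append(risk)

    def prioritised(self) -> List[Risk]:
        """Step 3: evaluation/prioritization, highest priority first (stable sort)."""
        return sorted(self.risks, key=lambda r: r.priority, reverse=True)

    def unowned(self) -> List[Risk]:
        """Lessons learned: every risk must have an owner; these do not."""
        return [r for r in self.risks if not r.owner]

    def untreated_high(self, threshold: int = 12) -> List[Risk]:
        """Step 5: high-priority risks with no approved treatment plan yet.
        The threshold of 12 is an assumption for this example."""
        return [r for r in self.prioritised()
                if r.priority >= threshold and not r.treatment]

    def summary_by_category(self) -> Dict[str, int]:
        """Board-level view: highest priority score per risk category."""
        summary: Dict[str, int] = {}
        for r in self.risks:
            summary[r.category] = max(summary.get(r.category, 0), r.priority)
        return summary


def build_sample_register() -> RiskRegister:
    """Constructed sample: descriptions from the slides, scores/owners assumed."""
    reg = RiskRegister()
    reg.add(Risk("Reputational", "Effective crisis planning/communication", 3, 4,
                 owner="Communications Director"))
    reg.add(Risk("Strategic", "Aging workforce, lack of succession planning", 4, 3,
                 owner="VP Human Resources", treatment="Succession plan for key roles"))
    reg.add(Risk("Strategic", "IT infrastructure investments", 3, 3, owner="CIO"))
    reg.add(Risk("Operational", "Lack of disaster preparedness and BCP", 2, 5))
    reg.add(Risk("Operational", "Cyber Security/Breach Response", 4, 5, owner="CIO",
                 treatment="Incident response plan and annual tabletop exercise"))
    reg.add(Risk("Operational", "Minors on campus", 3, 4, owner="Dean of Students",
                 treatment="Background checks and supervision policy"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print("Prioritised register:")
    for r in register.prioritised():
        print(f"  [{r.priority:>2}] {r.category:<12} {r.description}  (owner: {r.owner or 'NONE'})")
    print("Risks without an owner:", [r.description for r in register.unowned()])
    print("High-priority risks without treatment:", [r.description for r in register.untreated_high()])
    print("Highest priority per category:", register.summary_by_category())
```

The two list methods are the monitoring questions a risk committee would put on its agenda: which entries still violate the ownership rule, and which high-scoring risks have no approved treatment plan. Changing the scale or the threshold is a single edit because both are assumptions kept in one place.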
Culinary Adventures: Use the ERM process to help make an informed decision
- College A, at the height of the Arab Spring, is invited to a culinary arts symposium in Dubai. 2 faculty members and 5 students are invited. The symposium concludes with an international cook-off competition! The college wants to attend but is concerned about safety and cost.
- College B is considering opening a high-end restaurant, staffed by professionals, as a means to attract community members, support functions at the Performing Arts Center, and expose students to classic restaurant operations. It is a major financial investment that does not directly support the educational mission.
Culinary Adventures (worksheet)

| Consideration       | College A | College B |
|---------------------|-----------|-----------|
| Mission consistent  |           |           |
| Risk owner          |           |           |
| Financial           |           |           |
| Reputational        |           |           |
| Strategic           |           |           |
| Compliance          |           |           |
| Hazard/life safety  |           |           |
| Risk treatment      |           |           |
Lessons learned from others:
- Focus on high-impact risks
- Focus on mitigation/continuity plans
- Take on the tough issues and sacred cows
- All risks must have owners
- Involve other departments in the risk register and responses
- It's a process and business tool, not a project
- Set yourself up for some near-term wins
Stay Connected