ERM - State Risk and Insurance Management Association

ERM:
Are You Thinking BIG
Enough?
Betty Reed, State of WA
Dorothy Gjerdrum, Arthur J. Gallagher
STRIMA 2006
September 27, 2006
Agenda
• Compare the Approach: Traditional RM & ERM
• Sample Program: WA State
• Tools & Ideas You Can Use
Compare the Approaches
• Definitions
• Risk Identification
• Risk Ranking & Prioritization
• Risk Response
• Understanding Risk Across the Organization
ERM Defined:
“…a process, effected by an entity’s top
management and other personnel, applied in
strategy setting and across the enterprise,
designed to identify potential events that may
affect the entity, and manage risks to be
within its risk appetite, to provide reasonable
assurance regarding the achievement of
entity objectives.”
Source: Committee of Sponsoring Organizations (COSO) Enterprise Risk
Management – Integrated Framework, 2004.
ERM & TRM
ERM Definition:
“A rigorous approach to assessing and addressing the risks from all sources that threaten the achievement of an organization’s strategic objectives. In addition, ERM identifies those risks that represent corresponding opportunities to exploit for competitive advantage.”
Source: Tillinghast-Towers Perrin
Traditional Definition:
“The process of planning, organizing, leading and controlling the activities of an organization in order to minimize the adverse effects of accidental losses on that organization at a reasonable cost.”
Source: Essentials of the RM Process, ARM 54 Text, Insurance Institute of America
Identifying Risk
• Checklists of Operations & Property
• Interviews with Key Staff
• Inspections & Site Visits
• Records of Incidents & Claims
• Complaint Forms
• Budgets, Financial Statements
• Meeting Minutes
• Property Records
• Permits & Contracts
ERM Approach to Identifying Risk
• Interviews with Key Staff
• Risk Identification Process – Across the Organization
• Risk Ranking – High/High to Low/Low
• Performance Measures & Compliance Audits
TRM Risk Ranking & Prioritization
Primary focus:
• Reaction to bad press or catastrophic claim(s)
• Compliance with laws, rules & regs
• Activities and departments with high losses (frequency or severity or both), identified from loss runs, complaint forms, etc.
ERM – Risk Ranking & Prioritization
Focus group identifies:
• What are the biggest risks our agency is facing?
• What internal and external events could affect the agency’s mission and the achievement of our goals?
Then evaluates and ranks them:
• To what extent would these potential events impact our goals, and what is the likelihood that they will happen?
• Use a rating scale for assessing impact and likelihood (1-3), with 1 low and 3 high
Event Identification
• Differentiates risks and opportunities
• Events that may have a negative impact represent risks
• Events that may have a positive impact represent opportunities, which management channels back to strategy setting
Event Identification
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Register/ Best Practices
Risk Mapping
2006 Heat Map Project – Core Business Processes
[Heat map figure: each core business process is plotted by number, with Likelihood (1-5) on the horizontal axis and Impact (1-5) on the vertical axis; the four quadrants are Low Likelihood/High Impact, High Likelihood/High Impact, Low Likelihood/Low Impact and High Likelihood/Low Impact.]
Core Business Processes:
1 Strategic Planning
2 Board Service & Relation (Edu. & Support)
3 Business Continuance
4 Cash Management
5 Compliance
6 Contract Services (RFP's)
7 Corporate Governance (proxy voting)
8 Custody Operations
9 Data Integrity & Maintenance
10 Facility Management
11 Financial Reporting
12 Health & Safety
13 Human Resource Management
14 Internal Audit
15 Investment Accounting (Portfolio)
16 Legal
17 Performance Reporting & Measurement
18 Planning/Budgeting/Agency Accounting
19 Portfolio Pricing and Unitization
20 Risk Management
21 Stakeholder Mgmt. & Communication
22 Technology & Systems
23 Trade Execution
24 Trade Settlements
25 Portfolio Management
TRM Risk Response
• Avoid
• Retain
• Transfer
ERM Risk Response
• Quantification of risk exposure
• Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g., insurance)
• Residual risk (unmitigated risk – e.g., unpredictable harm to vulnerable persons)
ERM Risk Response
• Identifies and evaluates possible responses to risk
• Evaluates options in relation to the entity’s risk appetite, cost versus benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
• Selects and executes a response based on evaluation of the portfolio of risks and responses
ERM Risk Response
Control Activities:
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization at all levels and in all functions.
• Include application and general information technology controls.
Understanding Risk Across the Organization – TRM
• Risk is managed through separate “silos”
• Lack of full coordination or accountability
Risk Silos (examples of separately managed areas):
• Law Enforcement
• Human Resources
• Regulatory Compliance
• Transportation
• Emergency Preparedness
• University Systems
• Hospitals & Mental Health
Understanding Risk Across the Organization – ERM
ERM takes a portfolio view of risk:
• Risks considered during strategic planning
• Determine the entity’s “risk appetite” – a high-level view of how much risk the entity is willing to accept
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite
The State Needs to Manage Its Risk Above the Line As Well As Below
RISK: Any event that interferes with the state achieving its strategic objectives
Above the line:
• Catastrophic risk
• Non-tort litigation risk
• Compliance risk
• Reputational risk
• Emerging/shifting risk
• Systemic causes of incidents
• Financial risk
• Operational risk
• Human capital risk
Below the line:
• Liability, Negligence – GL/AL
ERM Innovation: Responsibility
• Who “owns” the risk in your organization? (If the spit hits the fan, who will take a spit bath?)
• CHALLENGE: What would it look like to have everyone in the organization take ownership?
ERM Innovation: Accountability
• Some of the most successful ERM initiatives have been able to link risk mitigation & management to performance reviews – making managers responsible for risk control & measurement
• CHALLENGE: What would be a reasonable measurement of compliance?
Innovation: Strategic Goals
• ERM is linked to an entity’s strategic objectives & is part of the strategic planning process. It goes beyond the protection of financial assets.
• CHALLENGE: What would it take to get risk management to that table?
How does this work in the real world?
State of WA ERM Initiative
2001
• Risk Management Task Force
• Risk Management Executive Order
2002
• RM Division moved to OFM
2003
• Budgeting through Priorities in Government
• Policy Level Budget Proposal for Self-Insurance Premium
State of WA ERM Initiative
2004
• Risk Summits with key agencies
2005
• Gov’t Management and Accountability Program – risk focus
• Strategic Planning must include risk focus
• ERM introduced by Governor at new executive-level Risk Management Conference
State of WA ERM Initiative
2006
• Maturity Model adopted to assess and track agency progress
• Risk Specialist positions created to move agencies toward ERM
• ERM featured throughout 2006 monthly and quarterly risk publications and training
Sample ERM Criteria
• Risk Manager reports to Director, Secretary or Deputy Director
• Centralized RM responsibilities assigned as 100% of an FTE (where agency size or risk character warrants)
• Agency performs annual risk assessment
• Agency evaluates incidents using varying depth of analysis based on severity of outcome or potential outcome
• Agency develops practice and process changes, or other corrections, based on root cause analysis of identified incidents
Moving Toward Enterprise Risk Management Mastery:
Maturity continuum (lowest to highest):
1 Pays Premium
2 Part of a Basic Program
3 Better Defined Program
4 Most Risk Is Managed at Varying Levels
5 Enterprise Risk Management Started
6 Mastery
Action Plan:
■ Use OFM ERM maturity model to measure agency progress.
■ Move agencies forward 20% on continuum by February 2007.
Washington State Investment Board
Enterprise Risk Management
Excerpts from a Presentation to the Washington State Investment Board
WSIB Overview
The Washington State Investment Board manages investments for 14 separate retirement
funds for public employees, teachers, school employees, law enforcement officers,
firefighters, and judges. We also manage investments for 19 other public funds that
support or benefit industrial insurance, colleges and universities, developmental
disabilities, and wildlife protection.
Our mission is to invest with integrity, prudence, and skill to meet or exceed the financial
objectives of those we serve.
As of March 31, 2006, total assets under management = $69.9 billion

Asset Class            Market Value
U.S. Equity            $18,144,911,062
International Equity   $14,049,805,711
Fixed Income           $21,693,865,409
Private Equity         $8,836,013,772
Real Estate            $5,402,592,759
Cash                   $1,804,476,772
Enterprise Risk Management (ERM) – What is it?
• A systematic process for identifying, assessing and prioritizing potential events that may affect the organization
• Needs support and encouragement from executive management
• Enterprise-wide participation in event identification and risk response
• A tool to help management achieve its objectives
In short, it’s a process for identifying and managing what may happen that could prevent you from achieving the agency mission
ERM Roadmap
In 2003: With a strong commitment from the Executive Director, Joe Dear, staff conducted an initial risk assessment which kicked off the first discussion of enterprise risk management capabilities and effectiveness
In 2004: The core of the new risk management strategy was the establishment of an ERM team tasked with defining the ERM key dimensions, principles, core business processes, and common ERM risks
In 2005:
• Risk Director position was created
• ERM team developed a risk management database system
• Annual risk assessment questionnaire was developed
• ERM education was provided to staff
In 2006:
• ERM team benchmarked risk activities against COSO
• Quantitative evaluation of risk impact and likelihood was added to the database
• Risk heat map was developed
• Agency key risks were summarized in a written document
ERM Structure
Board Governance: WSIB Board; Audit Committee
Executive Management and ERM Team: Executive Management Team; Deputy Director for Operations (Executive Sponsor); ERM Team
ERM Framework and Tools: Board Policy; COSO Framework; Risk Management Principles; Risk Assessment; Risk Management System; Education; Risk Reporting
WSIB Risk Management Principles – Our guide to track risk events

Key Dimensions (these define all aspects of an organization's activities to ensure a comprehensive approach is taken in a risk management program):
• Globality
• Business Integration
• Human Resources
• Technology
• Reputation and Fiduciary Responsibility
• Investment Management Skill
• Legal and Compliance Environment
• Business Continuity

Principles (each principle defines standards that an organization strives to achieve; the number is the principle's identifier in the WSIB ERM Framework):
15 Adherence to Investment Guidelines
22 Asset Control and Maintenance
31 Cash Management
28 Compliance
25 Credit Risk Management
13 Customer Communications/Reporting
37 Data Integrity & Maintenance
4 Evaluation of Control Effectiveness
14 Fair Dealing
12 Fiduciary Responsibility
32 Financial Accounting
16 Fund/Client Taxation
23 Human Resources
30 Internal Audit
21 Investment Accounting
10 Investment Strategy Research Standards
24 Investment/Benchmark Risk
35 IT Developments
36 IT Security
34 IT Systems Capabilities
29 Legal Enforceability
33 Management Accounting
26 Market Liquidity
11 Model Management & Validation
19 Performance Target
3 Policies & Procedures
7 Product Evaluation & Authorization
9 Project Management
27 Risk Consolidation
5 Risk Limits
18 Risk/Reward Analysis
6 Role of Risk Management Group
1 Role of the Board
2 Staff Organization
8 Strategic Planning & Budgeting
20 Trade Management
17 Valuation

Core Business Processes (these core areas represent the business processes within the WSIB's structure):
1 Asset Allocation/Strategic Planning
2 Board Service & Relation (Edu. & Support)
3 Business Continuance
4 Cash Management
5 Compliance
6 Contract Services (RFP's)
7 Corporate Governance (proxy voting)
8 Custody Operations
9 Data Integrity & Maintenance
10 Facility Management
11 Financial Reporting
12 Health & Safety
13 Human Resource Management
14 Internal Audit
15 Investment Accounting (Portfolio)
16 Legal
17 Performance Reporting & Measurement
18 Planning/Budgeting/Agency Accounting
19 Portfolio Pricing and Unitization
20 Risk Management
21 Stakeholder Mgmt. & Communication
22 Technology & Systems
23 Trade Execution
24 Trade Settlements
25 Portfolio Management*
*Portfolio Management sub-processes: Deal Sourcing/Screening; Investment Strategy Research; Tactical Planning/Portfolio Construction; Investment Manager Selection; Broker/Consultant Relation/Mgmnt; Due Diligence; Monitoring; Legal/Deal Completion; Compliance; Trading; Data Management; Manager Termination
Enterprise Risks (common types of risks used to assess the organization's control structure; the number is the risk's identifier in the WSIB ERM Framework):
1 Bad information
2 Booking error
3 Breaching investment guidelines
4 Breaching regulatory compliance requirements
5 Cash flow risk
6 Stakeholder dissatisfaction
7 Control failure
8 Correlation risk
9 Counterparty Risk
10 Currency convertibility risk
11 Dividend Risk
12 Documentation/contract risk
13 Equity Price Risk
14 Exceeding limits
15 Execution error
16 Fraud
17 Foreign Exchange rate
18 Human resource risk
19 Inadequate information system
20 Inadequate recovery planning
21 Interest rate basis/spread risk
22 IT system failure
23 Legal risk
24 Liquidity risk
25 Missing processes, policies & controls
26 Model/methodology error
27 Money laundering
28 Operational inefficiency risk
29 Other Risks
30 Portfolio concentration - Instrument
31 Processing risk
32 Product Complexity
33 Programming error
34 Regulatory change
35 Reputation risk
36 Rogue trading
37 Security risk (Building, IT & general security)
38 Settlement error
39 Settlement Risk
40 Taxation risk
41 Telecommunication failure
42 Tracking error
43 Underperforming a benchmark
Risk Management System
Reporting Database:
• Tool to capture errors, incidents, or potential risks on a daily basis
• Timely resolution of reported items, resulting in minimized business impact
• Better understanding of the impact incidents/errors have on the overall agency
• Accurate information on the incidents that are occurring
• Increased availability of information for management review
Annual Risk Assessment Questionnaire Example

Core Business Process: Pricing & Unitization – CTF and Daily Valued Funds
Principle*: 17 Valuation
Scale = 1 - 5

Question 1: What is the likelihood of an error occurring in the pricing or unitization of the CTF and Daily Funds?

Question 2: What is the likelihood an error will occur because of:
  Risk* 1: bad information
  Risk* 7: control failure
  Risk* 9: a counterparty
  Risk* 18: human resource limitations
  Risk* 19: inadequate information system
  Risk* 20: inadequate business recovery planning
  Risk* 22: IT system failure
  Risk* 25: missing process, policies, or controls
  Risk* 26: methodology modeling error
  Risk* 28: operational inefficiencies
  Risk* 29: other risks
  Risk* 37: a breach in security
Likelihood ratings entered (in slide order): 2, 1, 1, 1, 2, 1, 2, 1, 2, 3, 1, 1, 1
Average Likelihood: 1.5

Question 3: What is the impact to the agency if there is an error in the valuation?
Impact rating entered: 5

*Numbers correspond to ERM Framework

Likelihood Scale: 1 = Low, unlikely to occur; 3 = Medium, might occur; 5 = Event is expected to happen
Impact Scale: 1 = Minor impact; 3 = Moderate impact, loss, disruption; 5 = Significant impact, loss, disruption
2006 Heat Map Project – Core Business Processes
[Heat map figure: the 25 core business processes (1 Strategic Planning through 25 Portfolio Management, numbered as in the WSIB ERM Framework) plotted by Likelihood (1-5, horizontal axis) against Impact (1-5, vertical axis); quadrants are Low Likelihood/High Impact, High Likelihood/High Impact, Low Likelihood/Low Impact and High Likelihood/Low Impact.]
2006 COSO* ERM Standard – Process & Categories
*Committee of Sponsoring Organizations of the Treadway Commission
2006 COSO ERM Benchmarking Project
What we are doing well in relation to the COSO ERM Framework:
• We have a strong ethical culture and internal environment, a commitment to competence, and a Board that provides oversight
• We have an established mission with strategic objectives so that all staff are working towards a common goal
• We have an established process to identify events, assess risk, and respond
• We have strong control activities
• Our ERM process is dynamic and constantly changing, ensuring that it remains relevant to the business of the agency
2006 COSO ERM Benchmarking Project (cont’d.)
What we want to improve on:
• Be more explicit in our risk management philosophy
• Establish succinct risk appetite and tolerance levels
• Analyze likelihood and impact, then assign risk level
• Assign risk responses into one of four categories: Avoidance, Reduction, Sharing, Acceptance
• Increase staff participation in risk identification
• Education on risk terminology, risk assessment, and risk response
ERM Tools
• Risk Rating Tool
• Raise Risk Awareness – Across the Organization
• Facilitated Discussion of Risk
• Discussion of the “Upside” of Risk – Opportunities! – and a Wider Discussion Involving Your Community
A Simple Risk Rating Tool
Risk Assessment Wallet Tool – Maricopa County (AZ) Community College District MIRA Project
Risk Assessment Tool
Frequency of Occurrence   I Catastrophic   II Critical   III Marginal   IV Negligible
A. Frequent               1A               2A            3A             4A
B. Probable               1B               2B            3B             4B
C. Occasional             1C               2C            3C             4C
D. Remote                 1D               2D            3D             4D
E. Improbable             1E               2E            3E             4E
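The WSIB questionnaire (per-risk likelihood ratings averaged into one likelihood score, a single impact score, and a 1-5 heat map) and the Maricopa wallet tool (a severity class I-IV crossed with a frequency class A-E) are two ways of turning the same judgement into a cell on a risk matrix. The Python below is an added example, not code from either agency: it implements a small risk register that rejects ratings outside the scale, averages the questionnaire's likelihood ratings, places each process in a heat-map quadrant, ranks the register, and produces the wallet-tool cell code. The quadrant split at the scale midpoint (3) is an assumption the slides do not state; the sample data is constructed, with the twelve pricing ratings chosen to reproduce the slide's average of 1.5 and impact of 5, and the other two processes made up.

```python
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5   # WSIB questionnaire scale: 1 = low, 5 = expected / significant
MIDPOINT = 3                  # assumed quadrant split for the 1-5 heat map (not stated on the slides)


def _check_rating(value, label):
    """Reject anything outside the 1-5 scale so a typo cannot silently skew the average."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{label} rating {value!r} is not a number")
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} rating {value!r} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return value


@dataclass
class ProcessAssessment:
    """One core business process scored the way the WSIB questionnaire scores it:
    a likelihood rating per enterprise-risk type (Question 2) and one impact rating (Question 3)."""
    process: str
    likelihood_by_risk: dict   # risk type -> likelihood rating, 1-5
    impact: int                # impact rating, 1-5

    def __post_init__(self):
        if not self.likelihood_by_risk:
            raise ValueError("at least one likelihood rating is required")
        for risk, rating in self.likelihood_by_risk.items():
            _check_rating(rating, f"likelihood[{risk}]")
        _check_rating(self.impact, "impact")

    def average_likelihood(self):
        """The questionnaire's 'Average Likelihood' line: mean of the per-risk ratings."""
        return mean(self.likelihood_by_risk.values())

    def score(self):
        """Likelihood x impact; used only to order processes against each other."""
        return self.average_likelihood() * self.impact

    def quadrant(self):
        """Heat-map quadrant label, splitting both axes at the assumed midpoint."""
        lk = "High Likelihood" if self.average_likelihood() >= MIDPOINT else "Low Likelihood"
        im = "High Impact" if self.impact >= MIDPOINT else "Low Impact"
        return f"{lk} / {im}"

    def top_drivers(self, n=3):
        """Risk types with the highest likelihood ratings, ties broken by name: where a control buys most."""
        ranked = sorted(self.likelihood_by_risk.items(), key=lambda kv: (-kv[1], kv[0]))
        return [risk for risk, _ in ranked[:n]]


def rank_register(assessments):
    """Prioritise a register: highest score first, then higher impact, then name."""
    return sorted(assessments, key=lambda a: (-a.score(), -a.impact, a.process))


# Maricopa wallet tool: severity class I-IV crossed with frequency class A-E gives a cell such as "1A".
SEVERITY = {"Catastrophic": 1, "Critical": 2, "Marginal": 3, "Negligible": 4}
FREQUENCY = {"Frequent": "A", "Probable": "B", "Occasional": "C", "Remote": "D", "Improbable": "E"}


def wallet_cell(severity, frequency):
    """Return the wallet-tool cell code for a severity/frequency pair, e.g. ("Critical", "Remote") -> "2D"."""
    try:
        return f"{SEVERITY[severity]}{FREQUENCY[frequency]}"
    except KeyError as exc:
        raise ValueError(f"unknown severity or frequency class: {exc}") from None


# Constructed sample data (not WSIB's records): the pricing ratings are chosen to reproduce the
# slide's worked example (average likelihood 1.5, impact 5); the other two processes are invented.
PRICING = ProcessAssessment(
    "Portfolio Pricing and Unitization",
    {
        "bad information": 2, "control failure": 1, "counterparty": 1,
        "human resource limitations": 1, "inadequate information system": 2,
        "inadequate business recovery planning": 1, "IT system failure": 2,
        "missing process, policies, or controls": 1, "methodology modeling error": 2,
        "operational inefficiencies": 3, "other risks": 1, "breach in security": 1,
    },
    impact=5,
)
SAMPLE_REGISTER = [
    PRICING,
    ProcessAssessment("Facility Management", {"IT system failure": 2, "security risk": 2}, impact=2),
    ProcessAssessment("Technology & Systems", {"IT system failure": 4, "security risk": 3}, impact=4),
]

if __name__ == "__main__":
    for a in rank_register(SAMPLE_REGISTER):
        print(f"{a.process:35} L={a.average_likelihood():.2f} I={a.impact} "
              f"score={a.score():.1f} {a.quadrant()} drivers={a.top_drivers()}")
    print(wallet_cell("Catastrophic", "Remote"))
```

Ranking by likelihood times impact is only a convenience for ordering the discussion. A process scoring 1.5 x 5 (low likelihood, high impact) has a modest product but is exactly the item the heat map is meant to keep visible, which is why the quadrant is reported alongside the score rather than folded into it.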
Facilitated Discussion of Risk
Before you begin:
1. Make a list of risks you currently don’t manage – include those SMEs
2. Make a list of key players and SMEs representing all areas of operation & functionality – Who should be at the table?
3. List the barriers to conducting this discussion
ERM Tools
Facilitated Discussion of Risk
• Cross section of personnel
• Subject matter experts (SMEs)
• “What’s the worst that could happen?” “What is it that we cannot allow to happen?”
• What we learn from school shootings – someone always knows that “something’s not right”
Upside Risks/Wider View
Identify:
• Current or new projects – your entity
• Current or new projects – your community
• Social trends in your community
• Economic development in your community – is it booming? – faltering?
(Within a crisis, there is opportunity for change)
RIMS Survey: ERM Success Factors
• Leadership
• Change is hard: make it simple & understandable
• Ownership, commitment, sponsorship (and cross functional)
• Disciplined & flexible structure
• Dedicated time & resources
• Continuous process for feedback & revisions
RIMS Survey: Keys to Success
• Appropriate leadership & exec. sponsorship
• Phased work plan – especially at the start
• Dedicate full-time resources & cross functional teams
• Early, quick, visible “wins”
• Balance qualitative & quantitative
• Integrate ERM into key decision-making processes
ERM Implementation Steps
• Defined process
• Assigned responsibilities
• Common language
• Dedicated resources
• ID Leaders
• Risk Identification
• Risk management policy
• Policy guidelines followed across the organization
• Risk measurement
• Consistent risk reporting
• Enterprise-wide risk strategies
• Risk measures applied to business performance goals
Source: Excerpted from James W. DeLoach, Toronto 2001
It’s All About the Journey…
• Remember that risk management is a continuous process, not a one-time event
• To be truly successful, risk management must become embedded in your organization deeply, with ownership and implementation at every level of the organization
“The significant problems
we have cannot be solved
at the same level of
thinking with which we
created them.”
Albert Einstein
Resources
• RIMS ERM Center of Excellence is evolving at www.rims.org
• COSO – www.coso.org
• IIA (Internal Auditors) – www.theiia.org
• Check out the Australian/New Zealand Standard AS/NZS 4360 at www.riskmanagement.com.au
• URMIA Journal – multiple articles – www.urmia.org
Speaker Contact Info
Betty Reed
Risk Management Administrator
Risk Management Division of Office of Financial Mgmt.
State of WA
360.902.7304
[email protected]
Dorothy Gjerdrum, ARM-P
Executive Director, Public Entity & Scholastic Division
Arthur J. Gallagher Broker & Risk Management Services
952.918.3951
[email protected]