
Enterprise Risk Management (ERM) Framework

Written by: Trevor Bennet Mel Douglas

Appendix I


April 8, 2015 ERM Framework Page 2

Contents

1. Intro to Enterprise Risk Management (ERM) & Framework ... 3
2. Enterprise Risk Management Philosophy ... 3
3. Enterprise Risk Management Strategy ... 3
4. Risk Management Principles ... 4
5. ERM Framework: Discussion & Diagram ... 7
   A. ERM Assessments ... 8
   B. Council Reporting ... 9
   C. Levels of Service & Risk ... 9
   D. Insurance and Liability Risk Management ... 9
   E. Health & Safety Management ... 9
6. Measurement Criteria ... 10
7. Risk Appetite & Risk Tolerance ... 12
8. Risk Management Process ... 14
9. Risk Universe & Definitions ... 16
10. Governance Structure ... 17
11. Risk Reporting ... 20
12. Risk Monitoring ... 20
13. Definitions ... 21
Appendix A: Measurement Criteria ... 23
Appendix B: Risk Universe & Definitions ... 26


1. Intro to Enterprise Risk Management (ERM) & Framework

Given the wide range of services delivered by the Corporation from long-term care to park maintenance to major capital construction, it is necessary to find a tool that can compare risk across different services. Enterprise Risk Management (ERM) will give the Corporation the ability to understand and consistently measure its risks, and monitor and communicate them effectively across the organization.

The Enterprise Risk Management framework provides processes and tools to identify and manage risks faced by the Corporation. The framework establishes the structure needed to carry out the Enterprise Risk Management process.

2. Enterprise Risk Management Philosophy

ERM should not be a separate process. ERM should become an integral part of the decision making process.

It is important to assess the risks that will impede the achievement of the Corporation’s strategic goals and service delivery objectives, and to develop strategies to ensure that these goals & objectives can be met.

3. Enterprise Risk Management Strategy

The ERM strategy is to:

• Manage risks within a tolerable level to meet service level expectations.

• Introduce incremental changes to the risk process and build upon existing risk management activities.

• Apply a consistent approach to risk management across the organization.

• Ensure a solid base exists (i.e. critical mass of dept. risk assessments etc.) before full corporate enforcement of policy.

• Balance the cost and control of a risk to ensure the greatest value to the corporation.


4. Risk Management Principles (1)

The following guiding principles are outlined in ISO 31000’s risk management guidelines and are integral to the framework:

a) Risk management creates and protects value

Risk management contributes to the achievement of objectives and performance improvement. Examples include: human health and safety, security, legislative compliance, environmental protection, program/process quality, project management, operational efficiency, governance and reputation.

b) Risk management is part of and supports all organizational processes

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and supports all organizational processes, including strategic planning, operational and all project and change management processes.

c) Risk management is part of decision making

Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

d) Risk management addresses uncertainty and potential impacts

Risk management recognizes uncertainty, the nature of that uncertainty, the potential impacts and how they can be addressed.

e) Risk management is consistent

Risk management is consistent and contributes to efficient, comparable and reliable results.

(1) Adapted from AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines

f) Risk management is based on the best available information.

Inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modeling used or the possibility of divergence among experts.

g) Risk management is tailored

Risk management is aligned with the organization's external and internal context and risk profile.

h) Risk management takes human and cultural factors into account

Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.

i) Risk management is transparent and inclusive

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j) Risk management is dynamic, iterative and responsive to change

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

k) Risk management supports continuous improvement


Organizations should develop and implement strategies to improve their risk management process and practices alongside all other aspects of their organization.


5. ERM Framework: Discussion & Diagram

The ERM framework, as outlined in this document, sets out all the necessary components to carry out the enterprise risk activities within the Corporation. It is important to note that this framework is not meant to supersede any of the existing processes but rather allow for a common frame of reference for risk.

This framework outlines:

a) Philosophy, strategy and principles of ERM: These are the underlying values that direct how ERM will be conducted.

b) Tools to implement ERM: The measurement criteria, risk appetite, and risk process are provided to ensure a consistent approach and evaluation throughout all activities associated with risk.

c) Governance structure: A clear understanding of roles and responsibilities are required to ensure that identified risks are managed and communicated effectively.

d) Classification system for risks: The risk universe provides a method of classifying risks based on their impact to assist in the tracking and evaluation of risk.

The Framework is not a static document. Throughout the implementation of Enterprise Risk Management, the framework itself should be monitored and reviewed to ensure continual improvement.

Figure 1 - ERM Framework Diagram (diagram not reproduced in this extract)

As Figure 1 shows, there are 5 main areas within the Corporation that contribute to the management of risk.

A. ERM Assessments

This area deals with the assessment and evaluation of risks at various levels of the corporation. It helps facilitate:

• Enterprise Risk Assessment: Risks evaluated that are strategic in nature or cross multiple departments or affect the entire corporation.

• Department Risk Assessment: Risk assessment performed at the departmental level to identify and track risks to departmental objectives.


B. Council Reporting

A Risk Analysis section is now a standard part of a council report. Guidelines for the information contained in this section are found in the Council Report Writing Guide. Critical and significant risks (as identified in the Risk Appetite section) are to be noted and discussed within the report.

C. Levels of Service & Risk

Levels of Service & Risk assessment will utilize the risk measurement criteria to assist in prioritization of asset planning and funding. Council will receive reports detailing the results.

D. Insurance and Liability Risk Management

Insurance & Liability Risk Management assists in mitigating risk of insurable loss to the corporation, including public hazard risk and risk of property loss. This is done by advising the Corporation on risk mitigation and risk financing options, investigating and resolving claims to reduce the consequence to the Corporation, and recovering losses from third parties. This division will provide feedback to areas of the Corporation to reduce risk of claims and litigation exposure.

E. Health & Safety Management

Health & Safety helps avoid risk in the corporation as a result of injury or illness.


6. Measurement Criteria

The measurement criteria define the scale that is used to assess a risk.

The Measurement Criteria for Risk Assessment can be found in Appendix A. Most risk assessments (e.g. departmental risk assessment, council report risk analysis) will use the “Simple Measurement Criteria”. The more complex “Measurement Criteria for the Risk Assessment Tool” will be used for Levels of Service & Risk evaluation and major projects.

The two key factors in a risk assessment are:

PROBABILITY: The likelihood that the risk will occur, and

CONSEQUENCE: The potential impact to the corporation if the risk occurred.

The consequence factor is further subdivided into different types of impacts but, ultimately, only the highest score in all the subcategories is used.

Both the Probability and Consequence are given a score from 1 to 5. Based on the two scores, a risk level is determined. The risk levels are shown in Figure 2 and are, as follows:

• Critical
• Significant
• Moderate
• Low

As an example, a risk that has a probability score of 3 and a consequence score of 4 would be rated a “Significant” risk.

The Measurement Criteria is important because it allows every risk across the Corporation to be measured on the same scale and prioritized accordingly.

Figure 2 - Levels of Risk (rows: Probability; columns: Consequence)

| Probability \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Severe (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | Moderate | Significant | Significant | Critical | Critical |
| Likely (4) | Moderate | Moderate | Significant | Significant | Critical |
| Possible (3) | Low | Moderate | Moderate | Significant | Significant |
| Unlikely (2) | Low | Low | Moderate | Moderate | Significant |
| Rare (1) | Low | Low | Low | Moderate | Moderate |


7. Risk Appetite & Risk Tolerance

Risk appetite refers to the level of risk, set by Council, that the corporation is willing to accept, which influences how risks are assessed and treated.

The Corporation is most concerned with Significant and Critical risks. Any risk identified as significant or critical should have a:

a) Mitigating Strategy - A plan must be developed to mitigate, transfer or avoid the risk.

b) Risk Owner - The person responsible to ensure that the risk level is monitored and the mitigating strategy is carried out.

In reports to City Council, significant and critical risks must be identified within the risk analysis section of the report. Mitigating strategies and risk owners should also be included.

Figure 3 - Risk Appetite (the same probability/consequence matrix as Figure 2; the Significant and Critical cells are the region the risk appetite described above targets)

| Probability \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Severe (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | Moderate | Significant | Significant | Critical | Critical |
| Likely (4) | Moderate | Moderate | Significant | Significant | Critical |
| Possible (3) | Low | Moderate | Moderate | Significant | Significant |
| Unlikely (2) | Low | Low | Moderate | Moderate | Significant |
| Rare (1) | Low | Low | Low | Moderate | Moderate |

Risk Tolerance refers to the level of risk that the corporation decides is acceptable after the risk has been evaluated and all stakeholders have been consulted on possible treatments.

This framework and risk appetite are tools for risk management. Judgement should also be applied when evaluating risks at any level. Low and moderate risks may benefit from employing a mitigating strategy and risk owner. In some cases, after risk stakeholders are consulted, it may make sense for a significant risk to be tolerated because the mitigating strategies are more costly than the consequence of the risk.
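As an added worked example (not tooling from the framework document), the following Python applies Sections 6 and 7 and Appendix A together: it bands a dollar impact and a likelihood percentage into the 1-5 scores, takes the highest consequence sub-score, looks the pair up in the Figure 2 matrix, applies the risk-appetite rule that Significant and Critical risks need a mitigating strategy and a risk owner, and checks a constructed risk register for entries that miss that rule. Where a band boundary is ambiguous in the tables, the choice made is labelled as an assumption in the code.

```python
"""Risk scoring per the ERM framework's Simple Measurement Criteria (Appendix A),
the Figure 2 probability/consequence matrix and the Section 7 risk-appetite rule.
Added example; band-boundary handling is an assumption, noted inline."""
from dataclasses import dataclass

# Figure 2 "Levels of Risk": RISK_MATRIX[probability][consequence - 1], scores 1..5.
RISK_MATRIX = {
    5: ("Moderate", "Significant", "Significant", "Critical", "Critical"),  # Almost Certain
    4: ("Moderate", "Moderate", "Significant", "Significant", "Critical"),  # Likely
    3: ("Low", "Moderate", "Moderate", "Significant", "Significant"),       # Possible
    2: ("Low", "Low", "Moderate", "Moderate", "Significant"),               # Unlikely
    1: ("Low", "Low", "Low", "Moderate", "Moderate"),                       # Rare
}

# Section 7: only these levels require a mitigating strategy and a named risk owner.
APPETITE_ACTION_LEVELS = {"Significant", "Critical"}

# Appendix A consequence types; each sub-score is 1..5 and only the highest counts.
CONSEQUENCE_TYPES = ("financial", "operational", "reputational", "health_safety")


def financial_score(cost_dollars: float) -> int:
    """Map a dollar impact to the Appendix A financial band.
    Assumption: a value on a band boundary falls in the higher band, except exactly
    $3M, which stays Major because the table defines Severe as "> $3M"."""
    if cost_dollars < 0:
        raise ValueError("cost must be non-negative")
    if cost_dollars < 25_000:
        return 1          # Insignificant: < $25K
    if cost_dollars < 250_000:
        return 2          # Minor: $25K - $250k
    if cost_dollars < 500_000:
        return 3          # Moderate: $250k - $500k
    if cost_dollars <= 3_000_000:
        return 4          # Major: $500k - $3M
    return 5              # Severe: > $3M


def probability_score(percent: float) -> int:
    """Map a likelihood percentage to the Appendix A scale (0-10% Rare ... 90-100%
    Almost Certain). Assumption: a boundary value takes the higher, conservative band."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be within 0..100")
    if percent < 10:
        return 1
    if percent < 40:
        return 2
    if percent < 60:
        return 3
    if percent < 90:
        return 4
    return 5


@dataclass(frozen=True)
class Assessment:
    probability: int
    consequence: int
    driver: str            # consequence type that produced the highest sub-score
    level: str             # Low / Moderate / Significant / Critical
    needs_treatment: bool  # mitigating strategy + risk owner required (Section 7)


def assess(probability: int, consequences: dict) -> Assessment:
    """Score one risk. `consequences` maps a subset of CONSEQUENCE_TYPES to 1..5."""
    if probability not in RISK_MATRIX:
        raise ValueError("probability score must be 1..5")
    if not consequences:
        raise ValueError("at least one consequence sub-score is required")
    for kind, score in consequences.items():
        if kind not in CONSEQUENCE_TYPES:
            raise ValueError(f"unknown consequence type: {kind}")
        if score not in range(1, 6):
            raise ValueError(f"{kind} score must be 1..5")
    # Section 6: the highest sub-score is the consequence score used for the risk.
    driver, consequence = max(consequences.items(), key=lambda kv: kv[1])
    level = RISK_MATRIX[probability][consequence - 1]
    return Assessment(probability, consequence, driver, level,
                      level in APPETITE_ACTION_LEVELS)


def register_gaps(register: list) -> list:
    """Return the names of Significant/Critical register entries (dicts with 'name',
    'assessment' and optional 'owner'/'mitigation') that lack a risk owner or a
    mitigating strategy, i.e. what a council report's Risk Analysis should flag."""
    gaps = []
    for entry in register:
        complete = bool(entry.get("owner")) and bool(entry.get("mitigation"))
        if entry["assessment"].needs_treatment and not complete:
            gaps.append(entry["name"])
    return gaps


if __name__ == "__main__":
    # Constructed sample reproducing the Section 6 example: probability 3, consequence 4.
    a = assess(3, {"financial": financial_score(750_000), "reputational": 2})
    print(a.level, a.driver, a.needs_treatment)  # Significant financial True
```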


8. Risk Management Process

The Enterprise Risk Management Process is used to manage risks faced by the corporation. A visual representation of the process is shown in Figure 4. It includes five key components that can be integrated at any level of the organization: Establishing context, conducting a risk assessment, the treatment of risks, monitoring and reviewing risks, and communication of risks.

1) Establishing a context – The objectives of the service or project are identified. All risks that are identified within this process should have a direct effect on an identified objective. Establishing the context of the risk assessment also requires understanding the internal and external environment and using the corporate standardized risk evaluation criteria.

2) Risk Assessment – The heart of the process is the risk assessment. By determining levels of risk, treatment plans can be developed to influence risks to a more tolerable level. There are 3 steps in the process:

i. Identify risks,
ii. Analyse risks, and
iii. Evaluate risks.

3) Risk Treatment – Risks that are outside a tolerable level should be addressed through one of four approaches:

i. Treated by implementing controls and/or mitigation strategies,
ii. Transferred to a 3rd party (e.g. an insurance company),
iii. Tolerated (i.e. the Corporation assumes the risk), OR
iv. Terminated (i.e. the Corporation discontinues current action or opts not to take further action).

4) Monitoring and Reviewing Risks – Risks are dynamic and change due to their nature, the environment surrounding them, and the enablers that impact them. Monitoring risks ensures risk owners are responsible for the prudent management of their risks. Reviewing risks involves a more collective process of ensuring risks still exist, are being accurately assessed, and the treatment plans are still relevant to mitigating them.

5) Communicate Risks – Timely and accurate communication of risks is a key element of the Enterprise Risk Management Framework. Communication takes place at all steps of the framework, both horizontally across departments and vertically (bottom up & top down).

Figure 4 - Enterprise Risk Management Process (diagram; labels recovered from the extract): Establish Context → Risk Assessment (Identify Risks → Analyze Risks → Evaluate Risks) → Treat Risks, with Monitor & Review and Communication running alongside every step.


9. Risk Universe & Definitions

A Risk Universe is a list of different sources of risk that could potentially produce risks to the corporation. The complete list and the definitions assigned to them can be found in Appendix B. There are six main categories and each of those is further divided into subcategories. The six main categories are:

1) External
2) Strategic
3) Operational
4) Organizational
5) Financial
6) Legal/Compliance

The advantage to having the risk universe is that it allows for consistent reporting when consolidating types of risk across the corporation.

As the ERM program within the corporation matures, these definitions may need to be adjusted in order to accommodate additional risk events.


10. Governance Structure

The following governance structure will assist senior management in ensuring appropriate management and mitigation of significant risks:

Figure 5 - Enterprise Risk Management governance structure (diagram; labels recovered from the extract): Enterprise Risk Governance Committee; Enterprise Risk Management Working Committee; Manager of Corporate Initiatives; Corporate Risk Register and Risk Treatment Plans; Service Owners / Risk Owners with their Department / Service Business Plans and Risk Registers.


The following roles and responsibilities will support the ERM governance structure:

a) Enterprise Risk Management Governance Committee – Acts as a Steering Committee for the Enterprise Risk Management framework by providing support and direction to achieve the Corporate Enterprise Risk Management Strategy. The Committee will be comprised of the Chief Administrative Officer and the Corporate Leadership Team. Their responsibilities are to:

• Review reports from the Enterprise Risk Management Working Committee and provide direction accordingly.

• Provide direction for significant and critical risks elevated to the Committee and/or refer to Council.

• Perform annual review of enterprise risks.

• Approve changes, as necessary, to the Enterprise Risk Management framework, risk measurement criteria, risk universe and definitions, and governance structure.

b) Enterprise Risk Management Working Committee – A working committee that regularly reviews the significant and critical risks from a corporate perspective. The Committee will be chaired by the Manager of the Corporate Initiatives, and comprised of the Corporate Initiatives Analyst, a representative from Legal’s Risk Management division, a representative from Asset Management division, a representative from Human Resources’ Corporate Health & Safety Division, and at least two other management representatives as directed by the CAO. Their responsibilities are to:

• Review the Corporate Risk Register and risk treatment plans for significant and critical risks; and recommend further actions to mitigate risks, if necessary.

• Provide quarterly reports (or as deemed necessary) to the Enterprise Risk Governance Committee regarding the Corporation’s risks and identify risk owners.

• Elevate significant and critical risks, as necessary, to the Enterprise Risk Governance Committee for direction/action.

• Develop procedures to ensure effective implementation of this framework.

c) Manager of Corporate Initiatives – Manages the Enterprise Risk Management framework. This includes developing the Enterprise Risk Management framework to support the Corporation’s Enterprise Risk Management strategy, implementing and monitoring the elements of the framework, and continuously improving the elements of the framework as required. Their responsibilities are to:

• Provide training on the ERM framework & its processes.

• Facilitate risk assessments as directed.


• Manage the Corporate risk register, which includes significant & critical risks.

• Monitor risk treatment plans that mitigate significant & critical risks.

• Assist in elevating significant & critical risks upward for direction/action.

d) Service Owners, Department Heads and Project Managers – Manage the risk profile through the risk management process to achieve their objectives. Their responsibilities are to:

• Understand and follow the Enterprise Risk Management process.

• Maintain and monitor their service risk register.

• Designate a primary person to act as a Risk contact to coordinate risk monitoring & communication within the designated service, department or project.

• Establish the objectives for the service, department or major project being evaluated. Objectives must be developed in relation to the Corporate Strategic Action Plan.

• Communicate significant & critical risks to the Manager of Corporate Initiatives; and where necessary request that they be elevated to the Enterprise Risk Governance Committee.

• Monitor changes of the risk profile and the planning & implementation of treatment plans.

e) Risk Owners – Manage individual risks according to the mitigating strategies developed for those risks. Their responsibilities are to:

• Recommend a risk tolerance level for a risk through consultation of the risk’s stakeholders.

• Develop and manage risk treatment plans to mitigate risk, specifically significant & critical risks.

• Monitor changes of risks and the implementation of treatment plans.


11. Risk Reporting

The communication of risk is essential to the success of the Corporation’s governance of its risks. A Risk Reporting Procedure will be developed through the Manager of Corporate Initiatives and the Enterprise Risk Management Working Committee. The Risk Reporting procedure will be approved by the Enterprise Risk Governance Committee.

12. Risk Monitoring

Existing risks listed in a Risk Register should be monitored on a periodic basis that ensures prudent management of the risks. New risks need to be added to the risk register and evaluated upon their discovery. The following is a guideline for effective risk monitoring:

• Strategic level risks should be monitored quarterly and prior to the beginning of strategic planning exercises.

• Operational & process level risks should be monitored periodically by risk owners to ensure treatment plans for Significant or Critical level risks are mitigating as planned. Low or moderate level risks (particularly with upward trends) should be monitored to ensure they do not evolve into Significant or Critical level risks.

• Risks that become urgent and require immediate treatment are elevated to the Manager of Corporate Initiatives, who will direct them to the Enterprise Risk Governance Committee.

13. Definitions (2)

• Risks – the likelihood that there will be a positive or negative deviation from the expected objective. Risk is inherent in any business venture. Risks can be threats or opportunities and are measured by likelihood or probability of occurrence and the impact or consequences to people or property should they occur. Risks will be classified as low, moderate, significant or critical.

• Enterprise Risk Management (ERM) – the coordinated activities to direct and control risks within an organization. This includes assessing risks, communicating risks, assigning responsibility for risks, identifying mitigating strategies to avoid or lessen risk, planning risk response strategies for reacting when risk occurs and reviewing and improving risk management based on lessons learned from risk experience.

• ERM Framework - the suite of policies, procedures, tools and training that support Enterprise Risk Management within the Corporation.

The ERM Framework includes the ERM policy, ERM Assessments and supporting procedures, the Council Report Writing Guide with respect to the risk section of Council Reports, the evaluation and results from the Levels of Service & Risk assessment as directed by the Senior Manager of Asset Planning, the insurance policy or policies carried by the Corporation, the policies and procedures directed by the Manager of Risk and Insurance with respect to insurance risk management and the avoidance of loss or damage to people or property, health and safety policies and procedures as directed by the Executive Director of Human Resources and any other policies, procedures and tools implemented by Council or Administration to manage risk.

• Risk Appetite – the general amount of risk the Corporation is willing to accept, which influences how risks are assessed and treated. Knowing the Risk Attitude assists the Corporation in developing risk mitigation and risk response strategies appropriate to the Corporation’s needs.

(2) Many of the definitions include parts that were adapted from ISO 31000:2009 Risk Management – Principles and Guidelines – Definitions


• Insurance & Liability Risk Management – A component of Enterprise Risk Management where the purchase and management of insurance is used to transfer the risk to a 3rd party. Insurance & Liability Risk Management is managed by the Risk and Insurance division.

• Service – The delivery of an output or benefit to a client as defined in the Inventory of Programs and Services of the Corporation of the City of Windsor.

• Enterprise risks – Risks that affect or are prevalent throughout the entire corporation. Succession might be an example of an enterprise risk. Enterprise risks are often strategic in nature.

• Departmental risks – Risks that affect a department’s strategic or service objectives. Departmental risks are often operational in nature.

• Project risks – Risks that affect the objectives defined in the scope of the project. The risk should be measured at an enterprise level as to how it will affect the organization or service objective.


Appendix A

Measurement Criteria

• Simple Measurement Criteria (2 pages)
• Measurement Criteria for the Risk Assessment Tool


Simple Measurement Criteria (consequence)

| Score | Financial (Cost to City) | Operational (Impact on the ability to sustain operations) | Reputational (Impact on the way stakeholders regard the City) | Health & Safety (Impact on any stakeholder) |
|---|---|---|---|---|
| 5 SEVERE | > $3M | Widespread or long-term shut down of operations | Sustained, serious loss of confidence in management of City | Death |
| 4 MAJOR | $500k - $3M | Significant, sustained operational issue | Major impact on public confidence that is difficult to regain | Permanent disability or widespread illness |
| 3 MODERATE | $250k - $500k | Moderate operational challenge in size or duration | Significant impact on public confidence that damages City’s image | Moderate health & safety event |
| 2 MINOR | $25K - $250k | Modest operational inefficiency or situation | Modest, localized impact on City image | Minor health & safety event |
| 1 INSIGNIFICANT | < $25K | Small operational inefficiency | Limited impact on City image | Low significance event |


Simple Measurement Criteria (cont'd): Likelihood

| Scale | % |
|---|---|
| 5 ALMOST CERTAIN | 90 – 100% |
| 4 LIKELY | 60 – 90% |
| 3 POSSIBLE | 40 – 60% |
| 2 UNLIKELY | 10 – 40% |
| 1 RARE | 0 – 10% |

Factors to consider for Likelihood:

• Maturity / complexity of the process or system
• Past occurrences of the risk event
• External factors
• Experience of management / employees
• Performance indicators / industry trends
• Recent audit reports
• Effectiveness of training
• Adherence to policies & procedures
• Current controls, or lack of controls
• Management's understanding of / focus on the risk


Measurement Criteria for the Risk Assessment Tool - DRAFT March 31, 2015

Probability

| Rating - Descriptor | 1 - Rare | 2 - Unlikely | 3 - Possible | 4 - Likely | 5 - Almost Certain |
|---|---|---|---|---|---|
| Description - Frequency or approximate probability | May only occur in certain conditions. Every 10+ years or 0% to 10% | Could occur some time. Every 5 to 10 years or 10% to 40% | Might occur at some time. Every 3 to 5 years or 40% to 60% | Will probably occur in most circumstances. Every 2 to 3 years or 60% to 90% | Almost certain to occur. Annually or more frequently or 90% to 100% |

Consequence

| Rating - Descriptor | 1 - Insignificant | 2 - Minor | 3 - Moderate | 4 - Major | 5 - Severe |
|---|---|---|---|---|---|
| Health & Safety - injuries to staff, public or stakeholders | No treatment required | Minor injury or illness requiring medical treatment | Serious injury or illness requiring medical treatment | Permanent disability or widespread illness | Death |
| Legal Liability - incur $ (claims, lawsuits, etc.) | < $25K | $25K-250K | $250K-500K | $500K-3M | > $3M |
| Physical Assets - replacement of | Replaceable worth < $25k | Replaceable worth $25k-250k | Replaceable worth $250k-500k | Replaceable worth $500k-3M | Replaceable worth over $3M or significant asset is irreplaceable |
| Environment - damage to | Negligible event, non-permanent impact requiring no clean-up measures ($0-25K) | Minor event, non-permanent impact requiring very little clean-up effort ($25-250k) | Major event, some permanent impact requiring moderate clean-up effort ($250k-500k) | Major event, some permanent impact requiring extensive clean-up effort ($500k-3M) | Severe event, permanent impact requiring significant clean-up (> $3M) |
| Availability - number of people impacted by service failure | Under 1% of customers | 2%-25% of customers | 26%-50% of customers | 51%-100% of customers | 100% of customers for sustained period of time |
| Quality - impact or disruption to overall quality of service delivered | Limited impact to overall quality of discretionary service | Moderate or localized impact to overall quality of discretionary service OR Limited impact to overall quality of essential service | Serious or widespread disruption to overall quality of discretionary service OR Moderate or localized impact to overall quality of essential service | Inability to provide a discretionary service OR Serious or widespread impact to overall quality of essential service | Inability to provide an essential service |
| Budget - cost overruns or reallocation of funds for service or project | < $25K | $25K-250K | $250K-500K | $500K-3M | > $3M |
| Funding - loss of external funding or revenue (e.g. grants, leasing revenue, user fees) | < $25K | $25K-250K | $250K-500K | $500K-3M | > $3M |
| Public Trust / Media Attention - negative attention | Limited attention by media, limited impact on public confidence | Local media coverage, department official fielding media questions, moderate impact on public confidence | Regional media coverage, significant impact on public confidence that damages City's image | National or Provincial media coverage, external agency inquiry, major impact on public confidence that is difficult to regain | Significant National or Provincial media coverage, external agency criminal investigation, sustained serious loss of confidence in management of City |
| Governance - management oversight | Some unfavourable comments by governing body (i.e. Management or Council) | Request for change recommendations by governing body (i.e. Management or Council) | Senior governing body issues recommendations for change (i.e. Federal or Provincial) | Senior governing body demanding immediate changes to status quo (i.e. Federal or Provincial) | Senior governing body imposing temporary leadership (i.e. Federal or Provincial) |
| Legislative - violation of legislation | Infraction of legislation with limited penalties (under $25k) | Minor infraction of legislation with penalties ($25k-$250k) | Moderate infraction of legislation with penalties ($250k-$500k) | Major violation of legislation with significant penalties ($500k-$3M), high profile trial | Multiple major violations of legislation with significant penalties (over $3M), public inquiry & high profile trial |
| Strategic - negative effect on corporate strategic goals | Impairment of 1 corporate strategic goal | Failure of 1 corporate strategic goal | Failure of 2 or more corporate strategic goals | Majority of corporate strategic goals fail | Failure of corporate strategic goals |

Note: Evaluate project risks based on impact to affected discretionary or essential service.


Appendix B

Risk Universe & Definitions

• Risk Universe (1 page)
• Risk Universe Definitions


City of Windsor Enterprise Risk Management – Draft Risk Universe

External
1. Legislative & Regulatory
2. Funding
3. Socio-Cultural
4. Economic Factors
5. Terrorism
6. Vandalism
7. Health Epidemic
8. Natural Disaster
9. External Technology Changes

Strategic
10. Changes in Strategy
11. Governance
12. Planning & Resource Allocation
13. Conflicting Priorities/Demands
14. Transparency

Operational
15. Service Failure
16. Substandard Service Delivery
17. Technology Fails
18. Privacy/Security Breach
19. Third-Party Performance
20. Infrastructure
21. Material Resources
22. Implementation/Transition

Organizational
23. Inter-Departmental Coordination
24. Organizational Culture
25. Employee Turnover
26. Health & Safety Incident
27. Human Resources Capacity
28. Labour Relations

Financial
29. Treasury/Liquidity
30. Accounting & Reporting
31. Fraud & Corruption
32. Budget Breach

Legal/Compliance
33. Compliance
34. Litigation


Enterprise Risk Management - Universe Definitions

EXTERNAL

| # | Risk Label | Risk Name | Risk Context | Impact |
|---|---|---|---|---|
| 1 | Legislative & Regulatory | Changes in legislation/regulations significantly change the City's operations | Operations include: mandate; financial models; service operations | City has to redirect resources |
| 2 | Funding | Funding is significantly cut | Funding models and allocations can change. | Unplanned reductions in services; inability to react in a timely manner |
| 3 | Socio-Cultural | Significant socio-cultural changes occur in the City | Socio-cultural factors include: unemployment; migration of workers; demographics; society/citizen/business expectations | Required redirection in public policy, funding and management attention |
| 4 | Economic Factors | Significant changes in economic factors occur | Economic factors include: inflation; foreign exchange; interest rates; employment rates; and business start-up/creation/departure rates | Current and future revenue streams and public needs change |
| 5 | Terrorism | Significant acts of terror occur | Potential targets could include international border crossings - Ambassador Bridge and Detroit-Windsor Tunnel | Harm to citizens; increased need for emergency services and funding from City sources |
| 6 | Vandalism | Significant acts of vandalism occur | City experiences significant incidence of vandalism that causes damage to property or assets and/or detracts from public image. | Negative public reaction; increased need for social services and funding from City sources to clean it up |
| 7 | Health Epidemic | A significant health epidemic occurs | Health epidemics include: contagious disease; widespread contamination occurrence | Harm to citizens; trigger emergency plan response and associated costs; potential impact to city staff and service delivery protocols; negative public reaction |
| 8 | Natural Disaster | A significant natural disaster occurs | Significant natural disasters include: environmental degradation; environmental spillage; flooding; earthquake; severe storm events | Negative public reaction; trigger emergency plan response and associated costs; harm to citizens |
| 9 | Technology Changes | Significant external technological change occurs | Significant technological changes could include advancements in software and/or hardware that lead to obsolescence. | Unplanned replacement costs and/or process changes |

STRATEGIC

| # | Risk Label | Risk Name | Risk Context | Impact |
|---|---|---|---|---|
| 10 | Changes in Strategy | Unexpected change in strategic direction occurs | Frequent or unexpected change in strategic direction. | City has to redirect resources; strategic goal impairment; change in strategic goals |
| 11 | Governance | City governance mechanisms fail | Governance failure includes: improper controls; inefficiency; poor financial management; and nepotism | Culture of awareness decreased; cost of remedial actions; potential costs of response (e.g. increased oversight); inconsistent values exhibited; impairment of reputation; negative public reaction |
| 12 | Planning & Resource Allocation | Poor planning and resource allocation decisions are made | Planning activities and/or allocation of resources inhibit achievement of operational and strategic objectives. Includes situations where value creation/enhancement opportunities are not known, missed or under-exploited. City finances are run based on budgets set at the beginning of the year. | Unnecessary expenditures; impairment of value; misalignment of resources from priorities; strategic goal impairment |
| 13 | Conflicting Priorities/Demands | A significant conflict occurs between stakeholders | Differing priorities and demands between citizens, council, administration as well as federal and provincial bodies | Stalemate, inability to act; lost resources; delayed project delivery; delayed service delivery; strategic goal impairment |
| 14 | Transparency | Accusation of a lack of transparency | Citizen, federal, provincial and business partner expectations of transparency are difficult to meet. Citizenry is sensitive to potential breaches of transparency, corruption and misappropriation of assets. | Potential costs of response (e.g. increased oversight); impairment of reputation |

OPERATIONAL

| # | Risk Label | Risk Name | Risk Context | Impact |
|---|---|---|---|---|
| 15 | Service Failure | Significant failure of City services | City services include: public services; policies; administrative directives | Negative public reaction; City has to react with unplanned attention and resource deployment; public safety incident; strategic goal impairment |
| 16 | Substandard Service Delivery | City service delivery does not meet agreed-upon standards | City's delivery of services is faulty, delayed and/or ineffective. | Failed projects; cost and time overruns; recurring scope/cost/timing changes; increased costs; impairment of reputation; increased scrutiny |
| 17 | Technology Fails | City's technology fails to meet needs | Choice and implementation; failure could be in relation to needs or expectations | Business process efficiencies are not realized |
| 18 | Privacy / Security Breach | Confidential information is publicly released | Confidential information made available to the public/media. Information is improperly accessed, modified or disclosed. Citizenry is sensitive to potential breaches, corruption and misappropriation of assets. | Unnecessary resource allocation and costs to fix; public scrutiny; legal action; impairment of reputation; increased oversight required; operational costs |
| 19 | Third Party Performance | Third party service providers fail to perform | Failure can include: missing agreed-to service levels; not rendering service in time; not rendering the correct service; inadequate/poor service delivery; misalignment of public service needs and private sector profits. Third party service providers include vendors, agencies, boards, commissions and partnerships. Examples of major contracts include: garbage collection, winter control. | Lost revenues; increased operational costs; lost time; negative public reaction; increased oversight; impairment of reputation |
| 20 | Infrastructure | Infrastructure fails to meet the City's needs | Infrastructure is not available, able to be maintained or suitable for current and operational needs | Impairment of reputation; reduced business investments |
| 21 | Material Resources | Material resources are unavailable when required | Material resources needed to enable operations: are not available; are costly to attain; cannot be acquired in a timely manner; are wasted. Material refers to tangible resources. | Wasted costs; project delays; impaired or delayed service delivery |
| 22 | Implementation/Transition | Program change management fails | Even if program delivery is successful, there could be a failure to implement the end result as a sustainable solution that realizes the original business case due to: poor change management; adoption challenges; inadequate functionality; transition failure from project to ongoing process/program. | Business case of programs not met; deficient service delivery |

ORGANIZATIONAL

| # | Risk Label | Risk Name | Risk Context | Impact |
|---|---|---|---|---|
| 23 | Inter-Departmental Coordination | Cross-departmental coordination is delayed or ineffective | Departments need to work together in a seamless manner to enable effective and efficient service delivery. Structure is not conducive to service delivery. | Deficient or ineffective service delivery; project delays; increased costs; impairment of reputation; strategic goal impairment |
| 24 | Organizational Culture | City's corporate culture inhibits the achievement of strategic objectives | Strategic objectives include corporate values or use of resources. Factors to consider include: communication channels and effectiveness; cultural integration; ethics and values; goal alignment; management style; tone at the top; organization structure | Strategic goal impairment; elevated employee turnover; impairment of reputation |
| 25 | Employee Turnover | Employee turnover rate increases above generally accepted level | Employee turnover increases (including staff retirements) | Service delivery deficiencies; loss of key competencies and skills; knowledge loss |
| 26 | Health & Safety Incident | Abnormal health and safety incident occurs | Health and safety incident occurs leading to injury, illness or death. | Impairment of reputation; exposure to liability |
| 27 | Human Resources Capacity | City does not have proper human resources to fill key positions | Management resources could fail to meet strategic and operational requirements due to limited capacity, departures and retirements with limited to no backup or alternative plans (i.e. succession planning) | Loss of key competencies and skills; knowledge loss; cost or time overruns (additional training, project delays, etc.); impaired or delayed service delivery |
| 28 | Labour Relations | Labour relations action occurs | Dispute between employees and City. Labour relations actions include: strikes; lockouts; other activities that disrupt service | Impaired or delayed service delivery; impairment of reputation; service delivery failure; financial impact; increased scrutiny |

FINANCIAL

| # | Risk Label | Risk Name | Risk Context | Impact |
|---|---|---|---|---|
| 29 | Treasury/Liquidity | City experiences cash flow shortage | Inadequate cash flow due to improper management, investment, collection, planning or wasteful spending. | Inability to deliver services; impairment of reputation; increased carrying costs |
| 30 | Accounting & Reporting | Financial reporting errors occur | Impairment in financial statements or public reporting integrity. | Impairment of reputation; restricted ability to borrow |
| 31 | Budget Breach | Department or project exceeds budget dramatically | Department or project budget exceeded dramatically | Impairment of reputation; financial impact |
| 32 | Fraud & Corruption | Publicized illegal or improper acts by employees occur | Includes theft or loss of assets | Loss of City's assets or resources; impairment of reputation |

LEGAL / COMPLIANCE

| # | Risk Label | Risk Name | Risk Context | Impact |
|---|---|---|---|---|
| 33 | Compliance | Compliance breach occurs | Failure to maintain an awareness of compliance requirements, monitor compliance, enforce compliance, implement and maintain enabling mechanisms. Failure to maintain awareness and compliance with provincial or federal public policy requirements. | Consequences of non-compliance – reputation, funding, fines, penalties; increased costs; impairment of reputation; loss of resources; increased scrutiny |
| 34 | Litigation | City involved in a lawsuit that has a significant impact | Losses may emanate from: claims by employees, the public, service providers and other third parties; expenses associated with participation in a lawsuit; failure by the City to exercise certain rights to its advantage. Significant lawsuit involves uninsured risks & reputational impacts. | Financial impact; impairment of reputation |