Risk Mgmt-Enterprise-Handout

Safety, Security & Risk Management Page 1

Selected Risk Management Program Documents

Enterprise Risk Management Presentation

Safety, Security & Risk Management Department Safety&[email protected]

March 17, 2011

SENSITIVE BUT UNCLASSIFIED PROPERTY OF SERVICESOURCE NETWORK

Copying, including electronic copying, dissemination, or distribution of any information contained herein, or any part thereof, to unauthorized persons or without written permission of ServiceSource Network is prohibited.


Dear Attendee,

It is my honor to have presented this information at the NISH Conference. Please do not hesitate to contact me for any information regarding the presentation. If you email me I will provide all of the information mentioned in their original format (e.g., Excel, Word, etc.) so that you can download and alter them to meet your needs. My email address is [email protected]

With the exception of Mr. Kuhn’s spreadsheet, there are no copyright issues to worry about – just remove the ServiceSource logo information and insert yours. Mr. Kuhn’s work can be altered and used as noted on the first page. Generally, he does not mind you using the spreadsheet so long as he is credited. Alterations are fine, too.

In addition to the presentation materials, I have included a selection of forms we, at ServiceSource, use as part of our process. Again, those wishing workable copies merely need to send me an email.

Thank you, again, for attending.

Sincerely,

Scott A Kuebler

Risk Management Issues Identification & Response Plan

Understanding the Network’s Risk Management Identification & Response Plan

A Risk Management Plan outlines the foreseeable risks & hazards and provides a set of actions to be taken to both prevent the risk from occurring and reduce the impact of the risk should it eventuate. More specifically, the plan includes:

• A full list of identified foreseeable risks
• A rating of the likelihood of each risk's occurring
• A rating of the impact on the organization/program should each risk actually occur
• A priority rating of the overall importance of each risk
• A set of preventative actions to eliminate or reduce the likelihood of the risk(s) occurring
• A set of contingent actions to reduce the impact should the risk eventuate
• A process for managing risks & hazards over a set period of time.

The ServiceSource Network staff leadership prepares and submits the plan to our voluntary Board of Directors for review and approval so that our governing Board may be informed of risk management identification and mitigation processes. The plan should not be considered an external or independent audit of risk and risk management activities; rather, it is a management information and planning tool. However, external reviews are included in many areas of planned activities and the results are additionally provided to the Board of Directors and committees.

Risk Process

It is the responsibility of all employees to identify potential operating and environmental risks to the ServiceSource Network and the services and programs of its affiliates. The process of identifying such operational and environmental risks is known as “risk analysis.” Risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The identification of risk is a complicated process that involves all levels of employees. This process starts, in its organized form, with the various safety committees throughout the Network. Because each safety committee is made up of a cross section of employees and management, risk identification activities include all levels of employees. As issues are identified, they are discussed and reported on at regular safety committee meetings and, where appropriate, bubble up through the chain of command to the Network level.

Whenever possible, local risk issues are encouraged to be handled at the local level and only major risk issues – those either requiring Network support or having a Network wide impact – are added to this report. In addition to the local safety committee, each affiliate has a cross-functional team (see corporate policy 100.10 Cross Functional Management Team) that also has responsibility to identify risk and either act upon it or raise it to the Network level. This team also is the functional body that would often receive risk information from the local safety committee, as well as from other sources (e.g., direct employee contact, local state regulatory bodies, persons served, etc.). Understanding the above, this document will serve as the platform for the development, control and review of the risks and hazards identified for the Network – as a whole. This plan will follow the general accepted practices of any risk management analysis and reporting function, as portrayed in the following chart (reference: The Presidential/Congressional Commission on Risk Assessment and Risk Management – Framework for Environmental Health Risk Management):

In summary form, the process is as follows:

• Define the problem and put it into context.
• Analyze any risks associated with the problem.
• Examine options addressing the risks identified.
• Make informed decisions on which, if any, options to implement.
• Take action to implement the decisions.
• Conduct regular analysis of any actions taken to ensure the outcomes are what was expected - if not, restart the process.

Procedures

Provide a diagrammatic representation of the processes undertaken to identify and mitigate risks within the Network.

Responsibilities

Define the roles and responsibilities of all resources involved with the identification and mitigation of risks within the Network.

The first step in creating a risk plan is to identify the likely risks & hazards that may affect the Network. A series of risk categories is identified and for each category a suite of potential risks is listed. This may take place during a ‘Risk Planning’ workshop, involving key stakeholders, management representatives, employees, contractors, etc., who are involved in / affected by the operations of the organization or program. Each of the risks identified is described in detail and documented within the plan.

Definition

“A risk is defined as any event which is likely to adversely affect the ability of the Network to achieve the defined objectives”. ©

Categories

Identify the likely categories of risks for the Network. Each risk category is a particular aspect of the Network that is likely to experience a risk at some point in time. Currently, ServiceSource Network has identified the following categories:

• Governance
  o The edifice of corporate governance includes:
    ▪ the national/regional laws governing the formation of corporate bodies
    ▪ the bylaws established by the corporate body itself
    ▪ the organizational structure of the corporate body
• Operations
  o Those activities involved in the running of a business for the purpose of producing value for the stakeholders.
• Financial
  o Those activities involving balancing risk and profitability.
• Information Technology (IT)
  o A broad subject concerned with the use of technology in managing and processing information; including data security, backup and verification activities.
• Human Resources (HR)
  o Those activities associated with hiring, firing, retaining, training, and other human capital concerns.
• Contract
  o Those activities concerned with the development, maintenance, performance, renewal or obligatory requirements of any contract the Network, or any of its parts, may be part of or undertake.
• Corporate Development (CD)
  o Those activities associated with corporate strategic planning, expansion and merger & acquisition execution.
• Program Development (PD)
  o Those activities associated with the development of new programs and activities, grant development and general oversight of the Network’s strategic activities to meet its stated goals and objectives.
• Safety
  o Those activities associated with maintaining a safe, secure and healthful work environment.

Risk Quantification & Prioritization

The next step is to quantify the likelihood of each risk's eventuating along with its potential impact on the Network. This process then allows each risk to be effectively prioritized. A simple method of reviewing each issue and assigning a ranking by using the following chart assists in properly prioritizing each risk.

Impact (rows) against Likelihood (columns):

• High Impact / High Likelihood: Priority 1
• High Impact / Low Likelihood: Priority 2
• Low Impact / High Likelihood: Priority 3
• Low Impact / Low Likelihood: Priority 4

Management staff, both at the Network and local levels, are provided with worksheets to help them identify and prioritize risks (copies attached to this document). This process, when completed, is then summarized on a matrix, and this matrix is provided to senior leadership as a tool to constantly monitor open issues. The summary of all of this work is kept in a database file by the Vice President of Safety,

Potential Risk Identification Notification

To:
From:
Date:
Requested Reply Date:

The Risk Management Department, as part of its ongoing review of processes and practices, has identified the following issue(s) as posing a potential risk to the Network or one of its affiliates. Identification of these risks does not necessarily mean that the risks are real or even pose a valid threat to any portion of the Network – it only means that the Risk Management Department has identified the issue(s) and poses the following questions as to their validity as a risk. Please review and mark the appropriate action you and your team feel best addresses the issue(s) identified and reply back to [email protected]. Thank you.

Columns: Issue | Potential Risk | Owner | Department Comments | Recommended Action

Recommended Action:

□ Not Considered an Issue at this Time.
□ Add to the Risk Plan for Formal Tracking.
□ Issue under Review by the Identified Owner and Considered an Interdepartmental Issue. No Further Risk Action Required at this Time.
□ Not a Risk Item; However Assigned as an Action Item to:

CC: Bertha Ngenge, SVP HR & Compliance Officer

Scott Kuebler Page 1 4/29/2008 C:\Documents and Settings\skuebler\My Documents\Risk Management Resources & Information\Forms & Templates\2008 Forms & Templates\ServiceSource Risk Form.doc

Risk/Hazard Identification Form

RISK DETAILS ©

Risk Title: Title of the risk/hazard to which the risk relates
Risk Owner: Name of the risk owner responsible for mitigating the risk
Risk ID: Unique identifier assigned to this risk (Risk Management to provide)
Raised By: Name of person who is raising the risk
Date Raised: Date on which this form is completed
Risk Description: Add a brief description of the risk identified and its likely impact on the organization or operation (e.g. scope, resources, deliverables, timescales and/or budgets)
Risk Impact on Organization/Program: Add a brief description of the impact this risk or hazard would have on the organization/program, if it was to eventuate.
Risk Likelihood, Impact & Prioritization:
□ Highly Likely/High Impact – Priority 1
□ Low Likelihood/High Impact – Priority 2
□ Highly Likely/Low Impact – Priority 3
□ Low Likelihood/Low Impact – Priority 4

RISK CATEGORY

Risk Category: Select the appropriate risk category based on the following descriptors:

□ Governance
  o The edifice of corporate governance includes:
    ▪ the national/regional laws governing the formation of corporate bodies
    ▪ the bylaws established by the corporate body itself
    ▪ the organizational structure of the corporate body
□ Operations
  o Those activities involved in the running of a business for the purpose of producing value for the stakeholders.
□ Financial
  o Those activities involving balancing risk and profitability.
□ Information Technology (IT)
  o A broad subject concerned with the use of technology in managing and processing information; including data security, backup and verification activities.
□ Human Resources (HR)
  o Those activities dealing with hiring, firing, training, and other personnel issues.
□ Contract
  o Those activities concerned with the development, maintenance, performance, renewal or obligatory requirements of any contract the Network, or any of its parts, may be part of or undertake.
□ Corporate Development (CD)
  o Those activities associated with corporate strategic planning, expansion and merger & acquisition execution.
□ Program Development (PD)
  o Those activities associated with the development of new programs and activities, grant development and general oversight of the Network’s strategic activities to meet its stated goals and objectives.
□ Safety
  o Those activities associated with maintaining a safe, secure and healthful work environment.

RISK RESPONSE STRATEGY

Strategy: The appropriate leadership team identifying the hazard or risk should identify the best strategy to handle the issue. These strategies include:

□ Avoidance – the leadership team decides that the best practice to handle this particular hazard or risk is to eliminate it or its impact. This may be achieved by changing operational activities or policies, adding resources, extending time frames, or otherwise removing the opportunities for the hazard or risk to manifest itself.
□ Transference – the leadership team transfers the hazard or risk to another party (e.g., by purchasing insurance coverage).
□ Mitigation – the leadership team understands that the risk or hazard cannot be completely eliminated or transferred; however, they implement processes, policies, and methods to reduce the probability or the consequences of the hazard or risk, in the event it manifests itself.
□ Acceptance – the leadership team, after careful review, decides to accept the risk and not to develop or implement any strategy or specific response, other than to agree to address the issue if and when it occurs.

RISK MITIGATION

Based on the strategy chosen, explain how the identified hazard or risk will be handled:
Recommended Preventative Actions: Add a brief description of any actions that should be taken to prevent the risk from eventuating
Recommended Time Specific Actions: Specify and describe any actions, along with an estimated completion date, that should be taken, in the event that the risk happens, to minimize its impact on the organization or program
Signature: _______________________ Date: ___/___/____

PLEASE FORWARD THIS FORM TO THE DIRECTOR OF SAFETY & RISK MANAGEMENT

Scott Kuebler Page 1 4/29/2008 C:\Documents and Settings\skuebler\My Documents\Risk Management Resources & Information\Forms & Templates\2008 Forms & Templates\ServiceSource Risk Status Form.doc

Risk Status Form

RISK IDENTIFICATION DETAILS ©

Risk ID#: Number assigned by Safety & Risk Management
Risk Title: Title of the risk/hazard to which the risk relates
Risk Owner: Name of the risk owner responsible for mitigating the risk
Date of Report: Date this form completed
Person Submitting: Name of person submitting this report

RISK DESCRIPTION DETAILS

Risk Description: Add a brief description of the risk identified and its likely impact on the organization or operation (e.g. scope, resources, deliverables, timescales and/or budgets)
Risk Impact on Organization/Program: Add a brief description of the impact this risk or hazard would have on the organization/program, if it was to eventuate.

RISK MITIGATION ACTIVITY DETAILS

Describe any activity either completed or currently in progress that addresses the risk/hazard identified:
Recommended Preventative Actions Identified: Add a brief description of any actions that have been taken to prevent the risk from eventuating
Recommended Time Specific Actions: Specify and describe any actions taken to either prevent or mitigate the identified risk/hazard

APPROVAL DETAILS ©

Issue status: □ Open □ Closed
Issue priority change (current status is Yellow): □ Green □ Yellow □ Red
Supporting Documentation: Reference any supporting documentation used to substantiate
Signature: _______________________ Date: ___/___/____

PLEASE FORWARD THIS FORM TO THE DIRECTOR OF SAFETY & RISK MANAGEMENT

RISK MANAGEMENT MATRIX

Name of Program/Area:

Columns: RISK | IMPACT | PRIORITY | MITIGATION PLAN | ACTIONS | PROGRESS | COMMENTS

PRIORITY (one selection per row; the form provides six blank rows):
□ Highly Likely/High Impact (Priority 1)
□ Low Likelihood/High Impact (Priority 2)
□ Highly Likely/Low Impact (Priority 3)
□ Low Likelihood/Low Impact (Priority 4)

ReadMe

Author: Brad Kuhn - Carnegie Quality http://www.carnegiequality.com
Version: 1
Version Date: 6/13/2007
Copyright: Copyright © 2007 by Brad Kuhn

Some rights reserved. This work is licensed under a Creative Commons License. You are free:

- to copy, distribute, and transmit the work
- to make derivative works

Under the following conditions:

- Attribution. You must attribute the work in the manner specified by the author or licensor.
- You may not use this work for commercial purposes.
- If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
- Any of these conditions can be waived if you get permission from the copyright holder.

Legend

Risk Category: Select from categories as defined in the values list in cells A36:A64.
Affiliate/Operation: Identify the appropriate affiliate/operation affected.
Potential Outcome: What happens if the risk occurs - usually written in the form "then <this outcome occurs>".
Raised By: Person who identified the risk.
Raised Date: Date risk identified.
Source: Source of risk - who or what process identified it.
Impact: Qualitative ranking of impact to project, using scales defined in the Risk Management Plan. You will find the values list in cells E47:F51.
Probability: Probability of risk being realized, using scales defined in the Risk Management Plan. You will find the values list in cells E54:F58.
Matrix Score: This is calculated once you select the Impact and Probability. These cells use conditional formatting to display color shadings as defined in cells E61:G64.
Qualitative Impact: Space for further description of potential impact.
Risk Strategy: Select from strategies as defined by the Risk Management Plan. You will find the values list in cells H36:H41.
Response Notes: Additional notes about the response plan.
Owner: Risk owner.
Status: Risk status. You will find the values list in cells H44:H52.
Trigger Date: If the risk was triggered (occurred), the date the trigger occurred.
Notes: Additional notes.

3/17/2011 1:23 PM Risk Matrix FY11.xlsx Page 1 of 1

Risk Register – ServiceSource Network

Columns, grouped as Risk Identification | Risk Analysis | Response Planning | Risk Monitoring and Control:

Risk ID | Risk Category | Affiliate/Operation | Risk Description | Raised By | Date Raised | Source | Impact | Probability | Matrix Score | Qualitative Impact | Risk Strategy | Response Notes/Plan | Owner | Status | Trigger Date | Notes

(The register rows themselves are blank in this printout.)

Insert Rows Above This Line Only


Warning: Be careful adding/removing rows in the following section - these values are used for data validation

Risk Category:
• Governance – Relates to corporate bylaws, government regulation, organizational structure, required certifications/licenses
• Operations – Relates to any activities involved in operating/managing sites, contracts, programs, etc.
• Finance – Relates to finance & accounting risks (e.g., fraud, misuse, taxes, budget, expenditures, revenues, etc.)
• Information Technology – Relates to the use of technology, processing of information, data transmission or storage, electronic data security, etc.
• Human Resource – Related to the hiring, firing, retaining, training, etc., of employees, participants & volunteers.
• Contract – Related to the development, maintenance, performance, renewal or any obligatory requirements of any contract.
• Corporate Development – Related to activities associated with corporate strategic planning, expansion and merger & acquisition activities.
• Program Development – Activities associated with the development or maintenance of service programs, grants and any activities related to the organization's strategic activities to meet its stated goals and objectives.
• Safety/Security – Related to those activities associated with maintaining a safe, secure and healthful work environment.

Risk Source: Local Management; External Audit/Review; Internal Audit/Review; Stakeholder; Other

Risk Strategy: Avoid; Transfer; Mitigate; Accept

Status: Identified; Analysis Complete; Planning Complete; Triggered; Resolved; Retired; Open

Impact Values: Very Low 0.05; Low 0.10; Moderate 0.20; High 0.40; Very High 0.80

Probability Values: Very Low 0.10; Low 0.30; Moderate 0.50; High 0.70; Very High 0.90


Enterprise Risk Management

ServiceSource’s Risk Management Program

A Plan for Success

Presented by:

Scott A. Kuebler, Ph.D.
Vice President
Safety, Security & Risk Management
ServiceSource

Email: [email protected]

Acknowledgement

Brad Kuhn – Carnegie Quality http://www.carnegiequality.com
For spreadsheet design

What is a risk?

Scott’s definition – “The potential for some event to have a significant negative impact on the organization, tangible or intangible, as measured by both its likelihood to occur and its resulting impact.”


What can a risk event impact?

A risk event can impact –

• Direct cost to the organization (loss of revenue, fines, etc.)
• Loss of valued physical assets (property loss)
• Injury/death to employees or others
• Negative impact on the organization’s reputation

Risk impact example

Operation: Mail Services

Risk Event: Sensitive material lost and potentially exposed to the outside world.

Potential Impact: Reputation as it relates to performance.

Potential Result: Contract loss; failure to qualify for additional or new.

What is not a risk?

• If the event already happened - that’s history and a learning event.

• If the event in question is a “certainty” – that makes the event part of an existing operational, insurance or similar plan. For example, a scheduled DOL audit is not a “risk” – it is a manageable event.

• If the event or issue is generally accepted as “impossible” or “improbable” (a meteor destroying your facility).


Why have a risk management plan?

A risk management plan, working in partnership with an organization’s strategic plan, is like upgrading from a paper roadmap to a GPS system. While the roadmap is great at providing needed information to get from point “A” to point “B”, no one would question the wisdom of a GPS system that provides up-to-date directions, with alternatives; real time traffic reports, voice enhanced direction, etc.

In short – a proactive risk management plan provides data to allow an organization to identify and then eliminate, mitigate or knowingly accept identified risks; all with the intent of making the organization more adept at success!

What does a risk management plan do?

From “Framework for Environmental Health Risk Management”

The Presidential/Congressional Commission on Risk Assessment and Risk Management

Risk management process

Steps in the risk management process:

1. Planning
2. Risk Identification
3. Prioritization
4. Control & Monitoring
5. Closure & Audit

Tracking, Management, Reporting


Step One - Planning

• Determine who will be involved in the process (accountability).
• Gain management buy-in at every level.
• Know how you are going to collect, track, trend and present information.
• Align the program with the organization’s mission, vision and strategic goals/objectives.

Risk Management Process

Planning → Risk Identification → Prioritization → Control & Monitoring → Closure & Audit

Planning: Responsibilities; Methods; Buy-in; Align with Mission, Vision, Strategic Plan

Step Two – Identification of Risk

• Experience/History
• Experts
• Brainstorming
• Formal Assessments
• Surveys


Step Two – Identification of Risk

Planning → Risk Identification → Prioritization → Control & Monitoring → Closure & Audit

Planning: Responsibilities; Methods; Buy-in; Align with Mission, Vision, Strategic Plan
Risk Identification: Experience; Experts; Brainstorming; Assessments; Surveys

Step Three - Prioritization

Two criteria to examine:

1. Probability (likelihood) that the event identified will happen – minimal/unlikely to high/very likely
2. Consequence (impact or severity) the event would cause if it happened – low or minor impact to high or severe (catastrophic) impact

Step Three - Prioritization

[Chart: a 3 × 3 grid of Probability of Occurrence (1–3) against Severity of Occurrence (1–3), with cells shaded Green, Yellow and Red]


Step Three - Prioritization

[Chart: a 5 × 5 grid of Probability of Occurrence against Consequence of Occurrence, each rated Very Low, Low, Moderate, High or Very High, with cells shaded Low Risk, Medium Risk and High Risk]

Step Three - Assessment

Risk Priority Table (rows: Impact; columns: Likelihood; each cell gives the impact and probability scores assigned)

Significant impact (Financial loss >$100,000; Impact on organization's reputation; Major safety issues w/potential to harm; Imposed fines, fraud, crime, etc.; Liability exposure & legal actions; Significant IT system issues; Labor disruption, major contract issues, etc.):
• likelihood low: impact = 7, probability = 3
• likelihood moderate: impact = 7, probability = 7
• likelihood high: impact = 10, probability = 10

Moderate impact (Financial loss <$50,000; Safety issues violating OSHA, insurance, etc.; Isolated criminal activity/fraud; IT issues w/potential to affect ops.; Multiple employee grievances; Management issues affecting operations; Labor & contract issues):
• likelihood low: impact = 3, probability = 3
• likelihood moderate: impact = 5, probability = 5
• likelihood high: impact = 5, probability = 10

Minor impact (Financial loss <$10,000; Isolated safety issues w/o potential to harm; Non-criminal and non-liability legal issues; Minor IT related issues; Minor and isolated employee issues; Internal audit/inspection issues; Misc. issues w/potential to impact ops.):
• likelihood low: impact = 1, probability = 1
• likelihood moderate: impact = 3, probability = 5
• likelihood high: impact = 3, probability = 10

Step Three - Prioritization

Risk Management Process Steps

Planning → Risk Identification → Prioritization → Control & Monitoring → Closure & Audit

Planning: Responsibilities; Methods; Buy-in; Align with Mission, Vision, Strategic Plan
Risk Identification: Experience; Experts; Brainstorming; Assessments; Surveys
Prioritization: Probability; Impact; Rating System (Consistent, Easy, Understandable)


Step Four – Control & Monitoring

Four Methods to Control Risk:

• Transfer
• Mitigate
• Accept
• Avoid

Step Four – Control & Monitoring

Risk Identification (register columns: Risk ID | Risk Category | Affiliate/Operation | Risk Description | Owner | Date Raised | Source; no Affiliate/Operation or Owner values appear in this extract)

1 | Operations | Housing boards do not have D&O coverage. | 11/01/10 | Internal Audit/Review
2 | Operations | CARF Certification | 11/01/10 | Internal Audit/Review
3 | Finance | Formalized expenditure and revenue approval process. | 11/01/10 | External Audit/Review
4 | Information Technology | Lack of a readily available method to transmit sensitive data. | 11/01/10 | Internal Audit/Review
5 | Human Resource | Ethics Training Requirements | 11/01/01 | Internal Audit/Review
6 | Operations | Paint booth is out of compliance with NFPA codes | 11/01.2010 | External Audit/Review
7 | Human Resource | Current policy titled "Code of Ethics, Conduct and Corporate Compliance" (300.38) does not contain proper "whistleblower" protection. | 11/01/10 | Internal Audit/Review

Step Four - Prioritization

Risk Analysis (register columns: Risk ID | Impact | Probability | Matrix Score | Qualitative Impact), for the first three risks in the register:

1 | 5 | 0 | 5.00 | D&O exposure without coverage and potential risk of losing directors.
2 | 9 | 3 | 12.00 | Loss of certification; loss of income streams where this is required; and loss of reputation.
3 | 4 | 4 | 8.00 | Lack of a formalized and consistent approval matrix governing expenditures/revenue leaves the organization vulnerable to misuse or misappropriation of funds.


Response Planning and Risk Monitoring and Control (register columns: Risk ID | Risk Strategy | Response Notes/Plan | Status | Notes), for the first five risks in the register:

1 | Transfer | Worked with Housing management and our brokers/carriers to develop and implement an insurance solution. | Resolved | D&O policy in place.
2 | Mitigate | New Quality Manager will be working with each affiliate to ensure CARF compliance. | Open | SSRM Team has started safety audits.
3 | Mitigate | CFO team is developing a formalized process that will include an authority matrix. | Resolved | Authority matrix approved and published.
4 | TBD | Issue has been referred to the IT team. | Open |
5 | Mitigate | HR developed and implemented a vigorous ethics program with ongoing training. All employees are now required to receive this training upon hire and then must take a refresher course annually. | Resolved |

Step Four – Control & Monitoring

Risk Management Process Steps

Planning → Risk Identification → Prioritization → Control & Monitoring → Closure & Audit

Planning: Responsibilities; Methods; Buy-in; Align with Mission, Vision, Strategic Plan
Risk Identification: Experience; Experts; Brainstorming; Assessments; Surveys
Prioritization: Probability; Impact; Rating System (Consistent, Easy, Understandable)
Control & Monitoring: Categorized; Described; Assigned; Prioritized; Response; Monitored

Step Five - Closure

Closure or Status Possibilities:

• Resolved
• Retired
• Open
• Triggered


Understanding Closure:

• Know in advance what elements are required to “qualify” an issue for closure!
• Update the organization’s Risk Management Plan to account for issue closure.
• Maintain archives for future reference, auditing and “proof” when required.
• External Audit

Step Three -

Risk Management Process Steps

Planning → Risk Identification → Prioritization → Control & Monitoring → Closure & Audit

Planning: Responsibilities; Methods; Buy-in; Align with Mission, Vision, Strategic Plan
Risk Identification: Experience; Experts; Brainstorming; Assessments; Surveys
Prioritization: Probability; Impact; Rating System (Consistent, Easy, Understandable)
Control & Monitoring: Categorized; Described; Assigned; Prioritized; Response; Monitored
Closure & Audit: Understand; Update Plans; Archive; External Review

Resources

• Ethics Resource Center - http://www.ethics.org/

• Carnegie Quality - http://www.carnegiequality.com/

• Committee of Sponsoring Organizations of the Treadway Commission (COSO) - http://www.coso.org/

• Nonprofit Risk Management Center - http://www.nonprofitrisk.org/

Scott A. Kuebler

Vice President

Safety, Security & Risk Management

ServiceSource

[email protected]