Enterprise Risk Management:

Presentation transcript:

Understanding Enterprise Risk Management: An Overview
07/2014

What is Enterprise Risk Management (ERM)?
Risk Management is a defined set of coordinated activities to direct and control an organization with regard to risk. Risk Management allows an organization to identify risk mitigation strategies so the organization can achieve its goals.

Principles of Risk Management
- Risk Management creates and protects value.
- Risk Management is an integral part of all organizational processes.
- Risk Management is part of decision making.
- Risk Management takes human and cultural factors into account.
- Risk Management is systematic, structured and timely.
- Risk Management is based on the best available information.
- Risk Management is transparent and inclusive.
- Risk Management facilitates continual improvement of the organization.

What role do you play in ERM at NYU?
NYU staff members play a vital role in identifying and managing the University’s risks. You are the expert in your area of responsibilities. As the expert, we need your guidance, input, and advice with regard to the risks NYU faces and their impact on the organization.
What are the objectives for this process?
- To identify both institutional/business unit risks and address them through mitigation activities with the goal of managing the risks to a more tolerable level.
- To establish understanding and organizational awareness around the risk management process and the importance of thinking through risks on a continual/regular basis.
- To help NYU’s Administrative and Educational functions improve performance and achieve their own stated goals and objectives.

Two Types of Risk
- Insurable Risk
- Operational Risk

Components of the Enterprise Risk Management Program
- Support from the Senior Management Team
- Implement Risk Management in the Organization
- Define the risk criteria
- Risk identification
- Risk Analysis
- Risk Treatment
- Monitoring and Review

Risk Identification
Every organization faces risk(s). Every department within an organization faces risk(s). And every person working for an organization is responsible for the risks that affect his/her role and activities.
At NYU we identify risks on two levels:
- Institutional risks are those that impact the whole organization, its high-level goals and objectives.
- Unit risks are those that impact a particular department’s goals and objectives.
We also categorize the risks based on the areas they address. Below is a list of our official categories:
- Strategic
- Financial
- Operational
- Compliance
- Human (Health and Safety)
- Information Technology
Some questions to ask yourself:
- What events or conditions could disrupt this organization/department/individual operations and activities?
- What type of events or incidents could impact NYU’s reputation? (News Headlines)
- Do you use any systems for automation of tasks?
- Are there any risks that would impact the University financially or legally?
Factors to consider include:
- NYUWSQ vs. Global sites
- Does the risk address students, faculty or staff?
- Does the risk you identified impact other departments?

Integration into the Organizational Processes
Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.

Financial: Foreign exchange risk; Currency inflation; Repatriation of funds; Cash management; Economic decline; Financial statements
Strategic: Campuses Abroad; New degree programs; Attraction of top talent; Leadership succession plans
Market: Rise of online degrees; Student loans
Operations: No use of NYU Traveler; Global research exposure; Cyber risk; Business continuity; Lack of student housing; Security on campus; Lack of resources; Theft of university property
Environmental: Asbestos; Pollution/Waste handling; Hazardous material storage; Climate conditions; Natural disaster
Political: Partnerships at NYU international sites
Health & Safety: Infectious illnesses/disease; Missing students; Employee injury; Emergency evacuation plans; Student suicide
Compliance: Data breaches; Changes in governmental regulations; Research compliance; OFAC laws; Export/Import laws

Cross functional & Emerging View of Risks
[Diagram: Functional Risk View. Functional areas: Legal; Financial; Business/strategic; Operational; Safety/security; Audit. Risk labels: Brand Reputation Service Alliances Expansion Technology Info Security E-business Continuity Revenue Fuel Interest Foreign Exchange Insurance/Financing Civil Criminal Regulatory Contractual Safety Environment Employee safety Security Financial controls Process risks Disclosure Fraud]
The challenge is to address cross functional and forward looking “horizon” risks.

Risk Register
Risks identified and assessed should be documented in a risk register for the organization. We use Microsoft Excel to build out the University’s risk registers (e.g., risk maps). We provide a risk register template to all risk owners who have participated in ERM training.
- Executive Owner – Leader of function or school (e.g., V.P., E.V.P., Dean, or Director)
- Risk Owner – Person(s) who are responsible for managing mitigation of the risk. The risk owner(s) are usually people whose responsibilities are directly related or impacted by the risk. That being said, risks may have multiple risk owners.
- Risk Owner Department – Department that risk and risk owner are assigned to.
- Risk Name – Two to four word description of risk.
- Risk Description – A sentence or two describing the risk event.
- Expected/Residual/Current Likelihood
- Expected/Residual/Current Impact
- Risk Tolerance
- Risk Velocity
- Management Preparedness
- Comments – Further details or background information regarding the risk. How did the risk come to be? Are there any previous instances of the risk occurring?
Please see “Risk Analysis” slide for definitions.

Risk Analysis
Following risk identification, stakeholders have to assess the risk using predetermined metrics. The Enterprise Risk Management function created criteria and a scoring system to prioritize the risks. The criteria established are:
- Likelihood – How likely is the risk to occur?
- Impact – If the risk were to occur, how much impact would it have on the organization?
- Tolerance – How much risk is the organization willing to tolerate (e.g., impact and/or likelihood of risk occurring)?
- Velocity – If the risk were to occur, how long would it be before the organization was impacted?
- Management Preparedness – How prepared or aware is management of the risk?
Please note: It is very important that you are honest and open when scoring the risks. History has shown that organizations tend to falter when risks were not identified or addressed properly.

Risk Tolerance
Definition: The amount of risk an organization is willing to tolerate. Also known as risk attitude and/or risk appetite.
Scale from 1 (Tolerance, accept the risk) to 5 (No Tolerance, do not accept the risk), scored on likelihood and impact:
1 - The organization can tolerate 100% chance of the risk occurring. The organization will sustain minor impact or disruption.
2 - The organization can tolerate 80-99% chance of the risk occurring.
3 - The organization can tolerate 50-79% chance of the risk occurring. The organization will sustain moderate impact or disruption.
4 - The organization can tolerate 20-49% chance of the risk occurring. The organization will sustain major impact or disruption.
5 - The organization can tolerate 0-19% chance of the risk occurring. The organization will sustain extreme impact or disruption.

Risk Score
Current Risk: What the risk level is under current controls.
Risk Score is calculated by using the following values and formulas, assuming the controls that are in place work as expected.
Current Risk: Current Likelihood x Current Impact = Current Risk Score

Risk Mitigation Plan
Following risk identification, stakeholders have to assess the risk using predetermined metrics.
Risk Monitoring Timeline:
- 12 Month Check-Up: Re-score and Documentation
- Mitigation Complete
- 6 Month Check-Up: Documentation
- Integration

Risk Example 1

Risk Example 1 (continued from slide 15)

Risk, Sub-Risks and Outcomes
Sub-risks: Causes the risk to occur.
Outcomes: The results if the risk occurs.
Example:
Sub-risks:
- Weather Risk: Icy conditions, flooding
- Human Error Risk: Driver inattention, distraction
- Mechanical Risk: Brake fails, stuck accelerator
Risk: Multi-vehicle accident
Outcomes:
- Health & Safety Risk: Injury, loss of life
- Financial Loss Risk: Possible litigation, increased insurance premiums
- Property Damage Risk: Surrounding environment, vehicles

Contact Information
Michael Liebowitz, Senior Director, Insurance and Enterprise Risk Management, 212-998-2757, Michael.Liebowitz@nyu.edu
Ashleigh Shelton, Enterprise Risk Management Analyst, 212-998-2748, Ashleigh.Shelton@nyu.edu