Katie Yurkewicz Community Advisory Board 24 September 2015 Enterprise Risk Management

We are updating our set of identified risks to the laboratory that are serious enough to impact the lab’s science mission or possibly shut down the lab. We want to include risks identified by the CAB, and involve the CAB in discussing the impact of risks. Enterprise risk at Fermilab 9/24/15Katie Yurkewicz | Enterprise Risk Management2 Terminology:  Risk: effect of uncertainty on objectives  Enterprise Risk: effect of uncertainty on strategic objectives of an organization  Enterprise Risk Management (ERM): processes to identify, analyze, mitigate and respond to top-level risks that may impact the strategic objectives of an organization

Examples of risk events in enterprise risk register The Enterprise Risk Register constitutes a concise summary of top risks to the laboratory. Example 1: “Major accident at Lab…” Enterprise risk register contains a summary of potential accidents, their estimated probabilities and impacts, and has references to detailed ES&H mitigations and responses, safety standards, training programs, crisis response plans, etc. Example 2: “Government shutdown…” Summary of scenarios, probabilities, impacts, with links to plans for ensuring “business continuity” Example 3: “Major Project fails…” Summary of major project risks that could impact the lab’s science mission. 9/24/15Katie Yurkewicz | Enterprise Risk Management 3

Risk questions for the CAB What is the greatest risk to the lab’s reputation? (Local community, legal, scientific…) What is the greatest risk to people? (Safety, security…) What is the greatest risk to the lab’s assets? (Environment, buildings, accelerators, data…) What is the greatest political or external risk to the lab? (Government, international, geopolitics, markets…) 9/24/15Katie Yurkewicz | Enterprise Risk Management 4

9/24/15Katie Yurkewicz | Enterprise Risk Management 5

Discussion of risk impact (1 of 2) What is the impact to the lab for the following risk events? Radiation incident – accident or failure to follow radiation control procedures causes a member of the public, lab user, or employee to be overexposed with radiation Safety incident underground – accident causes death or serious injury in an underground area (on- or off-site) managed by Fermilab Security breach – computer security incident causes a loss of science data or personally identifiable information Cover up – failure to communicate or lack of transparency related to a significant negative lab event damages the lab’s reputation with the local and national public Environmental incident – an accident causes environmental damage Security posture – a change in the lab’s security posture (e.g. restricting access to members of the public) causes mistrust in the local community 9/24/15Katie Yurkewicz | Enterprise Risk Management 6

Discussion of risk impact (2 of 2) What is the impact to the lab for the following risk events? Theft – theft of high-value government property and/or radioactive material damages the lab’s reputation Infrastructure failure – failure of lab infrastructure or physical plant due to aging facilities shuts down the lab’s science program Labor action – labor union action against the lab results in adverse publicity and/or lawsuit that interferes with the lab’s ability to meet contractual obligations Funding shortage Government shutdown 9/24/15Katie Yurkewicz | Enterprise Risk Management 7