Part One

A Practical Approach
to Strategic Risk Management

Part One of a three-part Strategic Risk Management training program

Katharine Hullinger, ARM

Risk Manager
California State University Channel Islands
Revised 3/13/2018
The only alternative to risk management is crisis management --- and
crisis management is much more expensive, time consuming and
embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Risk management means more than preparing for the worst; it also means
taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada
3
Keep it simple
 Outline
 Objectives of Part One

 Conversation Starters

 A Quick Risk Exercise

 Principles and Basics

 Why SRM?

 The Risk Inventory Tool/template

 Considerations Back at the Office

 Q &A
A Practical Approach to Strategic Risk Management (SRM)

Training Introduction to SRM Participant Outcomes

Components
     Understanding of risk management process
Introduction to the risk management  Understanding of how risk management is
process and terminologies already incorporated in day-to-day work
Introduction to the SRM framework  Understanding the reasons for SRM
Introduction to Risk Assessments  SRM roles and responsibilities clearly defined
Discuss best way to implementation  Awareness of SRM tools
SRM in work area  Commitment to SRM implementation in area of
Clarify roles & responsibilities for work
SRM  Commitment to continuous risk communication
& learning
 Conversation Starters

 Who is accountable for risks?

 How do we talk about risk? Do we have a common
language in the department, across divisions, across the
campus, across the CSU?
 Are we taking too much risk? Or not enough?
 Are the right people taking the right risks at the right time?
 What’s our risk culture? Are we risk-adverse, risk-takers,
or somewhere in between?
 A Quick Risk Exercise

 Identify risks (threats and opportunities) that a cyclist

faces in cycling to campus for work.
 How would you mitigate the threats?
 How would you maximize the opportunity?
 Report back
 Identifying the risks in cycling
Threats: Opportunities:
 Injury  Exercise and good health
 Death  Fresh air

 Reputation  Reputation
 Financial savings
 Financial expense
 Role model
 Damage or theft
 Environmental impact
 Weather Issues
 Mitigation strategies for threats associated with cycling

 Injury and death – helmet, bright clothes, lights, bell, obey traffic laws,
stay alert
 Reputation – great biking outfit, change of clothes, openly promote
alternative transportation
 Financial – inexpensive transportation, avoid traffic citations
 Damage or theft – regular maintenance, know the route, avoid
obstacles and things that puncture tires, high quality lock
 Weather issues – carry filled water bottle, warm/waterproof outerwear
and gloves
 The Risk Management Principles

Risk is the uncertainty that surrounds future events and outcomes.

Risk is the expression of the likelihood and impact of any event with the
potential to influence the achievement of an organization’s objectives.
 Risk Management Basics
 Risk (uncertainty) may affect the achievement of objectives.

 Effective mitigation strategies and controls can reduce negative risks (threats)
or increase opportunities.

 Residual risk is the level of risk remaining after applying risk controls.

 Acceptance and action should be based on residual risk levels.

Definition of Strategic Risk Management

“… a process, effected by an entity's board of directors,

management and other personnel, applied in a strategic setting
and across the enterprise, designed to identify potential events
that may affect the entity, and manage those events within its risk
appetite, to provide reasonable assurance regarding the
achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Why are we implementing SRM?
 SRM removes silo-based decision making

 SRM becomes embedded in key processes such as strategic, budgeting and project planning

 Identify and understand risks that positively or negatively impact the achievement of strategic goals

 Evaluate risk priorities and allocate resources strategically

 Improve overall risk tolerance

 Promote a healthy risk culture, where risk is a routine and expected topic
of conversation.

 Develop a common and consistent approach to addressing risk across the

institution

 Practice proactivity rather than reactivity

 Identify new risk and develop appropriate strategies for mitigating or

profiting from it

 Establish accountability, transparency and responsibility

 Realize programmatic success, defined as implementation and practice

throughout the entire organization
Establish
Objectives

CSUCI has established its Strategic

Objectives
CSUCI 2015-2020 STRATEGIC OBJECTIVES

Facilitate Student Success

• Provide University access to students who bring diverse perspectives
• Provide a mission-driven education that prepares students for individual success
• Provide support for degree completion

Provide High Quality Education

• Hire and support quality faculty and staff who are committed to the mission of the University
• Infuse integrative approaches, community engagement, multicultural learning, and international perspectives
into all aspects of learning
• Engage undergraduate and graduate students in research and creative activities

Realize Our Future

• Build infrastructure capacity
• Leverage the use of technology
• Seek, cultivate, and steward resources, both public and private
• Implement collaborative planning and accountability processes
The Risk Inventory Tool
 Risk Inventory

Identification Assess and Take Action –

Prioritize Mitigate or Accept

Target Date for

Completion
Existing Risk Controls/Measures Impact Likeli- hood Resources Mitigation
Risk Number Risk Short Name Risk Description Outcome Impact Likelihood Net Score Risk Mitigation Actions Responsibility Cost Estimate Complete
in Place Score Score Needed

EXAMPLE Access To High Hazard Areas The risk of unauthorized *Perimeter doors have *Some buildings with high hazard areas Serious Likely 4 3 12 *Installation of electronic door locks (proxy John Doe $3,000   3/14/2015
access to hazardous areas mechanical locks that are are open to the public, increasing the cards) will allow 24/7 security control as only
outside of normal business randomly spot checked by police chances of unauthorized or accidental authorized users will have access to the area.
hours after normal business hours. access to high hazard areas
*Random spot checks not adequate
considering the life/safety risks in some
areas.

1             #N/A #N/A #N/A      

   
2             #N/A #N/A #N/A      
   
3             #N/A #N/A #N/A      
   
4           #N/A #N/A #N/A      
     
5             #N/A #N/A #N/A      
   
6           #N/A #N/A #N/A      
     
7             #N/A #N/A #N/A      
   
8             #N/A #N/A #N/A      
   
9             #N/A #N/A #N/A      
   
Identify Risks
Identification of Risk
 Financial Risk - unplanned losses or expenses
 Service Delivery/Operational Risk - lapses in continuity of operations
 HR Risk – Employment practices; retention
 Strategic Risk – untapped opportunities
 Reputational Risk – damage to relationship with community at large
(loss of revenue)
 Legal/Compliance Risk – noncompliance with statutory or regulatory
obligations
 Technology/Privacy Risk – threats to and breaches in IT security
 Governance Risk – wide-spread non-compliance with policies and
standards
 Physical Security/or Hazard Risk – harm or damage to people, property
or environment
 Identification of Risks – Creating a Risk Inventory

A B C D E

Risk Number Risk Short Name Risk Description Existing Risk Controls/Measures in Place Outcome

1 Access To High The risk of unauthorized access Perimeter doors have mechanical *Some buildings with high hazard areas are open to
Hazard Areas to hazardous areas outside of locks that are randomly spot the public, increasing the chances of unauthorized or
normal business hours checked by police after normal accidental access to high hazard areas
*Random spot checks not adequate considering the
business hours.
life/safety risks in some areas.

2
Risk #2
3
Risk #3
4
Risk #4
5 Risk #5
6 Risk #6
7
Risk #7
8
Risk #8
9
Risk #9
 Prioritize

Risk Assessment – Consider Impact and Likelihood to

Prioritize Risks

Impact - level of damage sustained when Likelihood of a risk event occurring

a risk event occurs
 5 Expected: Is almost certain to occur
 5 Critical: Threatens the success of the
project
 4 Highly Likely: Is likely to occur
 4 Serious: Substantial impact on time, cost
or quality

 3 Likely: Is as likely as not to occur

 3 Moderate: Notable impact on time,
cost or quality

  2 Not Likely: May occur occasionally

2 Minor: Minor impact on time, cost or
quality

 1 Insignificant: Negligible impact  1 None/Slight: Unlikely to occur

Slide 22
 Assessing Risks – Considering the Likelihood and Impact

F G H I J
Scoring risks Likeli-
Impact Likelihood Impact Score hood Net Score
Score
Impact: Serious Likely 4 3 12

Critical - 5

Serious - 4
Moderate -
3
Minor - 2 #N/A #N/A #N/A

Likelihood: #N/A #N/A #N/A

Insignificant - 1 #N/A #N/A #N/A

Expected - 5 #N/A #N/A #N/A

Highly Likely - 4 #N/A #N/A #N/A

Likely - 3 #N/A #N/A #N/A

Not Likely - 2 #N/A #N/A #N/A

None/Slight - 1 #N/A #N/A #N/A

Take Action

Mitigating or Treating Risks – Accept? Alter? Transfer?

Decline?

K L M N O
Target Date for
Resources Completion
Risk Mitigation Actions Responsibility Cost Estimate
Needed Mitigation
Complete
*Installation of electronic door locks John Doe $3,000 3/14/2015
(proxy cards) will allow 24/7 security
control as only authorized users will
have access to the area.
 Risk Inventory

Identification Assessment Mitigation

or Treatment

Target Date for

Completion
Existing Risk Controls/Measures Impact Likeli- hood Resources Mitigation
Risk Number Risk Short Name Risk Description Outcome Impact Likelihood Net Score Risk Mitigation Actions Responsibility Cost Estimate Complete
in Place Score Score Needed

EXAMPLE Access To High Hazard Areas The risk of unauthorized *Perimeter doors have *Some buildings with high hazard areas Serious Likely 4 3 12 *Installation of electronic door locks (proxy John Doe $3,000   3/14/2015
access to hazardous areas mechanical locks that are are open to the public, increasing the cards) will allow 24/7 security control as only
outside of normal business randomly spot checked by police chances of unauthorized or accidental authorized users will have access to the area.
hours after normal business hours. access to high hazard areas
*Random spot checks not adequate
considering the life/safety risks in some
areas.

1             #N/A #N/A #N/A      

   
2             #N/A #N/A #N/A      
   
3             #N/A #N/A #N/A      
   
4           #N/A #N/A #N/A      
     
5             #N/A #N/A #N/A      
   
6           #N/A #N/A #N/A      
     
7             #N/A #N/A #N/A      
   
8             #N/A #N/A #N/A      
   
9             #N/A #N/A #N/A      
   
 Risk Heat Map

RISK PRIORITIZATION MATRIX

RISK
4 IxL
IMPACT

RISK
3 IxL

RISK
1 IxL

1 2 3 4 5

LIKELIHOOD
 Risk reporting and communications

Risk Level Action and Level of Involvement Required

 Inform Cabinet
Critical Risk
 Immediate action required

 Inform division Vice President

High Risk  Attention is essential to manage risks – provide report to VP as
directed

 Inform relevant administrators

Moderate Risk
 Mitigation and ongoing monitoring by managers is required

 Accept, but monitor risks

Low Risk
 Manage by routine procedures within the program or department
Monitor and
Reassess

Monitoring and Reassessing – Examples of Key Risk

Indicators
Personnel Resources Finance
•Average time to fill vacant positions • Reporting deadlines missed (#)
•Staff absenteeism /sick time rates • Incomplete P&L sign-offs (#, aged)
•Percentage of staff appraisals below
“satisfactory”
•Age demographics of key managers
Legal/Compliance
Information Technology • Number and cost of litigated cases
• Systems usage versus capacity • Compliance investigations (#)
• Number of system upgrades/version releases • Customer complaints (#)
• Number of help desk calls

Audit Risk management

• Outstanding high risk issues (no., aged) • Risk Management overrides
• Audit findings (no., severity) • Limit Breaches (#, amounts)
• Revised target dates for clearing findings (no.)
 Monitor, Measure and Report SRM
Implementation Progress
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
Excellent • Advanced implementation, development and execution of SRM parameters
• Consistently optimizing risk adjusted returns throughout the organization

• Clear vision of risk tolerance and overall risk profile

• Risk controls in place for most major risks
Strong
• Robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk

• Risk controls in place for some of identified major risks

• May lack a robust process for identifying and preparing for emerging risks
Adequate
• Performing solid classical “silo” based risk management
• No fully developed process to optimize risk opportunities

• Incomplete control process for at least major risk

Weak
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
 Ask questions and develop your approach

 Do we understand our major risks? Do we know what is

causing our risks to increase, decrease or stay the same?
 Have we assessed the likelihood and impact of our risks?
 Have we identified the sources and causes of our risks?
 How well are we managing our risks?
 Are we trying to prevent the downside of risk, or are we
seemingly trying to recover from them?
 Considerations back at the office
 Why is the organization interested in SRM? What are we hoping will
be achieved with its implementation?
 Who is doing what? Roles and responsibilities must be clearly
defined. Leadership must support SRM and use SRM results to when
making decisions. Everyone is a risk manager. Make sure that all risks
have owners and the responsibilities for mitigation are assigned.
 How will it be implemented? What is your framework? How will risks
be measured and reported? Who is your champion?
 Where will you start? Where you can most easily succeed, or where
it is needed the most?
 When will it be implemented? SRM is a journey, not a destination;
risks should be continually assessed and mitigation methods re-
considered. Change is inevitable; recognize new risks and
opportunities.
 Questions?

Thank you for participating!