© 2012 Arthur J. Gallagher & Co. Linking Risk To What Matters Most. Dorothy M. Gjerdrum, ARM-P, CIRM, Executive Director & Risk Consultant

TRANSCRIPT

  • Slide 1
  • 2012 ARTHUR J. GALLAGHER & CO. Linking Risk To What Matters Most. Dorothy M. Gjerdrum, ARM-P, CIRM, Executive Director & Risk Consultant
  • Slide 2
  • Agenda: Linking Risk to What Matters Most
      • How Risk Management is Evolving
      • Attributes of Enhanced Risk Management
      • Key Outcomes:
          • Understanding your risks
          • Managing risks within set criteria
      • Linking Risk to Decision Making
      • Consideration of Strategy, Mission, Objectives and What Matters Most
  • Slide 3
  • Traditional Risk Management
      • Purchase insurance to cover risks
      • Hazard-based risk identification and controls
      • Compliance issues addressed separately
      • Safety & emergency mgmt handled separately
      • Silo approach: risk mgmt is not integrated across the organization
      • Risk Manager is the insurance buyer
  • Advanced Risk Management
      • Greater use of alternative risk financing techniques
      • More proactive about preventing and reducing risks
      • Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
      • Cost allocation used for education and accountability
      • More collaboration as depts are willing
      • Risk Manager may be the risk owner
  • Enterprise-wide Risk Management
      • A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
      • Aligns RM process with strategy and mission
      • May include upside risks (opportunities)
      • Helps manage growth, allocate capital & resources
      • Risks are owned by all & mitigated at the department level
      • Many risk mitigation & analytical tools available
      • Risk Manager is the risk facilitator and leader
  • Transactional, Strategic
      • Risk is bad: focus is on transferring risk
      • Risk is an expense: focus is on reducing cost-of-risk
      • Risk is uncertainty: focus is on optimizing risk to achieve goals
  • Integrated Risk Management is Evolving
  • Slide 4
  • Attributes of Enhanced Risk Management: Measuring Success!
      • Key Outcomes
          • The organization has a current, correct and comprehensive understanding of its risks
          • The organization's risks are within its risk criteria
      • Attributes
          • Continual improvement
          • Full accountability for risks
          • Application of risk management in decision making
          • Continual communications
          • Full integration into governance structure
      • Annex A, ANSI/ASSE/ISO 31000:2009
  • Slide 6
  • Financial Risks Strategic Risks Bank failures Stock market performance Unemployment Interest rates Budget cuts Investment limitations Tax caps Bond rating Retirement funding Capital availability Credit markets stability Currency & foreign exchange rate fluctuations Unexpected loss of revenue Health care costs Revenue & grant $$ management Counterparty risk Financial reporting Mergers & Acquisitions of key partners or vendors Ethics violations Negative media coverage Stakeholders interests Strategy & initiatives Meeting public expectations Union relations Long-term planning vs. budget limitations Public-private partnerships Health & safety violations HR & personnel actions Utilities failure Workplace violence Public support Theft Govt sanctions Accounting or internal controls failures Facilities maintenance Aging infrastructure IT system failure Business interruption Loss of key suppliers Mandated public services Code violations Operational Risks Workers comp Building security Public safety Lawsuits War Natural events & catastrophes Terrorism Fraud Governance Disease & epidemics Mold exposure Asbestos exposure Student activities Public Official & D & O liability Geopolitical risks Animal or insect infestation Pollution Contractual liability Building subsidence or collapse Hazard & 3rd Party Risks Labor practices Procurement Unfunded mandates Internal Risks External Risks Energy costs Typical purview of RM Code of Conduct Reputation
  • Slide 7
  • www.fox4kc.com/news, September 14, 2010: "Suspect in Custody Following Knife Attack". The Penn Valley Dean of Student Instruction was attacked and slashed in the throat by a mentally ill student. The attacker meant to stab the governor of Missouri.
  • Slide 9
  • Why should we take a broader approach to risk?
      • Only 20-30% (?!) of all risks are insurable
      • Global interconnectedness forces us to think more broadly, for example:
          • Pandemic flu
          • Cyber attacks
          • World economy & supply chain risks
      • Now more than ever, we need all stakeholders to be risk aware
  • Slide 10
  • What Can You Do Starting Right Now?
      • Educate yourself: ISO, CSA trainings, PRIMA
      • Develop your elevator speech about taking a broader approach to risk and find supporters
      • Interviews and discussion opportunities
      • Compile an inventory of risks and think beyond insurable and beyond local: could you take this to the next level?
  • Slide 12
  • Risk Criteria As Defined in ANSI/ASSE/ISO 31000
      • Risk Criteria: the terms of reference against which the significance of a risk is evaluated
      • Notes:
          • Risk criteria are based on organizational objectives and external and internal context
          • Risk criteria can be derived from standards, laws, policies and other requirements
  • Slide 13
  • Defining Risk Criteria
      • One axis will be likelihood
      • The other will be consequence
      • It doesn't have to be a 5x5 grid (3x3 to 10x10)
      • You define the values in the grid
      • [Grid axes: Likelihood; Consequence or Severity]
  • Slide 14
  • Sample Impact

    | Rating | Service Disruption, Affect Upon Funds or Process | Reputation | Failure to Meet Legal Obligations | People |
    |---|---|---|---|---|
    | 5 Extreme | Total failure of service, extremely expensive $$$$ | National publicity >3 days, resignations | Multiple civil & criminal suits. Claim or fine above $5m | Fatality of 1+ employees or citizens |
    | 4 Very High | Serious disruption to service, high $$$ | National public or press interest | Litigation, claim or fine of $500k-5m | Serious injury or disability of 1+ people |
    | 3 Medium | Disruption to service, will cost $$ | Local public and press interest | Litigation, claim or fine $100k-500k | Major injury to people |
    | 2 Low | Some minor impact on service, minor $ impact | Contained within the dept but known by entity | Litigation, claim or fine $10k-100k | Minor injuries to people |
    | 1 Negligible | Annoyance, small or no $ impact | Contained within the dept | Litigation, claim or fine < $10k | Minor injury to individual |
  • Slide 15
  • Sample Likelihood

    | How Likely? | % of Time | How often? | Frequency |
    |---|---|---|---|
    | 5 Certain or Almost Certain | >75% | Expected to occur in most circumstances | Daily, weekly |
    | 4 Likely | 50-75% | Will likely occur in most circumstances | Monthly |
    | 3 Possible | 25-50% | Fairly likely to occur at some time | Once a year |
    | 2 Unlikely | 5-25% | Could occur at some time | Once a decade |
    | 1 Rare | 0-5% | Will occur only under special circumstances | 10 years or > |
  • Slide 16
  • [Figure: risk map with Consequence (Low, Moderate, Significant, Serious, Severe) against Likelihood (Remote, Unlikely, Possible, Likely, Certain); numbered items 1 to 10 plotted on the grid]
  • Slide 17
  • [Figure: risk map with Consequence (Low, Moderate, Significant, Serious, Severe) against Likelihood (Remote, Unlikely, Possible, Likely, Certain); numbered items 1 to 10 plotted on the grid, with the Risk Tolerance Level marked]
  • Slide 18
  • Why Do It? Risk Maps Guide Risk Mitigation Efforts

    | Consequence \ Likelihood | Low/Remote | Moderate | High/Certain |
    |---|---|---|---|
    | Significant | Considerable management required | Must manage and monitor risks | Extensive management essential |
    | Moderate | Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required |
    | Minor | Accept risks | Accept, but monitor risks | Manage and monitor risks |
  • Slide 19
  • Developed by a Major University
  • Slide 20
  • Risk Register Straw Man: Human Resources (Institutional Risks, Unit-Level Risks)
      • Failure to prevent significant lawsuits and claims relating to professional liability, discrimination or equal opportunity noncompliance
      • Failure to prevent inappropriate alcohol or drug use by employees
      • Inability to recruit and retain top faculty, staff and senior administrators
      • Incidences of sexual harassment or misconduct by faculty or staff
      • Inability to meet targets in staff and faculty diversity
      • Inadequate procedures or controls re background checks
      • Inability to offer a competitive benefits package
      • Failure to comply with overtime and minimum wage regs (FLSA)
      • Inability to retain faculty and staff due to employee dissatisfaction
      • Failure to establish mediation or conflict resolution channels
      • Failure to secure favorable collective bargaining outcomes
      • Arduous promotion or tenure policies
      • Source: University Business Executive Roundtable, A Practical Approach to Institutional Risk Management, The Education Advisory Board, 2012
  • Slide 21
  • What Can You Do Starting Right Now?
      • What inventories of risk exist right now? Could they be integrated, expanded?
      • How is information about risk communicated?
      • If you're going to build it, get help!
      • Recognize where risk is being managed well: as important as problems or threats
      • A quick note about risk appetite, attitude
  • Slide 23
  • Example from a Community College: ERM Supports Opportunities
      • A Potential International Culinary Competition:
          • A key ingredient in a culinary arts training program
          • An important opportunity for students, but the event occurred during uprisings in Egypt
  • Slide 24
  • The Middle East and Northern Africa During the Arab Spring
  • Slide 25
  • Results of the Discussion of the Opportunity and Key Risks
      • The college decided to support the trip
      • Six students & one faculty member participated
      • Plans were developed to minimize the threats, including training on the appropriate code of conduct and cultural context, supervision by an experienced traveler & the purchase of travel abroad insurance
      • Result: Awarded silver medal!
  • Slide 26
  • RAP Tool Outline (SAMPLE)
      1. Preparation
          a. Consistent language, risk criteria, context
          b. Involve appropriate stakeholders
          c. Facilitator & recorder, consistent process
      2. Discussing the Project, Risk or Opportunity
          a. Goals & strategy for entity & for decision
          b. Context & stakeholders
          c. Opportunities & benefits
          d. Threats
  • Slide 27
  • RAP Tool (SAMPLE)
      3. Assessing the Risks
          a. Using risk criteria
          b. Consideration of connected risks
      4. Decision Making
          a. Can you effectively treat the threats?
          b. Can the opportunity be supported and enhanced?
          c. Assign risk owners
      5. Next Steps
          a. Communication, monitoring & review
  • Slide 28
  • Risk Workshop Agenda (SAMPLE)
      • Purpose of the workshop
      • Overview of risk
      • Linking to strategy & key goals
      • Context and stakeholders
      • Key definitions
      • Brainstorm and rank key risks
      • What's next
  • Slide 29
  • Questions re Effectiveness
      • Principle c) Risk Management is Part of Decision Making: Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
      • How are decisions made?
      • Who is involved? Who should be involved?
      • What knowledge and skill do decision makers need in order to incorporate risk management in the process?
      • How would external/internal stakeholders be affected by decisions?
      • Is there consistency re metrics and values?
      • How are decisions communicated and implemented?
  • Slide 30
  • What Can You Do Starting Right Now?
      • Answer the questions re effectiveness
      • Are there opportunities to incorporate risk into decision making in your organization?
      • How could you apply this to your decision making or your department?
      • A pilot project?
      • Online tools? (www.ucop.edu/enterprise-risk-management/)
  • Slide 31
  • APQC (American Productivity & Quality Center) Best Practices re ERM
      • Clarity of purpose
      • ERM increases and protects value
      • Understand that pursuit of strategy carries risk
      • ERM assists in making good choices and managing risk
      • Effective risk management is a competitive advantage
  • Slide 32
  • What Best Practice Organizations Do
      • Risk assessment process is robust, with clear criteria, guidelines for escalation, inclusion of dissenting opinions & thinking the unthinkable
      • Use standardized language and processes
      • Use simple, user friendly tools to encourage adoption
      • Integrate ERM with strategic planning and existing processes
      • Embrace continuous improvement & communication
  • Slide 34
  • Brainstorm
      • Mission statement?
      • Strategic goals?
      • Management initiatives?
      • New projects or programs?
  • Slide 35
  • Specific Action Plan For You
      • Educate yourself, develop your elevator speech, build your network of peers
      • Create an inventory of risk management practices across all operations; can you build support for integration?
      • Seek opportunities for a broader approach to risk; can you help with decision making?
      • Develop tools and resources and develop your leadership skills
      • Be patient: it's a journey, not a destination!