I’m still forming the thought here and want to get some feedback. I pose this question not because I think the public sector is better than private at managing risk. I pose it because it’s easier (sometimes mandated) that the public sector share data with the taxpayers. Which industry is going to step forward and start sharing examples of risk program structure, tools, deliverables, metrics, etc?
Thanks to Justin Somaini for his pointer to the University of CA ERM program. Yesterday I had Grace Cricket’s webinar on ERM running in the background. When something caught my ear, I’d check it out on UC’s fantastic Resources site. Below are some notes I jotted down. Huge disclaimer: I didn’t take the time to listen to everything or view all the resources. The purpose of this post and these notes is to incite interest and thank Grace and co. for sharing!
Begin rough notes and soundbites:
“How do you know if you’re doing well?” Develop KPIs, find the data. Instead of asking (stakeholders) what keeps them up at night, ask them how they measure success. (me: Brilliant!) In the past, data was ad hoc and manual, not repeatable. Need technology to manage information. Selected IBM to develop solution.
Developed ERM maturity model. Use S&P rating methodology.
Retrospective reviews of impacts > $50k. (me: great source of evidence)
ERM is basically a COE to cross pillars of risk management.
Developed an ERMIS: single portal, organizes information for monitoring performance.
Developed Risk Assessment workbooks. (me: these are simple but a great starting point. I fully expect their use isn’t consistent, not always data driven, subject to politics, etc. but it’s a start for them)
Probably could have spent a lot of money on fancy tools, but folks are able to use simple tools; empower them to use something familiar, e.g. xls.
Combination of pull surveys vs. push assessments (me: the xls workbooks). Complemented by an ERM maturity rating, e.g. rims.org? 107 ERM activities across 5 categories. Self-rate on a CMM-like scale to rate the ERM program itself.
Question from audience: what’s the motivation to start? 1. Need an overall champion, e.g. CRO. 2. Need for a unified response to catastrophic incidents.
(52 mins in) ERM tracking: identified ~40 Ent. Risks across broad categories, e.g. the one IT risk entry: Title “Decentralization of systems leading to data inconsistencies and fragmentation.”
Mitigation: Senior leadership has recently put in place storage controls in this area;
Development and Maintenance Standards and (hard to hear?) local policies.
Data, Monitoring & Reporting: Reported at local level; Programming quality assurance and testing: approvals by programming managers and users before moving new systems or changes to production.
Advice: identify lowest hanging fruit, iterate
About 700 KPIs across ERM (me: I assume across the whole UC ecosystem)
Risk Appetite: to begin, just show performance against average of institutions across UC system e.g. yellow is 5% of average.
Question from audience: Do you charge each institution for ERM services? No, funded centrally.
Can ERM quantify its benefit? e.g. “eliminated cost of claims system @ $4M, ERM costs 2.5M/year.” Improved credit rating.
1:08 in: First big win was workers comp. “cost of risk for fy09/10 reduced from $18.46 to $14.76” ??
First win was leveraging individual risk assessment tools. Next win will probably be to leverage the portal roll-up.
How is CRO perceived e.g. auditors? Depends. Use qualitative to get past “sin factor.” Need to leverage qual and quant. Not an audit, no overlap from compliance. Focused on helping individual owners manage risk more effectively.
CRO is a generalist to break down silos e.g. Financial, Safety, Compliance, IT Governance.
End rough notes and soundbites.
I don’t know if UC’s ERM program is good or bad. I do know I appreciate the insight. I also know we need more sharing. Please let me know as you come across great examples we can all learn from.
Thanks again Grace!