Enterprise Risk Management - Specialist School
Ecclesiastical Insurance
Created on August 11, 2022
Transcript
Welcome to the Enterprise Risk Management course
Enterprise Risk Management
Managing Risks and Maximizing Opportunities
Table of Contents
- Living in a Riskier World
- ERM Overview & Benefits
- ERM Process
- Summary & Top Tips
- Additional Resources
- ERM Quiz
Riskier World: Big Picture to Local Picture
Riskier World: Big Picture
Younger generations are the most informed and demand action, such as:
- Replacing diesel vehicles with electric
- Improving the energy efficiency of buildings
- Reducing Carbon Footprint
- Sustainable supply chains
- Establishing a sustainability forum to generate new ideas
- Adopting energy efficient working practices
Riskier World: Local Picture
- Public Health Issues
- Technology & Data Security
- Funding / Investments
- Health & Safety Incidents
- Recruitment & Retention
- Changing needs
- Climate Change & Sustainability
- Safeguarding
- Regulation
- Maintenance
- Partnerships
- Supply Chains
- Crime
- Terrorism
- Livelihood crisis
- Extreme Weather
- Reputation
ERM: A Quick Overview
ERM is an integrated and joined up approach to managing risk across an organization and its extended networks.
Source: Institute of Risk Management
| Traditional Risk Management | Enterprise Risk Management |
| --- | --- |
| Insurable | Non Insurable (mostly) |
| One-dimensional assessment (severity) | Multi-dimensional assessment |
| Manage risks one by one | Analyzes risks & how they relate to each other |
| Occurs within one business unit (siloed) | Spans the entire organization (holistic) |
| Reactive & sporadic | Proactive & continuous |
| Disjointed activities | Embedded in culture & mindset |
| Standardized (compliance) | Standards (enabler) |
| Risk Averse | Informed decision making and risk taking |
The Benefits of ERM
- Supports achievement of objectives by managing risks and maximizing opportunities
- Good business acumen
- Greater assurance
- Informed decision making and risk taking
- Good governance
- Enhanced performance and better service outcomes
- Protects the organization's reputation
- Reduce operational losses and less organizational disruption
The ERM Process
- Establishing the Risk Context
- Risk Identification
- Risk Analysis
- Risk Prioritization
- Risk Mitigation
- Risk Monitoring
How many legs does this elephant have?
Risk Identification
Identifying those key risks facing the organization
- Physical
- Financial
- Environmental
- Competition & Markets
- Regulation
- Reputation
- Political
- Social
- Technology
- Legal
- Processes
- People
- What could stop the organization from achieving its objectives, priorities and plans?
- What concerns you the most?
Risk Analysis
Analyzing those headline risks in more detail e.g. cause & consequences
CAUSE
An event or situation that could occur which results in a negative impact
Think:
- Underlying root cause or trigger?
- Failure to… ?
CONSEQUENCES
The negative result
Think:
- How big?
- How bad?
- How much?
- Knock-on effects?
Risk Prioritization
Prioritizing the risks (considering existing controls) against your risk criteria in terms of impact & likelihood
Risks are assessed on an inherent (before controls are put in place) and a residual (after controls) basis. The residual risk assessment is used to prioritize risks identified against your risk appetite (how much risk you are willing to take as an organization). This will enable you to identify your ‘key’ risks which require the most focus.
Risk Mitigation
Consider how you want to manage each risk. What more could you do?
There are generally 4 strategies to manage risks (the 4 ‘T’s):
- Tolerate
- Treat
- Transfer
- Terminate
It is important to capture both existing controls in place and additional actions required to mitigate the risk to acceptable levels. This may include the introduction of new controls.
Tolerate
This is about accepting the risk exposure. There will be some risks where your current control measures are sufficient to reduce the likelihood and impact to a tolerable level and there is no added value in doing more, for example, it is not cost effective or realistic to try and manage it any further. Alternatively, there are some risks that are outside of your control and the organization has no influence over them, for example, government introducing new legislation that has a negative impact. You must accept that these risks exist, monitor them, and take limited action if/when needed.
Treat
This is about putting in place ongoing controls or actions to reduce either the likelihood of the risk occurring and/or the impact if it does occur. This is the most likely form of management for most risks. Often preventative controls are used to mitigate likelihood, to ensure something does not happen, for example, training so that staff do not do something in the wrong way or firewalls to prevent computer virus attacks. The impact is often mitigated with contingency, for example, alternative service providers or alternative service arrangements.
Transfer
This is about passing the risk typically through insurance or to a third party. Insurance, although essential for many types of risk, will not be applicable for all types of risks you may face. Outsourcing or entering partnerships may allow you to transfer certain risks – however by entering such arrangements you will inevitably be faced with new and different risks which will have to be managed.
Terminate
This is about stopping the activity that is generating the risk. In some instances, a risk could be so serious that there is no other option but to terminate the activity that is generating the risk.
Risk Monitoring
What risk reporting and monitoring would work best for the organization?
Monitoring activity and outputs should be:
- Embedded in existing organizational meetings and performance monitoring
- Focused on those risks above the tolerance line (outside of risk appetite) – top right-hand corner of the risk matrix
- Delegated to certain responsible bodies e.g. Board, Senior Leadership Team
Typical Risk Register
| Risk ID | Risk Category | Risk Owner | Risk Description | Risk Cause | Risk Consequences | Risk Score (before controls) | Key Controls | Risk Score (after controls) | Actions | Target Date | Movement in Risk Score |
Summary & Top Tips
1. Identify a champion at a senior level to embed and drive risk management throughout the organization
2. Keep your risk management approach pragmatic and proportionate to the size and shape of the organization
3. Embed risk management into existing ways of working – do NOT create a separate process and additional bureaucracy
4. Use your risk management approach and strategic risk register to help you achieve your objectives and support informed decision making and risk taking
5. Don’t forget the upside of risk! Look for those opportunities as part of your ERM approach
Additional Resources
ERM Working Group Terms of Reference
ERM Toolkit
ERM on ecclesiastical.ca
ERM Getting Started Guide
Enterprise Risk Management Training
Quiz
- Question 1 -
What is Enterprise Risk Management?
- A way of completing a Health and Safety Risk Assessment
- A plan to share information with the public in the event of an emergency
- An integrated and joined up approach to managing risk across an organization
- Question 2 -
Which of the following is true?
- ERM looks at the connections between risk
- ERM focuses mainly on non-insurable risks
- Both of the above
- Question 3 -
Which point is NOT a benefit of ERM?
- Helps to manage organizational risks and maximize opportunities
- Provides an opportunity to identify those individuals who are underperforming
- Supports informed decision making and risk taking
- Both of the above
- Question 4 -
Which statement is true?
- A typical risk management cycle contains 5 steps
- A typical risk management cycle contains 10 steps
- A typical risk management cycle contains 2 steps
- Both of the above
- Question 5 -
Which is NOT part of the risk management cycle?
- Risk Identification
- Risk Mitigation
- Risk Abdication
- Both of the above
- Question 6 -
Which statement is true?
- Risk analysis helps to understand root cause of the risk and possible consequences
- Risk analysis must be undertaken by someone external to the organization
- Risk analysis and cost benefits analysis are the same thing
- Both of the above
- Question 7 -
Which statement is true?
- Risk prioritization helps an organization focus on the key risks
- Risk prioritization is achieved by looking only at the likelihood of the risk
- Risk prioritization ensures all risks are terminated
- Both of the above
- Question 8 -
Which statement is true?
- The 4 Ts are tolerate, treat, transfer, terminate
- The 4 Ts are treat, transfer, terminate, trash
- The 4 Ts are tolerate, train, transfer, teach
- Both of the above
- Question 9 -
Which statement is true?
- Risk reporting should be developed in isolation of other working practices
- Risk reporting should be embedded into existing meetings and performance updates
- Risk reporting should always be kept confidential
- Both of the above
- Question 10 -
Which statement is true?
- ERM also looks at the upside of risk.
- A risk champion at a senior level will help embed management within the organization
- ERM should not drive a separate business process.
- All of the above
Congratulations on completing our quiz!
Have Questions?
Contact training@ecclesiastical.ca for more information
Ecclesiastical Insurance is a specialist provider of unique insurance solutions and services dedicated to the protection and preservation of Canada's distinct communities, cultures, and heritage. We are proud to be part of the Benefact Group - a charity owned, international family of financial services companies that gives all available profits to charity and good causes. We are rated "A" (Excellent) by A.M. Best and "A-" by Standard and Poor's. For more information on our products and unique Risk Management services, please visit www.ecclesiastical.ca.
