RMORSA Part 4: Risk Monitoring, Control & Action Plans

The fourth step of ORSA implementation, risk monitoring, control, and action plans, illustrates the importance of adhering to best practices when executing risk culture and governance, risk identification and prioritization, and risk appetite and tolerances.

With the necessary structure in place to track and collect risk intelligence, the next step involves orchestrating a plan for improvement. Why is a plan for improvement so critical? Besides limiting the risk exposure of your organization, consider that under the SEC Rule Proxy Disclosure Enhancements, boards of directors and executive leadership can be found negligent for having inadequate or ineffective ERM programs. Having a demonstrable plan for improvement, however, can greatly reduce or even exempt companies from penalties under the Federal Sentencing Guidelines.

The Right Way to Monitor Control Activities

Boards and CEOs are depending on risk managers to monitor key risk indicators at the business process level. This can be accomplished in one of two ways: testing or business metrics.

Testing provides a high-level overview of whether a control is occurring, usually in the form of a simple pass/fail. Testing does not, however, provide actionable steps to take in order to improve a mitigation activity. The result is that many organizations are only testing compliance with internal policies, which may or may not tie back to the specific risks that the policies were designed to mitigate.

Here’s an example: an insurance organization with an online customer service system is experiencing unacceptable downtimes, and the appropriate staff members never seem to be available to fix the problem. The organization implements what would appear to be a reasonable control activity, by insisting that every member of the support team be trained to refresh the system.

The company tests internal compliance with this policy by tracking whether the online training has been completed. Unfortunately, even if everyone takes the training, the company has no idea whether this control is fulfilling its purpose.

In testing compliance to the policy, the organization has lost sight of the risk. If they had tracked a business metric, like system downtime, however, they would have realized that the controls in place made no difference to the impact or likelihood of system failure. Business metrics may have indicated that the system was going down during peak usage hours, like lunch, when staff was unavailable. With no business metric tracking, the organization continued with a Band-Aid approach when money might have been better spent upgrading system memory.

Developing the Action Plan

To avoid this common pitfall, your key business metrics need to be aligned not only with the control activities you’ve designed, but also with the risks they were designed for. Keeping track of these linkages can be impossible with two-dimensional spreadsheets, but it is critical to monitoring the risks you’ve identified so that your action plans and control activities are meaningful and measurable.

As a risk manager, approach process owners in need of assistance with mitigation plans geared toward their most severe risks. As you develop actionable plans for improvement, don’t lose sight of the end goal or fall into the trap of testing controls rather than monitoring risks.

Interested in the best way to monitor or audit your risk management program?


Check out the RIMS Risk Maturity Model Audit Guide, also available through the RIMS Risk Maturity Model.

California Town Must Improve Risk Management or Lose Insurance Coverage


One southern California town has officially been warned that their insurance will be cut off if city officials do not adopt risk management policies.

Irwindale’s insurer, the California Joint Powers Insurance Authority, issued a performance improvement plan on August 28 and said city liability and workers’ compensation insurance will be terminated if it does not adopt the measures. Allegations of corruption have cast a pall over the police department and local government, and the city has been forced into almost $2 million in settlement payouts over the past five years, according to the Pasadena Star News.

“They’re on notice that they need to improve their risk management practices within the city’s operations, specifically in the police department, to maintain their insurance coverage with our agency,” JPIA’s risk management program manager Bob May told the paper.

Irwindale has been mired in controversy over the past few years.

Of 24 police officers, three are on paid administrative leave and the department is conducting 14 internal affairs investigations. A local woman recently filed a $20 million lawsuit against the city, alleging that an officer sexually assaulted her during a traffic stop. Police Lt. Mario Camacho has been accused of retaliation by an officer under his command and of sexual harassment by a female cadet. Four city officials are charged with misappropriation of public funds, embezzlement and conflict of interest resulting from a series of lavish trips to New York City that utilized over $200,000 of public funds.

Under the guidelines from JPIA, the city must hire a permanent human resources manager and council members must complete training on council relations and cooperation. If they do not complete the improvement plan, they risk losing coverage and will have to go to the open market or self-insure.

In September 2011, the JPIA issued a similar warning to the city of La Puente, Calif. As part of the “healthy members program” criteria, which outlines what members should do to stay within risk management guidelines, Insurance Journal reported that the town’s performance improvement plan required that La Puente “hire a permanent city manager, give notice of any harassment and retaliation complaints, and send council members to etiquette classes to learn how to get along.” The city recently completed the program and remains insured.


So far, the only town to be officially cut off by the California Joint Powers Insurance Authority is Maywood. The city was dropped in 2010 and the lack of insurance forced the local government to lay off almost all of its employees and disband the police department.

Risk Managers Gain Foothold as ERM Program Drivers

Fewer boards of directors are seen as their company’s top ERM program drivers, dropping to 26% in 2013 from 34% in 2011, according to the 2013 RIMS Enterprise Risk Management Survey, released today. This year risk managers came in as the second driver at 17%. By comparison, the second highest category in the 2011 report, which did not include risk management as an option, was “other” at 19%. Commenting on the 2011 report, Carol Fox, RIMS director of strategic & enterprise risk practice, confirmed that many respondents wrote in their comments that “other” was a risk management department initiative. “While I can’t do a direct comparison to this year’s 17%, I’d say it may be a shift as risk professionals take more of a leadership role in instituting ERM programs,” she said.

In 2011, in fact, part of the survey’s response was that “risk managers needed to take more of a leadership role with ERM. And since board leadership showed a drop [in 2013], risk managers may have taken up the slack,” she said.

Fox observed that concerns about rating agency requirements resulting from the financial crisis of 2008—that were some of the drivers for ERM in 2011—were also lower. “In 2013 ‘regulatory drivers’ for implementing ERM was 14%, dropping from 18% in 2011—so it is a shift,” she said.

What this means, she explained, is that more organizations understand the value of ERM. “It’s no longer about compliance with regulations or pressure from the rating agencies. They’re seeing the value in ERM itself.”

The board is still the largest driver, however. “That hasn’t changed, ERM is still very much top of mind for the board. As you look at the types of risk that can affect the objectives of the organization, they are mostly strategic. They are still the primary driver, but they were a higher driver in years past,” she said, adding, “This doesn’t say the board is less interested. The primary driver is the leadership role the risk professional is bringing.”

The 2013 RIMS ERM Survey was produced with Advisen LTD as a follow-up to previous surveys in 2009 and 2011. The survey is free for both RIMS members and non-members and can be downloaded in RIMS’ newly revamped Risk Knowledge library at www.rims.org/RiskKnowledge.


RMORSA Part 3: Risk Appetite and Tolerance Statement

The third step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) is the implementation of a risk appetite and tolerance statement. This step is meant to set boundaries on how much risk your organization is prepared to accept in the pursuit of its strategic objectives.

An organization-wide risk appetite statement provides direction for your organization and is a mandatory part of your assessment. As defined by COSO (one of the risk management standards measured in the RIMS Risk Maturity Model umbrella framework), the risk appetite statement allows organizations to “introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits.” A risk appetite statement should be reflective of your organization’s strategic objectives and serve as a starting point for risk policies and procedures.

Once your organization has documented your risk appetite (and received the Board’s approval), the question becomes how do you measure whether your organization is adhering to it? The answer is to implement risk tolerances.

While risk appetite is a higher-level statement that broadly considers the levels of risk that management deems acceptable, risk tolerances set acceptable levels of variation around risk. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing a tolerance.

Why Set Tolerance Levels?

Operating within risk tolerances provides management with greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the organization will achieve its objectives.

The second step of RMORSA, Risk Identification and Prioritization, outlines a risk assessment process for your organization that provides quantitative language for risk-based decision making. This standardized scale allows you to discuss the resulting assessment indexes to determine a uniform tolerance throughout the organization. It may not be possible to set accurate tolerances until risk intelligence has been collected over a period of time, but eventually you’ll be able to prioritize resources for the risks with the highest variation.

The process of articulating a risk appetite statement and setting tolerances brings your ERM program into alignment. Every day, process owners make operational decisions about risk far from the organization’s risk appetite statement, which is set at a senior executive level. By setting tolerances, process owners are provided benchmarks they can use to measure their performance.

Align with Strategic Goals

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. It is important to remember that risk appetite and tolerance levels are not static. They should be reviewed and reconsidered periodically by senior executives to keep your organization moving in the right direction.

To learn more about risk appetite and risk tolerance statements, look for the complimentary LogicManager webinar, “ORSA Compliance: 5 Steps You Need to Take” in 2014.

http://info.logicmanager.com/918-orsa-compliance-erm-framework