Enterprise Risk Management and the 2010 Winter Olympic and Paralympic Games Presentation to:Casualty Actuaries of the Northwest Date:September 28, 2012.

Enterprise Risk Management and the 2010 Winter Olympic and Paralympic Games

Presentation to: Casualty Actuaries of the NorthwestDate: September 28, 2012Presenter: Ron Holton

Chief Risk Officer, University of British Columbia

1

About VANOC

2

VANOC Mission, Vision and Values

Mission

To touch the soul of the nation and inspire

the world by creating and delivering an extraordinary

Olympic and Paralympic experience with lasting legacies

Vision

A stronger Canada whose spirit is raised by

its passion for sport, culture and sustainability

Values

Team | Trust | Excellence | Sustainability | Creativity

3

Scope of the Games

What’s involved in organizing the Games? Some of the many areas VANOC was responsible for planning include:• Accommodation

• Accreditation

• Construction

• Culture and Ceremonies

• Food Services

• Medical Services

• Press Operations

• Security

• Sport

• Ticketing

• Transportation

• Venue Operations

• Volunteer Recruitment and Training

• Waste Management

4

Scope of the Games

Stakeholders include: •Government of Canada

•Government of British Columbia

•Local governments

•International Olympic Committee

•International Paralympic Committee

•Canadian Olympic Committee

•Olympic Paralympic Committee

•Sponsors

•Broadcasters

•Spectators

•Athletes

5

2010 By the Numbers

• Olympic athletes and team officials 6,500

• Paralympic athletes and team officials 1,350

• Participating countries—the Olympic Games 82

• Participating countries—t he Paralympic Games 42

• Tickets available for 2010 events 1.6 million

• Accredited media 10,800

• Games volunteers 26,000

• Television viewers (estimated) 3.5 billion

• Visits to vancouver2010.com 275 million

6

About Enterprise Risk Management

7

VANOC Board Committee Responsibilities

• Audit Committee– The overall VANOC Risk Management framework and

elements, including Enterprise Risk Management (ERM)

• Finance Committee– Budget risk, including foreign exchange risk

8

Enterprise Risk Management (ERM)

A general definition: ERM is a systematic, comprehensive and ongoing approach to identifying

and managing all types of risk on an organization-wide or enterprise basis

Standard definition:ISO, COSO, AU / NZ

ERM signifies: 1. the adoption of risk management throughout the organization;2. the management of exposures to loss not only in conventional hazard

categories, but the full spectrum of strategic, operational and administrative risk. It is essentially a decision process for managing uncertainties and effectively allocating resources.

9

Key Features of ERM

• Generic and applicable to diverse lines of business• Holistic; addresses all types of risk (strategic, financial,

operational, hazard, reputational) in all parts of the organization• Continuous process• Addresses both risks and opportunities• Effected by people at every level of an organization• Aims to enhance value for stakeholders• Considers established disciplines, such as contingency

planning, disaster recovery planning or emergency response planning, insurance, internal audit, loss prevention, to be specific treatments within the wider ERM process.

10

Key Elements in Implementing ERM

• No single best approach• Strong, visible and communicated support from the top of the

organization• Each organization must develop an approach which best fits its

values, objectives, culture and constraints• Build it into existing business processes and practices• Bottom-up as well as top-down• Incremental approach• Rigorous, but not overly complicated• Dynamic and responsive• Collaborative and not too prescriptive• Demonstrate value

11

Key ERM Implementation Steps

• Strong, visible and communicated commitment from the board and senior management

• Establishment of context and objective setting• Risk identification• Risk analysis (probability or liklihood of occurrence, severity of

impact, quantification, prioritization)• Risk tolerance and risk treatment or mitigation development• Ongoing control, monitoring, review, adjustment

12

VANOC ERM• Robust

– All 53 functions– All 14 construction venues– All 24 operating venues, competition and major non-competition– All 20 sport (test) events– Global or corporate

• Integrated

– Functional interdependences identified & communicated– Direct partner risks identified for construction venues– Shared risks (Olympic / urban domain)

• Holistic

– Strategic– Financial– Operational– Reputational– Hazard

13

VANOC ERM

• Dynamic

– Regular Risk Register review & updating– Risk retirements– New reporting

• Top Down and Bottom-up

– Executive, Senior Leadership, Board– Functions and venues

14

Definitions

• A RISK is something that might happen which could have a negative impact on VANOC

• An ISSUE is something that has happened or is happening which could have a negative impact on VANOC.

15

VANOC Risk Identification

• Risk Statement: cause and effect

• Internal and external

• Various sources

16

VANOC Risk Measurement

• For each identified risk:– Probability of Occurrence

→ Scale of 1 (very unlikely) to 5 (almost certain)

– Severity of Impact

→ Scale of 1 (minimal) to 5 (massive)

→ Common measures established

– Overall Risk Rating

→ Probability of occurrence X severity of impact

→ Scale of 1 to 25

→ Ratings of 12 and above = Top Risks

17

Risk Quantification and Prioritization

• Financial risks tend to be more easily quantified

• Subjective ranking may be all that can be done for some risks – don’t overly complicate!

• Quantifying can be particularly difficult for low probability / high severity risks

18

Risk Tolerance and Risk Treatment

• Risk tolerance often defined in terms of impact on earnings or budgets; revenue loss and/or cost increase relevant for VANOC, also reputation and operational readiness

• With VANOC’s risk tolerance as a guide; evaluate risks and decide to:– Monitor– Treat or mitigate

• Reduce probability of occurrence

• Reduce severity of impact

• Transfer

– Avoid• Develop strategies and action plans to treat the risks

19

VANOC Risk Register

Risk Dependencies

Risk ID Division Functional Area Risk Statement

Dependencies / Coordination

with other Functional

Areas Op

era

tio

na

l

Fin

an

cia

l

Ha

zard

Str

ate

gic

Pro

ba

bili

ty o

f O

cc

urr

ing

Se

ve

rity

of

Imp

ac

t

Ov

era

ll R

ati

ng

(O

ut

of

25

)

Re

ve

nu

e L

os

s

Co

st

Inc

rea

se

Ga

me

s-t

ime

Re

ad

ine

ss

Ath

lete

Pe

rfo

rma

nc

e

Re

pu

tati

on

Lo

ss

Su

sta

ina

bili

ty o

r O

the

r Im

pa

ct

Pre

-Ga

me

s

Ga

me

s

Po

st

Ga

me

s

Glo

ba

l

Co

mp

eti

tio

n

No

n-C

om

pe

titi

on

Existing Controls and Risk Mitigation Measures

(e.g. insurance, contingency plans)

Ex

isti

ng

Co

ntr

ol R

ati

ng

(O

ut

of

5)

Risk Tolerance / Acceptance (M: monitor, T: treat, A:

avoid)

Additional Risk Mitigation

Recommendations

Risk Mitigation

Owner

Target Completion

Date

Risk Identification Risk Class

VANOC Risk Register

Risk ControlsPrimary Type of Impact Timing Extent of RiskFunctional Area

Risk Rating

• Ongoing risk identification, treatment tracking and monitoring tool

20

Risk Register Review

• Major Risk Report– The “Global” or corporate risks – Reviewed monthly with the Executive Team and updated as

required

• Top Risks Summary Report– By division/function– Risks with an overall rating of 12 or higher– Include low probability/high severity risks– Reviewed monthly by each EVP for his/her division

21

Risk Register Review

• Function and Venue Construction Risk Register

– For all 53 Functional Areas and each construction venue– Plus a Global Risks section– In-depth review and updating with Functional Areas and division

heads on a six-month rotating divisional schedule

• Venue Operating Risk Registers created in tandem with Venue Operating Plans

22

Risk Register Review

• Overdue, Current and Pending Risk Mitigation Actions Report– Reviewed monthly by Executive Team– Executive Team sees the report for all divisions

• Register of Retired Risks– Reviewed with each division during six-month in-depth reviews– Indicates date and reason risk was retired, and by whose

authority

23

VANOC Assurance Services

• Internal Audits - Annual Audit Plan—approved by Audit Committee

- Regular in camera meetings with Audit Committee

• Consulting Reviews- Proactive reviews initiated at the request of Management

24

VANOC Business Continuity

• Loss Control/Prevention

• Crisis Management Plan

• Disaster Recovery Plan

• Contingency Plans

• Emergency Response Plans

– for all venues, for both construction and operational phases

25

VANOC and Risk Management

• This was a complex and risky project– Many moving parts– Many stakeholders– Many external and shared risks

• How to handle?– Emphasis on identifying all types of risks and mitigating / managing

them– Monthly meetings with Executive Team to review major risks– Rotating monthly in-depth reviews with functions—every six months– Monthly reporting of top risks, and overdue/current/pending mitigation

actions to all divisions and functions– Risk-based approach for internal audit and business continuity planning– Plans for managing risks which could not be fully mitigated

26

ERM Challenges, Successes

– In a fast-paced, very diverse organization, keeping ERM current, relevant, and useful at all levels.

- Some risks became issues.

- VANOC was the first OCOG to fully implement and sustain an ERM framework. This has been recognized by the IOC and other OCOGs, and the VANOC model has become the standard to be followed.

- The 2010 Games are regarded as having been highly successful—ERM and the strong risk management culture which was pervasive in VANOC contributed to this outcome.

27

28