Safety, Security & Risk Management
Selected Risk Management Program Documents
Enterprise Risk Management Presentation
Safety, Security & Risk Management Department, Safety&[email protected]
March 17, 2011
SENSITIVE BUT UNCLASSIFIED. PROPERTY OF SERVICESOURCE NETWORK.
Copying, including electronic copying, dissemination, or distribution of any information contained herein, or any part thereof, to unauthorized persons or without written permission of ServiceSource Network is prohibited.
Dear Attendee,

It is my honor to have presented this information at the NISH Conference. Please do not hesitate to contact me for any information regarding the presentation. If you email me I will provide all of the information mentioned in their original format (e.g., Excel, Word, etc.) so that you can download and alter them to meet your needs. My email address is [email protected]

With the exception of Mr. Kuhn’s spreadsheet, there are no copyright issues to worry about – just remove the ServiceSource logo information and insert yours. Mr. Kuhn’s work can be altered and used as noted on the first page. Generally, he does not mind you using the spreadsheet so long as he is credited. Alterations are fine, too.

In addition to the presentation materials, I have included a selection of forms we, at ServiceSource, use as part of our process. Again, those wishing workable copies merely need to send me an email.

Thank you, again, for attending.

Sincerely,
Scott A Kuebler
Risk Management Issues Identification & Response Plan
Understanding the Network’s Risk Management Identification & Response Plan
A Risk Management Plan outlines the foreseeable risks & hazards and provides a set of actions to be taken to both prevent the risk from occurring and reduce the impact of the risk should it eventuate. More specifically, the plan includes:
• A full list of identified foreseeable risks
• A rating of the likelihood of each risk's occurring
• A rating of the impact on the organization/program should each risk actually occur
• A priority rating of the overall importance of each risk
• A set of preventative actions to eliminate or reduce the likelihood of the risk(s) occurring
• A set of contingent actions to reduce the impact should the risk eventuate
• A process for managing risks & hazards over a set period of time.
The ServiceSource Network staff leadership prepares and submits the plan to our voluntary Board of Directors for review and approval so that our governing Board may be informed of risk management identification and mitigation processes. The plan should not be considered an external or independent audit of risk and risk management activities; rather, it is a management information and planning tool. However, external reviews are included in many areas of planned activities and the results are additionally provided to the Board of Directors and committees.
Risk Process
It is the responsibility of all employees to identify potential operating and environmental risks to the ServiceSource Network and the services and programs of its affiliates. The process of identifying such operational and environmental risks is known as “risk analysis.” For this purpose, risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The identification of risk is a complicated process that involves all levels of employees. In its organized form, this process starts with the various safety committees throughout the Network. Because each safety committee is made up of a cross section of employees and management, risk identification activities include all levels of employees. As issues are identified, they are discussed and reported on at regular safety committee meetings and, where appropriate, bubble up through the chain of command to the Network level.
Whenever possible, local risk issues are handled at the local level; only major risk issues – those either requiring Network support or having a Network-wide impact – are added to this report. In addition to the local safety committee, each affiliate has a cross-functional team (see corporate policy 100.10 Cross Functional Management Team) that also has responsibility to identify risk and either act upon it or raise it to the Network level. This team is also the functional body that would often receive risk information from the local safety committee, as well as from other sources (e.g., direct employee contact, local and state regulatory bodies, persons served, etc.). Understanding the above, this document will serve as the platform for the development, control and review of the risks and hazards identified for the Network as a whole. This plan will follow the generally accepted practices of any risk management analysis and reporting function, as portrayed in the following chart (reference: The Presidential/Congressional Commission on Risk Assessment and Risk Management – Framework for Environmental Health Risk Management):
In summary form, the process is as follows:
• Define the problem and put it into context.
• Analyze any risks associated with the problem.
• Examine options addressing the risks identified.
• Make informed decisions on which, if any, options to implement.
• Take action to implement the decisions.
• Conduct regular analysis of any actions taken to ensure the outcomes are what was expected - if not, restart the process.
Procedures
Provide a diagrammatic representation of the processes undertaken to identify and mitigate risks within the Network.
Responsibilities
Define the roles and responsibilities of all resources involved with the identification and mitigation of risks within the Network.
The first step in creating a risk plan is to identify the likely risks & hazards that may affect the Network. A series of risk categories is identified and for each category a suite of potential risks is listed. This may take place during a ‘Risk Planning’ workshop, involving key stakeholders, management representatives, employees, contractors, etc., who are involved in / affected by the operations of the organization or program. Each of the risks identified is described in detail and documented within the plan.
Categories
Identify the likely categories of risks for the Network. Each risk category is a particular aspect of the Network that is likely to experience a risk at some point in time. Currently, ServiceSource Network has identified the following categories:
• Governance
  o The edifice of corporate governance includes:
    - the national/regional laws governing the formation of corporate bodies
    - the bylaws established by the corporate body itself
    - the organizational structure of the corporate body
• Operations
  o Those activities involved in the running of a business for the purpose of producing value for the stakeholders.
• Financial
  o Those activities involving balancing risk and profitability.
• Information Technology (IT)
  o A broad subject concerned with the use of technology in managing and processing information; including data security, backup and verification activities.
• Human Resources (HR)
  o Those activities associated with hiring, firing, retaining, training, and other human capital concerns.
• Contract
  o Those activities concerned with the development, maintenance, performance, renewal or obligatory requirements of any contract the Network, or any of its parts, may be part of or undertake.
• Corporate Development (CD)
  o Those activities associated with corporate strategic planning, expansion and merger & acquisition execution.
• Program Development (PD)
  o Those activities associated with the development of new programs and activities, grant development and general oversight of the Network’s strategic activities to meet its stated goals and objectives.
• Safety
  o Those activities associated with maintaining a safe, secure and healthful work environment.
Risk Quantification & Prioritization
The next step is to quantify the likelihood of each risk's eventuating along with its potential impact on the Network. This process then allows each risk to be effectively prioritized. A simple method of reviewing each issue and assigning a ranking by using the following chart assists in properly prioritizing each risk.
Prioritization chart (rows: Impact; columns: Likelihood)

                 Low Likelihood    High Likelihood
High Impact      Priority 2        Priority 1
Low Impact       Priority 4        Priority 3
Management staff, both at the Network and local levels, is provided with worksheets to help them identify and prioritize risks (copies attached to this document). This process, when completed, is then summarized on a matrix, and this matrix is provided to senior leadership as a tool to constantly monitor open issues. The summary of all of this work is kept in a database file by the Vice President of Safety,
Potential Risk Identification Notification
To:
From:
Date:
Requested Reply Date:
The Risk Management Department, as part of its ongoing review of processes and practices, has identified the following issue(s) as posing a potential risk to the Network or one of its affiliates. Identification of these risks does not necessarily mean that the risks are real or even pose a valid threat to any portion of the Network – it only means that the Risk Management Department has identified the issue(s) and poses the following questions as to its validity as a risk. Please review and mark the appropriate action you and your team feel best addresses the issue(s) identified and reply back to [email protected]. Thank you.
Columns: Issue | Potential Risk | Owner | Department Comments | Recommended Action
Recommended Action (mark one):
□ Not Considered an Issue at this Time.
□ Add to the Risk Plan for Formal Tracking.
□ Issue under Review by the Identified Owner and Considered an Interdepartmental Issue. No Further Risk Action Required at this Time.
□ Not a Risk Item; However Assigned as an Action Item to: ________________
CC: Bertha Ngenge, SVP HR & Compliance Officer
Scott Kuebler Page 1 4/29/2008 C:\Documents and Settings\skuebler\My Documents\Risk Management Resources & Information\Forms & Templates\2008 Forms & Templates\ServiceSource Risk Form.doc
Risk Title: Title of the risk/hazard to which the risk relates
Risk Owner: Name of the risk owner responsible for mitigating the risk
RISK DETAILS
Risk ID: Unique identifier assigned to this risk (Risk Management to provide)
Raised By: Name of person who is raising the risk
Date Raised: Date on which this form is completed
Risk Description: Add a brief description of the risk identified and its likely impact on the organization or operation (e.g. scope, resources, deliverables, timescales and/or budgets)
Risk Impact on Organization/Program: Add a brief description of the impact this risk or hazard would have on the organization/program, if it was to eventuate.
Risk Likelihood, Impact & Prioritization:
□ Highly Likely/High Impact – Priority 1
□ Low Likelihood/High Impact – Priority 2
□ Highly Likely/Low Impact – Priority 3
□ Low Likelihood/Low Impact – Priority 4
RISK CATEGORY
Risk Category: Select the appropriate risk category based on the following descriptors:
□ Governance
  o The edifice of corporate governance includes:
    - the national/regional laws governing the formation of corporate bodies
    - the bylaws established by the corporate body itself
    - the organizational structure of the corporate body
□ Operations
  o Those activities involved in the running of a business for the purpose of producing value for the stakeholders.
□ Financial
  o Those activities involving balancing risk and profitability.
□ Information Technology (IT)
  o A broad subject concerned with the use of technology in managing and processing information; including data security, backup and verification activities.
□ Human Resources (HR)
  o Those activities dealing with hiring, firing, training, and other personnel issues.
□ Contract
  o Those activities concerned with the development, maintenance, performance, renewal or obligatory requirements of any contract the Network, or any of its parts, may be part of or undertake.
□ Corporate Development (CD)
  o Those activities associated with corporate strategic planning, expansion and merger & acquisition execution.
□ Program Development (PD)
  o Those activities associated with the development of new programs and activities, grant development and general oversight of the Network’s strategic activities to meet its stated goals and objectives.
□ Safety
  o Those activities associated with maintaining a safe, secure and healthful work environment.
RISK RESPONSE STRATEGY
Strategy: The appropriate leadership team identifying the hazard or risk should identify the best strategy to handle the issue. These strategies include:
□ Avoidance – the leadership team decides that the best practice to handle this particular hazard or risk is to eliminate it or its impact. This may be achieved by changing operational activities or policies, adding resources, extending time frames, or otherwise removing the opportunities for the hazard or risk to manifest itself.
□ Transference – the leadership team transfers the hazard or risk to another party (e.g., by purchasing insurance coverage).
□ Mitigation – the leadership team understands that the risk or hazard cannot be completely eliminated or transferred; however, they implement processes, policies, and methods to reduce the probability or the consequences of the hazard or risk, in the event it manifests itself.
□ Acceptance – the leadership team, after careful review, decides to accept the risk and not to develop or implement any strategy or specific response, other than to agree to address the issue if and when it occurs.
RISK MITIGATION
Based on the strategy chosen, explain how the identified hazard or risk will be handled:
Recommended Preventative Actions: Add a brief description of any actions that should be taken to prevent the risk from eventuating
Recommended Time Specific Actions: Specify and describe any actions, along with an estimated completion date, that should be taken, in the event that the risk happens, to minimize its impact on the organization or program
Signature: _______________________   Date: ___/___/____
PLEASE FORWARD THIS FORM TO THE DIRECTOR OF SAFETY & RISK MANAGEMENT
Scott Kuebler Page 1 4/29/2008 C:\Documents and Settings\skuebler\My Documents\Risk Management Resources & Information\Forms & Templates\2008 Forms & Templates\ServiceSource Risk Status Form.doc
Risk ID#: Number assigned by Safety & Risk Management
Risk Title: Title of the risk/hazard to which the risk relates
Risk Owner: Name of the risk owner responsible for mitigating the risk
Date of Report: Date this form completed
Person Submitting: Name of person submitting this report
RISK DESCRIPTION DETAILS
Risk Description: Add a brief description of the risk identified and its likely impact on the organization or operation (e.g. scope, resources, deliverables, timescales and/or budgets)
Risk Impact on Organization/Program: Add a brief description of the impact this risk or hazard would have on the organization/program, if it was to eventuate.
RISK MITIGATION ACTIVITY DETAILS
Describe any activity either completed or currently in progress that addresses the risk/hazard identified:
Recommended Preventative Actions Identified: Add a brief description of any actions that have been taken to prevent the risk from eventuating
Recommended Time Specific Actions: Specify and describe any actions taken to either prevent or mitigate the identified risk/hazard
Issue priority change (current status is Yellow): □ Green □ Yellow □ Red
Supporting Documentation: Reference any supporting documentation used to substantiate
Some rights reserved. This work is licensed under a Creative Commons License. You are free:
- to copy, distribute, and transmit the work
- to make derivative works
Under the following conditions:
- Attribution. You must attribute the work in the manner specified by the author or licensor.
- You may not use this work for commercial purposes.
- If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
- Any of these conditions can be waived if you get permission from the copyright holder.
Legend
Risk Category: Select from categories as defined in the values list in cells A36:A64.
Affiliate/Operation: Identify the appropriate affiliate/operation affected.
Potential Outcome: What happens if the risk occurs - usually written in the form "then <this outcome occurs>".
Raised By: Person who identified the risk.
Raised Date: Date risk identified.
Source: Source of risk - who or what process identified it.
Impact: Qualitative ranking of impact to project, using scales defined in the Risk Management Plan. You will find the values list in cells E47:F51.
Probability: Probability of risk being realized, using scales defined in the Risk Management Plan. You will find the values list in cells E54:F58.
Matrix Score: This is calculated once you select the Impact and Probability. These cells use conditional formatting to display color shadings as defined in cells E61:G64.
Qualitative Impact: Space for further description of potential impact.
Risk Strategy: Select from strategies as defined by the Risk Management Plan. You will find the values list in cells H36:H41.
Response Notes: Additional notes about the response plan.
Owner: Risk owner.
Status: Risk status. You will find the values list in cells H44:H52.
Trigger Date: If the risk was triggered (occurred), the date the trigger occurred.
Notes: Additional notes.
3/17/2011 1:23 PM Risk Matrix FY11.xlsx Page 1 of 1
Risk Register: ServiceSource Network
Columns: Risk ID | Risk Category | Affiliate/Operation | Risk Description | Raised By | Date Raised | Source | Impact | Probability | Matrix Score | Qualitative Impact | Risk Strategy | Status
Risk Category values list (with descriptions):
Information Technology: Relates to the use of technology, processing of information, data transmission or storage, electronic data security, etc.
Human Resource: Related to the hiring, firing, retaining, training, etc., of employees, participants & volunteers.
Contract: Related to the development, maintenance, performance, renewal or any obligatory requirements of any contract.
Corporate Development: Related to activities associated with corporate strategic planning, expansion and merger & acquisition activities.
Program Development: Activities associated with the development or maintenance of service programs, grants and any activities related to the organization's strategic activities to meet its stated goals and objectives.
Safety/Security: Related to those activities associated with maintaining a safe, secure and healthful work environment.
Other list values visible on the sheet: Stakeholder and Other (Source); Accept (Risk Strategy); Identified (Status).
Warning: Be careful adding/removing rows in the following section - these values are used for data validation
“The potential for some event to have a significant negative impact on the organization, tangible or intangible, as measured by both its likelihood to occur and its resulting impact.”
What can a risk event impact?
A risk event can impact –
• Direct cost to the organization (loss of revenue, fines, etc.)
• Loss of valued physical assets (property loss)
• Injury/death to employees or others
• Negative impact on the organization’s reputation
Risk impact example
Operation: Mail Services
Risk Event: Sensitive material lost and potentially exposed to the outside world.
Potential Impact: Reputation as it relates to performance.
Potential Result: Contract loss; failure to qualify for additional or new.
What is not a risk?
• If the event already happened - that’s history and a learning event.
• If the event in question is a “certainty” – it becomes part of an existing operational, insurance or similar plan. For example, a scheduled DOL audit is not a “risk” – it is a manageable event.
• If the event or issue is generally accepted as “impossible” or “improbable” (a meteor destroying your facility).
Why have a risk management plan?
A risk management plan, working in partnership with an organization’s strategic plan, is like upgrading from a paper roadmap to a GPS system. While the roadmap is great at providing the information needed to get from point “A” to point “B”, no one would question the wisdom of a GPS system that provides up-to-date directions with alternatives, real-time traffic reports, voice-enhanced directions, etc.
In short – a proactive risk management plan provides data to allow an organization to identify and then eliminate, mitigate or knowingly accept identified risks; all with the intent of making the organization more adept at success!
What does a risk management plan do?
From “Framework for Environmental Health Risk Management”
The Presidential/Congressional Commission on Risk Assessment and Risk Management
[Figure: Risk management process. Steps in the risk management process: Planning; Risk Identification; Prioritization; Control & Monitoring; Closure & Audit. Tracking, Management, Reporting.]
Step One - Planning
• Determine who will be involved in the process (accountability).
• Gain management buy-in at every level.
• Know how you are going to collect, track, trend and present information.
• Align the program with the organization’s mission, vision and strategic goals/objectives.
Risk Register (extract). Columns: Risk ID | Risk Category | Risk Description | Date Raised | Source
3 | Finance | Formalized expenditure and revenue approval process. | 11/01/10 | External Audit/Review
4 | Information Technology | Lack of a readily available method to transmit sensitive data. | 11/01/10 | Internal Audit/Review
5 | Human Resource | Ethics Training Requirements | 11/01/01 | Internal Audit/Review
6 | Operations | Paint booth is out of compliance with NFPA codes | 11/01/2010 | External Audit/Review
7 | Human Resource | Current policy titled "Code of Ethics, Conduct and Corporate Compliance" (300.38) does not contain proper "whistleblower" protection. | 11/01/10 | Internal Audit/Review
Step Four - Prioritization
Risk Analysis. Columns: Impact | Probability | Matrix Score | Qualitative Impact
5 | 0 | 5.00 | D&O exposure without coverage and potential risk of losing directors.
9 | 3 | 12.00 | Loss of certification; loss of income streams where this is required; and loss of reputation.
4 | 4 | 8.00 | Lack of a formalized and consistent approval matrix governing expenditures/revenue leaves the organization vulnerable to misuse or misappropriation of funds.
Response Planning; Risk Monitoring and Control
Columns: Risk Strategy | Response Notes/Plan | Status | Notes
Transfer: Worked with Housing management and our brokers/carriers to develop and implement an insurance solution.
Resolved: D&O policy in place.
Mitigate: New Quality Manager will be working with each affiliate to ensure CARF compliance.
Open: SSRM Team has started safety audits.
Mitigate: CFO team is developing a formalized process that will include an authority matrix.
Resolved: Authority matrix approved and published.
TBD: Issue has been referred to the IT team.
Open
Mitigate: HR developed and implemented a vigorous ethics program with ongoing training. All employees are now required to receive this training upon hire and then must take a refresher course annually.