Risk Management Workshop
John Lammey, MASc, P.Eng
27 February, 2006
Outline
• Introduction
• Overview
• What is Risk Management?
• uOttawa Approach to Risk Management
• Summary and Conclusions
Introductions/expectations
• Who are you?
• Do you deal with risks at work?
• What do you expect to learn from the course?
Objective
Provide you with an overview of the main concepts of Risk Management
Describe the uOttawa approach to Risk Management
Encourage you to take appropriate risks
“There are things we know we know. We also know there are known unknowns, that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”
Definition of Risk
Definition: Risk is an uncertain outcome
Any threat that, if it occurs, may prevent the activity’s objectives from being achieved in whole, or in part.
Meaning: Risk does not represent only negative events
For example, with enrollment rate risk, the enrollment rate can go up or down; one would have a positive impact and the other a negative impact
What is Risk?
[Diagram relating Risk, Uncertainty, Loss, Expectations, Stakeholder, Probability, Impact, Timing and Objectives through the links "is characterised by", "is defined by" and "is valued by"]
Risk = Probability x Impact
Definition of Risk
It is impossible for risks not to be present.
Risks are present:
crossing the street
paying for items by credit card
deciding on who to hire
deciding which priority is higher
proposing a new idea/project
investing $50,000,000 in a new facility
Definition of Risk Management
Definition:
The art of assessing and managing risks to ensure that the objective is accomplished within established tolerance levels
Meaning:
Risks that aren’t known can’t be managed
Risks are managed by recognizing them, applying risk reduction and risk mitigation, and monitoring the effectiveness of these measures
Risk tolerance is how much variation in outcome we can accept (financial, time, outcome etc)
What is Enterprise Risk Management
Definition:
Enterprise Risk Management is the identification and management of all the risks within the organization
Meaning:
This is an umbrella term that covers the integration of risk management from different parts of an organization
Problems & Risks
• Problems
– Exist Today
– Current Effect of Past Decisions
• Risks
– Potential Problems
– Future Effect of Current Decisions
[Timeline diagram: Past, Present, Future, with Problem, Decisions and Risk placed along it]
Perception vs Reality
Perception is the way events are viewed. It can differ very significantly depending on the individual.
Reality is an objective view of the way events occurred. It is typically only achieved by a full understanding of the subject matter and a combination of views on the events.
In most cases, perception is far more important than reality!
How many people have had a project declined or prioritized too low because the decision maker didn’t/couldn’t fully understand?
Why is Risk Management Important
You don’t put ABS on a car to slow it down – you do so to allow it to go faster
EVERYONE IS GUESSING – IF THEY KNOW FOR CERTAIN IT ISN’T A RISK
Why is Risk Management Important
To meet our contractual and internal commitments
If we recognize where potential issues may arise we can manage them
If we don’t proactively identify issues the odds are that we won’t be prepared to deal with them
Benefits of Risk Management
Protection of the University reputation
Realistic costings
Proper allocations of resources
Higher probability of meeting targets
Full awareness of potential hazards for everyone
Informed go/no-go decisions
Downsides of Risk Management
Can take extra time to do
Can be seen as pessimistic
Ensuring that the risk management activities are appropriate to the nature and scale of the activities is key
Effective risk communication is vital
Risk Identification
Objective:
To identify all the “things” that could potentially go wrong (or right)
How to do it:
Brainstorming
Project plans
Key objectives for the project
Subject Matter Expertise
Previous Experience
Risk Reduction
Definition:
reducing the probability that an event will occur
How to do it:
look both ways before crossing the street
obtain written contracts with contractors
conduct background checks on prospective employees
visit a current user of new equipment before deciding what to buy
Risk Mitigation
Definition:
Reducing the impact of an event once it’s occurred
How to do it:
insurance
wearing personal protective equipment
fire alarms
temporary staff to meet surge demands
installing an Uninterruptible Power Supply (UPS)
storing back up tapes off-site
Emergency Response Plans/Business Continuity Plans
Risk Reduction vs Risk Mitigation
Risk reduction is much more important than risk mitigation
Would you rather install a baby gate at the top of a flight of stairs or put pillows on the stairs to make the baby’s landing softer?
Risk financing is often expensive
Risk Monitoring
Definition:
ensuring that the risk identification, risk reduction and risk mitigation activities are effective
How to do it:
management review meetings
loss history
accident/incident reports
supervisor’s comments
THEN START OVER AGAIN!!!!
Risk Identification
Best to identify all the possible risks and only reject potential risks after the analysis - do not apply materiality at this stage.
Risk Identification should involve as many people as possible. No one person can fully understand every aspect of the project well enough to identify all the risks alone.
Pessimists make good risk identifiers
The identification of risks should never be considered to be complete. Risks will become apparent later in the process and during operations and should be included!
Business Risk Areas
Management
Performance
Resources
Compliance
Commercial/Financial
Relationships
External Issues
Risk Identification
Brainstorming
How to use a project plan to determine risks
critical path
Which objectives are key to ensuring the project is successful?
Sensitivity analysis on project budgets
Risk Identification
Consider all your stakeholders:
Future Students
Current Students
Faculty
Support Staff
Alumni
General Public
Neighbours
Government (all levels)
Group Exercise
Identify the Risks associated with Homecoming weekend:
Over 18 events including:
high tea
pub nite
family picnic
campus tours
football tailgate party
boat flotilla to Lansdowne Park
Risk Reduction
What can be done to prevent a risk from occurring?
contracts in place outlining the scope of work and expectations of each side
indemnification clauses
meeting minutes
engineering controls
Risk is seldom eliminated entirely. It is typically reduced or transferred.
Group Exercise
For 3 of the Risks associated with Homecoming weekend, identify risk reduction measures
pub nite
family picnic
campus tours
Risk Mitigation
So it’s happened. Now what?
Risk financing:
must be put in place before the event
typically insurance but could include options/hedges, funded reserves, unfunded reserves, lines of credit
Back up plans:
move events inside if it rains
hire additional staff to meet surge demand
Group Exercise
For the same 3 risks associated with Homecoming weekend, identify risk mitigation measures
pub nite
family picnic
campus tours
Insurance
Insurance has a limited role.
Insurance is good when:
large numbers of similar events can be insured
premiums can be established based on logic/experience
premiums are commercially feasible
Cases when insurance is not useful:
delays in projects (ERP etc)
regulatory fines or jail time
loss of a blackberry
when things go right!
Don’t forget all insurance has specified limits!
Risk Monitoring
Learning from the past to influence the future
Key questions to ask:
what hasn’t gone ideally?
what went unexpectedly right?
what went wrong that I didn’t predict?
when things went wrong did we have a plan?
was the plan realistic and implementable?
did everyone know what they needed to?
did they know it when they needed to?
Evaluating Risks
Resources are always limited
Decide where to put resources so that they will do the most good
Evaluations can be Qualitative or Quantitative
Quantitative – determine the characteristics of the loss
determine the maximum, minimum losses
conduct a Monte Carlo analysis to determine the Most Probable Number
repeat for all risks on the project
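The quantitative steps above, sketched as an added example that is not part of the workshop slides. The register entries, their probabilities and dollar figures, the triangular loss distribution and the choice of summary statistics are all assumptions made for illustration.

```python
import math
import random
import statistics

# Constructed sample register (assumed values, not from the workshop):
# (risk, probability of occurring, minimum, most likely, maximum loss in $)
REGISTER = [
    ("rain forces events indoors", 0.30, 2_000, 5_000, 15_000),
    ("injury at tailgate party", 0.05, 10_000, 40_000, 250_000),
    ("theft of rented equipment", 0.10, 1_000, 3_000, 20_000),
]


def simulate_total_loss(register, trials=20_000, seed=1):
    """Return the sorted total loss of each simulated run of the project."""
    rng = random.Random(seed)  # fixed seed so results are repeatable
    totals = []
    for _ in range(trials):
        total = 0.0
        for _name, prob, low, likely, high in register:
            if rng.random() < prob:  # does this risk occur in this run?
                # Assumption: loss size follows a triangular distribution
                total += rng.triangular(low, high, likely)
        totals.append(total)
    return sorted(totals)


def percentile(sorted_values, q):
    """Nearest-rank percentile of an ascending list, 0 < q <= 100."""
    rank = max(1, math.ceil(q / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def summarize(register, trials=20_000, seed=1):
    """Summarize the simulated loss distribution for the whole register."""
    totals = simulate_total_loss(register, trials, seed)
    return {
        "mean": statistics.fmean(totals),
        "p50": percentile(totals, 50),
        "p90": percentile(totals, 90),
        "max": totals[-1],
        "share_no_loss": sum(t == 0 for t in totals) / len(totals),
    }


if __name__ == "__main__":
    for key, value in summarize(REGISTER).items():
        print(f"{key:>14}: {value:,.2f}")
```

With these constructed inputs the median run has no loss at all while the mean and 90th percentile do not, which is why a single expected value understates what a reserve or insurance limit has to cover.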
Evaluating Risks
Qualitative evaluation of Risks
Risk = probability * impact
Probability on a five point 1-5 scale
Impact on a five point 1-25 scale
Probability
| Descriptor | Scenario | Probability | Score |
|---|---|---|---|
| Very Low | Not Expected to Occur | <1% | 1 |
| Low | Small Likelihood | 1-20% | 2 |
| Medium | Occurs quite often | 21-49% | 3 |
| High | Common Occurrence | 50-85% | 4 |
| Very High | Very Frequent | >85% | 5 |
Impact
| Descriptor | Financial | Regulatory | Injury | Environmental | Reputational | Operational | Score |
|---|---|---|---|---|---|---|---|
| Negligible | 0-$49,999 | Not regulated | no injury or illness possible | No Impact, internal or external | negative internal impact, short term | Disrupts single lab operation, but normal functions able to resume quickly | 5 |
| Marginal | $50,000-$249,999 | non-compliance with Standard/Guidelines | first aid | Minor or localized internal impact and internal clean up crew | negative internal impact, long term | Disrupts operation of a floor, but normal functions able to resume quickly; or disrupts operations of a single lab for longer periods | 10 |
| Substantial | $250,000-$999,999 | non-compliance with Internal Policy | minor injury possible | Minor or localized external impact and internal clean up crew | negative external impact, short term | Disrupts operation of a bldg but normal operations resume quickly; disrupts operations of a floor; extensive renovations to a lab | 15 |
| Severe | $1,000,000-$3,000,000 | potential violation of Act / Regulation | critical injury possible | Serious external impact and external cleanup crew, required notification to authorities | negative external impact, long term | Disrupts more than one bldg, not resume quickly; disrupts one bldg for longer period | 20 |
| Disastrous | <$3,000,000 | potential violation of external Permits / Certificates / Licences | fatal injury possible | Significant external impact requires external crew & has long lasting impact requiring authority and community notification | significant negative external impact, long term | wide scale disruption of more than one bldg for longer periods, major disruption to a bldg requiring major renovations | 25 |
Risk Scoring System
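| Impact \ Probability | VLO | LO | MED | HI | VHI |
|---|---|---|---|---|---|
| Disastrous | 5 | 4 | 3 | 2 | 1 |
| Severe | 5 | 4 | 3 | 2 | 1 |
| Substantial | 5 | 4 | 3 | 3 | 1 |
| Marginal | 5 | 5 | 4 | 3 | 1 |
| Negligible | 5 | 5 | 4 | 3 | 1 |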
Risk Categories
1 Critical
2 Severe
3 Significant
4 Minor
5 Possible Concern
Communicating Risk Management
Know who you are talking to and what their perception is likely to be
Risk registers are a good way to communicate risks
Risk Tolerance
What risks are acceptable risks?
Risk tolerance statements are a subject of much discussion with the Board of Governors
Typical statements include:
10% of faculty/service budget or $1,000,000 (whichever is lower)
carrying weapons
conducting human stem cell research
There is no absolute right answer on what is an acceptable risk until hindsight is used
Implementation
A well thought out, well documented risk management plan is a piece of paper.
It is not worth more than that unless the planned risk reduction and risk mitigation measures are implemented.
Typically the weakest point in implementation is communications.
It is recommended that a Champion be identified for each risk, including ensuring the risk reduction and risk mitigation measures are implemented.
Timing of Risk Management
[Figure: Effort/Cost expended, Impact of the risk and Ability to influence the risk, plotted as Effort against Time across the project phases]
Concept: 5%
Planning: 20%
Execution/Control: 60%
Closing: 15%
When to Transfer Risks
Risks are rarely eliminated. Instead they are transferred between parties.
Key points to remember:
Everyone is trying to manage risk – to some this means they must minimize the risks they accept.
Risks should be held by the people best positioned to manage them.
When to Transfer Risks
Everyone is guessing based on their perceptions.
People’s behaviour is strongly influenced by their guesses and tends to reinforce their perception.
uOttawa Risk Policy
Highlights of the policy include:
definitions
applicability
risk tolerance statements
risk oversight group
uOttawa Insurance Program
Some of our 34 insurance policies in place include:
property
liability
malpractice/professional liability
directors and officers
auto & non-owned auto
environmental
data
construction
catastrophic accident coverage for students
Our policies include over 800 exclusions and endorsements
uOttawa Insurance Program
What isn’t covered:
some membership on Boards of Directors
replacement of goods over $100k unless you tell us!
some out of country medical exposures
student organized events
intellectual property infringements
work in progress, including animals
slander/libel
employment practices (wrongful termination etc)
And over 790 other things!!!!
uOttawa Insurance Program
Who pays???
deductibles
currently being reviewed
annual maximum likely to be removed
self insurance fund
pays for the amount between the faculty/service deductible and the insurance company deductible
why do the faculties/services pay???
Typical losses
Property losses:
theft
floods
auto accidents
Liability losses:
slips and falls
contractual obligations
Operational losses:
not meeting objectives
not meeting timescales
Typical losses
Breakdown of Losses 2005
Student Injuries: 16%
Theft: 26%
Water Damage: 11%
Fire: 5%
Vehicle Losses: 26%
Law Suits: 16%
Typical losses
[Chart: Accident Severity (Property vs Liability, 01.1999~08.2005), showing Total Property Loss, Total Liability Loss and Total Loss]
Exercise
For your typical projects:
identify three risks
identify two risk reduction measures for each risk
identify two risk mitigation measures for each risk
rank the risks
Summary
Risk is everywhere
Risk cannot, and should not, be eliminated
Risks cannot be managed unless they are identified
Risk reduction is more important than risk mitigation
Risk management isn’t scary!
Conclusion
The future is not necessarily less predictable than the past.
The past was not predictable when it started.