1. A Practical Approach
to Strategic Risk Management
Part One of a three-part Strategic Risk Management training program
Katharine Hullinger, ARM
Risk Manager
California State University Channel Islands
Revised 3/13/2018
Part One
5. Outline
Objectives of Part One
Conversation Starters
A Quick Risk Exercise
Principles and Basics
Why SRM?
The Risk Inventory Tool/template
Considerations Back at the Office
Q &A
6. A Practical Approach to Strategic Risk Management (SRM)
Training
Components
Introduction to SRM Participant Outcomes
Introduction to the risk
management process and
terminologies
Introduction to the SRM
framework
Introduction to Risk
Assessments
Discuss best way to
implementation SRM in work
area
Clarify roles & responsibilities
for SRM
Understanding of risk management process
Understanding of how risk management is
already incorporated in day-to-day work
Understanding the reasons for SRM
SRM roles and responsibilities clearly
defined
Awareness of SRM tools
Commitment to SRM implementation in
area of work
Commitment to continuous risk
communication & learning
7. Who is accountable for risks?
How do we talk about risk? Do we have a common
language in the department, across divisions, across
the campus, across the CSU?
Are we taking too much risk? Or not enough?
Are the right people taking the right risks at the right
time?
What’s our risk culture? Are we risk-adverse, risk-
takers, or somewhere in between?
Conversation Starters
8. A Quick Risk Exercise
Identify risks (threats and opportunities) that a
cyclist faces in cycling to campus for work.
How would you mitigate the threats?
How would you maximize the opportunity?
Report back
9. Identifying the risks in cycling
Threats:
Injury
Death
Reputation
Financial expense
Damage or theft
Weather Issues
Opportunities:
Exercise and good health
Fresh air
Reputation
Financial savings
Role model
Environmental impact
10. Mitigation strategies for threats associated with cycling
Injury and death – helmet, bright clothes, lights, bell, obey traffic
laws, stay alert
Reputation – great biking outfit, change of clothes, openly
promote alternative transportation
Financial – inexpensive transportation, avoid traffic citations
Damage or theft – regular maintenance, know the route, avoid
obstacles and things that puncture tires, high quality lock
Weather issues – carry filled water bottle, warm/waterproof
outerwear and gloves
11. The Risk Management Principles
Risk is the uncertainty that surrounds future events
and outcomes.
Risk is the expression of the likelihood and impact of
any event with the potential to influence the
achievement of an organization’s objectives.
12. Risk Management Basics
Risk (uncertainty) may affect the achievement of objectives.
Effective mitigation strategies and controls can reduce negative risks
(threats) or increase opportunities.
Residual risk is the level of risk remaining after applying risk controls.
Acceptance and action should be based on residual risk levels.
13. Definition of Strategic Risk Management
“… a process, effected by an entity's board of directors,
management and other personnel, applied in a strategic
setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage
those events within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
14. SRM removes silo-based decision making
SRM becomes embedded in key processes such as strategic,
budgeting and project planning
Identify and understand risks that positively or negatively impact
the achievement of strategic goals
Evaluate risk priorities and allocate resources strategically
Improve overall risk tolerance
Why are we implementing SRM?
15. Practice proactivity rather than reactivity
Identify new risk and develop appropriate strategies for mitigating
or profiting from it
Establish accountability, transparency and responsibility
Realize programmatic success, defined as implementation and
practice throughout the entire organization
Promote a healthy risk culture, where risk is a routine and
expected topic of conversation.
Develop a common and consistent approach to addressing risk
across the institution
17. CSUCI 2015-2020 STRATEGIC OBJECTIVES
Facilitate Student Success
• Provide University access to students who bring diverse perspectives
• Provide a mission-driven education that prepares students for individual success
• Provide support for degree completion
Provide High Quality Education
• Hire and support quality faculty and staff who are committed to the mission of the University
• Infuse integrative approaches, community engagement, multicultural learning, and international
perspectives into all aspects of learning
• Engage undergraduate and graduate students in research and creative activities
Realize Our Future
• Build infrastructure capacity
• Leverage the use of technology
• Seek, cultivate, and steward resources, both public and private
• Implement collaborative planning and accountability processes
19. Risk Number Risk Short Name Risk Description
Existing Risk Controls/Measures
in Place
Outcome Impact Likelihood
Impact
Score
Likeli- hood
Score
Net Score Risk Mitigation Actions Responsibility Cost Estimate
Resources
Needed
Target Date for
Completion
Mitigation
Complete
EXAMPLE Access To High Hazard Areas The risk of unauthorized
access to hazardous areas
outside of normal business
hours
*Perimeter doors have
mechanicallocks that are
randomly spot checked by police
after normal business hours.
*Some buildings with high hazard areas
are open to the public, increasing the
chances of unauthorizedor accidental
access to high hazard areas
*Random spot checks not adequate
considering the life/safetyrisks in some
areas.
Serious Likely 4 3 12 *Installation of electronic door locks (proxy
cards) will allow 24/7 security control as only
authorized users will have access to the area.
John Doe $3,000 3/14/2015
1 #N/A #N/A #N/A
2 #N/A #N/A #N/A
3 #N/A #N/A #N/A
4 #N/A #N/A #N/A
5 #N/A #N/A #N/A
6 #N/A #N/A #N/A
7 #N/A #N/A #N/A
8 #N/A #N/A #N/A
9 #N/A #N/A #N/A
Identification Assess and
Prioritize
Take Action –
Mitigate or Accept
Risk Inventory
20. Identification of Risk
Identify Risks
Financial Risk - unplanned losses or expenses
Service Delivery/Operational Risk - lapses in continuity of operations
HR Risk – Employment practices; retention
Strategic Risk – untapped opportunities
Reputational Risk – damage to relationship with community at large
(loss of revenue)
Legal/Compliance Risk – noncompliance with statutory or regulatory
obligations
Technology/Privacy Risk – threats to and breaches in IT security
Governance Risk – wide-spread non-compliance with policies and
standards
Physical Security/or Hazard Risk – harm or damage to people, property
or environment
21. A B C D E
Risk Number Risk Short Name Risk Description Existing Risk Controls/Measures in Place Outcome
1 Access To High
Hazard Areas
The risk of unauthorized access
to hazardous areas outside of
normal business hours
Perimeter doors have mechanical
locks that are randomly spot
checked by police after normal
business hours.
*Some buildings with high hazard areas are open to
the public, increasing the chances of unauthorized or
accidental access to high hazard areas
*Random spot checks not adequate considering the
life/safety risks in some areas.
2
Risk #2
3
Risk #3
4
Risk #4
5
Risk #5
6
Risk #6
7
Risk #7
8
Risk #8
9
Risk #9
Identification of Risks – Creating a Risk Inventory
22. Risk Assessment – Consider Impact and Likelihood to
Prioritize Risks
Likelihood of a risk event occurring
5 Expected: Is almost certain to occur
4 Highly Likely: Is likely to occur
3 Likely: Is as likely as not to occur
2 Not Likely: May occur occasionally
1 None/Slight: Unlikely to occur
Impact - level of damage sustained when
a risk event occurs
5 Critical: Threatens the success of the
project
4 Serious: Substantial impact on time, cost
or quality
3 Moderate: Notable impact on time,
cost or quality
2 Minor: Minor impact on time, cost or
quality
1 Insignificant: Negligible impact
Slide 22
Prioritize
23. F G H I J
Impact Likelihood Impact Score
Likeli-
hood
Score
Net Score
Serious Likely 4 3 12
#N/A #N/A #N/A
#N/A #N/A #N/A
#N/A #N/A #N/A
#N/A #N/A #N/A
#N/A #N/A #N/A
#N/A #N/A #N/A
#N/A #N/A #N/A
#N/A #N/A #N/A
Assessing Risks – Considering the Likelihood and Impact
Scoring risks
Impact:
Critical - 5
Serious - 4
Moderate - 3
Minor - 2
Insignificant - 1
Likelihood:
Expected - 5
Highly Likely - 4
Likely - 3
Not Likely - 2
None/Slight - 1
24. Risk Mitigation Actions Responsibility Cost Estimate
Resources
Needed
Target Date for
Completion
Mitigation
Complete
*Installation of electronic door locks
(proxy cards) will allow 24/7 security
control as only authorized users will
have access to the area.
John Doe $3,000 3/14/2015
Mitigating or Treating Risks – Accept? Alter? Transfer? Decline?
K L M N O
Take Action
25. Risk Number Risk Short Name Risk Description
Existing Risk Controls/Measures
in Place
Outcome Impact Likelihood
Impact
Score
Likeli- hood
Score
Net Score Risk Mitigation Actions Responsibility Cost Estimate
Resources
Needed
Target Date for
Completion
Mitigation
Complete
EXAMPLE Access To High Hazard Areas The risk of unauthorized
access to hazardous areas
outside of normal business
hours
*Perimeter doors have
mechanicallocks that are
randomly spot checked by police
after normal business hours.
*Some buildings with high hazard areas
are open to the public, increasing the
chances of unauthorizedor accidental
access to high hazard areas
*Random spot checks not adequate
considering the life/safetyrisks in some
areas.
Serious Likely 4 3 12 *Installation of electronic door locks (proxy
cards) will allow 24/7 security control as only
authorized users will have access to the area.
John Doe $3,000 3/14/2015
1 #N/A #N/A #N/A
2 #N/A #N/A #N/A
3 #N/A #N/A #N/A
4 #N/A #N/A #N/A
5 #N/A #N/A #N/A
6 #N/A #N/A #N/A
7 #N/A #N/A #N/A
8 #N/A #N/A #N/A
9 #N/A #N/A #N/A
Identification Assessment Mitigation
or Treatment
Risk Inventory
27. Risk Level Action and Level of Involvement Required
Critical Risk
Inform Cabinet
Immediate action required
High Risk
Inform division Vice President
Attention is essential to manage risks – provide report to VP as
directed
Moderate Risk
Inform relevant administrators
Mitigation and ongoing monitoring by managers is required
Low Risk
Accept, but monitor risks
Manage by routine procedures within the program or department
Risk reporting and communications
28. Personnel Resources
• Average time to fill vacant positions
• Staff absenteeism /sick time rates
• Percentage of staff appraisals below
“satisfactory”
• Age demographics of key managers
Information Technology
• Systems usage versus capacity
• Number of system upgrades/version releases
• Number of help desk calls
Finance
• Reporting deadlines missed (#)
• Incomplete P&L sign-offs (#, aged)
Legal/Compliance
• Number and cost of litigated cases
• Compliance investigations (#)
• Customer complaints (#)
Audit
• Outstanding high risk issues (no., aged)
• Audit findings (no., severity)
• Revised target dates for clearing findings (no.)
Risk management
• Risk Management overrides
• Limit Breaches (#, amounts)
Monitoring and Reassessing – Examples of Key
Risk Indicators
Monitor and
Reassess
29. Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of SRM parameters
• Consistently optimizing risk adjusted returns throughout the organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk controls in place for most major risks
• Robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk
Adequate
• Risk controls in place for some of identified major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing solid classical “silo” based risk management
• No fully developed process to optimize risk opportunities
Weak
• Incomplete control process for at least major risk
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures
Monitor, Measure and Report SRM
Implementation Progress
30.
31. Ask questions and develop your approach
Do we understand our major risks? Do we know what
is causing our risks to increase, decrease or stay the
same?
Have we assessed the likelihood and impact of our
risks?
Have we identified the sources and causes of our
risks?
How well are we managing our risks?
Are we trying to prevent the downside of risk, or are
we seemingly trying to recover from them?
32. Considerations back at the office
Why is the organization interested in SRM? What are we
hoping will be achieved with its implementation?
Who is doing what? Roles and responsibilities must be clearly
defined. Leadership must support SRM and use SRM results to
when making decisions. Everyone is a risk manager. Make sure
that all risks have owners and the responsibilities for mitigation
are assigned.
How will it be implemented? What is your framework? How
will risks be measured and reported? Who is your champion?
Where will you start? Where you can most easily succeed, or
where it is needed the most?
When will it be implemented? SRM is a journey, not a
destination; risks should be continually assessed and mitigation
methods re-considered. Change is inevitable; recognize new
risks and opportunities.