Drew Zavatsky, who oversees the work of the Loss Prevention Group in the Washington State Office of Financial Management’s Risk Management Division, spoke at the November 7, 2008 ERM roundtable about how ERM is being implemented in Washington’s state agencies and the ERM training that the Loss Prevention Group provides. Statewide, ERM implementation has been a stated organizational best practice of the governor since 2006 and Zavatsky developed training programs for state agencies using the Australia/New Zealand 4360:2004 ERM Standard.

Since Zavatsky joined the Loss Prevention Group in December 2006, more than 40 agencies and 500 agency staff have received ERM training. ERM implementation efforts for the largest state agencies are reported during Government Management, Accountability, and Performance (GMAP) forums, in which the governor hears about progress on key agency activities. Since beginning its ERM implementation efforts, the state has been able to decrease its self-insurance for its liability fund by $40 million, representative of a much larger decrease in expected liabilities, likely attributable at least in part to ERM practices. Future ERM efforts in Washington include sharing ERM implementation best practices with all state agencies, increasing participation to more agencies, and creating a state enterprise risk register.

Developing ERM in State Agencies

The goal for the Loss Prevention Group was to foster ERM implementation in all 165 state agencies. The Group developed ERM practices based on activities that every state agency already used. In implementing ERM, the Loss Prevention Group emphasizes flexibility, ease of training and use, and low costs to demonstrate how ERM can add value to an agency.

The Group started by purchasing ERM training for agency executives to get buy-in. Then the Group developed a 7-Step ERM Method that was very comparable to the governor’s existing management framework familiar to most agency leaders. The 7-Step Method is based on the Australia/New Zealand 4360:2004 ERM Standard and works well for all agencies regardless of their business functions. A pilot training program was then employed to test the method on a trial basis. ERM tools were designed that would be easy for all of the agencies to use. Finally, the training was extended to additional state agencies.

ERM training sessions for agencies range from thirty-minute sessions for executives to two-day sessions, in which the day-long sessions are scheduled a few weeks apart so that agency personnel can start implementing their ideas and then return to refine them in the second session. Training sessions emphasize that ERM techniques are simple and straightforward and apply just as easily to situations in everyday life. During a session, agency personnel first refine their goals and then identify risks to achieving those goals, whether positive or negative. After identifying risks, the personnel work together to identify a short list of priority risks that should be addressed.

Reporting on ERM Implementation Efforts

Once a year, during the governor’s GMAP forums, ERM maturity model scores of the largest state agencies are reported. Twice a year, these agencies are responsible for reporting on ERM, with annual updates on ERM implementation successes and best practices. The maturity model helps to assess ERM progress, and it measures ERM in five areas: fundamentals of risk management, executive leadership, ERM integration into agency culture, application of ERM principles, and how embedded ERM is in agency strategic business operations.

Maturity model scores range from 2 to 6. In 2006, only four of the agencies reporting on ERM were at maturity level 5, while in 2008, all thirty-two of the agencies reporting were at maturity level 5 or 6. One advantage of the maturity model approach is that it provides an identical tool for use in assessment across the state, so it is easier to see which programs are working well and which could use improvement. In addition to maturity mapping, these thirty-two largest state agencies are on a 3-year roadmap for implementing essential ERM functions.

ERM Training Session Messages and Benefits

There are several core messages the Loss Prevention Group seeks to convey in ERM training sessions for agency personnel. One message is that there is no one correct risk appetite but that it is important to know what the agency’s risk appetite is since different people could make different decisions based on the same set of facts. Sessions also address the idea that risk is usually thought of with a negative connotation but that there is no opportunity without risk and in every risk there is an opportunity. Another key message is that ERM does not involve implementation of an entirely new set of principles. Rather, ERM is merely an enhancement of traditional risk management that starts by looking at all the important goals in the agency and all of the risks, both positive and negative risks, which can prevent reaching that goal.

There are also several key benefits ERM implementation can provide to state agencies. ERM helps to prioritize which risks to avoid, accept, reduce, or share. Also, because some risks cannot be controlled, ERM can help by having a plan for those risks and deciding the amount of resources to devote to those risks. ERM is a repeatable and scalable process, time-specific and success-oriented, that can help in refining goals, improving communication, and using resources where they are most needed. A benefit of ERM training sessions to the agencies is that they leave the session with a written record of what they have done and why they have done it. By the end of a training session, the agency is able to have a deliverable, such as a Risk Register completed for a goal, that it is able to start using. The agency can then often apply the same process itself to other agency goals.

Seven-Step ERM Method

The Seven-Step ERM Method includes the following actions:

1. Clearly state the goal. The goal should be stated in the positive, be specific and precise, and have a finite timeframe.

2. List everything that could keep you from meeting the goal. This is a list of risks, whether positive, negative, large, or small, that could prevent reaching the goal in the defined timeframe. The list can be developed by a risk manager, others in the agency, and even include subject matter experts external to the agency.

3. Evaluate each risk. Choose a likelihood rating from 1-5 and an impact rating from 1-5. The ratings may vary for different agencies that have different impacts of concern. Voting on likelihood and impact scores should be done anonymously to avoid bias.

4. Prioritize the risks. By multiplying the likelihood and impact scores, a risk map can be created. Priority risks are often the most severe risks that are both likely to happen and will have a large effect, but that is not always the case. Sometimes the frequent but minor risk that in the aggregate could have a very large impact or the rare but significant risk may also be important to address. The map also serves as a document showing stakeholders the reasons for the decisions made.

5. Respond to priority risks by avoiding, accepting and monitoring, transferring, reducing the likelihood, or reducing the impact of the risks. In accepting and monitoring a risk, put a system in place so that if the risk exceeds a certain level it will be addressed. The treatment that is chosen should fit the risk appetite of the agency, reflect the amount of control over that risk, be measurable, and have a definite timeframe. This approach allows resources to be directed to the most important risks.

6. Make a Risk Register that includes treatment plans and measures of success. The Risk Register is a list of priority risks and an overview of how each will be handled. The goal should be listed, along with the priority risks to achieving that goal including descriptions of the risk, risk scores, level of control over the risk, treatment chosen, description of treatment plan, measures that will show success, target dates, and the person responsible or risk owner. This treatment plan should be monitored and refined periodically as ERM is an iterative process, not a one-time effort.

7. Communicate results by gathering and sharing best practices, reviewing any gaps, and reassessing and refining practices.

Take-Home Messages about ERM Implementation

Some take-home messages from Zavatsky were that there is no one right ERM approach for everyone but that the best method is the one that fits the complexity and culture of your group. All ERM methods will provide structured ways to use goals, understand risk appetite and tolerance, identify risks, assess their relative severity, address priority risks, and measure performance as well as focus on efficient use of resources in implementing these efforts. The important thing is that the focus is on goals important to your organization, not necessarily that the goals fit into categories of risks defined in frameworks. Also, ERM can be a valuable tool but to be effective it needs to be actively used.

Several of the ERM tools used by the state of Washington are available on the state’s Office of Financial Management’s website: http://www.ofm.wa.gov/rmd/default.asp
