4.b. Receive information on strategic risk inventory
Page 1 of 14
Item 4.b.
December 17, 2019
TO: ADMINISTRATION COMMITTEE
FROM: SHARI DEUTSCH, RISK ADMINISTRATOR
PHILIP R. LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
REVIEWED BY: ANN SASAKI, DEPUTY GENERAL MANAGER
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE INFORMATION ON STRATEGIC RISK INVENTORY
Introduction
Leading utilities and other organizations have for many years taken steps to better identify and address
risks by creating centralized risk oversight through the development of an Enterprise Risk
Management (ERM) program. Central San has taken steps towards an ERM program through the
development of a strategic risk inventory. This risk inventory will be used as the foundation for an ERM
program that includes internal and Board communication about risks facing Central San. It will also be used
as an input to the development of the annual internal audit workplan (also presented at this meeting).
What is Enterprise Risk Management (ERM)?
ERM includes the processes used by organizations to manage risks and advance opportunities related to
the achievement of their objectives, which are typically identified in a strategic plan. ERM provides a
framework for risk management which involves identifying particular risks and opportunities, assessing
them in terms of likelihood and magnitude of impact, determining a response strategy, and establishing a
monitoring process. ERM has evolved to address the needs of various stakeholders including boards who
want to understand the broad spectrum of risks facing complex organizations to ensure they are
appropriately managed. Regulators and debt rating agencies have also increased their scrutiny on the risk
management processes of companies, with Standard & Poor's introducing ERM compliance into their
ratings criteria in 2009.
Organizations have traditionally managed risks in a distributed way, with a variety of functions that identify
and manage risks. Prior to ERM, these efforts were not typically centrally coordinated or reported on. A
central goal of ERM is improving this capability and coordination, while providing summary level reporting
to provide a unified picture of risk for stakeholders and improving the organization's ability to manage these
risks effectively. Establishing an ERM program typically involves the following:
• Identifying executive sponsors for ERM.
• Establishing a common risk language or glossary.
• Describing the entity's risk appetite (i.e., risks it will and will not take).
• Identifying and describing the risks in a "risk inventory" (presented here).
• Implementing a risk-ranking methodology to prioritize risks within and across functions.
• Establishing a risk committee and/or responsible risk officer to coordinate certain activities of the risk functions.
December 17, 2019 Special ADMIN Committee Meeting Agenda Packet- Page 57 of 113
• Establishing ownership for particular risks and responses.
• Developing action plans to ensure the risks are appropriately managed.
• Developing consolidated reporting for various stakeholders.
• Monitoring the results of actions taken to mitigate risk.
• Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
Development of the Risk Inventory at Central San
An initial risk inventory was created in 2017 as a mentor-mentee program. The development of this
inventory of risks involved conversations with each manager about the risks they were concerned with in
their respective work areas. This initial risk inventory was further refined by other staff throughout 2018 by
refining and consolidating some of the risks, rating each as to frequency and impact prior to and after
mitigating controls, and documenting additional mitigating controls that could be implemented. After
discussion of the risk inventory with the General Manager, it became apparent that the initial Risk Inventory
was primarily operational, as one would expect from the "bottom-up" process used in its development.
Since an operational risk inventory does not include broader, strategic risks affecting the organization as a
whole, a strategic risk inventory was developed during 2019 with the assistance of an ERM consultant
specializing in utilities (Aether Advisors). Starting with a standard framework of risks for utilities, a strategic
risk inventory relevant to Central San was created and refined. This risk inventory now consists of 27 risks.
An overview of the strategic risks is provided at Attachment 1, with definitions for each risk provided
at Attachment 1a.
Each risk has been assigned a composite score of up to 40 points, consisting of four elements scored at up
to 10 points each: frequency, impact, remaining work needed to mitigate the risk, and speed of onset. Each
risk has been assigned to a Department Director, who was responsible for developing a mitigation plan for
that risk. A sample of the fields in a risk mitigation plan is provided in Attachment 2. The mitigation plan
documents various information about the risk and specifies actions to be taken to address it. Finally,
to integrate the two risk registers (operational and strategic), each risk on the original operational risk
inventory was also associated with a strategic risk for tracking and continued efforts to address those risks.
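The four-element composite score and the operational-to-strategic roll-up described above, as an added example in Python. This is not Central San's or Aether Advisors' tooling; the risk names and goal numbers are taken from Attachment 1a, but every rating, the `rank_risks`/`link_operational` helpers and the operational register items are constructed placeholders for illustration only.

```python
"""Composite risk scoring and ranking modelled on the four-element method in
the memo: severity/impact, probability/frequency, remaining mitigation work
and speed of onset, each 0-10, for a composite of up to 40.
Added example, not Central San's or Aether Advisors' code. All scores and
operational-register items below are CONSTRUCTED placeholders."""
from dataclasses import dataclass, field

ELEMENTS = ("severity", "probability", "mitigation_to_do", "speed_of_onset")
MAX_ELEMENT = 10
MAX_COMPOSITE = MAX_ELEMENT * len(ELEMENTS)  # 40


@dataclass
class StrategicRisk:
    number: int
    goal: int               # strategic plan goal number, e.g. 6 = Technology/Innovation
    name: str
    severity: int           # 10 = most severe
    probability: int        # 10 = 100%
    mitigation_to_do: int   # 10 = lots of work remaining
    speed_of_onset: int     # 10 = no notice
    operational_risks: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject out-of-range ratings so a data-entry slip cannot silently distort the ranking.
        for element in ELEMENTS:
            value = getattr(self, element)
            if not isinstance(value, int) or not 0 <= value <= MAX_ELEMENT:
                raise ValueError(
                    f"{element} for risk #{self.number} must be 0..{MAX_ELEMENT}, got {value!r}"
                )

    @property
    def composite(self) -> int:
        """Sum of the four element ratings (the memo's 'composite score')."""
        return sum(getattr(self, e) for e in ELEMENTS)


def rank_risks(risks):
    """Highest composite first; ties broken by risk number so reports are stable."""
    return sorted(risks, key=lambda r: (-r.composite, r.number))


def rank_within_goal(risks):
    """Prioritise risks within each strategic goal (ranking 'within functions')."""
    by_goal = {}
    for r in rank_risks(risks):
        by_goal.setdefault(r.goal, []).append(r)
    return by_goal


def link_operational(risks, mapping):
    """Attach each operational-register item to the strategic risk it rolls up to.
    mapping: {operational item: strategic risk number}. An unknown number is an
    error so nothing falls between the two registers."""
    index = {r.number: r for r in risks}
    for item, number in mapping.items():
        if number not in index:
            raise KeyError(f"operational item {item!r} points at unknown strategic risk #{number}")
        index[number].operational_risks.append(item)
    return index


def report_lines(risks):
    """One line per risk, highest composite first, for a quarterly committee packet."""
    return [
        f"#{r.number:>2} {r.name:<40} composite={r.composite:>2}/{MAX_COMPOSITE}"
        for r in rank_risks(risks)
    ]


# Constructed sample: names/goals from Attachment 1a, ratings are placeholders.
SAMPLE_RISKS = [
    StrategicRisk(23, 6, "Cyber Security Risk", 8, 6, 7, 9),
    StrategicRisk(21, 5, "Physical Security Breach", 6, 4, 5, 8),
    StrategicRisk(17, 5, "Natural Disaster Risk", 9, 3, 6, 10),
    StrategicRisk(9, 3, "Non-Compliance with Internal Controls", 5, 5, 4, 3),
]

# Constructed operational-register items and the strategic risk each rolls up to.
SAMPLE_OPERATIONAL = {
    "Plant control system backup restore untested": 23,
    "Vendor remote-access accounts not reviewed quarterly": 23,
    "Pump station badge-access audit overdue": 21,
}

if __name__ == "__main__":
    link_operational(SAMPLE_RISKS, SAMPLE_OPERATIONAL)
    print("\n".join(report_lines(SAMPLE_RISKS)))
```

The range check in `__post_init__` is the part worth keeping: with four 0-10 elements summed, a single mistyped 70 instead of 7 would push one risk to the top of every report, so the register should refuse the value rather than rank it.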
How the Risk Inventory Will Be Used / Next Steps
The risk inventory will be used for two purposes:
• Internal auditors typically perform an annual risk assessment of the enterprise to develop the audit plan
for the prospective year. In a separate presentation by Central San's Internal Auditor, she describes the
risk assessment process which has led to the proposed 2020 Audit Plan. One input into this plan has
been the risk inventory developed as part of the ERM effort.
• Monitoring, control and reporting on risks: A Risk Committee will meet quarterly to discuss progress on
mitigating the risks identified in the risk inventory. Annually, a report on the risks will be presented to the
Board of Directors. The annual reports will cover matters such as changes in the top risks facing Central
San, how the risks are trending, the status of mitigation efforts, and potential events in the risk areas
indicated.
Strategic Plan Tie-In
GOAL ONE: Provide Exceptional Customer Service
Strategy 1 - Build external customer relationships and awareness; Strategy 2 - Foster employee engagement and
interdepartmental collaboration; Strategy 3 - Maintain a strong reputation in the community
GOAL TWO: Strive to Meet Regulatory Requirements
Strategy 1 - Strive to achieve 100% permit compliance in air, water, land, and other regulations; Strategy 2 - Strive to
minimize the number of sanitary sewer overflows; Strategy 3 - Comply with all federal, state, and local regulations
related to District administration
GOAL THREE: Be a Fiscally Sound and Effective Water Sector Utility
Strategy 1 - Conduct long-range financial planning; Strategy 2 - Manage costs
ATTACHMENTS:
1. Risk Inventory Summary
1.a. Description of Risks
2. Risk Mitigation Template Example
3. Presentation
Attachment 1: Risk Profile - Low to High Component Rankings (5 Year Outlook)
Sum of Severity, Probability, Onset, and Mitigation Ratings
[Stacked bar chart: one bar per strategic risk, ordered low to high; vertical axis 0 to 40. The risk-name axis labels did not survive extraction.]
Legend: Severity (10 = most severe); Probability (10 = 100%); Mitigation to be Done (10 = lots); Speed of Onset (10 = no notice)
Attachment 1a: Description of Risks
# | Strategic Goal | Strategic Risk Name | Strategic Risk Description
16 | (4) Workforce | [4] Change Readiness Risk | The organization is unable to implement process or service improvements quickly enough to keep pace with changes in the industry.
4 | (1) Customer Service | [1] Poor Customer Communications | Failure to communicate well with customers on bills, rates, and other key topics (communications, customer services, and field employees)
26 | (6) Technology/Innovation | [6] Failure to adopt new tech | Dramatic shifts or adjustments in emerging technology (such as automation) are not capitalized upon due to the organization's reliance on current paradigms
27 | (7) Other | [7] Social/Political Risk | Adverse social or political actions (including terrorism) significantly impact the industry threatening the organization's resources and future cash flows (i.e. environmental extremist groups impair Central San's ability to fulfill basic mission)
12 | (3) Fiscal Responsibility | [3] Higher borrowing cost/lose tax exempt status | Increase in new debt costs if interest rates increase, or if tax free financing is not available
10 | (3) Fiscal Responsibility | [3] Loss of Major Cust/Bus Partner | Loss of a major contract (Concord/Clayton) that is a major revenue source or provides critical service
11 | (3) Fiscal Responsibility | [3] Lg Rate Increase/High Rates | Large rate increase in short timeframe (rate spikes), or service charges trend above Bay Area median resulting in declining customer satisfaction.
15 | (4) Workforce | [4] Changing Workforce | Challenges in recruiting: loss of key employees from retirements or alternative employment. Also limited hiring pool for trades workers in future. Generational differences in work styles.
3 | (1) Customer Service | [1] Poor Jurisdictional Coordination | Failure to properly coordinate could result in loss of opportunities for joint projects to the benefit of customers and both agencies, or other negative consequences such as reputational impact, and lack of support for Central San projects or positions.
9 | (3) Fiscal Responsibility | [3] Non-Compliance with Internal Controls | Financial and/or reputational risk associated with failure of internal controls
14 | (4) Workforce | [4] Work Stoppage | Conflicts arising from contract negotiation or District labor decisions
25 | (6) Technology/Innovation | [6] External Data Risk (Connectivity) | Interruption to the availability and/or quality of external data significantly impairs the functionality or value of the organization provided services.
24 | (6) Technology/Innovation | [6] Lg Tech Project Implem Failure | Risk of problems with the new project implementation (ex: ERP, Plant Control System Upgrades, SCADA). Could have reputational, financial or reliability impacts.
22 | (5) Infrastructure | [5] Lg Project Coordination | Ineffective coordination on Large Projects with Cities/Agencies
8 | (3) Fiscal Responsibility | [3] Economic Recession | Ad Valorem Tax, Capacity Fees, other development-related revenue may go down - UAAL may increase dramatically
2 | (1) Customer Service | [1] Slow Response Time | Failure to respond quickly to emergency calls and/or slow on-site response
6 | (2) Regulatory | [2] New or Proposed Reg/Leg | New or proposed regulation/legislation that increases operational costs and adds compliance requirements (current focus: SB Bills 69 nutrient and 332 zero discharge)
13 | (4) Workforce | [4] Loss of Life or Major Injury | Loss of life or a major injury to employee, contractor or the public.
7 | (3) Fiscal Responsibility | [3] Self Insurance Risk | Unusual events increase claims and liability beyond what is in the Emergency Fund (self-insurance) (Single event exceeds insurance limits)
21 | (5) Infrastructure | [5] Physical Security Breach | The organization perimeter technical and physical defenses are not effective in maintaining system integrity: threat to operations, personnel safety.
23 | (6) Technology/Innovation | [6] Cyber Security Risk | Cyber security risks that shut down the District's systems or vendor systems, or other unauthorized access to Central San systems. Includes data breach where third party uses and releases sensitive data.
1 | (1) Customer Service | [1] Service/Product Failure | Service commitment or product failures threaten the organization's ability to maintain customer satisfaction, or otherwise negatively impact operations.
20 | (5) Infrastructure | [5] Loss of utilities or supply chain | Utilities outage or loss of essential goods/services that would cause Central San to not operate
5 | (2) Regulatory | [2] Environmental Risk | Risk of a major environmental incident or non-compliance with environmental regulation (overflows to collection system, creek, air permits) - high CoF items
19 | (5) Infrastructure | [5] Loss of Major Physical Asset | Risk to major physical asset (including Treatment Plant, Pump Stations, Automated Plant Control System) that could result in shutdown of inflows, sewage backflows or discharge of sewage into the environment.
18 | (5) Infrastructure | [5] Major Spill Risk | A major spill or force main break could result in discharge of sewage into the environment
17 | (5) Infrastructure | [5] Natural Disaster Risk | A major disaster threatens the organization's ability to sustain safe operations, provide essential services, and/or recover operating costs (i.e. a natural disaster)
Attachment 2
Risk Mitigation Template
Date Prepared:
Prepared By:
Risk Name
Strategic Plan Goal
Risk Owner(s)
Risk Team
Mitigation Plan (addressing root cause, reducing severity or probability of risk, or preparing for risk event)
Cost to Mitigate
In the Budget or Unfunded
Resources Needed
Critical Path Items
Mitigation Time-Frame
Early Warning Signs
11/26/2019
RISK INVENTORY AND
ENTERPRISE RISK MANAGEMENT
Shari Deutsch, Risk Management Administrator
Philip R. Leiber, Director of Finance & Administration
Administration Committee
December 17, 2019
AGENDA
• Development and Status of the Operational and
Strategic Risk Inventories
• How this information will be used
• Internal Audit Plan and Enterprise Risk
Management
• Next Steps
HISTORY
• An initial Risk Inventory was created in 2017 as a mentor-mentee project
• The Risk Inventory was further refined by other staff through 2018 with
the goal of using it as:
• A basis for Internal Audit Selection
• For conversations with the Board about Risk... "Enterprise Risk Management"
• Initial Risk Inventory:
• Was primarily operational
• Did not include any strategic risks
• Developed Strategic Risk Inventory in 2019
• 27 risks,with mitigation plans and teams
• Operational and Strategic Risk Inventories used as an input into the
development of the Internal Audit Workplan
OPERATIONAL RISK INVENTORY
• 71 risks initially; refined to 62 risks
• Rated and prioritized as to frequency, impact
• Sorted by Strategic Goals per the Central San Strategic Plan
• Mitigation plans discussed with Managers
• No further development in 2019 as attention
turned to development of a Strategic Risk
Inventory
STRATEGIC RISK INVENTORY
• Developed by Exec Team, Risk Manager, Internal Audit, outside
consultant Aether Advisors during 2019
• Started with a standard framework for
utilities; eliminated some not relevant
to Central San and added others
• Now consists of 27 risks
• Rated as to frequency, impact, speed of onset, remaining mitigation work needed
• Draft mitigation plans developed for each
STRATEGIC RISK INVENTORY
[Chart: Risk Profile - Low to High Component Rankings (5 Year Outlook); Sum of Severity, Probability, Onset, and Mitigation Ratings; the chart shown at Attachment 1. Legend: Severity (10 = most severe); Probability (10 = 100%); Mitigation to be Done (10 = lots); Speed of Onset (10 = no notice).]
RISK MITIGATION PLANS
• Risk Name
• Aligns to a Strategic Plan Goal
• Risk Owner(s) assigned
• Risk Team
• Mitigation Plan (addressing root cause,
reducing severity or probability of risk, or
preparing for risk event)
• Cost to Mitigate
• In the Budget or Unfunded
• Resources Needed
• Critical Path Items
• Mitigation Time-Frame
• Early Warning Signs
NEXT STEPS IN ERM
• Maintain the Risk Inventories
Periodic Review by Management and Exec Teams
• Mitigate the Risks
Risk Owners and Teams execute Mitigation Plans
• Monitor Progress
Risk Committee of Exec Team, Risk Manager, Internal Audit
• Meets quarterly to monitor risks and ongoing mitigations
• Considers changes to environment that could affect risk
assessments
• Identify and assess new or evolving risks
• Present Findings and Developments
Annual presentation to Board of Directors
ERM BIG PICTURE
[Diagram; recoverable labels only: Self-assessment, Internal audit plan, Accept, Share, Mitigate, Avoid, Potential impact, Likelihood]
TIMELINE
• ... of Strategic Risks to Board: December 2019
• Input to Internal Audit: December 2019
• Mitigation Efforts by Each Risk: Ongoing
• Risk Committee Meetings: Quarterly
• Ongoing Board Discussion: Annually