Item 6. Receive Information on Strategic Risk Inventory and Enterprise Risk Management (ERM) Program
CENTRAL SAN
CENTRAL CONTRA COSTA SANITARY DISTRICT
January 16, 2020
TO: HONORABLE BOARD OF DIRECTORS
FROM: SHARI DEUTSCH, RISK MANAGEMENT ADMINISTRATOR
PHILIP R. LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
REVIEWED BY: ANN SASAKI, DEPUTY GENERAL MANAGER
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE INFORMATION ON STRATEGIC RISK INVENTORY AND
ENTERPRISE RISK MANAGEMENT (ERM) PROGRAM
Introduction
Leading utilities and other organizations have for many years taken steps to better identify and address
risks by creating centralized risk oversight through an Enterprise Risk Management (ERM) program.
Central San has taken steps toward an ERM program through the development of a strategic risk
inventory. This risk inventory will be used as the foundation for an ERM program that includes internal
and Board communication about risks facing Central San. It will also be used as an input to the
development of the annual internal audit workplan (also presented at this meeting).
What is Enterprise Risk Management (ERM)?
ERM includes the processes used by organizations to manage risks and advance opportunities related to
the achievement of their objectives, which are typically identified in a strategic plan. ERM provides a
framework for risk management which involves identifying particular risks and opportunities, assessing
them in terms of likelihood and magnitude of impact, determining a response strategy, and establishing a
monitoring process. ERM has evolved to address the needs of various stakeholders including boards who
want to understand the broad spectrum of risks facing complex organizations to ensure they are
appropriately managed. Regulators and debt rating agencies have also increased their scrutiny of the risk
management processes of companies, with Standard & Poor's incorporating ERM into its ratings criteria
in 2009.
Organizations have traditionally managed risks in a distributed way, with a variety of functions that identify
and manage risks. Prior to ERM, these efforts were not typically centrally coordinated or reported on. A
central goal of ERM is improving this capability and coordination, while providing summary level reporting
to provide a unified picture of risk for stakeholders and improving the organization's ability to manage these
risks effectively. Establishing an ERM program typically involves the following:
• Identifying executive sponsors for ERM.
• Establishing a common risk language or glossary.
• Describing the entity's risk appetite (i.e., risks it will and will not take).
January 16, 2020 Regular Board Meeting Agenda Packet- Page 52 of 232
• Identifying and describing the risks in a "risk inventory" (presented here).
• Implementing a risk-ranking methodology to prioritize risks within and across functions.
• Establishing a risk committee and/or a responsible risk officer to coordinate certain activities of the risk
functions.
• Establishing ownership for particular risks and responses.
• Developing action plans to ensure the risks are appropriately managed.
• Developing consolidated reporting for various stakeholders.
• Monitoring the results of actions taken to mitigate risk.
• Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
Development of the Risk Inventory at Central San
An initial risk inventory was created in 2017 as a mentor-mentee project. The development of this inventory
of risks involved conversations with each manager about the risks they were concerned with in their
respective work areas. This initial risk inventory was further refined by other staff throughout 2018 by
refining and consolidating some of the risks, rating each as to frequency and impact prior to and after
mitigating controls, and documenting additional mitigating controls that could be implemented. After
discussion of the risk inventory with the General Manager, it became apparent that the initial Risk Inventory
was primarily operational, as one would expect from the "bottom-up" process used in its development.
Since an operational risk inventory does not include broader, strategic risks affecting the organization as a
whole, a strategic risk inventory was developed during 2019 with the assistance of an ERM consultant
specializing in utilities (Aether Advisors). Starting with a standard framework of risks for utilities, a strategic
risk inventory relevant to Central San was created and refined. This risk inventory now consists of 27 risks.
An overview of the strategic risks is provided in Attachment 1, with definitions related to each risk provided
in Attachment 1a.
Each risk has been assigned a composite score of up to 40 points consisting of four elements, each with
up to 10 points: frequency, impact, remaining work needed to mitigate the risk, and speed of onset. Each
risk has been assigned to a Department Director, who was responsible for developing a mitigation plan for
each risk. A sample of the fields in a risk mitigation plan is provided in Attachment 2. The mitigation plan
documents various information about the risk, and specifies actions to be taken to address the risk. Finally,
to integrate the two risk registers (operational and strategic), each risk on the original operational risk
inventory was also associated with a strategic risk for tracking and continued efforts to address those risks.
How the Risk Inventory Will Be Used / Next Steps
The risk inventory will be used for two purposes:
• Internal auditors typically perform an annual risk assessment of the enterprise to develop the audit plan for
the prospective year. In a separate presentation, Central San's Internal Auditor describes the risk
assessment process that led to the proposed 2020 Audit Plan. One input into this plan has been
the risk inventory developed as part of the ERM effort.
• Monitoring, control and reporting on risks: A Risk Committee will meet quarterly to discuss progress on
mitigating the risks identified in the risk inventory. Updates will be provided quarterly to the Administration
Committee. Annually, a report on the risks will be presented to the Board of Directors. The annual
reports will cover matters such as changes in the top risks facing Central San, how the risks are trending,
status of mitigation efforts, and potential events in the risk areas indicated.
The Administration Committee received the report on December 17, 2019, and expressed support for the effort.
Strategic Plan Tie-In
GOAL TWO: Strive to Meet Regulatory Requirements
Strategy 3- Comply with all federal, state, and local regulations related to District administration
GOAL FIVE: Maintain a Reliable Infrastructure
Strategy 3- Protect District personnel and assets from threats and emergencies
ATTACHMENTS:
1. Risk Inventory Summary
1.a. Description of Risks
2. Risk Mitigation Template Example
3. Presentation
Attachment 1: Risk Profile - Low to High Component Rankings (5 Year Outlook)
[Figure: stacked bar chart of the 27 strategic risks, one bar per risk, each bar being the sum of the Severity, Probability, Onset, and Mitigation ratings on a 0-40 scale. The risk names on the horizontal axis are not legible in this extraction.]
Legend: Severity (10=most severe); Probability (10=100%); Mitigation to be Done (10=Lots); Speed of Onset (10=no notice)
Attachment 1a: Description of Risks
# | Strategic Goal | Strategic Risk Name | Strategic Risk Description
16 | (4) Workforce | [4] Change Readiness Risk | The organization is unable to implement process or service improvements quickly enough to keep pace with changes in the industry.
4 | (1) Customer Service | [1] Poor Customer Communications | Failure to communicate well with customers on bills, rates, and other key topics (communications, customer services, and field employees).
26 | (6) Technology/Innovation | [6] Failure to adopt new tech | Dramatic shifts or adjustments in emerging technology (such as automation) are not capitalized upon due to the organization's reliance on current paradigms.
27 | (7) Other | [7] Social/Political Risk | Adverse social or political actions (including terrorism) significantly impact the industry, threatening the organization's resources and future cash flows (e.g., environmental extremist groups impair Central San's ability to fulfill its basic mission).
12 | (3) Fiscal Responsibility | [3] Higher borrowing cost/lose tax exempt status | Increase in new debt costs if interest rates increase, or if tax-free financing is not available.
10 | (3) Fiscal Responsibility | [3] Loss of Major Cust/Bus Partner | Loss of a major contract (Concord/Clayton) that is a major revenue source or provides critical service.
11 | (3) Fiscal Responsibility | [3] Lg Rate Increase/High Rates | Large rate increase in a short timeframe (rate spikes), or service charges trending above the Bay Area median, resulting in declining customer satisfaction.
15 | (4) Workforce | [4] Changing Workforce | Challenges in recruiting; loss of key employees to retirement or alternative employment; limited future hiring pool for trades workers; generational differences in work styles.
3 | (1) Customer Service | [1] Poor Jurisdictional Coordination | Failure to properly coordinate could result in loss of opportunities for joint projects to the benefit of customers and both agencies, or other negative consequences such as reputational impact and lack of support for Central San projects or positions.
9 | (3) Fiscal Responsibility | [3] Non-Compliance with Internal Controls | Financial and/or reputational risk associated with failure of internal controls.
14 | (4) Workforce | [4] Work Stoppage | Conflicts arising from contract negotiation or District labor decisions.
25 | (6) Technology/Innovation | [6] External Data Risk (Connectivity) | Interruption to the availability and/or quality of external data significantly impairs the functionality or value of the services the organization provides.
24 | (6) Technology/Innovation | [6] Lg Tech Project Implem Failure | Risk of problems with new project implementation (e.g., ERP, Plant Control System upgrades, SCADA). Could have reputational, financial or reliability impacts.
22 | (5) Infrastructure | [5] Lg Project Coordination | Ineffective coordination on large projects with cities/agencies.
8 | (3) Fiscal Responsibility | [3] Economic Recession | Ad valorem tax, capacity fees, and other development-related revenue may go down; UAAL may increase dramatically.
2 | (1) Customer Service | [1] Slow Response Time | Failure to respond quickly to emergency calls and/or slow on-site response.
6 | (2) Regulatory | [2] New or Proposed Reg/Leg | New or proposed regulation/legislation that increases operational costs and adds compliance requirements (current focus: SB 69, nutrients, and SB 332, zero discharge).
13 | (4) Workforce | [4] Loss of Life or Major Injury | Loss of life or a major injury to an employee, contractor or the public.
7 | (3) Fiscal Responsibility | [3] Self Insurance Risk | Unusual events increase claims and liability beyond what is in the Emergency Fund (self-insurance), or a single event exceeds insurance limits.
21 | (5) Infrastructure | [5] Physical Security Breach | The organization's perimeter technical and physical defenses are not effective in maintaining system integrity; threat to operations and personnel safety.
23 | (6) Technology/Innovation | [6] Cyber Security Risk | Cyber security risks that shut down the District's systems or vendor systems, or other unauthorized access to Central San systems. Includes data breach where a third party uses and releases sensitive data.
1 | (1) Customer Service | [1] Service/Product Failure | Service commitment or product failures threaten the organization's ability to maintain customer satisfaction, or otherwise negatively impact operations.
20 | (5) Infrastructure | [5] Loss of utilities or supply chain | Utilities outage or loss of essential goods/services that would cause Central San to not operate.
5 | (2) Regulatory | [2] Environmental Risk | Risk of a major environmental incident or non-compliance with environmental regulation (overflows to collection system, creek, air permits); high CoF items.
19 | (5) Infrastructure | [5] Loss of Major Physical Asset | Risk to a major physical asset (including Treatment Plant, Pump Stations, Automated Plant Control System) that could result in shutdown of inflows, sewage backflows or discharge of sewage into the environment.
18 | (5) Infrastructure | [5] Major Spill Risk | A major spill or force main break could result in discharge of sewage into the environment.
17 | (5) Infrastructure | [5] Natural Disaster Risk | A major disaster (e.g., a natural disaster) threatens the organization's ability to sustain safe operations, provide essential services, and/or recover operating costs.
Attachment 2
Risk Mitigation Template
Date Prepared:
Prepared By:
Risk Name
Strategic Plan Goal
Risk Owner(s)
Risk Team
Mitigation Plan (addressing root cause, reducing severity or probability of risk, or preparing for risk event)
Cost to Mitigate
In the Budget or Unfunded
Resources Needed
Critical Path Items
Mitigation Time-Frame
Early Warning Signs
Attachment 3
RISK INVENTORY AND ENTERPRISE RISK MANAGEMENT
Shari Deutsch, Risk Management Administrator
Phil Leiber, Director of Finance & Administration
Board Meeting, January 16, 2020
AGENDA
• Development and Status of the Operational
and Strategic Risk Inventories
• How this information will be used
• Internal Audit Plan and Enterprise Risk
Management
• Next Steps
HISTORY
• An initial Risk Inventory was created in 2017 as a mentor-mentee project
• The Risk Inventory was further refined by other staff through 2018 with
the goal of using it as:
• A basis for Internal Audit Selection
• For conversations with the Board about Risk. . ."Enterprise Risk
Management"
• Initial Risk Inventory
• Was primarily Operational
• Did not include Strategic Risks
• Developed Strategic Risk Inventory in 2019
• 27 risks, with mitigation plans and teams
• Operational and Strategic Risk Inventories used as an input into the
development of the Internal Audit Workplan
OPERATIONAL RISK INVENTORY
• 71 risks initially; refined to 62 risks
• Rated and prioritized as to frequency, impact
• Sorted by Strategic Goals per the Central San
Strategic Plan
• Mitigation plans discussed with Managers
• No further development in 2019 as attention
turned to development of a Strategic Risk
Inventory
STRATEGIC RISK INVENTORY
• Developed by Exec Team, Risk Manager, Internal Audit, and outside consultant Aether Advisors during 2019
• Started with a standard framework for utilities; eliminated some risks not relevant to Central San and added others
• Now consists of 27 risks
• Rated as to frequency, impact, speed of onset, and remaining mitigation work needed
• Draft mitigation plans developed for each
[Figure: diagram of the consultant's utility risk framework centered on Organizational Objectives; legible labels include Succession Planning, Recruitment, and Human Capital Risks.]
STRATEGIC RISK INVENTORY
[Figure: Risk Profile - Low to High Component Rankings (5 Year Outlook); the sum of the Severity, Probability, Onset, and Mitigation ratings for each of the 27 risks on a 0-40 scale, the same chart as Attachment 1. Legend: Severity (10=most severe); Probability (10=100%); Mitigation to be Done (10=Lots); Speed of Onset (10=no notice).]
RISK MITIGATION PLANS
• Risk Name
• Strategic Plan Goal
• Risk Owner(s)
• Risk Team
• Mitigation Plan (addressing root cause, reducing
severity or probability of risk, or preparing for risk
event)
• Cost to Mitigate
• In the Budget or Unfunded
• Resources Needed
• Critical Path Items
• Mitigation Time-Frame
• Early Warning Signs
MAINTAINING THE RISK INVENTORY,
ADDRESSING THE RISKS , AND REPORTING TO
BOARD
• Quarterly discussion by Exec Team , Risk Manager,
Internal Auditor on status of the overall inventory
• Progress reporting
• Is the mitigated risk status trending up or down?
• What new risks are emerging?
• Risk Report
• Annual discussion with Board
NEXT STEPS IN ERM
• Maintain the Risk Inventories
• Periodic review by Management and Exec Teams
• Mitigate the Risks
• Risk owners and teams execute mitigation plans
• Monitor Progress
• Risk Committee (Exec Team , Risk Manager, Internal Audit)
meets quarterly to monitor risks, ongoing mitigations.
Considers changes to environment that could affect risk
assessments. Identify new or evolving risks.
• Present Findings and Developments
• Quarterly to Administration Committee, Annually to Board
of Directors
ERM BIG PICTURE
[Figure: ERM overview diagram; the only legible fragments are "Internal audit plan" and the risk response option "Avoid".]

TIMELINE
• Presentation of Strategic Risks to Board: December 2019 / January 2020
• Input to Internal Audit Workplan: December
• Internal Mitigation Efforts by Each Risk Owner: Ongoing
• Risk Committee Meetings: Quarterly
• Ongoing Board Discussion: Semiannually to Committee, Annually to Full Board