Item 8.b.
CENTRAL CONTRA COSTA SANITARY DISTRICT
April 1, 2021
TO: HONORABLE BOARD OF DIRECTORS
FROM: SHARI DEUTSCH, RISK MANAGEMENT ADMINISTRATOR
PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
REVIEWED BY: ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE ANNUAL UPDATE ON STRATEGIC RISK INVENTORY/
ENTERPRISE RISK MANAGEMENT (ERM) PROGRAM
In January 2020, staff presented to the Board the District's initial Strategic Risk Inventory. At that time it
was noted that the risk inventory would be used as the foundation for an Enterprise Risk Management
(ERM) Program. A mid-year update was presented in June 2020. This report represents the Strategic
Risk Inventory annual update.
Background on Enterprise Risk Management
Organizations have traditionally managed risks in a distributed way, with a variety of internal functions that
identify and manage risks. Prior to ERM, these efforts were typically not centrally coordinated or reported
on. A central goal of ERM is to improve this capability and coordination, while providing summary level
reporting to provide a unified picture of risk for stakeholders, and improving an organization's ability to
manage these risks effectively. The Central San Strategic Risk Inventory is used for two purposes:
1. As an input to the Internal Auditor's annual work plan. The Strategic Risk Inventory was used
to develop the 2020 internal audit plan.
2. For monitoring, control, and reporting on risks. The ERM Team meets twice per year to
discuss progress on mitigating the risks identified in the Strategic Risk Inventory. Updates to the
Strategic Risk Inventory are reported to the Administration Committee and Board semiannually.
The attached presentation constitutes the annual update on the ERM Strategic Risk Inventory, and
highlights changes in risk rankings as well as new risks identified (if any).
This matter was reviewed with the Finance Committee on January 26 and February 3, 2021.
April 1, 2021 Regular Board Meeting Agenda Packet- Page 102 of 153
Strategic Plan Tie-In
GOAL TWO: Environmental Stewardship
Strategy 1—Achieve 100% compliance in all regulations
GOAL FIVE: Infrastructure Reliability
Strategy 3—Protect personnel and assets from threats and emergencies
GOAL SEVEN: Agility and Adaptability
Strategy 2—Plan ahead for scenarios of direct adverse impacts
ATTACHMENTS:
1. Presentation
Item 8.b.
(Updated Presentation)
2020 Year-End Enterprise Risk Management Update
Finance Committee Meeting
January 26, 2021 / February 3, 2021
Board Meeting
April 1, 2021
Shari Deutsch, Risk Management Administrator
Phil Leiber, Director of Finance and Administration
ENTERPRISE RISK MANAGEMENT
Traditional Risk Management
• Included insurance risk management and management
of various risks by individual managers.
TRADITIONAL
• Focuses primarily on hazards and other insurable risks.
• Aims to prevent or mitigate loss through insurance or safety improvements.
• Analyzes risk independently.
• Assesses risk at certain points in time.
• Siloed
• Reactive
• Department by Department
ERM
• Focuses on all risks and opportunities that affect an organization's performance, including intangibles like reputation.
• Aims to increase the organization's value through increased efficiency and better decision making.
• Analyzes risks collectively, how they relate to each other, and the cumulative impact on the organization.
• Assesses risk and opportunities continually.
• Holistic
• Proactive
• Enterprise-wide
ENTERPRISE RISK MANAGEMENT
Enterprise Risk Management
• Adds centralized oversight and reporting.
• Broad consideration of what can go wrong, what are we doing
about it, how are risks changing over time. Portfolio approach.
BACKGROUND
• Central San created a strategic risk inventory in 2018-2019
• Presented results of the risk inventory in December 2019
• Committee desired periodic updates; two times per year is the
current plan
  • Summary update in July
  • More detailed update in January
• 25+ strategic risks identified; top 10 were focus of presentation
to the Board in June 2020
• Risk mitigation plans developed for each
• Year-end update:
  • Rescore the risks and consider trends
  • Update the mitigation plans
  • Present all strategic risks
CENTRAL SAN ERM PROGRAM
ERM Team
• Meets twice per year to review and update risk inventory
and mitigation plans, then re-scores all strategic risks
• Members are the Executive Team, Risk Management
Administrator and Internal Auditor
Risk Scoring
• Risks assessed on four factors, each scored from 1-10
• Risk Score is the total of factor scores
• Ranking based on Risk Score: Highest score = Highest Rank
Risk Description                  Frequency  Severity  Mitigation To Do  Speed of Onset  Total = Risk Score  Rank
                                  (1-10)     (1-10)    (1-10)            (1-10)
Economic Uncertainty / Recession  7          8         2                 8               25                  1
Global Pandemic                   6          10        3                 5               24                  2
Internal Controls Failure         4          3         2                 7               16                  3
Top 10 STRATEGIC RISKS
• No changes to the Top 10 List since mid-2020
Owner  Rank  Risk Description                      Severity  Frequency  Mitigation Needed  Speed of Onset  Current Score  Prior Score
JMP    1     Natural Disaster                      10        3          9                  10              32             32
JMP    2     Major Spill                           10        6          7                  9               32             31
JMP    3     Environmental Risk                    10        3          9                  9               31             30
JMP    4     Loss of Major Asset                   10        4          7                  10              31             30
       5     Continuity Threat/Pandemic            9.5       10         3                  5               27.5           28
       6     Service or Product Failure            9         2          5                  10              26             26
       7     Loss of Utilities/Supply Chain        10        5          3                  8               26             26
PL     8     CyberSecurity                         9         4          3                  9               25             25
PL     9     Self-Insurance/Reserve Insufficiency  7         3          6                  9               24             24
PL     10    Economic Downturn/Recession           7         7          2                  8               24             25
Top TEN STRATEGIC RISKS IN 2020
[Chart: Top Ten Strategic Risks in 2020. Legend: Severity, Frequency, Mitigation Needed, Speed of Onset. Vertical axis: 0 to 35.]
STRATEGIC RISKS RANKED #11-20
• Some movement due to recalibration of scoring and differing
views of status
• Anticipate some additional movement with participation of the
new Director of Operations.
Owner  Rank  Risk Description                   Severity  Frequency  Mitigation Needed  Speed of Onset  Current Score  Prior Score
TO     11    Loss of Life/Major Injury          10        2          3                  8               23             22
JMP    12    Physical Security Breach           7         2          3                  10              22             23
JMP    13    New/Proposed Regs/Legislation      8         2          10                 1               21             22
       14    Slow Response Time                 5         3          2                  10              20             20
       15    Work Stoppage                      7         3          9                  1               20             14
PL     16    Failure of Internal Controls       4         4          3                  7               18             16
PL     17    External Data Connectivity Risk    5         3          2                  7               17             15
PL     18    Lg Tech Implementation Failure     6         3          2                  5               16             18
PL     19    Need for Large Rate Increase       7         3          2                  3               15             16
       20    Poor Jurisdictional Coordination   6         4          2                  2               14             14
STRATEGIC RISKS RANKED #21-28
• Risks with lower scores/rank still require attention,
reassessment, as environment and circumstances will change
over time.
Owner  Rank  Risk Description                               Severity  Frequency  Mitigation Needed  Speed of Onset  Current Score  Prior Score
TO     21    Changing Workforce                             3         6          3                  2               14             14
PL     22    Loss of Major Customer/Partner                 9         1          3                  1               14             13
JMP    23    Poor Coordination on Large Projects            2         5          5                  1               13             19
PL     24    Higher Borrowing Costs/Lose Tax Ex for Bonds   5         3          2                  3               13             9
PL     25    Social/Political Risk (Civil Unrest etc)       5         2          2                  4               13             12
PL     26    Failure to Adopt New Technology                3         3          4                  3               13             12
       27    Poor Customer Communications                   4         2          2                  2               10             10
TO     28    Change Readiness Risk                          2         2          1                  1               6              8
NOTABLE MOVEMENTS SINCE LAST REVIEW
CURRENT PRIOR TREND
15 Work Stoppage 21D
16 Failure of Internal Controls 18
17 External Data Connectivity Risk 17
18 Lg Tech Implementation Failure 16
3 Poor Coordination on Large Projects 1
4 Higher Borrowing Costs/Lose Tax Ex for Bonds
* Work Stoppage - recognition of mitigation work needed
* Large Project Coordination - significant progress made in mitigation
efforts
* Borrowing - severity increased based on financial impact which was
recalibrated with standard scale across all risks.
BUBBLE CHART
OF ALL STRATEGIC RISKS
• Placement of bubble: top right is more concern. Lower left is less.
• Size of bubble: composition of speed of onset and mitigation work
remaining
[Chart: Risk Heat Map: Probability of Occurrence, Severity of Impact, and Mitigation Opportunity/Speed of Onset. Horizontal axis: Probability of Event (1 = low, 10 = high). Key to bubble info: Risk Name; size of bubble is based on average score for mitigation to do and speed of onset.]
BUBBLE CHARTS BY RISK OWNER :
ENGINEERING
[Chart: Risk Heat Map: Probability of Occurrence, Severity of Impact, and Mitigation Opportunity/Speed of Onset. Risks shown: New/Proposed Regs/Legislation, Natural Disaster, Major Spill, Loss of Major Asset, Physical Security Breach, Poor Coordination on Large Projects. Key to bubble info: Risk Name, Probability, Impact, Avg of Mitigation & Speed of Onset. Horizontal axis: Probability of Event (1 = low, 10 = high).]
BUBBLE CHARTS BY RISK OWNER :
HUMAN RESOURCES
[Chart: Risk Heat Map: Probability of Occurrence, Severity of Impact, and Mitigation Opportunity/Speed of Onset. Risks shown: Loss of Life/Major Injury, Work Stoppage, Changing Workforce, Change Readiness Risk. Key to bubble info: Risk Name, Probability, Impact, Avg of Mitigation & Speed of Onset. Horizontal axis: Probability of Event (1 = low, 10 = high).]
BUBBLE CHARTS BY RISK OWNER :
FINANCE AND ADMINISTRATION
[Chart: Risk Heat Map: Probability of Occurrence, Severity of Impact, and Mitigation Opportunity/Speed of Onset. Risks shown: Loss of Major Customer/Partner, Need for Large Rate Increase, Self-Insurance/Reserve Insufficiency, CyberSecurity, Lg Tech Impl Failure, External Data Connectivity Risk, Economic Downturn/Recession, Higher Borrowing Costs/Lose Tax Exemption for Bonds, Failure of Internal Control, Failure to Adopt New Technology, Social/Political Risk (Civil Unrest etc). Key to bubble info: Risk Name, Probability, Impact, Avg of Mitigation & Speed of Onset. Horizontal axis: Probability of Event (1 = low, 10 = high).]
BUBBLE CHARTS BY RISK OWNER :
OPERATIONS
[Chart: Risk Heat Map: Probability of Occurrence, Severity of Impact, and Mitigation Opportunity/Speed of Onset. Risks shown: Loss of Utilities/Supply Chain, Continuity Threat/Pandemic, Service or Product Failure, Slow Response Time, Poor Jurisdictional Coordination, Poor Customer Communications. Key to bubble info: Risk Name, Probability, Impact, Avg of Mitigation & Speed of Onset. Horizontal axis: Probability of Event (1 = low, 10 = high).]
ALL STRATEGIC RISKS - DECEMBER 2020
[Chart: All Strategic Risks, December 2020. Legend: Severity, Probability, Mitigation To Do, Speed of Onset.]
PLANNED ENHANCEMENTS
• Tighten linkages between individual risk mitigation plans and
Strategic Plan
• Consider Risk Mitigation Plan resource needs in budget process
Questions?