04.d. Receive semi-annual update on Strategic Risk Inventory/Enterprise Risk Management (ERM) Program

Item 4.d.
CENTRAL SAN
September 27, 2022

TO: FINANCE COMMITTEE
FROM: SHARI DEUTSCH, RISK MANAGEMENT ADMINISTRATOR
PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
REVIEWED BY: ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE SEMI-ANNUAL UPDATE ON STRATEGIC RISK INVENTORY/ENTERPRISE RISK MANAGEMENT (ERM) PROGRAM

In January 2020, staff presented to the Board the District's initial Strategic Risk Inventory. At that time, it was noted that the risk inventory would be used as the foundation for an Enterprise Risk Management (ERM) Program. Since then, semi-annual updates have been provided on the status of these risks.

Background on Enterprise Risk Management

Organizations have traditionally managed risks in a distributed way, with a variety of internal functions that identify and manage risks. Prior to ERM, these efforts were typically not centrally coordinated or reported on. A central goal of ERM is to improve this capability and coordination, while providing summary level reporting to provide a unified picture of risk for stakeholders, and improving an organization's ability to manage these risks effectively.

The Central San Strategic Risk Inventory is used for two purposes:
1. As an input to the Internal Auditor's annual work plan.
2. For monitoring, control, and reporting on risks.

The ERM Team meets twice per year to discuss progress on mitigating the risks identified in the Strategic Risk Inventory. Updates to the Strategic Risk Inventory are reported to the Administration Committee and Board semi-annually.

The attached presentation constitutes the semi-annual update on the ERM Strategic Risk Inventory, and highlights changes in risk rankings as well as new risks identified (if any).
The presentation for this period is relatively short, as there have been few changes in the assigned scores for the risks between the last update and now. This matter was last reviewed with the Finance Committee on March 22, 2022, covering the risk inventory status for the second half of calendar year 2021.

ATTACHMENTS:
1. Presentation

September 27, 2022 Regular FINANCE Committee Meeting Agenda Packet- Page 160 of 171

Strategic Risk Inventory and Enterprise Risk Management
Summer 2022 Update
Finance Committee Meeting
September 27, 2022
Shari Deutsch, Risk Management Administrator
Phil Leiber, Director of Finance and Administration

ERM PROGRAM

Strategic Risk Inventory
• Created in 2018-2019
• Presented to Admin Committee in December 2019 and to Board in January 2020
• Reviewed by ERM Team biannually
• Updates included in biannual reports to Admin Committee and Board

Mitigation Plans
• Each risk on the inventory has a mitigation plan.
• Each plan is reviewed, updated during biannual ERM Team Mtg.
• Progress and goals amended in response to risk scores and operational environment

ERM PROGRAM

ERM Team
• Meets biannually to review and update strategic risk inventory and mitigation plans, then re-scores all strategic risks
• Members are the Executive Team, Risk Manager and Internal Auditor

Risk Scoring
• Four-part risk assessment, each scored from 1-10
• Risk Score is the total of four scores
• Ranking based on Risk Score: Highest score = Highest Rank

| Risk Description | Probability (1-10) | Severity (1-10) | Mitigation To Do (1-10) | Speed of Onset (1-10) | Total = Risk Score | Rank |
|---|---|---|---|---|---|---|
| Economic Uncertainty/Recession | 7 | 8 | 2 | 8 | 25 | 1 |
| Global Pandemic | 6 | 10 | 3 | 5 | 24 | 2 |
| Internal Controls Failure | 4 | 3 | 2 | 7 | 16 | 3 |

THE TOP TEN: RANK AND SCORES EVOLVE OVER TIME

| Rank | Summer 2022 | Score | Winter 2022 | Score |
|---|---|---|---|---|
| 1 | Environmental Risk | 34 | Natural Disaster | 32 |
| 2 | Major Spill | 32 | Major Spill | 32 |
| 3 | Natural Disaster | 32 | Environmental Risk | 31 |
| 4 | Loss of Major Asset | 30 | Loss of Major Asset | 30 |
| 5 | Physical Security Breach | 28 | Loss of Utilities/Supply Chain | 27 |
| 5 | Loss of Utilities/Supply Chain | 27 | Continuity Threat/Pandemic | 27 |
| 7 | Continuity Threat/Pandemic | 27 | Service or Product Failure | 26 |
| 8 | Service or Product Failure | 26 | CyberSecurity | 25 |
| 9 | CyberSecurity | 25 | Self-Insurance/Reserve Insufficiency | 24 |
| 10 | Self-Insurance/Reserve Insufficiency | 24 | Loss of Life/Major Injury | 23 |
| 11 | Economic Downturn/Recession | 24 | Economic Downturn/Recession | 23 |

The top risks don't change very often, but occasionally a new top 10 risk arises and others are displaced.

CURRENT STRATEGIC RISKS (28

Risk Owner: Finance & Admin, Operations, Engineering, HR

Description:
• Service or Product Failure
• Poor Customer Communications
• Slow Response to Customer
• Self-Insurance/Reserve Insufficiency
• Poor Jurisdictional Coordination
• Failure of Internal Controls
• Loss of Utilities/Supply Chain
• Economic Downturn/Recession
• Continuity Threat/Pandemic
• Need for Large Rate Increase
• Loss of Major Asset
• Loss of Major Customer/Partner
• Physical Security Breach
• Higher Borrowing Costs/Loss of TE Bond Status
• Social/Political Risk (Civil Unrest etc)
• CyberSecurity
• LgTech Implementation Failure
• Environmental Risk
• External Data Connectivity Risk
• New/Proposed Regs/Legislation
• Failure to Adopt New Technology
• Natural Disaster
• Major Spill
• Poor Coordination on Large Projects
• Loss of Life/Major Injury
• Work Stoppage
• Changing Workforce
• Change Readiness Risk

STRATEGIC RISKS - SUMMER 2022

[Chart: Strategic Risk Scores - Summer 2022. Vertical axis 0 to 40. Legend: Severity, Probability, Mitigation To Do, Speed of Onset.]

Questions?