SELECTING AND TESTING A STRATEGIC RISK MANAGEMENT MODEL
After a review of several ERM frameworks (CBRP, ISO 31000, COSO, etc.), the Administration decided on a strategy-focused approach. The relationship of strategic ERM as part of the risk universe is shown in Exhibit 15.2.
Such a method was provided in the Risk Scorecard model devised by pm2 Consulting (pm2consulting.com). The Financial Services and Utilities department (facilitated by the ERM Program Manager) conducted two pilot Risk Score- cards using the pm2 model, for The Way We Move and The Way We Live. Following is a description of the pm2 Risk Scorecard methodology.
Exhibit 15.2 Relationship between Strategic, Project, and Operational Risks
Pilot pm2 Risk Scorecard Methodology
The Risk Scorecard consisted of six steps, each dependent on the previous one:
1. Weighting of goals in the plan based on what is the highest priority in the organization to advance
2. Linking of strategic objectives to goals – determine how the strategic objectives contribute to goals, and to what degree (relationship expressed as low/medium/high)
3. Identification of risks to each strategic objective, scored 1 to 5 in likelihood and 1 to 5 in impact
4. Identification of how current programs (processes) contribute to achieving strategic objectives; currently performed – scored 1 to 5 in relationship to strategic objective and in effectiveness in meeting expectations
5. Identification of planned future initiatives – scored 1 to 5 in relationship to strategic objectives
6. Identification of possible future mitigations and risk indicators
Deliverables from this process include a risk register, a heat map, and charts showing each strategic objective's cumulative levels of risk, program contribution, and initiative contribution, to show relative effort toward areas of relative risk. In addition, a list of possible future mitigations and a list of risk indicators (measures to show as early as possible that a risk may be occurring) can be derived. The methodology is shown in Exhibit 15.3.
Ideally, risk assessment would have taken place during the creation of strategic planning documents to help determine the most risk-appropriate actions to achieve the vision and goals. However, the "Ways" documents were created before ERM was conceptualized in Edmonton. Therefore, pilots were conducted to catch up to each Ways document by conducting a Risk Scorecard workshop for each one. Because of the resource commitment of this exercise, workshops could realistically only be done one at a time. By the summer of 2013, pilot Risk Scorecards for two Ways documents had been completed or nearly completed: The Way We Move and The Way We Live.