RECOMMENDED STRATEGIC ERM MODEL
After reviewing the results from the two pm2 pilots, the ERM team consulted with the subject matter experts from both operating departments involved in the Risk Scorecard workshops. The participants saw the logic in the model and had a good understanding of what was required in the workshop. They also provided valuable feedback on the usefulness of each section of the model.
All participants regarded step 1, the linking of goals and strategic objectives, as a strength; in fact, it was believed that this methodology would add value to other processes as well, such as results-based budgeting. Steps 2 and 3, identifying and scoring risks, would be core processes for any risk model. Step 4, linking programs, initiatives, and risks, was regarded as powerful but potentially confusing to branch managers and, as a result, might not add the expected value to the process. Moreover, linking programs and initiatives may have also been done with other processes, making this a duplication of effort. Finally, step 5, while necessary to the ERM process, was considered to be excessively complex and time-consuming. A simpler process for determining mitigations and following up was needed. From discussions with EPS and other research regarding ISO 31000, it was determined that the ISO 31000 framework held the key to a simpler risk mitigation and review process. It was also superior to the Risk Scorecard model in that it focused on mitigation at the risk level, rather than the strategic objective level, and did not require a separate worksheet for each risk/objective combination. Finally, because several city branches were certified to the ISO 14001 (Environmental Management) standard under Edmonton's Enviso program, it was noted that upcoming recertifications would require risk assessment conforming to the ISO 31000 standard.
The final recommended strategic ERM model for the City of Edmonton consisted of four steps, and is shown in Exhibit 15.11.
Exhibit 15.11 The City of Edmonton's Proposed ISO 31000-Based Strategic Risk Management Framework
Step 1 (Weight Goals and Objectives), step 2 (Identify Risks), and step 3 (Assess Risks) are the same as steps 1 to 3 in the pm2 Risk Scorecard model. Step 4, however, is based on the "Evaluate Risks" and "Treat Risks" sections of the ISO 31000 RM (risk management) standard. In Step 4, the risks are transposed onto a risk register, where each row contains the necessary information for that risk: category, description, likelihood score, weighted impact score, weighted risk score, risk rating, risk acceptance, summary comments, current mitigations, future mitigations, risk owner, status update, and update interval.
An example of the proposed risk register is found in Exhibit 15.12.