Home Breadcrumb caret News Breadcrumb caret Risk Risk Elements While not every organization has launched enterprise risk management (ERM), there is growing awareness of its value among risk managers who recognize essential elements must be identified to reach a core understanding of the challenges their respective organizations face. July 31, 2014 | Last updated on October 1, 2024 13 min read Risk is everywhere. The challenge that risks managers face – regardless of the sector in which they operate – is how best to identify existing and emerging risks, while at the same time understanding how risks can work individually and in combination. Enterprise risk management (ERM), which seeks to address and manage the full spectrum of an organization’s risk, is the goal. To meet that objective, though, participation of all departments and functions is necessary. This will allow a complete picture of risks to form and for all parts of an organization to continuously feed understanding of not only risks that are easily manageable, but also those that could contribute to worst-case scenarios. Some Canadian risk managers are implementing ERM while others are using integrated or strategic risk management. ERM may mean slightly different things to different organizations, but RIMS (Risk and Insurance Management Society) defines this as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.” Being in Canada, when talk turns to risks that organizations face, severe weather predictably is often top of mind; so too are global concerns such as cyber risk. Of course, issues currently on risk managers’ radars go far beyond that. Consider the risk management approach taken in the oil and gas industry. Javier Pardo, Calgary-based manager of risk management and insurance for Nexen Energy ULC, offers his view on how the global oil and gas company does strategic risk management (which PwC has been defined as an organization’s response to the uncertainties and untapped opportunities embedded in strategic intent and how well they are executed). Nexen Energy operational people from countries where Nexen has operations (including Western Canada and the North Sea) “gather around a meeting room table and they will brainstorm all of the horrible things that could happen within their divisions,” Pardo reports. “One example is, you have 10 or 11 Nexen people or Nexen contractors in a helicopter flying towards a platform. There is a mechanical issue with the helicopter, it ends up crashing into the platform, killing or seriously injuring everyone on board.” AGGREGATING RISK Risks may not always be this dramatic, but all need to be carefully considered and taken into account. At Mount Royal University in Calgary, senior members of faculty and staff are finding a “commonality of risks percolating between a lot of different departments,” says Darius Delon, associate vice president of risk services at the university. “Independently, they don’t think it’s necessarily all that important, but in an aggregate, it becomes very important because they are all dealing with it at the same time,” Delon explains. In essence, members of Mount Royal University’s ERM group gather information on risk and identify significant risks to provide to the school’s Board of Governors, thereby helping to give the board ready access to key concerns while increasing ERM’s profile. “One of my primary mandates was to get more traction with the ERM program,” Delon says. “We tried to teach people about the benefits of it (ERM). There was still some resistance. They weren’t able to see the actual benefit in front of their eyes,” he suggests. That said, deans and directors at the university were often “quite successful at identifying the different risks that they deal with on an operational hazard basis,” Delon notes. Department chairs, as supervisors of faculty members, are often “quite successful at identifying the different risks that they deal with on an operational hazard basis, some of them financial and academic, and they are quite capable of actually developing that risk register,” he adds. With ERM, Mount Royal University officials can “identify those pieces that people think are low risk, or even isolated, aggregate them together and say, ‘Hey, actually, this is a system-wide risk that we need to address and we need some resources. We cannot continue to try to manage it on an ad-hoc basis, so let’s come up with a plan, let’s come up with some resources and figure out an owner for that risk,'” Delon adds. Jeff Schaafsma, president of B.C. Risk and Insurance Management Association Inc. (BCRIMA), would likely agree ERM offers value as a planning tool that can benefit the whole. “What ERM does is allows me to map the risks from the various departments and see how they tie into some more strategic risks and how mitigating one risk will affect the others,” Schaafsma comments. Mount Royal University saw the benefits of ERM during its response to the June 2013 floods in southern Alberta, which are reported to have caused more than $5 billion in economic losses and inundated many areas, such as the Town of High River and downtown Calgary. Bow Valley College’s Calgary Campus, which is located in an area affected, responded by issuing “a mandatory evacuation of all its campuses in Calgary and surrounding areas.” In its own response, Delon reports that Mount Royal established an emergency operations centre. “We also became the emergency operations centre for Bow Valley College, because their building was actually out of commission because of the flood and because of the power being taken out,” he points out. However, some good emerged from the disruption and loss, Delon reports. The flooding resulted in “a lot of interest in mitigation work” on the part of Alberta policyholders to prevent flood losses in the future,” he says. Some of that work includes backup power for sump pumps. “If you didn’t have emergency back-up able to run continuously for, let’s say, two weeks, then the sump pump fails,” he explains. “If the sump pump fails, then your lower level is actually flooded,” he adds. “There are examples of buildings in (Calgary) where a crafty building operator had all of his ducks in a row, had a lot of diesel to fill up his emergency generator set, his generator was attached to his sump pumps and they just made sure it never flooded.” MAP CONFUSION Following flooding in southern Alberta last year, and more recently with the Oldman River (which runs through Lethbridge), “we did not have a lot of exposure in the river valley, other than our water treatment plant, our wastewater treatment plant, and a couple of facilities that would not be substantial hits to us financially,” says Len Cheryk, Lethbridge’s manager of integrated risk management. That may be thanks to precautions taken. “We have taken steps to reduce the flood risk on both the water and wastewater treatment plant by building substantial berms,” Cheryk says. “Several years ago, our city fathers made a decision to move all the residential development out of the river valley and that’s proved to be quite attractive for insurers. Unless we just get a Noah’s ark-type of rainstorm, flood and so on, we are not going to have that kind of exposure to flood,” he says. In the aftermath of the Alberta flooding, however, some policyholders are facing steep deductibles, Delon says, pointing out that some policyholders do not have access to new flood maps in Alberta. “Some of the flood deductible wordings are based on someone else’s reference map of what is a flood zone and what is not a flood zone,” he reports. “It’s not really clear if you have a property in a certain area, whether or not you have this flood deductible or another.” This is likely because some insurers have not informed policyholders in which zones they are located, rather saying more generally that changes are related to a specific map. “Well, if that map changes, unbeknownst to the insured, then we have no idea if that deductible has changed,” Delon suggests, adding he is convinced downtown Calgary “now has a different flood map compared to 2012,” or from before the 2013 floods. Clear ly, questions (and maybe confusion) related to severe weather and its effects persist in other parts of the country as well. Having talked to some risk managers, Schaafsma comments that “the insurance markets, we think, are fairly stable right now. It’s a soft market… some people are interested in what’s going to happen in the next couple of years on the property side, particularly if there is more and more water damage and catastrophic weather events, how that’s going to affect the marketplace.” Asked about emerging risks, “climate adaptation and climate change is one that a lot of people are starting to be alive to and the impact that it will have when you actually drill down and look at various sectors, like agriculture and forestry,” Schaafsma says. “Those sectors could have, potentially enormous impact.” With the possibility of more frequent and more severe events, there is a very real need to be prepared. “During a recent rainfall flood event this past spring, we had a situation where we had to evacuate a campground, so they had to co-ordinate with police and fire to evacuate,” Cheryk says. “There were probably 40 or 50 units that had to be evacuated, and they had to find alternate accommodations for them.” There was also a situation this past March when the river from which the city draws its water had increased turbidity because of a quick spring melt over land that was still frozen. Production at the water treatment plant was halted, the city declared a state of emergency and residents were told not to use washing machines or dishwashers, Cheryk says. “We were at the stage where we had to actually shut off the system in order to clean the water properly. We had to potentially warn our citizens that we may not be able to have any clean water at all in the system because we would not have had enough water to fight a fire, had a fire occurred,” he reports. If unclean water had been pumped into the system, Cheryk says, “it would have taken us probably four to five weeks to clean out the system and Alberta Health would have had to certify the water as being clean and potable and so on,” he adds. The boil water advisory was lifted March 14. In 2005, the City of Lethbridge began moving to an “integrated risk management system, which is one step down from an enterprise risk management system,” Cheryk says. (The Treasury Board Secretariat defines integrated risk management as promoting “a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective.”) One way that the city manages risk is to take the occupational health and safety program for municipal employees and use that information for its hazard management program, says Cheryk. “What we found is that a lot of the things that our health and safety program was doing was mitigating our risk to our employees for injuries and so on,” he says. “We thought that what we should do is to take that good information from the health and safety side, de-silo it and bring that information over to the risk management, or in other words, the hazard management side of our business.” Cheryk notes he is currently working with city managers to move from integrated risk management to ERM, which he sees as taking “risk management to the strategic level, looking at objectives that the corporation sets for itself, identifying those risks that might cause us to fail, and developing mitigation strategies in response to those risks that we’ve identified so that we do not fail.” Says Schaafsma, ERM allows municipal risk managers to “map the risks from the various departments and see how they tie into some more strategic risks and how mitigating one risk will affect the others.” Cheryk expects that he will likely have a helping hand, saying that municipalities tend to share information with other municipalities. “It makes it a little bit easier where I don’t have to re-invent the wheel,” he suggests. “I can go to Calgary or Edmonton and talk to them about, ‘How do you get started? What are your steps? How do I make my risks better here? How do I understand what risks we have?'” SHARED EXPERIENCE Schaafsma agrees that it is very helpful to gather experience from other risk managers. He notes, for example, that some of his recent conversations indicate that an issue high on risk managers’ radar screens is fraud and embezzlement, especially for banks and credit unions. To help reduce the risks, “educate the managers that supervise cash handling, that supervise people who have the opportunity (to steal), so they see the signs when somebody is defrauding the company. The banks have a well-developed system for identifying fraud and that sort of thing, but it’s something the smaller organizations have to be aware of, particularly not-for -profits, where they put a lot of trust in one or two people, with insufficient checks and internal audits to make sure that what’s supposed to happen is happening. That’s when they become victims,” he cautions. Looking externally, another major concern is cyber risk. “Anybody involved in e-commerce has a risk of having credit card data compromised,” says Schaafsma, suggesting one way to reduce risk is to use standards from PCI Security Standards Council LLC, a Wakefield, Massachusetts-based forum that represents merchants, banks, processors and vendors. The PCI Security Standards Council reports on its website that its security standards include the Payment Card Industry Data Security Standard, Payment Application Data Security Standard, and PIN Transaction Security requirements. “The costs associated with the theft of credit card data is expensive as well,” Schaafsma says. “There are a lot or risk managers with organizations that are not PCI-compliant that do have that risk.” Cyber risk, of course, applies to any industry – and can have some long-reaching and costly implications. If an oil and gas company had problems with its computers in the process control systems in either its offshore oil platforms or its on-shore field facilities, there could be a “significant loss,” says Nexen Energy’s Javier Pardo. What if the screens that provide data on pressures, temperatures levels of liquids – monitored by control room operators – all went black, Pardo offers. “So are you now operating your facilities blind? Or do you shut everything down because you are nervous about what could actually be happening in the field and you don’t know about it? It could be that you are still looking at your screens, but your screens are giving you false data and that false data could be problematic. It could be a valve that isn’t working, maybe it’s leaking hydrocarbons into the sea, or you could have lost equipment that you just don’t know about because you don’t have visibility into the system,” he points out. And what is the cause for screens going black? Is it an accident or “bad guys hacking into your systems,” Pardo says. “It is unclear to us whether we have insurance against those kinds of perils from a traditional property and casualty insurance policy.” With regard to cyber risks in oil and gas, Pardo says “we don’t think the insurance industry is mature enough yet to properly understand what these risks are, and so it’s difficult to find a policy that gives you the certainty that you need. That’s a new developing area.” Pardo says even if underwriters could determine “what could go wrong with all the various computerized systems an oil and gas producer has,” the underwriters “are having a tough time understanding what would be the impact on either physical loss or damage, business interruption or liabilities. What would be the impact of that if those things actually did go wrong?” Pardo suggests “until you get some actual claims experience, and some actual losses to rely on, you don’t know how big of a problem you have.” BUYING GLOBALLY One watershed moment for risk managers in oil and gas was the April 2010 Deepwater Horizon incident, when an explosion killed 11 workers and caused a drilling rig in the Gulf of Mexico to sink. The tragedy “was an industry-changing event,” Pardo says. “We spend a lot more time performing audits on our drilling contractors. We ensure that the blowout preventer that the drilling rig contractor owns is tested… in the water, in the depths that the well is expected to be in,” he adds. Many insurance carriers do not offer full limits on coverage of a blowout because they could be insuring multiple parties, Pardo says, noting that now the coverage limit would be reduced by the policyholder’s interest in the well. This makes it difficult to provide one number related to a company’s limit of third-party liability and pollution insurance “because that number will be reduced according to whatever working interest you have in that particular well in that particular location,” he says. “Oil and gas companies today tend to go into areas with harsher climates, such as the arctic. Some are also digging deeper offshore wells where there are higher temperatures and higher pressures,” conditions that “could lead to larger losses,” Pardo suggests. “Even though your risks might be higher, you might not be able to buy as much as you need, so you end up, by default, self-insuring the top portions of big losses where your program ends. That just forces you into better and better operational controls because you know you can’t transfer those risks to insurance companies,” he explains. Although a helicopter has never crashed on a Nexen Energy offshore oil platform, perhaps resulting in injuries or deaths and demanding repairs, company managers still contemplate that risk. Everything up to and including monetary loss because the company cannot produce while its assets are being repaired must be taken into account. “We add that all up to get a severity and then we put a probability of that occurrence happening,” Pardo says. Mount Royal University’s Darius Delon says that the university participates in the Campus Alberta Risk and Assurance (CARA) Committee, which this past May launched an effort to educate staff and students at several Alberta schools about how to respond to a shooting in which people on campus are being targeted. CARA – whose partner institutions include Concordia University College, MacEwan University, NorQuest College, SAIT Polytechnic, the University of Alberta and the University of Lethbridge – consulted with police experts to develop awareness materials. “I think there is a great benefit to all institutions to take a very close look at their emergency response plan,” Delon says. “Think of really the worst-case scenarios, and not the most probable scenarios,” he emphasizes. It all ties into the risk manager’s role. “The role of risk management is to bring those different scenarios forward and have people contemplate it,” Delon says. “If it’s never contemplated, that’s a loss. At least if you contemplate it, you bring in some experts, you talk about it, and you say, ‘Will we ever be exposed to it?'” Save Stroke 1 Print Group 8 Share LI logo