ISO 31000 in Government: A Case Study
Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
ISO 31000 is the international Enterprise Risk Management (ERM) framework developed in 2009 by the International Organization for Standardization (ISO). Its use in government is increasing because governments around the world are recognizing that risk events are growing in both frequency and cost. For instance, Hurricane Harvey impacted the states of Texas, Louisiana, Mississippi, Tennessee and Kentucky. It flooded 19 water systems, 31 wastewater systems and 13 Superfund sites, spreading toxic waste throughout the region. It cost Texas $125 billion. (1)
The 2018 California wildfires will cost the state $400 billion in total damages. (2) In 2017, the Government of Saskatchewan was the victim of a cyber-attack. Its website was down for two hours. (3) In November 2018, the U.S. Department of Justice charged an Iranian hacker with attacks on the Colorado Department of Transportation and the City of Atlanta. The City of Atlanta’s network was down for one week, and the cyber-attack cost the city an estimated $9 million. While these may seem like random instances, a 2018 survey of 395 local governments in the United Kingdom found that 29% had experienced a breach. The Tonbridge and Malling Council reported a total of 62 incidents over five years. Over the same period, Herefordshire experienced 22 breaches and the City of Edinburgh experienced 11. (4)
Natural disasters and cyber-attacks are just some of the risks that governments face. Lloyd’s of London estimates that the 279 cities in its index face 22 major risk events at a potential cost of $546 billion. The risk events include market crashes, human pandemics, floods and terrorist attacks. (5)
Lloyd’s estimates that if these cities took risk mitigation actions they could reduce the potential damages by 13.4%, or $73.4 billion. But a lack of resources hinders mitigation efforts. This creates a dilemma for governments: citizens are demanding more and better-quality services at lower cost, while risk events are increasing in number and becoming costlier.
Faced with this dilemma, governments are implementing ERM, with ISO 31000 being the dominant model. ISO 31000, updated in 2018, provides a methodology by which an organization can identify all the risks it faces, prioritize them, develop mitigation actions and then decide how many resources it will allocate to the mitigation efforts.
The City of Saskatoon, Canada, is an example of a local government that is implementing ISO 31000.
City of Saskatoon
In 2005, the Risk Management Division proposed the adoption of ERM. Management decided to start with a pilot project, which was implemented in the Transit Division. Once the Transit Division risk identification was completed, risk identification expanded to all departments. The identified risks were placed on a risk register. The operational risk registers were completed in 2010. At this point the intent was to develop a risk management strategy and a strategic risk register. There was no follow-up, and ERM went dormant for four years.
In 2014, a review of the ERM policy and process was initiated. The purpose of the review was to: “embed into corporate operations and reporting a systematic, proactive and ongoing process to understand and manage risk and uncertainty, and to communicate risk information throughout the City.”
A Corporate Risk Committee, consisting of the City Manager, General Managers, City Solicitor, Director of Government Relations, Fire Chief, Police Chief and Director of Corporate Risk, was established. The city also developed a set of ERM principles, a risk management guide and a policy statement.
In 2014, the city’s auditor conducted a strategic risk assessment. The audit identified thirty-two strategic risks. Of these, five were considered high risk, twenty were considered medium risk and seven were low risk. The five high-level risks were:
- The current investment in infrastructure renewal and maintenance over the last ten years may not have been adequate. Some areas need fresh infrastructure investment: roads and sidewalks.
- The city may not be delivering expected levels of services to citizens or internal stakeholders: road maintenance, snow removal, bridges.
- The city may not have adequate business continuity planning and/or emergency preparedness in place.
- There may be limitations on non-property tax revenue options and taxing powers, resulting in over-reliance on property tax.
- The city may lack the right initiatives to adequately engage and inform citizens. An expectation gap between citizens and the city may be leading to dissatisfaction with services.
The audit provided guidance to the Corporate Risk Committee. The committee began taking steps to fully implement ERM and initiate mitigation actions to reduce the risks the city faced. A 2017 risk management report noted that before risk management efforts, 21 strategic risks were ranked high severity and 2 were ranked medium. After risk mitigation, 13 ranked as high and 10 ranked as medium.
The Corporate Risk Division’s 2017 report listed the following accomplishments.
- Risk registers for all “high”, “medium” and “low” priority strategic risks were updated to reflect 2017 mitigative efforts and mitigation strategies for 2018 and beyond.
- The Internal Audit Plan was updated based on the Strategic Risk Assessment priorities.
- Eight risk reviews of new/proposed programs, existing program enhancements and corporate policies were performed, at the request of management and staff.
- A corporate Risk SharePoint site has been established to serve as a source of information and guidance.
The accomplishments indicate that risks are regularly assessed and registers updated to reflect mitigation actions. Further, new risks are assessed and incorporated into the corporate strategic policies. Finally, a centralized repository for risk information has been developed. This repository allows management and employees to monitor risk mitigation progress.
Tables 1 and 2 are part of the strategic risk register. They show the risk mitigation efforts for two of the city’s strategic risks.
Table 1
Risk: Existing strategies may not be attracting, hiring, managing, developing and retaining top talent to support existing and
Key current risk mitigation activities:
- Succession planning framework has been developed for senior positions.
- Competency frameworks have been/are being developed.
- “Employee Rewards and Recognition” program under development.
- “Investing in Leaders” program continues to offer a variety of opportunities for staff.
- Mandatory supervisor training program implemented.
Prior to mitigation this risk was rated at 8.5. After mitigation it is 6.6.
The 6.6 score is the result of the mitigative efforts. By showing the impact of the mitigative efforts, the city communicates to its citizens that it is taking steps to manage risks and protect resources from adverse risk events. Table 2 shows a similar expected reduction in score due to the mitigative efforts.
Table 2
Risk: The City may not be prepared for the effects of climate change. Rating: High
Key current mitigation activities:
- Environmental implications section in Committee and City Council report templates.
- Revised roadway design standards consider severe/prolonged weather events.
- Stormwater superpipe capacity improvements.
- Develop predictive model with university regarding rainfall to identify infrastructure constraints.
Prior to mitigation this risk was rated at 7.3. After mitigation it is 4.6.
Tables 1 and 2 cover just two of the city’s strategic risks, but they indicate the breadth of the identified risk events. Hiring and retention are internal and human-resource oriented. Climate change is external and physical-infrastructure oriented. Both can have a substantive impact on the organization’s ability to respond to a risk event. By managing its risks, the city protects and better allocates its resources.
With the costs of risk events such as natural disasters and cyber-attacks increasing and resources limited, governments around the world are implementing ERM. ERM is helping improve efficiency and reduce costs. Its implementation also demonstrates that government is responding to the mantra “Do more with less”.
Saskatoon is a local government that has responded to the increasing risks it faces by adopting a risk management policy based on the ISO 31000 framework. This framework allows management to identify, prioritize and mitigate the adverse impact of the risks it faces. It also allows management to tailor the mitigation efforts to meet its specific needs. This ensures that resources are managed in an efficient and effective manner.
References
1. Kimberly, Amadea, 2018, “Hurricane Harvey Facts, Damages, Costs”, May 31, https://www.thebalance.com/hurricane-harvey-facts-damage-costs-4150087.
2. Michell, Robert, 2018, “2018 Wildfires Will Cost California Total Economic Losses of $400 billion”, Nov 22, https://www.conservativedailynews.com/2018/11/2018-wildfire-will-cost-california-total-economic-losses-of-$400-billion.
3. Baxter, David, 2017, “Update: Government of Saskatchewan Victim of ‘Malicious’ Cyber-attack”, May 15, https://www.globalco/news/345365/government-of-Saskatchewan-victim-of-malicious-cyber-attack.
4. Hill, Rebecca, 2018, “UK Local Gov: 37 Cyber-attacks a Minute but Little Mandatory Training”, Feb 20, https://www.theco.uk/2018/02/20/local-government-98-million-cyber-attacks-five-years-big-brother-watch/.
5. Lloyd’s of London, 2018, “Lloyd’s City Risk Index: Executive Summary”, https://www.lloyds.com/cityriskindex/files/8771-city-risk-executivesummary-aw.pdf.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten years’ supervisory and managerial experience in both the public and private sectors. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. firstname.lastname@example.org