
Module 3 Risk Management in Public Programs

Temp

Uploaded by

Marie Taylaran

Risk Management in Public Programs

BY: LARRY MARIE G. JINON, LA-ARNI M. VARGAS, JENEATH TIQUIO (GROUP 3)


POINTS OF DISCUSSION

• Identifying and Assessing Risks in Public Programs
• Risk Mitigation Strategies and Techniques
• Crisis Management and Response Planning
• Compliance and Regulatory Risk Management
• Enterprise Risk Management in Public Organizations
Identifying and Assessing
Risks in Public Programs
RISK MANAGEMENT PROCESS
1. Setting the context
2. Risk Identification
3. Analyzing the risk
4. Evaluating the risk
5. Monitoring and examining
6. Risk treatment
7. Communication and consultation
SETTING THE CONTEXT
The risk management process begins with setting the context. It is formed based on the background of the scope to be assessed. Internal and external factors that have the potential to influence the level of risk need to be considered. This step requires identification of project or department status such as resources, financial position, strategic goals, activities, and their functions.
RISK IDENTIFICATION
The risk identification process is done by applying appropriate techniques such as the Ishikawa Diagram, Problem Cause Analysis, the 5 Whys Technique, and the What-If Technique, to name a few.
ANALYZING THE RISK
After all the risks have been identified, the risk analysis process includes the following:
a. Examination of the existence of controls
b. Determination of probability scores
c. Determination of impact scores
d. Determination of asset value (for information security only)
e. Determination of scores and risk levels
Analyzing risk can be done using a risk matrix (Table 5.1) with two risk parameters: i) risk probability and ii) risk impact. Risk probability is the chance of an event occurring, while risk impact is the outcome of the risk event.
EVALUATING THE RISK
The score assessment can be referred to as the magnitude of risk. After determining the likelihood and impact of an event, the risk magnitude can be calculated as the product of risk likelihood and risk impact.
MONITORING AND EXAMINING
The risk monitoring process will be conducted according to the level of risk that has been determined and based on current needs. This monitoring process involves reviewing any documentation, such as project reports or risk dashboards, to identify any events with a medium, high, or time bomb risk level. Any event identified as having a medium, high, or time bomb risk level will be monitored, and a proper mitigation plan will be determined to reduce the consequences.
RISK TREATMENT
• Action to treat the risk is taken if the level of risk is higher. The mitigation plans are applied in the risk management framework to a) avoid risk, b) reduce risk likelihood, c) reduce risk’s impact, d) transfer the risk, or e) accept the risk. The mitigation plan includes any controls such as procedures, guidelines, or rules identified and documented.
COMMUNICATION AND CONSULTATION
• Effective communication and consultation are essential to ensure that all parties involved understand the risk management process and implementation.
RISK MITIGATION STRATEGIES & TECHNIQUES
• RISK ACCEPTANCE
• RISK AVOIDANCE
• RISK TRANSFER
• RISK SHARING
• RISK BUFFERING
• RISK STRATEGIZING
• RISK TESTING
• RISK QUANTIFICATION
• RISK REDUCTION
• RISK DIGITIZATION
• RISK DIVERSIFICATION
RISK ACCEPTANCE
• This acceptance strategy acknowledges a risk and accepts its potential consequences without taking further actions to mitigate or eliminate it. This approach is suitable when the likelihood and impact of the risk are both low, and the cost of addressing it outweighs the potential benefits.

RISK AVOIDANCE
• This avoidance strategy completely avoids the activity that carries the potential risk. For instance, if a customer has a history of defaulting on loans, lending money to that person poses a serious credit risk. To avoid it, an entity may decline the customer’s loan application. This approach is suitable when the potential impact of the risk is high and the cost of mitigating it is high, making it an essential risk management strategy in project management and business operations.

RISK TRANSFER
• Risk transfer involves shifting the risk to
another party, such as purchasing an
insurance policy to cover the costs of a
data breach. This approach suits risks
with a high potential impact and
significant mitigation costs.
RISK SHARING
In this approach, business partners, stakeholders, or third parties share the identified risks. This strategy suits risks with a significant potential impact that cannot be avoided.

RISK BUFFERING
Buffering adds extra resources, time, or personnel to mitigate a risk’s potential impact. Implementing redundant servers or backup systems can reduce the risk of a critical system failure, showcasing how project management can benefit from such mitigation efforts.

RISK STRATEGIZING
It involves creating a contingency plan or “Plan B” for specific risks. Developing an alternative strategy to manage the project in smaller segments can reduce potential risks, illustrating the importance of flexibility in project management templates.
RISK TESTING
• Performing tests to verify that a project is secure and functions as intended is crucial. A comprehensive risk testing program should include various techniques, such as vulnerability assessments and code reviews, to identify and remediate potential security issues, thereby mitigating risk effectively.

RISK QUANTIFICATION
• Accurately quantifying risks allows an organization to determine the potential financial implications of a risk event. This information is critical for making informed decisions about risk transfer through insurance purchases or risk sharing among stakeholders.

RISK REDUCTION
• Implementing risk controls to mitigate potential hazards or bad outcomes is fundamental to risk reduction. This strategy enhances the safety and security of projects and the organization by identifying and addressing potential risks before they become significant, highlighting the goal of risk mitigation to maintain risk levels within an acceptable range.
RISK DIGITIZATION
Using digital tools and technologies to transform how businesses recognize, evaluate, control, and reduce risks involves integrating digital solutions that provide features like machine learning, data analytics, automation, and artificial intelligence. This approach enhances the efficacy of risk management systems and supports business strategy by enabling more precise risk identification and mitigation efforts.

RISK DIVERSIFICATION
Diversification spreads out potential risks across various projects, products, investments, or business areas to reduce the impact of a failure in any area. This strategy is crucial for financial and operational management, demonstrating how diversification can serve as an effective risk mitigation and business strategy.
Crisis Management and
Response Planning
⦿ Crisis Management is the management and
coordination of an organization’s responses
to an incident that threatens to harm, or has
harmed, that organization’s people, its
structures, its ability to operate, its
valuables and/or reputation. It takes into
account its planning and automatic incident
response, but it must also dynamically deal
with situations as they unfold, often in
unpredictable ways.
⦿ Crisis management is the process of responding
to an event that threatens the operations, staff,
customers, reputation, or the legal and financial
status of an organization. Its aim is to minimize
the damage.
⦿ Crisis management is the process by which an
organization deals with a major event that
threatens to harm the organization, its
stakeholders, or the general public. The study of
crisis management originated with the large-scale
industrial and environmental disasters of
the 1980s. Therefore, the defining quality is the
need for change.
⦿ If change is not needed, the event could more
accurately be described as a failure or incident.
⦿ Crisis management involves dealing with
threats after they have occurred, whereas
risk management involves assessing
potential threats and finding the
best ways to avoid those threats. It is a
discipline within the broader context of
management consisting of skills and
techniques required to identify, assess,
understand, and cope with a serious
situation, especially from the moment it first
occurs to the point at which the recovery
procedures start.
⦿ (i) Natural Disaster: Natural crises or disasters
are the ‘Acts of God’. They are environmental
phenomena such as earthquakes, volcanic eruptions,
tornadoes and hurricanes, floods, landslides,
tsunamis, storms, and droughts that threaten
life, property, and the environment. For example,
the 2004 Indian Ocean earthquake, i.e., the tsunami,
was a natural crisis.
⦿ (ii) Technological Crisis: Technological crises are
caused by human application of science and
technology. Technological accidents inevitably
occur when technology becomes complex and
something goes wrong with the system as a
whole. For example, the Chernobyl disaster.
⦿ (iii) Confrontation Crises: These occur when
discontented individuals and/or groups fight
with government and other interest groups to
win acceptance of their demands and
expectations. The common types of confrontation
crises are boycotts, ultimatums to those in
authority, blockade or occupation of buildings,
and resisting or disobeying police.
⦿ (iv) Crises of Organizational Misdeeds: These
occur when management takes actions without
adequate precautions, knowing well that they
will harm or place the stakeholders at risk.
⦿ (v) Workplace Violence: It occurs when an
employee or a former employee commits
violence against other employees on
organizational premises.
⦿ (vi) Rumours: False information about an
organization or its products creates crises,
thus hurting the organization’s reputation,
e.g., linking the organization to radical
groups or spreading stories that their
products are contaminated or such standard.
Risk Response Planning
Criteria for risk response
Risk response must be:
• Cost effective
• Timely
• Realistic
• Accepted by all parties involved
• Owned by a person or a party
Inputs to Risk Response Planning
• Risk management plan.
• Major elements from the plan needed include roles & responsibilities, budgets and schedule for risk management activities, risk categories, definitions of probability & impact, and the stakeholders' tolerance.
Risk Register
Reference will be made to:
• List of prioritized risks from qualitative and quantitative risk analysis.
• Probability of achieving the cost and time objectives.
• Risk thresholds. The level of risk that is acceptable to the organization will influence risk response planning.
• Common risk causes. Several risks may be driven by a common cause. This situation may reveal opportunities to mitigate two or more project risks with one generic response.
• Trends in qualitative and quantitative risk analysis results. Trends in results can make risk response or further analysis more or less urgent and important.
• Watch list of low priority risks.
Risk Register Updates
• The risk register is updated to reflect the results of the response planning process. Level of detail of documenting a risk should be appropriate to the ranking of the risk (high risks in detail, low risks by listing).
Project Management Plan Updates
• The project management plan is updated to incorporate response activities, including reflecting impact on cost and schedule.

Contractual agreements
• Contractual agreements are prepared to specify each party’s responsibility for specific risks, should they occur. This includes agreements for insurance, services, and other items as appropriate in order to avoid or mitigate threats.
COMPLIANCE AND REGULATORY RISK MANAGEMENT
• Compliance risk management involves identifying, controlling, and assessing the regulatory risks that an organization faces.
• Regulatory compliance risk management refers to a business’s efforts to operate within the laws, guidelines, and agreements governing its industry.
• Regulatory risk is the risk that a change in laws and regulations will materially impact a security, business, sector, or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of an investment, or change the competitive landscape in a given business sector.
• Organizations must comply with existing laws and regulations to be compliant.
• Risk management activities try to be predictive, anticipating risks, and require a strategic approach.
• Compliance with established rules and regulations helps protect organizations from a variety of unique risks, while risk management helps protect organizations from risks that could lead to non-compliance, which is itself a risk.
• Compliance risk management involves identifying, controlling, and assessing the regulatory risks that an organization faces. Risk managers must understand significant compliance risks. They must apply appropriate mitigation measures. And they need to monitor risk management strategies to ensure that controls function effectively.
• Regulatory compliance risk management involves identifying, controlling, and assessing the regulatory risks that an organization faces.
• Risk managers must understand significant compliance risks, apply appropriate mitigation measures, and monitor risk management strategies to ensure that controls function effectively.
• Essentially, it’s about proactively navigating evolving regulations, protecting your organization’s reputation, and maintaining operational integrity.
ENTERPRISE RISK MANAGEMENT IN PUBLIC ORGANIZATION
by: JENEATH C. TIQUIO
ERM
Enterprise Risk Management (ERM) in public organizations
is a strategic approach that prioritizes the identification
and mitigation of risks across the entire organization. In
the context of public entities, ERM focuses on managing
risks that can have far-reaching consequences on the
government's operations and objectives.
It is a holistic methodology that aims to systematically identify,
assess, and prepare for various risks that can impact the
government's functions, services, and overall performance. In
public organizations, ERM plays a unique role in ensuring that
government entities operate safely, efficiently, and
transparently. It involves strategic decision-making to manage
risks proactively, prevent threats, and promote a risk-aware
culture across all levels of the government.
Key Components of ERM in Public Organizations
1. Risk Governance Structure
• Establishing a risk management governance structure aligned with the organizational goals and structure.
• Defining clear risk management responsibilities and goals within the organization.
2. Risk Management Framework
• Following a risk management framework such as the one provided by the Committee of Sponsoring Organizations (COSO) or ISO 31000.
• Adhering to established frameworks to guide risk management practices effectively.
3. Risk Identification
• Continuously identifying risks and risk events through the creation of a risk register.
• Utilizing methods such as surveys, interviews, brainstorming sessions, and benchmarking against other organizations to identify risks.
4. Risk Profile Management
• Creating and managing a risk profile that includes defining risk tolerance levels.
• Quantifying and prioritizing risk events, identifying risk triggers and consequences, and managing key risk areas.
5. Risk Response Strategies
• Establishing risk response strategies that involve accepting, sharing, avoiding, or mitigating risks.
• Developing communication and public relations plans to address risk events effectively.
6. Monitoring and Reporting
• Regularly monitoring and reporting on risk management activities.
• Conducting monitoring processes at intervals appropriate to the risk universe in which the organization operates.
Benefits of Effective ERM in Public
Organizations
1. Enhanced Risk Awareness - ERM provides a comprehensive view of risks across the organization, increasing
awareness of potential threats and vulnerabilities. It allows public entities to proactively identify, assess, and
address risks, leading to better decision-making.
2. Improved Decision-Making - ERM supports better-informed decision-making by providing stakeholders
with timely and relevant risk information. This enables leaders to make strategic choices aligned with risk
appetite, enhancing the organization's ability to achieve its objectives.
3. Regulatory Compliance - ERM helps public organizations comply with legal and regulatory requirements by
establishing processes to identify, assess, and mitigate risks effectively. This ensures that the organization
operates within the boundaries of applicable laws and standards.
4. Efficient Resource Allocation - By prioritizing risks and optimizing resource allocation, ERM
helps public entities effectively manage their resources. This leads to cost savings, improved
operational efficiency, and better utilization of financial and human resources.
5. Improved Stakeholder Confidence - Implementing ERM demonstrates a commitment to risk
management and governance, instilling confidence in stakeholders, including the public, investors,
and regulatory bodies. Enhanced transparency in risk management practices can build trust and
credibility.
6. Business Continuity and Resilience - ERM enables public organizations to anticipate, prepare
for, and respond to potential risks, ensuring business continuity in the face of disruptions. By
developing contingency plans and response strategies, ERM enhances organizational resilience.
7. Strategic Alignment - ERM aligns risk management activities with the organization's strategic
objectives, helping public entities achieve their mission effectively. By integrating risk
management into strategic planning, ERM ensures that risks are considered in decision-making
processes.
8. Operational Efficiency - ERM promotes operational efficiency by streamlining risk management
practices, reducing redundancies, and enhancing coordination across departments. This leads to
smoother operations, improved service delivery, and optimized performance.
9. Proactive Risk Identification - ERM enables public organizations to proactively identify and
address risks before they escalate, allowing for timely risk mitigation strategies. By predicting and
managing risks early, ERM helps prevent potential crises and disruptions.
10. Long-Term Sustainability - ERM fosters a culture of risk management that promotes long-term
sustainability. By embedding risk management practices into the organization's DNA, public
entities can adapt to changing environments and ensure their continued success.
Frameworks for ERM in Public
Organizations
1. Committee of Sponsoring Organizations (COSO) ERM Framework - The COSO ERM
Framework is a widely recognized framework that provides principles and components
for effective ERM implementation. It focuses on aligning risk management with
organizational objectives, strategy, and performance.

2. International Organization for Standardization (ISO) 31000 - ISO 31000 is an
international standard that provides principles and guidelines for risk management. It
offers a systematic approach to identifying, assessing, and managing risks across all
levels of an organization.
3. Risk Management Society (RIMS) ERM Framework - The RIMS ERM Framework is
designed specifically for risk management professionals and provides guidance on
developing and implementing ERM strategies. It emphasizes strategic and enterprise-
wide risk management practices.

4. Casualty Actuarial Society (CAS) ERM Framework - The CAS ERM Framework is
focused on casualty and property risks and offers a conceptual framework for unifying
various aspects of risk management within the actuarial discipline.
5. Management of Risk (M_o_R) Framework - The M_o_R Framework, developed by
the Office of Government Commerce (OGC), provides guidance on risk management
processes for organizations to address risks that may affect strategic, program, project,
or operational objectives.
6. Agile Risk Management Canvas Framework - The Agile Risk Management Canvas
Framework is designed to provide a visual and structured approach to risk
management in public administration. It allows participants to quickly identify risks,
assess them, and plan risk treatment strategies effectively.
7. Enterprise Risk Management Integrated Framework (COSO ERM Cube) - The COSO ERM
Integrated Framework, also known as the ERM Cube, offers a structured approach to integrating
risk management with strategy and performance. It emphasizes the importance of evaluating risk
in the context of achieving organizational objectives.
