Texas Enterprise Risk Management Guidelines

FOREWORD

Introduction from State Risk Manager

The following Texas Enterprise Risk Management Guidelines (TERM) Guidelines replace and simplify the previous Risk Management for Texas State Agencies (RMTSA) guidelines. The new guidelines implement and adhere to the global risk management standards adopted by the International Organization for Standardization (ISO 31000).

The TERM Guidelines were developed by the State Office of Risk Management through an Advisory Council of participating entities, acknowledged herein. These guidelines provide concise frameworks and processes for enterprise risk management (ERM) and are intended to support users of all levels of ERM, from novice to expert.

As outlined throughout the guidelines, the framework addresses context, approach, application, and includes supporting resources to organizations with subject matter expertise (CAAR). This simplified framework is intended to convey model techniques for developing a comprehensive risk management program. Where applicable, the accompanying Resource Guide also includes sample templates and checklists.

These guidelines do not prescribe required actions, but rather encourage consistency in decision-making through a common and interoperable framework. Entities, risks, and enterprise risk management are each constantly evolving. As new risks emerge, or new techniques are developed, these guidelines will be updated to reflect the current best practices of ERM. As a result, this document’s timeliness is reliant on the continued engagement from users. We encourage your feedback and contributions to future development.

Stephen S. Vollbrecht
JD, MA, AINS, AIS, ARM, MCP, MEMS
State Risk Manager for Texas, Executive Director

ACKNOWLEDGEMENTS

Thank you to the participants of the Advisory Council for their valuable input regarding content, language, and formatting. We appreciate the leadership of our participating agencies for prioritizing this project and supporting staff participation, and are grateful to the Board of Directors of the State Office of Risk Management for their continued support, direction, and input to these guidelines.

Advisory Council

Bret D. Adams
Office of the Attorney General

Monica Aleman-Smoot
Texas Department of Transportation

Mike Arismendez
Department of Licensing and Regulation

Charles “Skip” Baylor
Texas Education Agency

Robert Black
Health and Human Services Commission

Brandon Brown
Texas Dept. of Housing and Community Affairs

Johnny Bullock
University of North Texas at Dallas

Mandy Burrell
Texas Facilities Commission

Brian Buster
Texas Department of Criminal Justice

Sonya D. Caldwell
Texas Ethics Commission

Martin Cano
Teacher Retirement System

Belinda Castillo
State Office of Risk Management

Sami Chadli
Department of Banking

Mark Chadwick
State Office of Risk Management

Kathy Cordova
State Office of Risk Management

Stacey Correa
Texas School for the Deaf

James B. Cox Jr.
State Office of Risk Management

Guille Crenwelge
State Office of Risk Management

Marvin Dunbar
Texas Department of Criminal Justice

Scott Duncle
University of North Texas at Denton

Christopher Erickson
UNT Health Science Center at Fort Worth

Gena Garcia
Texas Workforce Commission

John Genuise
University of North Texas at Denton

Melodie Gonzales
Texas Department of Criminal Justice

George Gould
Texas Juvenile Justice Department

Mitchell Griffin
State Office of Risk Management

Erika Gutierrez
Railroad Commission of Texas

Marc Guyot
State Office of Risk Management

Derrick Guzman
State Office of Risk Management

Jamie Hahn
Texas Department of Transportation

Karin Hays
Texas Department of Insurance

Heather Hernandez
State Office of Risk Management

Shane Hill
Comptroller of Public Accounts

Carly Hughes
State Office of Risk Management

Shelby Hyman
State Office of Risk Management

Lowell Keig
Texas Workforce Commission

Jeff Kosub
Texas Higher Education Coordinating Board

Michelle Kranes
State Pension Review Board

Helena LaFleur
Texas Military Department

Fabian Landin
Texas Animal Health Commission

Mechelle Lee
State Office of Risk Management

Chris Martin
Texas State Technical College System

Rachel Martinez
State Office of Risk Management

Wendy McAdams
Employees Retirement System

Janice McCoy
State Office of Risk Management

Jackie McDunn
Office of State Prosecuting Attorney

Charlotte Miller
Office of Court Administration

Shelly Milvo
State Office of Risk Management

John Monk
Health Professions Council

Greg Moore
Stephen F. Austin State University

Paul Morris
Sam Houston University

Richard Morse
Office of Court Administration

Diana Nellessen
University of North Texas at Denton

TJ Olivarez
Texas Department of Public Safety

Scott G. Olson
Parks and Wildlife Department

Donna Osborne
Texas State Library and Archives Commission

Janalee Paiz
Office of Public Utility Counsel

Angela Pardo
State Office of Administrative Hearings

Pamela Parks
Texas Board of Professional Geoscientists

Mellany Patrong
Texas Southern University

Cathy Peterson
Department of Family and Protective Services

Ann Pierce
Texas Department of Motor Vehicles

Maureen T. Power
Health and Human Services Commission

Gary Rash
Lamar University

Suzanne Retiz
TX Board of Prof. Engineers and Land Surveyors

Lydia Scranton
State Office of Risk Management

Scotie Selman
University of North Texas at Denton

Tim Shatto
Texas Veterans Commission

Lori Shaw
State Office of Risk Management

Mike Simon
State Auditor\’s Office

Michael Slagle
Sam Houston University

Stacey Soule
Office of State Prosecuting Attorney

Samuel L. Spooner III
Angelo State University

Jim Stephens
Texas Workforce Commission

Dara Stone
Office of the Secretary of State

Cynthia Stuart
State Office of Risk Management

Mike Tacker
Board of Veterinary Medical Examiners

Elizabeth Taplin
Legislative Budget Board

Miles Tollison
Department of Public Safety

Cleveland Tolver
Alcoholic Beverage Commission

Robin Townsend
State Office of Risk Management

Melissa Trevino
Health and Human Services Commission

Travis Turner
Texas Department of Criminal Justice

Stephen Vollbrecht
State Office of Risk Management

Deea Western
State Office of Risk Management

Kelley Williams
Commission on State Emergency Communication

Chase Winburn
General Land Office

Amber Winsborough
State Office of Risk Management

David Woodfork
State Office of Risk Management

SECTION A - Enterprise Risk

1.1 – Purpose and Scope of the State Office of Risk Management

Context

The State Office of Risk Management (SORM / the Office) is administratively attached to the Office of the Attorney General and is governed by a five-member Board of Directors (Board). The Office is charged by law to administer the enterprise risk and insurance management programs, self-insured workers\’ compensation program for the State of Texas, and continuity of government operations (COOP) program. Its mission is to enable State of Texas entities to protect their employees, the public, and the state\’s physical and financial assets by reducing and controlling risk most efficiently and cost-effectively.

The following programs comprise SORM\’s core mission areas:

Enterprise Risk Management Program

Enterprise risk management services create awareness within state government of risk and the need to continually adapt to external and internal risks, including hazard, operational, financial, and strategic risks. The Office helps state entities identify potential risks to people, resources, and mission-critical functions before a loss event occurs.

Insurance Program (Risk Transfer)

The insurance purchasing program provides opportunities for risk transfer and fiscal responsibility with taxpayer funds. In cooperation with client entities, SORM procures and negotiates insurance coverage tailored for the unique exposures and liabilities of the state.

Workers\’ Compensation Program (Risk Retention)

The State of Texas self-insures most of the workers\’ compensation coverage for state employees. The Office administers workers\’ compensation claims for state entities identified in Labor Code Chapter 501. In certain situations, non-state employees may also receive workers\’ compensation through the Office.

Continuity of Operations Planning Program

Continuity of operations planning ensures the most critical government services continue to be available to Texas under any conditions. The Office\’s continuity of operations program, in coordination with the steps taken by individual state entities, helps build public confidence in the effectiveness and resiliency of state government.

Approach

The Office assists state entities in establishing and maintaining comprehensive risk management programs designed to control, reduce, and finance risk. The Office utilizes multiple approaches, including, but not limited to comprehensive guidelines; oversight in the development and maintenance of risk management and continuity of operations programs; administration of property, casualty, and liability insurance programs; specialized assistance and training; data collection, monitoring, and analysis; and the self-insured workers\’ compensation program.

Application

By statute, the Office is required to develop risk management guidelines that can be used by state entities to develop and implement a comprehensive risk management program to reduce property, liability, and workers\’ compensation losses. These guidelines provide a resource to train, educate, and inform employees on best practices related to enterprise risk management.

Throughout this guide, there are specific types of risk and recommendations on applying the enterprise risk management guidelines to the entity to understand the risk context (both positive and negative outcomes), assess, and treat risk. SORM\’s staff and, specifically, its risk managers are available to assist in this process.

Resources

State Office of Risk Management

Texas Insurance Code and Texas Administrative Code

Texas Labor Code, Title 5 Workers Compensation (WC), Subtitle C, Chapter 501

Texas Labor Code, Chapter 412

Texas Government Code §815.103(f)

Texas Government Code §825.103(c)
1.2 – Overview of Enterprise Risk Management
Context

Enterprise Risk Management (ERM) evaluates and defines actions taken by an entity to identify, mitigate, and monitor risks that threaten strategic goals and continuing operational activities.

State entities are dynamic. The dynamics of change in the Texas state government produce risks that may impact the state\’s financial, physical, and human resources. These risks are usually understood to be harmful or a threat to the organization. However, the risk may also be positive by presenting an opportunity for the organization to benefit or improve its process or position from the risk.

Enterprise risk management shifts the emphasis of risk management from hazard identification and control to the broad array of issues that affect the fundamental objectives of state entities, regardless of mission, size, or resources.

Approach

A comprehensive enterprise risk management program involves all personnel and operations in the risk management process.

A well-conceived, comprehensive enterprise risk management program requires a significant commitment of time and resources by the organization; however, the cost of organizational commitment benefits the organization by:
- Fewer losses
- Less frequency and severity of accidents
- Increased productivity
- Improved employee morale
Application

The various chapters of this guideline will briefly present basic concepts and theories relative to enterprise risk management and provide the user with resources to help guide and direct the enterprise risk management process. State entities should realize that applying these concepts and theories may depend on appropriate enabling legislation before implementation may occur.

These guidelines incorporate various principles, processes, and industry \”best practices\” designed to assist and guide state entities to create a more robust enterprise risk management program.

Resources

State Office of Risk Management
1.3 – The Enterprise Risk Management Framework
Context

Risks constantly change or develop. Therefore, it is essential to understand that ERM is a continual endeavor that requires regular attention and refinement. ERM seeks to provide information about risks impacting the organization\’s achievement of its core objectives.

The ERM process is a management strategy that methodically approaches risk across different venues, situations, and circumstances to effectively plan, understand, and address the risks in advance of their occurrence.

Approach

These guidelines align with the international standard for enterprise risk management (ERM), as promulgated by the International Organization for Standardization under ISO 31000:2018, adopted and incorporated by reference. The standards information provided herein is industry and sector neutral, instructional, and descriptive, and not intended to duplicate or replace the international standard.

Application

Using the ISO 31000:2018 as the ERM framework enables all risk stakeholders to communicate risk issues using the same terms and definitions. Outlined below are some key elements to apply the ISO 31000:2018 framework to create an effective and sustainable ERM program:

Key Definition
- \”Risk is the effect of uncertainty on objectives.[1]\” Risk is often described negatively as a threat of danger, harm, loss, or other adverse consequence. These guidelines adopt the definition of risk as defined by ISO 31000:2018, recognizing that effects (results) may be positive or negative.
Principles
- Integrated – Entity objectives can be affected by uncertainty, and risk management activity is essential at all levels.
- Structured and Comprehensive – Consistency and alignment with entity objectives are best supported by a structured and comprehensive approach to risk management.
- Customized – The framework and processes employed by individual entities should be designed following the entity\’s contexts and objectives.
- Inclusive – The involvement of all relevant stakeholders is a necessary element of the risk management process.
- Dynamic – Risk management is an active and ongoing process of monitoring emerging, changing, or declining risk for appropriate and timely anticipation, detection, acknowledgment, and response to those risks.
- Data-driven – Decisions should consistently be made on the best available information, whether historical, current, comparative, or anticipatory.
- Context-Aware – Considering precise information, including human and cultural factors.
- Cyclical – Focused on a continuous improvement process, such as the Deming Cycle.
Framework
- Leadership and Commitment – Ensures alignment and consistency across the organization, allocates necessary resources, ensures compliance, and assigns accountability.
- Integration – Incorporates risk management considerations and concepts into decision-making at all levels and processes, including strategy, objectives, operations, and governance.
- Design – This relies on understanding the organization and its contexts, including internal and external factors, drivers and trends, relationships and commitments, and networks and dependencies.
- Implementation – Requires awareness and engagement of all stakeholders.
- Evaluation – Measures progress, efficacy, and performance against metrics or expected outcomes.
- Improvement – Applies modifications and enhancements to improve the suitability, adequacy, and effectiveness of the framework.
Resources

ISO:31000

Deming Cycle

[1] International Organization for Standardization, ISO
1.4 – Enterprise Risk Process
Context

The ERM process involves applying policies, procedures, and practices to communicating and consulting, establishing context, and assessing, treating, monitoring, reviewing, recording, and reporting risk. Although the ERM process appears to be sequential, in practice, it is iterative.

Approach

The following diagram illustrates the ERM process[1] steps:

$\"\"$

Application

The ERM process steps are:
1. Communication and Consultation
This step allows relevant stakeholders to understand risk, the basis for decision-making, and why specific actions are necessary. It also provides for feedback (consultation) from stakeholder
1. Scope, Context, and Criteria
Scope provides for the application of risk management processes across different organizational levels. Before risk can be addressed, it is essential to understand the context in which it exists. Defining the relationship between the organization and its environment sets clear boundaries for dealing with risk. Additionally, each organization should specify the amount of risk it may want to take relative to objectives.
1. Risk Assessment
- Risk Identification – Identifies the risks by name.
- Risk Analysis – Focuses on understanding the nature and estimating the level of risk, potential events, and consequences.
- Risk Evaluation – Determines whether the risk is acceptable, tolerable, or undesirable based on a consideration of consequence and likelihood.
1. Risk Treatment
- Avoidance – Choosing not to engage in an activity.
- Capitalization or Exploitation – Accepting or increasing risk to enhance opportunity.
- Removal – Removing or modifying the risk source.
- Mitigation – Taking actions to increase or reduce the likelihood/frequency and/or the consequence/impact of a risk.
- Transfer – Another party assumes the risk through contractual or financial means, such as insurance.
- Retain or Retention – Choosing to accept the risk by informed decision.
1. Monitoring and Review
Assessing the status and the efficacy of the risk management process through controls, risk assessments, lessons, trends, contextual changes, and consideration of emerging risks. Ensures continued iterative improvements and compliance in ongoing governance, including fairness, accountability, and transparency.

Resources

Common Definitions, Strategies, and Tools for Risk Management

[1] Adapted from ISO 31000:2018
1.5 – Developing an Enterprise Risk Management Manual
Context

State entity leadership should recognize that risk management is an integral part of the entity’s governance framework and should ensure risk management is a fundamental part of all entity activities.

The purpose of the ERM Manual is to encourage the integration of risk management at all levels of management within the state entity. Risk management assists all levels of administration by supporting a systematic approach to identifying, evaluating, and managing the risks which could prevent the state entity from achieving its strategic and operational goals.

In supporting the achievement of the entity’s strategic and operational goals, the objective of the manual is to raise awareness of risk management. More specifically, it guides all levels of management and other stakeholders to encourage:
- awareness of the risk associated with the entity operations.
- understanding of the key enterprise risks that the entity faces.
- applying due diligence in decision-making.
Approach

Each state entity will have different components based on its unique risks. Any section of the Enterprise Risk Guidelines (ERG) formerly referred to as the “Risk Management for Texas State Agencies (RMTSA)” or, simply, \”the guidelines\” that apply to the entity should be modified for use or adopted within the entity’s ERM Manual.

Application

Start with an ERM Policy Statement and add the chapters of these guidelines that pertain to your organization. Then modify the templates provided to represent the entity. Contact a SORM Risk Manager for assistance.

Resources

Risk Management Plan Template

NIH Policy Manual
1.6 – Risk Management Organizational Structure
Context

The organizational structure implemented to address risk management within a state entity can vary widely depending on the entity’s size, resources, and risk exposure. Ideally, a risk management function should be as independent as possible to ensure it is afforded proper standing within the organization and does not get lost within another function. While it can be challenging to strike the perfect balance, the risk team should be embedded throughout the entity’s business processes while maintaining independence. However, for smaller state entities, resources may not allow for risk management to be treated as a discrete function. For these entities, risk management must instead be performed as a secondary function without dedicated positions allocated to it.

Whatever structure is used by the state entity, a risk manager should be selected to plan and oversee the program and act as a liaison with SORM.

Approach

The following entity components should be included in a comprehensive risk management structure:
- Board/Commission: The entity’s policymaking body should establish the entity’s philosophy and policy toward risk management.
- Executive Director/Commissioner: The executive director should manage the entity according to sound risk management practices and fully support its risk management program deployed by employees throughout their functional areas.
- Department/Division/Branch/Section Managers: Managers play an important role in emphasizing risk management within their areas and their employees.
- General Counsel/Legal Department/Staff Attorney: Legal staff plays a significant role by reviewing policies, programs, contracts, and other documents to identify legal liability exposure before they are implemented or published. Legal staff also provides legal counsel after a loss occurs.
- Financial/Accounting/Purchasing: An entity’s financial activities, including handling public funds or property, produce fiduciary liabilities that must be managed through sound controls.
- Human Resources/Personnel: Human resources represent one of the largest areas of risk exposure for an entity and must be executed in coordination with the risk manager/legal staff.
- Information Technology (IT): An entity’s IT infrastructure plays a critical role in communications, training, and operations.
- All Employees: Every employee plays a critical role by working safely and minimizing risk in various areas, from safety and health to cybersecurity and beyond.
The success of any risk management program depends on the level of support the program receives from executive leadership. A fully supported program that is communicated throughout the organization creates employee awareness that eliminating or reducing risk is the most important aspect of every program, activity, job, and task.

Application

State entities may utilize the resources and information provided by SORM to structure and monitor their risk management approach. State entities are encouraged to work with the staff of SORM to draw upon their knowledge and expertise in establishing and maintaining a well-planned risk management organizational structure.

Resources

Best Practices for Structuring ERM Within the Organization

ISO 31000 Risk Management Standards

28 Tex. Admin. Code Part 4, Chapter 252

SECTION B – Risk Transfer

2.1 – Risk Financing

Context

Risk control attempts to eliminate or prevent losses from occurring or reduce the frequency and severity of losses. Risk financing is the element of risk management concerned with funding and payment of losses. Generally, financing losses include retention and transfer (Section 2.2).

Approach

Risk-retention or \”risk of loss\” is \”retained\” if the funding source for the payment of loss originates from and remains within the entity or organization. A typical example of risk retention is a deductible carried on an insurance policy. Risk-retention is an organizational decision to accept responsibility for the risk of loss, whether intentional or unintentional. The State of Texas retains risk for most, if not all, risk unless the risk is transferred.

Risk transfer includes insurance and contractual transfer. When insurance is purchased, the risk of loss is transferred to the insurance carrier (according to terms and conditions outlined in the policy). Contractual transfer of risk involves a legal transfer of the financial responsibility for payment of losses but does not involve insurance purchase. Such non-insurance transfers typically involve the use of a \”hold harmless agreement.\”

Application

Risk financing and risk transfer strategies interact with physical risk mitigation plans. Effective risk financing and transfer require risk assessment reduction to levels that allow for cost-effective risk financing or risk transfer. As stated in other sections of the guidelines, following the ISO 31000 framework will improve risk awareness, risk assessment, and help an entity or organization understand when risk financing is appropriate.

Resources

Why & How International Risk Management Institute, Inc. (IRMI)

SORM Insurance Services

SORM Enterprise Risk

International Organization for Standardization, ISO 31000
2.2 – Risk Transfer, Insurance

Context

Insurance is a system in which risk, or the possibility of a loss, is transferred to an insurer that reimburses the insured for covered losses and provides for sharing the cost of losses among its insureds. Risk transfer and sharing are vital elements of insurance. By transferring risk to insurers, insureds exchange the possibility of large losses for smaller, certain, manageable costs (e.g., insurance premiums and deductibles).

Approach

One of the SORM\’s key statutory missions is to operate as a full-service insurance manager for state entities and institutions of higher education. State entities subject to Labor Code Chapter 412 may not purchase property, casualty, or liability insurance coverage without the Office\’s approval.^[1]

To ensure the Office is informed of state insurance purchases, Insurance Code Section 1803.002 requires insurers that intend to sell property, casualty, or liability insurance coverage to a state entity to report the intended purchase of insurance coverage at least 30 days before the insurance sale occurs.

Application

Sponsored Lines of Insurance

Sponsored Lines of Insurance are lines approved by SORM\’s Board of Directors to be managed and made available to participating entities. The Office currently sponsors five lines of insurance: property; directors\’ and officers\’; automobile; volunteer; and fine arts insurance. After the Office sponsors a line of insurance, state entities must purchase that type of coverage only through the Office. A state entity can obtain a written exception to purchase a sponsored line of insurance under a non-sponsored policy in certain circumstances.

Non-Sponsored Insurance Purchases (SORM-201 Process)

State entities can purchase a line of insurance that is not available through the Office\’s insurance program and obtain a waiver to purchase an available line of insurance outside of the insurance program. However, both purchases must be reviewed by the Office before the purchase occurs.^[2]

The process begins when a state entity reports an intended purchase to the Office using a SORM-201 form, including supporting documentation (i.e., copies of insurance forms, policies, and other relevant information). The Office\’s insurance staff analyze the SORM-201 packet and then forward the information to a SORM-201 committee. The committee reviews the proposed purchase and determines whether the purchase should be approved or denied.

Resources

Consumer Finance – What is Insurance?

TDI Consumer Guides to Insurance

Understanding Your Insurance Policy

Texas Insurance Code Chapter 1803

SORM Insurance Services

Understanding Insurance Guide, AM Best

[1] Labor Code §§412.011(e) and 412.051(b).

[2] 28 Texas Administrative Code §252.307
2.3 – Overview of Liability Exposures
Context

Liability can be defined as being potentially responsible for an incident or loss that may occur. Liability exposure is defined as the organization\’s susceptibility to an incident or risk. Liability exposures and the associated loss or risk may include compensatory or punitive damages resulting from personal injury or property damage claims against an organization by employees or the public. Even if the organization is not responsible for any legal wrongdoing, liability losses (monetary) may be incurred to defend a claim against the entity or individual employees.

Approach

There are a few ways to identify a state entity’s exposures to liability risks. These include, but are not limited to, the following:
- Checklists
- Interviews with the department(s)
- Inspections and site visits
- Records of incidents or claims
- Complaint forms
- Annual Reports and Budgets
- Contracts
Application

Once liability risk exposures have been identified, the financial aspects of each exposure should be determined. These financial exposures can be accomplished by examining historical records of past losses. These records can be examined to help determine potential future losses.

Estimating the severity of liability loss exposures can be difficult because it involves assigning exact costs to unpredictable variables. However, it is possible to predict or forecast liability losses based on an analysis of the number of past losses. Adjustments for the future might include changes in policy, operations, growth, inflation, changes in the law, and similar relevant factors.

Although the goal of a liability loss control program is to avoid the loss entirely, the underlying objective is to minimize the combined total amount of actual losses and the costs of loss control measures. Risk prevention and loss control are two risk management techniques that address specific control points and measures that should be incorporated into an entity’s liability loss control program.

Resources

State Office of Risk Management
2.4 – Contractual Liability Exposures
Context

A contract is a legally enforceable promise made by agreement between two or more parties to create reasonably specific mutual obligations. Contracts are typically concerned with the creation, transfer, and disposition of rights and duties through promises, or sets of promises, legally enforceable in court. Generally, a contract is viewed as a voluntary agreement between competent parties suitable enough for legal consideration.

Approach

There are several kinds of contracts, each with specific requirements and characteristics. The utilization of a contract to transfer risk is a risk treatment method discussed in ISO 31000. Every state entity should consult the Comptroller of Public Accounts Procurement and Contract Handbook when developing a contract. The Texas Comptroller states, \”The guide provides a framework for navigating the complexities of Texas procurement law and offers practical, step-by-step guidance to ensure agencies acquire goods and services in an effective and efficient manner.\”

Application

Understanding the risk associated with contractual liabilities may be accomplished by an analysis of the following:
- Experience, qualifications, certifications, and reputation of the vendor
- Identify potential risks for each of the parties to the agreement
- Determine service level agreements (SLA\’s) and minimum compliance requirements
- Consider a non-insurance transfer (hold harmless or indemnity agreement)
- Consider an insurance product that transfers the risk to an insurance carrier
  - Verify coverage (if an insurance transfer)
- Audit vendor performance
- Monitor for changes during the agreement period
- Adjust as necessary
Resources

Texas Procurement and Contract Management Guide

Alliant Insurance Requirements in Contracts

TDI Surety Companies & Agents

SEC – How to Read a 10-K/10-Q

D&B Credit Rating Fact Sheet

ISO 31000:2018 Risk Management – Guidelines
2.5 – Texas Tort Claims Act

Context

The Texas Tort Claims Act (TTCA) was passed in 1969 as part of the Texas Civil Practice and Remedies Code, Title 5, Chapter 101. The Act partially waives immunity for wrongs committed by governmental units and their employees by permitting Texans to sue in certain specific limited circumstances defined under the act. The act does not completely waive or abolish the doctrine of sovereign immunity but limits waiver of immunity only to areas specifically covered in the act.

TTCA provides a limited waiver of sovereign immunity in certain situations when a governmental unit is liable for damages. The TTCA limits the maximum amount of monetary damages for each person and each occurrence.

Approach

An entity may be held liable for damages arising from the negligence of its employees in operation or use of motor-driven vehicles or motor-driven equipment; in the condition of real property used by the entity; or the condition or use of tangible personal property. While acting within the scope of employment, entity employees may be held personally liable for certain acts done either intentionally or negligently. Personal liability may be avoided if the defense of official or qualified immunity is available.

Application

A state entity can shift or eliminate its potential exposure to unanticipated TTCA expenditures to a pre-planned expenditure through the purchase of liability insurance. SORM helps individual state entities make informed decisions on whether to retain all the TTCA liability risks, transfer the TTCA liability risk, or partially transfer the TTCA liability risk. SORM helps state entities understand the cost savings of self-insured retention through an insurance deductible and insurance policy limits that do not exceed the maximum damages of the TTCA.

Resources

Texas Tort Claims Act

TML Texas Tort Claims Act Basics

Section C - Risk Retention

3.1 – Worker\'s Compensation

Context

Workers\’ compensation pays medical bills and replaces some lost wages for employees injured at work or who have work-related diseases or illnesses. Benefits are provided without regard to fault and are the exclusive remedy for workplace injuries, illnesses, and deaths.

In Texas, workers\’ compensation insurance covers medical benefits, income benefits (including temporary income benefits, impairment income benefits, supplemental income benefits, lifetime income benefits), and death and burial benefits.

Approach

The State of Texas self-insures for the purposes of workers\’ compensation. SORM administers workers\’ compensation claims for state entities identified in Labor Code Chapter 501. The state employee workers\’ compensation program covers most state entities, including courts, institutions of higher education, community supervision, and corrections departments.

Application

Workers\’ compensation claims of state employees are filed with and investigated for, compensability by the Office, but TDI/DWC adjudicates income and medical benefit disputes. The SORM executive director acts in the insurer\’s capacity as an adversary before DWC and the courts and presents the legal defenses and positions of the state as the insurer.

Resources

SORM: Claims Operations

SORM Claims Coordinator Handbook

Texas Department of Insurance Division of Workers\’ Compensation Website

TDI/DWC Employer Resources

TDI/DWC Employee Resources

Section D - Continuity of Operations

4.1 – COOP Planning
Context

In partnership with SORM, the Texas Labor Code § 412.054 requires all state entities to develop a continuity of operations plan to “keep the agency operational in case of disruption of production, finance, administration, or other essential functions.” A plan must detail the resumption of essential functions and include: (1) coordination with public authorities; (2) media management; (3) delivery of customer service; (4) an assessment of immediate financial and operational needs; and (5) other services identified by the entity.

Approach

An effective continuity of operations (COOP) program incorporates an ongoing cycle of planning, training, exercising, and evaluating the performance outcomes after each exercise (or real event) to review and improve the plan. Continuity programs are intended to evolve and should be regularly reviewed and updated to ensure continuity of essential functions in any disaster event. Every continuity plan should incorporate four phases:
- Phase I: Readiness and Preparedness – includes all continuity readiness and preparedness activities, such as: the development, review, and revision of continuity plans; the orders of succession in the plans; delegations of authority; test, training, and exercises; and risk management.
- Phase II: Activation – includes the activation of plans, procedures, and schedules for the continuation of essential functions.
- Phase III: Continuity Operations – includes performing essential functions, accountability of personnel, establishing communications, and preparing for reconstitution.
- Phase IV: Reconstitution – includes initiating operations for resuming normal business operations.
Application

State entities may utilize any of the resources provided below, or other relevant guidelines addressing business continuity, disaster recovery, or other planning frameworks, as applicable.

Resources

FEMA Continuity Guidance Circular Feb. 2018

FEMA Continuity Plan Template and Instructions for Non-Federal Entities and Community-Based Organizations

FEMA Continuity Excellence Series

Texas State Agency Continuity Planning Policy Guidance Letter

SECTION E – Employee Safety & Health

5.1 – Overview
Context

A comprehensive Employee Safety and Health Program is an essential component of an entity’s risk management program. State employers should protect both state employees and the public against harm to life and health while performing business for the state. State entities are encouraged to take actions devoted to preventing and mitigating potential consequences of losses by developing policies, procedures, and training that provide state employees with the basic guidance and instruction required to perform job duties with the least exposure to costly risks safely.

The potential costs associated with an employee work-related injury, illness, or disease for the State of Texas and state entities include:
- Workers\’ compensation administration costs
- Legal defense fees and claim settlement costs
- Indemnity payments and medical payments
- Employee training and replacement costs
- Replacement costs of damaged property or equipment
Approach

Employee safety and health programs aim to eliminate the risks of occupational accidents, injuries, and diseases. The program allows intervention in a chain of events that may lead to accidents, injuries, and occupational diseases.

Often preventable, common causes of work-related accidents include, but are not limited to:
- Lack of adequate training, policies/procedures, or compliance
- Lack of safety and health culture
- Inadequate personnel protective equipment and safety devices
- Human error, complacency, or fatigue
- Poorly designed or old equipment
- Altering safety devices
Application

The employee safety and health program should be fully integrated into the entity’s organizational structure and standard operating procedures, and it should require active participation from all entity personnel.

Resources

OSHA Safe and Sound Program

OSHA Sample Safety and Health Training Plan
5.2 – Program Management
Context

The Employee Safety and Health Program should help prevent workplace accidents (i.e., injury, occupational illness, and death) and the associated loss to the injured worker, family, and entity. Best practices recognize that identifying and correcting hazards before they cause injury or illness is a far more effective approach.

The concept of risk management encompasses all aspects of workforce protection, including the physical environment and entity operations. The fields of risk management and safety are interrelated and interdependent. \”The idea is, to begin with, a basic program and simple goals and grow from there. If you focus on achieving goals, monitoring performance, and evaluating outcomes, your workplace can progress along the path to higher levels of safety and health achievement.\” ^[1]

Approach

Safety management programs are often comprised of multiple components. However, a few core elements include:
- Management and Leadership
- Employee or worker participation (all levels)
- Hazard identification and assessments (ISO 31000:2108)
- Hazard prevention and controls
- Education and training
- Program evaluation and improvement
- Communication
Application

The Occupational Safety and Health Administration’s (OSHA) Recommended Practices for Safety and Health Programs provide a straightforward approach to implementing a safety and health program. Their approach is based around seven core elements, each of which is implemented by completing several action items.

Resources

OSHA Recommended Practices for Safety & Health Program

OSHA S&H Implementation Checklist

OSHA Additional S&H Resources by Topic

DOL Managing Worker Safety & Health

OSHA \”Ten Ways to Get Your Program Started\”

[1] https://www.osha.gov/safety-management
5.3 – Program Roles and Responsibilities

Context

State entities need to understand and support the various roles and responsibilities that encompass safety and health programs. It is important to emphasize that these programs are not the sole responsibility of the entity’s safety officer; they are the responsibility of everyone within the organization.

Approach

Since the safety and health function falls within an entity’s comprehensive risk management program, most organizations that have established risk management programs include the employee safety and health program within the risk management organizational structure. In these organizations, the safety officer or manager usually reports to the risk manager.

Application

State entity leadership has the responsibility to establish and maintain these programs. Their roles and responsibilities include the following: establishing acceptable levels of risk: the Safety and Health Policy, and metrics of success; allocating resources; and revising the program areas as necessary.

Employees’ acceptance is critical for a successful program. Their roles and responsibilities should include: help develop, establish, and participate in the programs; follow policy and procedures; report hazards, incidents, and near misses; and provide feedback to management, as needed.

Every state entity should also consider appointing or hiring an employee to serve as the safety officer and member organization\’s safety and health committee. Such an appointment may be a full-time safety professional, or the appointment can be an \”additional duty\” for the designated position. An individual assigned to manage the safety and health program as an additional duty (Additional Duty Safety Officer, ADSO) is expected to perform these duties and serve as the ADSO.

Resources

Safety Committee Sample (Oregon State)

Safety Committee Guide (Oregon)

SORM Additional Duty Safety Officer Training
5.4 – Education and Training
Context

Many incident investigations identify lack of education and training or inadequate education and training as a precipitating factor in workplace incidents. Supervisors often list other health and safety education and training as action items on incident reporting forms. Additionally, management often does not understand why the supervisor or ADSO does not provide the proper training to employees.

Education and training are most effective when incorporated into performance requirements and everyday job practice. Safety and Health education and training equips leadership and employees with the knowledge of their specific roles and responsibilities in the program and is designed to understand existing workplace hazards, identify potential hazards, and prevent and control these hazards from causing an injury or loss.

Approach

An education and training program for safety and health is one of the most necessary and basic elements of an Employee Safety and Health Program. Safety education and training are most effective when immediately incorporated into standard operating procedures, workplace practices, and individual job performance requirements.

Application

New employees should be trained on the program, and all employees should be trained on the updated program following any revision. Below are some components of a Safety and Health Program:
- Safety and health policy statement
- Workplace standards of conduct
- Emergency action procedures (hazard identification)
- Health and safety manual
- Reporting procedures
- Recordkeeping
- Assignment of duties, responsibility, authority, and staffing
- Education, training, and certification resources
- Committee information
Examples of some safety and health training and education materials include:

Emergency Action Plans (EAP)

Every organization has exposure to emergency events that could pose a threat to life and property. Therefore, employees should know the specific actions expected of them in case of an emergency.

Safety and Health Manual

The safety and health manual is a reference document that serves as a crucial resource for general and specific safety and health program information. Without an entity-specific safety and health manual, the safety and health staff will have difficulty communicating program elements to employees.

Training

SORM’s training team provides health, safety, and risk management training to state entities and their employees. The focus is on the prevention of work-related injuries and illnesses. This proactive approach is intended to make the workplace safer and reduce the costs incurred by state entities due to work-related injuries. SORM training specialists work hard to have course offerings and training materials serve the diverse needs of the 185,000 employees the entity serves.

Resources

OSHA Sample H&S Programs

OSHA Safety Handbook Sample

SORM Training
5.5 – Manual
Context

An essential requirement of the Employee Safety and Health Program is that every employee understands workplace safety and health programs, procedures, and practices. A safety and health manual is a convenient format for documenting these elements. A safety and health manual also provides information about work situations that have a risk or loss potential. Therefore, a safety and health manual should be developed to reflect the specific needs of the entity. It should be flexible and proactive to respond to situations that may arise in the work environment.

Approach

No two safety manuals are alike. However, all manuals serve a common purpose to provide employees with access to safety and health-related resources and information. The primary function of the manual is to present information regarding safety and health programs, policies, procedures, and standards. This information is developed to assist employees in preventing accidents and reducing occupational safety and health risk exposures. The manual is also an indication of the emphasis given by the entity to employee safety and health. The manual serves as a record that the entity takes the employee safety and health program seriously. Employees should be expected to understand and follow all safety policies, procedures, and practices provided in the manual. The following are several additional reasons to develop a safety and health manual:
- Present information
- Emphasize the importance of safety
- Efficacy when an incident occurs
- Promote a safety culture across the organization
- Meeting legal or procedural needs
Application

Because of the diversity of size, the scope of operations, number of separate geographical locations, and unique entity needs, the content of one entity’s manual may be different from that of other entities. However, certain subjects and topics should be common to all state entities.

Resources

OSHA Evacuation Plans & Procedures

Safety Plan Template

TDI OSHA Consultation Program

Sample: Safety & Health Program (Hawaii)

Sample: Additional Duty Safety Officer Program (Lamar University)

US Coast Guard, Safety and Environmental Health Manual

OSHA Safety and Health Program Management Guidelines

OSHA Recommended Practices for Health and Safety Programs, Construction
5.6 – Occupational Health Resources
Context

An Employee Safety and Health Program should assist state entities in potentially preventing diseases, injuries, and deaths due to working conditions. Work-related illnesses and injuries include any illness or injury incurred by an employee engaged in work-related activities while on or off the worksite.

State entities vary in size, design, location, essential functions, workplace culture, and resources. In addition, entity employees differ in age, gender, training, education, and cultural background. This diversity in each entity’s safety and health risk profile requires safety and health programs that can be easily modified or customized.

Approach

An occupational safety and health program should include incident prevention and loss control measures that address specific safety hazards, issues, and concerns in the workplace. Effective incident prevention and loss control programs are the most effective cost-containment measures a state entity can implement to reduce loss exposures and workers\’ compensation claims and losses. Incidents may be prevented by eliminating workplace hazards and redesigning jobs or job sites to prevent occupational incidents. Occupational hazards (i.e., generally classified as chemical, physical, ergonomic, and biological) that cannot be eliminated may be controlled through engineering techniques, administrative controls, and other loss control methods.

Application

An occupational health program should include those loss prevention and control measures that address specific occupational health exposures and concerns in the employer\’s workplace. A state entity’s executive management, assisted by supervisors, the risk manager, and the safety officer, must make every effort to ensure that safety and health concerns are fully addressed, understood, and supported throughout the organization.

This guide addresses certain occupational safety exposures in many state entity environments. Discussion of these exposures includes suggestions for incident prevention and loss control. These suggestions are based upon applicable industry standards, and federal and state entity laws and regulations.

Resources

Texas Department of Insurance (TDI)
Occupational Health and Safety Administration (OSHA)
National Fire Protection Association, NFPA
- The Standard for Electrical Safety in the Workplace
- Life Safety Code (Free Access)
The National Institute for Occupational Safety and Health (NIOSH)
- Machine Safety
The United States Environmental Protection Agency, EPA
- Indoor Air Pollution and Health
- Guidance for Cleaning and Disinfecting
Centers for Disease Control (CDC)
- Work-Related Musculoskeletal Disorders & Ergonomics
- Repetitive Motion Injuries
Driving Safety
Other
5.7 – Direct and Indirect Costs

Context

Workplace injuries and illnesses have an impact on an entity’s bottom line. The costs of workplace injuries and illnesses include direct and indirect costs. An accurate estimation of direct and indirect incident costs will assist the entity in budgeting for costs related to employee safety and health programs.

Approach

A risk management/safety program can reasonably plan for the direct costs of personal protective equipment (PPE) training and workers\’ compensation coverage. These direct costs are easily available for trending and budgetary purposes.

Indirect costs of incidents are not associated with workers\’ compensation or a specific safety purpose. Examples of indirect costs include training replacement employees, incident investigation and implementation of corrective measures, lost productivity, repairs of damaged equipment and property, and costs associated with lower employee morale and absenteeism.

Application

Direct Costs

Direct workers\’ compensation costs information is provided to entities by SORM. These reports are provided to the entity’s workers\’ compensation claims administrator and risk manager. In addition, the entity’s accounting office can determine other direct costs including PPE and training.

Estimating Indirect Costs

An entity’s accounting department can provide safety professionals with internal information to derive the overlooked costs associated with incidents and injuries. A reporting procedure could be developed and implemented to capture incident-related costs until all damages and losses caused by the incident have been identified. Costs associated with this type of data gathering and reporting include supervisory time spent completing reports and forms, logging data, program monitoring, and if necessary, training and education of staff.

Resources

OSHA Business Case for Safety & Health

OSHA Occupation Injury Cost Estimator
5.8 – Job Safety Analysis

Context

Job safety analysis (JSA) is one of the first and foremost proactive steps in a safety program. The JSA centers on identifying the set of activities or distinct steps performed in sequence, resulting in an anticipated work-related end-product. The JSA focuses on specific tasks performed as a part of a larger set of job duties.

Approach

JSA is a process that examines specific job tasks to identify hazards, safe methods, and procedures to perform job tasks. A JSA is accomplished by performing a detailed study of the job and recording each step required to carry out and safely complete the tasks. Existing or potential job hazards are identified, and a determination is made of the best way to perform the job to eliminate, reduce, or control associated hazards. Outcomes may include improved job methods and procedures, safer equipment, engineering controls, employee training, PPE use, reduced employee absenteeism, workers\’ compensation costs, and increased employee satisfaction and productivity.

Application

The cornerstone of JSA is an agreement between the employee and supervisor to identify all job components and then analyze each component for potential hazards. Solutions to the hazards identified are then developed. JSA collaborates with the employee based on what they do and not necessarily those functions that are identified in the job description. Employee involvement helps minimize oversights, ensures a quality analysis, and encourages worker \”buy-in\” to the solutions.

Each entity should identify and evaluate all identified hazardous positions and all jobs susceptible to accidents, injuries, or occupational diseases. The JSA should be conducted periodically to ensure that new jobs and significant changes to existing jobs are not overlooked.

Resources

Job Safety Analysis (OSHA)

Job Safety Analysis (TDI)

Job Safety Analysis & Task Training (TDI)
5.9 – Incident Reporting

Context

In the past, the term \”accident\” was often used when referring to an unplanned, unwanted event. To many, \”accident\” suggests a random event and could not have been prevented. Since nearly all worksite fatalities, injuries, and illnesses are preventable, OSHA suggests using the term \”incident\” investigation.

The purpose of incident reporting is to initiate an investigation to identify the facts and circumstances surrounding an incident, inform management, and take the necessary actions to prevent a similar incident in the future.

Approach

State entities should develop specific procedures that employees are expected to follow when injuries, incidents, or near-misses (injury or incident could have occurred but did not) occur. These procedures should outline the methods and practices for reporting incidents that employees can easily understand.

Application

The instrument used to report accidents/incidents is an appropriate employee accident/incident report form. SORM developed a form specifically for this purpose.

The entity’s safety officer and safety committee should review the comments and actions taken by the supervisor, ADSO, and department head and take appropriate action to prevent future incidents.

Resources

OSHA – Incident Information

SORM 703 Incident/Accident Investigation Form
5.10 – Incident Investigation, Review, and Analysis
Context

A state entity should react quickly to all incidents with a prescribed investigation procedure to find the root causes and implement corrective actions. Prompt and planned actions demonstrate a commitment to employees’ safety and health and demonstrate a willingness to prevent future incidents. Investigating the hazards that exist based on any injury or illness and taking measures to correct or eliminate the hazard will help to prevent injuries and illnesses from recurring.

Approach

Entities should investigate all workplace incidents, including those that cause harm and the close calls that could have caused harm under slightly different circumstances. Investigations are incident-prevention tools and should be an integral part of occupational safety and health management programs.

Application

Each state entity should develop its incident review and analysis procedures to guide personnel in the review and analysis process. These procedures establish: what to do; when to do it; they help identify the conditions, behaviors, hazards, and root causes of an incident; and pinpoint the corrective actions necessary to prevent similar occurrences. The procedures should include a clearly stated, easy-to-follow written plan with guidelines for the following:
- Who:
  - should be notified of an accident
  - is authorized to notify outside entities (police, fire, etc.)
  - will conduct investigations
  - will receive investigation recommendations
  - receives and acts on the investigation
  - will be responsible for implementing corrective actions
- Timetables for completing the investigation and implementing recommendations
- Training needed
Resources

The Importance of Root Cause Analysis During Incident Investigation

OSHA – Incident Information

Incident Investigations: A Guide for Employers, (OSHA)

Introduction to Effective Incident Analysis

A Guide to Smart Accident Investigation. EMC Insurance

SECTION F – Hazards

6.1 – Hazard Identification and Analysis
Context

A hazard is a condition that increases the frequency or severity of a loss. Hazard identification is a crucial step in improving safety in the work environment. Once identified, management is equipped to take the steps necessary to eliminate or minimize a hazard and prevent employee injury or property loss. Taking corrective action before a loss occurs reduces the incident frequency and prevents property loss and the interruption of the entity’s operations. Proper hazard identification and corrective action positively impact the funding necessary to compensate occupational injuries and illnesses. In simple terms, preventing hazards is more cost-effective than reacting to their consequences.

Four principal factors which contribute to hazards and employee loss exposures include the following:
- Human Factors refer to an act or failure to act that creates an unsafe condition that exposes the employee, their coworker (s), and others to an increased potential for an accident.
- Situational Factors – contribute to loss exposures and employee injuries through hazardous conditions related to design, construction, or planning.
- Environmental Factors – contribute directly or indirectly to potential accident situations.
- Managerial Factors – the level of commitment to safety from the top down throughout an organization.
Approach

Methods to identify hazards may include safety inspections, loss data, maintenance records, and employee input.

Identifying potential hazards is wide-ranging and covers all operational areas where employees are present. Therefore, any time a safety professional is in the workplace, he/she should be conducting either a formal or informal inspection. Issues and items to observe will include the following and more:
- Housekeeping
- Work practices
- Emergency equipment
- Condition of equipment, including guarding
- Ladders and railings
- Environmental conditions including lighting, noise, and indoor air quality
- Adherence to organizational safety policies
- Regulatory compliance
Application

OSHA states that one of the \”root causes\” of workplace injuries, illnesses, and incidents is the failure to identify or recognize present hazards, or hazards that could have been anticipated. A critical element of any effective safety and health program is a proactive, ongoing process to identify and assess such hazards.

An entity safety program should include hazard inspections, identification, monitoring, and correction.

Additional issues to consider:
- Hazard inspections help to detect unsafe conditions and hazards before an accident occurs. When utilized properly, safety inspections effectively eliminate occupational hazards and provide an educational opportunity. An effective safety inspection program is based upon knowledge of safety regulations that apply to specific operations.
- Hazard identification methods may include checklists, inspections, audits, surveys, historical accident or claims data, maintenance records, and employee suggestions.
- Hazard monitoring involves four elements: job safety analyses, safety inspections, measurement and testing, and accident reviews.
- Hazard correction addresses the identified hazards and classifies them in an orderly fashion from the most severe (i.e., catastrophic) down to negligible.
Resources

Incident Investigation (OSHA)

Incident Investigations: A Guide for Employers (OSHA)

The Importance of Root Cause Analysis During Incident Investigation (OSHA)

Supervisor’s Incident Review Best Practices (MMA)

Accident and Incident Root Cause Analysis (ciobacademy.org)

Hazard Identification and Risk Assessment (OSHA)

The Health and Safety Executive’s Five Steps to Risk Assessment (rospa.com)
6.2 – Hazard Inspection Program
Context

Workplace safety inspections identify unsafe work conditions and provide the opportunity for such hazards to be addressed before injuries, illnesses, or accidents occur. Periodic facility inspections also provide an opportunity to verify compliance with applicable regulations and established workplace safety standards. When utilized properly, safety inspections effectively eliminate occupational hazards and provide educational opportunities.

Approach

The primary purpose of a workplace safety inspection is to identify unsafe working conditions and equipment, unsafe behavior, and reveal any need for new safeguards and procedures. However, an inspection also fosters safety awareness and promotes the safety program within the organization. Individuals at all levels of the entity should be included in the safety inspection process. Senior leadership is essential to reinforce the message that all employees, not just the safety staff, are responsible for safety.

Application

A safety inspection program should assist entity management in accomplishing the following:
- Determine if the safety and health program is meeting its goals and objectives
- Establish a basis for employee participation in, and accountability for, safety matters
- Detect operational and procedural problems that may adversely impact the program
- Establish the need for further education or training
- Facilitate action plans to correct safety issues
A workplace safety inspection is an on-site walk-through of the work environment to identify potential hazards and the opportunity for remedial action. Safety inspections are also important for property insurance (risk transfer) issues. A review of safety equipment (i.e., emergency eyewash, shower, fire extinguishers, first aid kits, etc.) is also completed to verify that they are in proper working order. A sample safety inspection checklist is included in the Resources below.

After completing a workplace safety inspection, the responsible person(s) should be contacted for remedial action. These actions prevent future incidents, injury/illness, or property/equipment damage.

Resources

Building Safety Inspection Checklist

Workplace Inspection Program (Florida Tech)

Policies, Procedures, and Forms: Occupational Safety (UConn)
6.3 – Hazard Reporting
Context

Hazard reporting is an important part of any safety and health program and is necessary to prevent incidents and control losses. Employees should have the ability to report all known, potential, or perceived hazards in the work environment. Entity leadership and supervisors should also encourage employees to take responsibility and initiative for the safety and health program and report any known or suspected hazards and dangers. Direct communication is the principal means through which safety and health concerns receive management\’s attention.

OSHA provides the following recommendation regarding a hazard reporting system: \”Develop and communicate a simple procedure for workers to report any injuries, illnesses, incidents (including near misses/close calls), hazards, or safety and health concerns without fear of retaliation. Include an option for reporting hazards or concerns anonymously.\”

Approach

Every entity should have a formal written hazard reporting procedure to provide clear guidance to employees who wish to report safety and health concerns to management. A written hazard reporting procedure formally communicates the accepted reporting process to all employees. The program is not intended to replace direct communication with supervisors. This procedure may be included in a safety manual or other administrative manuals.

Application

Elements of a Hazard Reporting Program

At a minimum, the hazard reporting program should provide:
- A means for reporting the hazard, such as the person to contact (agency safety officer), a reporting form, or a telephone hotline
- A written report of the hazard that includes the inspection/investigation conducted
- A record of the corrective action that was taken
- Feedback to the employee who makes the report, if desired
- Anonymity to the employee who makes the report, if desired
- A monitoring system that permits review, audit, data analysis, and program reporting
- Purpose of the Hazard Reporting Procedure
Resources

Safety Hazards: How to Encourage Worker Reports

OSHA Employee\’s Report of Injury Form (Sample)

Safety Culture: Hazard Report Form Template
6.4 – Hazardous Materials Management Program (HAZMAT)

Context

State entity employees can and may use or contact various chemicals or materials classified as hazardous. Such hazardous chemicals and materials can create risk exposures to employees, public members, and the environment. If hazardous material exposure exists, a state entity should develop a program to guide the entity and its employees in appropriate procedures for safe use, handling, transporting, and disposal of these materials.

Hazardous materials (HAZMAT) are any materials, chemicals, or wastes that harm the environment or affect people if released in a specific volume, quantity, or amount. HAZMAT chemicals include those that are ignitable, reactive, corrosive, and toxic.

Approach

The purpose of the HAZMAT program is to ensure the proper use, handling, storage practices, and procedures to be followed by people working with hazardous materials and to assist in protecting them from potential health and physical hazards presented by hazardous materials present in the workplace.

Application

The first step for any state entity should be to conduct an internal, comprehensive inventory of all hazardous chemicals and hazardous wastes at the entity (updated when the inventory changes and annually). If any hazardous substances are identified, employees should follow appropriate OSHA requirements.

Texas Department of Insurance (TDI) states, in the Objective of Emergency Response Planning for Hazardous Materials Safety Training Program, is \”Employers who use, store, or dispose of hazardous substances will demonstrate knowledge of OSHA\’s 29 CFR 1910.120 requirements for Emergency Response Program training, medical surveillance, personal protective equipment (PPE), and decontamination for response personnel.\”

Resources

OSHA Safety and Health Program Management Guidelines

Standard System for the Identification of the Hazards of Materials for Emergency Response

Emergency Response Planning for Hazardous Materials Safety Training Program

Hazardous Materials (TEEX)
6.5 – Personal Protective Equipment (PPE)

Context

Safety is a major concern for any state entity, and personal protection equipment (PPE) is a key part of workplace safety. PPE minimizes exposure to hazards that cause workplace injuries and illnesses. These injuries and illnesses may result from chemical, radiological, physical, electrical, mechanical, or other workplace hazards. Examples of PPE may include eye and face protection, hand protection, body protection, respiratory protection, hearing protection, and high-visibility clothing.

Approach

OSHA requires employers to check their workplaces for physical and health hazards that may require PPE use. If hazards cannot be controlled by engineering or administrative means, the employer must provide employees suitable PPE and train them in its use. Entity employees should be trained in the use, care, and storage of the PPE.

Occupational safety and health professionals use a \”hierarchy of controls\” framework to select ways of controlling workplace hazards.

The following chart from The National Institute for Occupational Safety and Health (NIOSH) outlines this hierarchy:

$\"\"$

Application

OSHA states, \”If PPE is to be used, a PPE program should be implemented.\” This PPE program should address the hazards present; the selection, maintenance, and use of PPE; the training of employees; and monitoring the program to ensure its ongoing effectiveness.

Resources

Texas Health and Safety Code, Title 6, Chapter 502, Hazardous Communications Act

Personal Protective Equipment (OSHA)

Personal Protective Equipment (TDI)

Free Safety and Health Publications (TDI)

Free Safety and Health Publications, Texas Department of Agriculture (TDA)

Hierarchy of Controls (NIOSH)

SECTION G – Entity Operations

7.1 – Human Resources

Context

An effective, comprehensive human resources program is one of the most challenging management functions. Several variables contribute to the overall success of a well-managed human resources program. These include the diversity of employees, changing societal values, and evolving federal and state legal requirements. By their very nature, these variables are difficult to control. An entity’s human resources management program must undergo a process of continual, regular review and revision to stay current with a dynamic blend of legislation, case law, and accepted employment practices.

Approach

Exposures to human resource liabilities may be identified through surveys, questionnaires, internal audits, interviews, and knowledge of an entity’s previous loss experience. An entity’s prior experience with employee complaints, grievances, and lawsuits are useful to identify the types of exposures unique to each state entity. An assessment of the frequency, severity, and types of exposures and losses should be conducted. The state entity’s legislative mandate, operational objectives, legal requirements, workforce factors, and prevalent societal concerns are factors involved in this assessment.

Application

When exposures have been identified and assessed, the appropriate loss control method can be utilized. Risk prevention and loss control within the human resources management function typically involves developing policies, procedures, and programs that specifically address those human resources loss exposures identified in the earlier assessment. Policies and procedures should be well-written, implemented consistently, distributed, communicated, applied equally to all affected employees, and reviewed and revised regularly.

Resources

EEOC Best Practices for Employers and HR/EEO Professionals

EEOC Publications

TWC \”The A to Z of Personnel Policies\”

SAO Employee Policy & Procedure Manual Recommendations
7.2 – Return-to-Work

Context

A proactive return-to-work program (RTW) contains effective tools associated with injuries or illness, which provide the opportunity for injured workers to return to the workplace as soon as it is medically appropriate. A RTW program also provides a mechanism for employers to encourage employees to return to work as soon as possible after an injury or illness.

The longer an employee is away from work, the higher the employer\’s workers\’ compensation expenses, and related business costs. Sometimes an injured employee needs extra help returning to work, especially if they have been away from work for a long time. Factors such as fear, depletion of financial resources, or a decline of self-image or self-esteem may present barriers to an employee returning to work. Employees who return to work in a modified or alternate duty capacity are likely to recover more quickly and with less impairment. In addition, these employees are also less likely to become treatment dependent.

Every state entity is required by the Texas Workers\’ Compensation Act (Labor Code, Title 5, Subtitle A, Section 412.051) to develop, implement, and maintain a program designed to assist employees who sustain compensable injuries to return to work.

Approach

RTW is a proactive and collaborative approach endorsed by many health care providers, designed to help restore injured workers to their former lifestyle safely and effectively.

Application

A return-to-work program should include appropriate, detailed procedures that identify specific responsibilities and actions taken by designated return-to-work coordinators, supervisors, and employees. TDI provides a guide for RTW, entitled \”Return to Work Works for You and Your Employees.\”

Resources

SORM Return to Work Resources

TDI Return to Work Resources

OSHA: Guidance on Returning to Work

Texas Labor Code Chapter 412
7.3 – Ethics

Context

\”Ethics\” clearly defines the moral duty, obligation, principles, and values for all state employees. The \”Rules of Conduct\” guidelines are also considered an important part of governing all employees\’ official duties in a lawful, professional, and ethical manner.

There are several benefits to establishing an ethics program. An ethics program can boost employee morale, create a positive image for the organization, and encourage ethical behavior by employees. It may also provide long-term financial benefits for the organization. Unethical conduct can adversely affect the entity, as well as the individual employee engaged in the conduct. Property theft, embezzlement, misuse of equipment, misuse of work time, and theft of services are just some of the consequences of unethical conduct within an entity.

Approach

Texas state entities must operate under ethical standards and federal/state laws. Texas Government Code Sec 572.001 (b), outlines the standards of conduct and requirements which must be observed: \”by persons owing a responsibility to the people and government of this state in the performance of their official duties.\”

Application

State entities should employ an ethics program that sets high ethical standards. An ethics program would typically include a policy statement, rules of conduct and provide ethics training to all employees. The ethics program should be developed in conjunction with the General Counsel or outside counsel if warranted.

Resources

Texas Ethics Commission Guide for State Officers and Employees

Ethics Laws and Regulations

Sample Ethics Policy (Texas Workforce Commission)

Sample Compliance and Ethics Guide (UT-Austin)
7.4 – Notary

Context

State employees charged with Notary duties in their course and scope of employment are eligible to become a Notary Public without purchasing a surety bond (77R HB 1203). A bond is not necessary for state employees because the State Office of Attorney General (OAG) will defend them against any claim/complaint of their notary duties within the course and scope of their employment. Notaries without a bond may not notarize documents outside the scope of their employment.

Approach

Notaries Public are governed by Chapter 406 of the Texas Government Code, Chapter 121 of the Texas Civil Practice & Remedies Code, and the Secretary of State\’s administrative rules found in Title 1, Chapter 87 of the Texas Administrative Code. Section 406.005 of the Government Code sets forth the requirements for a notary public application.

Notary commissions are effective as of the date of qualification by the applicant. The commission expires four years from the date of issuance and may be renewed by applying for renewal no earlier than 90 days before the date the commission expires. This form is required for both new and renewed applications by employees of state entities.

Application

As that term is defined in section 2052.101, Texas Government Code, notaries employed by state entities are not required to obtain surety bonds; however, they must obtain verification of employment from SORM before submitting their applications. These notaries must also purchase an official notary seal (stating that the notary is without bond) and a record book. If the notary ceases to be employed by a state entity during the term of their commission, they must either surrender the commission or obtain a bond for the remainder of the term.

The application process for new applicants and the renewal of notary commissions without bond is available on SORM\’s website. Notary publics seeking to renew commissions are required to wait to within 90 days of the expiration date of the current commission before submitting a renewal application.

Resources

SOS Notary without Bond Information

Notary Application

SORM Notary without Bond Forms

Notary Search
7.5 – Property Conservation
Context

Property belonging to the state is an asset. Therefore, all state assets must be accounted for and protected. A state official or employee may be liable to the state for any loss sustained due to negligence or wrongful act where property is lost, damaged, or destroyed.

A property conservation program is developed to identify, conserve, and protect an organization\’s physical assets. Property conservation is an essential element of management and supervisory responsibilities. It should be incorporated into entity planning, organizing, budgeting, coordinating, directing, and evaluating activities. Property conservation activities apply to all real property owned or leased by the state, all personal property (e.g., contents), boilers, and machinery contained or operated in state-occupied facilities.

Approach

Implementation of an effective property conservation program requires the cooperation of managers, supervisors, and employees. The benefits of such a program are reduced losses and insurance premium costs and a safer environment for employees and the public. Therefore, every state entity should develop and maintain a sound property conservation program.

Elements of a written property conservation program should provide agency risk management personnel with methods for incorporating essential property loss control techniques into their areas of responsibility. Key aspects of this program include:
- Annual review of property risk issues
- Engineering evaluation of critical items
- Evaluate property conservation management programs
- Identify potential life-safety improvements throughout the process
Application

The Texas Comptroller of Public Accounts is responsible for accounting for all personal property owned by state entities. The Property Manager and Risk Manager should refer to the State Property Accounting System (SPA) website for additional information and resources.

Resources

Texas Government Code Chapter 403.273

Texas Government Code Chapter 403.275

CPA State Property Accounting System

Texas Fleet Management System
7.6 – Records Management
Context

Records Management is a way of organizing records and ensuring a system is in place to keep those records according to the entity’s records retention policy. State law requires state entities to establish a records management program to ensure that records are created, maintained, and disposed of adequately and properly.

The State and Local Records Management Division (SLRM) of the Texas State Library and Archives Commission (TSLAC) operates under the Texas Government Code Chapter 441. This chapter requires all agencies to establish and maintain an active, continuing program for efficient records management. Each state entity head shall act as or appoint a records management officer for the state entity to administer the entity’s records management program under Texas Government Code §441.184.

Approach

A records management program is an important element of a comprehensive risk management program. An effective records management program will:
- enhance document identification and retrieval
- establish an approved retention period for state records in each entity
- provide documentation and proof of state entity and employee actions that may be useful in future litigation
- provide a management audit trail
- provide physical protection of vital records
- provide security for confidential records
The above functions of a records management program are all compatible with a comprehensive risk management program that protects an entity’s assets from damage, destruction, or loss.

Application

State entities may utilize the resources and information provided by the SLRM of TSLAC to build and maintain an effective records management program. The SLRM assists state and local officials with training, resources, guidelines, templates, and consultation to ensure that government information is stored, retained, and accessible.

Resources

SLRM – Texas State Library and Archives Commission

Texas Government Code Chapter 441

VERSION CONTROL

Title	Texas Enterprise Risk Management Guidelines (Former RMTSA)
Description	Risk Guidelines for Texas Agencies subject to Texas Labor Code, Chapter 412
Created By	Risk Advisory Council
Date Created	10/22/2021
Maintained By	Enterprise Risk Department of SORM
Version Number	Modified By	Modifications Made	Date Modified
1.	James Cox	Board Approval of Draft	7/27/21
2.	James Cox	Added Glossary and Acknowledge Page	10/22/21
3.	James Cox	Added Foreword	10/27/21
4.	James Cox	Updated \”broken links\”	1/3/22
5.	Shelby Hyman	Updated Opening Paragraph	2/28/22
6.	Heather Hernandez	Updated COOP Section with new \”Continuity Planning Policy Guidance Letter)	5/23/22
7.	James Cox	Removed accidental data from chapter footers & updated a chapter reference.	07/20/22

TERM Guidelines