Specifications include, but are not limited to: 1. Conduct a comprehensive “stem to stern” evaluation of the State’s risk management and insurance landscape. The State-wide evaluation shall include stakeholder interviews and surveys, articulation of drivers, triggers, consequences, and clearly define risk ratings’ impact and likelihood. Of specific note, an enterprise cyber risk assessment has already been completed for the RI Division of Information Technology and will be made available to the vendor for review and use in this assessment. 2. Identify acceptable risk appetite and tolerance levels for the State. 3. Conduct an Existing Conditions Evaluation: A. Evaluate State’s existing risk placement program, processes, and practices to determine the need for commercial insurance. B. Evaluate the current insurance and reinsurance landscape to determine if these programs are meeting the State’s needs. C. Evaluate the State’s existing risk management programs to determine if they are performing according to industry standards. D. Provide a comprehensive report identifying findings in scorecard format. E. Provide feedback on the current operational alignment of the risk and insurance program within the State government. F. Provide recommendations if changes in the alignment would improve efficiency and transparency. G. Provide recommendations for future consideration based on findings broken down by: Immediate implementation due to operational and/or life-safety concerns 1-year implementation 3-year implementation 5-year implementation Final implementation of the program 4. Provide advice and recommendations for a risk/insurance framework/system and the associated processes and procedures. 5. Recommendations must be accompanied by supporting case studies and/or objective examples. 6. Consultant should work to align risk management approaches across branches of government, Agencies, departments and functions: including developing a consistent framework that would include reporting templates, reviewing, and assessing the effectiveness of current policies and processes, and recommending updates (or new) policies and processes to assist with evaluating and managing risks; recommending materiality thresholds1 ; and developing meaningful and actionable metrics for measuring success. This would include a scoring methodology that can assist with assessing the impact and likelihood of identified risks and includes consideration of existing mitigating controls that offset the risks. 7. Develop a tracking list and risk pyramid to consolidate and prioritize the key organizational risks based on the risk assessments, typical industry risks, and strategic plan risks2 .
