Survey: Enterprise Risk Management in the lottery sector
Taking risks can give organizations a competitive edge and create new business opportunities. But the right risks must be taken and they must be constantly managed and re-assessed. A recent survey of WLA members provided insights into the overall state of play in risk management in the lottery and sports betting sector, and pointed to some specific priorities for lottery leaders.
Conducted over the summer of 2020, the survey was organized by the WLA Security and Risk Management Committee (SRMC) to offer a broad view of risk perception and crisis preparedness in the lottery sector and assess how the COVID-19 crisis has affected the priorities of lottery leaders and risk managers.
The survey questionnaire went out to a representative sample of around 80 WLA lottery members and achieved a response rate of about 50%. The regional breakdown of respondents was consistent with the wider WLA membership. From an organizational standpoint, 72% of respondents indicated that their companies had a dedicated Enterprise Risk Management team, ranging from one to seven persons, depending on the size of the organization. In 75% of cases, the ERM team reports directly to the CEO, finance director or Management Committee.
The survey focused on the 20 risks that the SRMC considered the most likely to have been impacted by the COVID-19 pandemic and its devastating effects. Respondents were asked to assess the severity of impact for each of the 20 risks – in terms of financial, reputational and regulatory consequences – on a scale of 1 to 5. The same five step scale was used to determine the probability of occurrence for each of the 20 risks over the next three years.
What is Enterprise Risk Management?
Disruptive innovation, cyberattacks, and player protection are just a few examples of the risks faced by lottery organizations. Leaders need a strategic perspective to manage risk proactively and increase the likelihood that their operations can continue to achieve their core objectives, come what may. Enterprise Risk Management (ERM) provides that strategic perspective, allowing organizations to gain a clearer picture of their overall risk level and to assess the effectiveness of the processes in place to manage different types of risks.
“We encountered troubles in managing call center and customer care services.” (Survey respondent)
Inherent risk and residual risk
The survey sought to determine both inherent risk, which is the perceived potential impact and probability of undesirable events before any controls have been put in place; and residual risk, which is the level of risk that remains after controls have been implemented. As such it provides insights into not only the type of risks that lotteries face, but also the level of confidence they have in the measures in place to reduce those risks.
The averages of the impact and probability scores were blended to assess the magnitude of each inherent risk, yielding an overview of WLA member inherent-risk perception. A standard deviation in a number of the risks reveals a certain dispersion of answers, consistent with three features of the respondents: (a) different geographical footprint; (b) business diversity; and (c) ownership (state or privately owned, or a blend of the two).
Survey results indicated that cybersecurity remains a high priority for lottery members, and that vulnerability to cyberattacks is seen as one of the highest areas of risk in terms of both probability and impact. Other data security risks, such as those related to logical access and the Information Security Management System, also ranked high in probability, and just below cybersecurity in terms of impact.
According to the survey results, operational compliance and fraud are considered high on the list of priorities for risk mangers based on their impact on the organization's operations.
The timing of the survey during a major pandemic might have influenced member perceptions of the probability and impact of catastrophic events, health and safety risks, and dependence on suppliers.
Financial risks – liquidity, bad debt, and indebtedness – were perceived as relatively low in terms of probability and impact, likely because more than half of the respondents work for state-owned companies.
“IT infrastructure capacity was challenged by the emergency, and it took some time to react.” (Survey respondent)
A majority of respondents considered that their organizations had particularly effective controls in place to mitigate financial risks, data security risks and risks related to compliance with gaming licenses and contractual obligations. In contrast, respondents felt less protected by the controls in place to manage country risk, catastrophic events, and human error.
This seems to be in line with the typical human and capital resource allocation priorities for a lottery organization. In the survey, however, residual risk levels were primarily clustered around "low" or "irrelevant", which indicates an optimistic view of the controls in place and makes a good case for stepping up compliance activity in order to continually confirm the effectiveness of established controls.
“The crisis management group was too big.” (Survey respondent)
Shifts in risk perception
Around 80% of the respondents described the risk environment within their organizations as "mature" or "maturing". But has the COVID-19 pandemic caused a shift in risk perception among WLA member lotteries? One survey question asked respondents to compare their company's risk perception today with that of 2019. And although cybersecurity remained at the top of the list of priorities, and health and safety is seen as more relevant than in 2019, lottery organizations appear to have also sharpened their focus on other areas of risk management, including dependence on suppliers, catastrophic events, and change management.
Risk management and business continuity
The survey confirmed that Enterprise Risk Management is well established in the business culture of participating members. A full 95% of the respondents indicated that they maintain a business continuity plan and test their control environment at least once a year. And 49% of respondents said that risk was formally discussed by senior management on a monthly or quarterly basis.
On the downside, less than 33% of respondents indicated that their business continuity plans had proven effective in the face of the COVID-19 pandemic. Around 54% of the respondents claimed their organization's business continuity plan proved somewhat effective, while 10% said it had proven to be very ineffective in mitigating the impact of the crisis.
Action taken in key areas of risk YES NO Health & safety risk mitigation 98% 2% Supply chain / logistics risk mitigations 68% 32% IT / cyber risk mitigations 73% 27% Financial risk mitigations 61% 39% Internal & external communication 85% 15%
Risk appetite and tolerance
Risk appetite is a written enterprise-level statement that can inform individual business decisions regarding how much risk the organization is prepared to assume. It sets a target level of loss exposure that the organization views as acceptable, given its business objectives and resources. Risk tolerance is the degree of variance from the organization’s risk appetite that the organization is willing to tolerate.
About 78% of the survey respondents indicated that their organizations have an explicit posture on risk appetite and risk tolerance.
“The business continuity plan includes back-up sites for employees, but these physical alternatives were not viable during the pandemic.” (Survey respondent)
Government measures to control the pandemic forced many organizations into an almost complete shutdown. As in many other industries, working from home has become the norm for large numbers of lottery employees in order to keep their organizations up and running. According to the survey, lotteries quickly realized that the physical presence of staff on site could be limited to a few key people – in the datacenter or the prize office, for example – without significantly impacting their ability to run the business efficiently. Looking ahead, WLA member lotteries will likely be reshaping their operations to better accommodate remote working, for example by drawing up emergency laptop-provisioning plans and deploying secure VPN connections for home workers.
Beyond these provisions for homeworking, survey respondents pointed to a number of strategic and organizational changes that have been introduced or scheduled since the pandemic began and that could help lotteries deal with future crises. Examples include:
- Adapt business continuity plans in a dynamic way
- Re-assess risks across all business units following the pandemic
- Monitor financial risks more closely
- Introduce new measures to manage logistics in a lockdown situation
- Support the digitalization of previously manual processes
- Encourage digital-driven product innovation
- Introduce a back-up site for draws
- Explore the feasibility of electronic draws to replace physical draws
- Divide critical teams in two sub-groups to avoid contagion and create a back-up capacity
- Pre-approve a budget for expired winning tickets
- Adjust compensation and benefits plans
- Support change management by improving employee communications and expanding online training
Risk management is about thinking ahead, drawing up different scenarios, evaluating potential impacts, and being aware of the risks an organization faces. The SRMC survey in itself has helped to raise awareness among WLA members of the benefits of an Enterprise Risk Management strategy, and its findings provide valuable input for members' efforts to anticipate risks and minimize their impact.
In view of the substantial consequences of the current crisis for the lottery and sports betting industry, the SRMC hopes the survey will help WLA members to embrace Enterprise Risk Management, incorporate this approach more fully into their strategic planning, and better prepare for possible further COVID-related restrictions.
We wish to thank Lottomatica, FDJ, Camelot UK, and the WLA SRMC for making this survey possible.
The complete survey report is available for downloading from the WLA website at: