Embedding Risk Management - PowerPoint PPT Presentation

1
Embedding Risk Management
  • Brian Kennedy, Divisional Director
  • Willis Limited
  • September 2004

2
Agenda
  • Why?
  • Objectives
  • Motivation
  • How?
  • Underpinning theory
  • Method
  • What?
  • Delivering value

3
Objectives
  • What is the brief?
  • CIPFA / Solace compliance?
  • add tangible value to the business?
  • Expectations
  • is the bar set too low?
  • how can expectations be raised?
  • is there an appetite for fundamental change?

4
Objectives
  • Where are we now? An opinion
  • Public sector strategic risk management is
    externally driven and often comprises a process
    of observation, recording and reordering of
    information which already exists elsewhere
  • It may be of reduced value because it tells us
    little that operational practitioners didn't know
    already; this degrades credibility and undermines
    efforts to make risk management a self-sustaining
    process
  • Where do we want to be?
  • We could create a platform to better understand
    critical aspects of the business, undertake fresh
    analysis of activity and re-engineer processes to
    avoid loss, create resilience and maximise
    opportunity
  • It could bridge the strategic / operational
    divide and integrate with existing aspects of
    business management to cement together other
    initiatives and fill gaps where identified

5
Objectives
  • Consider
  • if public sector risk management is the
    answer, what was the question?

6
Motivation
  • Financial Efficiency
  • Risk Management
  • Corporate Governance
  • Reputation Protection
  • Service Effectiveness
  • Legal Compliance

7
Motivation
  • External drivers
  • CIPFA / Solace (Turnbull)
  • Civil Contingencies Bill
  • Law, including Health & Safety
  • Standing Financial Orders
  • Audit Scotland
  • The Media
  • Internal drivers
  • ???

8
Objectives
  • Case Study
  • The Scientific Method at Toyota (Spear & Bowen)
  • Strategic problem: maintain and improve
    competitiveness
  • Existing strengths: cultural uniformity and
    ownership of the problem; the system grew
    naturally over five decades
  • Management issues: people are the most
    significant corporate asset and, with the
    appropriate training, together they create a
    community of scientists
  • Solution: work is highly specified; relationships
    are direct to ensure ownership; processes are
    simple and direct; improvements made in
    accordance with the scientific method at the
    lowest level possible under guidance of a teacher

9
Objectives
  • Case Study
  • Ethics at Honda of America Manufacturing (Coffin)
  • Strategic problem: learn from experience, trying
    not to repeat a business ethics scandal elsewhere
    in the group
  • Existing strengths: cultural egalitarianism, the
    absence of physical and social barriers between
    staff and managers
  • Management issues: pro-active solution
    instituted internally by senior management in
    response to a real problem, not an
    externally-imposed response to a problem which
    local managers may not even perceive

10
Objectives
  • Case Studies: key points
  • initiatives flowed from a business problem rather
    than from regulatory diktat
  • the organisational culture was favourable;
    objectives were uniformly held by employees at
    all levels
  • driven by a quest for quality which was shared at
    all levels in the organisation
  • solutions were embedded at local level

11
Motivation
  • Conclusion
  • Those organisations which pro-actively seek
    opportunities to improve their processes and
    service offering seem to embed risk management
    effectively and naturally, although they probably
    don't call it risk management.
  • Those organisations which create a risk
    management function in order to react to
    external, principally regulatory, drivers seem to
    be less successful
  • Do you agree?

12
Motivation
  • Value: aim to deliver
  • opportunity
  • uniqueness
  • effectiveness
  • efficiency
  • How?

13
Methods
Which of the following methods do you rely on to
obtain risk management information?
  • Focus groups
  • One to one interviews
  • Questionnaires
  • Telephone interviews
  • Professional journals / media
  • Web search
  • Networking with peers
  • Personal experience

14
Methods
  • Analytical: risk identification & assessment
  • SWOT
  • PESTEL
  • HAZOP
  • Fault Trees
  • Decision-making: risk evaluation & control
  • Evidence base
  • Authority
  • Access

15
Method
  • Sources of support
  • Committees
  • Topic experts
  • Peer networks
  • Consultants

16
Method
  • Skills (hard) might include
  • Systems theory & human error
  • Anticipation & resilience
  • Risk politics: liability & blame
  • Quantitative risk assessment
  • Risk perception & communication
  • Organisational theory
  • Decision-making models
  • Quality models
  • Participation and consultation
  • Crisis management
  • Regulation and the law
  • IT awareness
  • Accounting

17
Method
  • Skills (soft) might include
  • Facilitation
  • Analysis
  • Report writing
  • Negotiation
  • Project management

18
Methodological concerns
  • Systems theory
  • What is a system?
  • What is an adverse event?
  • Learning from Experience
  • Isomorphism (Toft & Reynolds)
  • The politics of blame

19
Method - generic
  • Departmental risk profiling & streaming
  • Objectives & key performance indicators
  • Functional activity
  • Resources deployed: assets, skills,
    communication, providers, infrastructure,
    utilities
  • Dependencies
  • Policies and procedures
  • Strengths & opportunities
  • Threats & vulnerabilities
  • Evidence base, risk analysis & evaluation
  • Risk tolerability & control recommendations

20
Method - generic
  • The organisational risk register should deliver
  • Communication and reporting functions
  • Accurate recording medium
  • Removal of repetitive tasks
  • Action planning function
  • Diary and reminder system
  • Authority-based levels of access
  • Ease of use
  • Adequate access to requisite number of users

21
Method - generic
  • But
  • have risk registers been altogether a good
    thing for effective risk management?
  • are the underlying risk mgmt processes shaped to
    achieve the risk register outcome?
  • is there such a thing as a self-sustaining risk
    register (yet)?

22
Method: some additional thoughts
  • What Really Works (Nohria, Joyce, Roberson)
  • Companies which excelled, outperformed their
    peers on
  • strategy
  • execution
  • culture
  • structure
  • They also performed well in at least two of the
    following
  • talent
  • innovation
  • leadership
  • partnership

23
Method: some additional thoughts
  • What Really Works (Nohria, Joyce, Roberson)
  • Effective strategy is built on focused value
    propositions, rooted in certain knowledge of the
    customer and a realistic appraisal of own
    capabilities
  • Develop and maintain flawless operational
    execution: disciplined attention to operations is
    what really counts
  • Promote a culture that champions high-level
    performance and ethical behaviour: everyone works
    at the highest level
  • Simplify structures and processes, trim
    unnecessary bureaucracy

24
Objectives
In which of the following does your
organisation's risk management programme play a
key role?
  • Strengthen business cases?
  • Inform resource allocation?
  • Manage performance?
  • Redesign processes?
  • Inform the Board of Directors?
  • Satisfy external audit?
  • Develop service continuity?
  • Achieve none of the above?

25
Strengthen business cases
  • Strategic
  • should we do it?
  • Tactical
  • project management
  • Operational
  • how should we do it - method?
  • Cost benefit analysis
  • is risk restricted to financial considerations
    only?
  • Veracity
  • are business cases designed to justify the
    instinctively preferred outcome?

26
Inform resource allocation
  • Scarce resources and limited opportunity to
    create alternative strategies re service
    provision
  • spending wisely is imperative
  • tension is the norm
  • Measurement
  • places strain on risk descriptors: costs aren't
    always financial
  • require pre- and post-control estimates of
    probable impact
  • is weighting of descriptors required?

27
Manage performance
  • Relationship between Performance & Risk
  • the objective is a response to risk or
    opportunity
  • and the risk or opportunity therefore justifies
    the objective
  • but how were objectives arrived at, if not
    through a systematic appraisal of risks and
    opportunities?
  • conclusion: is the decision-making process
    underpinning performance management separate from
    risk management?
  • Strong links to Governance: accountability and
    responsibility
  • action plans and timescales
  • who has responsibility for monitoring?
  • sanctions or remedial action?
  • Does IT have a role?
  • how many systems are there?

28
Manage performance
  • Setting non-financial performance targets (Ittner
    & Larcker)
  • Link measures to strategy
  • which measures to select from the smorgasbord of
    options?
  • Validate the measures
  • e.g. does employee retention lead to client
    satisfaction?
  • Set the right targets
  • difficult in public sector: it may be easy to
    reach 80%, but costly to reach 90% - does the
    extra 10% deliver value?

29
Redesign processes
  • Systems
  • excellent organisations succeed at execution
  • are the outcomes of failure too politically-laden
    to enable local scrutiny of causes? (compare to
    Toyota model)
  • Require information: a strong evidence base
  • Departmental / Divisional risk profiling must
    lead to joint analysis of processes
  • can you draw logical conclusions from the
    information?
  • is the information representative of reality?
    would we come up with the same results if we
    repeated the exercise?
  • Implementation
  • knock-on effects
  • local ownership, authority and willingness to
    implement change

30
Inform the Board of Directors
  • Methods
  • risk register real-time information (if updated,
    if accurate)
  • reports quarterly? annual?
  • What are the current benefits?
  • assurance? (of what?)
  • Key issues
  • credibility?
  • duplication?

31
Satisfy external audit
  • Rigour of audit
  • ambition: ticking boxes, or actually assessing
    the inherent value in processes?
  • Audit is prescriptive by nature
  • effective (risk) management may be harder to
    evidence
  • just try documenting a risk management culture!
  • consider: is audit a good motivation?
  • might audit sometimes encourage us to achieve
    quick wins rather than fundamental change?

32
Satisfy external audit
  • Have you assessed those risks that could damage
    your reputation, affect your market position or
    result in prosecution?
  • Do you regularly review control measures with
    respect to their adequacy and effectiveness?
  • Do you report annually on your risk control
    measures?
  • Have you identified potential business risks to
    the organisation?
  • Have you established continuity management
    arrangements in the event of a disaster?

33
Ensure service continuity
  • (diagram: the business)

34
Service continuity analysis: disaggregation
  • Definition: breaking the problem down into its
    smallest manageable components
  • Benefits
  • logic of the problem becomes clearer
  • reveals dependencies
  • Pitfalls
  • can become over-complex and unnecessarily
    detailed
  • reductionism can sometimes mask
    pan-organisational impact
  • Step 1: what is the acceptable downtime on key
    functions of each dept?
  • Step 2: function → vulnerability → dependency →
    threat to goals
  • Step 3: compare acceptable downtime v. likely
    downtime to fine-tune threat
  • Step 4: prioritise threats according to impact,
    and plan risk control / resilience

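
The four steps above as runnable logic, an example added here rather than material from the presentation: each key function carries an acceptable downtime (step 1) and the functions or resources it depends on (step 2); its likely downtime under a threat is propagated along those dependencies and compared with the tolerance (step 3); threats are then ranked by the summed organisational impact of every function pushed past its tolerance, not by the longest single outage (step 4), which is where the reductionism pitfall bites. All function names, threats, hours and the 1..5 impact weights are constructed sample data.

```python
"""Dependency-aware downtime comparison for the four-step disaggregation above.

Added example, not taken from the presentation. The functions, threats,
downtime figures and dependency links are constructed sample data, and the
impact weights (1 minor .. 5 critical) are an assumed scale.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    dept: str
    acceptable_downtime_h: float  # Step 1: tolerable outage for this key function
    impact: int                   # assumed 1..5 weight of the function against the organisation's goals
    depends_on: tuple = ()        # Step 2: other functions/resources this one cannot run without


# Step 2 continued: hours each node is itself unavailable under each threat
# (absent = unaffected). Constructed sample data.
OUTAGE = {
    "flood_at_main_site": {"data_centre": 72, "payroll": 24, "benefits": 24},
    "telecoms_failure": {"wan": 12},
    "supplier_insolvency": {"catering_supplier": 168},
}

NODES = {
    "data_centre": Function("data_centre", "IT", 24, 5),
    "wan": Function("wan", "IT", 4, 4, ("data_centre",)),
    "payroll": Function("payroll", "Finance", 48, 4, ("data_centre",)),
    "benefits": Function("benefits", "Revenues", 24, 5, ("data_centre", "wan")),
    "social_care_records": Function("social_care_records", "Social Work", 8, 5, ("wan",)),
    "catering_supplier": Function("catering_supplier", "Education", 72, 2),
    "school_meals": Function("school_meals", "Education", 48, 3, ("catering_supplier",)),
}


def likely_downtime(node: str, threat: str, _seen: frozenset = frozenset()) -> float:
    """Step 3 input: a function is down for as long as it, or anything it
    depends on (transitively), is down. A circular dependency in the register
    is treated as contributing nothing rather than recursing forever."""
    if node in _seen:
        return 0.0
    own = OUTAGE.get(threat, {}).get(node, 0.0)
    via_deps = [likely_downtime(d, threat, _seen | {node}) for d in NODES[node].depends_on]
    return max([own, *via_deps])


def breaches(threat: str) -> list:
    """Step 3: functions whose likely downtime exceeds their acceptable downtime.
    Returns (function, department, excess hours, impact weight) tuples."""
    found = []
    for name, f in NODES.items():
        likely = likely_downtime(name, threat)
        if likely > f.acceptable_downtime_h:
            found.append((name, f.dept, likely - f.acceptable_downtime_h, f.impact))
    return found


def worst_case_downtime(threat: str) -> float:
    """Longest likely outage of any single function under the threat: the figure
    a department-by-department view would tend to rank on."""
    return max(likely_downtime(name, threat) for name in NODES)


def prioritise(threats) -> list:
    """Step 4: rank threats by pan-organisational impact, the sum of the impact
    weights of every function pushed past its tolerance. A shared dependency
    (data centre, WAN) failing and cascading across departments then outranks
    a longer outage confined to one department, which a per-department ranking
    on raw downtime would miss. Returns (threat, score, affected departments),
    highest score first."""
    scored = []
    for threat in threats:
        hit = breaches(threat)
        score = sum(impact for _, _, _, impact in hit)
        depts = sorted({dept for _, dept, _, _ in hit})
        scored.append((threat, score, depts))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for threat, score, depts in prioritise(OUTAGE):
        print(f"{threat:22s} score={score:2d} worst_case={worst_case_downtime(threat):5.0f}h "
              f"depts={', '.join(depts)}")
        for name, dept, excess, impact in breaches(threat):
            print(f"    {name:22s} ({dept}) exceeds tolerance by {excess:.0f}h, impact {impact}")
```

In the sample data the supplier insolvency produces the longest raw outage (168 hours) yet ranks last, because it stays inside one department; the flood takes the shared data centre down and, through the WAN, pushes five functions in four departments past their tolerance. That is the pan-organisational impact that per-department disaggregation on its own would not reveal.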
35
Service continuity analysis: disaggregation
  • Summary: current risk management processes
    generally in use are similar to BCP with regard
    to risk identification and evaluation. However,
    the potentially additional components of BCM risk
    analysis are explicit reference to functional
    objectives, risk mapping and downtime tolerance,
    only after which can impacts be estimated in
    terms of the usual descriptors.
  • Benefits
  • encourages a deeper level of analysis: "what if"
    and "if, then" scenarios
  • involves staff operationally
  • downtime adds an extra dimension to tolerance
    evaluation
  • Pitfalls
  • can become extremely complicated
  • time-consuming for the analyst
  • requires significant operational input,
    clarification and advice

36
Conclusions
  • CIPFA / Solace is a means to an end
  • borrow from Toyota: take the most direct path;
    identify business problems requiring a solution
    and CIPFA / Solace will take care of itself
  • use a consistent analytical model and research
    process which can deliver multiple outputs
  • look outwith the risk management section of CIPFA
    / Solace for the best reasons to embed risk
    management
  • require explicit management buy-in, enthusiasm
    and authorisation: risk management terms of
    reference and strategy?

37
Contact
  • Brian Kennedy MSc BA(Hons) ACII
  • Divisional Director
  • Willis Limited
  • 160 West George Street, Glasgow G2 2HQ
  • kennedybm_at_willis.com
  • T 0141 306 1852
