Risk Management Systems in Major UK Public - PowerPoint PPT Presentation

Risk Management Systems in Major UK Public & Private Sector Organisations: A tale of contrasting cultures. Professor Margaret Woods, Aston Business School.

Transcript and Presenter's Notes

1
Risk Management Systems in Major UK Public &
Private Sector Organisations: A tale of
contrasting cultures
  • Professor Margaret Woods
  • Aston Business School

2
Case Study Comparisons of Risk Management
Systems in Major Public & Private Sector Entities
  • Structure of Presentation
  • Background to the paper
  • Cases & methodology
  • Key findings: similarities & differences
  • Contingency explanation of variations
  • Conclusion

3
Background
  • CIMA funded project
  • Public & private sector cases
  • Interview based
  • Pre credit-crunch

4
Cases
  • Tesco
  • RBS
  • Department of Culture, Media & Sport
  • Birmingham City Council

5
Methodology
  • Interviews: senior rm & internal audit staff plus
    operational managers & users of the system.
  • Public sector: both staff and politicians
    interviewed, e.g. Chief Executive & Secretary of
    State
  • Observation
  • Internal documents
  • Information systems

6
Contribution to the Literature
  • Need for studies looking at use of MCS at
    different levels of the organisation
    (Langfield-Smith, 1997)
  • Call for research which distinguishes between the
    existence and use of MCS (Langfield-Smith, 1997)
  • Risk management dimension barely covered in
    existing organisational literature

7
Definitions (1)
  • Management Control: the process by which managers
    ensure that resources are obtained and used
    effectively and efficiently in the accomplishment
    of the organisation's objectives. (Anthony, 1965)
  • Risks: uncertain future events which could
    influence the achievement of the organisation's
    strategic, operational and financial objectives.
    (IFAC, 1999)
  • Risk Management: process of understanding and
    managing the risks that the entity is inevitably
    subject to in attempting to achieve its corporate
    objectives. (CIMA, 2005)

8
Definitions (2)
  • Public versus private organisations
  • Three criteria used to distinguish them:
  • Ownership
  • Source of financial resources
  • Model of social control (market v polyarchy)
  • (Perry & Rainey, Academy of Management Review,
    1988)
  • Result: two public & two private (at time of
    study)

9
Views from the Literature
  • Fone & Young (2000) & McPhee (2005)
  • Anecdotal evidence that public sector risk
    management is distinctive & different
  • Power (2004)
  • Risk management of everything alignment of risk
    management with good governance
  • Collier et al (2006)
  • Basic risk management structures are common
    across all large organisations (private sector
    only)
  • Miller et al (2008)
  • Risk management standardised practices now
    central to both public & private sector
    organisations
  • Power (2009)
  • Need to shift from rule based compliance to use
    of critical imagination in risk management
  • Mikes (2009)
  • Calculative cultures typologies of ERM
    interpretation

10
Key Findings
  • Each case is different
  • but
  • Strong similarities e.g. between public & private
    sector
  • and
  • Wide variations e.g. public sector more advanced
    in thinking re partnership risk and linking risk
    management to performance management
  • Two questions
  • WHAT ARE THE SIMILARITIES/DIFFERENCES?
  • WHY DO THEY EXIST?

11
Summary of Similarities & Differences
  • Similarities
  • Perceived role of risk management
  • Timing of the formalisation of systems
  • Overall methodologies or models
  • Risk management tools
  • ICT support
  • Control via self assessment
  • Differences
  • Application of the models and tools
  • Overall structure for risk management
  • Dependence upon quantitative tools for evaluation
    & measurement
  • Link from strategic objectives to operational
    performance: risk management as a bureaucratic
    structure versus an embedded process/mindset

12
Similarities (1): Perceived Role of Risk
Management
  • Tesco
  • One of the reasons we are a successful company
    is because of risk management.
  • RBS
  • At the end of the day, risk management is
    nothing other than good husbandry on how you
    drive your business forward.
  • Birmingham City Council
  • Risk management is very much looking at
    achieving your objectives and what's going to
    stop you.
  • DCMS
  • Risk management is concerned with the culture,
    processes and structures directed towards the
    effective management of potential opportunities
    and threats to the Department achieving its
    objectives.

13
Similarities (2)
  • Timing of the formalisation of risk management
    systems
  • Pressure from financial scandals in 1980s
  • COSO (1992)
  • Cadbury Code (1992)
  • Private sector initiatives mirrored in public
    sector
  • Cadbury triggered Treasury Note (1994) & Green
    Book (1997)
  • Turnbull (1999) followed by NAO Report (2000)
  • work is underway on the appropriate method
    of adapting the principles of the Turnbull Report
    to the central government sector. (NAO, 2000:
    39).
  • Transfer from central to local government
  • CIPFA/SOLACE governance framework (2001)

14
Similarities (3): Generic Risk Management
Methodologies
  • Identify
  • Source
  • Measure
  • Mitigate
  • Monitor
  • (Economist Intelligence Unit, 1995)

15
(No Transcript)

16
The ERM Framework
  • ERM considers activities at all levels of the
    organization
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes

17
Similarities (4): System Tools
  • Assessment & Evaluation
  • Likelihood & consequences matrices
  • Traffic lights
  • Response
  • Risk registers
  • Ownership
  • Escalation of responsibilities

18
Ranking by Likelihood and Consequence
  • Matrix with axes LIKELIHOOD and IMPACT, each
    scaled Low / Medium / Significant / High
  • Numbered risks plotted on the matrix: High row:
    3; Medium row: 6, 14; Low row: 2, 5

19
RAG Assessment (DCMS)
  • Red: The control(s) are not in place or will not
    reduce the risk to an acceptable level.
  • Amber: The control(s) is insufficient to reduce
    risk to the tolerable level, or is not yet in
    place but is expected
  • Green: The control(s) is in place and working
    effectively to reduce the risk to a tolerable
    level.

20
Similarities (5): ICT Support
  • RBS: dedicated rm software for quantitative
    analysis
  • Birmingham City Council: Magique
  • Tesco: ERP systems, customer-facing data
    collection
  • DCMS: sharing of partnership risks

21
Similarities (6): Self Assessment
  • Private Sector
  • Combined Code, Section C2, p.14
  • The board should, at least annually, conduct a
    review of the effectiveness of the group's system
    of internal controls and should report to
    shareholders that they have done so. The review
    should cover all material controls, including
    financial, operational and compliance controls
    and risk management system.
  • Public Sector
  • Statement of Internal Control standard format
    (DAO, 2003)
  • For the year ended 31 March 2009, that opinion
    concluded that there were no significant control
    issues arising that require disclosure in this
    Statement.
  • NOTE: MAJOR DIFFERENCE IN DETAIL!!!!

22
Differences (1): Overall Structure for Risk
Management
  • Separate function determined by regulation
  • Tesco: having a risk management function
    probably gets in the way of actually managing the
    risks because people are thinking about the risks
    as opposed to thinking about the customer.
  • RBS: Function essential under banking regulations
    and supervisory process (ARROW)
  • DCMS: Head of Risk at Departmental level
  • Birmingham: Sits within internal audit
  • Job titles: professional risk officer

23
Differences (2): Dependence upon quantitative
tools
  • RBS: Extensive use for market, credit, liquidity
    monitoring. Essential as part of the Basel
    capital requirement regulations
  • Tesco: Hourly monitoring of sales statistics,
    daily pricing of standard basket, steering wheel
    targets e.g. financials, staff turnover
  • DCMS: Limited and primarily financial in nature
  • Birmingham: Performance monitoring for CPA
    targets e.g. Trading standards visits

24
Differences (3): Link from strategic objectives
to operational performance
  • Integrated
  • Tesco
  • people do it without actually knowing they are
    doing it, it's part of their accountabilities.
    They are held to account. We monitor things on
    such a micro level.
  • Birmingham
  • Forms part of the CPA evaluation, and risk
    forms part of individual performance review at
    operational levels.
  • Divorced
  • RBS
  • Risk management defined by compliance with
    regulatory targets. Bonus culture separates
    remuneration from risk exposure.

25
Problem
  • DiMaggio & Powell (1983) suggest coercive,
    mimetic & normative pressures may encourage
    similarity in search for legitimacy,
    but... institutional theory also suggests a need
    for strategic fit, i.e. scope for variation
  • Does answer lie in distinguishing between
    existence and use of rm controls?

26
Contingency Explanation for different levels of
use
  • Complexity of business model
  • Level and nature of regulatory controls and
    accountability
  • Organisational culture & informal controls over
    risk
  • Criteria used to evaluate risk management:
    compliance v performance

27
Complexity of Business Model
  • RBS: complex interdependent businesses. Go for
    silo approach.
  • Tesco: very simple value chain. What drives
    value?
  • Birmingham: complex, multiple interdependencies
    & partnerships. Learning via CPA.
  • DCMS: Multiple partnership risks. Still
    learning.

28
Level & Nature of Regulatory Controls &
Accountability
  • Regulations
  • RBS: subject to intense regulatory oversight -
    drives tools of control
  • Tesco: greater discretion under Combined Code.
  • Birmingham & DCMS: limited strategic choice,
    have to manage risks; accountability tight via
    SIC (and CPA for Birmingham)

29
Organisational Culture & Informal Controls
  • Ouchi (1979) clan controls
  • Is performance against objectives high on the
    agenda and pervasive? e.g. Tesco slogans shelf
    stacker
  • Is performance measured purely in financial terms
    shareholder value?
  • Risk champions
  • Isolated risk function: RBS 5th Floor

30
Criteria Used to Evaluate Risk Management
  • Two different mindsets
  • are we within prescribed risk boundaries laid
    down either externally or internally?
  • OR
  • are we achieving the results we promised?

31
Conclusion
  • Simons (1991)
  • Control systems may be diagnostic or
    interactive.
  • Cases suggest that diagnostic use equates to a
    compliance mindset
  • Interactive use fits with a performance oriented
    mindset.
  • Orientation depends upon a range of factors both
    internal and external to the organisation
  • Only in latter does rm guide organisational
    learning via the application of critical
    imagination.