Embedding Risk Management - PowerPoint PPT Presentation


PPT – Embedding Risk Management PowerPoint presentation | free to view - id: 11b003-MzBhN


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Embedding Risk Management


Public sector strategic risk management is externally driven and often comprises ... Reductionism can sometimes mask pan-organisational impact ... – PowerPoint PPT presentation

Number of Views:100
Avg rating:3.0/5.0
Slides: 39
Provided by: Wil984


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Embedding Risk Management

Embedding Risk Management
  • Brian Kennedy, Divisional Director
  • Willis Limited
  • September 2004

  • Why?
  • Objectives
  • Motivation
  • How?
  • Underpinning theory
  • Method
  • What?
  • Delivering value

  • What is the brief
  • CIPFA / Solace compliance?
  • add tangible value to the business?
  • Expectations
  • is the bar set too low?
  • how can expectations be raised?
  • is there an appetite for fundamental change?

  • Where are we now? An opinion
  • Public sector strategic risk management is
    externally driven and often comprises a process
    of observation, recording and reordering of
    information which already exists elsewhere
  • It may be of reduced value because it tells us
    little that operational practitioners didnt know
    already this degrades credibility and undermines
    efforts to make risk mgmt a self-sustaining
  • Where do we want to be?
  • We could create a platform to better understand
    critical aspects of the business, undertake fresh
    analysis of activity and re-engineer processes to
    avoid loss, create resilience and maximise
  • It could bridge the strategic / operational
    divide and integrate with existing aspects of
    business management to cement together other
    initiatives and fill gaps where identified

  • Consider
  • if public sector risk management is the
    answerwhat was the question?

Financial Efficiency
Risk Management
Corporate Governance
Reputation Protection
Service Effectiveness
Legal Compliance
  • External drivers
  • CIPFA / Solace (Turnbull)
  • Civil Contingencies Bill
  • Law including Health Safety
  • Standing Financial Orders
  • Audit Scotland
  • The Media
  • Internal drivers
  • ???

  • Case Study
  • The Scientific Method at Toyota (Spear Bowen)
  • Strategic problem maintain and improve
  • Existing strengths cultural uniformity and
    ownership of the problem the system grew
    naturally over five decades
  • Management issues people are the most
    significant corporate asset and, with the
    appropriate training, together they create a
    community of scientists
  • Solution work is highly specified
    relationships are direct to ensure ownership
    processes are simple and direct improvements
    made in accordance with scientific method at
    lowest level possible under guidance of teacher

  • Case Study
  • Ethics at Honda of America Manufacturing (Coffin)
  • Strategic problem learn from experience trying
    not to repeat a business ethics scandal elsewhere
    in the group
  • Existing strengths cultural egalitarianism the
    absence of physical and social barriers between
    staff and managers
  • Management issues pro-active solution
    instituted internally by senior management in
    response to a real problem not an
    externally-imposed response to a problem which
    local managers may not even perceive

  • Case Studies key points
  • initiatives flowed from a business problem rather
    than by regulatory diktat
  • the organisational culture was favourable
    objectives were uniformly held by employees at
    all levels
  • driven by a quest for quality which was shared at
    all levels in the organisation
  • solutions were embedded at local level

  • Conclusion
  • Those organisations which pro-actively seek
    opportunities to improve their processes and
    service offering seem to embed risk management
    effectively and naturally, although they probably
    dont call it risk management.
  • Those organisations which create a risk
    management function in order to react to
    external, principally regulatory, drivers seem to
    be less successful
  • Do you agree?

  • Value aim to deliver
  • opportunity
  • uniqueness
  • effectiveness
  • efficiency
  • How?

Which of the following methods do you rely on to
obtain risk management information?
  • Focus groups
  • One to one interviews
  • Questionnaires
  • Telephone interviews
  • Professional journals / media
  • Web search
  • Networking with peers
  • Personal experience

  • Analytical risk identification assessment
  • SWOT
  • Fault Trees
  • Decision-making risk evaluation control
  • Evidence base
  • Authority
  • Access

  • Sources of support
  • Committees
  • Topic experts
  • Peer networks
  • Consultants

  • Skills (hard) might include
  • Systems theory human error
  • Anticipation resilience
  • Risk politics - liability blame
  • Quantitative risk assessment
  • Risk perception communication
  • Organisational theory
  • Decision-making models
  • Quality models
  • Participation and consultation
  • Crisis management
  • Regulation and the law
  • IT awareness
  • Accounting

  • Skills (soft) might include
  • Facilitation
  • Analysis
  • Report writing
  • Negotiation
  • Project management

Methodological concerns
  • Systems theory
  • What is a system?
  • What is an adverse event?
  • Learning from Experience
  • Isomorphism (Toft Reynolds)
  • The politics of blame

Method - generic
  • Departmental risk profiling streaming
  • Objectives key performance indicators
  • Functional activity
  • Resources deployed - assets, skills,
    communication, providers, infrastructure,
  • Dependencies
  • Policies and procedures
  • Strengths opportunities
  • Threats vulnerabilities
  • Evidence base, risk analysis evaluation
  • Risk tolerability control recommendations

Method - generic
  • The organisational risk register should deliver
  • Communication and reporting functions
  • Accurate recording medium
  • Removal of repetitive tasks
  • Action planning function
  • Diary and reminder system
  • Authority-based levels of access
  • Ease of use
  • Adequate access to requisite number of users

Method - generic
  • But
  • have risk registers been altogether a good
    thing for effective risk management?
  • are the underlying risk mgmt processes shaped to
    achieve the risk register outcome?
  • is there such a thing as a self-sustaining risk
    register (yet)?

Method some additional thoughts
  • What Really Works (Nohria, Joyce, Roberson)
  • Companies which excelled, outperformed their
    peers on
  • strategy
  • execution
  • culture
  • structure
  • They also performed well in at least two of the
  • talent
  • innovation
  • leadership
  • partnership

Method some additional thoughts
  • What Really Works (Nohria, Joyce, Roberson)
  • Effective strategy is built on focused value
    propositions, rooted in certain knowledge of the
    customer and a realistic appraisal of own
  • Develop and maintain flawless operational
    execution disciplined attention to operations is
    what really counts
  • Promote a culture that champions high-level
    performance and ethical behaviour everyone works
    at the highest level
  • Simplify structures and processes, trim
    unnecessary bureaucracy

In which of the following does your
organisations risk management programme play a
key role?
  • Strengthen business cases?
  • Inform resource allocation?
  • Manage performance?
  • Redesign processes?
  • Inform the Board of Directors?
  • Satisfy external audit?
  • Develop service continuity?
  • Achieve none of the above?

Strengthen business cases
  • Strategic
  • should we do it?
  • Tactical
  • project management
  • Operational
  • how should we do it - method?
  • Cost benefit analysis
  • is risk restricted to financial considerations
  • Veracity
  • are business cases designed to justify the
    instinctively preferred outcome?

Inform resource allocation
  • Scarce resources and limited opportunity to
    create alternative strategies re service
  • spending wisely is imperative
  • tension is the norm
  • Measurement
  • places strain on risk descriptors costs arent
    always financial
  • require pre- and post-control estimates of
    probable impact
  • is weighting of descriptors required?

Manage performance
  • Relationship between Performance Risk
  • the objective is a response to risk or
  • and the risk or opportunity therefore justifies
    the objective
  • but how were objectives arrived at, if not
    through a systematic appraisal of risks and
  • conclusion is the decision-making process
    underpinning performance management separate from
    risk management?
  • Strong links to Governance accountability and
  • action plans and timescales
  • who has responsibility for monitoring?
  • sanctions or remedial action?
  • Does IT have a role
  • how many systems are there?

Manage performance
  • Setting non-financial performance targets (Ittner
  • Link measures to strategy
  • which measures to select from the smorgasbord of
  • Validate the measures
  • eg. does employee retention lead to client
  • Set the right targets
  • difficult in public sector it may be easy to
    reach 80, but costly to reach 90 - does the
    extra 10 deliver value?

Redesign processes
  • Systems
  • excellent organisations succeed at execution
  • are the outcomes of failure too politically-laden
    to enable local scrutiny of causes? (compare to
    Toyota model)
  • Require information a strong evidence base
  • Departmental / Divisional risk profiling must
    lead to joint analysis of processes
  • can you draw logical conclusions from the
  • is the information representative of reality
    would we come up with the same results if we
    repeated the exercise?
  • Implementation
  • knock-on effects
  • local ownership, authority and willingness to
    implement change

Inform the Board of Directors
  • Methods
  • risk register real-time information (if updated,
    if accurate)
  • reports quarterly? annual?
  • What are the current benefits?
  • assurance? (of what?)
  • Key issues
  • credibility?
  • duplication?

Satisfy external audit
  • Rigour of audit
  • ambition ticking boxes, or actually assessing
    the inherent value in processes?
  • Audit is prescriptive by nature
  • effective (risk) management may be harder to
  • just try documenting a risk management culture!
  • consider is audit a good motivation?
  • might audit sometimes encourage us to achieve
    quick wins rather than fundamental change?

Satisfy external audit
Have you assessed those risks that could damage
your reputation, affect your market position or
result in prosecution?
Do you regularly review control measures with
respect to their adequacy and effectiveness?
Do you report annually on your risk control
Have you identified potential business risks to
the organisation?
Have you established continuity management
arrangements in the event of a disaster?
Ensure service continuity
the business
Service continuity analysis disaggregation
Definition breaking the problem down into its
smallest manageable components
Benefits Logic of problem becomes clearer Reveals
dependencies Pitfalls Can become over-complex
and unnecessarily detailed Reductionism can
sometimes mask pan-organisational impact
Step 1 what is the acceptable downtime on key
functions of each dept? Step 2 function
vulnerability dependency threat to goals Step
3 compare acceptable downtime v. likely downtime
to fine tune threat Step 4 prioritise threats
according to impact, and plan risk control /
Service continuity analysis disaggregation
Summary current risk management processes
generally in use are similar to BCP with regard
to risk identification and evaluation. However,
the potentially additional components of BCM risk
analysis are explicit reference to functional
objectives, risk mapping and downtime tolerance,
only after which can impacts be estimated in
terms of usual descriptors.
Benefits Encourages a deeper level of analysis
what if and if, then scenarios Involves staff
operationally Downtime adds an extra dimension
to tolerance evaluation Pitfalls Can become
extremely complicated Time consuming for the
analyst Requires significant operational input,
clarification and advice
  • CIPFA / Solace is a means to an end
  • borrow from Toyota take the most direct path
    identify business problems requiring a solution
    and CIPFA / Solace will take care of itself
  • use a consistent analytical model and research
    process which can deliver multiple outputs
  • look outwith the risk management section of CIPFA
    / Solace for the best reasons to embed risk
  • require explicit management buy-in, enthusiasm
    and authorisation risk management terms of
    reference and strategy?

  • Brian Kennedy MSc BA(Hons) ACII
  • Divisional Director
  • Willis Limited
  • 160 West George Street, Glasgow G2 2HQ
  • kennedybm_at_willis.com
  • T 0141 306 1852

Embedding Risk Management
  • Brian Kennedy, Divisional Director
  • Willis Limited
  • September 2004
About PowerShow.com