Getting the risk basics right, 30th November 2016
Trusted to deliver excellence
© 2016 Rolls-Royce plc
The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other
than that for which it is supplied without the express written consent of Rolls-Royce plc.
This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning
such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or
associated companies.
Peter Ralph
APM – 24th Nov 2016
What is a Risk
The OED defines risk as:
• A situation involving exposure to danger
• The possibility that something unpleasant or unwelcome will happen
• A person or thing regarded as a threat or likely source of danger
• A possibility of harm or damage against which something is insured
• A person or thing regarded as likely to turn out well or badly in a particular context or respect
• The possibility of financial loss
What is a Risk
ISO 31000 defines a risk as:
The “effect of uncertainty on objectives” and an effect is a positive or negative
deviation from what is expected
Uncertainty | Negative Effect | Positive Effect
possibility | exposure to danger |
 | unpleasant or unwelcome |
 | threat or likely source of danger |
possibility | harm or damage |
as likely | badly | well
possibility | loss |
What is Risk Management
“Risk management involves understanding, analysing and
addressing risk to make sure organisations achieve their
objectives.”
“Enterprise risk management (ERM) is an integrated and joined up
approach to managing risk across an organisation and its extended
networks.”
• Risk Management is:
• NOT risk avoidance
• About Taking RATIONAL risks
• Applicable to OPPORTUNITIES & THREATS
A Perspective on Risk Management
Brexit, Mark Carney & Risk Management
“Discharging the Bank’s responsibilities for these public goods demands
rigorous analysis, objective judgement, and effective transparency.
We will not shirk from these obligations.”
“The Bank and its independent policy committees will continue to
provide analytically based, clear-eyed assessments of the
economic and financial outlooks. And we will outline the risks to
these forecasts so that we and others can prepare to manage them”
Mark Carney, Governor of the Bank of England, 24th June 2016
Do We Need Risk Management?
• 1971: Rolls-Royce Declared Bankrupt
• 2010: Rolls-Royce Qantas A380 Engine Explosion
• 2013: Formal Bribery Investigation at Rolls-Royce
News Sources: http://www.telegraph.co.uk/ and http://www.bbc.com/news/business-23076586/
How Does it Benefit a Business
• Improved Decision Making
• Improved Performance
“Companies in the top 20 percent of risk maturity generated 3 times more
earnings (EBITDA) as those in the bottom 20 percent.” (Ernst and Young
2011 Global Report)
• Improved Understanding and Control
• Reduced Errors (Hard to quantify)
How Does it Deliver a Project Benefit
• Better control of the project
• Managed spend
• Managed timelines
• A plan to deal with the ‘unexpected’ when it happens
• Increased success rates
• Better linkage to other activities in the business
Rolls-Royce ERM Framework
• Process: Plan, Identify, Assess, Treat, Review, Close
• Hierarchy: Principal risks, Key risks, Business/Function risks, Sub-Business / Major Projects
• Governance & Committees: 1) Board 2) Board committees 3) ELT risk committee 4) Business / Functions 5) Sub-Business / Major Projects
• Other elements shown in the framework diagram: Risk management culture; Risk organisation and training; Tools; Supporting technology; Risk appetite; Templates and guides; Effectiveness measures & KRIs; Group risk register; Risk policy; Group RMP; Assurance; Incident reporting; Deep dives
If we Fail to Plan then we Plan to Fail! Plan early and upfront, review regularly to remain fit for purpose
Success Factors:
• Tone from the Top
• Governance and Infrastructure (e.g. Group Risk Policy,
Stated Appetite, Consistent Approach to Measuring Impact, etc.)
• Integrated Risk Management Planning
• Organisational Risk Culture - “Risk Management is something that we do here.”
Tone from the Top: Risk Structure
Principal Risks (Owned by ELT Member): Talent & Capability, Product Failure, Compliance, IT Vulnerability, Market & Financial Shock, Political Risk, Major Programme Delivery, Business Continuity, Competitive Position
Key Risks (ELT -1): These material risks arise in the business or functions, stemming directly from the realisation of a principal risk, and are made up of specific risks. (Circa 40-50 risks)
Specific Risks: These are the detail risks that are present everywhere in the business. Each of these can be related to a principal risk. There are circa 5,000 of these risks and they are growing every day.
Source: Rolls-Royce website, Principal Risks
Identifying Risk: Bow Tie Technique
• Bow-Tie Technique Applied to Enterprise Risk
• Benefits:
• Breaks down the risk into a range of threats and consequences
• Engages a wider audience
• Enhances the connection to Assessment and Treatment
Diagram labels: Threats, Risk Event, Consequences
A Consistent Approach to Assessment
• Apply one Risk Matrix across the Organisation
• Develop a set of impact variables and probabilities that the entire organisation can agree on (RR use Financial, Safety, Compliance and Reputation)
• Ensure Significant Risks get the Right Assessment.
• Don’t waste time / resources modelling low impact risks, but understand the full extent of significant risks
• Have clarity on appetite, escalation and priority
• A well-designed risk scoring scheme helps to set appetite and determine organisation priorities
Sample Risk Matrix - Impacts with Appetite

VH        9    14   19   24   29
H         7    12   17   22   27
M         5    10   15   20   25
L         3    8    13   18   23
VL        1    6    11   16   21
Finance   VL   L    M    H    VH

VH        9    14   19   24   29
H         7    12   17   22   27
M         5    10   15   20   25
L         3    8    13   18   23
VL        1    6    11   16   21
Safety    VL   L    M    H    VH

VH        9    14   19   24   29
H         7    12   17   22   27
M         5    10   15   20   25
L         3    8    13   18   23
VL        1    6    11   16   21
Comp      VL   L    M    H    VH

VH        9    14   19   24   29
H         7    12   17   22   27
M         5    10   15   20   25
L         3    8    13   18   23
VL        1    6    11   16   21
Rep       VL   L    M    H    VH
Actively Treat Risk
• Ensure that Risks are Treated!!
• Create actions that are SMART, monitor progress and ensure risk is reduced or controlled
• Ensure high quality controls are in place, effective and regularly tested
• Avoid ‘Bike Shedding’
Admiral Nelson prior to disobeying orders to then destroy the Danish fleet
Utilise the Bow Tie Technique
• Map Controls against Threats and Consequences
• Benefits:
• Visualise controls over threats
• Recognise weaknesses
• Evaluate the quality of controls against threats to inform risk assessment
Embed Review Activity
• Ensure it is frequent
• Frequency is often dictated by pace of project, but less than quarterly is infrequent
• Ensure it has senior support
• Review chair must have authority to act or escalate
• Ensure focus is on the process and deliverables
• Review by exception, focus on treatment with periodic identification
• Ensure it does not feel ‘stale’
• Maintain currency and ‘deep dive’ into areas to ensure engagement is maintained
Summary & Words of Caution
• Risk Management is an Enduring Activity
• Plan, Plan and Plan some more!
• Ensure Risk Management Improves the Position
• A Risk System isn’t the answer
• Risk Management is evolving
Thank you for your attention!
Peter Ralph – Enterprise Risk Manager