Getting the risk basics right, 30th November 2016

Trusted to deliver excellence © 2016 Rolls-Royce plc The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other than that for which it is supplied without the express written consent of Rolls-Royce plc. This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or associated companies. Peter Ralph APM 24th Nov 2016


Who Are Rolls-Royce

Latest (2015) Financial Highlights

Vision: ‘Better Power for a Changing World’

Our Businesses

We Don’t Make These Anymore

What is a Risk

The OED defines risk as:

• A situation involving exposure to danger

• The possibility that something unpleasant or unwelcome will happen

• A person or thing regarded as a threat or likely source of danger

• A possibility of harm or damage against which something is insured

• A person or thing regarded as likely to turn out well or badly in a particular context or respect

• The possibility of financial loss

What is a Risk

ISO 31000 defines a risk as:

The “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected

Uncertainty Negative Effect Positive Effect

possibility exposure to danger

unpleasant or unwelcome

threat or likely source of danger

possibility of harm or damage

as likely badly well

possibility loss

What is Risk Management

“Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives.”

“Enterprise risk management (ERM) is an integrated and joined up approach to managing risk across an organisation and its extended networks.”

• Risk Management is:

• NOT risk avoidance

• About Taking RATIONAL risks

• Applicable to OPPORTUNITIES & THREATS

A Perspective on Risk Management

Do We Need Risk Management?

We live in an uncertain world!!

Brexit, Mark Carney & Risk Management

“Discharging the Bank’s responsibilities for these public goods demands rigorous analysis, objective judgement, and effective transparency. We will not shirk from these obligations.”

“The Bank and its independent policy committees will continue to provide analytically based, clear-eyed assessments of the economic and financial outlooks. And we will outline the risks to these forecasts so that we and others can prepare to manage them”

Mark Carney, Governor of the Bank of England, 24th June 2016

• 1971: Rolls-Royce Declared Bankrupt

• 2010: Rolls-Royce Qantas A380 Engine Explosion

• 2013: Formal Bribery Investigation at Rolls-Royce

News Source: http://www.telegraph.co.uk/


News Source: http://www.bbc.com/news/business-23076586/


Do We Need Risk Management?

What is it worth?

Answer: ~ £5.6bn

How Does it Benefit a Business

• Improved Decision Making

• Improved Performance

“Companies in the top 20 percent of risk maturity generated 3 times more earnings (EBITDA) as those in the bottom 20 percent.” (Ernst and Young 2011 Global Report)

• Improved Understanding and Control

• Reduced Errors (Hard to quantify)

How Does it Deliver a Project Benefit

• Better control of the project

• Managed spend

• Managed timelines

• A plan to deal with the ‘unexpected’ when it happens

• Increased success rates

• Better linkage to other activities in the business

Rolls-Royce ERM Framework

[Framework diagram. Labels shown:]

• Hierarchy: Principal risks; Key risks; Business/Function risks; Sub-Business / Major Projects

• Process: Plan; Identify; Assess; Treat; Review; Close

• 1) Board 2) Board committees 3) ELT risk committee 4) Business / Functions 5) Sub-Business / Major Projects

• Other labels: Risk management culture; Risk organisation and training; Tools; Supporting technology; Risk appetite; Templates and guides; Effectiveness measures & KRIs; Group risk register; Risk policy; Group RMP; Assurance; Governance & Committees; Incident reporting; Deep dives

Rolls-Royce Risk Management Process

Process: Plan, Identify, Assess, Treat, Review, Close

If we Fail to Plan then we Plan to Fail! Plan early and upfront, review regularly to remain fit for purpose

Success Factors:

• Tone from the Top

• Governance and Infrastructure (e.g. Group Risk Policy, Stated Appetite, Consistent Approach to Measuring Impact, etc.)

• Integrated Risk Management Planning

• Organisational Risk Culture - “Risk Management is something that we do here.”

Tone from the Top: Risk Structure

Principal Risks (Owned by ELT Member): Talent & Capability; Product Failure; Compliance; IT Vulnerability; Market & Financial Shock; Political Risk; Major Programme Delivery; Business Continuity; Competitive Position. (Source: Rolls-Royce Website)

Key Risks (ELT -1): These material risks arise in the business or functions, stemming directly from the realisation of a principal risk and made up of specific risks. (Circa 40-50 risks)

Specific Risks: These are the detailed risks that are present everywhere in the business. Each of these can be related to a principal risk. There are circa 5,000 of these risks and they are growing every day.

Identifying Risk: Bow Tie Technique

• Bow-Tie Technique Applied to Enterprise Risk

• Benefits:

• Breaks down the risk into a range of threats and consequences.

• Engages a wider audience

• Enhances the connection to Assessment and Treatment

[Bow-tie diagram. Labels shown: Threats, Risk Event, Consequences]

A Consistent Approach to Assessment

• Apply one Risk Matrix across the Organisation

• Develop a set of impact variables and probabilities that the entire organisation can agree on (RR use Financial, Safety, Compliance and Reputation)

• Ensure Significant Risks get the Right Assessment.

• Don’t waste time / resources modelling low impact risks, but understand the full extent of significant risks

• Have clarity on appetite, escalation and priority

• A well-designed risk scoring scheme helps to set appetite and determine organisation priorities

Sample Risk Matrix - Impacts with Appetite

The same 5 × 5 scoring grid is shown four times, once for each impact category (Finance, Safety, Comp, Rep). The column headings are the rating for that impact category:

   | VL | L  | M  | H  | VH
VH | 9  | 14 | 19 | 24 | 29
H  | 7  | 12 | 17 | 22 | 27
M  | 5  | 10 | 15 | 20 | 25
L  | 3  | 8  | 13 | 18 | 23
VL | 1  | 6  | 11 | 16 | 21

Actively Treat Risk

• Ensure that Risks are Treated!!

• Create actions that are SMART, monitor progress and ensure risk is reduced or controlled

• Ensure high quality controls are in place, effective and regularly tested

• Avoid ‘Bike Shedding’

Admiral Nelson prior to disobeying orders to then destroy the Danish fleet

Utilise the Bow Tie Technique

• Map Controls against Threats and Consequences

• Benefits:

• Visualise controls over threats.

• Recognise weaknesses

• Evaluate the quality of controls against threats to inform risk assessment

Embed Review Activity

• Ensure it is frequent

• Frequency is often dictated by pace of project, but less than quarterly is infrequent

• Ensure it has senior support

• Review chair must have authority to act or escalate

• Ensure focus is on the process and deliverables

• Review by exception, focus on treatment with periodic identification

• Ensure it does not feel ‘stale’

• Maintain currency and ‘deep dive’ into areas to ensure engagement is maintained

Summary & Words of Caution

• Risk Management is an Enduring Activity

• Plan, Plan and Plan some more!

• Ensure Risk Management Improves the Position

• A Risk System isn’t the answer

• Risk Management is evolving

Thank you for your attention!

Peter Ralph – Enterprise Risk Manager
