Transcript of a presentation by Professor Margaret Woods, Aston Business School
Risk Management Systems in Major UK Public & Private Sector Organisations: A tale of contrasting cultures
Professor Margaret Woods, Aston Business School
Case Study Comparisons of Risk Management Systems in Major Public & Private Sector Entities
Structure of Presentation
Background to the paper
Cases & methodology
Key findings: similarities & differences
Contingency explanation of variations
Conclusion
Background
CIMA funded project
Public & private sector cases
Interview based
Pre credit-crunch
Cases
Tesco
RBS
Department of Culture, Media & Sport (DCMS)
Birmingham City Council
Methodology
Interviews: senior risk management & internal audit staff plus operational managers & users of the system.
Public sector: both staff and politicians interviewed, e.g. Chief Executive & Secretary of State.
Observation
Internal documents
Information systems
Contribution to the Literature
Need for studies looking at the use of MCS (management control systems) at different levels of the organisation (Langfield-Smith, 1997)
Call for research which distinguishes between the existence and use of MCS (Langfield-Smith, 1997)
Risk management dimension barely covered in existing organisational literature
Definitions (1)
Management Control: “the process by which managers ensure that resources are obtained and used effectively and efficiently in the accomplishment of the organisation’s objectives.” (Anthony, 1965)
Risks: “uncertain future events which could influence the achievement of the organisation’s strategic, operational and financial objectives.” (IFAC, 1999)
Risk Management: “process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives.” (CIMA, 2005)
Definitions (2)
Public versus private organisations
Three criteria used to distinguish them: ownership; source of financial resources; model of social control (market v polyarchy) (Perry & Rainey, Academy of Management Review, 1988)
Result: two public & two private (at time of study)
Views from the Literature
Fone & Young (2000) & McPhee (2005): anecdotal evidence that public sector risk management is distinctive & different
Power (2004): risk management of everything & alignment of risk management with good governance
Collier et al. (2006): basic risk management structures are common across all large organisations (private sector only)
Miller et al. (2008): risk management & standardised practices now central to both public & private sector organisations
Power (2009): need to shift from rule based compliance to use of “critical imagination” in risk management
Mikes (2009): calculative cultures – typologies of ERM interpretation
Key Findings
Each case is different, but there are strong similarities, e.g. between public & private sector, and wide variations, e.g. public sector more advanced in thinking re partnership risk and linking risk management to performance management.
Two questions:
WHAT ARE THE SIMILARITIES/DIFFERENCES?
WHY DO THEY EXIST?
Summary of Similarities & Differences
Similarities:
Perceived role of risk management
Timing of the formalisation of systems
Overall methodologies or models
Risk management tools
ICT support
Control via self assessment
Differences:
Application of the models and tools
Overall structure for risk management
Dependence upon quantitative tools for evaluation & measurement
Link from strategic objectives to operational performance – risk management as a bureaucratic structure versus an embedded process/mindset
Similarities (1): Perceived Role of Risk Management
Tesco: “One of the reasons we are a successful company is because of risk management.”
RBS: “At the end of the day, risk management is nothing other than good husbandry on how you drive your business forward.”
Birmingham City Council: “Risk management is very much looking at achieving your objectives and what’s going to stop you.”
DCMS: Risk management is concerned with “the culture, processes and structures directed towards the effective management of potential opportunities and threats to the Department achieving its objectives.”
Similarities (2): Timing of the Formalisation of Risk Management Systems
Pressure from financial scandals in the 1980s: COSO (1992), Cadbury Code (1992)
Private sector initiatives mirrored in the public sector: Cadbury triggered the Treasury Note (1994) & “Green Book” (1997); Turnbull (1999) followed by the NAO Report (2000): “work is underway on the appropriate method of adapting the principles of the Turnbull Report to the central government sector.” (NAO, 2000: 39)
Transfer from central to local government: CIPFA/SOLACE governance framework (2001)
Similarities (3): Generic Risk Management Methodologies
Identify, Source, Measure, Mitigate, Monitor (Economist Intelligence Unit, 1995)
The ERM Framework: ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
Similarities (4): System Tools
Assessment & evaluation: likelihood/consequences matrices; traffic lights
Response: risk registers; ownership; escalation of responsibilities
Ranking by Likelihood and Consequence: a matrix with LIKELIHOOD (Low, Medium, Significant, High) on the vertical axis and IMPACT (Low, Medium, Significant, High) on the horizontal axis, in which numbered risks are plotted by cell (risk 3 in the High likelihood row, risks 6 and 14 in the Medium row, risks 2 and 5 in the Low row).
RAG Assessment (DCMS)
Red – The control(s) are not in place or will not reduce the risk to an acceptable level.
Amber – The control(s) are insufficient to reduce the risk to the tolerable level, or are not yet in place but are expected.
Green – The control(s) are in place and working effectively to reduce the risk to a tolerable level.
Similarities (5): ICT Support
RBS – dedicated risk management software for quantitative analysis
Birmingham City Council – Magique
Tesco – ERP systems, customer facing data collection
DCMS – sharing of partnership risks
Similarities (6): Self Assessment
Private Sector: Combined Code, Section C2, p.14: “The board should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management system.”
Public Sector: Statement of Internal Control – standard format (DAO, 2003): “For the year ended 31 March 2009, that opinion concluded that there were no significant control issues arising that require disclosure in this Statement.”
NOTE THE MAJOR DIFFERENCE IN DETAIL!
Differences (1): Overall Structure for Risk Management
Separate function: determined by regulation
Tesco: “having a risk management function probably gets in the way of actually managing the risks because people are thinking about the risks as opposed to thinking about the customer.”
RBS: Function essential under banking regulations and supervisory process (ARROW)
DCMS: Head of Risk at Departmental level
Birmingham: Sits within internal audit
Job titles – professional risk officer
Differences (2): Dependence upon Quantitative Tools
RBS: Extensive use for market, credit and liquidity monitoring. Essential as part of the Basel capital requirement regulations.
Tesco: Hourly monitoring of sales statistics; daily pricing of a standard basket; steering wheel targets, e.g. financials & staff turnover.
DCMS: Limited and primarily financial in nature.
Birmingham: Performance monitoring for CPA targets, e.g. trading standards visits.
Differences (3): Link from Strategic Objectives to Operational Performance
Integrated
Tesco: “people do it without actually knowing they are doing it, it’s part of their accountabilities. They are held to account. We monitor things on such a micro level.”
Birmingham: Forms part of the CPA evaluation, and risk forms part of individual performance review at operational levels.
Divorced
RBS: Risk management defined by compliance with regulatory targets. Bonus culture separates remuneration from risk exposure.
Problem
DiMaggio & Powell (1983) suggest coercive, mimetic & normative pressures may encourage similarity in the search for legitimacy, but institutional theory also suggests a need for “strategic fit”, i.e. scope for variation.
Does the answer lie in distinguishing between the existence and use of risk management controls?
Contingency Explanation for Different Levels of Use
Complexity of business model
Level and nature of regulatory controls and accountability
Organisational culture & informal controls over risk
Criteria used to evaluate risk management – compliance v performance
Complexity of Business Model
RBS – complex interdependent businesses. Go for silo approach.
Tesco – very simple value chain. What drives value?
Birmingham – complex, multiple interdependencies & partnerships. Learning via CPA.
DCMS – Multiple partnership risks. Still learning.
Level & Nature of Regulatory Controls & Accountability
Regulations: RBS subject to intense regulatory oversight – drives tools of control
Tesco – greater discretion under the Combined Code
Birmingham & DCMS – limited strategic choice – have to manage risks; accountability tight via SIC (and CPA for Birmingham)
Organisational Culture & Informal Controls
Ouchi (1979) “clan” controls
Is performance against objectives high on the agenda and pervasive? e.g. Tesco slogans; shelf stacker
Is performance measured purely in financial terms & shareholder value?
Risk “champions”
Isolated risk function – RBS 5th Floor
Criteria Used to Evaluate Risk Management
Two different mindsets: “are we within prescribed risk boundaries laid down either externally or internally?” OR “are we achieving the results we promised?”
Conclusion
Simons (1991): control systems may be diagnostic or interactive.
Cases suggest that diagnostic use equates to a compliance mindset; interactive use fits with a performance oriented mindset.
Orientation depends upon a range of factors both internal and external to the organisation.
Only in the latter does risk management guide organisational learning via the application of “critical imagination.”