7. What is a Risk
The OED defines risk as:
• A situation involving exposure to danger
• The possibility that something unpleasant or unwelcome will happen
• A person or thing regarded as a threat or likely source of danger
• A possibility of harm or damage against which something is insured
• A person or thing regarded as likely to turn out well or badly in a particular context or respect
• The possibility of financial loss
8. What is a Risk
ISO 31000 defines a risk as:
The “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected.

The OED wording mapped onto the ISO 31000 terms:
Uncertainty     Negative Effect                     Positive Effect
possibility     exposure to danger
                unpleasant or unwelcome
                threat or likely source of danger
possibility     harm or damage
as likely       badly                               well
possibility     loss
9. What is Risk Management
“Risk management involves understanding, analysing and
addressing risk to make sure organisations achieve their
objectives.”
“Enterprise risk management (ERM) is an integrated and joined up
approach to managing risk across an organisation and its extended
networks.”
• Risk Management is:
• NOT risk avoidance
• About Taking RATIONAL risks
• Applicable to OPPORTUNITIES & THREATS
A Perspective on Risk Management
10. Do We Need Risk Management?
We live in an uncertain world !!
11. Brexit, Mark Carney & Risk Management
“Discharging the Bank’s responsibilities for these public goods demands
rigorous analysis, objective judgement, and effective transparency.
We will not shirk from these obligations.”
“The Bank and its independent policy committees will continue to
provide analytically based, clear-eyed assessments of the
economic and financial outlooks. And we will outline the risks to
these forecasts so that we and others can prepare to manage them”
Mark Carney, Governor of the Bank of England, 24th June 2016
15. Do We Need Risk Management?
What is it worth?
Answer: ~ £5.6bn
16. How Does it Benefit a Business
• Improved Decision Making
• Improved Performance
“Companies in the top 20 percent of risk maturity generated 3 times more
earnings (EBITDA) as those in the bottom 20 percent.” (Ernst and Young
2011 Global Report)
• Improved Understanding and Control
• Reduced Errors (Hard to quantify)
17. How Does it Deliver a Project Benefit
• Better control of the project
• Managed spend
• Managed timelines
• A plan to deal with the ‘unexpected’ when it happens
• Increased success rates
• Better linkage to other activities in the business
18. Rolls-Royce ERM Framework
Framework diagram (labels recovered from the slide):
Process: Plan, Identify, Assess, Treat, Review, Close
Hierarchy: Principal risks; Key risks; Business/Function risks; Sub-Business / Major Projects
Supporting elements: Risk management culture; Risk organisation and training; Tools; Supporting technology; Risk appetite; Templates and guides; Effectiveness measures & KRIs
Documents and assurance: Group risk register; Risk policy; Group RMP; Assurance; Incident reporting; Deep dives
Governance & Committees: 1) Board; 2) Board committees; 3) ELT risk committee; 4) Business / Functions; 5) Sub-Business / Major Projects
20. If we Fail to Plan then we Plan to Fail!
Plan early and upfront, review regularly to remain fit for purpose
Success Factors:
• Tone from the Top
• Governance and Infrastructure (e.g. Group Risk Policy,
Stated Appetite, Consistent Approach to Measuring Impact, etc.)
• Integrated Risk Management Planning
• Organisational Risk Culture - “Risk Management is something that we do here.”
21. Tone from the Top: Risk Structure
Principal Risks (Owned by ELT Member): Talent & Capability; Product Failure; Compliance; IT Vulnerability; Market & Financial Shock; Political Risk; Major Programme Delivery; Business Continuity; Competitive Position. (Source: Rolls-Royce website, Principal Risks)
Key Risks (ELT -1): These material risks arise in the business or functions, stemming directly from the realisation of a principal risk, and are made up of specific risks. (Circa 40-50 risks)
Specific Risks: These are the detailed risks that are present everywhere in the business. Each of these can be related to a principal risk. There are circa 5,000 of these risks and they are growing every day.
22. Identifying Risk: Bow Tie Technique
• Bow-Tie Technique Applied to Enterprise Risk
• Benefits:
  • Breaks down the risk into a range of threats and consequences.
  • Engages a wider audience
  • Enhances the connection to Assessment and Treatment
Bow-tie diagram: Threats → Risk Event → Consequences
23. A Consistent Approach to Assessment
• Apply one Risk Matrix across the Organisation
• Develop a set of impact variables and probabilities that the
entire organisation can agree on (RR use Financial, Safety,
Compliance and Reputation)
• Ensure Significant Risks get the Right Assessment.
• Don’t waste time / resources modelling low impact risks, but
understand the full extent of significant risks
• Have clarity on appetite, escalation and priority
• A well designed risk scoring scheme helps to set appetite and determine organisation priorities
24. Sample Risk Matrix - Impacts with Appetite
Rows are probability (VH at the top), columns are the impact level for each impact variable, and each cell is the risk score. The same scoring layout is used for all four impact variables.

Finance impact         VL    L    M    H   VH
  Probability VH        9   14   19   24   29
              H         7   12   17   22   27
              M         5   10   15   20   25
              L         3    8   13   18   23
              VL        1    6   11   16   21

Safety impact          VL    L    M    H   VH
  Probability VH        9   14   19   24   29
              H         7   12   17   22   27
              M         5   10   15   20   25
              L         3    8   13   18   23
              VL        1    6   11   16   21

Compliance impact      VL    L    M    H   VH
  Probability VH        9   14   19   24   29
              H         7   12   17   22   27
              M         5   10   15   20   25
              L         3    8   13   18   23
              VL        1    6   11   16   21

Reputation impact      VL    L    M    H   VH
  Probability VH        9   14   19   24   29
              H         7   12   17   22   27
              M         5   10   15   20   25
              L         3    8   13   18   23
              VL        1    6   11   16   21
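As an added example (not part of the slides or the Rolls-Royce framework), the sample matrix above turned into a scoring routine: a risk assessed against the four impact variables takes the worst cell it reaches (an assumed rule), and the appetite threshold of 20 is a placeholder because the slide shows appetite as shading without a number.

```python
# Added example (not from the slides): scoring a risk with the sample
# matrix above, taking the worst of the four impact variables and
# comparing the result with an assumed appetite threshold.
LEVELS = ["VL", "L", "M", "H", "VH"]

# Scores exactly as printed in the sample matrix: keys are probability
# (VH at the top of the slide), list positions are impact VL..VH.
# Each impact step adds 5 and each probability step adds 2, so impact
# dominates the score and every cell has a unique value.
MATRIX = {
    "VH": [9, 14, 19, 24, 29],
    "H":  [7, 12, 17, 22, 27],
    "M":  [5, 10, 15, 20, 25],
    "L":  [3, 8, 13, 18, 23],
    "VL": [1, 6, 11, 16, 21],
}

# Assumed appetite: the slide shades appetite on the matrix but gives no
# number, so 20 (the H-impact / M-probability cell) is a placeholder.
APPETITE_THRESHOLD = 20


def cell_score(probability, impact):
    """Look up one cell of the sample matrix."""
    return MATRIX[probability][LEVELS.index(impact)]


def score_risk(probability, impacts):
    """Score a risk against each impact variable it was assessed on.

    impacts maps a variable to its level, e.g. {"Safety": "H"}. The
    overall score is the worst cell reached (an assumed rule), so one
    severe impact variable drives the priority of the whole risk.
    Returns (overall_score, driving_variable, above_appetite).
    """
    scored = {name: cell_score(probability, lvl) for name, lvl in impacts.items()}
    driver = max(scored, key=scored.get)
    return scored[driver], driver, scored[driver] >= APPETITE_THRESHOLD


def rank_register(register):
    """Order a register, a list of (name, probability, impacts), so the
    highest-scoring risks come first. Unique cell scores make the order
    unambiguous, and every above-appetite risk outranks the rest."""
    scored = [(score_risk(prob, imp)[0], name) for name, prob, imp in register]
    return [name for _, name in sorted(scored, reverse=True)]
```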
25. Actively Treat Risk
• Ensure that Risks are Treated!!
• Create actions that are SMART, monitor progress and ensure risk is reduced or controlled
• Ensure high quality controls are in place, effective and regularly tested
• Avoid ‘Bike Shedding’
Image caption: Admiral Nelson prior to disobeying orders to then destroy the Danish fleet
26. Utilise the Bow Tie Technique
• Map Controls against Threats and Consequences
• Benefits:
  • Visualise controls over threats.
  • Recognise weaknesses
  • Evaluate the quality of controls against threats to inform risk assessment
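The control mapping from slides 22 and 26, as an added example that is not from the slides: a bow-tie for a constructed IT Vulnerability risk event with controls mapped against each threat and consequence, and a review check that flags the weaknesses slide 25 asks for (no control in place, control not effective, control not regularly tested). The sample controls, dates and the one-year re-test interval are all assumptions.

```python
# Added example (not from the slides): a bow-tie record with controls
# mapped against threats (left side) and consequences (right side), and
# a review check that lists the weaknesses the control mapping reveals.
from datetime import date, timedelta

# Constructed sample bow-tie for an IT Vulnerability risk event.
BOW_TIE = {
    "risk_event": "Unpatched internet-facing service is exploited",
    "threats": {
        "Patch released but not applied": [
            {"control": "Monthly patch cycle", "effective": True,
             "last_tested": date(2016, 5, 10)}],
        "Unknown asset outside the patch process": [],   # nothing mapped
        "Vendor no longer supports the platform": [
            {"control": "Technology refresh plan", "effective": False,
             "last_tested": date(2016, 3, 1)}],
    },
    "consequences": {
        "Loss of customer data": [
            {"control": "Data encrypted at rest", "effective": True,
             "last_tested": date(2015, 1, 15)}],
        "Service outage": [
            {"control": "Tested failover site", "effective": True,
             "last_tested": date(2016, 6, 1)}],
    },
}
REVIEW_DATE = date(2016, 7, 1)        # constructed date of the review
MAX_TEST_AGE = timedelta(days=365)    # assumed: re-test at least yearly


def control_weaknesses(bow_tie, today):
    """Return (side, item, weakness) tuples for the review to act on.

    Mirrors slide 25's test that controls are in place, effective and
    regularly tested: a threat or consequence with no control mapped,
    a control recorded as not effective, or a control not tested within
    MAX_TEST_AGE is reported as a weakness.
    """
    findings = []
    for side in ("threats", "consequences"):
        for item, controls in bow_tie[side].items():
            if not controls:
                findings.append((side, item, "no control in place"))
            for c in controls:
                if not c["effective"]:
                    findings.append((side, item, c["control"] + ": not effective"))
                if today - c["last_tested"] > MAX_TEST_AGE:
                    findings.append((side, item, c["control"] + ": not tested within a year"))
    return findings
```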
27. Embed Review Activity
• Ensure it is frequent
  • Frequency is often dictated by pace of project, but less than quarterly is infrequent
• Ensure it has senior support
  • Review chair must have authority to act or escalate
• Ensure focus is on the process and deliverables
  • Review by exception, focus on treatment with periodic identification
• Ensure it does not feel ‘stale’
  • Maintain currency and ‘deep dive’ into areas to ensure engagement is maintained
28. Summary & Words of Caution
• Risk Management is an Enduring Activity
• Plan, Plan and Plan some more!
• Ensure Risk Management Improves the Position
• A Risk System isn’t the answer
• Risk Management is evolving
29. Thank you for your attention!
Peter Ralph – Enterprise Risk Manager
Peter.Ralph@Rolls-Royce.com