Fabrizio rotundi management_challenges_in_modernisation_proce
-
Upload
- -
Category
Government & Nonprofit
-
view
62 -
download
0
Transcript of Fabrizio rotundi management_challenges_in_modernisation_proce
Fabrizio Rotundi
ESS Modernisation Workshop
Management challenges in Modernisation Processes
(Bucharest, 17 March 2016)
Page 2Fabrizio Rotundi
Agenda
Change Management: From the Approach to the Process
Risk Management Framework and Process
Focus on Integration with Quality in Statistics
Risk Management in action: Institutional Practices and on-going Projects
Page 3Fabrizio Rotundi
Reactions to Change People going through change experience a variety of emotional and cognitive states that
take up some time. Transitions typically progress through a cycle of reasonably predictable phases within the
“Self-efficacy” process that is a key cognitive process identified by the psychological socialtheory for the analysis of human behavior, aiming at efficiently guiding the individualcognitive, social, emotional and behavioral “sub-abilities” to fulfill specific purposes.
Self-efficacy
Time
SHOCK !
DENIAL
DEPRESSION
LETTING GO
TESTING
CONSOLIDATION
INTERNALIZATION,AND LEARNING
Page 4Fabrizio Rotundi
Managers must follow a specific behavior to make change successful and overcome barriers:Identifying the opportunities and threats that require attention (Sense making);Identifying what needs to be done to move towards a better future (Visioning);Communicating the vision (Sense giving);Promoting shared sense of direction (Aligning);Removing obstacles and creating the conditions to empower people to change (Enabling);Recognizing the concerns of those affected by the change (Supporting);Demonstrating that they are prepared to change their behavior (Sustaining the change).
STATE POTENTIAL CHANGE DERAILERS CRITICAL SUCCESS FACTOR
Poor Vision of the Future.
Cultural Resistance to Change.
Lack of a sponsor/commitment
Lack of recognition for the need to continuously change.
Excessive Bureaucracy.
Lack of Competencies.
Poor follow through.
Lack of access to technology.
Lack of time.
Lack of performance metrics.
Lack of Synergy.
Lack of commitment to funding and/or resources.
Lack of knowledge/learning in a change process.
Lack of training.
INTERNALIZATION AND LEARNING
Stakeholder Collaboration, Empowerment, and Engagement • Addressing stakeholders systematically and iteratively, planning and monitoring and correcting for changes. • Performing change “with” rather than “to” people, ensuring those impacted by the change see the need for change.Formalize Philosophy and Policy of Change Management• Providing strong sponsorship for leadership, resources, and support of the change initiative.• Establishing a culture for change management by writing policies or incorporating change statements into the vision and mission. • Building a common change vocabulary.
Time for Acceptance into the Change Life Cycle Framework• Building in flexibility. • Allocating time into the project/program to ensure that the foreseen or emergent resistance will not impact the project schedule.System Alignment with the Change Initiative• Creating a clear description and measures for a successful future state. • Ensuring all supporting systems work effectively and efficiently together. • Scaling change management activities to the extent, complexity, and speed of the change. Identifying, Selecting, and Developing Change Management Competencies• Changing management competency program.• Developing employees. Focus for the Change Initiative• Building communication assets: models, methods, and requirements methods. • Clearly communicating the change vision early outlining the benefits and impacts of the change. • Ensuring that the organization’s leaders actively communicate throughout the change process. • Providing opportunities for dialogue and true representation to promote a sense of ownership.• Monitoring and measuring the effectiveness of the communications.
Develop and Deploy Change Management Measurement Processes and Tools• Measuring the success of change and determining what existing organizational indicators are in place for measuring change. • Capturing and sharing lessons learned retaining them in a knowledge management repository.
SHOCK
DENIAL
DEPRESSION
POOR FOLLOW TROUGH
TESTING
CONSOLIDATION
Page 5Fabrizio Rotundi
Change is GOOD (!?!)
Before embarking on organizational change, it is important to assess:
What do we want to achieve with this change?
How will we know that the change has been achieved?
Who is affected by this change?
How will they react to it?
How much of this change can we achieve ourselves?
What parts of the change do we need help with?
Page 6Fabrizio Rotundi
Organizational ChangeChange must be realistic, achievable and measurable and change effortsshould be geared and managed to improve performances and alignpeople, processes and culture with changes due to different culture, risk-taking, risk-aversion, openness to change, innovation, etc..
Managing changes not only helps organization ensure that thetransition being implemented is successful, it also helps managersdiagnose risks with the transition, before they become unbearable.
‒ is a comprehensive, cyclic and structured approach to transitioningindividuals and organizations from a current to a desired future state;
‒ helps organizations drive their strategy through portfolio, program,and project management;
‒ offers a standardized method that efficiently evaluates the potential positive and negativeimpact of change;
‒ aims at applying a systematic approach that helps "the change" be successful supporting theindividuals involved, addressing resistance and developing knowledges.
“Change management”:
Page 7Fabrizio Rotundi
Among the others, some theories embrace the holistic approach to change:
Change Process Theories
All those theories view change as a series of interconnected events, decisions and actions, but thesequence of stages whose direction is constructed is considered in a different way: Teleological and Dialectical theories: change trajectories is predetermined, but goals and steps
taken to achieve goals can be changed at the will of those involved in the change process. TheMcKinsey 7S model belongs to this kind of theories.
Life cycle and Evolutionary theories: change is a predetermined process that unfolds over time ina specified direction. These theories include the Kotter's integrative model.
3. Life cycle, change is a process that progresses through a necessary sequence of cumulative stages,each of them contributes to the final outcome.
1. Teleological: organizations are purposeful and adaptive, andchange is an unfolding cycle of goal formulation, implementation,evaluation and learning.
2. Dialectical, focusing on conflicting goals between differentinterest groups and explaining stability and change in terms ofcomparison between the opposing entities.
4. Evolutionary: change proceeds through a continuous cycle of variation, selection and retention.
Page 8Fabrizio Rotundi
Change and Risk Management StandardsITIL V.2 & V.3 (Information Technology Infrastructure Library) and COBIT V. 4.1 & 5.0(Control OBjectives for Information and related Technology) aren’t formal standards butframeworks for good practice in IT Service Management.
These describes processes, procedures, tasks not organization-specific but applicablefor an integrated strategy to maintain a suitable level of quality and competency in theService support processes optimizing risk levels and resource use.
ISO/IEC 20000:2011 (ITSM – IT Service Management) & ISO/IEC 27001:2013 define a set ofrequirements against which an organization can be independently audited and, if theysatisfy those requirements, focusing on goals rather than outputs, can be certificated.
They establish high-level objectives for change management to ensure the implementationof strategies through actions for mitigating risks associated with ineffective controls.
sets the practices, processes and disciplines to guide executives in managingchange providing practitioners from different fields such as organizationaldevelopment or human resource management;
The PMI’s standard illustrates how portfolio, program, and project management help organizations developthe effective practice of change management so that strategy can be executed reliably and effectively, and:
describes the change life cycle framework that reflects the portfolio, program and project managementprocess and its purposes and demonstrates resilience resulting from unforeseen changes.
Page 9Fabrizio Rotundi
Change Life Cycle Framework
3. Implementing the change by preparing the organization for change, mobilizing the stakeholders, anddelivering project outputs. Planning, implementation, and transition processes are overlapping due tochange implementation is an iterative process.
4. Managing the change transition by transitioning the outputs into business operations, measuring theadoption rate and the outcomes and benefits, and adjusting the plan to address discrepancies.
Process model of change are based on teleological and dialectical theories.The model conceptualizes the change management as a purposeful, structuredbut often discussed process that comprises 7 core activities:
1. Formulating the change consists of: Identifying/clarifying need for change;Assessing readiness for change; Delineating scope of change
5. Sustaining the change on an ongoing basis through: Ongoing communication, consultation, andrepresentation of stakeholders; Conducting sense-making activities; Measuring benefits realization.
6. Communicating the change. Managers should give sufficient attention to communication and other issues,such as: establishing different goals and priorities; trust; motivation and commitment; support for thosewho will be affected by the change.
7. Learning from the experience helps people’s modify their behavior in order to improve performances.
2. Planning the change by defining the change approach and planningstakeholder engagement as well as transition and integrating people,processes, technologies, structures, and cultural issues into the overallportfolio, program, or project plan.
Page 10Fabrizio Rotundi
Change, Risk and Project ManagementChange management is interconnected with Risk management: Innovation requires risks so everychange strategy comes with its own levels of risk; changes can be made less risky if they are adequatelyreviewed, assessed, and coordinated adopting a proper risk management process.
The relationship between Risk and Changemanagement is characterized as having circular nature:
• Change Management acts as a subsystem of Risk Management; the actions aiming at reducing thelikelihood of incoming risky events are themselves changes.
• Risk Management identifies criticalities in changingprocesses and plans fitting response activities tominimize risk of failure both during and postimplementation phases.
Risk Management
Process risk/criticalitydetection
Response action planning= CHANGE PLANNING
Criticality reduction/elimination
ChangeManagem
ent
Change impact assessment
Change risk reduction
Organization improvement(next point)
Starting point
(«understanding and controllingthe exposure to hazards»)
Project management aligns the organization’s components through the implementation of: Portfoliomanagement that optimizes, oversees and selects concurrent organizational initiatives and Programmanagement that defines a set of expected benefits and their transition into the business.
RM is a part of the wider cycle of CM as well as CM isa component of the RM’s cycle.
Page 11Fabrizio Rotundi
Risk Definitions and StandardsRisk is the effect of uncertainty on objectives, where an effect is adeviation from what is expected (positive and/or negative), oftenexpressed in terms of a combination of the consequences of anevent (including changes in circumstances) and the associatedlikelihood of occurrence.
The Co.SO. Model is a multidimensional standard upon which a RiskManagement system stands. It develops along three sides of the cube:1) Objectives; 2) Organization; 3) Process
Among the others (more than 60!), main used standards are:
ISO 31000:2009: Risk Management Principles and Guidelines
ISO/IEC 31010:2009: Risk assessment techniques
ISO TR 31004:2013: Guidance for the implementation of ISO 31000:2009
AS/NZS4360:2004: Australia/New Zealand Risk Management Standard
COSO Model 2004/2013 that defines Enterprise Risk Management “... a process effected by an entity’sboard of directors and management, applied in strategy setting and across the enterprise, designed toidentify potential events that may affect the entity, and manage risk to be within its risk appetite, toprovide reasonable assurance regarding the achievement of entity objectives.”
[AS/NZS 4360:1999, ISO 31000:2009, ISO Guide73:2009, definition 1.1, COSO ERM – IF/IC 2004].
Page 12Fabrizio Rotundi
Risk Complexity
• Risk Appetite, which could be expressed either qualitativelyor quantitatively, maybe in terms of ranges, and exploredgoing through the impacts of past events and the reactionsof key stakeholders (customers, employees, regulators, ..).
• Risk Perception, which describes how people perceive risks according to their values and interests
• Risk Tolerance, which is the level of variation that the entity is willing to accept around specific objectives.
• Risk Retention considers stakeholders’ conservative return expectations and a very low appetite for risk-taking.
Risk Profile is the set of risks that could affect all or part of an organization. It results from a comprehensiveprocess that: concerns risk information from several sources; reflects recommendations from managers;envisages a risk questionnaire, revised guidelines, clearer definitions of risk sources and communication strategy.
• Risk Attitude. (Existing Risk Profile). If an organization isparticularly effective in managing certain types of risks, itmay be willing to take on more risk in that category,conversely, it may not have any appetite in that area.
• Risk Acceptance, which refers to the maximum potentialimpact of a risk event that an organization could withstand.Often, appetite will be well below acceptance.
Risk Profile takes into account:
Page 13Fabrizio Rotundi
investigating four dimensions:I. the risk perception compared to the activities
of each manager;II. the risk perception in the Institute as a whole;III. the maturity of the control environment in
the structure leaded by each manager;IV. the maturity of the control environment in
the Institute as a whole
ISTAT launched a survey on risk perception involving Top and Executive Managers,carried out trough a questionnaire: composed of about 70 questions and divided into four sections:
1. Internal control environment and organizational culture;2. Objectives of the organization and Risk Management;3. Identification and classification of risk factors;4. "Cataloging" risks
Risk perception analysis in ISTAT
Page 14Fabrizio Rotundi
The Risk Management System – ISO 31000:2009According to the ISO 31000:2009, Risk Management refers to the architecture used to manage risks.This architecture includes Principles, Framework, and Process.
Page 15Fabrizio Rotundi
Top-down and Bottom-up approaches
Three different approaches can be followed in managing risks:
A. Top-Down-approach: the decision making process iscentralized at a government body-level. This approach canput in place in 2 ways: a) Full top-down: the business units’risks are listed at department level so heads of units cannotadd risks themselves; b) Prevailing top-down: the corporaterisk register comes from a detailed operational risk register.
B. Bottom-Up approach: the decision making process is located at management level.Operational risks are identified by any staff member while performing his/her dailywork, in order to encourage the staff to be more active in defining non-conformities.
C. Mixed approach: the board entity states the criteria (top-down) by which the heads ofunit identify and manage risks (bottom-up). Risks may be viewed and assessed at anylevel of the organization.
The selected RM approach impacts on the Hierarchy of Risks.
Page 16Fabrizio Rotundi
Risk Hierarchy
1. Enterprise Risks, strategic and significantly impacting on the organization.Management them is crucial for the long term viability. They are assessed and treatedby the Executive Managers, responsible for monitoring their implementation.Examples are: Regulatory and compliance risks, global financial shocks, agingconsumers and workforce, emerging markets .
The hierarchy of risks is related to the different levels of risks:
3. Project Risks, impacting on the project objectives and outcomes. They are managed bythe project risk manager and where appropriate will be addressed as part of the ProjectManagement Framework. Examples are: Project scope poorly defined; Resources notavailable when required; Quality requirements not clearly specified.
2. Operational Risks, impacting on a program's objectives and/or outcomes; they areassessed and managed by the line managers. In considering them, they should takeinto account the enterprise ones. Examples are: Inappropriate skills mix; resourcesreduced due to budget cuts; outputs not delivered on time; poor quality outputs.
Page 17Fabrizio Rotundi
Roles and Accountabilities1) All staff are responsible for an effective management of risks including identification of any potential risks;
3) An Office is dedicated to the coordination of themanagement process and risk analysis,"impartial" with respect to other structures,supporting the highest level of decision making;
4) The Risk Manager is responsible for:collaborating with Top Management both inidentifying high risk areas related to strategicand business processes and in planningtreatments to mitigate corporate risks;
5) The Risk Committee defines the RiskManagement policy; it is coordinated by theRisk Manager and composed by the topmanagers operating in the most risky areas;
6) Chief Statisticians and Governing body definethe strategies based on the information comingfrom the RM System;
7) The Internal Auditing is responsible for reporting to the Governance on the adequacy of the RM processand the compliance of the mitigating actions.
2) Risk management is driven by the organizational units;
Page 18Fabrizio Rotundi
Risk Management Framework Integrated with Quality of StatisticsStatistical risks are events that potentially could impact on productionprocesses and/or integrity and quality of statistical data. Ex. “statistics that arenot considered by users as fit for purpose which includes, but is not limited to,time series that are not coherent” (Planned changes to systems, processes,methods, data & resources availability or quality).
At operational level, statistical risks can be identified separately by Risk Management and then integratedinto the Quality management framework because of their close connection: a) Quality managementassesses if the original requirements (ISO 9001:2015) are met or corrective actions need to beimplemented; b) Risk management identifies threats that can effect Quality objectives.
The Australian Bureau of Statistics (ABS) has instigated better quality managementpractices by the risk management strategy to mitigate the Statistical Risk that one ormore of the statistical process components fail to meet the quality standard expectedor the data integrity requirement.
The RM integrated approach has been developed as a part of the Internal Control Framework whichcomprises different kind of risks (Strategic, Statistical, Change, Operational & Compliance, Financial, WorkHealth & Safety) associated with Statistical Risk Appetite.
This strategy is based on the risk assessment through the quality gates composed of: Placement, Roles,Actions, Evaluation, Tolerance, Quality Measures (ex. frame size, n. units, units rotated in/out of a sample).
Page 19Fabrizio Rotundi
ISTAT’s Risk Management System: From the project to the process
2009 2010 2011 2012 2013-2014 2015-2016
Project launched Approach trialExperimental
phaseExperimental
phaseFull
implementationDevelopments
Analysis and comparison of practices and models
Identification of appropriate approach
Establishing ISTAT’s RM model
Pilot and rollout of risk management approach
RM training and dissemination
Creation of a risk registers
Risk assessmentRM training and
dissemination
Revision of a risk registers
Identification of risk treatments
RM training and dissemination
Integration w/ operational planning
Risk treatments monitoring
InformationSystem start up
From the bottom-up to the top-down vision
Adapting model to Risk of Corruption
Cooperation in International projects
Dissemination
The project developed following some parallel but related paths:
1. Organization: Both the President and the Directorate general endorsed and sponsored the project. Abusiness unit was involved in implementing and coordinating risk management system
2. Training and dissemination program in order to improve management culture and promote a commonlanguage and understanding throughout the organization
3. All Risk Management process has been implemented
4. Information System has been developed to support the process
5. Change of perspective: Bottom-up/Top-down mixed approach
Page 20Fabrizio Rotundi
ISTAT’s Risk Management - Bottom-up & Top-Down approaches
Corporate risk selection considers: Ability to monitor a risk treatmentsthrough specific indicators; Organizational sustainability; Quality of theCross-cutting risk treatments; Belonging to “priority intervention areas”.
From 2015 on, the previous bottom-up approach is being integrated with a top-down one in order toenhance quality and significance of the information contained in the registers.
Organizational risks are identified by accountable managers and then gathered in strategic categories(corporate risks), in order to be assessed, treated and monitored.
The risks were assessed by the same personnel who identified themwith the C&RSA method to measure likelihood (occurrences in the last 12months) and impact a) Organization (delay, extra workload); b)Reputation, c) Higher costs.
According with the Top-Down perspective, risks have beendramatically decreased from 359 events of the experimentalphase, to 111 in 2015; about 18% are "Corporate".
Also the Risk treatments have been reduced, from 450(2013) to 128 measures (2015); about 19% are associatedwith “Corporate“ risks, monitored by proper output andperformance indicators.
Page 21Fabrizio Rotundi
In 2015, the Committee for the European Statistical System implemented the strategicdirections “ESS Vision 2020” to redesign by 2020 the statistical production methodsthrough a system based on the use of new data sources, standardized methods for thestatistical production process, interoperability and reuse of data and tools.
Risk Management Institutional Activities: ESS 2020 Vision
According to this Vision: Risk identification, analysis and management help NSIs anticipate and remove theobstacles that may prevent the achievement of the strategic objectives.
Three levels of risks associated with the ESS Vision 2020 have been identified:
2. Portfolio management risks, associated withthe projects portfolio as a whole.
1. Risks associated with implementation of theESS Vision 2020 whose common strategicundertaking requires: capability; financialinformation; ownership and commitment;communication within the system and withthe stakeholders.
3. Project related risks identified inimplementing the ESS projects portfolio.These refer to the specific "business" or"infrastructural" categories of the ESS Vision.
1. Lack of common understanding on the strategic aims
4. Lack of coherence among national and ESS modernization programmes
5. Different maturity of national statistical systems regarding the ESS aims
6. Underestimation of the role of communication in implementing ESS 2020
14. Wrong identification of dependencies among projects in the portfolio
15. Affordability of the portfolio
16. Lack of timely availability of skills and human resources
19. Different legislative systems/lack of common EU legislation
20. Lack of a precise cost-benefit assessment
21. Improper project management
Fabrizio Rotundi
UNECE’s project for developing Risk Management practices among NSOs
Dec ‘14
May ‘15
Template
Benchmark analysis
Tuning practices
Guidelines
Nov ‘15
Apr ‘16
Page 23Fabrizio Rotundi
From the Surveys towards the Guidelines In 2015 survey has been carried out to analyze to what extent Risk management systems are
adopted among NSOs and international organizations members of UNECE in order to define criteriafor identifying best practices.
13 countries were selected as the most interesting practices for an in-depth analysis according tosome Items representing consistent sets of significant features for analysis and Parametersto allocate the countries among the Low-Medium-High levels.
The main points highlighted by the data analysis were:
- corporate risks lower than operational ones;
- the occorrrunces of corporate risks varies depending on the riskpolicy (top-down vs bottom-up approach)
- statistical risks are the majority, followed by organizational risks
- other risks related to: financial, ITC, reputational, security
The analysis has allowed theidentification of the RiskManagement practice mostsuitable to the NSOs that isdescribed in the Guidelines.
Page 24Fabrizio Rotundi
Thank you for your attention !!!
Fabrizio ROTUNDI