Using ERM to

position yourself as

a Strategic Partner

Steve Treece

Assistant Director Risk Resilience & Safety

Identity & Passport Service

IRM GLOBAL RISK MANAGEMENT

PROFESSIONAL DEVELOPMENT FORUM

22nd March 2011

Identity and Passport Service V1.00 Not Protectively Marked

Agenda

Using ERM to position yourself as a Strategic Partner

Risk management as a source of competitive advantage, not a cost

• IPS background

• Driving returns by Business Alignment and Integration across the business

• Demonstrate the Value of Risk Management (rather than the costs)

• Challenging conventional concepts of risk tolerance in decision making or

– Risk Tolerance: a mirage?

• Importance of Dialogue and Understanding

• Making Enterprise Risk Management live

Identity and Passport Service V1.00 Not Protectively Marked

Identity & Passport Service

• Executive Agency of the Home Office

• Activities

– Issuing Passports (5.35 million: 2009/10)

– Operations of General Register Office (England & Wales – 1.92 million vital event certificates: 2009/10)

• £380 million annual income

• Over 4,000 employees

• Wide range of suppliers and partners

• Business change initiatives

• Manage risks in context of Principles

– Trusted and Secure

– Customer Service

– Operational Focus

– People

– Cost

Identity and Passport Service V1.00 Not Protectively Marked

New Challenges Require New Thinking First

Context of major change in the public sector

“The world we have made as a result of the level of thinking we have done thus far creates problems we cannot solve at the same level of thinking at which we created them” – Albert

Einstein

We need more effective thinking and dialogue to make Enterprise Risk Management more effective

Identity and Passport Service V1.00 Not Protectively Marked

ERM in a Business Context

Corporate outcomes

Directorate outcomes

Corporate activities

Directorate activities

Corporate resources

Directorate resources

Future

OutcomesHierarchical

Future

ResourcesFuture

Activities

Manage Risks and Rewards in this context

Identity and Passport Service V1.00 Not Protectively Marked

Measures

& TargetsActivities

Savings2. How will

we measure

achievement?

4. What

should

we stop?

Present

Future

?

5. What resources do

we need to produce

our outcomes?

I want experts to give me

customised, specialised

solutions

ART, Financial &

industry experience

Develop & manage

risk solutions

Partner to

deliver solutions

Provide direct

assessments

Link to U/W desktop

Shared accountability & incentives

Build

sophisticated ART

& fee-based solutions

business

1. What do we need

to deliver?

Embedding ERM as a Strategic Partner

8. Should we

add resource

or stop?

7. Are we

getting the

benefits? Can

we afford them?

I want experts to give me

customised, specialised

solutions

ART, Financial &

industry experience

Develop & manage

risk solutions

Partner to

deliver solutions

Provide direct

assessments

Link to U/W desktop

Shared accountability & incentives

Build

sophisticated ART

& fee-based solutions

business

6. What will

they cost?

Budget

£

Resources

Investment

Prediction/

Review

Outcomes 3. What do

we need to

do?

Priorities

Identity and Passport Service V1.00 Not Protectively Marked

How Risks are Managed affects Results

Step Deliverable

What do we need to deliver? Linked future outcomes

How will we measure success? Predictable outcomes

What do we need to do? Value chain

What should we stop? Savings

What resources do we need to produce our outcomes?

Staffing and budget needs

Are we getting the benefits? Benefits realisation

Identity and Passport Service V1.00 Not Protectively Marked

ERM as a Cost/Value to the Business?

• Cut across silos: facilitate understanding across the business

• Insight: consequences of investment etc. decisions

• Minimise costs by early intervention and incident analysis

• Risks related to Performance Indicators & Early Warning Signs

• Ensure controls aren’t just overheads

• Horizon scanning and scenario planning

• Protect reputation and ratings

Identity and Passport Service V1.00 Not Protectively Marked

Value Proposition

CEO and EDs are confident that we are key to ensuring that we are a resilient business and actively reduce risk, especially as we go through significant change and uncertainty.

All of our interactions support this because we are brilliant at:

• Listening to and understanding the business, its key objectives and concerns

• Expert analysis and consultancy support

• Reliable, clear and timely risk and incident information & analysis, which drives insight and informed key decisions

• Simple business focused language and tools which enhance integrity, capability, communication and engagement

• Exercises of scenarios around significant risk events to explore consequences and solutions

Identity and Passport Service V1.00 Not Protectively Marked

Risk Management Insight: Light the Road

• Have a positive outlook on risk

• High quality, reliable MI and tools to promote:

– Consistency

– Transparency

– Structure for what is intuitive

• Increase confidence key challenges are:

– Understood

– Prepared for; and

– Under appropriate control to achieve success

• Early warning to avoid unplanned surprises

– Conscience?

• “Ignorance more frequently begets confidence than does knowledge” (Charles Darwin)

Identity and Passport Service V1.00 Not Protectively Marked

Risk Tolerance: a mirage

• Vital or a myth?

• Everyone says it is important

• But nobody agrees on what it is

• ISO31000– Amount & type of risk that an organisation is willing to pursue or retain

• BS31100– Amount and type of risk that an organisation is prepared to seek, accept or

tolerate

• Corporate Governance Code– “The Board is responsible for determining the nature and extent of the

significant risks it is willing to take in achieving its strategic objectives”

– “The Board should maintain sound risk management and internal control systems”

Identity and Passport Service V1.00 Not Protectively Marked

Structured Decision Making

• How much risk are you prepared to take/retain/accept?

• How much control are you prepared to exercise/relinquish?

• What are the Priority Business Outcomes and Objectives?

– Conflicts and Compromises

• Balance with Risk Themes

– Trusted and Secure (Data security, legally compliant, resilient)

– Customer Service (Performance)

– Operational Focus (Efficiencies)

– People (Safe and Engaged)

– Cost (VFM and business benefits)

• Cross Business sign off

– Acceptable level of residual risk/opportunity will result

– Clear time bound action plans to improve management if necessary

– Contingency plans in place should a risk be realised

Identity and Passport Service V1.00 Not Protectively Marked

Understand the Business first

• ERM core skill and value

• “Seek first to understand, then be understood”

• “There are three constants in life... change, choice and principles.”

– Stephen R Covey

• Power of positive change and the positive question

Identity and Passport Service V1.00 Not Protectively Marked

Advocacy

• A western educational & business tradition that stresses:

- critical thinking - critiquing

- adversarial thinking - confrontation

- testing one viewpoint against the other to find the strongest

• We focus almost exclusively on advocacy

- presenting our views and arguing strongly for them

- debating forcefully to influence others

• Most managers are trained to be advocates

Identity and Passport Service V1.00 Not Protectively Marked

Enquiry

• A complementary skill to advocacy that:

• seeks to uncover information about why a view is held

• asks questions about underlying assumptions, beliefs,

reasoning

• explores:

- why do you believe this ?

- what logic leads to this conclusion ?

- what facts and data do you have ?

- what examples or past experience exists ?

• Supported by attitude of wanting to understand, explore,

learn, expand

• Not a technique to cross examine people or find fault

Identity and Passport Service V1.00 Not Protectively Marked

Appreciative Enquiry

• Appreciative Enquiry is a way of achieving positive learning and change by gathering information and closely examining its quality, significance, and magnitude, focusing on strengths.

(From OED)

Appreciate– Esteem highly, value

– Be sensitive to

– To raise in value

• Enquiry– The process of asking questions or seeking information.

– A close examination in a quest for truth.

Identity and Passport Service V1.00 Not Protectively Marked

Comparison to Problem Focus

• What to fix

• Underlying grammar = problem, symptoms, causes, solutions, action plan, intervention

• Breaks things into pieces & specialties, guaranteeing fragmented responses

• Slow! Takes a lot of positive emotion to make real change.

• Assumes organisations are constellations of problems to be overcome

• Traditional risk management?

• What to grow

• New grammar of the true, good, better, possible

• “Problem focus” implies that there is an ideal. AE breaks open the box of what the ideal is first.

• Expands vision of preferred future. Creates new energy fast.

• Assumes organisations are sources of infinite capacity and imagination

• Minimises defensiveness

• Breaks down silos

• A better context for risk management?

Problem Solving Appreciative Enquiry

Identity and Passport Service V1.00 Not Protectively Marked

AE in practice: Understand the Board

• What’s going on in their world?

• What’s important to them?– What do you value about… yourself, work, organisation?

– If you had three wishes for this organisation, what would they be?

– What are your key concerns and opportunities at the moment?

• Avoid received wisdom

– That’s how we have always done it

– This is the way is must be done

• Provide insight

Identity and Passport Service V1.00 Not Protectively Marked

AE in practice:

Understand the wider business

• External forces

• Customers

• Shareholders

• Other Stakeholders

– Community

– Suppliers

– Government/regulators

– Press/Media

• Internal

– Current and prospective employees

– Other departments

Identity and Passport Service V1.00 Not Protectively Marked

Management Board &

Executive Directors

Management

This is what we are worried

about

What are you doing about it?

(Delegation)

This is what we are doing about your concerns

This is what we are worried about as well

Did you know?

Are you happy with what we are doing?

(Assurance)

Identity and Passport Service V1.00 Not Protectively Marked

Don’t forget your Supply Chain

Key Issues

• Reputation risks difficult to fully transfer

• Potentially competing priorities/agendas

– Other Government Departments and similar

– Shareholders

• Collaborative approach

– Shared understanding, principles and behaviours

• Shared management of key risks

– Clear and transparent ownership

• Supply chain resilience

• Engage all key functions:

– Commercial; Operations; IT service and supplier management

Identity and Passport Service V1.00 Not Protectively Marked

AE in practice: Communication

• Simples!

• People buy benefits

• Align language used to the way the business speaks

• Attitude and behaviour more important than content

Identity and Passport Service V1.00 Not Protectively Marked

Understand Risk Attitude/Culture

Risk IgnorantRisk Deluded

Risk AverseRisk Aware

Identity and Passport Service V1.00 Not Protectively Marked

What is your view of risk?

• Who drives their children to school?

• Who lets their child go swimming?

• Why?

What is more likely?

• Is a child more likely to be (US statistics 2003: Dan Gardner, “Risk”):

• Abducted by a stranger

– 1 in 655,555

• Drown in a swimming pool

– 1 in 210,526 = 3 times more likely

• Killed in a car crash

– 1 in 24,502 = 26 times more likely

• When do sales of earthquake insurance increase most quickly?

• Do we focus on impact to exclusion of likelihood?

– Coloured by media coverage and recent events

– Ignore the real risks (“it’s never happened here before”)

Identity and Passport Service V1.00 Not Protectively Marked

Make it live: Scenario planning

• Real life examples

• Go beyond conventional Business Continuity events

• Make it relevant (Business Outcomes and Risk Themes):

• One man’s problem is another man’s opportunity?

Identity and Passport Service V1.00 Not Protectively Marked

Case study: Challenger Space Shuttle

Presidential Commission 1986

• Pressure seal in joint between two lower segments of right Solid Rocket Motor failed

• Faulty design unacceptably sensitive to a number of factors including temperature

• Contractor advised against launch below 53 degrees F

• Temperature at launch 36 degrees F, 15 lower than next coldest previous launch

• Joint test programme inadequate – motors not tested as in flight

• No analysis flight history O-ring performance – correlation damage and low temperature

• Failed to recognise the problem; failed to fix it; treated as acceptable flight risk

• Launch decision made without awareness of O-ring problems and contractor recommendation

• Escalating risk accepted because “got away with it last time”

Identity and Passport Service V1.00 Not Protectively Marked

Case Study: Mobile phone industry

Economist Intelligence Unit 2009

• Philips microchip plant New Mexico

• Major fire contaminated millions of mobile phone chips

• Nokia switched suppliers

• Erikson accepted assurances on recovery

• Lost market share and over $400m annual earnings

• Nokia profits rose 42%

• What further risks/opportunities from economic downturn– Tighter credit

– Pressure to drive down costs

– Energy price volatility

Identity and Passport Service V1.00 Not Protectively Marked

In Conclusion

• Align ERM within the business

– Business Cycle

– Structured Decision Making

• Demonstrate understanding and value

• Make ERM live as part of the day job

– Flexibility to manage

– Achievement of objectives and outcomes

– Satisfaction from not continually fire fighting

– Security from adverse performance review

– Time to think and plan

Identity and Passport Service V1.00 Not Protectively Marked

It’s only History repeating?

• “The budget should be balanced, the Treasury should be filled,

public debt should be reduced, the arrogance of officialdom

should be tempered and controlled, and the assistance to

foreign lands should be curtailed lest Rome be bankrupt.

People must again learn to work, instead of living on public

assistance.”

• Marcus Tullius Cicero

• “We trained hard, but it seemed that every time we were

beginning to form up into teams we would be reorganised. I was

to learn later in life that we tend to meet any new situation by

reorganising : and a wonderful method it can be for creating the

illusion of progress, while producing confusion, inefficiency and

demoralisation.”

• Caius Petronius, Roman Consul, 66 AD

Identity and Passport Service V1.00 Not Protectively Marked

Thank you

Any questions?