RMIA Best Practice Yearbook 2014


Yearbook 2014

The association of choice for risk management professionals in the Asia Pacific Region ABN 82 106 528 509



FRIENDS, ROMANS, RISK GLADIATORS – LEND ME YOUR EARS

Paladin Risk Management Training Academy is currently taking enrolments for...

Diploma of Risk Management and Business Continuity
The Diploma course, which has been endorsed by the Risk Management Institution of Australasia, is the only broad-based risk management diploma in the country and is fully accredited by the Australian Skills Quality Authority (ASQA). The Diploma program is aimed at risk management and business continuity professionals, or those aspiring to fill roles in these industries. The course is offered face to face over four days or through our new distance education program. Visit the website to see all course dates.

Advanced Diploma of Governance, Risk and Compliance
The Advanced Diploma of Governance, Risk and Compliance is the only vocational GRC course in the country and is fully accredited by ASQA. This course is aimed at executives in a myriad of roles, including (but not limited to):
• Chief Executive Officer
• General Manager/Managing Director
• Director
• Chief Risk Officer
• Chair/Member, Audit and Risk Committee
• Compliance Manager
Visit the website to see all course dates.

Special offer for readers of the RMIA Best Practice 2014 publication: enter the promo code RMIA to receive a discount on course costs.

Special offer price (Diploma): $3500 for the face-to-face course and $3000 for distance education.
Special offer price (Advanced Diploma): $4000.

Both courses include: membership of the RMIA; accreditation as a Certified Risk Management Technician; all materials and catering for the four days; and a money-back guarantee – if you are not satisfied with the course after day 1 you will be refunded your course cost, no questions asked.

Qualifications issued by McMillan Staff Development.

Rod Farrar, Managing Director
M 0400 666 142 E rod@paladinrisk.com.au
To sign up to our newsletter go to: www.paladinrisk.com.au




Foreword

I am delighted to provide the foreword to the 2014 Yearbook for the Risk Management Institution of Australasia (RMIA), particularly on the auspicious occasion of its 10-year anniversary as a professional industry body. As I mentioned in my keynote address to the RMIA’s 2014 National Conference, I am excited by the potential for a greater exchange of ideas between the public and private sectors in relation to risk management. While there are many common risks faced by both sectors, there are also many differences in how we manage and derive opportunities from risks. Learning from these differences can strengthen both sectors, and the RMIA is in a unique position to continue to facilitate this increased level of collaboration between public and private sector organisations throughout Australasia.

The Commonwealth is taking steps to develop a more positive risk culture through the adoption of a new Risk Management Policy, which accompanied the introduction of the Public Governance, Performance and Accountability Act 2013 from 1 July 2014. What we are aiming for is a culture in which risk is appropriately identified, communicated and managed throughout the entire entity. A positive risk culture considers both threat and opportunity. It is about engaging with risk in a transparent way that will contribute to improved policy development, and to service delivery.

Key to this important reform has been the acknowledgement that if the Commonwealth is to better manage risk, we must operate as a coherent whole, with a shared set of values and behaviours that drive the way that risk is managed. That is what the Commonwealth’s new Risk Management Policy aims to provide. We will know that we have succeeded in developing a more positive risk culture when we see government bodies and entities shifting from a ‘compliance mentality’ to one in which risk is embedded into the day-to-day operations of all Commonwealth officials. We will know that we have succeeded when entities are making informed choices about taking on particular risks, in line with their overall strategies and objectives. Equally, we can claim success when our commercial partners and service suppliers encounter less risk-averse entities and less red tape.

The Commonwealth should not undertake this ambitious work in isolation, and the work of organisations such as the RMIA is important in facilitating greater Commonwealth awareness of best practice. The articles contained in this 2014 RMIA Yearbook highlight a number of different approaches to contemporary risk management issues, and provide great examples of how this information exchange can occur. I congratulate the RMIA on its work in fostering awareness of one of the most challenging aspects for many organisations – managing risk in a dynamic and ever-changing world. The sharing of new ideas and best practice across all sectors of the economy benefits us all, and this is only possible through the dedication and enthusiasm of organisations such as the RMIA.

The Hon. Michael McCormack MP
Parliamentary Secretary to the Minister for Finance



Contents

1 Foreword | The Hon. Michael McCormack MP, Parliamentary Secretary to the Minister for Finance
3 RISK2020: Into the future | Bryan Whitefield, President, Risk Management Institution of Australasia
4 Public sector risk management – not walking early to the winner’s circle | Auditor-General Mr Ian McPhee
6 The Commonwealth Risk Management Policy | Robert Antich, Comcover
7 How risk appetite setting has helped the Bank of Queensland ‘Grow the Right Way’ | Peter Deans, Bank of Queensland
10 Improving road safety | Marian McLean, WorleyParsons
12 Towards resilience management – building a resilient organisation | David Martin, DavRisk & Resilience Solutions
18 Improving performance | Jane Holling
20 Building business resilience | Grant Whitehorn, Risk Management Consulting & Training Services
24 The RMIA National Conference and Exhibition: A retrospective | Andrea Doney, Risk Management Institution of Australasia
28 Peter Moore – Risk Consultant of the Year 2014
30 Managing Enterprise Risk Management at Gallagher Bassett – Andrea Kanserski, Risk Manager of the Year 2014
32 Ian Hord – Highly Commended in Risk Manager of the Year Award 2014
34 Jevon Turner – Highly Commended in Risk Manager of the Year Award 2014
36 RMIA National Conference 2014 | Jeff Jones
38 What is happening to construction project managers when it comes to managing risk?
41 The evolution of the risk management industry | Auto Club and Auto Club insurers Community of Practice Group | Robyn Trigge, Risk RACT Insurance, and David Callanan, RACQ Insurance
42 The challenges of describing a risk
43 Control environment | Barry Davidow and Albert Davidow, Fraud Prevention & Governance Pty Ltd
44 SAI Global’s 360 Degrees of Compliance
46 Risk managers: Five essentials when selecting a technology-based risk management system

Published by: Executive Media Pty Ltd, ABN 30 007 224 204, 430 William Street, Melbourne VIC 3000. Tel: (03) 9274 4200 Fax: (03) 9329 5295 Email: media@executivemedia.com.au Web: www.executivemedia.com.au

The editor, publisher, printer and their staff and agents are not responsible for the accuracy or correctness of the text of contributions contained in this publication or for the consequences of any use made of the products, and the information referred to in this publication. The editor, publisher, printer and their staff and agents expressly disclaim all liability of whatsoever nature for any consequences arising from any errors or omissions contained in this publication whether caused to a purchaser of this publication or otherwise. The views expressed in the articles and other material published herein do not necessarily reflect the views of the editor and publisher or their staff or agents. The responsibility for the accuracy of information is that of the individual contributors and neither the publisher nor editor can accept responsibility for the accuracy of information which is supplied by others. It is impossible for the publisher and editors to ensure that the advertisements and other material herein comply with the Trade Practices Act 1974 (CTH). Readers should make their own enquiries in making any decisions, and where necessary, seek professional advice. © 2014 Executive Media Pty Ltd. Reproduction in whole or in part without written permission is strictly prohibited.


RISK2020: Into the future By Bryan Whitefield, President, Risk Management Institution of Australasia

The founders of the RMIA played a pivotal role in establishing the profession of risk management globally. The dedication and drive of these pioneers in establishing appropriate standards and certification processes set a benchmark for others to follow. Their vision of creating a body of professionals that can inform decision-making at all levels of management and grow community awareness of the benefits of risk management has yet to come to fruition; however, from the meetings I have had over the past year with leaders from business and government, it has become clear that the profession is about to experience a step function change in its acceptance of risk management and the role it will play in the future of society. As the professional body for risk managers, it is imperative that the RMIA rises to the challenge of this impending change, and shows leadership to ensure that the outcome is in the best interests of the community and of the profession.

In January 2015, the RMIA launched a new five-year initiative: RISK2020. Our vision is that by 2020 we will substantially improve the quality and understanding of risk management in Australia, and thereby increase its influence in decision-making at all levels of government, business and the community to the benefit of our society. At the heart of this five-year project will be a fundamental change to the professional certification process, making it completely transparent and more user-friendly, without lowering standards. To achieve this vision, we will be undertaking a range of stakeholder engagement, networking and professional development events, fundraising activities, and a strategic marketing campaign.

To accomplish change in the certification, we will adopt a three-stage process. Stage 1 will be to create a body of exceptional expertise to take on the role of thought leadership for the profession. This will be achieved by creating a new class of certification to be known as Certified Fellow of Risk Management (CFRM). Fellows will be drawn from the existing category of Certified Practicing Risk Manager (CPRM), which is made up of a cohort of the most experienced and talented risk professionals in the country. Stage 2 will be to create a variety of pathways for achieving CPRM status, which recognise prior learning, experience, competency and academic rigour. These pathways will be in keeping with the latest thinking in professional certification. Finally, Stage 3 will be to develop a broad base of young risk professionals looking to make a career in risk management. To that end, we will apply the same pathway principles to the most junior category of certification, which will be known as Certified Practicing Associate.

While these changes to our internal processes will be vital to the success of RISK2020, the initiative will not be successful without objectives that will benefit our clients as well as our stakeholders; therefore, we are implementing an ambitious marketing and promotion campaign to gain government, business and community support. RISK2020 will aspire to improve the quality of decision-making and project delivery in all levels of government; promote the use of risk management strategies in business, and the inclusion of risk management professionals at Board level to deliver improved and sustainable company results; and bring our stakeholders together to address important community issues. To pay for the project, and most particularly the marketing and promotion budget, the RMIA intends to raise $2.5 million through sponsorship, levies and donations.

RISK2020 is an aspirational and ambitious project designed to unite and focus the profession, and to allow us to take advantage of the paradigm shift apparent in the realisation of the importance of risk management in business and government decision-making. It will also deliver on the vision of our founders, and all those dedicated volunteers that have followed in their footsteps.

Bryan Whitefield
President, RMIA


Public sector risk management – not walking early to the winner’s circle Auditor-General Mr Ian McPhee spoke to delegates at this year’s RMIA 2014 National Conference in Brisbane.

Ian McPhee’s presentation to the RMIA 2014 National Conference explored the evolution of risk management in the Australian government public sector. McPhee emphasised that there is still more to be done to embed risk management into organisational behaviour in a way that means all employees can contribute positively to stronger outcomes through more effective engagement. McPhee illustrated his presentation with examples of organisations providing greater visibility to business risks, risk assessments and risk tolerances; and used examples from audit reports to emphasise the challenges in effective risk management. The main message was that the ultimate goal for all organisations is to build risk management into their organisational fabric and culture, so that we have better-performing and more resilient organisations. Necessarily, this requires sound governance for organisations to perform as expected, and to deliver to the required standard. Being alert to these considerations, and being aware of the organisation’s natural strengths and weaknesses, allows organisations to compensate for soft spots as part of their governance and risk management strategies.



All organisations want to manage the risks to achieving objectives, and convert opportunities into advantage. As government policy development increasingly has regard to building resilience in communities to manage the demand for services in more stringent fiscal times, different approaches to public administration and service delivery will be required. This is because such approaches necessarily involve different strategies and greater community engagement, thereby changing risk profiles.

Organisations will need to continue to improve their intelligence gathering, and manage any uncertainties. Most public sector organisations appreciate the benefits of applying risk management approaches, but have more work to do to embed risk management – particularly risk monitoring – into the culture of the organisation, and to assess the effectiveness of their approaches to risk management over time. Various audit reports have shown that ‘set and forget’ approaches are not good enough today.

Management at all levels has a role here in leading by example, improving the way in which risk management approaches and risk tolerances are communicated and monitored, and emphasising continuous improvement and sharing of best practices. For some organisations, there will be a need to grow capabilities and to better capture the learnings from their experience, and that of others, to get the balance right. The clear message from McPhee’s presentation, though, is that we need to engage our people to bring alive the various frameworks, strategies and approaches that we have in place.

At any time, risk management is a good investment; however, in an era when public sector resources are tight, confidence in government has been on the wane, and policy stances and delivery models continue to evolve, effective risk management is essential. It deserves ongoing support from those with governance responsibilities in the public sector so that it becomes part of the culture, and organisations are able to deliver on their core responsibilities efficiently and effectively. Because new risks can be expected to emerge, and because there can be significant changes in known risks, the message for managers here is: do not walk too early to the winner’s circle.


The Commonwealth Risk Management Policy By Robert Antich, Assistant Secretary, Comcover

From 1 July 2014, risk management was ‘hardwired’ into the Australian public sector as a result of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). For the first time, there is now a legislative requirement for agencies (Commonwealth accountable authorities and their staff) to maintain systems and internal controls to oversee and manage risks.

The PGPA Act has provided a unique opportunity to reinvigorate the focus of the Australian public sector on the value of effective risk management. To support this important reform, Comcover has developed the first Commonwealth Risk Management Policy (RM Policy), which was formally launched by the Hon. Michael McCormack MP, Parliamentary Secretary to the Minister for Finance, on 2 July 2014.

The RM Policy is a principles-based policy encapsulated in nine core elements, and it sets out the government’s expectations of the way in which Commonwealth accountable authorities are to undertake the business of government. Key aspects include establishing a risk management framework, defining responsibility for, and ownership of, risks, developing a positive risk culture, and ensuring that there is ongoing communication, consultation and review of risks.

In attending the 2014 RMIA National Conference in October this year, I noted that many of the risk management challenges faced by the Australian public sector are also common to the private sector. Too often, both sectors adopt a ‘set and forget’ approach to risk management, where risk management is poorly understood and rarely discussed. This is something that the RM Policy seeks to change in the Commonwealth. The RM Policy recognises that it is only through embedding risk management as part of the Commonwealth’s operational culture that we can improve decision-making and communication around risk. This means that officials need to ‘own’ risks, and that the risks for which they are responsible are appropriately managed, and are escalated if necessary when risk tolerances are being tested.

Communicating – sharing information – about risks is also critical. For the public sector, a key feature is the need to provide frank and fearless advice to decision-makers about the risks of a future course of action, which also includes potential benefits and opportunities. Having a sound risk framework and practices will enable the public sector, in a fiscally constrained and risk-averse environment, to better identify opportunities for innovative and more efficient policy and program solutions. Fully integrating risk management into the activities of government, however, will take time and consistent effort by our leadership. This is because successful risk management is not just about developing processes and boxes to tick; it is also about fostering a positive risk culture that changes behaviour. This is critical. Getting the right risk culture is about making sure that risk management is integral to the decisions that entities make, and the opportunities that they pursue. Risk management is far more than a compliance exercise or something that ‘gets in the way’ of projects and programs.

Comcover will be strongly supporting the Australian public sector in its transition to the new RM Policy, through a number of new initiatives and training programs. Over time, I expect that this work, when taken with existing Comcover programs like the Comcover Awards for Excellence in Risk Management, and our benchmarking of agency risk management frameworks, will drive real and positive change in the way that the Australian public sector engages with risk.


How risk appetite setting has helped the Bank of Queensland ‘Grow the Right Way’ By Peter Deans, Chief Risk Officer, Bank of Queensland

In March 2012, the Bank of Queensland Limited (BOQ) outlined a new strategy for the organisation. The new strategy had four pillars: Multi-channel Optimisation, Risk-Return Balance, Operational Excellence, and Talent and Culture. The new strategy followed a $450 million capital raising to strengthen BOQ’s balance sheet, and a record loss after tax of $17.1 million (for the financial year ended 31 August 2012). The Risk-Return Balance strategic pillar was critical to establishing the foundations for long-term earnings stability. In early 2014, the four pillars were renamed Customer in Charge, Grow the Right Way, There’s Always a Better Way, and Loved Like No Other. This change was made to improve staff engagement, and to better articulate the strategic pillars to staff, customers and external stakeholders.

One of the important initiatives under the Risk-Return Balance pillar (renamed Grow the Right Way) was to reset risk appetite across the BOQ Group. The risk management division of BOQ, Group Risk Management, led and facilitated this exercise. A new Board Risk Appetite Statement was written in 2012, and a detailed set of limits and triggers was established at the BOQ Group level. The limits and triggers covered a wide range of financial, capital, loan portfolio/credit risk, market risk and operational measures. The discussions held at both the Risk Committee and the Board levels were focused on confirming that the various business strategies (existing and proposed) were consistent with the likely risk outcomes. This analysis also extended to downsides assessments. Regular stress testing of BOQ’s profitability and capital position, for both management and regulatory purposes, provided good foundations for establishing robust limits and triggers for many measures.

Following this, each Business Unit then wrote its own Risk Appetite Statement, and drafted up an accompanying set of limits and triggers for a similarly wide range of measures. The key business units at the BOQ Group in 2014 were Retail Banking; Business Banking, Agribusiness and Financial Markets; BOQ Finance (asset financing); and St Andrews (insurance). The workshops undertaken during this phase looked at existing businesses’ strategies, existing loan portfolios, current financial and business performance, and expected future performance. In some of the business units that already existed, we had measures that we had agreed were currently outside risk appetite. This usually mirrored areas that were already subject to action plans. It was agreed that we would report these as ‘outside risk appetite’ until they came within the limits.

The Risk Appetite Statement process has been an important milestone in the longer-term objective of embedding risk management in everything that is done at BOQ. The reaction from the debt and equity markets has been positive, with a re-rating of the stock having already taken place – in part due to the more disciplined approach to credit. In summary, development of the new Risk Appetite Statements, and accompanying limits and triggers, has seen extensive debate and refinement of business strategies. This is to ensure that the organisation can continue to Grow the Right Way in the future. In recognition of the work undertaken within BOQ in 2013 and 2014, BOQ was awarded Asian Banker’s 2014 Enterprise Risk Management of the Year award for the transformation of risk within BOQ. In addition, Peter Deans was awarded Chief Risk Officer of the Year 2014 by Australian Banking & Finance magazine.


Risk, safety and business advisory consultancy
Take advantage of opportunities and manage risks with QRMC

• Experienced consultants • Accredited auditors • Extensive work portfolio • Professional approach • Quality assured services

QRMC is an independent consultancy firm providing services in the areas of Risk Management, Work Health and Safety, Business Continuity Management and Integrated Management Systems (quality, safety and environmental). We have worked with leading public and private sector organisations across Australia since being founded in 1998. All our services are tailored to suit the specific requirements of individual clients. We can help you to achieve your business objectives and compliance requirements.

• Tailored for your needs • Training & facilitation • Contemporary practices • Tips & guidance
Obligation-free quotes

(07) 3229 1744 enquiries@qrmc.com.au qrmc.com.au GPO Box 199, Brisbane Qld 4001 – delivering nationally


DOES YOUR INSURANCE BROKER REALLY UNDERSTAND YOUR BUSINESS?
Established in 1974. Cost-effective risk transfer and insurance program design. Claims management. Certified Practising Risk Manager on staff.
Insurance Brokers Pty Ltd, 4th Floor, 131 Leichhardt Street, Spring Hill, Brisbane QLD. Australian Financial Services License No: 239179. ABN: 56 070 806 156.
Contact Steve Hamill: (07) 3839 5450 or stephen@comsure.com.au

With Event Logistics you can: CONSIDER IT DONE!
Public & corporate events since 1992
www.eventlogistics.com.au liz@eventlogistics.com.au 03 9531 2587



Improving road safety By Marian McLean, WorleyParsons

Road travel was identified as one of WorleyParsons’ highest health and safety risks when, in 2011 and 2012, WorleyParsons personnel were involved in fatal road accidents in five countries. These events provided the burning platform to implement a dedicated group-wide road safety program, which identified ways to reduce road travel risks for our people, and to provide guidance to our internal and external stakeholders.

In 2012, WorleyParsons signed the United Nations Decade of Action for Road Safety 2011–2020. By signing, WorleyParsons pledged to work towards zero deaths and/or severe injuries. To support this, WorleyParsons developed a plan underpinned by the five pillars of the Decade of Action for Road Safety. One of the key activities was the launch of the 9 Key Safe Behaviors for Driving campaign in 2013; the aim of this program is to educate our employees in the nine key safe driving behaviours identified as integral to road safety.

In addition to an internal focus on road safety, WorleyParsons has participated in a number of community road safety projects – many with donated engineering services. In 2012, employees in Sofia, Bulgaria, orchestrated the installation of a road safety barrier on a six-lane dual carriageway that separates two WorleyParsons offices.

The WorleyParsons Foundation is a key sponsor of the Safe Schools Project, which is aimed at reducing child pedestrian injuries and deaths by improving road safety around schools. Partnering with the International Road Assessment Programme (iRAP), the project conducts assessments of schools across many countries using the global star rating process. The project’s first phase was completed in Cape Town, South Africa. While WorleyParsons has been able to achieve a 34 per cent reduction in our motor vehicle crash rate, we still have a journey ahead of us to achieve zero harm, and this year we commenced a 24/7 campaign that links to non-work-related road travel activities; for example, the use of motorbikes and bicycles. We continue to gather leading practice stories from our projects and locations across the group to promote and share.

Having the engagement of the Board and operational leaders in key risk discussions has helped WorleyParsons to drive the step change we needed to reduce this key health and safety risk. Without a clear risk management framework, this would not have been possible.

Our risk management process is based on the ISO 31000 standard, and our vision is to create a culture in which risk management is embedded in everything, promoting transparent communication and wise decision-making.

The WorleyParsons risk management process is:
• systematic, scalable and tangible; applied across all areas of the business, from delivering projects to opening a new office or exploring new initiatives
• aligned with COSO1 requirements for risk management
• consistent with RAMP (Risk Analysis and Management for Projects).

WorleyParsons delivers projects; provides expertise in engineering, procurement and construction; and offers a wide range of consulting and advisory services. We cover the full life cycle of a project – from creating new assets, to sustaining and enhancing operating assets – in the hydrocarbons, minerals, metals, chemicals and infrastructure sectors. WorleyParsons has a presence in 157 offices across 46 countries, and employs 35,600 people worldwide.

1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organisations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organisational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.


The importance of a strong risk culture One thing that is clear in any organisation is that poor risk culture can be extremely damaging to any business. Risk culture is at the heart of human decisions that govern the day-to-day activities of every organisation. It is relevant to all parts of the organisation, and not just the risk managers. When risk culture goes wrong, the consequences can be devastating and even fatal. Some have even gone so far as to say that it was poor risk culture and lack of accountability that ultimately led to the devastating global financial crisis.

through providing a risk process that is simple and scalable, focuses on accountability, and effectively puts risk management into practice within daily routines. Visit www.riskman.net.au to see the infinite opportunities for improving and maintaining risk culture in your organisation.

Risk culture can be defined as individual and group behaviour within an organisation that determines the way in which the company identifies, understands, discusses and acts on the risks that the organisation confronts, and ultimately takes. In an increasingly volatile world, it has become apparent that organisations need to be robust and capable in the face of both predictable and unpredictable risk. It is therefore imperative that any organisation’s risk management solution is aligned to improving and maintaining an effective risk culture. This can be achieved

MANAGE – MONITOR – ANALYSE

RiskMan.Net is a total information management solution. Start with any module today and expand later: Incidents, OH&S, Complaints, Contracts, Workplace Claims, Expenses, Audits, Investigations, Personnel, Risk Register, Fraud Events, Quality Activities, and any other module you may need.

RiskMan International Pty Ltd, www.riskman.net.au, 61 3 9686 0009


Towards resilience management – building a resilient organisation By David Martin, DavRisk & Resilience Solutions

Hit by a tornado in Sydney! Imagine yourself sitting at home enjoying a late-night movie and, without prior notice, the wind suddenly increases to such intensity that you think the roof of your house is about to lift off. Well, this recently happened to me in a quiet area near Camden, 60 kilometres south of Sydney, where I experienced what it was like to be in a building hit by the full strength of a tornado!

Unprecedented change We are now living and operating in a world of unprecedented global change, with an increase in natural disasters, which stretches risk management professionals to meet new and immediate challenges and to think further ahead. The increasing rate of natural disasters, particularly over the past year, coupled with increased frequency and longer durations of events, has raised the need to manage the human consequences of such events while maintaining critical business activities and operations. These events and actions lead us to the next generation of thinking, as we see risk management, emergency management, crisis management, business continuity management, disaster recovery, testing and maintenance of plans moving towards an integrated concept of resilience management – so resilience is not just a ‘buzzword’.

A resilient organisation is one that is able to achieve its business objectives and realise opportunities – even in the face of adversity.

Despite many businesses having programs that include enterprise risk management, business continuity and disaster recovery programs, they have failed to achieve a higher level of resilience and survivability in times of adversity and chaos.

The resilience challenge Forward-thinking leaders are experiencing wake-up calls, with wider-ranging, more complex and compounding ‘wild’ risks and vulnerabilities creating the need to develop a proactive and robust business resilience strategy, supported by a resilience management framework.


There is also the need to create and embed a resilience culture that encourages ideas and knowledge to be brought together, coalesced and acted upon through people working together and, above all, having the ability to adapt to the ever-changing environment. Changing corporate culture and mindsets is not an easy task.

The challenge includes the application of knowledge, innovation, education and training to build a culture of safety, in order to embed resilience at all levels and to ensure a ‘people safe/place safe’ concept, including:
• identification of key vulnerabilities
• the need to develop a road map for approaches, methodologies and processes to meet new challenges
• identification of key drivers in leading and managing a resilience management program
• development of resilience indicators and building adaptive capacity
• realising the benefits and value-add, and how this can be measured.

Figure: A simple resilience management framework – resilience management policy and framework. The framework assists in building and implementing an integrated process from preparedness, recovery and resumption to business as usual.

New generation of thinking and actions This requires management to fully understand:
• the concept of resilience
• how to identify emerging challenges and ‘wild’ risks
• lessons learnt from recent major earthquake experiences in Christchurch, Japan and China
• what effective resilience management is
• how to build resilient and sustainable organisations
• how to apply lessons learnt – such as Toyota’s experiences during the Brisbane floods and North Queensland cyclones, and the impact of the Fukushima combined tsunami, earthquake and nuclear power plant failure – from a resilience perspective
• how to stay abreast of hot topics
• how to think about ‘where to from here’ – beyond resilience to sustainable businesses.

Increasing situational awareness will provide a greater understanding of vulnerabilities that can critically undermine business performance.

An essential first step in introducing and embedding a resilience management framework is to develop the policy and framework documents together with a set of procedures, plans and manuals that provide guidance on risk management, incident management, business continuity management, crisis management, and disaster recovery. The framework provides an outline for the development of an enterprise-wide resilience management culture in the business, incorporating a rolling action plan with a six-monthly cycle of review – things happen more quickly these days.


The following documents need to be incorporated into the resilience management framework:
• risk management policy and plan
• emergency response plan
• incident management, and response policy and manual
• business continuity and crisis management policy and plan.

Emerging risks You should be thinking about the next five years – to 2018, which is the particular year that you should be considering. Why do I say this? Take yourself back five years and write down the key risks and major events at that time. Write down today’s risks, major crises and disaster events and their key drivers, and compare the differences. Put yourself in the same seat and write down the risks that you believe you are likely to face in 2018 – this is where your thoughts will need to be directed. Effective risk management means that management needs to know and be able to articulate its risk appetite, and what risks it is prepared to take. Our world is rapidly changing, and the following are examples from the past year or so.

The changing environment – extreme weather conditions Extreme weather conditions and temperatures have had an increased impact on firefighters, SES and emergency services personnel, who are being called on to cope for extended periods. This has caused higher levels of fatigue, and has resulted in these people taking increased risks when there has been a reduction in their resilience; in some cases, these risks have resulted in deaths. Evacuation is not always possible, as areas in a crisis become congested, and new guidelines are required to cover extreme events.

New era and new challenges Recent incidents have occurred in Boston, New York, London, Japan and Australia, including New South Wales bushfires at catastrophic levels, continuing floods in Queensland, and cyclones and tornadoes in Northern Victoria and south-west of Sydney.

Extreme conditions and bushfires in Australia have recently reached catastrophic levels, with temperatures reaching 50 degrees Celsius in some parts of Australia during summer – this can occur once or twice a week. These conditions call on the utmost resilience of emergency services, firefighters, communities and businesses, which can find it difficult to cope. It is also difficult to predict such extreme events, and often their frequency and duration are overlooked.

Boston Marathon terrorist attack The homegrown deadly terrorist attack on a crowded street in Boston on 17 April 2013 brought the eyes of the world to Boston within minutes. The attack occurred during a marathon event that was attended by record numbers of spectators, which resulted in three deaths and a large number of crowd members becoming amputees. The city, businesses and schools were shut down for three days, and one million people were ordered to stay in their homes as they tracked down one of the terrorists. Resilience was the key word used during this chaos – of the community, businesses and government officials.

New York – Hurricane Sandy This event changed the global landscape for managing unscheduled disruptions and crises, due to the wide area that it covered and the difficulty in predicting paths of cyclones and hurricanes. Seven million people were impacted by power outages, as were a significant number of businesses. Underground services were subjected to extensive flooding and long periods of outages. The flooding of road tunnels damaged the water supply network, which took weeks to restore.

Japan – Fukushima The combination of ‘wild’ risks, including a tsunami, an earthquake and the failure of a nuclear power station, resulted in multiple deaths and total destruction of infrastructure. The outcomes of this crisis have initiated new reforms and innovative thinking on infrastructure and the design of nuclear power stations. Major new risk categories eventuated, including fear in the community; people, crops, food and fish being exposed to radiation; and an extended lack of power supply, which impacted production on major brands like Toyota and Sony, and increased supply chain risks.


Christchurch earthquakes – three years on

Christchurch was hugely affected by the 2011 earthquakes

During a recent visit to Christchurch, it was devastating to see the situation three years on from the major earthquakes. There is plenty of evidence of the quakes remaining – buildings that are still shored up, churches that are closed forever, and cleared sites throughout the city and suburbs, where buildings and houses once stood, with no foreseeable replacements.

Research workers have been evaluating the impact on workers three years on from the devastating Christchurch earthquakes, as well as the continuing uncertainties in the city. Five main categories of worker have been identified:
1. those who continue to be overwhelmed by the earthquake
2. those no longer able to cope with the cumulative impacts of different working conditions and increased tasks
3. those with continuing uncertainties coupled with increased and changing workloads, stress, anxiety, and fatigue, all of which led to reaching ‘tipping points’ where they felt compelled to leave
4. those forced to stay at home when their organisations were closed for an extended period. During this period, people who were struggling to cope and had felt trapped in their jobs before the earthquake could begin to look for new employment, some of which was created by the events
5. those whose work perspective changed, resulting in different challenges and priorities in their lives.

Research showed a strong recovery in the population, with net positive migration. Churn with opportunities to rebuild was being driven by the construction sector, and there was significant growth in professional services businesses. (Reference/Source: Christchurch The Press, 10 September 2013.)

Our changing response

Social media has led to speeding up communication significantly in a crisis, and we no longer have that initial ‘golden hour’ in which to make crisis response decisions.

In embedding resilience, we need to be more adaptive, and proactive (rather than reactive), and it is vital that lessons learnt are documented and acted on promptly. These elements should be a priority in embedding resilience. Resilience is more about ‘bouncing forward’ – faster than just simply ‘bouncing back’ – and is about embedding resilience in the organisation’s culture, coupled with strong leadership. The challenge is in the embedding process, which requires a new level of thinking. As a start, consider:
• combining planning with adaptive capability and capacity
• focusing on innovation and creativity
• integrating resilience disciplines
• moving from an IT-centric focus and continuity of operations to an ‘enterprise readiness resilience’ program, and embedding a resilience culture


• moving from checklists to adaptive behaviour
• broadening business continuity management (BCM) policies and frameworks
• building transition programs for resilience training, and testing programs that are vital to changing culture and work practices.

This requires radical new thinking on changed behaviours in a chaotic situation, and the best way to integrate and embed this thinking into current management systems and crisis management processes is to be able to act quickly and with confidence. Remember, it is the people who are the key in chaos management.

Designing systems for resilience management

Here lies yet another challenge in the context of business continuity and crisis management: linking vulnerability considerations on internal and external stress introduced during a crisis, and the impact on people and systems.

Building an adaptive capacity

We need to be cognisant of the similarities, key differences and links between vulnerability, resilience and adaptive capacity in coping with, and managing, the response to the situation. This includes the ability and capacity of people and systems to adjust – not forgetting the impact of the duration of an event, which is another major factor to be considered. The key challenge is to be able to maintain, or even enhance, responses to unscheduled disruptions or a major crisis in the face of adversity. Adaptive capacity is about the ability to reconfigure people’s actions and systems performance with a minimum loss of function in a complex crisis situation, including the following:
• The ability to work and perform in changed circumstances and uncertainty under increased stress levels. Ask yourself, ‘Have I, or my close associates, been trained for such occasions?’
• Combining people’s different temperaments, fields of knowledge and experience, which can modify people’s behaviour, particularly in changed and stressful circumstances.

The changing environment and new normality are key drivers in planning and managing for tomorrow, and in developing innovative resilience frameworks.

Behaviour The proposal here is that resilience is key to enhancing adaptive capacity – but how to implement resilience is the challenge. Any further deliberations fall outside the scope of this article, but the subject is included as a prompt for further thought.

Chaos management Increasing turbulence is now a fact of life for businesses and communities, and it has become increasingly difficult to predict. Consequently, there is a need to become more responsive, robust, adaptable and resilient.

An enterprise-wide resilient organisation is one that:
• survives in the face of adversity
• maintains customers’ and stakeholders’ perceptions
• provides a level of trust
• is more successful in fulfilling new opportunities
• steers more clearly through turbulent and chaotic times
• has strong and consistent leadership.

Concluding remarks The recent catastrophes of the devastating tornados in Texas, the Boston Marathon terrorist attack, the massive explosion and fire in the Boston fertiliser factory, Hurricane Sandy in New York, and the combined earthquake, tsunami and nuclear power plant failure in Japan (Fukushima) are just some of the events that highlight the absolute need to have current, meaningful and tested emergency response plans, crisis management plans, business continuity management plans, IT disaster recovery security, and highly reliable leadership from the top. The frequency, duration and impact levels of recent crisis events have reinforced the imperative need to consider raising the focus on integrating resilience disciplines for government, businesses, communities, hospitals, the various emergency services groups, families and individuals. We are now living and operating in a new era of normality, where resilience has become a key phrase and needs to become a key paradigm supported by new processes, procedures and adaptive capacity. Resilience considerations must now be included as part of big business and small business models, which requires a new focus, and building the following into the planning process:
• being aware of the key drivers of change, and being able to anticipate and plan changes actively
• implementing the ‘best fit’ in challenging the new world and the multiple interdependencies


• building and embedding a culture of resilience and adaptive behaviour with a single line of sight on risk management, incident management, emergency response, business continuity management, crisis management, chaos management and disaster recovery – and ensuring that this is embedded and led from the top
• being able to not only bounce back, but also to bounce forward, and faster.

The links between vulnerability, resilience and adaptive capacity are paramount, and I suggest that you ask yourself the following questions:
• How much adaptive capacity does my business or organisation have?
• Are there a few quick and simple steps that I could take to understand whether there is a gap between current adaptive capacity and a minimal level to survive in a major crisis?
• Are there just two or three things that are low in cost and can be implemented quickly, and that would increase the adaptive capability of my business or organisation and make it more resilient?

Business leaders must have the courage and commitment to ask the hard questions, and have even more courage to accept and implement the harsh answers, even in the face of adversity. A conservative approach to risk and resilience is likely to be the greatest risk of all.

David Martin, Managing Director, DavRisk & Resilience Solutions, davmus@bigpond.com.au

About the author David Martin is the Managing Director of his own management consultancy business, DavRisk & Resilience Solutions, based in Sydney, which specialises in value-add solutions in risk management, emergency management, business continuity management, crisis management, disaster recovery, security, and pandemic planning. He started his career as an aeronautical engineer, including working with the Concorde design team. Martin holds an MBA and a degree in Aeronautical Engineering, is a fellow of the Australian Institute of Management and a member of the Risk Management Institution of Australasia, and was awarded the Citizen of the Year award in 1993.


Improving performance By Jane Holling

As risk managers, one of the hardest tasks that we face is to demonstrate the value that we’re delivering. Through helping our organisations to identify and manage risks, we’re enabling better performance – working more efficiently and collaboratively, and helping to communicate information to decision-makers. The more mature our risk management program is, the better the information is for making decisions, and the more likely we are to achieve our objectives. So, how do we demonstrate and communicate our risk management program value and improvements?

One option is to assess and track improvements in risk management maturity. The risk program supports the decision-making environment for each business area, so the maturity assessment checks whether the framework components (such as risk processes, skilled facilitators, awareness and tools) are in place. The Australian Securities Exchange (ASX) corporate governance principles recommend an annual review, and the ISO 31000 risk management standard reminds us through principle K that ‘risk management facilitates continual improvement of the organisation. Organisations should develop and implement strategies to improve their risk management maturity, alongside all other aspects of their organisation.’

Assessment criteria To track and demonstrate progress and improvement of our risk management performance, we need quality criteria against which to measure our maturity. These criteria can be developed from a set of principles, such as in the ISO 31000 standard or an organisation’s risk management policy. It’s important to ensure that the criteria are clear, are applicable across the business, are uniformly applied (not subjective), and can be seen or verified.


The scale should provide several levels – from basic through to leading practice – for each principle (leading practice will likely extend beyond the current capabilities of the organisation, but provides a vision for what can be achieved). Each level should have practical evidence to reflect what is required for that level of maturity (such as risk registers, position descriptions, documented responsibilities, and agenda items for discussing risk). Providing examples that can be verified helps business areas to self-rate accurately and honestly, and to have a uniform understanding of what leading practice is. It also provides a platform for audit to verify self-assessment results.

Engaging the organisation To build a profile of organisational performance, people from a range of roles and seniority levels need to be engaged in self-assessment activities. Developing a diverse range of perspectives helps us to establish how good we are at risk management, and how much better we want to be. A variety of positions can be surveyed (such as project managers, compliance managers, business planners, and health and safety managers). A survey is a simple option for collecting data from a broad range of perspectives on the current state of risk management maturity.

It’s also important to engage with the Group Executive, or leadership at a level that is able to influence the allocation of resources to commit to improvements.

By providing them with a report on the results from their business area self-assessment, you help them to drive accountability and verify whether or not their business area is as mature and consistent as they expect for the current level of risk management maturity. It provides the opportunity to offer recommendations and guidance on areas of the risk program that can be improved, and the value of these improvements to the business. It also allows them the flexibility to select targets and areas that they’re most keen to focus on improving, and to develop these into an action plan.

Reporting to the Board or Risk Committees provides useful insight on the current state, the rate of improvement, and comfort regarding whether a sound risk management framework is in place. The targets for improvement and progression against the action plan demonstrate a commitment by each business unit individually – and as a group – to meet the targets.

Action plan To ensure that the risk management maturity assessment goes beyond measurement to improvement, it’s important to develop an action plan with clear accountability and timelines to improve performance. This plan should be prepared by the risk champion, who will drive the action plan to increase maturity, as that person is best placed to understand what’s achievable with the resources available. The plan needs to be agreed to by the person who funds the resources to deliver it, in order to secure real commitment to change, and they are accountable to oversight committees. Having clear criteria from the maturity assessment scale available for each person to refer back to provides a common understanding and platform to work from. For example, the business area might be at maturity level 3 for people and skills, which means that someone informally does risk management facilitation. To progress to level 4 means that they have risk management activities formally documented in their job description, and have training; then, the action plan needs to include those actions to move up a level of maturity when the business performs the self-assessment again in future. These improvements across each area of the organisation can be aligned with the risk management plan to improve the maturity of the risk management program as a whole. It provides an opportunity for group risk functions and business unit risk functions to discuss and align risk management plans for the year ahead. It can create common focus areas of improvement, while still allowing for flexibility, and demonstrates the commitment to improvement and a common vision to work towards.

Review

Reviewing and reporting progress against the action plan helps to drive accountability, and keep the action plan and performance improvements on track.

Reviews of progress against the plan should be conducted by the business (first line of defence), the risk facilitators (second line of defence) and the audit (third line of defence). Reviews can also be benchmarked against industry data (this service is available from a number of consulting firms). By assessing our performance against quality criteria, and engaging the business to develop a perspective of the current state and target state linked to an action plan that is reviewed, we help to drive a common understanding of our risk management maturity journey. The more mature our risk management program is, the better the environment is for making decisions, and the more likely we are to achieve our objectives.


Building business resilience By Grant Whitehorn GCertRiskMgt, CPRM, MAICD, FRMIA, ANZIIF (Fellow) CIP

In less than a decade, the term ‘resilience’ has evolved from the disciplines of materials science and environmental studies to become a concept used liberally and enthusiastically by politicians, government officials, expert practitioners and academics. It suggests the ability of something or someone to recover and return to normalcy after confronting an abnormal, alarming and often unexpected threat. Resilience embraces the concepts of awareness and anticipation, detection, communication, reaction (and, if possible, avoidance), recovery and adaptability. These are essential features of the daily struggle for life, and they are founded in our basic survival instinct. Resilience also suggests the ability and willingness to adapt over time to a changing and potentially threatening environment. The concept of organisational resilience was first used to describe the need for companies to respond to a rapidly changing business environment. Hamel and Välikangas showed great foresight in their paper ‘The Quest for Resilience’, published in the Harvard Business Review in September 2003, by predicting a global economic crisis later in the decade that would lead to the collapse of a number of iconic United States companies. The authors argued that successful organisations were those that understood the dynamic nature of their business environment (competitors, technology, the availability and cost of finance, taxation, government policy, and their customers’ needs and expectations), and who were able and willing to adapt to sudden and large changes to the environment. In this regard, Hamel and Välikangas argued that successful organisations should evolve like resilient ecosystems, constantly adapting to reflect the changing external environment.

Hamel and Välikangas, and others, argue that companies that rely on legacy products and traditional customers are not resilient, and will suffer most in an economic downturn. As with failing ecosystems, organisations that do not adapt will collapse, later to be replaced with new and more efficient organisations that are better suited to the new environment. Over the past five years, the concept of organisational resilience has changed its focus as organisations in the private and public sectors have redefined the extent and scope of the threats that they face. As our society becomes more complex and interdependent, we are becoming more vulnerable to disruptive events from a broad range of threats and hazards. If not properly managed, a disruptive event can escalate into an emergency, a crisis, or even a disaster – as was recently evidenced by a range of natural disasters impacting millions of people and crippling economies. Such an event can taint an organisation’s image, reputation or brand, in addition to resulting in significant physical or environmental damage, injury or loss of life.


Resilient organisations should have a flexible staff and adaptable supply chains; a range of products that satisfy a range of customers; and agile organisational structures.


Seville, Brunsdon, Dantas, Le Masurier, Wilkinson, and Vargo suggest that a resilient organisation is one that is ‘… able to achieve its core objectives in the face of adversity. This means not only reducing the size and frequency of crises (vulnerability), but also improving the ability and speed of the organisation to manage crises effectively (adaptive capacity). To effectively manage crises, organisations also need to recognise and evolve in response to the complex system within which the organisation operates (situational awareness), and to seek out new opportunities, even in times of crises’. Businesses must also realise that they don’t operate in isolation from the rest of the world. They need to understand their interconnections, constraints and dependencies, as well as how they interact with employees, stakeholders, communities, other organisations, industry sectors and government, if they are to clearly articulate their operating context and boundaries of vulnerability.

The international terminology index of risk management definitions, known as ‘ISO Guide 73 Risk Management – Vocabulary’, defines resilience as the ‘adaptive capacity of an organisation in a complex and changing environment’. One might suggest, therefore, that the core competencies for business resilience are based on three key areas: situational awareness, managing vulnerabilities and adaptive capacity. For a business to build resilience, it must have the ability to clearly comprehend the context of its operating environment, to understand its key vulnerabilities and how to mitigate them, and to demonstrate leadership so that it is flexible enough to adapt to the changing business landscape. Interestingly, Charles Darwin (1809–1882) famously said, ‘It is not the strongest or most intelligent that survive, it is the most adaptable to change’. This appears to be as true today as it has ever been.

Think about how many local businesses, global corporations, financial institutions or even governments went broke or collapsed as a result of the recent global financial crisis. Were they too large and complex for their silo-based organisational cultures to adapt to the turbulent and rapidly changing environment that unfolded? Perhaps. Others might suggest that there was a complete lack of integrity and ethics in their approach to business. Australia’s Resilience Community of Interest, which forms part of the Trusted Information Sharing Network in the Federal Attorney-General’s Department, states that organisational resilience is a combination of leadership, organisational culture and attitude, policy, plans, processes and procedures.

There is no common blueprint for a resilient organisation; however, resilience is strongest in organisations that show all or a combination of the following attributes:
• anticipates emerging threats and understands their impact on the organisation’s goals and strategic objectives
• provides strong leadership that articulates and encourages the implementation of the organisation’s goals and strategic objectives, even in times of crises
• nurtures and supports its workforce
• fosters a partnership with critical supply chain partners and community stakeholders
• possesses an ability to respond to, and recover from, disruptions quickly
• develops an integrated management approach, embracing quality management, risk management, environmental management, security management, emergency management and organisational resilience.

Organisations that have already adopted management systems such as ISO 9001:2008 (Quality Management) can draw on existing work and management experience in developing policies and plans to build and manage their organisational resilience. Many organisations perceive themselves as being fairly ‘resilient’, but how many of these organisations have actually measured their ‘resilience maturity’? Numerous organisations have quality management systems and business excellence frameworks in place, but do these measures provide a benchmark for business resilience alone? Some organisations have programs and initiatives that encourage leaders to focus on the key requirements and influencing factors of their cultures and strategies, including risk. Some even focus on their organisational capabilities and supply chains, and by doing so improve the performance of their respective businesses. But are we really doing enough to build business resilience? According to research from global strategy consulting firm Palladium, only 30 per cent of Australian firms have strategic risk indicators in place, and fewer still have integrated these into their management systems. So how do organisations assure themselves that these risks are under control, and that a clear strategy is in place to address them?


Some things that businesses might like to consider include the following:

• Would everyone in the organisation know what to do if their office was destroyed in a catastrophic fire? How would they continue to deliver client services and meet contractual obligations?
• How do organisations fulfil their duty of care with regards to staff welfare? Considering that some organisations face significant mobility and security issues in their global operating environments, can they guarantee staff safety wherever employees are working?
• What does the business risk profile look like, and do organisations have cost-effective mitigation strategies in place to maximise the achievement of objectives?
• Do organisations have risk-based audit programs that link to their risk profiles?
• Do organisations have information security management systems in place to protect their intellectual property in accordance with ISO/IEC 27001:2005?
• Do organisations clearly understand their supply chain constraints and dependencies? Who do they rely on, and for what? Will these things always be available when they are needed? Do organisations have a system in place that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving security management of their supply chains?
• Does every business have a succession plan in place to deal with the sudden loss of key personnel?
• Is the business prepared for the next global financial crisis?

To ensure that businesses have the right tools in place to combat these challenges, I have provided a basic list of behaviours, practices and strategies that an organisation should consider (see facing page); however, simply having these things is not enough – the key is to constantly measure the effectiveness of whether these approaches actually make a difference and contribute to the organisation’s resilience.

The programs and initiatives in this list are by no means exhaustive, but they are a sensible basis on which to start moving the organisation in the right direction. Conversely, not embarking on a cultural change program or starting a dialogue to enhance business resilience may have a long-term detrimental effect on strategic direction, business success, customer satisfaction, staff retention, profitability and performance.

About the Author
Grant Whitehorn GCertRiskMgt, CPRM, MAICD, FRMIA, ANZIIF (Fellow) CIP
Principal Consultant, Risk Management Consulting & Training Services

Grant Whitehorn is an experienced risk and governance professional with more than 15 years’ practical experience in the implementation of risk management in organisations across the government, corporate and not-for-profit sectors. Grant is a Certified Practising Risk Manager, Certified Insurance Professional, Fellow of the Risk Management Institution of Australasia, Fellow of the Australian and New Zealand Institute of Insurance and Finance, and Member of the Australian Institute of Company Directors, and holds a Graduate Certificate in Risk Management from Griffith University. Grant was formerly the President, Chief Executive Officer, Company Secretary, ACT Chapter President and National Conference Director of the Risk Management Institution of Australasia. Grant is recognised by industry as an experienced risk management trainer and adviser, and can be contacted via email: grantwhitehorn@icloud.com, or phone: 0401 168 123.

References:
ISO Guide 73, Risk Management – Vocabulary, 2009
Charles Darwin (1809–1882)
Trusted Information Sharing Network (TISN), Australian Attorney-General’s Department
Hamel and Välikangas, ‘The Quest for Resilience’, Harvard Business Review, September 2003
Draft Organisational Resilience Standard, 29 January 2010
Palladium Research, 2010
Peter Brouggy, Resilience Maturity Model Quick Assessment Tool, 2008
Dr Erica Seville, ‘A framework for evaluating and improving organisational resilience’, December 2007


BEHAVIOUR / STRATEGY

Agility
• Encourage open learning and discussion about failures – do not apportion blame.
• Break down hierarchy and evolve to a loosely coupled, flatter organisational structure – remove the silos.
• Encourage ideas from all parts of the organisation, not just the privileged.
• Capitalise on incidents and seek opportunity from adversity.

Integration
• Align all organisational risk management functions.
• Evolve to a strongly aligned governance structure.
• Encourage tightly coupled communications across all functions.
• Balance silo-based incentive schemes with whole-of-business performance incentives.

Interdependency
• Remove the hierarchy and key-man dependencies, and devolve the decision-making.
• Invest in mutual understanding, and build strong bipartisan relationships with all interdependent parties.
• Factor the interdependencies into risk plans.
• Encourage support within and across the business, and reduce the internal competitiveness.

Leadership
• Ensure that the organisation’s leaders have clear objectives, goals and direction.
• Define the vision, purpose and values of the organisation.
• Ensure that leaders walk the talk.
• Encourage partnerships rather than bureaucracy.
• Encourage mentoring relationships.
• Ensure that leadership development programs are entrenched within the organisation.

Awareness
• Drive the organisation to become fully aware of, and engaged with, the internal and external environment.
• Drive the organisation to become fully engaged with the local community.
• Fully understand the supply chain and conduct exercises with partners to test resilience.
• Develop the ability to anticipate unexpected threats.

Change
• Embrace change as an opportunity to grow the organisation and to achieve strategic advantage.
• Manage change with diligence, and change within the organisation if it is ineffective.

Communication
• Encourage open and collaborative communication within the organisation, and to external partners.
• Break down the silos.
• Develop effective communications systems that enable a consistent and clear message.
• Identify the stakeholders and their stake holding, and develop strategies for communication.

Culture and values
• Focus on value, not cost.
• Develop a strong unity of purpose.
• Make the organisation’s values simple and easy to relate to.
• Incentivise and reward actions that align with the organisation’s values.


The RMIA National Conference and Exhibition: A retrospective By Andrea Doney, Events and Sponsorship Executive, Risk Management Institution of Australasia

The RMIA’s annual National Conference and Exhibition took place at the Brisbane Convention Centre from 1–3 October 2014. RMIA’s Andrea Doney provides a summary of the company’s cornerstone event.

When we sat down to contemplate the 2014 National Conference and Exhibition in April 2014, with around six months’ planning time, we knew that we were in for a big challenge! Fortunately, the RMIA has a wealth of resources within its membership database, and we were able to confirm a really diverse range of speakers across six topic streams, including Enterprise Risk Management, Business Continuity, Financing and Insurance, Appetite Culture and Leadership, Human Culture and Workforce, and Security Risk. By the Conference’s opening, we had nigh on 300 registered delegates, and excitement was running high.

The Conference’s first day is traditionally a day of workshops and networking. Some high-quality panel discussions took place around a diverse range of risk topics. Delegates made use of the various breaks to browse the excellent exhibition space, where 20 risk product providers showcased their wares and interacted with potential clients. Pan Software has been a great supporter of the RMIA for many years, and 2014 was no exception, with the company showcasing itself through a dynamic Top Gear-style interactive car-racing game, which enticed delegates to blow off a little steam around Germany’s famous Nürburgring racetrack. Delegates had great fun screeching around the virtual track in pursuit of the fastest lap time in the hopes of winning an iPad. Other exhibitors included Noggin IT, dorsaVi, QRMC Risk Management, RSA, Tickit Systems, Know Risk, Cura Software, Sword Active Risk, GRC Solutions, NTT Data Figtree Systems, Paladin Risk Management Services, SAI Global, RISQ Group and TripStop.


On the evening of the first day, we welcomed all delegates with reception drinks on the stunning terrace balcony of the conference facility. GRC’s Liam O’Brien gave a short introductory speech, after which delegates enjoyed a relaxed and stylishly casual evening function overlooking the stunning Brisbane skyline. The Conference’s second day traditionally marks the start of the real substance of the event. RMIA President Bryan Whitefield welcomed all attendees, and introduced one of our keynote speakers and RMIA Patron, Australian Auditor-General Mr Ian McPhee. Ian provided a captivating and useful insight into public sector risk management. He then passed the baton to the morning’s second keynote speaker, the Hon. Michael McCormack MP, Parliamentary Secretary to the Minister for Finance. Michael impressed us with a confident, funny and concise case study of the new Commonwealth approach to risk management. Both speakers then made themselves available to answer questions from the floor.

After the morning’s formalities, the conference continued to deliver. One of the highlights of the morning was a fascinating presentation by Tigerair’s Chief Pilot, Harry Holling, who spoke about managing risk in an airline. Since the audience comprised many regular airline passengers, the presentation was entertaining on many levels. Harry enlightened the room on the many levels of risk that govern airline and aeroplane operations, and how genuinely safe air travel has become. He also touched on the risks affecting other airline carriers in the wake of recent global events, and provided metaphors for every sector of the risk economy. After the morning break, the Conference diversified into its six streams once again, before regrouping in the afternoon for the day’s final keynote addresses. Marian McLean from WorleyParsons focused on material HSE risk before Mark Hamill from the Fortescue Metals Group took the stage with the day’s most engaging title: ‘Adventure without Risk is Disneyland’. Once again, both speakers answered a series of questions from the floor with clarity and authority.

The highlight of the second day’s proceedings was undoubtedly the evening’s gala dinner, which gave all delegates a chance to kick up their heels after a tough day’s debate. The theme of the event was the 1920s, and the ladies (and even a few gents) swung into the spirit of the night, donning feather boas and beads. The Annual RMIA Risk Awards were also presented, and we once again congratulate our deserving winners. The Risk Student of the Year Award went to Tegan Farley, with Melinda Kershaw being the worthy runner-up. The Risk Manager of the Year Award was won by Andrea Kanserski of Gallagher Bassett, with Ian Hord and Jevon Turner receiving notable mentions. The Risk Consultant of the Year Award was won by Peter Moore. Steven Cvetkovic also deserves a mention for his achievements in this category.
Finally, we paid tribute to some sterling contributions from the RMIA member community, and we were pleased to award Kevin Mutch with the Lifetime Achievement Award. Special mention also goes to Chris Douglas for being RMIA’s Volunteer of the Year. Once the awards were presented and our champagne glasses considerably emptier, it was time to celebrate RMIA’s 10th birthday with a beautiful cake and a lighthearted song. Bryan Whitefield once again did us proud when he cut the cake in celebration of RMIA’s 10 years of dedicated service to the risk management community. Before the band took to the stage once again, Brenton Scroop, President of our South Australian chapter, announced that next year’s Conference will take place at the Adelaide Oval in November. Following his video presentation, Pan Software awarded prizes to the winners of their fun photo booth competition. No doubt I don’t need to describe the events after that; suffice it to say, many heads were a bit sore the next morning! My thanks to the Conference venue staff for a great evening’s food, wine and entertainment. It will not be forgotten in a hurry.

The final day of the Conference commenced with a Plenary Session and CEO Forum conducted by Matt Tice, Managing Director of Palladium, Andrew Ronchi, CEO of dorsaVi, and Gino Calvisi, Managing Director of Retail FM. Peter Deans, Chief Risk Officer of the Bank of Queensland, then outlined the methods of risk-taking and risk management in a financial institution. Both sessions enjoyed capacity attendance, and the speakers delivered informed, insightful and confident presentations. Subsequent to the conference, these sessions garnered some great media coverage, as well. The breakout streams commenced again after morning tea and lunch, with Guy Underwood from the RISQ Group providing the day’s final keynote on managing corruption risk.

After three frantic days on the ground listening to a range of feedback from all levels of attendees, I am pleased to be able to call the Conference a significant success. As many delegates acknowledged, the RMIA has had more than its fair share of challenges in recent years, and the conference marked a noticeable turnaround in attitudes, energy levels and interest in the organisation. Since returning to Sydney, membership numbers have grown steadily, and interest from new and existing sponsors is strong. All of our exhibitors have committed to returning in 2015, and many want to increase their sponsorship profile. We are enthused and invigorated by the acknowledgements, suggestions, feedback and fervour that we have received, and buoyed by several great ideas and initiatives for 2015’s planning. I would like to take this opportunity to thank the RMIA team for their significant efforts over this period. Our President, Bryan Whitefield, has captained the ship through troubled waters in recent months, and deserves kudos for his patience, insight, thoughtful guidance and unsurpassed expertise. Our thanks, too, to the Chapter Presidents, the Conference committee, the Conference organisers and RMIA staff for being willing and able to take on a huge range of tasks under very challenging conditions, and for the collective efforts that led to such a sterling achievement. The 2014 Conference brought together almost 300 delegates, 72 speakers, and 20 sponsors and exhibitors – not to mention their guests and staff – to form the most significant gathering of the risk tribe in recent years. As our focus turns to Adelaide in 2015, we are renewed and enthused by the lessons learnt and the conversations had, and we look forward to an even bigger and brighter event next year.


The importance of business resilience planning

Marcus Turner, HTM Group Director Governance and Risk

Our world is a place of many risks. Today’s news is full of terror alerts, domestic security issues, bushfire hazards and extreme weather conditions. But is your business prepared to meet the many day-to-day business risks, let alone the various external issues?

While many large businesses will have business continuity plans (BCPs) in place, small to medium-sized businesses remain, in many cases, almost fatally vulnerable to crisis, and insurance can only cover so much. Where training and evacuation are required under legislation, experience shows that many businesses at best pay lip service to these obligations, and very few think of the broad benefits of establishing true business resilience by ensuring BCPs cover far more than just fire.

The benefits of resilience help you to understand critical vulnerabilities and risks, and support you in demonstrating management of certain insurable risks.

Ultimately, protecting your business, your staff and your customers can help you keep your head when all around are losing theirs. The challenge is to review your BCPs, ensure they truly support your business objectives, and, in the interests of existence, practice, practice, practice. Now is the time to apply a little uncommon thinking and, as the saying goes, don’t learn to dance on your wedding day.

The Achilles heel for many organisations’ risk management systems is implementation. HTM Group is uniquely placed with expertise across risk, emergency management, engagement and corporate communications to help organisations get the best from their investment in risk management.


Peter Moore – Risk Consultant of the Year 2014

My journey as a risk management consultant commenced in 1997, 17 years ago. I had sold a business that I’d started in 1990, with two partners, in the software engineering and systems integration industry. One of my past clients requested that I carry out a risk assessment – in particular, a Y2K (year 2000) assessment – on their business and operations. It was a fertiliser manufacturing plant with technically complex, logic-based controllers and operating systems.

I believed that I had a good understanding of risk management, as I had taken and managed a good deal of risk in starting, building and managing my own business. I prepared a proposal to carry out the work, and was successful in my bid. That was the commencement of my risk management consulting career. As the year 2000 passed and the world did not collapse, the nature of the risk consulting work I was doing changed, and became more of an advisory role in the dotcom era. With a technical background and sound knowledge of the internet, I was advising my clients on the technical and business risks associated with internet start-up ventures. This lasted two years before the dotcom era came to a close with the ‘tech wreck’. Following this period, I took time to reflect on the nature of the work I would be doing, and where the risk management profession was heading. I decided to focus on business and corporate risk management. In 2002, I joined an organisation known as the Australian Institute of Risk Management (AIRM), with a view to better understanding the profession and gaining a qualification or accreditation to add to my science and business degrees. After AIRM amalgamated with another organisation (ARIMA), my membership was migrated to the Risk Management Institution of Australasia (RMIA) – the new peak body representing the risk management profession.



In 2003, I lodged an application to pursue the certification of Certified Practising Risk Manager (CPRM). It took many months to prepare my portfolio and submission. During this time, I was busy working on a range of consulting engagements in various industries. Much of my work was in establishing risk management policies and risk management frameworks, and conducting business risk assessments for my clients. I was also working on large-scale, complex mining and infrastructure projects, as well as conducting risk reviews. In November 2003, at the inaugural RMIA conference held in Hobart, I achieved my CPRM certification.

As the years progressed, I honed my skills across all activities that I was undertaking for my clients, always with the view that my role was to add value to my clients’ businesses or organisations. In 2005, I was approached by Murdoch University to lecture in the field of risk management in the Master of Business Administration (MBA) program. After writing and developing a 14-lecture course in risk management, I lectured in the subject at the Perth campus, followed by the Singapore campus, and then coordinated the course at Murdoch University’s Dubai campus in the Middle East. Following five years of lecturing part-time while running my successful consulting business, I retired from teaching and was presented with an award for contribution to teaching in postgraduate degrees.

In addition to my normal risk management consulting services, I have spent the last several years assisting companies and organisations to understand and develop their risk appetite and risk tolerance positions. Many companies are challenged in understanding and implementing these elements of risk management. Through specialised intellectual property, which I developed several years ago, I assist organisations to create value through improved decision-making, and through integrating risk management into corporate governance frameworks and the strategic planning process.

In 2014, I was nominated for the award of Risk Consultant of the Year. After the preparation of a substantial submission and portfolio, I was announced as the recipient of this award at RMIA’s 10th anniversary conference in Brisbane. As the inaugural recipient of this award, my role in the year ahead will be to not only continue to work in my business as Principal Consultant and Director, but also to act in an ambassadorial role for both the RMIA and the risk management profession.

Peter Moore
e. peter.moore@riskpoint.com.au
t. 0417 982 456


Managing Enterprise Risk Management at Gallagher Bassett – Andrea Kanserski, Risk Manager of the Year 2014

Gallagher Bassett (GB) is the largest multidisciplinary third-party claims administrator (TPA) in Australia, and has a proven track record of successfully managing claims and compensation programs for a broad range of organisations. In my role as National Risk Manager, I ensure that GB maintains a professional approach to the management of strategic operational and contractual risks, and that we are committed to establishing a risk-focused organisational culture.

GB’s focus on risk management started in earnest in 2007, with the establishment of the Corporate Governance Framework. This structure is the foundation for business planning, enterprise risk management, internal control framework, audit and compliance, ethics and fraud prevention, insurance and incident management, customer feedback, business continuity, corporate policy and process management. This then led to the development and implementation of our Enterprise Risk Management (ERM) policy and framework, which was designed to identify and manage risks; support prioritising and allocation of material and human resources, including capital spend; and, ultimately, facilitate decision-making to achieve our strategic goals and objectives. Our risk management policy is supported by the accountability and responsibility framework that clearly articulates the role responsibilities of risk approvers, and risk and control owners. The accountability framework is further extended to other governance areas, such as policy and process ownership and management, control framework, audit and compliance, customer feedback and incident management. All risk approvers and owners have been trained in GB risk assessment and management methodology, and are accountable and responsible for identifying, assessing and reporting on their respective strategic, operational and/or contractual risks, which also includes the auditing of key controls by control owners. ERM has been integrated with all business units, which assists performance goals at an operational and strategic level. Ultimately, integration ensures that all GB clients receive best practice and consistent claims management services to achieve their goals and outcomes.

Our vision is to be recognised as the ‘go to’ business partner in TPA claims management services, and our purpose is to foster long-term relationships with our clients, support our people and deliver a sustainable company to our owners. Not only does the Corporate Governance Framework support the values by which we, as a business, operate; it also directly upholds GB’s core vision and purpose. The way that we handle risk gives our clients security, and confidence that we will protect their brand and reputation, while providing best practice claims management.

The efficacy of this framework can be demonstrated by our development in risk maturity over the last seven years. Using the insurance RIMS Risk Maturity Assessment and Indicators, GB has moved from a self-assessed rating of Level 1 Ad Hoc in November 2007, to Level 3 Repeatable in March 2011, to the current Level 4 Managed in October 2013. The significant maturity in GB’s corporate governance has supported GB’s business strategies to realise growth and a revenue increase from $30 million in 2009 to $110 million in 2013. The development of risk management has enabled GB to maintain its reputation for claims expertise. With our company planned to double in the next few years, and with an RIMS assessment of Level 5 Leadership in our sights, we will continue to strive for risk management excellence in all of our business operations.


The evolution of the risk management industry – Ian Hord, Highly Commended in Risk Manager of the Year Award
By Ian Hord, Risk and Insurance Manager, Western Power

RMIA has just celebrated its 10th birthday. How will the risk management industry evolve over the next 10 years? My work on Bayesian belief networks to model risk may be an early indicator.

Three years ago, I initiated a major project at Western Power to create a risk score for every pole and significant piece of equipment on the network. Risk-based tools are now revolutionising the way that Western Power prioritises more than $1.1 billion of expenditure annually. At the heart of this revolution is risk scoring based on Bayesian belief networks, an approach that is bridging the gap between qualitative and quantitative risk management. Western Power supplies electricity to more than one million customers across the south-west of Western Australia, creating one of the lowest customer density transmission and distribution networks in the world. Consequences of asset failure include bushfire, interruptions in customer electricity supplies, and injury from electrocution. The risk management challenge is how to prioritise limited funding to get the greatest reduction in bushfire damage, maintain supply reliability and keep the public safe.

The approach we are taking is to conduct an individual risk assessment on every significant asset in the network, representing more than four million assets, and calculate individual risk scores each month. Assessments take into consideration all the failure modes of the asset, the known condition of the asset, and other information that can affect degradation of the asset. Using this information, an estimate of the likelihood of the asset failing in the next year is made. To complete the risk assessment, the consequence of failure is estimated, based on the cost of the consequence and the likelihood of there being a consequence (see Figure 1). Influencing factors are included, such as whether the asset is located in a high bushfire zone, supplies large numbers of customers or is located in a population-dense area. The software tool we use is a Bayesian belief network modelling tool, Netica, by Norsys Software. This is one of many similar Bayesian tools available. Bayesian models break the problem into multiple causal relationships. They are different from traditional statistical analysis or pure machine learning algorithms, such as neural networks.

Figure 1: Risk score calculation


Figure 2: Wood pole influence diagram


A Bayesian belief network can accommodate statistically derived relationships, engineering equations and expert opinion-based relationships. Inputs can include probability distributions if input data sets are incomplete. A further advantage of this approach is sensitivity analysis; it is easy to identify input data that has a heavy influence on the output. This knowledge is used to prioritise data collection accuracy and data clean-up efforts.

Separate models are necessary for each type of asset, such as poles, conductors, cross arms and transformers. A total of 24 models have been developed. A simplified example is shown in Figure 2. The risk models run automatically in the corporate IT systems, and calculate risk scores monthly. Not only are the scores prioritising the work to be done, but they also inform the business of the expected number of failures based on various long-term investment scenarios. The tool, known as the Network Risk Management Tool (NRMT), is creating a step change improvement in the way that Western Power manages its risk. Our next challenge is to link the cost of risk to asset life cycle cost to reduce our customers’ cost of electricity and maintain a safe and reliable network. Bayesian belief networks are a great way to develop more granular risk assessments in data-poor environments. The next 10 years for risk management professionals is looking very exciting. For more information, contact Ian Hord at ian.hord@westernpower.com.au, or call 0414 853 988. Ian Hord was Highly Commended in the 2014 Risk Manager of the Year Award.
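The risk score calculation (likelihood of failure in the next year, times the cost and likelihood of each consequence, weighted by the influencing factors), the data-poor case where an input is known only as a distribution, and the one-at-a-time sensitivity check described above, worked through as an added example. This is not code from Western Power, Netica or Norsys; the network, its probability tables, the pole records and every dollar figure are constructed placeholders.

```python
"""Toy Bayesian belief network for a single wood pole, hand-built CPTs.
Constructed example; every probability and cost is a placeholder."""

CONDITIONS = ("good", "fair", "poor")

# Failure node CPT: P(pole fails in the next year | condition, termite exposure).
# Constructed values, not engineering data.
P_FAIL = {
    ("good", False): 0.002, ("good", True): 0.006,
    ("fair", False): 0.010, ("fair", True): 0.030,
    ("poor", False): 0.060, ("poor", True): 0.150,
}

# Prior over condition, used when the inspection record is missing (data-poor case).
CONDITION_PRIOR = {"good": 0.6, "fair": 0.3, "poor": 0.1}


def condition_distribution(pole):
    """Point mass on the observed condition, or the prior if it is unknown."""
    observed = pole.get("condition")
    if observed is None:
        return dict(CONDITION_PRIOR)
    if observed not in CONDITIONS:
        raise ValueError(f"unknown condition {observed!r}")
    return {c: (1.0 if c == observed else 0.0) for c in CONDITIONS}


def p_failure(pole):
    """Marginalise the failure CPT over the (possibly uncertain) condition."""
    return sum(p_c * P_FAIL[(c, pole["termite_exposure"])]
               for c, p_c in condition_distribution(pole).items())


def consequence_table(pole):
    """Per-consequence (P(consequence | failure), cost in dollars).  The
    influencing factors are the ones the article names: bushfire zone,
    number of customers supplied, population density.  Constructed values."""
    return {
        "bushfire": (0.20 if pole["high_bushfire_zone"] else 0.02, 5_000_000),
        "supply_interruption": (0.90, 400 * pole["customers"]),
        "public_injury": (0.05 if pole["dense_population"] else 0.005, 2_000_000),
    }


def risk_score(pole):
    """Expected annual loss: P(fail) * sum_i P(cons_i | fail) * cost_i."""
    expected_cost_given_failure = sum(
        p * cost for p, cost in consequence_table(pole).values())
    return p_failure(pole) * expected_cost_given_failure


def sensitivity(pole):
    """One-at-a-time sensitivity: flip each boolean input and report the
    absolute change in risk score.  Inputs with large deltas are the ones
    whose data accuracy and clean-up deserve priority."""
    base = risk_score(pole)
    deltas = {}
    for key in ("termite_exposure", "high_bushfire_zone", "dense_population"):
        perturbed = dict(pole, **{key: not pole[key]})
        deltas[key] = abs(risk_score(perturbed) - base)
    return deltas


def most_influential_input(pole):
    deltas = sensitivity(pole)
    return max(deltas, key=deltas.get)


def rank_assets(poles):
    """Asset ids ordered by risk score, highest first: the work queue."""
    scored = ((pid, risk_score(p)) for pid, p in poles.items())
    return [pid for pid, _ in sorted(scored, key=lambda item: item[1], reverse=True)]


# Constructed sample fleet.  P-002 has no inspection record, so its condition
# is carried as the prior distribution rather than a single observed value.
SAMPLE_POLES = {
    "P-001": {"condition": "poor", "termite_exposure": True,
              "high_bushfire_zone": True, "customers": 50,
              "dense_population": False},
    "P-002": {"condition": None, "termite_exposure": False,
              "high_bushfire_zone": False, "customers": 10,
              "dense_population": True},
    "P-003": {"condition": "fair", "termite_exposure": True,
              "high_bushfire_zone": False, "customers": 800,
              "dense_population": True},
}

if __name__ == "__main__":
    for pid in rank_assets(SAMPLE_POLES):
        pole = SAMPLE_POLES[pid]
        print(pid, round(risk_score(pole), 2), most_influential_input(pole))
```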


Jevon Turner – Highly Commended in Risk Manager of the Year Award 2014

Risk management is a rewarding profession, providing an enormous variety of issues with which you can get involved, and the opportunity to develop a broad range of risk management initiatives.

From a personal perspective, I did not consciously initially choose risk management as a career, but rather more or less fell into it through various employment opportunities. After leaving high school, I had an interest in design and ergonomics, so I completed my undergraduate studies in occupational health and safety (OH&S). While studying, I undertook work experience at Amcor Petrie Paper Mill assisting their Safety and Training Manager. This evolved into a part-time job, and later into a full-time position when I had completed my studies. Not long after this, I joined Golden Circle to head up the safety program for their three manufacturing sites. Business management was also appealing to me during my undergraduate studies, so I completed a Master of Business Administration. It was during this time that I met several risk consultants, and I began to see risk management as a natural progression from OH&S. When I was promoted to Risk Manager at Golden Circle, I completed a graduate certificate in risk management at the University of Queensland. While studying, I was invited by the university to join a task group to review the course offering. This led to lecturing in one of the risk management modules, which I did for several years as a side interest.

Since late 2007, I have been the Manager, Risk and Compliance, for Herron Todd White. Herron Todd White is one of Australia’s largest independent property valuation and advisory organisations, with more than 900 members of staff located in 65 offices Australia-wide, and with an annual turnover exceeding $115 million. The organisation has experienced rapid growth over the last several years – literally doubling in size since I started. Property valuers not only operate within a very litigious environment, but the professional indemnity insurance market for property valuers is also extremely difficult, with only a handful of individual lead underwriters globally prepared to insure valuers.


A key focus for me has been to develop, promote and roll out a job risk-profiling tool across the organisation. This has been dubbed the ‘Swiss Cheese Model’ (based on the loss causation model designed by James Reason of the University of Manchester in 1990). All potential jobs are risk-rated at the quote stage through our valuation management system, which then drives the level of oversight required for the job. For example, the tool determines who approves the jobs, which valuers are allocated jobs based on their skill levels, what training and mentoring programs are put in place to build our pool of skills, and which jobs get audited before the report is delivered to the client. Through the capture of risk-profiling data, we are able to work with clients and insurers to assist in reducing their risk exposures. The tool is groundbreaking within the valuation industry, and is being hailed across the finance and insurance industries as a leading market initiative.



RMIA National Conference 2014 Masterclass Session 1 – Overview

Background

Masterclass Session 1: How to apply and benefit from the new risk management publication ISO/TR 31004:2013 for implementing ISO 31000.

Risk management has evolved in most organisations since the release of ISO 31000 in 2009; however, many organisations and practitioners struggle with mandate and commitment, and aspects of implementation, particularly with integrating risk management practices and processes within myriad management systems.

A Masterclass run by Jeff Jones

Objective

The objective of this masterclass was to provide an overview of ISO/TR 31004, and to provide a facilitated discussion for masterclass participants to discuss how to apply and benefit from the new risk management implementation Technical Report ISO/TR 31004:2013. The masterclass inspired the participants to leverage off the existing ISO Standards (31000, 31010 and Guide 73) and embrace ISO/TR 31004 as a further guide to the ISO doctrine on the management of risk, and to keep up – and ahead – to ensure effectiveness within their organisations. The vision planted in ISO 31000 Annex A, ‘Attributes of Enhanced RM’, was explained, along with a general overview of ISO/TR 31004. A key focus was on how to approach integrating risk management into existing management systems (ISO/TR 31004 Annex D), and an exercise in which the masterclass examined the content provided in ISO/TR 31004 Annex B for application of ISO 31000 principles.

ISO/TR 31004 was released in 2013 to help provide guidance for organisations with how to implement risk management in the context of underlying concepts, and the intended principles and framework of ISO 31000. This RMIA masterclass aimed to provide a facilitated forum for CPRM/CRMT participants to convene within an advanced practitioner cohort to discuss and share the latest application of enterprise risk management.

Key learning outcomes were:
• awareness of the new ISO risk management guide and its content
• knowledge of how the guide fits in with the other ISO and AS risk management documents
• a practical approach for integrating risk management within existing management systems
• reinforcement of the principles to be applied behind a risk management framework.


Size doesn’t matter; it’s what you do with your risk data that counts!

‘Big data’ is everywhere, but the reality is that Boards and executive management need meaningful data to improve organisational performance, decision-making and outcomes, as well as to satisfy their legal duties.

Risk data comes in many forms, but needs to be expressed using the language and context of an organisation’s operations and culture. In our experience, the five key dimensions of meaningful risk data are:

1. Risk appetite – do our risk matrix and risk tolerance reflect our organisation’s appetite for risk across all our operations and key outcome areas?

2. Risk intelligence – what intelligence have I gathered to inform my ongoing risk assessment; for example, incidents, compliance breaches and audit findings?

3. Risk confidence – am I confident that the critical controls in my organisation are effectively managing risk?

4. Risk assessment ratings – are we applying the appropriate level of assessment; for example, qualitative for strategic risks, and quantitative for project risk-adjusted costings?

5. Risk warnings – what are my key risk indicators that provide an early warning to prevent a potential event from becoming a crisis?

Big data? I’ll take small and meaningful any day.

Praveen Reddy, Periscope Corporation


What is happening to construction project managers when it comes to managing risk?

There does not appear to be much debate about the fact that projects by their nature are risky. The Project Management Institute defines a project as ‘a temporary group activity designed to produce a unique product, service or result’. Risk, therefore, comes with the territory; any activity that is temporary, unique and has to produce defined outcomes is bound to be risky. Add to this the complexity of the technology, the increasing size of projects, globalisation and an unpredictable commercial environment, and you have major uncertainties and risk. The benefit of good risk management is well documented, though it is difficult to quantify risks that did not happen. Zwikael and Ahn (2011) found that even moderate levels of risk management planning are sufficient to reduce the adverse impact that risk has on project success. Conversely, Ikediashi, Ogunlana and Alotaibi (2014) identify poor risk management as a critical factor in the failure of infrastructure projects. The importance of risk is reflected in the role that it plays in the recognised standards, methodologies and Bodies of Knowledge developed for project managers.

It is not unusual for articles concerning risk management to commence with statements such as:
• ‘Risk management is a critical part of project management, as unmanaged or unmitigated risks are one of the primary causes of project failure’ (Lyons and Skitmore, 2004)
• ‘The construction process is inherently prone to risk’ (Choudhry and Iqbal, 2012)
• ‘Construction projects are risky’ (Dey and Ogunlana, 2004)
• ‘No construction project is risk-free’ (Taroun, 2014)
• ‘The built environment is full of uncertainty, which leads to risk’ (Forbes, Smith and Horner, 2008)
• ‘Risks are unavoidable in almost every construction project, whether it is building projects, civil works, or any other type of construction projects’ (Sharma and Swain, 2011).

There are a number of associations related to project management, and evidence shows that their memberships are extensive. Each of these associations aims to develop a consistent approach to project management via the use of standards and consistent practices among their membership. The two main international organisations are:
• the Project Management Institute (PMI), with its Body of Knowledge
• the International Project Management Association (IPMA). The Australian Institute of Project Management is the affiliate to the IPMA in Australia.

But there are also myriad other organisations that have developed their own standards, or Bodies of Knowledge, including:
• the British Government’s agency, the Office of Government Commerce (OGC), which has developed the PRINCE2 (Projects in Controlled Environments, version 2) method, which is widely used in government organisations in Australia
• the International Centre for Complex Project Management (ICCPM). ICCPM is an association that develops research, delivers education, and provides support services and tools for businesses and government specifically focused on complex projects
• the International Organization for Standardization (ISO), a developer of voluntary International Standards, many of which have been adopted in Australia. ISO 21500:2012 Guidance on Project Management is the first in a planned series of project management standards (this is generally consistent with the PMI PMBOK Guide).

All of these organisations and associations include risk as a fundamental part of project management. As a result, there is a large range of standards, methods, Bodies of Knowledge and frameworks covering project risk management; each of them has its own strengths and weaknesses, depending on the industry, project and focus that they are set towards. All are the same in one crucial aspect: their objective to identify and mitigate risks. The major methods, standards and guides generally accepted include:
• PMI PMBOK® Guide Knowledge area, Chapter 11, and Practice Standard for Project Risk Management (PMI 2009). The PMI’s Practice Standard for Project Risk Management provides a list of appropriate risk management processes, tools and techniques for identifying, analysing and evaluating project risks
• ‘Management of Risk’ (M_o_R). This was sponsored by the British Government agency Office of Government Commerce (OGC), and is used extensively within the British Government as the de facto risk management standard for its public projects. It is affiliated with PRINCE2
• ‘Project Risk Analysis and Management’ (PRAM). This is associated with the Association for Project Management in the United Kingdom
• ‘Shape, Harness, And Manage Project Uncertainty’ (SHAMPU), developed by Chapman and Ward in 2003
• ‘Risk Analysis and Management for Projects’ (RAMP), which originates from the actuarial profession in conjunction with the Institution of Civil Engineers (United Kingdom), and is a simple and straightforward process for evaluating and controlling risk in major projects
• the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a United States organisation whose mission is ‘to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organisational performance and governance, and to reduce the extent of fraud in organisations’
• the ISO Standard ISO 31000:2009 (AS/NZS ISO 31000:2009), which is the established Standard for treating risks in Australia. It provides managers with a solid generic framework on how to find, assess, treat and record risk. As an industry standard, the framework is universal in nature, and does require tailoring to suit specific contexts, sectors or projects. ISO 31010 supports ISO 31000:2009, and provides direction on the selection and application of systematic tools and techniques for risk assessment, which can be used equally well for projects and for organisations.

So, why are project managers, especially those in the construction industry, not at the forefront of applying risk management practices? While project management literature is rich in papers talking about risk management and risk factors, fewer papers have addressed its actual application (Lyons and Skitmore, 2004). Similarly, Taroun (2014) concluded that he had ‘demonstrated a remarkable contribution of the researchers towards advancing risk modelling and assessment. It is unfortunate that there is still a wide gap between theory and practice’. A review of literature by Forbes, Smith and Horner (2008) indicated that the construction industry is particularly poor at applying techniques, choosing only to use tools when faced with certain types of uncertainty. They categorised this uncertainty as being caused by mainly economic factors, and the unknown(s) (fuzziness, incompleteness and randomness) faced by the project. Overseas research has shown that where techniques have been used, they are often the more simplistic tools, such as checklists, flow charts and brainstorming (Martins et al. 2011).

What is stopping project managers from applying risk tools and techniques? We can surmise as to why a more expansive array of risk tools and techniques is not used. Is it the:
• nature of projects that actually discourages the use of risk tools and techniques?
• focus on cost, or fast delivery of the project? Winch (2006) supports this in his research into lean construction: a model built on uncertainty reduction is backward-looking when considering future risk, and does not encourage the application of risk tools and techniques
• perceived cost of undertaking risk analysis where you cannot easily demonstrate the benefits?
• characteristics of effective project managers, who are generally task-focused, and have skills that channel them to a particular technical area?
• organisational culture that does not inculcate risk into the fabric of the organisation, but instead leaves it to a whole-of-organisation approach? Those studies that look at where risk tools and techniques are effectively used imply that compliance with legislation and the demands to improve corporate governance are the dominant drivers (Collier and Woods 2011). Other research of IT project managers concluded that project risk management was conditioned by deliberate ignorance, with risk management being demoted to a purely administrative exercise (Kutsch and Hall 2010)
• lack of training with, and comfort using, different tools and techniques? (Serpella et al. 2014; Hillson 2013)

Hubbard, in ‘The failure of risk management – why it’s broken and how to fix it’ (2009), is an advocate of a more scientific approach to risk analysis, with the use of statistical tools and models validated and calibrated against real-life data and observations. He has a general criticism of current practice that relies on qualitative or semi-quantitative methods, when organisations are able to produce more reliable estimates with a small effort but do not do so due to lack of effort or knowledge.

Whatever the cause, there needs to be a more proactive approach to getting project managers involved in risk management, as well as a better understanding of which tools and techniques work in practice within the construction industry.

LIST OF REFERENCES:
Choudhry, RM & Iqbal, K 2012, ‘Identification of risk management system in construction industry in Pakistan’, Journal of Management in Engineering, Vol. 29, No. 1, pp. 42–49.
Collier, PM & Woods, M 2011, ‘A comparison of the local authority adoption of risk management in England and Australia’, Australian Accounting Review, Vol. 21, No. 2, pp. 111–123.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2014, www.coso.org/documents/coso_erm_executivesummary.pdf.
Dey, PK & Ogunlana, SO 2004, ‘Selection and application of risk management tools and techniques for build-operate-transfer projects’, Industrial Management & Data Systems, Vol. 104, No. 4, pp. 334–346.
Forbes, D, Smith, S & Horner, M 2008, ‘Tools for selecting appropriate risk management techniques in the built environment’, Construction Management and Economics, Vol. 26, No. 11, pp. 1241–1250.
Hillson, D 2013, ‘Managing risk in projects – New concepts’, 12 November, www.youtube.com/watch?v=SCb8p4OJa9I.
Hubbard, DW 2009, The Failure of Risk Management: Why It’s Broken and How to Fix It.
Ikediashi, DI, Ogunlana, SO & Alotaibi, A 2014, ‘Analysis of Project Failure Factors for Infrastructure Projects in Saudi Arabia: A Multivariate Approach’, Journal of Construction in Developing Countries, Vol. 19, No. 1, pp. 35–52.
ISO 31010 Risk management – Risk assessment techniques 2009, ICS 03.100.01, IEC, Geneva, Switzerland.
Kutsch, E & Hall, M 2010, ‘Deliberate ignorance in project risk management’, International Journal of Project Management, Vol. 28, No. 3, pp. 245–255.
Lyons, T & Skitmore, M 2004, ‘Project risk management in the Queensland engineering construction industry: a survey’, International Journal of Project Management, Vol. 22, No. 1, pp. 51–61.
Martins, CG, Morano, C, rea, R, Ferreira, MLR & Haddad, AN 2011, ‘Risk identification techniques knowledge and application in the Brazilian construction’, Journal of Civil Engineering and Construction Technology, Vol. 2, No. 11, pp. 242–252.
PMI 2009, Practice Standard for Project Risk Management, Project Management Institute, Pennsylvania.
Serpella, AF, Ferrada, X, Howard, R & Rubio, L 2014, ‘Risk Management in Construction Projects: A Knowledge-based Approach’, Procedia – Social and Behavioral Sciences, Vol. 119, pp. 653–662.
Sharma, SK & Swain, N 2011, ‘Risk Management in Construction Projects’, Asia Pacific Business Review, Vol. 7, No. 3, pp. 107–120.
Taroun, A 2014, ‘Towards a better modelling and assessment of construction risk: Insights from a literature review’, International Journal of Project Management, Vol. 32, No. 1, pp. 101–115.
Ward, S & Chapman, CB 2003, Project risk management, 2nd edn, Wiley, Hoboken, NJ.
Winch, GM 2006, ‘Towards a theory of construction as production by projects’, Building Research & Information, Vol. 34, No. 2, pp. 154–163.
Zwikael, O & Ahn, M 2011, ‘The effectiveness of risk management: an analysis of project risk planning across industries and countries’, Risk Analysis, Vol. 31, No. 1, pp. 25–37.


Auto Club and Auto Club insurers Community of Practice Group

By Robyn Trigge, Manager Compliance and Risk, RACT Insurance, and David Callanan, Chief Risk Officer, RACQ Insurance

A group of like-minded risk and compliance professionals is taking a refreshing approach to the achievement of ‘better practice’ in their industry.

Since February 2014, the group (representing Auto Clubs and Auto Club insurance companies) has joined together to form a nationwide ‘Community of Practice’. Foundation members include representatives from Queensland (RACQ and RACQ Insurance), South Australia (RAA and RAA Insurance), Western Australia (RAC Insurance) and Tasmania (RACT Insurance). Under the auspices of a documented charter, the group meets quarterly by phone, and in person at least once a year, to discuss agenda items of common concern, including risk management, compliance, regulator interface, internal assurance, audit issues, and consumer complaints. As an example of the types of agenda items discussed, at the first meeting of the group an extensive discussion was held regarding the assessment of 13 risk management software options. This pooling of market knowledge has enabled the group members to save many hours investigating vendors and their offerings. Subsequent meetings have included various other focus areas, including the exchange of samples of risk assessment and compliance tools, Board committee charters that meet new prudential requirements, service providers that supply compliance updates and news feeds, and ideas on the enhancement of organisational risk culture.

The group is able to share this knowledge and these resources, given that the involved organisations do not compete commercially (covering different states) and, in light of the intended independent nature of the ‘second line of defence’, there is no real rivalry at play. The group’s outcomes ultimately protect policyholders, members and the public. The group shares program ideas, challenges and successes with these stakeholders in mind. The idea for the group is modelled on longstanding committees of professionals, such as lawyers and accountants, whose law society or accounting practice committees are set up to allow practitioners to share information about common issues. Even though issues may arise from strictly confidential client matters, they may also be shared to benefit all clients and the public, in a spirit of collegiality and under committee charter guidelines.

Compliance and risk professionals should, on the experience of this group, feel free to form similar committees or communities of practice; these can only benefit our customers and the public through enhanced compliance and risk management within our various organisations. Tasmania, in particular, benefits from groups such as these, as mainland industry associations seem rarely to travel to Tasmania to provide resources and venues to share issues. The challenges of regulator-enforced risk management standards, new privacy requirements and ever-increasing compliance expectations are not ones that professionals should have to bear alone. Regulators, too, should be comforted to know that this pooling of knowledge and resources is occurring. Given that regulators are less likely to encounter cases beyond the bell curve, their tasks of compliance should be easier, and the public should be assured of consistency – at least from members of such groups. The group intends to continue to build on its successes to date. Future topics include opportunities to enhance contract management processes, business continuity planning, and efficiency and effectiveness of compliance training and complaints handling. The group will continue to act as a support network: sharing knowledge, resources, new ideas and research in an unwavering search for ‘better practice’.


The challenges of describing a risk

Often, when identifying a risk, there is confusion about what the risk actually is, and how to capture the risk name in the risk register. There are a number of traps that organisations fall into.

Trap 1 – the Broad Statement Risk Trap

Some organisations fall into the trap of capturing ‘risks’ that are broad statements, as opposed to events or incidents. Examples include:
• reputation damage
• compliance failure
• fraud
• environment damage.

These tell us little and cannot be managed – even at a strategic level.

Trap 2 – the Causes as Risk Trap

The most common issue that I see with risk registers is that many organisations fall into the trap of capturing ‘risks’ that are actually causes, as opposed to events or incidents. Wording that indicates a cause as opposed to a risk includes:
• lack of … (trained staff; funding; maintenance; communication)
• ineffective … (staff training; internal audit; contract management)
• insufficient … (time allocated for planning; resources applied)
• inefficient … (use of resources; procedures)
• inadequate … (training; procedures)
• failure to … (disclose conflicts; follow procedures; understand requirements)
• poor … (project management; inventory management; procurement practices)
• excessive … (reporting requirements; administration; oversight)
• inaccurate … (records; recording of outcomes).

These also tell us very little and, once again, cannot be managed.

Trap 3 – the Consequences as Risk Trap

Another trap that organisations fall into when identifying risk is that of capturing ‘risks’ that are actually consequences, as opposed to events or incidents. Examples include:
• the project does not meet schedule
• the department does not meet its stated objectives
• budget overspend.

Once again, these cannot be managed. So, if these are the traps that organisations fall into, then what should our risks look like? The answer is simple: they need to be events. When something goes wrong, such as a plane crash, a train derailment, a food poisoning outbreak, or major fraud, there is usually a post-event analysis of some form to determine the circumstances of the incident in an attempt to prevent it happening again in the future. As risk managers, we are trying to anticipate and stop the incident before it happens.

The table below shows the similarities between risk analysis and post-event analysis.

RISK ANALYSIS                                                     POST-EVENT ANALYSIS
What could happen?                                                What happened?
What would cause it to happen?                                    What caused it to happen?
What would the consequences be?                                   What were the consequences?
What can we do to try and stop it happening?                      What could we have done to stop it happening?
What can we do to minimise the consequences if it does happen?    What could we have done to reduce the consequences?

To that end, risk analysis can be viewed as post-event analysis prior to the event occurring. The rule of thumb to use is that if the risk in your risk register could not have a post-event analysis conducted on it if it occurred, then it is not a risk. If you are able to make all of your risks events, you will reduce the number of risks in your risk register considerably, and (more importantly), you will be able to make the management of those risks a lot more achievable. If you review your risk register with this in mind, you will be amazed at the results.
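A register export can be screened for the three traps automatically before anyone sits down to review it. The following Python is an added example, not part of the original article: it turns the wording patterns listed above (the cause prefixes of Trap 2, the outcome phrasing of Trap 3, and very short broad statements for Trap 1) into a lint pass over a constructed list of register entries and reports which ones are not events. The sample entries, the exact regular expressions and the three-word cut-off for a broad statement are assumptions; a match is a prompt to rewrite the entry as an event, not a final verdict, and the post-event-analysis rule of thumb still has to be applied by a person.

```python
import re

# Wording that marks a cause rather than an event (the Trap 2 list above).
CAUSE_RE = re.compile(
    r"^(lack of|ineffective|insufficient|inefficient|inadequate|"
    r"failure to|poor|excessive|inaccurate)\b", re.I)
# Wording that describes an outcome rather than an event (Trap 3).
# Assumed phrase list; extend it with the consequence wording your register uses.
CONSEQUENCE_RE = re.compile(
    r"(does not meet|do not meet|fails? to meet|overspend|over budget|"
    r"behind schedule|loss of)\b", re.I)
# Assumed cut-off: entries this short ("reputation damage", "fraud") are
# treated as Trap 1 broad statements rather than named incidents.
BROAD_MAX_WORDS = 3


def classify(entry):
    """Return (category, action). 'event' means the entry passed the screen."""
    text = " ".join(entry.split())
    if CAUSE_RE.search(text):
        return "cause", "starts with cause wording; ask what event it could lead to"
    if CONSEQUENCE_RE.search(text):
        return "consequence", "describes an outcome; ask what event would produce it"
    if len(text.split()) <= BROAD_MAX_WORDS:
        return "broad statement", "too general to analyse; name a specific incident"
    return "event", "reads as an event; confirm a post-event analysis could be run on it"


def lint_register(entries):
    """Screen a list of risk names; return only the entries that need rewriting."""
    findings = []
    for entry in entries:
        category, action = classify(entry)
        if category != "event":
            findings.append({"risk": entry, "trap": category, "action": action})
    return findings


# Constructed sample register for this example (not from any real organisation).
SAMPLE_REGISTER = [
    "Reputation damage",
    "Lack of trained staff",
    "Ineffective contract management",
    "Budget overspend",
    "The project does not meet schedule",
    "Fraud",
    "Unauthorised release of customer records from the claims system",
    "Fire in the main substation control room",
    "Contractor struck by vehicle on the worksite",
]

if __name__ == "__main__":
    for f in lint_register(SAMPLE_REGISTER):
        print(f"{f['trap']:>16}: {f['risk']} -> {f['action']}")
```

Run against the sample register, the three incident-style entries pass and the other six are flagged with the trap they fall into. The point of keeping the patterns as plain regular expressions is that they are the article’s own word lists, so a register owner can read and extend them without a tool change.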


Control environment

By Barry Davidow and Albert Davidow, Consultants with Fraud Prevention & Governance Pty Ltd

Risk workshops, internal audits and discussions with relevant operational managers have shown that safety alarms are an effective control, because they go off every time there is a safety breach; however, a facilitated control self-assessment (CSA) workshop that we conducted showed that often the alarms go off about 60 times a day and, therefore, everyone ignores them. This means that, in effect, the control that is relied upon is actually next to useless.


This highlights the importance of assessing the control environment when considering an area’s risks. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control Integrated Framework is the internal control methodology that is the most widely used internationally, and strongly emphasises the importance of the control environment. People are probably the most predominant aspect of the control environment. People carry out controls. They can do it well, or less than adequately; for example, you couldn’t rely on a person whose favourite saying was, ‘The day is wasted if you are not’ to carry out the weekly reconciliations at the required standard. Similarly, most organisations rely on their codes of conduct – yet, we have seen some codes that are so obtuse that they appear to have been written in code. If people do not understand the code, then they are unlikely to comply with it. The necessity to understand the control environment can be evidenced by a few examples. A team told us, ‘Our managers are like clouds – when they go away, it is a nice day’. They rarely listened to their managers, so they didn’t really know exactly what they were supposed to be doing in certain key areas. Control failure was almost inevitable. In another organisation, a customer services team told us, ‘Our clients are so dense, light bends around them’. They had contempt for their clients and simply did not want to spend any extra effort helping them. Most controls about customer service were supposedly carried out, but generally subverted. As people tend to fill in the computer screens or do the paperwork correctly, supervisors, managers and internal auditors often do not detect that the controls are not carried out properly.

The evidence showed that procurement controls were working well to address the relevant risks in a large public-sector organisation; for example, orders were all made out by people with the appropriate delegations after quotes had been obtained, and proof of delivery was properly evidenced. The workshop showed that, in fact, the control environment was poor. This was as a result of a number of things, including people often placing orders for other staff members who considered it inconvenient for them to place the orders themselves; old quotes being recycled, as some suppliers refused to give quotes because they never got the contracts; and the people signing for proof of delivery working in a central location and seldom knowing whether or not the items or services had actually been received. The COSO framework recommends examining ethical culture, organisational structures, accountability and people issues. We find the approach taken by the Canadian Criteria of Control (CoCo) framework to be very useful. The CoCo framework suggests asking four questions:
1. Do you know what you are doing?
2. Do you want to do it?
3. Do you have the resources to do it?
4. Do you monitor it and learn to do it better?


SAI Global’s 360 Degrees of Compliance

The increasing complexity of global compliance and regulatory changes impacting your organisation creates operational and business risk – risk that demands a considered strategy and comprehensive program that identifies risks, eliminates gaps, and delivers the flexibility to respond to changes systematically and proactively. Having the proper tools and analysis in place to build and maintain your compliance program is essential in order to evaluate, execute and evolve the supporting components and operational effectiveness of your program. A comprehensive governance, risk and compliance (GRC) solution can serve as an organisation’s ‘compliance system of record’, streamlining and automating the compliance process across the enterprise and, ultimately, providing the body of evidence needed to demonstrate program effectiveness. There is a variety of published compliance guidance from governmental entities and regulatory bodies around the world. SAI Global has distilled those published compliance guidelines into five key elements that enable organisations to comply with those regulations, and build effective compliance programs:

1. Risk identification and risk assessment

This involves understanding the unique risk profile of your organisation – a ‘one size fits all’ approach will not be effective. Identifying and documenting the unique risk profile within your business enables you to establish a more proactive compliance program. By using SAI Global’s 360 Degrees of Compliance, you gain:

• a central repository of compliance obligations in order to assess current status and manage gaps in your program
• the ability to identify, prioritise and manage the risk areas across the enterprise through continuous risk assessments and controls testing
• dashboards and reports that offer a consolidated view of your organisation’s risks.

2. Policies, procedures and controls

Policies, procedures and controls must be relevant to the risks that you have identified. Policies should not be generic; they should meaningfully address the changing regulatory requirements, risks and compliance obligations that comprise the unique profile of your organisation. SAI Global’s 360 Degrees of Compliance delivers:

• full life cycle automation of policies and procedures, from creation through revisions and retirement. The solution includes features such as alerts for upcoming review and revision dates, tailored workflow for the collaboration and approval processes, as well as the ability to easily distribute updated/new policies to employees, and collect attestations
• the ability to link policies to relevant laws, regulations, and obligations for external and internal audits, and get automated alerts when those laws and regulations have changed
• readily available access for employees to easily search and retrieve approved policies.


44


3. Training and communication

Effectively training your employees in key risk areas, and communicating the policies and procedures to ensure that they are aware of, and understand, the organisation’s compliance obligations, is an ongoing process. SAI Global’s 360 Degrees of Compliance:

• establishes a curriculum plan to best address the identified risks for your organisation, and conducts a training needs analysis to better target your compliance and ethics training
• provides the market’s largest training content library of more than 500 titles available in more than 50 languages, of various lengths and media types, with online and offline formats
• delivers compliance and ethics content on multiple mobile devices to suit your audience’s needs
• delivers targeted communication of your Code of Conduct, and distributes assessments and certifications to employees on an annual basis, or as a follow-up to the release of new or updated policies or procedures.

4. Monitoring, auditing and response

The regular monitoring and auditing of your organisation’s compliance program is necessary to determine the effectiveness of the program. With SAI Global’s 360 Degrees of Compliance, you can:

• collect and track disclosures information (for instance, gifts and hospitalities, potential conflicts of interest) via online forms submitted by employees or third parties, with automated review and approval processes
• perform audits of high-risk compliance areas, leveraging the data within the GRC system, including current policies and procedures; reported compliance incidents and the organisation’s response; corrective actions taken for areas of non-compliance; and compliance training records and certifications
• centralise and automate third-party risk management with a contracts management system; perform due diligence data collection and scheduled, ongoing risk assessments of your third parties; and distribute relevant policies and procedures to your third parties and vendors
• collect all incidents in a central repository, using automated workflows to ensure that they are dealt with in an efficient/timely manner, and easily escalate potential issues or compliance concerns to upper management
• monitor your compliance program and emerging areas of risk with configurable reports and dashboards.

5. Evaluate and improve

Regular program evaluation and improvement is vital to maintaining a proactive, effective compliance program. With SAI Global’s 360 Degrees of Compliance, you can:

• monitor the overall health of the compliance program using configurable dashboards and reports. The solution provides visualisation through charts and graphs that are relevant to the individual, whether they are a Board member or compliance office staff
• provide internal auditors, as well as external parties, such as regulators and examiners, ready access to the information required for a compliance program audit, including our Virtual Evidence Room®, where all internal incident investigation activities, compliance policies, training records, corrective actions and other supporting information are linked directly to the organisation’s compliance obligations.

ABOUT SAI GLOBAL

SAI Global Compliance is the world leader in providing organisations with a wide range of governance, risk and compliance (GRC) products, services and technologies that help build organisational integrity and effectively manage compliance risk. Our global staff includes professionals and subject matter specialists in program design, management and implementation; instructional design; and software development. Our focus is to help establish and enhance compliance effectiveness.

45


Risk managers: Five essentials when selecting a technology-based risk management system

Liam O’Brien is a Senior Consultant at GRC Solutions, with more than 12 years’ experience as a user of risk systems and an adviser on risk system configuration and functionality. Below, he cites five must-haves for risk managers looking to select a technology-based risk management system.

1. Find a clear and effective risk management framework

Risk managers often view technology-based solutions as a panacea, but the best systems are implemented around risk management frameworks that are already mature. To some extent, all that these systems will do is automate a controlled process, provide consistency of inputs and interaction with risk management disciplines, and provide an agile platform for data analysis. If your new system can streamline your existing risk management program, you’re off to a flying start. Organisations shouldn’t have to fight to establish risk management roles in their business while also encouraging their colleagues to embrace risk systems.

2. Get your leaders to endorse the project

Your new system must be endorsed by your organisation’s leadership team. C-suite leaders will play an integral role in a risk management system project, not least in providing project management discipline. Consider how key performance indicators (KPIs) and performance management plans can be used to support the project’s outcomes. Leaders aren’t just people with a ‘C’ at the front of their title. Every organisation has its internal influencers – wise heads who’ve been around for a long time, often in a technical capacity. They bring tremendous experience and have more powerful influence than any email from the CEO to the Board supporting the project.

Look to create opportunities for your leaders to give input, and consider giving them roles in the project.

3. Know the purpose for, and functional specification of, your system

Before surveying the market or engaging vendors, you must have a strong understanding of what you want to achieve with your new risk management system. There are obvious efficiency and controlled workflow benefits; but also think about who your organisation’s primary users of the system will be, and what their needs are. Since each department may dabble in the system at different levels and use it in different ways, the system needs to be intuitive. Among the primary users will be the risk team, which will be excited about a new toy and its suite of sophisticated capabilities. But the risk team’s excitement will contrast with other users, who will adopt the system in the course of their normal day-to-day work. These users will be less excited about functionality and more interested in intuitive features, user-friendliness, and minimal training. If the system requires them to be as technically informed about risk management as the risk team, they’ll be unlikely to embrace it.

continued on page 48

46


Take the risk out of decision-making

Palisade software provides the difference between taking a guess and taking control – turning the art of decision-making into a science that works for you. As the leading provider of risk and decision analysis software for three decades, Palisade enables companies and organisations to evaluate risk at any level and to decide which step comes next – creating useable insights from uncertain situations. Our flagship tools, @RISK and the DecisionTools Suite, bring powerful new analytics to Microsoft Excel and Project. By harnessing the power of Monte Carlo simulation, decision trees, optimisation, and other techniques, Palisade’s products enable users to fully understand risks and make better decisions. Palisade also offers personalised risk solutions, allowing for customised software applications that integrate with your organisation’s models. Along with our cutting-edge software solutions, Palisade provides business consulting, model-building services, and on-site training designed around your organisation’s specific needs and goals.

With offices around the world, Palisade offers a truly global presence. And, with over 150,000 decision-makers using our products at top research universities and Fortune 500 companies, we know how to deliver superior service for superior clients.

Download a free trial version, and learn more at www.palisade.com.

47


continued from page 46


Then there’s the Board. Try to understand what information the Board wants, and in what format. If a system can’t provide good reports in the right format, ensure that it allows for customised reports. A good functional specification will outline these requirements. The more detail, the better. No system is perfect, so knowing what can and can’t be compromised will help.

4. Obtain risk identification guidance

The most important function of a new risk management system will be how easily it can identify and evaluate risks relating to your business objectives. Put yourself in the shoes of your other staff members who may not be familiar with the risk management process. If a system cannot identify and evaluate risks easily, this will be time-consuming to figure out. A system should provide guidance on how to identify risks and establish a risk management context. Ideally, this will reflect the unique qualities of your organisation, and will be customisable. If your chosen system doesn’t do this, think about the best way to do this outside of the system by way of instructions or training.

5. Find a partner that you can trust

There are some great risk systems out there, all of which have similar levels of functionality. Perhaps the most important consideration is how well you can work with the vendor. Implementation won’t be easy. Hurdles will come your way. Ensure that the vendor has clear documentation about what their ongoing service includes. Do they offer local support, or will it be a long-distance relationship? Also question their reputation for success. Above all, consider whether you can picture yourself working closely and constructively with the vendor’s project team.

About the author

Liam O’Brien recently joined the team at GRC Solutions as a Senior Consultant. Liam has worked for large and diverse organisations in senior management roles since 2003, including Suncorp, SAI Global and QR Limited. His governance, risk and compliance expertise comes from successfully executing:

• risk management frameworks
• compliance programs
• governance reviews
• bribery and corruption assessments
• audit programming.

Liam has provided expert content to professional development courses for industry bodies, including the Governance Institute of Australia, and universities. He delivers courses, and speaks at conferences and networking events for professional associations, such as RMIA, the GRC Institute, the Governance Institute of Australia, the Institute of Internal Auditors, and the International Association of Privacy Professionals (IAPP). Liam has been a Board member of the ACI (now GRC Institute), Chair of the Compliance Committee for Social Investments Australia, Chair of Foresters Community Finance, and a founding Director of Help Me With It.

48


Risk professionals – getting a seat at the table

For almost 20 years I have been asked by risk professionals of all persuasions, ‘How do I get the CEO to listen to me?’ My usual answer is, ‘Grow taller, become better looking and ensure you are famous in your own right, or demonstrate real value for the CEO so she or he asks for your advice.’ In truth, you only get a seat at the table where the big decisions are made if you are able to speak the language of the C-suite, if you are able to understand the drivers of the business and connect what you do with those drivers, and if you are able to succinctly articulate the benefits your approach will bring to the business. The challenge you have is self-inflicted by the risk profession. Too many risk and compliance evangelists have preached the letter of the law of risk to the nth degree, making it unnecessarily complicated, and delivering information that senior management is unable to understand, let alone utilise.

It is time for all of us to lift our game; to think, act and communicate like executives and to gain our clients’ trust. Where are you on your journey to Trusted Advisor?

Bryan Whitefield, Director, Risk Management Partners

Bryan Whitefield

49


