Case Studies Managing Risks to Improve Public Services · MANAGING RISKS TO IMPROVE PUBLIC...

REPORT BY THE COMPTROLLER AND AUDITOR GENERALHC 1078-II Session 2003-2004: 22 October 2004

Case Studies

Managing Risks to Improve Public Services

The National Audit Officescrutinises public spending

on behalf of Parliament.

The Comptroller and Auditor General, Sir John Bourn, is an Officer of the

House of Commons. He is the head of theNational Audit Office, which employs some800 staff. He, and the National Audit Office,

are totally independent of Government.He certifies the accounts of all Government

departments and a wide range of other publicsector bodies; and he has statutory authority

to report to Parliament on the economy, efficiency and effectiveness

with which departments and other bodieshave used their resources.

Our work saves the taxpayer millions ofpounds every year. At least £8 for every

£1 spent running the Office.

LONDON: The Stationery Office£17.00Two volumes not to be sold separately

Ordered by theHouse of Commons

to be printed on 18 October 2004

REPORT BY THE COMPTROLLER AND AUDITOR GENERALHC 1078-II Session 2003-2004: 22 October 2004

Managing Risks to Improve Public Services

Case Studies

Introduction

1

Intr

oduc

tion

Introduction

1 This volume of the report contains case studies in fivegovernment departments and descriptions of riskmanagement in four private sector companies withglobal operations. While the examples we give of riskmanagement in operation are specific, they draw on riskmanagement principles and practices that can beapplied more widely.

Departmental case studies2 Areas of work in five departments - HM Customs and

Excise, the Department for Culture, Media and Sport,the Department of Trade and Industry, National Savingsand Investments, and the Office for National Statistics -were selected to represent different types of servicedelivery. The departmental case studies illustrate howdepartments can secure the benefits of risk managementand how it can help departments to:

i Deliver better public services;

ii Improve efficiency;

iii Make more reliable decisions; and

iv Support innovation.

3 The departmental case studies also demonstrate the five key areas that departments need to address to take risk management forward beyond the end of theRisk Programme:

� Good risk management requires time and top levelcommitment;

� Responsibility and accountability for risks needs to beclear, backed up by scrutiny and robust challenge toprovide assurance;

� Departments need to base their judgements about riskson reliable, timely and up to date information;

� Risk management needs to be applied throughoutdepartments' delivery networks;

� Departments need to continue to develop theirunderstanding of the common risks they share and work together to manage them.

Private sector comparisons4 The four private sector companies - insurers Prudential

plc, the Japanese investment bank Nomura,pharmaceutical multinational GlaxoSmithKline andinternational news and financial information providerReuters - took part in the National Audit Office's (2000)study on risk. Our purpose in revisiting them was toconsider how for these companies risk managementhad progressed over the subsequent four year periodand to provide pointers for how departments' riskmanagement may develop.

How the cases studies wereconducted5 In departments, interviews were carried out with key

senior managers responsible for the areas of workconcerned. These were supplemented by desk research,material gathered from our survey of departments, andby two focus groups for each case study designed togather views and experiences of applying riskmanagement from wider staff involved in the deliverynetwork. The focus groups were mainly of staff atmiddle and senior management levels. For Customsand Excise, one focus group consisted of uniformedCustoms Officers at the port of Dover and at Coquelles,the UK Customs and Excise base at the French end ofEurotunnel, and the second of their team leaders andmanagers. For the Department for Culture, Media andSport's Culture Online programme and for theDepartment of Trade and Industry's Coal LiabilitiesUnit, where delivery is outsourced to contractors, onefocus group of consisted of staff and one of theDepartment's contractors.

6 For our private sector comparisons, interviews tookplace with senior managers of the company withresponsibility for risk management.

7 The focus groups and interviews took place betweenMarch and June 2004.

MANAGING RISKS TO IMPROVE PUBLIC SERVICES

3

HM

Cus

tom

s an

d Ex

cise

: Law

Enf

orce

men

t Dir

ecto

rate

Case Study HM Customs and Excise: Law Enforcement Directorate

1 HM Customs and Excise (HMCE) is responsible forcollecting Value Added Tax (VAT) revenue and othertaxes and customs duties. The Department has a vitalfront line role of enforcing government requirementsrelating to the movement of goods into and out of thecountry, and protecting society from illegal imports ofdrugs, tax fraud, and alcohol and tobacco smuggling.The Department had 23,000 staff in 2002-03 andexpenditure of some £1 billion.

2 Customs operations at ports and airports are theresponsibility of the Law Enforcement Directorate,established in April 2002. As an indication of the scaleof operations, in 2002 its remit covered 29.3 millioninternational sea passenger journeys, 10.75 millionunits of freight shipped in lorries and containers, and558.3 million tons of maritime cargo. Around 5,000lorries and trailers pass through the port of Dover daily.

3 The establishment of the Law Enforcement Directorateaccompanied a shift to a more intelligence basedoperation with analysis of intelligence data andidentification of key risks. Three major strategiesdesigned to tackle specific smuggled goods - tobacco,Class 'A' drugs and oils - are used to deploy lawenforcement and intelligence resources.

4 The Department has a stated aim of being the best riskmanagement organisation in the UK public sector.

Key risks5 Key risks for the Department include:

� failure to achieve key targets, including reductionsin the availability of smuggled goods;

� loss of revenue due to failure to reduce the supply ofillegal tobacco.

6 For Customs Officers at ports, key risks include:

� failing to follow correct stop and search proceduresmay result in the collapse of high profile court cases;

� failure to keep up to date with changing legislation,new priorities and new areas of Customs and Exciseresponsibilities, such as International Tradeinspections as part of the International TradeCompliance Strategy, and inspection of meat imports.

How these risks are managed7 Assessment of risks is the responsibility of the relevant risk

owner. A standardised risk evaluation methodology isused across the Department. The ManagementCommittee reviews all 'red' risks from the central riskregister on a monthly basis and 'amber/red' risks at leastquarterly. Each quarter, an exercise is commissioned toupdate the central risk register in full. These timescales arerepeated for all other lower level risk registers throughoutthe Department. Outside of the regular review timetable,emerging issues and threats are discussed on anexception basis by the Management Committee.

HM Customs and Excise's Law Enforcement Directorate uses strategies based on risk assessment tocombat smuggling operations and uses risk management to minimise loss of revenue from substitutionof smuggled for duty-paid goods by:

� using risk assessments to deliver detailed operational strategies designed to deliver results bytackling risks and directing resources to address them;

� applying a clear risk management approach at all levels of the Department;

� making its risk assessments dynamic and responsive to an ever-changing pattern of risks; and,

� establishing clear accountability: officers at ports know their responsibilities, what they shouldtarget, and the procedures they must follow to get a successful prosecution.


4

HM

Cus

tom

s an

d Ex

cise

: Law

Enf

orce

men

t Dir

ecto

rate


8 The Board receives risk updates quarterly. The Board hasfour Non-Executive Directors, two of whom also sit onthe Audit Committee, with the longest serving Non-Executive Director appointed as Chair. Independentchallenge of how risks are being managed is providedby the Audit Committee and Internal Audit.

9 All staff are encouraged to identify, understand andmanage risks, appreciating which risks can be toleratedand which cannot. Managers are expected tounderstand the risks they face, their causes, probabilityand impact; to prioritise the management of risks so thatthose of highest concern are adequately controlledbefore efforts are directed at lower level risks; and tomanage the Department's exposure to these risks atreasonable costs.

10 To achieve its public service agreement targets, theExecutive Board takes decisions on resource allocationin the light of key risks and strategies for addressingthem; for instance the Tobacco Smuggling strategy orClass 'A' Drugs strategy. Strategies are cascaded throughthe Department to determine deployment of resourcesat head office, regional and local level. The strategy-ledapproach has led to more flexible deployment ofresources with the National Deployment Committeeand Regional Deployment Committees having at theirdisposal flexible strike forces to deploy at ports orairports to meet changing risks within and between theDepartment's strategies.

11 All staff are informed about what the Department'sstrategies require and what the strategies require ofthem. Officers are kept informed about changes to risksthrough daily briefings.

12 Customs Officers at ports of entry receive intelligencereports that target likely smugglers and prioritise these forstopping and searching. Customs Officers are stronglyencouraged to report new risks, such as the arrival of newtypes of smuggled goods, new methods of concealment,or smuggled goods arriving from new destinations, to theIntelligence Division, which distributes the informationrapidly, immediately if necessary, to Customs Officers atother ports. Individual reports are collated, new trendsanalysed and, if sufficiently high risk, are incorporatedinto the priority indicators used by Customs Officers tostop and search vehicles.

13 The Department is undertaking initiatives to strengthen itsuse of intelligence and is piloting developments to assistin identifying vehicles to stop and search at ports. AtDover, an intelligence based 'Pre-Selection Hub' becameoperational in May 2004. The Pre-Selection Hub analyses

multiple data sources including lists of stolen vehicles,criminal records data, ships' cargo manifests, ticket-buying patterns and other intelligence to produce theoptimum list of vehicles to stop and search. This reflects amove within Customs and Excise from recognition basedor intuitive risk decision-making, based on Officersselecting vehicles that on their previous experience aremost likely to contain smuggled goods, to risk decision-making based on analysis of data, supported by front lineOfficers using for stopping and searching vehicles rulebased risk analysis based on standard operatingprocedures (Flin and Crichton, 2004).1 Dedicated staffhave been trained to use the Pre-Selection Hub, selectedon the basis of their aptitude for the task.

14 The Butterfield Review (2003)2 identified two key areasof concern about the Law Enforcement Directorate'sassurance systems - that a 'tick box' approach mightlead to automatic conformity to a system rather thanthought through consideration of whether actions wereappropriate; and that lack of compliance with thesystems might lead to abuse of process applications and major trial failures. The Law EnforcementDirectorate has set up a programme of trainingseminars 'Managing Risks through Professionalism' forall Customs Officers, team leaders and their managers,to reinforce the value of maintaining high standards inprocedures and processes and following and recordingthem correctly. Customs and Excise is also workingwith the Police to devise a joint national framework foroccupational standards.

15 Following interceptions of smuggled goods, teams aredespatched to carry out debriefing of intercept teams toanalyse why they did or did not get a successful result and to check prior to prosecutions that allprocedures have been correctly carried out andrecorded to mitigate the risk of prosecutions failingthrough minor procedural errors. New tactical andstrategic intelligence is fed into the Regional FreightPre-Selection Hub to update the selection profiles andinfluence future pre-selection of vehicles.

16 The Department works closely with other lawenforcement and is part of a multi-agency approach toserious crime. It has co-operation agreements with UKand international agencies including the Association ofChief Police Officers, the National Crime Squad,National Criminal Intelligence Service, SecretIntelligence Service, Security Service, the DrugEnforcement Administration and Interpol. Customs andExcise is also working closely with the Department forEnvironment, Food and Rural Affairs to prevent illegalmeat imports from entering the UK; with the Home

1 Risk-Based Decision Making: Mitigating threat - Maximising opportunity, Rhona Flin and Margaret Crichton, 2004, Managing Risks to Improve Public Services,Volume 1, Appendix 2.

2 Review of Criminal Investigations and Prosecutions, The Hon Mr Justice Butterfield, HM Treasury, July 2003.

5

HM

Cus

tom

s an

d Ex

cise

: Law

Enf

orce

men

t Dir

ecto

rate


Office to control radiological material entering the UK;with maritime authorities to implement the newmaritime security regime agreed by the InternationalMaritime Organisation; and with airport authorities toimprove airport security following recommendations ofthe Wheeler Review.3 Transitional programmes are alsobeing developed to manage the moves towardsestablishment of the integrated HM Revenue & CustomsDepartment, and the new Serious Organised CrimeAgency (SOCA).

Lessons learned17 HM Customs and Excise's Law Enforcement Directorate

has demonstrated effective risk management by:

� Using risk assessments to deliver detailedoperational strategies designed to deliver results bytackling and directing resources to address them.

� Applying a clear risk management approach at alllevels of the Department.

� Making its risk assessments dynamic and responsiveto an ever-changing pattern of risks - but in a waythat does not confuse staff.

� Establishing clear accountability. Officers at portsknow their responsibilities, what they should target,and the procedures they need to follow to get asuccessful prosecution.

Customs and Excise focus group participants' perceptions of risk management at Dover - Focusing on risk has contributed to delivering results

1

1= risk averse 5= risk taking

1= strongly disagree

NOTES

1 Two focus groups were conducted, one with freight anti-smuggling officers or assistant officers (Grades 4 and 5), and one with freight anti-smuggling team leaders or managers (Grades 7 and 9) from Dover Port and Coquelles (UK Customs and Excise based at the French end of Eurotunnel).

2 Participants were asked to complete a short questionnaire on the extent to which they agreed or disagreed with statements about risk management within the Department. The Figure summarises the results of these key measures. The scale ranges from 1 at the centre (the most negative score) to 5 at the edge (the most positive score). The figure compares Customs and Excise responses (plotted in blue) with the average for all participants in the focus groups across the case study departments. The Figure is based on small sample sizes and the results it presents are indicative of the participants' area of work in the Department only.

Source: MORI (All departments refers to all five case study departments).

All case study deptartments (mean) Customs & Excise

Common understanding

Prioritising risks

Supports innovation

Importance of risk managementcommunicated

Support when things go wrong

Knows strengths/weaknesses of risk system

Procedures for reporting risks

Effective contingency plans

Contributed to achievingoutcomes

Organisational risk appetite now

5

4

3

2

1

5= strongly agree

Customs and Excise Officers in our focus groups considered their department as risk averse, in that they were addressing past failures in risk management that had led to failure of prosecutions. Due to the nature of their role, Officers considered there to be limited room for them to take risks and be innovative in their day-to-day work, but in terms of suggesting better ways of working, Officers considered there to be some scope for them to be innovative.

3 Airport Security. Report by the Rt Hon Sir John Wheeler, JP, DL, commissioned by the Home Office and the Department for Transport, 2002.

7

Dep

artm

ent f

or C

ultu

re, M

edia

and

Spo

rt: C

ultu

re O

nlin

e

Case Study Department for Culture,Media and Sport: Culture Online

1 The Department for Culture, Media and Sport (DCMS)has 490 staff located in London. Its expenditure in 2003-04 was some £4 billon.

2 The Department established the Culture Onlineprogramme in 2002 with a budget of £13 million (£3 million revenue funding and £10 million CapitalModernisation funding). Culture Online aims to providefunding and project management expertise to bringtogether cultural organisations and cutting-edgetechnical providers using new technologies, includingInternet (broadband and narrowband), digital TV,mobile devices, CD/DVD and touch-screen kiosks tocreate innovative projects aimed at adults and childrenfrom hard to reach groups.

3 Successful delivery of Culture Online forms part of theDepartment's PSA targets to deliver ten educationallyfocused and ten culturally orientated projects. By 2003-04, £6.5 million had been allocated to ten projects and £3.8 million ear-marked against apossible 23 projects in all; the balance to be allocatedby the end of 2004. The projects aim to be accessiblethrough individual organisations' websites and throughlinks to Curriculum Online, run by the Department forEducation and Skills, and in partnerships withbroadcasters, newspapers and other organisations withaccess to audiences (Figures 2, 3, 4 and 5).

Culture Online projects include …2

The Dark is a walk-through installation that uses a totally darkinterior and a sophisticated 3D sound system to create soundsand narratives of slaves and slave traders to tell the story ofBritain's eighteenth century slave trade. The Dark opened fora pilot phase at the Science Museum, London before movingto the Magna Centre, Sheffield where many performancesplayed to 100 per cent capacity audiences. It will move toother regional museums and galleries. An experimentalwebsite version is at http://www.thedark.net/.

Stagework is delivered through a website(www.stagework.org.uk) produced by the National Theatre and selected regional theatres. It aims to increaseunderstanding of theatre as a creative industry and to makeyoung people aware of its career possibilities. Stageworktakes visitors to the website behind the scenes to understandthe process of creating a theatre production. Productionsinclude His Dark Materials, Henry V and Beauty and theBeasties. Stagework supports Key Stages 3 and 4 of theNational Curriculum in English and Drama, Citizenship,Religious Education, Performing Arts, ICT andCommunication Skills.

'That's the beauty of this simpleand effective installation: you createall the drama and all the horror'.

Hermione Eyre, Independent onSunday, 21 March, 2004

Adrian Lester as the King in theNational Theatre's modern dressHenry V.

The Department for Culture, Media and Sport's Culture Online programme shows how working withpartners to manage risks can help deliver innovative projects by:

� supporting arts bodies to establish risk management processes that increase the likelihood of innovativeprojects delivering;

� helping commissioned arts bodies to identify risks and put contingency plans in place;

� establishing a blame free culture in which all partners can discuss risks openly; and,

� cascading risk management expertise through the Department so others can benefit.


8

Dep

artm

ent f

or C

ultu

re, M

edia

and

Spo

rt: C

ultu

re O

nlin

e


4 Project start up was slower than expected, mainly due tothe time needed to design processes appropriate toGovernment, to produce standard contracts and toobtain legal advice on procurement and intellectualproperty rights issues. These aspects are now in placeand can be replicated for other similar commissioningexercises by the Department.

Key risks5 Key risks for Culture Online include:

� convincing arts bodies to want to work in a new waythat involves commissioning products rather thanproviding grants, with more complex legalrequirements and paperwork than they were usedto, run by people with industry knowledge whocould challenge their budgets;

� allocating its funding in the time available;

� reaching its target audiences - people who wouldnot usually participate in arts and cultural projects;

� developing innovative projects using technology inpreviously untried ways;

� ensuring the quality and timely delivery of theproducts it has commissioned; and,

� ensuring that expertise built up within Culture Onlineis not lost to the Department at the end of programme.

How these risks are managed 6 Risk reporting is through two levels of risk register -

individual project registers and a programme register forCulture Online overall. The Culture Online risk register isreviewed fortnightly.

7 To maximise the likelihood of the arts bodies it contractswith delivering what it has commissioned, Culture Onlineinputs time and technical expertise at the contractingstage and insists that contractors do a thoroughassessment of risks to delivery before the contract issigned. Culture Online vets shortlists of key sub-contractors involved in the project and approves thenature of all subcontracts. The Culture Online team alsoworks with project teams to produce contingency plans toaddress potential problems, such as broadcasters andother bodies outside the project dropping their support.

8 To secure funding, arts bodies often have to convincepotential funders that they are capable of managing theideas they are proposing. In the development stages, itcan be difficult for arts bodies to be open about the risksassociated with their projects. Culture Online sometimeshas to educate arts bodies in its new way of working,where partners are encouraged to identify risks ratherthan play them down.

WebPlay UK3

WebPlay UK is an Internet-based project enabling primary school children from urban and rural areas towork with a professional theatre company to create, produce and perform short plays about the area inwhich their partner school is based. The plays are digitally videoed as the children perform them, and thenuploaded onto a specially created secure website for the partner schools to view. The project ends with acelebration in each of the different areas, involving pupils, families and teachers. WebPlay UK helpschildren to learn to build web pages, write about their lives and describe where they live, within the safetyof a secure, educational platform. The project was launched with schools in Birmingham and Shropshireand is aimed at Key Stage 2 pupils. It focuses on the English, literacy, ICT and drama aspects of theNational Curriculum. For many of the schoolchildren, WebPlay UK is their first introduction to the Internetand the project aims to develop their awareness of, and skills in, using the Internet as a means ofcommunication. WebPlay UK completed its first year in July 2004, with 180 children from six schoolstaking part. In the second year of the project, this will rise to 30 schools from Birmingham, Shropshire,Nottinghamshire and Leicestershire. Schools are selected using a Department for Education and Skills'indicator of social deprivation - the number of children receiving free school meals. Children participate in the project twice a week for 45 minutes each session.

MadforArts4

MadforArts is a project that aims to give a voice to users ofmental health services, among the most marginalised peoplein society. The project provides access to a microphone,digital camera, web space and structured support to create awebsite gallery of mental health services users' views andcritiques of works of art, music, sculpture and architecture.The project will be launched regionally; with the best twelvecontributions being made into films and featured on TheCommunity Channel, which is owned by The Media Trust, anot-for-profit channel broadcast on satellite and cable. Five ofthe twelve films will also be shown on Channel Five, therebyencouraging more people to take part online.

9

Dep

artm

ent f

or C

ultu

re, M

edia

and

Spo

rt: C

ultu

re O

nlin

e


Plant Cultures5

Plant Cultures is a website about plants that draws on apartnership of botanical experts, museums, libraries and localcommunities to gather information about the significance ofplants in different communities. Taking the communities ofSouth Asia as a starting point, the site uses oral history, finearts, and demonstrations of arts and crafts to bring to life thedifferent ways in which plants are used. At least 1,500 imagesof rare prints, paintings and artefacts, many never exhibitedbefore, will be made available on the website. Partnermuseums will run events and workshops to introduceparticipants to the Plant Cultures project, including visits to botanical gardens and handling sessions with museumobjects. The Plant Cultures project will gather anecdotes,folklore and examples of art and crafts that are becoming less accessible as attitudes change and generations grow upsurrounded by other cultures.

Illustration of Mango by Charles Maries 1886 - Kew Library

9 To obtain the products it has commissioned, during thedevelopment of the project the Culture Online team hasregular meetings with contractors to check on progressand that any products meet 'acceptance tests'.

10 To gear projects towards its target audience of hard toreach users, Culture Online pays projects more forreaching members of the public who do not normallyparticipate in cultural activities. To determine how toreach its target audiences, at the start of the programmeCulture Online commissioned a report from the LondonSchool of Economics' Centre for the Analysis of SocialExclusion to advise on its intended value for moneytargets.4 Culture Online is currently working with CityUniversity's Centre for Human Computer InteractionDesign on how to make its projects accessible for peoplewith disabilities.

11 Each Culture Online project must include a strategy forreaching its hard to reach audience and one of the partnerbodies in the project must have regular access to thetarget group. MadforArts, for instance, reaches mentalhealth service users by working with Rethink, MentalHealth Media, drop-in centres and networks for thoseinvolved in mental health issues. Plant Cultures reachesolder Asian participants in the Midlands by working withsmall community groups.

12 To increase the likelihood of successful delivery, CultureOnline controls the level of risk exposure for each projectby aiming to ensure that risks are not taken on all frontssimultaneously by, for instance, avoiding using untriedtechnology in projects that involve complex intellectualproperty rights and licensing negotiations.

13 The Department's overall approach to risk management isto integrate risk management techniques with projectmanagement and to use the project based approachacross increasing areas of the Department's work,including policy-making. Culture Online is designed totake this approach forward and to provide a lead in riskmanagement practice in the Department. The risk thatCulture Online's expertise will be lost when theprogramme finishes is being addressed by setting upworkshops for staff of the Department for Culture, Mediaand Sport and of other departments who deal withcommissioning from non-departmental public bodies orthe procurement of consumer services with an IT or newmedia component.

Lessons learned14 Culture Online has demonstrated effective risk

management by:

� Supporting arts bodies to establish risk managementprocesses that increase the likelihood of innovativeprojects delivering.

� Using a thorough risk assessment and projectplanning process to help commissioned bodiesidentify risks and put contingency plans in place.

� Establishing a blame free culture in which all partnerscan discuss risks openly.

� Cascading risk management expertise through theDepartment so others can benefit.

4 Culture Online: Removing Barriers to Participation in the Arts and Culture, Francesca Borgonovi, Centre for Analysis of Social Exclusion, London School of Economics, 2003.

10

Dep

artm

ent f

or C

ultu

re, M

edia

and

Spo

rt: C

ultu

re O

nlin

e


Culture Online staff and contractor focus group participants' perceptions of risk management in Culture Online - Risk management supports innovation

6


5= strongly agree

NOTES

1 Two focus groups were conducted, one with staff and another with the Unit's contractors. Responses for staff and contractors are plotted separately.

2 Participants were asked to complete a short questionnaire on the extent to which they agreed or disagreed with statements about risk management within the Department. The Figure summarises the results of these key measures. The scale ranges from 1 at the centre (the most negative score) to 5 at the edge (the most positive score). The Figure compares staff and contractors' responses with the average for all participants in the focus groups across the case study departments. The Figure is based on small sample sizes and the results it presents are indicative of Culture Online only.



Prioritising risks

Supports innovation








All case study departments (mean) Culture (internal) Culture Contractors

5

4

3

2

1


Staff at Culture Online see the Programme as risk taking and were positive about all aspects of its management of risk. Contractors were less convinced of the benefits of Culture Online's risk management processes, particularly with regard to achieving outcomes and agreeing that there was a common understanding of risk between themselves and Culture Online. Contractors recognised however that risk management supported innovation and that there were effective contingency plans in place.

11

Dep

artm

ent o

f Tra

de a

nd In

dust

ry: C

oal L

iabi

litie

s U

nit

Case Study Department of Trade andIndustry: Coal Liabilities Unit

1 The Department of Trade and Industry (DTI) works withemployers, consumers and businesses, to drive UKproductivity and competitiveness by facilitatingpartnerships between business, employees, consumers,unions, the scientific community and the government. Itaims to promote a legal framework encouraging bothenterprise and innovation, ensuring consumers,companies and employees receive a fair deal. TheDepartment has 4,300 staff; its expenditure for 2003-04was £8.3 billion.

2 Following the break up of British Coal, under the terms ofCoal Industry Act 1994 the liabilities of British Coaltransferred to the Department on 1 January, 1998. Aroundthat time British Coal was found liable in two major courtcases for compensation for damage caused to minersthrough exposure to dust and excessive use of vibratingtools. The courts instructed the Department to work withtwo co-ordinating groups of solicitors representing theminers to draw up arrangements for handling largevolumes of claims. The Coal Liabilities Unit was thereforeformed to negotiate Handling Arrangements and toprocess ex-miners' health compensation claims undertwo major personal injury schemes covering VibrationWhite Finger and Chronic Obstructive PulmonaryDisease. The Unit also deals with other health claimsoutside the two big schemes and with the non-healthliabilities of British Coal. The Department experiencedsignificant problems initially due to the complexity of theschemes, which reflect closely what a claimant would beentitled to at common law, the fact that no similarschemes had been run to provide a template, and ageneral underestimate by all parties involved, includingsolicitors representing ex-miners, of the volume ofpotential claims. In the early stages of the scheme, slowprocessing of claims led to criticism by Parliament and bythe media.

3 The Vibration White Finger scheme closed on 30 October 2002 for live claimants, and 31 January 2003for widows and estates of deceased claimants, and theChronic Obstructive Pulmonary Disease scheme on 31 March 2004. Rather than generally acceptedestimates of tens of thousands of claims, around684,000 claimants have registered over both schemesand some £2 billion compensation has been paid to claimants so far. The Department is payingcompensation of around £2.5 million every working dayand expects to pay out some £7 billion in total. Theseare the biggest personal injury schemes in British legalhistory and, possibly, the world.

4 The Coal Liabilities Unit retains overall managementresponsibility for the liabilities, but the schemes areoperated by a network of contractors, including Capita-IRISC for the processing of claims and payment ofcompensation, and Capita Health Solutions and AtosOrigin for medical assessments. A national monitoringgroup, chaired by the Department's Minister withresponsibility for coal health liabilities, monitors thedelivery of the schemes as seen from the miningcommunities and advises the Minister on this.

Key risks5 These include:

� slow processing of claims leads to distress forclaimants and their families and damages thereputation of the Department; especially given theage of some claimants and media interest in the issue;

� managing a complex delivery network;

� poor controls lead to delays, fraudulent claims orerrors in payments.


The Department of Trade and Industry's Coal Liabilities Unit demonstrates the use of risk management toset up and manage large and novel projects with multiple partners by:

� thinking about risk so that it becomes an integral part of day to day project management andcommunications between all relevant parties;

� establishing positive and open relationships with key stakeholders;

� allowing time and sufficient resources for risk management; and,

� being prepared to take calculated risks.

12

Dep

artm

ent o

f Tra

de a

nd In

dust

ry: C

oal L

iabi

litie

s U

nit


How these risks are managed6 There is a structured risk management process focused

around risk registers. Each part of the claims process istreated as a project with its own risk register, which iscreated through brainstorming and is managed throughregular project/contract meetings. Following the initialdevelopment of the project risk register, key risks withhigher level implications are escalated and placed on theGroup level risk register where appropriate.

7 Within the Department as whole, risk champions areresponsible for escalating risks up the management lineand increasing awareness of the risks and of riskmanagement. The head of the Coal Liabilities Unit is arisk champion.

8 Risk is an item on the agenda of all monthly meetingsbetween the Unit and its main contractors. This promptsboth parties to assess their progress on an action log andto think about current and future risks. Every four months,the Unit's senior management meet to go through thecombined risk registers to review progress onmanagement of risk and report changes to seniormanagement up the line.

9 The Unit has created a 'no blame' risk managementculture that encourages openness and sharing ofknowledge and experience.

10 Each new contractor is required to participate in a risksworkshop to establish the risk management principles towhich the Unit works, to identify and prioritise key risksfor the Unit and the contractor, to agree responsibility formanaging risks and to identify and assess controls. TheUnit also holds regular risk workshops to considerspecific risks, such as the identification of fraudulentclaims, how partners can work together to share goodpractice, and identifying new trends.

11 The Unit's claims handler, Capita-IRISC, has SolicitorLiaison Officers among whose key responsibilities aremonitoring and managing operational issues associatedwith individual claimants' solicitors. The Unit hostssolicitor days to update major solicitors about progresswith the schemes.

12 The risk, to claimants and to the Department's reputation,of slow processing of claims is being addressed byseeking to reduce the time taken to complete specificstages of the claims process and to speed up the volumeof claims processed. The Unit has set up a website toenable claimants' solicitors to complete claims formselectronically, to agree claims details online and to seethe progress of claims. This was a calculated risk in thatthe Unit was ahead of standard practice for solicitors'offices and was advised that solicitors would be unwillingto work through a website - which has not proven to bethe case.

13 The Unit has a very close relationship with internal auditin the Department to help ensure that risks are beingmanaged in a transparent and consistent way. The Unit'sStrategic Audit Framework is built around the key risks toeffective delivery and mitigating actions on key risks areaudited to ensure that risk management processes put inplace are sound.

Lessons learned14 The Coal Liabilities Unit has demonstrated effective risk

management by:

� Thinking about risk so that it becomes an integral part of day-to-day project management andcommunications between all relevant parties.

� Establishing positive and open relationships with keystakeholders and a culture free of blame, so staff andcontractors can highlight their concerns.

� Allowing time and sufficient resources for riskmanagement so that risk registers become part ofroutine management.

� Keeping risk management simple, user-friendly, andflexible.

� Avoiding complacency and continuing to refine anddevelop risk management.

� Being prepared to take calculated risks.

13

Dep

artm

ent o

f Tra

de a

nd In

dust

ry: C

oal L

iabi

litie

s U

nit


Coal Liabilities Unit staff and contractor focus group participants' perceptions of risk management in theUnit - Staff and contractors have a shared view of risks

7


5= strongly agree

NOTES

1 Two focus groups were conducted, one with staff and another with the Unit's contractors. Responses for staff and contractors are plotted separately.

2 Participants were asked to complete a short questionnaire on the extent to which they agreed or disagreed with statements about risk management within the Unit. The Figure summarises the results of these key measures. The scale ranges from 1 at the centre (the most negative score) to 5 at the edge (the most positive score). The Figure compares staff and contractors' responses with the average for all participants in the focus groups across the case study departments. The Figure is based on small sample sizes and the results it presents are indicative of Unit only.



Prioritising risks

Supports innovation








All case study departments (mean) DTI (internal) DTI Contractors

5

4

3

2

1


Coal Liabilities Unit staff considered their Unit to be risk taking. Coal Liabilities Unit staff and contractors were positive about all aspects of risk management and shared similar perceptions of the Unit's risk management arrangements.

15

Nat

iona

l Sav

ings

and

Inve

stm

ents

Case Study National Savings and Investments

1 National Savings & Investments (NS&I) is one of thelargest savings organisations in the UK, offering savingsand investment products to personal savers andinvestors. It is also a Government Department,accountable to the Treasury, and an Executive Agency of the Chancellor of the Exchequer. The money whichcustomers place is used by HM Treasury to help managethe national debt cost effectively; contributing towardsthe Government's financing needs. NS&I's back officefunctions are delivered entirely by Siemens BusinessServices (SBS). Post Office Limited provides NS&I'smain distribution channel.

2 The government sets NS&I's objectives. Currently, thesingle strategic objective is to provide retail financing forthe Government that is cost effective in relation tofinancing raised on the wholesale market. The ChiefExecutive, as Accounting Officer, assisted by the Boardand the Executive Management Team, is responsible fordefining and directing NS&I's business strategy andpolicies to achieve the objective, and for developing aculture and environment that are conducive to thesuccessful implementation of the strategy.

Key risks3 Key risks for National Savings and Investments include:

� failing to ensure Siemens Business Services areincentivised to deliver the operational service in waysthat enable NS&I's business to develop;

� too great a reliance on one product - Premium Bonds;

� too great a reliance on the Post Office as the maindistribution channel;

� competition from other financial institutions,especially the Bank of Ireland;

� failing to fulfil ever-changing customer needs andexpectations;

� IT modernisation;

� fraud.

How these risks are managed4 NS&I structures its risk management around a series of

risk registers. Each of the '13 key risks' for the business isowned by an Executive Director. Business Unit Leaders atmiddle management level have recently assumedresponsibility for the management of the sub-risks thatmake up the key risks. Where appropriate, SBS managerscan be sub-risk owners and responsible for the delivery ofrisk mitigation actions. Risks are reviewed six monthly atBoard level, every three months by the ExecutiveManagement Team and the Audit Committee, and on anongoing basis at Business Unit Level. Risk is also astanding item on monthly Executive Management Teamagendas. Individual projects have their own risk registers,which feed upwards to the main registers. All jointNS&I-SBS projects have joint project teams. Internal Auditis asked to help develop the risk registers.


National Savings and Investments shows how risk management can support well managed risk taking andworking with private sector partners by:

� combining the best of private sector risk management with public sector controls;

� assigning clear responsibilities for risks and sub-risks at all levels of the management chain; and,

� conveying commitment to risk management at the top of the Department.

16

Nat

iona

l Sav

ings

and

Inve

stm

ents


5 NS&I integrates risk reporting with other performancemanagement information in a 'Balanced Scorecard' tiedto its objectives and uses this to highlight emerging risks.To embed risk management further down themanagement chain, in 2004-05 NS&I is introducingexplicit identification of risks within the businessplanning process.

6 NS&I's risk management structures and leadership fromsenior management have created openness about risk anda 'no blame' culture that has encouraged staff to alertdecision-makers to new risks and to report changes inrisks early.

7 NS&I is currently piloting the LEAN businessimprovement methodology, which will help identify and confirm the risks within operational processes andthe mitigation strategies in place.5 The Audit Committeehas agreed that Internal Audit will then review the risks identified.

8 NS&I needs to understand the operating risks identifiedand managed by Siemens Business Services and to satisfyitself that these are in line with the NS&I business strategyand not out of line with its risk tolerances. To discharge itsmonitoring role, the Board's primary sources of assuranceare the management structures and processes put in placeto deliver the business strategy. This is supported andchallenged by Internal Audit, directed on behalf of theBoard by the Audit Committee. The Joint Audit and RiskManagement Committee provides a cross-business forumfor sharing information on risk between NS&I and itsprimary partner Siemens Business Services.

9 A key element of NS&I's joint risk management with SBSis to ensure good communication between the partners atall levels. In addition to day to day working relationships,at the highest level there are contacts with seniormembers of Siemens AG, SBS UK and the SBS-NS&Iaccount, meets twice yearly to align NS&I and SBSinterests; and a range of joint groups and committees,covering all aspects of the NS&I business which togetheraim to ensure there is good communication andexchange of views and information. In addition, both theNS&I Executive Management Team and the SeniorManagement Team have SBS representation.

10 The initial SBS contract represented a high risk for NS&Iin that it was a pioneering outsourcing operation andremains one of the largest undertaken by a UKgovernment department. The initial contract ran at a lossto Siemens and to mitigate the risk for NS&I of servicedelivery failure if Siemens withdrew from thepartnership, NS&I has worked with SBS to align theinterests of both partners so that SBS can benefit fromNS&I business growth.

11 To keep abreast of changing financial markets and tokeep and increase its customer base, NS&I has a newproduct development team that is encouraged to takewell managed risks to innovate. In 2004, NS&I launcheda major new account - the Easy Access Savings Account- and is in the process of closing the National SavingsOrdinary Account.

12 To maintain customer satisfaction, IncidentManagement Teams of staff from NS&I and SBS meetquickly to address any serious customer complaints andto take mitigating action, as well as diagnosingproblems so they do not recur.

13 NS&I has contingency plans for scenarios that representmajor business risks, such as the end of the contractwith the Post Office, IT systems failures and customerservice complaints.

14 NS&I is seeking to reduce its dependence on Post OfficeLimited, whose recent partnership with the Bank of Irelandgives it the potential to market products which wouldcompete with those of National Savings and Investments.NS&I is addressing this risk by developing its website andits call centre to deal with direct sales and is increasingmarketing through mail shots through third parties.

15 To address weaknesses in elderly IT systems, thepartnership with SBS is enabling NS&I to migrate itsproducts onto a commercial IT system for bankingproducts. The most recent transfer was of the PremiumBonds database with records for 23 million customers,representing an investment value of £24 billion - one ofthe biggest databases of its kind to be migrated. Internalaudit were heavily involved in developing the risk registerfor the project. To mitigate the risk to its reputation andpotential loss of sales if errors were made, NS&I timed themigration for the Easter weekend, when fewer peoplewould be making transactions, held back on marketingcampaigns for Premium Bonds to reduce pressure on itspartner SBS, and undertook six months of parallel runningof the new system before the go-live date.

5 "LEAN" is a process improvement tool first developed by Toyota and now applied in administrative environments. It focuses on employees identifying andeliminating waste from processes and working practices.

17

Nat

iona

l Sav

ings

and

Inve

stm

ents


16 The contract with SBS provides a cap on NS&I's annualexposure to product fraud and until 2004; NS&Iconsidered fraud to be more of a reputational rather thana financial risk. The launch in 2004 of the Easy AccessSavings Account and its automated teller machine (ATM)cards has introduced a new level of financial risk. Newfraud monitoring arrangements include the use of specialsoftware to run checks between the addresses of accountholders and debit cards.

Lessons learned17 National Savings and Investments has demonstrated

effective risk management by:

� Combining the best of private sector riskmanagement with public sector controls can changea department's culture from a conservative one to onethat takes well managed risks.

� Using risk as a basis for decision-making turns riskmanagement from a form-filling exercise to a way ofthinking, supported by a reporting structure.

� Assigning clear responsibilities for risks and sub-risksat all levels creates personal responsibility and allowsrisk management to be practised throughout thedepartment - not just at director level.

� Conveying commitment to risk management at the top of the Department and implementing it in all Departmental activities is supported when a 'noblame' culture is created that encourages riskreporting.

� Allocating time to risk management is necessary ifrisks are to be identified and managed well.

18

Nat

iona

l Sav

ings

and

Inve

stm

ents


National Savings and Investments focus group participants' perceptions of risk management - Risk management has supported well managed risk taking

8


NOTES

1 Two focus groups were conducted at National Savings and Investments, one with staff in the marketing and product development area of the business and one group of staff dealing primarily with provision and continuous development of services to customers.

2 Participants were asked to complete a short questionnaire on the extent to which they agreed or disagreed with statements about risk management. The Figure summarises the results of these key measures. The scale ranges from 1 at the centre (the most negative score) to 5 at the edge (the most positive score). The Figure compares National Savings and Investments' responses with the average for all participants in the focus groups across the case study departments. The Figure is based on small sample sizes and the results it presents are indicative.



Prioritising risks

Supports innovation








5= strongly agree 1= strongly disagreeAll case study departments (mean) NS&I

5

4

3

2

1

National Savings and Investments managers considered that risk management supported innovation and that they had clear procedures for reporting risks and effective contingency plans.

19

Offi

ce fo

r N

atio

nal S

tatis

tics

Case Study Office for National Statistics

1 The Office for National Statistics (ONS) is a GovernmentDepartment and Executive Agency created in April 1996from the merger of the Central Statistical Office with theOffice for Population, Censuses and Surveys. The Officefor National Statistics is responsible for producing a widerange of key economic, business and social statistics,including the Census, Index of Services and the RetailPrice Index, which are used across government todevelop evidence-based policies and to trackperformance against them. The Office also builds andmaintains data sources for its business and researchcustomers, as well as for its own use. The Office alsoincorporates the General Register Office for England andWales. The Office employs around 3,800 staff in London,Newport, Southport and Titchfield, plus up to 1,000 fieldstaff working on social surveys. Its net total expenditurefor 2002-03 was some £139 million and it publishessome 500 surveys and other data sets each year.

2 The Minister responsible for National Statistics is theChancellor of the Exchequer. The National Statisticianhas overall responsibility for the professional integrityand statistical quality of the all the Office's outputsdesignated as 'National Statistics' and for ensuring thatthey are produced in accordance with the standards setout in the National Statistics Code of Practice andsupporting protocols. Key principles of the NationalStatistics Code of Practice are that National Statisticswill be:

� valued for relevance, integrity, quality andaccessibility;

� produced in the interests of all citizens by protectingconfidentiality, and balancing the needs of usersagainst the burden on providers; and,

� enhanced through integration, accumulation andinnovation, and by efficiency in costs, and fairnessin prices.

3 Data services delivered by the Office for NationalStatistics inform economic policy-making, Bank ofEngland decisions on interest rates, and decisions madeby institutions in the financial markets. Otherdepartments also use the Office's data, for example toallocate resources to address the need for housing. TheOffice also provides data that citizens can use to assessthe work and performance of government. The Office forNational Statistics is the most published governmentdepartment.

4 The Office considers itself to be risk averse in its core business of producing statistics, where accuracy is paramount.

Key risks5 These include:

� maintaining relevance: the Allsopp Review (2004)6

identified that the Office was good at measuringproduction but less good at measuring the economicimpact of service provision, which is now consideredto be a more important indicator of UK economicbuoyancy; the changing socio-economic climate canimpact on the priorities of the Office's customers - forexample, migration and pensions data have recentlytaken on much greater importance;

� maintaining quality: the Office for NationalStatistics' data sets inform significant decisions ingovernment, business and the wider community.Error in a data set can have serious economic andsocial consequences and creates risk contagion, inthat it damages the credibility of the 'NationalStatistics' brand;


The Office for National Statistics shows how risk management can be used to minimise risk in anenvironment that is highly dependent on accuracy and timeliness by:

� communicating from the top of the Office commitment to risk management;

� creating clear channels of communication about risk; and,

� applying project management risk principles to a wide range of departmental activity.

6 Review of Statistics for Economic Policymaking - Final Report to the Chancellor of the Exchequer, the Governor of the Bank of England and the National Statistician, Christopher Allsopp, HM Treasury, 2004.

20

Offi

ce fo

r N

atio

nal S

tatis

tics


� maintaining objectivity: data are used to make keyeconomic, social and business decisions and anydelays in publication are risks to the Office'sreputation as a timely provider of data and can raisepublic and media suspicion that data publicationmay be subject to political pressure;

� maintaining confidentiality: data collection andpublication is based around a high level of publictrust which must be seen through protecting theconfidentiality and security of individual responses;

� the Office was allocated £75 million in the SpendingReview 2002 for a Statistical ModernisationProgramme involving putting in place new methods,standards and processes and the IT systems todeliver them. Major risks associated with the projectare those for any large IT project - project overspendand overruns, plus risks associated with softwareinnovations needed by the Office's specificstatistical needs.

How these risks are managed6 The Office has established a risk management structure

with a database and a common risk register. As well asindividual project risk registers, all projects have beenbrought together on a special database that gives anoverview of the Office's project risk portfolio. 'Business asusual' routine surveys are increasingly being treated asongoing projects, using project management techniques.

7 There is a monthly reporting system from DivisionalDirector level up to heads of Directorates, whichprovides channels of communication to raise risks at thetop of the Office. This is supplemented by a weeklymeeting of Executive Directors at which immediate risksare discussed. Quarterly, the Office management boardidentifies corporate risks and project progress andincludes an analysis of emerging risks.

8 A Risk Task Force co-ordinates cross-cutting risks -financial management, IT, human resources, facilitiesand business continuity - across the Office. The TaskForce has a communication link to the Chief Executive.The Risk Task Force is chaired by an Executive Directorand member of the Office Management Board. ONSalso has a Policy Board, on which sit three non-Executive Directors, two of whom are on the ONS AuditCommittee, one of them chairing it.

9 The Office has appointed a Director of Quality and RiskManagement who has a risk management groupreporting to him. The risk management group isresponsible for risk registers, developing riskmanagement and training. The Director of Qualityworks with the Finance Director in the preparation ofthe Office's Statement on Internal Control. If problemsemerge, for instance when errors were made on theRegional Gross Domestic Product (GDP) figures, theDirector can carry out troubleshooting 'audits' with thestaff involved to analyse what went wrong and to workwith them to prevent recurrences.

10 The existence of risk registers and leadership from seniormanagement to demonstrate that early reporting of risksis imperative has encouraged staff to be proactive inmonitoring how risks are changing and to report anychanges so action can be taken promptly.

11 To manage the risks arising from the complexity and sizeof the Modernisation Programme, which is greater thanany change programme previously implemented withinthe Office, a phased delivery programme has been set upwith specific performance targets and each phase isstructured into modules or projects to create clear projectspecifications, milestones and deliverable benefits.

12 A particular risk to the Office is the use of legacyprocesses where data error is more likely, such as thecomplex use of spreadsheets that would not now beconsidered fit for purpose. The Office has identified theprocesses most likely to be subject to error, and thesurveys that are most reliant on them, and is developingnew statistical tools to replace them. The first tools arebeing tested in 2004 and completion of the re-engineering is due in 2006.

13 In terms of users, the Office's website is one of the topten in the UK public sector. Usage is rising with theOffice moving increasingly to making data available tothe public electronically, including the data of the latest2001 Census. The Census has a high profile for theOffice as the largest single programme in NationalStatistics, with Parliamentary scrutiny of delivery andfinance. Aware of the overload problems experiencedby the Public Record Office when it posted the data ofthe 1901 Census forms on its website in January 2002,before publishing the Census 2001 data, the Officecontracted with the BBC, which has capacity to handlemillions of users daily, for use of their website. TheOffice published the Census 2001 data in August 2002,with some 90,000 users accessing data on the websitein its first week, easily within the technical capacity ofthe BBC site. Usage has since risen to 163,000 users aweek (March 2004).

21

Offi

ce fo

r N

atio

nal S

tatis

tics


Lessons learned14 The Office for National Statistics has demonstrated

effective risk management by:

� Communicating from the top of the Officecommitment to risk management and creating aclimate in which staff are encouraged to report bad news early so senior management can makedecisions and take action.

� Applying project management risk principles to awide range of departmental activity, not just one-off projects.

� Creating clear channels of communication about risk.

Office for National Statistics staff focus group participants' perceptions of risk management at the Office for NationalStatistics - Staff are confident about procedures for reporting risks

9


5= strongly agree 1= strongly disagree

NOTES

1 Two focus groups of Office for National Statistics staff were conducted, one with staff dealing with providing economic data and one group of staff dealing with social statistics.

2 Participants were asked to complete a short questionnaire on the extent to which they agreed or disagreed with statements about risk management. The Figure summarises the results of these key measures. The scale ranges from 1 at the centre (the most negative score) to 5 at the edge (the most positive score). The Figure compares the Office for National Statistics' responses with the average for all participants in the focus groups across the case study departments. The Figure is based on small sample sizes and the results it presents are indicative.


All case study departments (mean) ONS


Prioritising risks

Supports innovation








5

4

3

2

1

ONS staff were confident that there were now procedures in place for reporting risks.

23

Prud

entia

l plc

Case Study Prudential plc

1 Prudential plc is a leading international financialservices company with operations in the UK andEurope, Asia, and the United States and some 16 millioncustomers, policy holders and unit holders and 20,000employees worldwide. The company operates fivebusiness areas - Prudential UK, its life and pensionsprovider; M&G, its fund management businessresponsible for managing over £111 billion of funds; Egg, its internet based bank with over three millioncustomers; its US operation Jackson National Life, a lifeinsurance company; and Business Asia, incorporating 23 businesses in 12 countries serving some 5 millioncustomers. Total profits for 2003 were £359 million.

Prudential's approach to risk management2 A significant part of the Group's business involves the

acceptance and management of risk. The Group's riskmanagement model requires the primary responsibilityfor risk management at an operational level to rest withbusiness unit chief executives. The second line ofdefence of risk comprises oversight functions reportingto the Group Chief Executive together with business unitrisk functions and risk management committees. Thethird line of defence comprises independent assurancefrom Internal Audit reporting to business unit and GroupAudit Committees.

Initiatives to make risk managementmore effective3 Since our previous report, the company has developed

and deepened its approach to risk and has sought toembed risk management and risk reporting in routinemanagement processes, through:

� Dedicating senior management time and expertiseto build effective risk reporting processes.The Group Risk Committee is chaired by the GroupFinance Director and its members includerepresentatives of the business units and Groupfunctions who have input into the operation of theGroup Risk Framework. The Group Risk Committeeis the senior management forum responsible for theoversight of the Group Risk Framework across thebusiness units and Group functions, includingmonitoring operational risk and related policies andprocesses as they are applied throughout the Group.

� Establishment of a Group Asset Liability Committeeduring 2003. Its membership includes business unitand Group Management involved in the operationof the asset liability, credit and insurance risksframeworks. The Group Asset Liability Committee isthe senior management forum responsible for theoversight of asset-liability mismatch, solvency,market, credit and insurance risks across the Group.The Group Asset Liability Committee reports to theGroup Chief Executive.

� Building formal common structures for riskreporting. The Group Risk committee reports to theGroup Chief Executive, who has overallresponsibility for the risks faced by the Group. TheGroup Risk Committee is supported in this role bythe Group Risk Function and the Risk Committeesand Risk Functions in each business units. Quarterlyrisk reports from the business units and Group arereported to the Group Risk Committee covering allrisks of Group Significance. Regular reports are alsomade to the Group and business unit AuditCommittees by management, internal audit,compliance and legal functions.

Prudential's experience shows how risk reporting, as part of routine management information, can helphighlight overall risks to the business; and the importance of clear accountability and challenge to testhow effectively risks are being managed.


24

Prud

entia

l plc


� Assessing risks according to scale and frequency.Risks are assessed in their scale and likely impact infinancial terms, for instance threats to revenue oropportunities for profitability. Assessing risks infinancial terms enables risk management effort andresources to be deployed according to the scale ofcapital involved.

� Identifying clear accountability for individual risks.Each of the risks on the company risk register has anowner who is accountable for monitoring and thequality of reporting on individual risks.

� Testing accountability. Senior risk owners - at middlemanagement level - are called periodically on a rollingbasis to report in person to the Group Operational RiskCommittee about the risks, which challenges theadequacy and integrity of risk controls and reporting.

� Analysing the broad portfolio of risk, assessing, inparticular, the likelihood of aggregation risks - risksarising in different areas which may present anoverall risk or opportunity for the business, andcontagion risks - which may arise in one businessarea but have the potential to affect the Prudentialbrand more generally.

� Recognising the need to promote controlled risktaking. Prudential has benefited from promotion ofgood practice across business and product areas todevelop its understanding of risk appetite andwillingness to take well managed risks.

Lessons learned4 The Prudential's approach to risk management indicates

that:

� Senior management commitment and time isessential for risk management to be effective. Thiscommitment provided the bedrock for buildingawareness and structures needed to encourage riskthinking by all staff. It has taken time (4-5 years) forrisk management to become a routine part ofmanagement practice.

� Clear accountability for individual risks helpsembed risk management practice. Accountabilityinvolves scrutiny of the 'quality of challenge' aboutthe risks being reported to senior management.Regular testing of accountability helps ensure that itis 'real' for those responsible for individual risks.

� Risk management reports should be a clearlydefined management information requirement. Forrisk reporting structures to be adequate andeffective, reporting requirements should be includedas part of a portfolio of management informationroutinely provided to senior management, which isrecognised as relevant information within businessunits - a centrally driven, prescriptive approach isunlikely to provide good quality risk reporting.

� A culture of openness encourages effective riskreporting. Individual staff need to be encouraged toreport risks, not hide them or ignore them. Effectivereporting of risks enables senior managers to identifythe potential for aggregation risks, which may havean impact across the Prudential group even if theydo not appear significant in individual businessunits, and contagion risks, which arise in onebusiness unit but have a potential impact on thebrand in other business units.

� Risk taking needs to be promoted by senior managersfor it to be encouraged as part of the culture. Formalreporting processes for risks are a supplement to theongoing dialogue about risk between the ChiefExecutive and senior managers. Risk reporting is partof the monthly portfolio of management informationprovided by senior management, but the paperexercise is supplemented by monthly meetings whichprovide the opportunity for face to face discussions ofrisks and how they are being managed.

25

Nom

ura

Case Study Nomura

1 Nomura Bank International plc is part of a financialservices group comprising subsidiaries in Japan andoverseas. Nomura Bank International provides a fullrange of investment banking services to clients in thepublic and private sectors. Services include theunderwriting, syndication and management of offers of all forms of securities, related products andspecialist advisory services across all aspects ofcorporate finance and investment banking. Its activitiesextend throughout Europe and into Africa and theMiddle East.

Nomura's approach to riskmanagement2 As in 2000 when we visited Nomura, risk processes are

embedded in Nomura's business. It also continues touse a matrix approach where the organisation isarranged along product and geographical lines, and a

capital allocation committee (the Chief Executive, theRisk Manager and one other senior manager) routinelyreviews each month as a standard item the main risksthe business is facing.

3 Like other financial organisations, Nomura has sought to strengthen its corporate governance with theappointment of Non-Executive Directors and theestablishment of an Internal Controls Committee, whichincludes a Non-Executive Director (Figure 10).

Initiatives to make risk managementmore effective4 The business is exposed to three types of risk - market

risk, from movements in the financial markets; creditrisk - the risk of creditors failing to meet commitments;and operational risks - which may be external, such ascomplying with regulatory requirements, or internal,


Nomura shows the importance of encouraging staff to be open about risks they are taking and to reportaccurate information about risks materialising so that senior managers are in a position to make decisionseither to increase or reduce corporate risk exposure.

Internal controls arrangement at Nomura Holdings10

Source: National Audit Office visits

Management of internal controls system

Audit Committee

Audit Mission Directors

Office of AuditCommittee

� Support staff for the Audit Committee and Audit Mission Directors

Nomura Holdings and its Subsidiaries

Management Business Risk Management Compliance

Internal Audit

AuditReport

Approval ofAudit Plan

Internal Controls Committee

Internal Audit Division

26

Nom

ura


such as trading losses resulting from individual traders'judgements or improved efficiency. The focus of riskmanagement has broadened and developed beyondmarket risk and increasing attention is being paid tocredit risk and operational risks. A portfolio approach isused to monitor daily exposure to the three types ofrisks. Nomura has developed its approach through:

� Assessing the impact of unexpected events. Astechnology for modelling and assessing risks infinancial markets has become more sophisticated,Nomura has recognised the need to become morealive to 'shock' events such as sharp changes in oilprices and tests the resilience of its risk managementapproaches by developing scenarios and modellingpossible market impacts.

� Continued encouragement to staff to be open aboutoperational risks. Modelling and analysis ofoperational risk relies on staff being open aboutreporting risks that they have taken, for exampletrading losses. To reinforce from the outset a blamefree culture, Nomura's induction trainingencourages staff to be open about the risks they arerunning and the mistakes/losses they make so thatsenior managers can take decisions either to reduceor increase corporate risk, based on reliable andaccurate information.

� Alertness to possible contagion risks. These canhave potentially extremely rapid impacts in financialmarkets (for example if a major investment fundwere to run out of capital this would precipitateadverse market movements). Contagion risks cannotbe managed out of the system but exposure to themcan be assessed by analysing in detail historicalperformance of funds and ensuring capital issufficiently diversified so that no one part of thebusiness is overly exposed to the possible contagion.

� Using management information about risk as aroutine part of business processes and reporting toassess the efficiency with which resources are beingutilised - whether the right resources are directed towhere the potential risk exposure is greatest.

Lessons learned5 Nomura's approach to risk management indicates that:

� Encouraging a culture which encourages staff toreport risks being taken puts managers in a positionto make better decisions on whether risk exposurecan be increased or decreased. This commitment ispromoted from the outset in induction training fornew recruits.

� Responses to risk should be continually refined inthe light of more up to date and relevantinformation. Building historical information aboutoperational and credit risk has helped Nomuraunderstand better the portfolio of risks it is exposedto and where it has the opportunity to take on morerisk. Capturing data from ongoing risk eventsoccurring has also helped promote learning fromexperience to inform future action.

� Testing of extreme or unexpected scenarios canhelp assess the impact on the business of risksmaterialising. Even though the pattern of historicalevents is not necessarily a guide to the future, 'stress testing' of models and systems can helpdevelop understanding of risk appetite to assesswhat actions need to be taken in response todifferent market scenarios, including exposure topossible contagion risks.

27

Gla

xoSm

ithK

line

Case Study GlaxoSmithKline

1 GlaxoSmithKline (GSK) was formed in January 2001 asa result of a merger between GlaxoWellcome andSmithKline Beecham. Headquartered in the UK andwith operations based in the United States,GlaxoSmithKline is one of the industry leaders, with anestimated 7 per cent of the world's pharmaceuticalmarket. The company has operations in 117 countries,with products sold in 130 countries. The major marketsfor the company's products are the USA, Europe andJapan. GlaxoSmithKline is a global leader in severaltherapeutic areas including respiratory, anti-viral,central nervous system, diabetes and vaccines. In 2003pre-tax sales were £21.4 billion and pre-tax profit was £6.3 billion and the company invested nearly £2.7 billion in pharmaceuticals R&D.

GlaxoSmithKline's approach to risk management2 Risk management is central to any large business, but

especially to a highly regulated, multinational, sciencebased business such as GSK. A robust internal controlenvironment mitigates but does not eliminate risk.Almost by definition, companies take risk to achievesatisfactory returns for shareholders. This is true for GSKin areas such as investment in acquiring new productsor businesses. In these cases, it is the company'sresponsibility to explicitly identify risks and then applyits expertise in the prudent management rather than theelimination of those risks. After the merger, GSK soughtto take the strongest aspects of both companies'corporate governance structures and create an internalcontrol framework that spans operations throughout theworld. The internal control framework includes centraldirection, resource allocation, and risk management ofthe key activities of research and development,manufacturing, marketing and sales, legal, humanresources, information systems, and financial practice.

Initiatives to make risk managementmore effective3 Clear principles and procedures designed to achieve

appropriate accountability and control are important inevery business. GSK has a corporate policy that definesits internal control framework and mandates thatbusiness units establish processes for managing riskssignificant to their businesses and GSK as a whole.Commercial and financial responsibility is clearlydelegated to local business units, supported by aregional management structure. These principles aredesigned to provide an environment of centralleadership coupled with local operating autonomy asthe framework for the exercise of accountability andcontrol within GSK.

4 In a number of risk areas, specific standards that meet orexceed requirements of applicable law have beenestablished. Specialist audit and compliance groupsassist in the dissemination and audit of these standards,while implementation is largely the responsibility of the operating units. Extensive financial controls,procedures, self-assessment exercises and riskmitigation activities are reviewed by internal auditors.All major audit and compliance groups report to theAudit Committee at least annually on the effectivenessof internal controls.

GlaxoSmithKline's approach to risk management demonstrates how risk management is successfullyintegrated into the business to provide challenge throughout the company.


28

Gla

xoSm

ithK

line


5 GSK's internal control framework also relies on the RiskOversight and Compliance Council (ROCC), whichreports to the Corporate Executive Team and the AuditCommittee, as well as on other business unit RiskManagement and Compliance Boards (RMCBs), to helpidentify risks and to provide guidance to the riskmanagement and compliance initiatives at the corporateand business unit levels. The ROCC is chaired by theCorporate Compliance Officer (CCO). Through theROCC, the company reviews and updates its assessmentof the risks affecting the business and the mitigationplans against these risks. While the ROCC has oversightof the risks deemed significant to GSK, each RMCBoversees risks important to its business or function, thusincreasing the active management of risks across thecompany. The CCO assists in the co-ordination of therisk management activities among the variouscompliance and audit functions across the company.

6 Using regular reports on the company's significant risksand on related internal controls, the Audit Committeereports to the Board annually on the effectiveness of controls.

Lessons learned7 GlaxoSmithKline's approach to risk management

indicates that management at every level must:

� Identify and assess their significant risks;

� Establish and communicate clear standardsregarding business conduct;

� Assign individual responsibility for establishingmitigation plans against their risks;

� Ensure that robust risk mitigation plans are in placeand operating effectively;

� Actively monitor mitigation plans with appropriatefeedback and upward reporting; and

� Continuously improve mitigation plans andprocesses that control significant risks.

29

Reu

ters

Case Study Reuters

1 Reuters (www.about.reuters.com), the global informationcompany, provides information tailored forprofessionals in the financial services, media andcorporate markets. Reuters information is used to drivedecision-making across the globe and customer trustdepends on Reuters ability to maintain its reputation for speed, accuracy and independence. Reuters staff total 14,700 across 92 countries, including some2,400 editorial staff in 197 bureaux servingapproximately 130 countries (July 2004). In 2003, theReuters Group had revenues of £3.2 billion.

Reuters approach to riskmanagement2 Reuters has embedded risk management into the

company's overall performance managementframework. Reuters has implemented a Mission Analysisprocess which is central to its annual business objectivesetting process. Risk identification and evaluation is anintegral part of defining the mission and objectives forbusiness units. Focusing on those risks that impact onmajor objectives helps Reuters to move away fromcatalogues of potential risks to identifying those thatneed active senior management input if the business is to succeed.

3 Business units are asked to identify risks by consideringwhat factors could prevent them from achieving their objectives. These could be related to resources(financial and human), capabilities (technology, people,processes), and structure/decision-making (availabilityof information, ability to make timely decisions).

4 Each major business unit is required to prepare andregularly update risk radars that classify risks by impact,likelihood and the effectiveness of management'sresponse. An overall risk profile for the company iscompiled on the basis of the key risks identified by thebusiness units. This company-wide risk radar isreviewed by the senior management committee, theAudit Committee and the Board.

5 Focusing on key risks enables Reuters to take strategicdecisions about how to deploy resources. A key risk forReuters, for example, is any failure of service continuityand disruption of services to clients. To address this,Reuters uses contingency and continuity planning toensure it can maintain delivery of its news and financialinformation services in the event of a crisis. Investmentin back up systems and other contingency investment,such as deployment of staff and arrangements forcontingency premises, is assessed and approved by aReuters investment committee.

Initiatives to make risk managementmore effective6 Since our previous report, the company has:

� Reviewed the risk management process in the contextof initiatives to improve business performance. Theanalysis of the company's approach to performancemanagement has identified opportunities to positionrisk as a further means of assuring business units areon track to achieve business objectives.

Reuters experience shows how focusing on risks that impact on major objectives helps to move awayfrom simple catalogues of potential risks to identifying those risks that need senior management actionfor the business to succeed.


30

Reu

ters


� Reviewed its approach to address the view that riskmanagement is a bureaucratic process. Reuters isreviewing and assessing its risk managementapproaches against those of other businesses toassess where it can improve and focus its riskmanagement efforts on risks which need mostattention, rather than risk management simply actingas a compliance mechanism.

� Demonstrated its preparedness in an emergencysituation. To maintain its position in the highlycompetitive news and financial information markets,Reuters devotes considerable resources to ensuringbusiness continuity in the face of disruptions anddisaster. On Thursday 13 August 2003, when asequence of power station failures and overloadscaused the biggest power failure in United States'history, Reuters used carefully prepared and testedcontingency plans to keep ahead of competitors andmaintain news and data service levels by switchingoperations around its network of global offices.

Lessons learned7 Reuters approach to risk management indicates that:

� Focusing on risks that impact on major objectivesdirects senior management attention to where it is needed. Reuters has sought to move away fromsimple catalogues of potential risks to identifyingthose that need senior management action for thebusiness to succeed. Risks should be concrete andspecific, not "the market collapses".

� Building on risk management strengths and learningfrom others can help develop a sound approach.Reuters recognises that it can apply lessons from itsown experience, together with learning from otherorganisations, to develop its approach to risk in away that does not become bureaucratic.

Date post:	20-Aug-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Case Studies Managing Risks to Improve Public Services · MANAGING RISKS TO IMPROVE PUBLIC...

Documents