
Managing Operational Risks through “Bow Ties”...and Rolls-Royce entered into a Deferred...

Date post: 31-Jan-2021
Transcript
  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control

    Managing Operational Risks through “Bow Ties”

    Peter Ralph, Enterprise Risk Manager

    28th Sept 2018

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control2

    “Risk Management” as a Bow Tie

    The Problem we face….

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control3

    Our Business

    • Operate in 50 countries, serving customers in 150.

    • ~£80bn order book

    • Spent over £1.3bn in R&D in 2017

    • File 600+ patents a year

    • Employ over 15,000 engineers

    • Total of 49,000 employees

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control

    Rolls-Royce – Pioneering the Power that Matters

    https://www.mtu-online.com/great-britain/applications/rail/?L=15

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control5

    Results Overview

    • £15Bn Revenue

    • £2.9Bn Gross Profit

    • £1.1Bn Net Profit

    Civil Aerospace dominates business

    Underlying Revenue Mix (chart): Civil, Power Systems, Defence Aero, Marine, Nuclear; shares shown: 53%, 19%, 15%, 7%, 6%

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control6

    Pioneering the Power that Matters Rolls-Royce pioneers cutting edge technologies that deliver the

    cleanest, safest and most competitive solutions to meet our planet’s vital power needs

    Our Long-Term Vision

    Build balanced portfolio

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control7

    Risk Management in Rolls-Royce

    Business Risk

    • At least one Risk Manager in each business

    • Dotted reporting line into the Head of ERM

    • Supported by risk points of contact and risk co-ordinators embedded in the business

    • Ensures risk activity takes place in the business

    Function Risk

    • At least one Risk Manager per corporate function

    • Dotted reporting line into the Head of ERM

    • Supported by risk co-ordinators that are either central to the function or embedded in the business

    • Ensures risks are identified in the function and reviewed in the business

    Central Enterprise Risk Team

    • Small central team led by the Head of ERM

    • Provides central focal point for all risk activities

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control8

    Group Principal Risks

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control9

    “Risk Management” as a Bow Tie

    The Consequences

  • Business sensitivity classification | © 2018 Rolls-Royce Business proprietary classification Export Control classification

    10

    £170M

    Consequences

    Financial, Legal, Safety & Reputational

    Cost of Trent 1000 & 900 in-service issues in 2017

    M

    “Following a four year investigation, the SFO and Rolls-Royce entered into a Deferred Prosecution Agreement (DPA) which was approved by Sir Brian Leveson”

    “The DPA enables Rolls-Royce to account to a UK court for criminal conduct spanning three decades in seven jurisdictions and involving three business sectors.

    The DPA involves payments of £497,252,645 (comprising disgorgement of profits of £258,170,000 and a financial penalty of £239,082,645) plus interest. Rolls-Royce are also reimbursing the SFO’s costs in full (c£13m).

    The investigation into the conduct of individuals continues.”

  • Business sensitivity classification | © 2018 Rolls-Royce Business proprietary classification Export Control classification

    11

    “Risk Management” as a Bow Tie

    The Root Causes

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control12

    Addressing Root Causes:

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control13

    Addressing Root Causes:

    • No Desire to Manage Risk

    • Improved Visibility
    • Rapid ‘Weakness’ Identification

    • No place to hide
    • Consistent Standard for Assurance

    • Greater Engagement

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control14

    Addressing Root Causes:

    • No Desire to Manage Risk

    • Complexity

    • Improved Visibility
    • Rapid ‘Weakness’ Identification

    • No place to hide
    • Consistent Standard for Assurance

    • Greater Engagement
    • Ease of Use = Understand Complexity

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control15

    Addressing Root Causes:

    • No Desire to Manage Risk

    • Complexity

    • Don’t Understand Risks

    • Improved Visibility
    • Rapid ‘Weakness’ Identification

    • No place to hide
    • Consistent Standard for Assurance
    • Risks are Structured

    • Greater Engagement
    • Ease of Use = Understand Complexity
    • Aligns to Risk Process

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control16

    Addressing Root Causes:

    • No Desire to Manage Risk

    • Complexity

    • Don’t Understand Risks

    • No ‘Controls’ Culture

    • Improved Visibility
    • Rapid ‘Weakness’ Identification

    • No place to hide
    • Consistent Standard for Assurance
    • Risks are Structured
    • Test the Things that Matter

    • Greater Engagement
    • Ease of Use = Understand Complexity
    • Aligns to Risk Process
    • Activity Focused (What are we doing?)

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control17

    Addressing Root Causes:

    • No Desire to Manage Risk

    • Complexity

    • Don’t Understand Risks

    • No ‘Controls’ Culture

    • Time Pressures

    • Improved Visibility
    • Rapid ‘Weakness’ Identification
    • Consistent Risks (Drive Improvement)

    • No place to hide
    • Consistent Standard for Assurance
    • Risks are Structured
    • Test the Things that Matter
    • Visible Best Practice

    • Greater Engagement
    • Ease of Use = Understand Complexity
    • Aligns to Risk Process
    • Activity Focused (What are we doing?)

    Stronger Risk Management

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control18

    “Risk Management” as a Bow Tie

    The Controls?

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control19

    Bow Tie as a 6 Step Process

    How to Undertake Bow Tie (& Realise the Benefits)

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control20

    Why define the risk?

    1. Define the Risk

    ▪ Driven by corporate priorities to manage the risk

    ▪ ‘Risk Owner’ defining the ‘Risk’ (or problem) they need to understand

    ▪ Defining the risk gives the opportunity to consider:

    ▪ What are the risks that ‘worry’ the organisation?

    ▪ Have we considered the right risk(s) to explore?

    ▪ How does the risk fit within the organisation?

    ▪ Reduce waste by focusing on what matters (without missing opportunities.)

    Risk Landscape

    Corporate Objectives

    Objective Enablers

    Risk Stream 1

    Risk Stream 2

    Risk Stream 3

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control21

    Creating our SME Network

    2. Gather Subject Matter Experts (SME)

    ▪ Understand:

    ▪ Who the SMEs are

    ▪ What their specialism is

    ▪ Where they are

    ▪ How they can interact

    ▪ Do gaps in our knowledge remain

    ▪ Getting the right people involved ensures:

    ▪ The right expertise is obtained

    ▪ All stakeholders are involved

    ▪ Knowledge is shared

    ▪ Knowledge gaps are recognised

    ▪ Communities are created

    ▪ Organisation diversity is understood (“We do things differently here because….”)


  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control22

    Why have a ‘Master’?

    3. Create Master Bow Tie

    ▪ Experts collaborate to establish what good ‘looks like’

    ▪ Organisation records ‘Good’ – It becomes the ‘Master’ Bow Tie

    Formalised development of the ‘Master Bow Tie’ enables:

    ▪ Consistent review of the risk to company standards

    ▪ Application of existing policies, processes, tools and training

    ▪ Cross organisation review of previous activity

    ▪ Consideration of industry best practice

    ▪ Access to resources and facilitation

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control23

    Defining what ‘Good’ is?

    4. Establish Tests

    ▪ Understand what we need to know

    ▪ Decide how we can obtain the information (and what will be sufficient)

    ▪ Establish who can be tested in the organisation

    Spending time developing tests is beneficial because:

    ▪ Control owners can decide what they need to understand (is the control present or ‘as described’? Or operating effectively (does this need evidence)?)

    ▪ Control owners can decide who can determine if a control operates effectively

    ▪ Asking the ‘right’ questions reduces the waste in getting results that don’t give the necessary insight

    • Do they know the business area well enough (Representative)?

    • Do they understand the control(s) well enough (Subject Knowledge)?

    • Do they know how the control is operated in their area (Effectiveness)?

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control24

    Measuring Effectiveness

    5. Create ‘Child’ Bow Ties

    ▪ Use tests to assess the organisation

    ▪ Test results create an individual ‘bow tie’ for a business area

    ▪ Individual ‘bow tie’ highlights strengths and weaknesses across the organisation

    At this stage the wider benefits of ‘Bow Tie’ become apparent:

    ▪ Knowledge spreads throughout the organisation

    ▪ Weaknesses, problems and issues become apparent

    ▪ The organisation becomes aware of how it is (or is not) managing risk

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control25

    Identify and Rectify the Weaknesses (STAR)

    6. Fix Issues

    ▪ Act on the information to improve the organisation

    ▪ Acting will require:

    ▪ Change

    ▪ Resource (People)

    ▪ Funding

    ▪ Confirm action has made the required difference

    Fixing the problem strengthens the organisation, but using a Bow Tie:

    ▪ Focuses on the best use of resources

    ▪ Identifies best practices and reduces waste across the organisation

    ▪ Allows for structured assessment of the improvement

    STAR

    Specific Timely Action on Risk


  • Business sensitivity classification | © 2018 Rolls-Royce Business proprietary classification Export Control classification

    26


    The Complete Bow Tie??

    “Risk Management” Bow Tie

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control27

    Future Steps in Bow Tie Development

    What Next

    ▪ Funding / Resourcing all our Fixes

    ▪ Ensuring learning is embedded (and activity is maintained)

    ▪ Enriching our controls with greater explanatory content

    ▪ Linking to our policies and standards

    ▪ Using our Incident data to tell us more

    ▪ Addressing ‘Spin-off’ & Lower Level Bow Ties

    ▪ Standardised Bow Ties for Common Themes (e.g. Human Factors)

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control28

    Closing Thoughts

    Summary

    ▪ Bow Tie is a powerful tool in managing operating risk

    ▪ We understand the risks we face and the extent of the risks

    ▪ We know who can help (and who is impacted) in our organisation

    ▪ We know the higher risks and the weak points

    ▪ We understand what we can do to reduce the risk

    ▪ We can take action to improve our business

  • Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control

    Thank You

