Non-Confidential| © 2018 Rolls-Royce Not Subject to Export Control
Managing Operational Risks through “Bow Ties”
Peter Ralph, Enterprise Risk Manager
28th Sept 2018
“Risk Management” as a Bow Tie
The Problem we face….
Our Business
• Operate in 50 countries, serving customers in 150.
• ~£80bn order book
• Spent over £1.3bn in R&D in 2017
• File 600+ patents a year
• Employ over 15,000 engineers
• Total of 49,000 employees
Rolls-Royce – Pioneering the Power that Matters
https://www.mtu-online.com/great-britain/applications/rail/?L=15
Results Overview
• £15Bn Revenue
• £2.9Bn Gross Profit
• £1.1Bn Net Profit
Civil Aerospace dominates business
Underlying Revenue Mix
• Civil: 53%
• Power Systems: 19%
• Defence Aero: 15%
• Marine: 7%
• Nuclear: 6%
Pioneering the Power that Matters
Rolls-Royce pioneers cutting edge technologies that deliver the cleanest, safest and most competitive solutions to meet our planet’s vital power needs
Our Long-Term Vision
Build balanced portfolio
Risk Management in Rolls-Royce
Business Risk
• At least one Risk Manager in each business
• Dotted reporting line into the Head of ERM
• Supported by risk points of contact and risk co-ordinators embedded in the business
• Ensures risk activity takes place in the business
Function Risk
• At least one Risk Manager per corporate function
• Dotted reporting line into the Head of ERM
• Supported by risk co-ordinators that are either central to the function or embedded in the business
• Ensures risks are identified in the function and reviewed in the business
Central Enterprise Risk Team
• Small central team led by the Head of ERM
• Provides central focal point for all risk activities
Group Principal Risks
“Risk Management” as a Bow Tie
The Consequences
Consequences
Financial, Legal, Safety & Reputational
£170M: Cost of Trent 1000 & 900 in-service issues in 2017
M
“Following a four year investigation, the SFO and Rolls-Royce entered into a Deferred Prosecution Agreement (DPA) which was approved by Sir Brian Leveson”
“The DPA enables Rolls-Royce to account to a UK court for criminal conduct spanning three decades in seven jurisdictions and involving three business sectors.
The DPA involves payments of £497,252,645 (comprising disgorgement of profits of £258,170,000 and a financial penalty of £239,082,645) plus interest. Rolls-Royce are also reimbursing the SFO’s costs in full (c£13m).
The investigation into the conduct of individuals continues.”
“Risk Management” as a Bow Tie
The Root Causes
Addressing Root Causes:
• No Desire to Manage Risk
• Complexity
• Don’t Understand Risks
• No ‘Controls’ Culture
• Time Pressures
• Improved Visibility
• Rapid ‘Weakness’ Identification
• Consistent Risks (Drive Improvement)
• No place to hide
• Consistent Standard for Assurance
• Risks are Structured
• Test the Things that Matter
• Visible Best Practice
• Greater Engagement
• Ease of Use = Understand Complexity
• Aligns to Risk Process
• Activity Focused (What are we doing?)
Stronger Risk Management
“Risk Management” as a Bow Tie
The Controls?
Bow Tie as a 6 Step Process
How to Undertake Bow Tie (& Realise the Benefits)
Why define the risk?
1. Define the Risk
▪ Driven by corporate priorities to manage the risk
▪ ‘Risk Owner’ defining the ‘Risk’ (or problem) they need to understand
▪ Defining the risk gives the opportunity to consider:
▪ What are the risks that ‘worry’ the organisation?
▪ Have we considered the right risk(s) to explore?
▪ How does the risk fit within the organisation?
▪ Reduce waste by focusing on what matters (without missing opportunities.)
Risk Landscape
Corporate Objectives
Objective Enablers
Risk Stream 1
Risk Stream 2
Risk Stream 3
Creating our SME Network
2. Gather Subject Matter Experts (SME)
▪ Understand:
▪ Who the SMEs are
▪ What their specialism is
▪ Where they are
▪ How they can interact
▪ Do gaps in our knowledge remain
▪ Getting the right people involved ensures:
▪ The right expertise is obtained
▪ All stakeholders are involved
▪ Knowledge is shared
▪ Knowledge gaps are recognised
▪ Communities are created
▪ Organisation diversity is understood (“We do things differently here because….”)
Why have a ‘Master’?
3. Create Master Bow Tie
▪ Experts collaborate to establish what good ‘looks like’
▪ Organisation records ‘Good’ – It becomes the ‘Master’ Bow Tie
Formalised development of the ‘Master Bow Tie’ enables:
▪ Consistent review of the risk to company standards
▪ Application of existing policies, processes, tools and training
▪ Cross organisation review of previous activity
▪ Consideration of industry best practice
▪ Access to resources and facilitation
Defining what ‘Good’ is?
4. Establish Tests
▪ Understand what we need to know
▪ Decide how we can obtain the information (and what will be sufficient)
▪ Establish who can be tested in the organisation
Spending time developing tests is beneficial because:
▪ Control owners can decide what they need to understand (is the control present or ‘as described’, or operating effectively? Does this need evidence?)
▪ Control owners can decide who can determine if a control operates effectively
▪ Asking the ‘right’ questions reduces the waste in getting results that don’t give the necessary insight
• Do they know the business area well enough (Representative)?
• Do they understand the control(s) well enough (Subject Knowledge)?
• Do they know how the control is operated in their area (Effectiveness)?
Measuring Effectiveness
5. Create ‘Child’ Bow Ties
▪ Use tests to assess the organisation
▪ Test results create an individual ‘bow tie’ for a business area
▪ Individual ‘bow tie’ highlights strengths and weaknesses across the organisation
At this stage the wider benefits of ‘Bow Tie’ become apparent:
▪ Knowledge spreads throughout the organisation
▪ Weaknesses, problems and issues become apparent
▪ The organisation becomes aware of how it is (or is not) managing risk
Identify and Rectify the Weaknesses (STAR)
6. Fix Issues
▪ Act on the information to improve the organisation
▪ Acting will require:
▪ Change
▪ Resource (People)
▪ Funding
▪ Confirm action has made the required difference
Fixing the problem strengthens the organisation, but using a Bow Tie:
▪ Focuses on the best use of resources
▪ Identifies best practices and reduces waste across the organisation
▪ Allows for structured assessment of the improvement
STAR
Specific Timely Action on Risk
The Complete Bow Tie??
“Risk Management” Bow Tie
Future Steps in Bow Tie Development
What Next
▪ Funding / Resourcing all our Fixes
▪ Ensuring learning is embedded (and activity is maintained)
▪ Enriching our controls with greater explanatory content
▪ Linking to our policies and standards
▪ Using our Incident data to tell us more
▪ Addressing ‘Spin-off’ & Lower Level Bow Ties
▪ Standardised Bow Ties for Common Themes (e.g. Human Factors)
Closing Thoughts
Summary
▪ Bow Tie is a powerful tool in managing operating risk
▪ We understand the risks we face and the extent of the risks
▪ We know who can help (and who is impacted) in our organisation
▪ We know the higher risks and the weak points
▪ We understand what we can do to reduce the risk
▪ We can take action to improve our business
Thank You