A presentation for members to understand a different perspective about risk management focussed on the enterprise or business level

1. © Copyright 2015
Risk Management
• The Added Value of an Enterprise Approach to Risk Management

2. © Copyright 2015
Agenda
• Who are LSC Group, who am I?
• What is risk and why should it be managed?
• The traditional approach to risk management
• How does enterprise risk management differs?
• Added functions of enterprise risk management
• Enterprise risk case studies
• What value does enterprise risk management add?
• Key enablers for implementing an enterprise risk function
• Summary and Questions

3. © Copyright 2015
About us
… enabling better decisions
LSC is an Engineering Consultancy
and Technology Company
We work closely with our clients
to help inform decisions
170 people across 3 key locations
and numerous customer sites
Working with asset intensive and
mission critical industries
including Defence, Energy, Rail,
Infrastructure

4. © Copyright 2015
Annualturnoverover
£18m
OfficesinLichfieldand
Bristol
ISO20000:2011
certificatedadopting
thebestpracticeITIL
standard
Employinga
workforceof
c.170 skilled
personnel
Certificatedto
ISO9001:2008
&TickIT
standards,
ensuringevery
projectisofthe
highestquality
Order book
circa
£12 billion
Enablingbetterdecisionsforover
25 years
Established
in1988
Partof
Babcock
InternationalGroup
About us

5. © Copyright 2015
Multiplestakeholders
Longlifecycles
Highlyregulated
environments
Sensitive
Information
Complexassets Order book
circa
£12 billion
BigData,InformationRich
Sharingand
Collaboration
Affordability,Availability
andPerformance
Our customers

6. © Copyright 2013

7. © Copyright 2015
Consultancy Services Solutions
Collaborative Solutions – ensuring the
information and processes our
customers need are securely shared,
better organised and available at the
point of need
Management Services – supporting and
delivering critical projects and
programmes, managing risk and
providing assurance and governance
our business
Lifecycle Engineering – managing and
supporting assets, ensuring they are
available and affordable through life
Information & Knowledge Management
– delivering confidence in the quality
and assurance of our customers’
information
Visualisation Solutions – advanced
solutions that work with the growing
big data challenge, and more
information systems to support more
informed decision making
Data Analytic Solutions - helping our
customers to work smarter and make
better decisions

8. © Copyright 2015
Who am I?
• David O’Regan
• Risk Management Consultant
• Background
– Career in law
– Moved to Risk Management 2 years ago
– Have worked in finance, energy, legal & project
risk management
– Currently working as part of a PMO for a multi-
billion pound MoD project
– Main belief, enterprise risk management is the
key to the successful management of risk

9. © Copyright 2015
What is risk?
• Definitions
• ‘A chance or possibility of danger, loss, injury, or other
adverse consequences’ (Oxford English Dictionary)
• ‘Risk is the combination of the probability of an event and its
consequence. Consequences can range from positive to
negative’ (Institute of Risk Management)
• ‘The potential of an action or event to impact on the
achievement of objects’ (APM)
• Key point – definition appropriate for you: simple & effective

10. © Copyright 2015
Why should risks be managed?
• Ensures compliance with laws and regulations
• Provides awareness of problems and opportunities that could
arise during a project
• Allows responses to be planned in advance
• Improves both the speed and quality of the responses that can be
made
• Increases the probability of your projects being successful

11. © Copyright 2015
How has risk traditionally been
managed?
• Began being practiced in projects c.1960
• In project management it has developed from the bottom-up
• Seen as the project managers responsibility
• Risk managed on an individual basis
• Little or no centralised function or senior responsibility
– Level of oversight dependent on programme/exec level desire

12. © Copyright 2015
The traditional risk management
process
Establish the Context
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment

13. © Copyright 2015
Limitations of the traditional approach?
• Company/Programme
– No centralised view of what risk is or how it should be managed
– Creates an inconsistent approach to risk management, individual bias
– Lacks formal oversight of how risk is being managed
– Related risks unlikely to be managed together
• Projects
– Don’t always get the support they need to manage risks
– Risk not always managed by the right people
– Risk becomes managed in a bubble
• Risk Management becomes a static un-evolving discipline

14. © Copyright 2015
How does an enterprise approach to risk
management differ?
• Not different from traditional approach to risk but supplementary
• Holistic view of the management of risk, which takes into
account the wider business context
• Integrates the management of risk so that all risk functions
operate as one
• Looks at the interconnectivity of risks across projects
• Ensures risks are managed in the right way by the right people
• Addresses the limitations of the traditional approach

15. © Copyright 2015
ISO 31000 Risk Management Process
Establish the Context
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Consult&Communicate
Monitor&Review

16. © Copyright 2015
Consult
• Explore the context within which the business/programme
operates
– External & Internal
• Understand your stakeholders
• Develop a strategy, plan and objectives for risk management
– What do you want risk management to achieve, how will the
success of this be measured?
• Key point
– Understanding the wider context is key to successful risk
management

17. © Copyright 2015
Communicate
• Communication plan
– Which stakeholders need risk information?
– What information do people need?
– How will risk information be transferred?
– When do people need to get risk information?
• Create a structure for communicating the risk strategy
• Common language and terminology
• Key point
– Good information flow vital for successful risk management

18. © Copyright 2015
Monitor
• Risk information system or excel
• Who will the risk information go to? Roles, responsibilities and
reporting structures need to be created
• What are you going to monitor / report on?
– Size and type of risk, near term / long term, internal and external?
• How often will risk be reported on?
• How will issues be managed and lessons learned?

19. © Copyright 2015
Review
• How do you know if your risk management function is working
optimally?
• By having definable objectives against which the success of risk
management can be measured
– E.g. response times, unexpected risk events, activeness of risk
activities
• Has the risk landscape changed, has your organisations context
changed?
• Key point
– Risk management should be an evolving and dynamic practice

20. © Copyright 2015
Case Studies
• We will now look at how a number risk
situations could affect a fictitious
programme of works
• The fictional programme will be called
the ABC Programme
• I will present 4 potential risk scenarios
• I will then show the consequences of
these if
– A, ABC Programme had a traditional
risk function
– B, ABC Programme had an enterprise
wide risk function

21. © Copyright 2015
Case study 1 – Increasing risk
The situation
• ABC Programme has a project that
requires a specialist piece of technology
• The capability to manufacture this
technology only existed within 2
companies
• The company that our project was to
use has recently gone into
administration
• This has increase the risk that the
project will not be able to obtain the
required tech within time and/or to
budget

22. © Copyright 2015
Response – traditional risk function
• Noticed but not formally assessed?
• Full appreciate the gravity of the risk?
• Understand effect on wider business?
• Communicated the risk to the wider business?
• Change the response strategy?

23. © Copyright 2015
Response – enterprise risk function
• The increase assessed early and in line with the overall risk
strategy
• Proportionate response
• Individual project assurance
• Programme managers would be highlighted to the risk early
• Addition resource provided if necessary

24. © Copyright 2015
Case study 2 – foreign import risks
The situation
• The ABC Programme has a project
that needs to procure a large amount
of metal components
• The components are not
manufactured in the UK
• The metal components will be needed
to be procured every 6 months over
the next few years
• There are risks that the exchange rate
and import costs could fluctuate

25. © Copyright 2015
Response – traditional risk function
• The risk may not be identified as it is something out of the
project’s control
• If the risk were identified and an assessment of the level of risk
was made it may not be fully understood
• The project is very unlikely to have the expertise to manage
these risks by themselves
• This will leave the success of the project open to chance

26. © Copyright 2015
Response – enterprise risk function
• An enterprise wide function should have processes in place to
identify programme wide risks
• The responsibility for controlling these risks should be removed
from the project and placed within the team(s) with the
necessary expertise, e.g. finance and commercial
• Regular communications and reports allow the project manager
to remain aware of the risk and how it is managed, but frees
them up to focus on controlling their controllables

27. © Copyright 2015
Case study 3 – risk issues
The situation
• The ABC Programme has incurred a
100% increase in the number of fines
received from their regulator in the
past year
• The fines relate to a number of
different issues ranging from health
and safety to security breaches
• The fines are across a number of
different unconnected projects across
the programme
• The individual fines not significant

28. © Copyright 2015
Response – traditional risk function
• Unlikely to have an issues management capability.
• Unlikely to see or manage their connectivity.
• Response would be disjointed.
• Could lead to an increase in issues and/or inappropriate
responses.

29. © Copyright 2015
Response – enterprise risk function
• Key Risk Indicators to identify emerging issues.
• The root cause investigation.
• Response strategy defined with roles / responsibilities.
• Expertise could be drawn from across the business.
• Periodic reviews and lessons learned.

30. © Copyright 2015
Case study 4 – risk support
The situation
• ABC Programme’s parent company has
recently received bad financial figures for
the previous year
• As a result the ABC Programme has been
informed that they need to make operational
savings for the next financial year of 10%
• ABC Programme want to make the savings
without affecting the health and safety of the
workers
• ABC would also like to make the savings
whilst keeping schedule exposure to a
minimum.

31. © Copyright 2015
Response – traditional risk function
• Risk management unlikely to be considered.
• Unlikely to have the framework or expertise in place to provide
support.
• Making changes without considering risks could;
– Unacceptably increase risk exposure
– Increase risk exposure to inappropriate areas – critical path
• Effect may not be noticed for some time, could though be
significant.
– Important therefore that risks are considered early

32. © Copyright 2015
Response – enterprise risk function
• Identify processes with potential H&S consequences.
• Advice to be given on the processes with the smallest risk of
causing schedule impact.
• Allows programme manager chance to ‘step back’ and see the
bigger picture when making decisions about where to cut.
• Ongoing monitoring and reviews to make sure the strategy
remains effective.

33. © Copyright 2015
What Value does Enterprise Risk
Management Add?
• Allows wider context to be seen and understood
• Provides a consistent approach to risk management across
programmes & business
• Gives assurance to project managers that they are managing
risk in line with expectations
• Ensures risks are managed by the right people
• Allows for better and more proactive decision making
• Increases confidence of stakeholders

34. © Copyright 2015
Implementing an Enterprise Function
• Key enablers
– Executive / Programme level buy-
in
– A risk framework; reporting lines,
accountability
– Reinforcing through culture;
presentations and information
– Risk Information System
– Good risk managers!

35. © Copyright 2015
Conclusions
• Traditional approach to risk management limited by having a disjointed
and individualistic approach
• Enterprise risk management addresses these issues by;
– Creating a common structure and approach to risk management
– Ensuring accountability
– Communicating risk information to the right people
– Constantly reviewing both risks and risk management to make sure the
process is effective and efficient
– Using the wider business to help projects meet their target

36. © Copyright 2015
Questions

37. © Copyright 2015
David.O’Regan@LSC.co.uk or 07912979116