What you can learn about Organisational Risk Culture from the CBA Prudential Inquiry
R2A was recently commissioned to complete a desktop risk documentation review in the context of the CBA Prudential Inquiry of 2018. The review has provided a framework for boards across all sectors to consider the strength of their risk culture. This has been bolstered by the revelations from The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Specifically, R2A was asked to provide commentary on the following:
- Overall impressions of the risk culture based on the documentation.
- To what extent the documents indicate that the organisation uses organisational culture as a risk tool.
- Any obvious flaws, omissions or areas for improvement.
- Other areas of focus (or questions) suggested for interviews with directors, executives and managers as part of an organisational survey.
What are the elements of good organisational risk culture?
Organisations with a mature risk culture have a good understanding of risk processes and interactions. In psychologist James Reason’s terms[1], these organisations tend towards a generative risk culture, as shown in James Reason’s table of safety risk culture below.
| Pathological culture | Bureaucratic culture | Generative culture |
How different organisational cultures handle safety information
Key attributes include:
- Risk management should be embedded into everyday activities and be everyone’s responsibility with the Board actively involved in setting the risk framework and approving all risk policy. Organisations with a good risk culture have a strong interaction throughout the entire organisation from the Board and Executive Management levels right through to the customer interface.
- The organisation has a formal test of risk ‘completeness’ to ensure that no credible critical risk issue has been overlooked. To achieve this, R2A typically use a military intelligence threat and vulnerability technique. The central concept is to define the organisation’s critical success outcomes (CSOs). Threats to those success outcomes are subsequently identified and are then systematically matched against the outcomes to identify critical vulnerabilities. Only the assessed vulnerabilities then have control efforts directed at them. This prevents the misapplication of resources to something that was really only a threat and not a vulnerability.
- Risk decision making is done using a due diligence approach. This means ensuring that all reasonably practicable precautions are in place to provide confidence that no critical organisational vulnerabilities remain. Due diligence is demonstrated on the balance of the significance of the risk versus the effort required to address it (the common law balance). This is consistent with the due diligence provisions of the Corporations, Safety (OHS/WHS) and environmental legislation.
Risk frameworks and characterisation systems such as the popular 5x5 risk matrix (heat map) approach are good reporting tools to present information and should be used to support the risk management feedback process. Organisations should specifically avoid using ‘heat maps’ as a decision-making tool, as that is inconsistent with fiduciary, safety and environmental legislative requirements.
Risk Appetite Statements for commercial organisations have become very fashionable. The statement addresses the key risk areas for the business and usually considers both the possibility of risk and reward. However, for some elements such as compliance (zero tolerance) and safety (zero harm), risk appetite may be less appropriate as the consequences of failure are so high that there is simply no appetite for it. For this reason, R2A prefers the term risk position statements rather than risk appetite statements.
To get a feel for the risk culture within an organisation, R2A suggest conducting generative interviews with recognised organisational ‘good’ players rather than conducting an audit.
We consider generative interviews to be a top-down enquiry and judgement of unique organisations rather than a bottom-up audit for deficiencies and castigation of variations for like organisations. R2A believes that the objective is to delve sufficiently until evidence to sustain a judgement is transparently available to those who are concerned. (Enquiries should be positive and indicate future directions whereas audits are usually negative and suggest what ought not to be done).
Interview depth
Individuals have different levels of responsibility in any organisation. For example, some are firmly grounded with direct responsibility for service to members. Others work at the community interface with responsibilities that extend deep into the organisation as well as high into the community. The idea is that a team interviews recognised ‘good players’ at each level of the organisation. If a commonality of problems and, more particularly, solutions is identified consistently from individuals at all levels, then adopting such solutions would be fast, reliable and very, very desirable.
Other positive feedback loops may be created too. The process should be stimulating, educational and constructive. Good ideas from other parts of the organisation ought to be explained and views as to the desirability of implementation in other places sought.
If a health check on your organisational risk culture or a high level review of your enterprise risk management system is of interest, please give us a call to discuss further on 1300 772 333 or head to our contact page and fill in an enquiry.
[1] Reason, J., 1997. Managing the Risks of Organisational Accidents. Aldershot, Hants, England: Ashgate Publishing Limited. Page 38.
Powerline Bushfire Safety Committee
Gaye recently attended the second meeting of the Powerline Bushfire Safety Committee (PBSC) at Energy Safe Victoria (ESV).

As set out in the Committee Charter, the purpose of the PBSC is to provide the Director of Energy Safety (DoES) with comprehensive expert advice to support ESV in its administration of the Electricity Safety (Bushfire Mitigation) Amendment Regulations 2016 (the regulations) and any advice ESV may, in turn, provide government on further policy changes that may be required in the light of initial network experience implementing the regulations. In addressing its purpose, the PBSC will have regard to the regulations, the regulatory impact statement (RIS) including the target fire risk reduction benefits set out therein, and the statement of reasons (SoR).

The objective of the PBSC is to provide transparent, independent oversight and advice to ESV in undertaking its regulatory responsibilities to hold the distribution business accountable for the delivery of the fire reduction benefits implicit in the regulations.

Gaye’s role is to provide risk management and best practice advice. All documents relating to the Committee’s activities can be found on the ESV website.
Problems and Solutions: The Power of Perspective
Imagine you have a great idea. Perhaps it’s for a start-up venture. Perhaps it’s a new, better way of doing something at your workplace. Perhaps it’s changing the way your business has always done something. Perhaps it’s a substantial capital works project.

Each of these will require a business case to convince stakeholders that your idea is, in fact, great, and ought to be implemented. Key aspects considered and explained should include:
- what the good idea is
- how it fits into the current market or organisation
- the benefits it will bring
- the upfront and ongoing costs that it will entail
- the risks the proposed course of action will carry
- what will be done to address these risks
These points can be separated into the three elements of any good business case: the ‘what’, the cost-benefit analysis, and the risk management strategy. The effort and detail required to prepare a convincing business case will vary depending on the idea, but it is unlikely to gain stakeholder acceptance without these three key elements.

The ‘what’ and the cost-benefit analysis are generally well understood. However, business case risk management strategies are often difficult for readers to interpret. When you consider that those reading a business case will likely be those deciding if your (great) idea is accepted, the benefit of a clear and concise risk management strategy becomes obvious.

So, what does a clear and concise risk management strategy involve? How can one best be prepared and presented? And how can it be made convincing as part of a business case?
Perspectives
The essence of a convincing risk management strategy is emphatically not a statement of “here are the risks, and here is what we will do about them so we don’t think they will happen.”

This is, essentially, a list of problems. When deciding on a new course of action as a start-up, a small business or a large organisation, a list of problems in a business case will not give decision-makers confidence.

This is especially the case if, as proposed by AS31000 (the Australian Standard for risk management), the goal of the risk management strategy is to ensure risks are ‘tolerable’, which generally means they are unlikely to occur. This argument to unlikelihood is particularly unconvincing if a decision-maker asks “I accept that this risk is unlikely, but what if it happens?”

A clearer and more convincing approach is to present a case that states “here are the critical issues, here is why we don’t believe any have been overlooked, and here is why we believe all reasonable measures are in place to address them.”

This is a solution-based (rather than hazard-based) approach. A hazard-based approach typically identifies many specific problems and puts them in a list, before thinking of things to do about them. Its perspective is “here’s what could go wrong with my great idea, and here’s why I don’t think it will.”

This approach tends to focus on problems and their complexity, going into detailed, often impenetrable risk analysis, making it difficult for senior decision-makers to fully comprehend due to the specialist skill-sets required. Problems are often taken out of context for the organisation, and measures identified for each problem tend to be specific to that problem and as such hard to justify. It creates analysis paralysis.

A solution-based approach, by contrast, begins by looking at what measures are in place in similar situations, and what further measures might be needed for this specific context. It is actually an options analysis and provides the case for action. Its perspective is “here’s what we should have in place to be confident going ahead with my great idea.”

This shift from problems to solutions is key to presenting a convincing business case. It pushes the focus to the way forward, and takes an overarching, holistic viewpoint, making recommendations clearly explicable to senior decision-makers. It ensures the organisation’s context is always considered, and identifies a smaller number of solutions that address multiple potential issues, with a focus on implementing recognised good practice rather than presenting unnecessarily detailed analysis.

Where needed, this approach can still generate the level of detail required for budget contingency estimation (e.g. through Monte Carlo simulation). However, it ensures that this detail remains contextually sound, and is only provided where beneficial to decision-making.

This approach is also simpler, faster, more efficient, often cheaper, and certainly more defensible if something does go wrong. It provides an argument as to why decisions are diligent, rather than why they are ‘right’. In short, a solution-based approach provides a far superior decision basis to a hazard-based approach. And that’s something that any business case should aim for.
This article first appeared on Sourceable.
Risk Management Standard Squabble
An interesting article in the European Commercial Risk Europe titled "Hopkin calls for end to risk management standard squabble" discusses the squabble between the use of ISO 31000 and the COSO ERM Cube shown below.
COSO ERM Cube
Essentially the point being made is that the failure to adopt a single approach creates confusion and loss of traction in the market place.
From R2A’s perspective, this confusion was inevitable. The attempt to make market risk and safety risk operate under a single risk management approach was always a nonsense as has become increasingly obvious.
For example, the idea that ‘risk appetite’ can be applied to high consequence, low likelihood safety issues is simply irrational, and in breach of the model WHS legislation. This matter is being discussed in the paper being presented at the AMPI conference above. With regard to the pilotage of ships in and out of Sydney Harbour and Port Botany, the use of ISO 31000 is specifically rejected in favour of the precautionary approach required by the WHS legislation.
Event Invitation – 2013 Overview and Book Launch
We are very pleased to announce that after 15 years the R2A text is now in its 9th edition. New chapters include the R2A Operations Due Diligence model as well as significant updates to the Work Health and Safety chapter and the Quantified Risk Assessment chapter.
Save the Date
To kick off 2013 and to celebrate the 9th edition text launch, R2A will be hosting a private event in Melbourne on Thursday, 7 February 2013 from 3pm to 5pm at Pop Restaurant (Upstairs), 68 Hardware Lane, Melbourne.
Richard Robinson will discuss what’s new in the 9th edition text and give an overview of the general state of affairs in industry. The short presentation will be followed by drinks and canapés.
Professor John Wilson from Swinburne University will also be in attendance as our special guest.
R2A clients and their colleagues are welcome to attend. It is a great opportunity to network and catch up with industry colleagues.
All welcome.
2012 The Year in Review
It’s hard to believe that another year is coming to a close. As part of our end of year wrap up, here are some highlights that we would like to share with you.
In May, we welcomed Dr Peter Hurley as a Consulting Engineer to our team and would like to thank Peter for his contribution in 2012 and in particular his work on the Enterprise Due Diligence Review for Energy Safe Victoria and the 9th edition of the R2A text.
We were also privileged to work with many clients throughout the year. Here are some interesting projects completed in 2012.
Interesting Projects
Security of supply of the Victorian Transmission System (VTS) – A review with particular regard to the economic benefits to existing and long-term customers of the proposed Western Outer Ring Main (WORM) Project.
Plant safety and operations due diligence reviews, Veolia Environmental Services. A safety and business continuity review of one of Veolia’s plants to identify and establish critical items of plant and equipment.
Work Health & Safety Review, Maritime Safety Tasmania. A review of MAST activities to demonstrate due diligence as required under the Tasmanian Work Health & Safety Act. The results were documented as part of MAST’s Safety Management System.
Quality assurance framework, Office of the Chief Fire Officer. Development of a framework in which the Chief Fire Officer has confidence that his obligations during fire events have been diligently met.
Conferences
Richard presented at the following conferences in 2012 and has availability for similar opportunities in 2013. Drop Richard a line if you have an event coming up.
- Shutdown in Brisbane and Perth
- Energy Networks Association
Media
Richard had two articles published in 2012:
- Engineering implications of the harmonised safety legislation (feature article in January edition of Engineers Australia)
- Managing bushfire risk of powerlines (April edition of Infrastructure Australia)
Marketing Activities
Our marketing program continued in 2012 with the following highlights –
- Project Due Diligence white paper
- Industry case studies for:
  - Airspace collision risk modelling
  - Tunnels
  - Powerline bushfires
- New client testimonials
- This blog!
Education
From an education perspective, Richard delivered:
- Five public short courses Risk & Liability Management for EEA
- Seven in-house courses
- Swinburne post graduate course Introduction to Risk & Due Diligence.
We are looking forward to some new projects in 2013. Richard’s Engineering Due Diligence course is now also available for registrations, details here. All registered participants receive a copy of the new 9th edition of the R2A text valued at $265.
Expert Witness
At R2A, we are called upon from time to time to give expert witness statements. Recently, Richard was an expert witness for the Harbour Master at Marlborough District Council (New Zealand).
Richard was asked to provide evidence to the Board of Enquiry appointed under the Resource Management Act 1991 to consider The New Zealand King Salmon Co. Limited private plan change requests to the Marlborough Sounds Resource Management Plan and resource consent applications for marine farming at nine locations in the Marlborough Sounds.
Richard was retained on behalf of the Marlborough Sounds Harbour Master to provide expert evidence in regards to the navigational hazards associated with the proposed development.
Richard used a due diligence framework to assess two expert reports from the viewpoint of all users of the Marlborough Sounds.
The hearing concluded on Thursday 18 August 2012 and the Board are now working on the draft report and decision, which is expected before Christmas 2012.