Guidelines on Risk Management practices among statistical organisations


1 Workshop on Risk Management Systems and Practices
Guidelines on Risk Management practices among statistical organisations
Genève, April 2016
Page 1

2 Road map proposal for developing Risk Management among statistical organisations
Milestone dates: Nov 14, Dec 14, Mar 15, May 15, Sep 15, Nov 15
Deliverables, in order: Template; Framework; Survey output; Benchmark analysis; Best practice; Guidelines

3 Template's Reading-Key Criteria
The Reading-Key Criteria are the lens through which the experiences are analysed:
1. The Risk rationalities dimension reflects the main purpose on which an organisation grounds its risk strategy (e.g. compliance, performance, company value).
2. The Uncertainty experts dimension refers to the actors, roles, organisational units or structures to which the organisation assigns the responsibility to conceptualise and control uncertainty and, consequently, the responsibility for Risk Management.
3. The Technologies dimension reveals the extent to which the Risk Management System becomes embedded in, or decoupled from, the organisation, and refers to the practices, procedures and tools an organisation adopts to implement Risk Management.

4 Project's subdivisions and links between the outputs' variables
(diagram)
- 3 Reading-Key Criteria: to analyse the experiences
- 2 Parameters: to elaborate the questionnaire
- Several factors describing each parameter: to set the questions
- B. Reapplication, applied to the Reading-Key Criteria

5 Method: the procedure
The methodological approach envisaged for data analysis involves a multi-phase procedure:
- Carrying out the surveys to detect how many Countries can be profitably analysed, and which ones. Question 4 has been used as a filter ("Is there a strategy to effectively manage uncertainties and related threats and opportunities in your organisation?").
- Leading the Items (consistent sets of significant features for analysis, e.g. Training & Communication) back to the three Reading-keys (Risk rationalities, Uncertainty experts, Technologies) used in the survey design phase.
- Defining Item parameters and drawing up descriptors that allow the Items to be allocated among the three levels Low, Medium and High.
- Allocating descriptors and Countries within a conceptual chart crossing the dimensions, which shows the different levels of development (Low, Medium, High).
- Detecting the practices that can actually be implemented elsewhere by evaluating their Reapplication, based on the "Adaptability" criterion, that is, the ability of a practice to be transferred to other organisations without needing any specific actions or tools.
- Identifying the Best Practices (both Country and process ones) through: i. their Reapplication level; ii. their development level; iii. their actual use, that is, the recurrence of otherwise isolated strategic behaviours throughout the sample.
- Analysing the internal consistency of each practice by bridging back to the answers provided by the Countries.

6 First Survey (May 2015): Statistical analysis
1. Objective: the survey aims at collecting information on the RM approaches that can be useful to establish a suitable reference for the NSIs interested in implementing RM in the future.
2. Structure: the survey envisages four sections composed of a total of 53 questions.
3. Target audience: NSOs members of UNECE and other statistical organisations.
Institutes and organisations involved: 64
Respondents: 34 (overall response rate 53.1%)
Anonymous: 5
Double responses: 2
Total valid responses: 29 (response rate of valid responses 45.3%)
Countries recognisable: 27 (response rate of recognisable countries 42.2%)

7 Survey on RM Practices (May 2015): Roles & Accountabilities
- Respondent 1 (EU), Netherlands: Yes.
- Respondent 2 (EU), Poland: Yes, by a draft Regulation of the President.
- Respondent 3 (Non-EU), Australia: Yes. Operational risks: project managers are owners. Corporate risk profile: senior managers are owners.

8 Survey on RM Practices (May 2015): Risk Management and Modernisation
- Respondent 7 (EU), Romania: The risk management process is mainly influenced by the national norms and regulations. In our approach we look to integrate it with the specificity of the statistical production process. One direction for more efficient risk management is to integrate it in GAMSO.
- Respondent 9 (EU), Ireland: Organisational, Financial, Reputational, Compliance, Legal and Regulatory, Interagency Dependence, Loss of Personnel, Morale and Change Management.

9 Survey (phase 2): Defining Item parameters and Descriptors
Items represent consistent sets of significant features for analysis (e.g. Risk Framework) complying with the 3 Reading-keys (Risk rationalities, Uncertainty experts, Technologies) identified in the survey design phase. Parameters and Descriptors allow allocation of the countries among the levels Low, Medium and High.

Reading key | Item | Item parameter | Development: Low | Development: Medium | Development: High
Risk rationalities* | Risk Framework | Attitude towards uncertainties | Either a preventative or an ex-post control system | Both preventative and ex-post control systems | Both preventative and ex-post control systems, involving a specific audit unit
Risk rationalities* | Risk Framework | Approach to RM | Previous organisational practice | International standards (ISO, COSO, etc.) | Customised model
Uncertainty experts** | Organisational chart | RM function in the organisation chart | Neither a RM Unit nor a board entity deciding on RM exists | Either a RM Unit (included in the organisation chart) or a board entity deciding on RM exists | Both a RM Unit (included in the organisation chart) and a board entity deciding on RM exist
Technologies*** | Human Resources | Human resource adequacy | HR are either not suitable or not yet evaluated | HR are quite suitable | HR are suitable

* Internal/external context, Risk Framework and Process
** Actors, roles, structures
*** Practices, Procedures & Tools

10 Survey (phase 2): Conceptual Chart Examples
All countries' practices have been allocated along the Conceptual chart, based on the descriptors that show the different levels of Risk Management development among the statistical organisations (Low, Medium, High).

Reading key: Risk rationalities. Item: Risk Framework. Item parameter: Attitude towards uncertainties.
- Low: Either a preventative or an ex-post control system
- Medium: Both preventative and ex-post control systems
- High: Both preventative and ex-post control systems, involving a specific audit unit
Countries plotted: Netherlands, Finland, Ireland, Australia, Italy, Lithuania, Slovenia, Norway, Estonia, UK, Croatia, New Zealand, Romania, Austria, Mexico, Canada, South Africa, Sweden, Republic of Armenia, Poland, Slovakia, Iceland.

Reading key: Uncertainty experts. Item: Internal and external stakeholders. Item parameter: Stakeholders mostly involved in the RM process.
- Low: Either management or non-management staff
- Medium: Both management and non-management staff
- High: Even external stakeholders
Countries plotted: Iceland, Romania, South Africa, Netherlands, Mexico, Canada, Ireland, New Zealand, Lithuania, Slovakia, Australia, Finland, Estonia, Norway, Poland, Italy, UK, Slovenia, Sweden, Austria, Croatia.

Reading key: Technologies. Item: Training & communication. Item parameter: Training system.
- Low: Specific but not structured training
- Medium: Specific training programme for management (at any level)
- High: Specific training programme for all personnel running RM matters
Countries plotted: Netherlands, Iceland, Romania, Sweden, Republic of Armenia, Mexico, New Zealand, Slovakia, Ireland, Lithuania, Australia, Canada, Estonia, UK, Poland, Austria, Italy, Croatia.

11 In-Depth Survey (September 2015): Roles & Accountabilities
- Respondent 1 (EU), The Netherlands: A set of high-level objectives is identified at strategic, finance, operational and compliance level. Actions are identified to meet the objectives and assigned to the heads of divisions.
- Respondent 2 (EU), Romania: According to the procedure's steps, the roles, accountabilities and tasks are the following. Any staff member: to fill in the Risk Alert Form, etc. Risk Officer: to collect the Risk Alert Form, etc. RM Team: to validate/invalidate the closing solutions, etc.
- Respondent 3 (non-EU), Australia: The Risk Management Framework outlines that the head of the statistical division will be the single point of accountability for managing statistical risk, but below that managing statistical risk will be a shared responsibility, in recognition that there are many sections that can contribute to managing this key risk to the ABS.

12 In-Depth Surveys on Risk Management, Change Management and Modernisation practices
- Respondent 9 (Non-EU), Canada: A management tool for all current projects is used by project managers to manage their changes, issues and risks throughout the life cycle of their project. The implementation of the corporate tracking tool provides a consistent approach to management for all projects and establishes a centralised service.
- Respondent 7 (EU), Romania: Many projects related to GSBPM, GAMSO, QAF and risk management are in progress or finalised, either under UNECE or Eurostat initiatives. Their value is indisputable, but some additional actions would be required, mainly in assisting statistical offices to implement the results.
- Respondent 8 (Non-EU), Australia: There are qualitative measures for assuring quality for most statistical output. The NSI has expanded its focus on managing statistical risk to include a more holistic assessment of risk in statistical areas that can affect data quality, as well as managing stakeholder relationships, the impact of change programmes and workforce capability.

13 Second Survey: Quantitative Results
The points highlighted by the general trend are:
- Corporate risks (strategic, cross-cutting, most common, ...) are fewer than operational ones; the absolute number of corporate risks varies depending on the risk policy (top-down vs bottom-up approach).
- As a percentage of the total, statistical risks are the majority, followed by organisational risks. Other risks raised are financial, ICT, reputational and security ones.
- Approximately one third of the respondent countries show a non-negligible pervasiveness of the Risk Management process within their organisational structures.
- The high percentage of respondent countries with trained specialists underlines an organisational culture that, as regards Risk Management, is under significant and ongoing development.

14 Towards the Guidelines
- Selection of best practices identified by in-depth analysis
- Consistency analysis by responses
Draft index, Section 2. Risk Management Process:
1. Internal/External Communication & consultation
  1.1 Internal Communication & Consultation
  1.2 External Communication & Consultation
2. Context analysis
  2.1 Establishing the Internal/External context
  2.2 Process Mapping
3. Risk Identification
  3.1 Top-down vs Bottom-up approach
  3.2 Risk hierarchy
  3.3 Risk Identification techniques
4. Risk Assessment
  4.1 Risk Analysis & Measurement
  4.2 Risk Weighting
  4.3 Roles & accountabilities related to the assessment phase
5. Risk treatment
  5.1 Risk treatment priorities
  5.2 Roles & accountabilities related to the treatment phase
6. Monitoring & Reporting
  6.1 Monitoring of treatment actions
  6.2 Establishing internal/external reporting mechanisms
    I. Internal reporting
    II. External reporting

15 The Guidelines
The draft consists of two sections, whose index follows the Risk Management standard ISO 31000:2009: Section 1 investigates the Risk Management system; Section 2 focuses on the Risk Management process. Sections 1 and 2 include "Question Mark" boxes that report selected answers to the questions contained in the first and the second survey.
The Guidelines also comprise:
- The Annex, which includes Focus points and Case studies to show a practical approach to the different elements of the Risk Management system described in the Guidelines;
- The References, concerning the main sources of the Guidelines;
- The Glossary, with the definitions of the main relevant terms used in the Guidelines.

16 The Guidelines: The Risk Management Framework

17 Establishing risk management policy and defining Accountabilities
ISO 31000:09: The risk management policy should clearly state the organization's objectives for, and commitment to, risk management. The organization should ensure that there is accountability, authority and appropriate competence for managing risk.
PRACTICE: The risk appetite (the level of exposure which is deemed tolerable and justifiable) will only tolerate High or Extreme risks when treatment measures are unable to reduce the level of inherent risk to an acceptable level. The leadership of the governance system is provided by the Executive Management Board [ ]. Directors, Assistant Directors, Chiefs and Unit Heads (Divisions) are owners of the Operational risk and Project risk registers. All other staff are responsible for the identification, documentation and management of operational and project risks.
GUIDELINES: Risk philosophy (as a feature of risk strategy) and risk appetite (as a feature of risk policy) should always be kept aligned. Risk management design should be contributed mostly by Top management, with the assistance of middle/low management and technical staff.
A. The Chief Statistician is responsible for ensuring an effective RM.
B. The Risk Committee is responsible for: ..
C. The Risk Manager is responsible for:

18 Risk Management Framework: Roles and Accountabilities
1) All staff are responsible for the effective management of risks, including the identification of any potential risks;
2) Risk management is driven by the organisational units;
3) An Office is dedicated to the coordination of the management process and to risk analysis; it is "impartial" with respect to the other structures and supports the highest level of decision making;
4) The Risk Manager is responsible for collaborating with Top Management both in identifying high-risk areas related to strategic and business processes and in planning treatments to mitigate corporate risks;
5) The Risk Committee defines the Risk Management policy; it is coordinated by the Risk Manager and composed of the top managers operating in the riskiest areas;
6) The Chief Statistician and the Governing body define the strategies based on the information coming from the RM System;
7) Internal Auditing is responsible for reporting to the Governance on the adequacy of the RM process and on the compliance of the mitigating actions.

19 Integration into organisational processes
ISO 31000:09: Risk Management should be embedded in all the organization's practices and processes in a way that is relevant, effective and efficient.
PRACTICE: Better quality management practices have been endeavoured through the development and use of the risk mitigation strategy known as quality gates. The Object Oriented Quality and Risk Management (OQRM) model is a quality framework developed in the field of official statistics in order to improve compliance with the European Code of Practice and deal with the quality standards of statistical output.
GUIDELINES: Given that statistical risks (i.e. the possibility that one or more of the production process components fail to meet the quality standard) are unavoidably managed at all levels (strategic, operational and project), it is worth noting that even when they are managed separately they should eventually be integrated into an organisational risk framework.

20 Risk Management Framework integrated with the Quality of Statistics
Statistical risks are events that could potentially impact production processes and/or the integrity and quality of statistical data. They concern statistics that users do not consider fit for purpose, which includes, but is not limited to, time series that are not coherent. Statistical risks can be identified separately, but they should then be integrated into the organisational risk framework. They can occur due to:
- Planned changes to systems, processes or methods;
- Changes in resource availability;
- Changes in data source availability or quality;
- Changes in organisational matters.
At the operational level, statistical risks can be treated by quality management, because Quality and Risk Management are closely connected:
- Quality management assesses whether the original requirements (ISO 9001:2015) are met (review, audit, etc.) or not. If not, corrective actions are implemented.
- Risk management identifies threats that can affect objectives. If the risk level is too high, mitigating measures are implemented.

21 Human Resources and Training
ISO 31000:09: The organization should allocate appropriate resources for risk management. Consideration should be given also to training programmes.
PRACTICE:
- Yearly training on Risk Management and the Internal Control System with an external expert is organised.
- A presentation of the Risk Management system is provided to all new staff members within Statistics Austria's general training programme (half-yearly).
- The Risk Management training programme involves general control system training, quality management issues and internal auditing of the QMS; up to 10% of staff have been trained on risk management so far.
- A specific training programme on risk management issues has been envisaged and addressed to all employees.
GUIDELINES: It is advisable to start training with a programme devoted to the managers and employees assigned to run risk management matters at the different levels; it would be best if the kick-off training activity focused first on the higher-risk areas. It is also important to carry out training initiatives regularly, in step with the development of the risk management system, as well as concurrently with significant organisational changes.

22 The Guidelines: The Risk Management Process

23 Defining risk criteria and the Risk Identification approach
ISO 31000:09: The organization should define criteria to be used to evaluate the significance of risk. The organization should identify sources of risk, areas of impact, events (including changes in circumstances), their causes and their potential consequences.
PRACTICE:
- Risks are identified by accountable managers and then gathered in strategic categories (corporate risks), in order to be assessed, treated and monitored, based on: monitoring risk treatments through specific indicators; organisational sustainability; cross-cutting treatments; priority areas.
- Risk identification, analysis and management are practices aimed at anticipating and removing the obstacles that may prevent the achievement of strategic objectives. Three levels of risk [..] have been identified: 1. Risks associated with the ESS Vision 2020 [..]; 2. Portfolio management risks; 3. Project-related risks.
- The process starts by engaging all Directors to respond to a risk questionnaire to identify the top three/five risks from a divisional programme perspective. The risk registers are reviewed and approved to ensure [..] the importance of the risks identified at the divisional or programme level.
GUIDELINES: The coordination of the Risk Management process phases is centralised [ ]. Three kinds of approach can be followed in identifying risks: Top-Down approach; Bottom-Up approach; Mixed approach. The Risk Management framework includes a hierarchy of risks: Enterprise Risks, Operational Risks and Project Risks.

24 Risk Management approaches and Risk Hierarchy
Three different approaches can be followed in managing risks:
A. Top-Down approach: the decision-making process is centralised at a governing-body level.
  a) Full top-down: the business units' risks are listed at department level;
  b) Prevailing top-down: the corporate risk register is derived from a detailed operational risk register.
B. Bottom-Up approach: the decision-making process is located at management level and risks are identified by any staff member performing daily work.
C. Mixed approach: the board entity states the criteria (top-down) by which the heads of unit identify and manage risks (bottom-up).
The hierarchy of risks reflects the selected RM approach and is related to the different levels:
1. Enterprise Risks: strategic and significantly impacting the organisation, assessed and treated by the Executive Managers. Examples: regulatory and compliance risks, global financial shocks, ageing consumers and workforce, emerging markets.
2. Operational Risks: impacting a programme's objectives and/or outcomes, assessed and managed by the line managers. Examples: inappropriate skills mix; budget cuts; poor quality outputs.
3. Project Risks: impacting the project objectives and outcomes, managed by the project risk manager. Examples: scope poorly defined; resources not available; quality requirements not clearly specified.

25 Risk evaluation and weighting
ISO 31000:09: The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.
PRACTICE:
- The risk management matrix is a tool developed in [..] for identifying, analysing, evaluating and treating risks. This tool allows process data and the participants in this activity to be incorporated, and shows preloaded content to facilitate its operation.
- The risk assessments by managers are also based on the risk tolerance model, [ ] applied sequentially to identify the risks deemed appropriate for potential corporate consideration (the top 6).
- Risk appetite will only tolerate High or Extreme risks when treatment measures are unable to reduce the level of inherent risk to an acceptable level. Low or Moderate risks will be managed within the specific area and/or routine procedures. All treatment measures are selected by weighing costs against benefits.
GUIDELINES: The purpose of risk weighting is to ensure that the use of resources is focused on the most important risks. A common approach to prioritising risks is to divide them into three bands:
- Upper, where the level of risk is regarded as intolerable whatever benefits the activity may bring, and risk treatment is essential whatever its cost;
- Middle, where costs and benefits are taken into account and opportunities are balanced against potential consequences;
- Lower, where the level of risk is regarded as so negligible that no risk treatment measures are needed.
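As an added worked example (not part of the Guidelines and not any NSO's own tool), the following Python models a small risk register and applies the three-band rule and the risk-appetite rule described above: inherent score from likelihood and impact, band assignment, treatment selection (cost ignored in the Upper band, cost weighed against benefit in the Middle band, nothing done in the Lower band), and a High/Extreme residual tolerated only when no available measure brings the risk to an acceptable level. The 5-point scales, the score thresholds, the abstract cost/benefit units and the four register entries are assumptions constructed for illustration.

```python
"""Worked risk-weighting example: inherent score, three-band prioritisation,
treatment selection and the risk-appetite rule for High/Extreme residual risk.
Scales, thresholds and the sample register are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5-point likelihood and impact scales (the Guidelines fix no values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating(score: int) -> str:
    """Assumed thresholds on the 1..25 likelihood x impact product."""
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Moderate"
    return "Low"


# Each rating maps to one of the three bands from the Guidelines.
BAND = {"Extreme": "Upper", "High": "Upper", "Moderate": "Middle", "Low": "Lower"}
ACCEPTABLE = ("Low", "Moderate")  # managed within the area or routine procedures


@dataclass
class Treatment:
    name: str
    likelihood_after: str  # expected likelihood once the measure is in place
    impact_after: str
    cost: int              # cost and benefit in the same abstract units (assumed)
    benefit: int

    def residual(self) -> int:
        return LIKELIHOOD[self.likelihood_after] * IMPACT[self.impact_after]


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: str
    impact: str
    treatments: list = field(default_factory=list)

    def inherent(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(risk: Risk) -> dict:
    """Apply the three-band rule, then the appetite rule, to one register entry."""
    score = risk.inherent()
    band = BAND[rating(score)]
    # Only measures that actually lower the score are candidates.
    candidates = [t for t in risk.treatments if t.residual() < score]
    chosen: Optional[Treatment] = None
    if band == "Upper":
        # Intolerable whatever the benefit: treat whatever the cost, take the lowest residual.
        if candidates:
            chosen = min(candidates, key=lambda t: t.residual())
        decision = "treat regardless of cost"
    elif band == "Middle":
        # Costs weighed against benefits: only measures that pay for themselves qualify.
        worthwhile = [t for t in candidates if t.benefit > t.cost]
        if worthwhile:
            chosen = min(worthwhile, key=lambda t: t.residual())
            decision = "treat; benefit exceeds cost"
        else:
            decision = "accept; manage within routine procedures"
    else:
        decision = "accept; no treatment needed"

    residual = chosen.residual() if chosen else score
    residual_rating = rating(residual)
    if residual_rating not in ACCEPTABLE:
        # Appetite rule: a High/Extreme residual is tolerated only because no
        # available measure reduces it to an acceptable level; otherwise escalate.
        decision = ("treat; residual tolerated only because no measure reduces it further"
                    if chosen else "escalate; no treatment available")
    return {"risk_id": risk.risk_id, "owner": risk.owner, "inherent": score,
            "rating": rating(score), "band": band,
            "treatment": chosen.name if chosen else None,
            "residual": residual, "residual_rating": residual_rating, "decision": decision}


def prioritise(register: list) -> list:
    """Order the register so that resources go to the most important risks first."""
    return sorted((evaluate(r) for r in register), key=lambda e: (-e["inherent"], e["risk_id"]))


# Constructed sample register (hypothetical risks, owners and treatments).
REGISTER = [
    Risk("R1", "Loss of the only methodologist before the census release", "Head of Methodology",
         "likely", "major",
         [Treatment("cross-train a second analyst", "unlikely", "major", 5, 9),
          Treatment("document methods and retain a contractor", "unlikely", "moderate", 9, 8)]),
    Risk("R2", "Administrative data source delivered late", "Head of Data Collection",
         "possible", "moderate",
         [Treatment("service level agreement with the data provider", "unlikely", "major", 3, 6)]),
    Risk("R3", "Survey portal outage during the collection window", "Head of IT",
         "unlikely", "moderate",
         [Treatment("second hosting region", "rare", "moderate", 8, 4),
          Treatment("daily backup and manual fallback", "unlikely", "minor", 2, 5)]),
    Risk("R4", "Typo in a press release footnote", "Head of Dissemination",
         "unlikely", "insignificant"),
]

if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f'{e["risk_id"]} {e["inherent"]:>2} {e["rating"]:<8} {e["band"]:<6} '
              f'-> {e["treatment"] or "-"} | {e["decision"]}')
```

Note the two places the rule can surprise a register owner: in the Upper band a treatment is selected even when its benefit is below its cost (R1 picks the dearer option because it has the lower residual), and a risk can stay High after treatment and still be within appetite only because nothing better exists (R2), which is exactly the case a Risk Committee should see escalated for an explicit acceptance decision.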

26 Risk treatment and monitoring
ISO 31000:09: The information provided in risk treatment plans should include those who are accountable for approving the plan and those responsible for implementing the plan. Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. Responsibilities for monitoring and review should be clearly defined.
PRACTICE:
- Risk treatment [..] is assigned to managers and followed up (annually or bi-annually) by the board of directors. [..] The treatment is assigned to the person responsible for implementing it as part of normal operations or, if that is not possible, a separate implementation plan is to be prepared.
- Directors/division chiefs (risk owners) propose response actions, which are validated by the Risk Manager. Governance selects the actions after defining their significance on a priority basis (risk strategic area, risk value, feasibility) and then entrusts them to the executives.
- Risks and treatments are included in the regular follow-up of operations after each 4-month period, with a focus on effectiveness and deviations from plan.
GUIDELINES: Responsibilities related to the treatment phase should be clearly assigned, specifying who is accountable for the management of particular risks or categories of risk, for implementing treatment strategies and for maintaining risk controls. The overall responsibility for monitoring and review activities rests with the board and top management. Operational risks are monitored at business unit level, project risks are monitored within the Project Management system, and corporate risks are monitored by senior managers.

27 Annex, References and Glossary of the Guidelines
The Annex aims at highlighting the large amount of information obtained and providing a more practical approach to the different domains of Risk Management. It consists of two sections, Risk Framework and Risk Process, showing two categories of examples:
- Focus points on Risk Management core topics, in order to share practices coming from the NSOs that substantiate the "theoretical" information;
- Case studies, briefly reporting some NSOs' significant experiences with particular features of their Risk Management systems, in order to share the know-how gained from implementing Risk Management within different organisational contexts and to highlight the elements the different experiences have in common.
The References report the main sources of the Guidelines, i.e. research investigation, ad hoc analysis, documentation provided by the Countries involved, national and international standards, models and guidelines, ISO, academic sources, papers and handbooks.
The Glossary includes the definitions of the main relevant terms of the Guidelines, drawn from the countries' practices and from the international standards, i.e. ISO Guide 73:2009, Risk management - Vocabulary.

28 Sharing, publishing and disseminating the Guidelines
- Workshop on Risk Management (04/16)
- Sharing for comments and suggestions: Workshop HRMT (09/16)
- Sharing for comments and suggestions: Workshop MCs (11/16)
- Publication and dissemination
- Possible proposals for cooperation or network projects under the coordination of UNECE/HLG

29 Integrated Common Framework
GAMSO 1.0: "Manage business & performance" describes how the organisation runs its business, including agreed changes, in order to achieve planned outputs and outcomes. It encompasses: Manage business performance; Manage change and risk; Manage legislation & compliance.
GSBPM 5.0: The GSBPM recognises several over-arching processes that apply throughout the production phases and across statistical business processes, including Quality and Risk management, to examine the financial and social justifications, the initial and subsequent risks, the cost-benefit balance, the information and the selected solutions planned for proceeding in statistical production processes.

30 Fabrizio ROTUNDI