Risk Management Systems in Major UK Public & Private Sector Organisations: A tale of contrasting cultures
Professor Margaret Woods, Aston Business School
Case Study Comparisons of Risk Management Systems in Major Public & Private Sector Entities

Structure of Presentation
• Background to the paper
• Cases & methodology
• Key findings: similarities & differences
• Contingency explanation of variations
• Conclusion
Background
• CIMA funded project
• Public & private sector cases
• Interview based
• Pre credit-crunch
Cases
• Tesco
• RBS
• Department of Culture, Media & Sport (DCMS)
• Birmingham City Council
Methodology
• Interviews: senior risk management & internal audit staff, plus operational managers & users of the system
• Public sector: both staff and politicians interviewed, e.g. Chief Executive & Secretary of State
• Observation
• Internal documents
• Information systems
Contribution to the Literature
• Need for studies looking at use of MCS (management control systems) at different levels of the organisation (Langfield-Smith, 1997)
• Call for research which distinguishes between the existence and use of MCS (Langfield-Smith, 1997)
• Risk management dimension barely covered in existing organisational literature
Definitions (1)
Management Control: "the process by which managers ensure that resources are obtained and used effectively and efficiently in the accomplishment of the organisation's objectives." (Anthony, 1965)
Risks: "uncertain future events which could influence the achievement of the organisation's strategic, operational and financial objectives." (IFAC, 1999)
Risk Management: "process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives." (CIMA, 2005)
Definitions (2): Public versus private organisations
Three criteria used to distinguish them (Perry & Rainey, Academy of Management Review, 1988):
• Ownership
• Source of financial resources
• Model of social control (market v polyarchy)
Result: two public & two private cases (at time of study)
Views from the Literature
• Fone & Young (2000) & Mcphee (2005): anecdotal evidence that public sector risk management is distinctive & different
• Power (2004): risk management of everything & alignment of risk management with good governance
• Collier et al. (2006): basic risk management structures are common across all large organisations (private sector only)
• Miller et al. (2008): risk management & standardised practices now central to both public & private sector organisations
• Power (2009): need to shift from rule-based compliance to use of "critical imagination" in risk management
• Mikes (2009): calculative cultures; typologies of ERM interpretation
Key Findings
Each case is different, but there are:
• Strong similarities, e.g. between public & private sector, and
• Wide variations, e.g. public sector more advanced in thinking re partnership risk and linking risk management to performance management
Two questions:
• WHAT ARE THE SIMILARITIES/DIFFERENCES?
• WHY DO THEY EXIST?
Summary of Similarities & Differences
Similarities:
• Perceived role of risk management
• Timing of the formalisation of systems
• Overall methodologies or models
• Risk management tools
• ICT support
• Control via self assessment
Differences:
• Application of the models and tools
• Overall structure for risk management
• Dependence upon quantitative tools for evaluation & measurement
• Link from strategic objectives to operational performance: risk management as a bureaucratic structure versus an embedded process/mindset
Similarities (1): Perceived Role of Risk Management
• Tesco: "One of the reasons we are a successful company is because of risk management."
• RBS: "At the end of the day, risk management is nothing other than good husbandry on how you drive your business forward."
• Birmingham City Council: "Risk management is very much looking at achieving your objectives and what's going to stop you."
• DCMS: Risk management is concerned with "the culture, processes and structures directed towards the effective management of potential opportunities and threats to the Department achieving its objectives."
Similarities (2): Timing of the formalisation of risk management systems
• Pressure from financial scandals in 1980s
• COSO (1992)
• Cadbury Code (1992)
• Private sector initiatives mirrored in public sector
• Cadbury triggered Treasury Note (1994) & "Green Book" (1997)
• Turnbull (1999) followed by NAO Report (2000): "work is underway on the appropriate method of adapting the principles of the Turnbull Report to the central government sector." (NAO, 2000: 39)
• Transfer from central to local government
• CIPFA/SOLACE governance framework (2001)
Similarities (3): Generic Risk Management Methodologies
Identify → Source → Measure → Mitigate → Monitor (Economist Intelligence Unit, 1995)
The ERM Framework
ERM considers activities at all levels of the organization:
• Enterprise level
• Division or subsidiary
• Business unit
• Processes
Similarities (4): System Tools
Assessment & Evaluation:
• Likelihood/consequences matrices
• Traffic lights
Response:
• Risk registers
• Ownership
• Escalation of responsibilities
Ranking by Likelihood and Consequence (matrix: likelihood against impact)
RAG Assessment (DCMS)
• Red: the control(s) are not in place or will not reduce the risk to an acceptable level.
• Amber: the control(s) are insufficient to reduce risk to the tolerable level, or are not yet in place but are expected.
• Green: the control(s) are in place and working effectively to reduce the risk to a tolerable level.
Similarities (5): ICT Support
• RBS: dedicated risk management software for quantitative analysis
• Birmingham City Council: Magique
• Tesco: ERP systems, customer-facing data collection
• DCMS: sharing of partnership risks
Similarities (6): Self Assessment
Private Sector (Combined Code, Section C2, p.14): "The board should, at least annually, conduct a review of the effectiveness of the group's system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management system."
Public Sector (Statement of Internal Control, standard format, DAO 2003): "For the year ended 31 March 2009, that opinion concluded that there were no significant control issues arising that require disclosure in this Statement."
NOTE THE MAJOR DIFFERENCE IN DETAIL.
Differences (1): Overall Structure for Risk Management
• Separate function: determined by regulation
• Tesco: "having a risk management function probably gets in the way of actually managing the risks because people are thinking about the risks as opposed to thinking about the customer."
• RBS: function essential under banking regulations and supervisory process (ARROW)
• DCMS: Head of Risk at Departmental level
• Birmingham: sits within internal audit
• Job titles: professional risk officer
Differences (2): Dependence upon quantitative tools
• RBS: extensive use for market, credit and liquidity monitoring; essential as part of the Basel capital requirement regulations
• Tesco: hourly monitoring of sales statistics; daily pricing of standard basket; steering wheel targets, e.g. financials & staff turnover
• DCMS: limited and primarily financial in nature
• Birmingham: performance monitoring for CPA targets, e.g. trading standards visits
Differences (3): Link from strategic objectives to operational performance
Integrated:
• Tesco: "people do it without actually knowing they are doing it, it's part of their accountabilities. They are held to account. We monitor things on such a micro level."
• Birmingham: forms part of the CPA evaluation, and risk forms part of individual performance review at operational levels.
Divorced:
• RBS: risk management defined by compliance with regulatory targets. Bonus culture separates remuneration from risk exposure.
Problem
• DiMaggio & Powell (1983) suggest coercive, mimetic & normative pressures may encourage similarity in the search for legitimacy, but institutional theory also suggests a need for "strategic fit", i.e. scope for variation
• Does the answer lie in distinguishing between existence and use of risk management controls?
Contingency Explanation for different levels of use
• Complexity of business model
• Level and nature of regulatory controls and accountability
• Organisational culture & informal controls over risk
• Criteria used to evaluate risk management: compliance v performance
Complexity of Business Model
• RBS: complex interdependent businesses. Go for silo approach.
• Tesco: very simple value chain. What drives value?
• Birmingham: complex, multiple interdependencies & partnerships. Learning via CPA.
• DCMS: multiple partnership risks. Still learning.
Level & Nature of Regulatory Controls & Accountability
• RBS: subject to intense regulatory oversight, which drives tools of control
• Tesco: greater discretion under Combined Code
• Birmingham & DCMS: limited strategic choice; have to manage risks; accountability tight via SIC (and CPA for Birmingham)
Organisational Culture & Informal Controls (Ouchi, 1979, "clan" controls)
• Is performance against objectives high on the agenda and pervasive? e.g. Tesco slogans; shelf stacker
• Is performance measured purely in financial terms & shareholder value?
• Risk "champions"
• Isolated risk function: RBS 5th Floor
Criteria Used to Evaluate Risk Management
Two different mindsets:
• "Are we within prescribed risk boundaries laid down either externally or internally?" OR
• "Are we achieving the results we promised?"
Conclusion
Simons (1991): control systems may be diagnostic or interactive.
• Cases suggest that diagnostic use equates to a compliance mindset
• Interactive use fits with a performance-oriented mindset
• Orientation depends upon a range of factors both internal and external to the organisation
• Only in the latter does risk management guide organisational learning via the application of "critical imagination"