
Risk Management Systems in Major UK Public & Private Sector Organisations:
A tale of contrasting cultures

Professor Margaret Woods
Aston Business School

Case Study Comparisons of Risk Management Systems in Major Public & Private Sector Entities

Structure of Presentation
Background to the paper
Cases & methodology
Key findings: similarities & differences
Contingency explanation of variations
Conclusion

Background

CIMA-funded project
Public & private sector cases
Interview based
Pre credit-crunch

Cases

Tesco
RBS
Department of Culture, Media & Sport
Birmingham City Council

Methodology

Interviews: senior risk management & internal audit staff plus operational managers & users of the system.
Public sector: both staff and politicians interviewed, e.g. Chief Executive & Secretary of State
Observation
Internal documents
Information systems

Contribution to the Literature

Need for studies looking at use of MCS (management control systems) at different levels of the organisation (Langfield-Smith, 1997)
Call for research which distinguishes between the existence and use of MCS (Langfield-Smith, 1997)
Risk management dimension barely covered in existing organisational literature

Definitions (1)

Management Control: "the process by which managers ensure that resources are obtained and used effectively and efficiently in the accomplishment of the organisation's objectives." (Anthony, 1965)
Risks: "uncertain future events which could influence the achievement of the organisation's strategic, operational and financial objectives." (IFAC, 1999)
Risk Management: "process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives." (CIMA, 2005)

Definitions (2)

Public versus private organisations

Three criteria used to distinguish them:
Ownership
Source of financial resources
Model of social control (market v polyarchy)
(Perry & Rainey, Academy of Management Review, 1988)

Result: two public & two private (at time of study)

Views from the Literature

Fone & Young (2000) & McPhee (2005)

Power (2004): Risk management & standardised practices now central to both public & private sector organisations

Power (2009): Basic risk management structures are common across all large organisations (private sector only)

Miller et al (2008): Risk management of everything & alignment of risk management with good governance

Collier et al (2006): Anecdotal evidence that public sector risk management is distinctive & different; need to shift from rule-based compliance to use of critical imagination in risk management

Mikes (2009): Calculative cultures: typologies of ERM interpretation

Key Findings

Each case is different
but
Strong similarities, e.g. between public & private sector
and
Wide variations, e.g. public sector more advanced in thinking re partnership risk and linking risk management to performance management

Two questions:
WHAT ARE THE SIMILARITIES/DIFFERENCES?
WHY DO THEY EXIST?

Summary of Similarities & Differences

Similarities
Perceived role of risk management
Timing of the formalisation of systems
Overall methodologies or models
Risk management tools
ICT support
Control via self-assessment

Differences
Application of the models and tools
Overall structure for risk management
Dependence upon quantitative tools for evaluation & measurement
Link from strategic objectives to operational performance
Risk management as a bureaucratic structure versus an embedded process/mindset

Similarities (1): Perceived Role of Risk Management

Tesco: "One of the reasons we are a successful company is because of risk management."

RBS: "At the end of the day, risk management is nothing other than good husbandry on how you drive your business forward."

Birmingham City Council: "Risk management is very much looking at achieving your objectives and what's going to stop you."

DCMS: "Risk management is concerned with the culture, processes and structures directed towards the effective management of potential opportunities and threats to the Department achieving its objectives."

Similarities (2): Timing of the formalisation of risk management systems

Pressure from financial scandals in 1980s
Private sector initiatives mirrored in public sector
COSO (1992)
Cadbury Code (1992)
Cadbury triggered Treasury Note (1994) & Green Book (1997)
Turnbull (1999) followed by NAO Report (2000): "work is underway on the appropriate method of adapting the principles of the Turnbull Report to the central government sector." (NAO, 2000: 39)
Transfer from central to local government
CIPFA/SOLACE governance framework (2001)

Similarities (3): Generic Risk Management Methodologies

Identify
Source
Measure
Mitigate
Monitor
(Economist Intelligence Unit, 1995)

The ERM Framework
ERM considers activities at all levels of the organization:
Enterprise-level
Division or subsidiary
Business unit processes

Similarities (4): System Tools

Assessment & Evaluation
Likelihood/consequence matrices
Traffic lights

Response
Risk registers
Ownership
Escalation of responsibilities

Ranking by Likelihood and Consequence

[Figure: risk ranking matrix. Vertical axis LIKELIHOOD (High, Significant, Medium, Low); horizontal axis IMPACT (Low, Medium, Significant, High). Risk items 6 and 14 are plotted in the grid.]

RAG Assessment (DCMS)

Red: The control(s) are not in place or will not reduce the risk to an acceptable level.
Amber: The control(s) is insufficient to reduce risk to the tolerable level, or is not yet in place but is expected.
Green: The control(s) is in place and working effectively to reduce the risk to a tolerable level.

Similarities (5): ICT Support

RBS: dedicated risk management software for quantitative analysis
Birmingham City Council: Magique
Tesco: ERP systems, customer-facing data collection
DCMS: sharing of partnership risks

Similarities (6): Self-Assessment

Private Sector
Combined Code, Section C2, p.14: "The board should, at least annually, conduct a review of the effectiveness of the group's system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management system."

Public Sector
Statement of Internal Control standard format (DAO, 2003): "For the year ended 31 March 2009, that opinion concluded that there were no significant control issues arising that require disclosure in this Statement."

NOTE MAJOR DIFFERENCE IN DETAIL!!!!

Differences (1): Overall Structure for Risk Management

Separate function: determined by regulation
Tesco: "having a risk management function probably gets in the way of actually managing the risks because people are thinking about the risks as opposed to thinking about the customer."
RBS: Function essential under banking regulations and supervisory process (ARROW)
DCMS: Head of Risk at Departmental level
Birmingham: Sits within internal audit

Job titles: professional risk officer

Differences (2): Dependence upon quantitative tools

RBS: Extensive use for market, credit, liquidity monitoring. Essential as part of the Basel capital requirement regulations
Tesco: Hourly monitoring of sales statistics; daily pricing of standard basket; steering wheel targets e.g. financials & staff turnover
DCMS: Limited and primarily financial in nature
Birmingham: Performance monitoring for CPA targets e.g. Trading Standards visits

Differences (3): Link from strategic objectives to operational performance

Integrated

Tesco: "people do it without actually knowing they are doing it, it's part of their accountabilities. They are held to account. We monitor things on such a micro level."
Birmingham: Forms part of the CPA evaluation, and risk forms part of individual performance review at operational levels.

Divorced

RBS: Risk management defined by compliance with regulatory targets. Bonus culture separates remuneration from risk exposure.

Problem

DiMaggio & Powell (1983) suggest coercive, mimetic & normative pressures may encourage similarity in the search for legitimacy, but institutional theory also suggests a need for strategic fit, i.e. scope for variation

Does the answer lie in distinguishing between existence and use of risk management controls?

Contingency Explanation for different levels of use

Complexity of business model
Level and nature of regulatory controls and accountability
Organisational culture & informal controls over risk
Criteria used to evaluate risk management: compliance v performance

Complexity of Business Model

RBS: complex interdependent businesses. Go for silo approach.
Tesco: very simple value chain. What drives value?
Birmingham: complex, multiple interdependencies & partnerships. Learning via CPA.
DCMS: Multiple partnership risks. Still learning.

Level & Nature of Regulatory Controls & Accountability

Regulations
RBS: subject to intense regulatory oversight - drives tools of control
Tesco: greater discretion under Combined Code.
Birmingham & DCMS: limited strategic choice, have to manage risks; accountability tight via SIC (and CPA for Birmingham)

Organisational Culture & Informal Controls

Ouchi (1979): clan controls
Is performance against objectives high on the agenda and pervasive? e.g. Tesco slogans; shelf stacker
Is performance measured purely in financial terms & shareholder value?
Risk champions
Isolated risk function: RBS 5th Floor

Criteria Used to Evaluate Risk Management

Two different mindsets:
are we within prescribed risk boundaries laid down either externally or internally?
OR
are we achieving the results we promised?

Conclusion

Simons (1991): Control systems may be diagnostic or interactive.
Cases suggest that diagnostic use equates to a compliance mindset
Interactive use fits with a performance-oriented mindset.
Orientation depends upon a range of factors both internal and external to the organisation
Only in the latter does risk management guide organisational learning via the application of critical imagination.
