IRM RISK FORUM 2006

1
IRM RISK FORUM 2006

• Delivering Improved Performance through
  Integrated Business
• and Risk Management Assessment
• Jean Leah and Lorraine Rogers (South Yorkshire
  Police)
• and Alan Stanbra (DNV)

alan.stanbra.dnv.com
2
Outline of Session

• Introductions
• Background to How it all Began
• Developing the Framework Self-Assessment
  Protocol
• Undertaking the Pilot Process
• Realising the Benefits
• Further Developments
• Interactive Group Session/Feedback.

3
Introductions

• Jean Leah
• 32 years experience with South Yorkshire Police
• Held various posts
• Holds a Masters Degree in Business Administration
• Until recently was responsible for managing
  change in ensuring that actions arising from
  reviews undertaken in the organisation were
  implemented. Just moved into a new role where
  she is responsible for managing strategic risk
  and undertaking inspection audits in the
  organisation
• Co-creator of the framework under discussion
  today
• Not a risk management professional.

4
Introductions

• Lorraine Rogers
• 22 years experience with South Yorkshire Police
• Held various posts
• Holds a Masters Degree in Business Administration
• Until recently was responsible for managing the
  Police Authoritys Best Value Review methodology
  to ensure it was continually fit for purpose as
  well as budget manager for the Department.
  Current role as Business Performance Manager
  involves the overall management of strategic
  planning, performance and performance assessment
  for the Force
• Co-creator of the framework under discussion
  today
• Not a risk management professional.

5
Introductions

• Alan Stanbra
• Principal Consultant in Det Norske Veritas
• MSc in TQM and Business Excellence
• DNV- a foundation which was founded in 1864
• Global organisation over 120 countries
• Probably one of the largest independent Risk
  Management companies in the world
• EFQM partner in Risk Management
• Authors of EFQM Risk Management Framework
• Memorandum of Understanding DNV and EFQM 2004
• Promote Risk Management and Business Excellence.

6
Background How it all Began

• As part of CPD in January 2005 registered for
  what was believed to be a course on Risk
  Management.
• Course - not a course - but a pilot workshop run
  by DNV and EFQM.
• Experts from several different
  countries/sectors participated to QA a new
  framework document to assess existing Risk
  Management arrangements.

7
Background How it all Began

• Two day workshop exhilarating !
• Travelling home decided that our Head of
  Department definitely needed this type of tool so
  as to identify and eliminate, where possible,
  unwelcome surprises in the running of
  day-to-day business.

8
Background How it all Began

• Question - Why bother developing a framework?
• SYP already uses self-assessment processes and
  business excellence principles.
• Needed to challenge how we can use the framework
  to address risk in SYP.
• SYP already deals with risk but not, in my
  opinion, in a systematic manner.
• Instead rely on individuals personal knowledge in
  this area.
• In reality no glue holding the process together.

9
Background How it all Began

• Question - Why the need for this approach?
• SYP need a business assessment tool which allows
  us to-
• Demonstrate to external auditors that we are in
  control of business delivery through
  self-assessment which
• Identifies areas of weakness
• Has action plans to address/manage those areas
• Is monitored via the Business Change Model
  (Service Plan/ISA approach) which has the
  capacity to demonstrate positive trends
• Allows us to benchmark across the Force
• Provides a mechanism which shows that
  improvements and delivery are attributable to the
  actions as a result of self assessment
• Links to the Force Strategic Plan (e.g. Business
  Plans)
• Is transparent to all parties
• DEMONSTRATES MANAGEMENT BY FACT.

10
Developing the Framework

• With a blank sheet of paper we began researching
  a wide number of inspection protocols to
  establish what is good Corporate Governance
  e.g. from HMIC, Audit Commission, CIPFA,
  Metropolitan Police Service.
• Helped to identify what a well managed
  organisation should look like - the basis for our
  framework.
• Used the above information, and the EFQM risk
  management framework, as a basis for the SYP
  (police speak) framework.

11
Developing the Framework

• Using a DNV river diagram approach as had been
  seen on the two-day workshop - developed a chart
  with four key sections of
• Policy
• Planning
• Core Business
• Monitoring Review.

12
Developing the Framework

• Expanded 4 headings into 9 sub-sections, each
  with an individual definition for a typical SYP
  Dept
• Corporate Governance
• Leadership, Commitment Culture
• Accommodation, Asset Management Health and
  Safety
• Planning
• Core Business Delivery
• Business Optimisation and/or Transfer
• Recruitment Selection, Training, Development
  Competence
• Communication Knowledge Management
• Statutory/Voluntary Inspection/QA Arrangements.

13
Framework Protocol Development

• Already stated not experts.
• Met with DNV and gave presentation to DCC.
• DNV contract entered into, to utilise their
  expertise and to enable them to advise on further
  development.
• Particularly assisted in areas of-
• Risk Assessment framework structure and
  assessment approach
• Assessment questions to gain broad knowledge and
  evidence quickly
• Methodology to deliver results.

14
Developing the Protocol

• Its a question based self-assessment protocol.
• It contains Assessor guidelines and instructions.
• Has a bespoke scoring mechanism together with
  associated risk appetite indicators, delivering
  an overall impact analysis, which shows current
  environment/performance.
• Intention was for it to be undertaken quarterly.

15
Developing the Protocol

• Methodology completed utilising some software
  unique to DNV (Protogen), which produces the
  outputs (Summit), and is then capable of
  transferring all the data stored (via an access
  database) into a word document.
• Placing the framework requirements into the
  software has enabled us to determine
• What systems should be in place to manage risk
  and overall business
• How well our organisation manages those risks,
  with respect to statutory requirements and
  desired outcomes of stakeholders
• Highlights areas of good practice (allows for
  this to be spread across the whole of the
  organisation)
• Highlights areas of improvement which feeds
  directly into action plans.

16
Undertaking the Pilot Process

• Objectives of the Pilot
• To thoroughly test the audit protocol
• Evaluate the audit methodology
• To gain a level of confidence that it gave the
  required results in a user-friendly format
• Provide a snapshot of real-time performance
  against the key elements of the framework
• Provide feedback to the audited Department on
  their performance
• Enable the audited Department to take the results
  of the audit to create an action plan for
  improvement.

17
Undertaking the Pilot Process

• DNV then piloted the protocol on a live SYP Dept
  (CDD) over two days.
• Pilot assessment undertaken on first day
• Interviews with senior managers in the morning
• Reality checks with staff in the afternoon
• At the end of the day DNV auditors fed back to
  the Departments management team highlights of
  the findings.

18
Undertaking the Pilot Process

• On the second day inputted the data received into
  Summit.
• Afternoon of day two presented a formal
  PowerPoint presentation of all the findings (to
  include the good practice and areas for
  improvement found)
• Real time reporting via Summit software allowed
  for audit report to be issued on second day.

19
Undertaking the Pilot Process

• Pilot Results

20
Undertaking the Pilot Process

• Lessons Learned from the Pilot
• In completing the audit in two days insufficient
  time was allowed three days is a more
  appropriate timescale.
• Didnt build into the timetable any time to do
  any pre-reading on (a) the Departments business
  plan and (b) actual performance achievements of
  the Department.
• Reality checking only spoke with internal
  Departmental staff didnt take account of any
  views that its customers might have (done this
  since very successfully).

21
Realising the Benefits

• At Head of Department Level
• Easy management tool to enable pro-activity in
  managing day-to-day business risk.
• Identifies all risk allowing any high
  categories to be prioritised and actioned.
• Confirms to managers whether they have the
  correct level of measures (KPIs) in place (e.g.
  our own experience).
• Is transferable between Departments in the Force.

22
Realising the Benefits

• At Force (Strategic) Level
• Collects data and evidence to support findings.
• Identifies Risk Exposure highlighting area(s) of
  concern BUT captures best practice (benchmarks).
• Provides a Risk Profile (River Diagram) allowing
  comparison between departments or areas scored.
• Audit methodology allows for improvements or
  otherwise to be captured during subsequent
  assessments, which alters risk profile.

23
Realising the Benefits - Benchmarking
CDD
CRD
24
Realising the Benefits

• Allows for creation of Protocols that can
• Ensure a consistent and thorough approach
• Give a constant scan of an organisations
  performance against key criteria
• Complete an in-depth assessment
• Allow pick and mix against criteria e.g. elements
  such as governance, leadership, coupled with
  others such as strategy, deployment measurement
  metrics
• Provide opportunity to take a strategic view of
  how the Force is performing
• Allow further development to create the
  opportunity to address other Force requirements
  (e.g. NIM, FCS, HMIC).

25
Realising the Benefits

• DCC in SYP has already indicated that this
  framework and protocol will be the tool used to
  enhance our Corporate Health Check process across
  the Force.
• This work will be undertaken by members of my
  Team and I will be responsible for scanning the
  results for trends which are escalating across
  Departments.
• If appropriate, issues will be elevated to the
  Force Risk Management Board now dealing with
  strategic and not tactical i.e. pots and pans
  issues.

26
Further Developments

• Now we are enhancing the protocol to cover not
  only Departments in the Force but also ability to
  assess all five operational policing Districts
  business.
• Entered into a second contract with DNV to expand
  the protocol accordingly.
• Elements being included are diversity issues, the
  Forces control strategy, monitoring elements of
  the National Intelligence Model, audit and data
  protection control issues unfortunately not in
  a position to discuss.
• Will pilot the expanded protocol during October
  2006.

27
Further Developments

• Software has facility to tag questions and this
  is being included in the latest version of the
  protocol.
• In the second contract now making good use of the
  tagging element so that appropriate questions
  can be utilised from the protocol depending on
  the type of audit being undertaken.

28
Further Developments
29
Further Developments

• Expanded protocol enable assessment of all SYP
  against (a) entire criteria or (b) by using
  Summits filters to carry out Department or
  specific assessments.
• This allows for
• Benchmarking across all or some areas
• Capture of strategic issues
• Quick but accurate holistic view for top level
  evaluation
• Details for divisional auditors.

30
Further Developments

• It is now believed that the utilisation of
  SYPs vision and imagination is the only limit!

31
QUESTIONS
32
Group Exercise 30 minutes

• Step 1 Split into groups and read through
  protocol element Leadership.
• Appoint a spokesperson and note-taker for each
  group
• Step 2 Discuss how the element can be improved.
  Consider all aspects of the protocol, as shown by
  red circles below. (20 minutes)
• Step 3 Hand protocol element and notes back to
  speakers, who will facilitate a discussion.
• .

ALL PAPERWORK TO BE RETURNED AT THE END OF THE
SESSION
33
(No Transcript)