1 Implementing Risk Management Strategically and Effectively in Regulatory Practice Andrew Archer (Former Department for Business and Ministry of Justice Official)
Dec 30, 2015
1
Implementing Risk Management Strategically and Effectively in
Regulatory Practice
Andrew Archer(Former Department for Business and
Ministry of Justice Official)
Key Issues
• Is the regulator’s strategy informed by good risk analysis?
• The link between targeting efforts where the risk is greatest and having our efforts strategically focused where the opportunity/challenge is greatest
2
Opening Thoughts
• “A regulatory system will be difficult to justify – no matter how well it seems to be performing – if critics can argue that a different strategy would more relevantly achieve relevant objectives” (Baldwin et al – ‘Understanding Regulation’)
• Strategy is as much about what you do not do as much as what you actually do
Risk
“In reality, risk management is as much the art of managing people, processes and institutions as it is the science of measuring and quantifying risk.”(Thomas Coleman ‘A Practical Guide to Risk Management’)
4
"Unlike a standalone decision or goal, a strategy is a coherent set of analyses, concepts, policies, arguments, and actions that respond to a high-stakes challenge” Richard P Rumelt
•Strategy has to address the HOW.
The Essence of Strategy
Creating Strategy• Correctly understand challenge and
context (diagnosis)
• Understand the intended outcome without attachment to specific means (guiding approach)
• Work out how specifically to address challenge and achieve outcome
• Work out leverage points which multiply effort
• Decide how to focus action.
BehavioursBehaviours
ValuesValues
PurposePurpose
Strategy
Strategy requires alignment…
• Fluff
• Failure to face the challenge – the key risk or opportunity
• Mistaking goals for strategy
• Bad strategic objectives.
Conflict can arise whenever this is pointed out…
Bad strategy
• Agreeing the diagnosis (correctly understanding the challenges, risks and context)
• Agreeing the guiding approach (understanding the intended outcome without attachment to specific means)
• Agreeing the specific strategy (working out how specifically to address challenge and achieve outcome)
– Working out leverage points which multiply effort
– Deciding how to focus action.
Where conflict can arise
High economic growth
Low economic growth
Plentiful supply of skills
Shortage of skills
Scenario 1 Scenario 2
Scenario 3Scenario 4
Scenario Planning
Strategy Development
Environmental Scan
Different Possible Futures
(Scenarios)
Mandate
Vision
Values
Strategic Objectives
Plans
Evaluation
“Action "Strategies
Mission
EnvironmentalShifts
CustomersCompetitorsStakeholders
EconomyGovernmentTechnology
Society
The Why
OrganisationalResponses
StrategyStructures
MissionProductsPractices
Technologies
The What
PersonalImplications
RolesResponsibilities
MethodsThinkingValues
Behaviours
The How
Why, What, How model
• Hazard identification – inherent ability to cause harm
• Risk assessment – likelihood that harm will occur
• Risk management – minimising risk• Risk communication – making the
outcomes known• (NB distinction between risk as rationale
for regulation and risk of unintended consequences of regulation – latter will be explored in later session)
Risk Issues?
Risk and Organizations: A View
• “The art of risk management is not just in responding to anticipated events but in building a culture and organisation that can respond to risk and withstand unanticipated events. In other words, risk management is about building flexible and robust processes and organizations” Thomas Coleman (‘A Practical Guide to Risk Management’)
14
Decision Making - Risks
Step One – Identify inherent risksStep Two – Assess risk against probability and impact
• Any course of action will contain an element of uncertainty
• Those options that measure well against the desirable criteria should be assessed for inherent riskProbability
ImpactLL HH
HH
LL
Medium Priority
High
Priority
Low
Priority
Medium Priority
Managing Risk”5Ts”
• Transfer - by insurance or finding another way to get someone else to bear the risk
• Tolerate - if you can’t do anything about the risk or the cost of doing something far outweighs the benefit
• Treat - contain the risk to an acceptable level (by internal control or action taken within the organisation)
• Terminate - you may find the only way to deal with the risk is to stop the activity causing it
• Take the opportunity – entertain a level of risk for the potential benefit that a certain course of action might take.
Risk and Regulation- Hampton
• Need risk based, targeted regulation• “Unless risk assessment is carried through into
resource allocations and regulatory practice, it is wasted effort.”
• Risk assessment needs to be comprehensive, and inform all aspects of the regulatory lifecycle from the selection and development of appropriate regulatory and policy instruments through to the regulators work including data collection, inspection and prosecution
• This implies risk should inform STRATEGY
Embracing Uncertainty
• “We must give up any illusion that there is certainty in this world and embrace the future as fluid, changeable and contingent” (Thomas Coleman)
18
Public Perception of Risk• High level of public anxiety – public may not
understand risks (behavioural insight)• Public and media perception creates high
pressure on Government to act as if it can deal with more risks that is really possible
• Government cannot take responsibility for ALL risk
• Has to communicate trade-offs in managing risk
• Must avoid making long term mistakes in response to a pressured situation. 19
Perception vs Evidence
“There is a view that the policy dilemma at the heart of risk management is that policies responding to lay-people’s perceptions of risk tend towards over- regulation, while policies based entirely on scientific evidence will be seen as an inadequate response and will not be supported by the public” (Better Regulation Commission 2006) 20
Communication
• Public perception of risk may pull government / regulator away from a strategic approach e.g. panic that led to Dangerous Dogs Act
• Need to communicate and show one is listening to concerns
• Need to ensure misunderstandings about risk do not push regulator into approach that is not strategic.
21
Four Realities Model
Unitary (Truth, Rules, Action)
What are the rules here?
Is this in line with the principles?
What’s the underlying theory?
What assumptions are being made?
What’s the truth in this?
Sensory (Facts, Evidence, Sensory Information)
What is going on? What are data?
What works? What will work?
How do things connect?
What resources are there?
What feedback do we have on this?
Mythic (Ideas, Creations, Strategy)
What does this mean?
What opportunities could arise here?
What’s the story behind this?
What’s the metaphorical basis?
What would happen if we?
Social (Values, Feelings, Decisions)
What is important?
How do people feel about this?
How is this going to motivate people?
Are the changes fair for all those involved?
How to achieve what matters to us?
A Good Risk Management Strategy- Summary
• Learn about risks in general and risks in the business sector regulated (including how people respond)
• Learn about specific exposures and risks that may affect the strategy of a regulator
• Make sure the regulator’s strategy addresses key risks (and opportunities)
• Consider organisational risks (group dynamics and human factor)
• Ensure regulations and enforcement are focused on the biggest risks.
• Big question: the role of a regulator in ensuring the regulated address the above
23