Implementing Risk Management Strategically and Effectively in Regulatory Practice

1

Implementing Risk Management Strategically and Effectively in

Regulatory Practice

Andrew Archer(Former Department for Business and

Ministry of Justice Official)

Key Issues

• Is the regulator’s strategy informed by good risk analysis?

• The link between targeting efforts where the risk is greatest and having our efforts strategically focused where the opportunity/challenge is greatest

2

Opening Thoughts

• “A regulatory system will be difficult to justify – no matter how well it seems to be performing – if critics can argue that a different strategy would more relevantly achieve relevant objectives” (Baldwin et al – ‘Understanding Regulation’)

• Strategy is as much about what you do not do as much as what you actually do

Risk

“In reality, risk management is as much the art of managing people, processes and institutions as it is the science of measuring and quantifying risk.”(Thomas Coleman ‘A Practical Guide to Risk Management’)

4

"Unlike a standalone decision or goal, a strategy is a coherent set of analyses, concepts, policies, arguments, and actions that respond to a high-stakes challenge” Richard P Rumelt

•Strategy has to address the HOW.

The Essence of Strategy

Creating Strategy• Correctly understand challenge and

context (diagnosis)

• Understand the intended outcome without attachment to specific means (guiding approach)

• Work out how specifically to address challenge and achieve outcome

• Work out leverage points which multiply effort

• Decide how to focus action.

BehavioursBehaviours

ValuesValues

PurposePurpose

Strategy

Strategy requires alignment…

• Fluff

• Failure to face the challenge – the key risk or opportunity

• Mistaking goals for strategy

• Bad strategic objectives.

Conflict can arise whenever this is pointed out…

Bad strategy

• Agreeing the diagnosis (correctly understanding the challenges, risks and context)

• Agreeing the guiding approach (understanding the intended outcome without attachment to specific means)

• Agreeing the specific strategy (working out how specifically to address challenge and achieve outcome)

– Working out leverage points which multiply effort

– Deciding how to focus action.

Where conflict can arise

High economic growth

Low economic growth

Plentiful supply of skills

Shortage of skills

Scenario 1 Scenario 2

Scenario 3Scenario 4

Scenario Planning

Strategy Development

Environmental Scan

Different Possible Futures

(Scenarios)

Mandate

Vision

Values

Strategic Objectives

Plans

Evaluation

“Action "Strategies

Mission

EnvironmentalShifts

CustomersCompetitorsStakeholders

EconomyGovernmentTechnology

Society

The Why

OrganisationalResponses

StrategyStructures

MissionProductsPractices

Technologies

The What

PersonalImplications

RolesResponsibilities

MethodsThinkingValues

Behaviours

The How

Why, What, How model

• Hazard identification – inherent ability to cause harm

• Risk assessment – likelihood that harm will occur

• Risk management – minimising risk• Risk communication – making the

outcomes known• (NB distinction between risk as rationale

for regulation and risk of unintended consequences of regulation – latter will be explored in later session)

Risk Issues?

Risk and Organizations: A View

• “The art of risk management is not just in responding to anticipated events but in building a culture and organisation that can respond to risk and withstand unanticipated events. In other words, risk management is about building flexible and robust processes and organizations” Thomas Coleman (‘A Practical Guide to Risk Management’)

14

Decision Making - Risks

Step One – Identify inherent risksStep Two – Assess risk against probability and impact

• Any course of action will contain an element of uncertainty

• Those options that measure well against the desirable criteria should be assessed for inherent riskProbability

ImpactLL HH

HH

LL

Medium Priority

High

Priority

Low

Priority

Medium Priority

Managing Risk”5Ts”

• Transfer - by insurance or finding another way to get someone else to bear the risk

• Tolerate - if you can’t do anything about the risk or the cost of doing something far outweighs the benefit

• Treat - contain the risk to an acceptable level (by internal control or action taken within the organisation)

• Terminate - you may find the only way to deal with the risk is to stop the activity causing it

• Take the opportunity – entertain a level of risk for the potential benefit that a certain course of action might take.

Risk and Regulation- Hampton

• Need risk based, targeted regulation• “Unless risk assessment is carried through into

resource allocations and regulatory practice, it is wasted effort.”

• Risk assessment needs to be comprehensive, and inform all aspects of the regulatory lifecycle from the selection and development of appropriate regulatory and policy instruments through to the regulators work including data collection, inspection and prosecution

• This implies risk should inform STRATEGY

Embracing Uncertainty

• “We must give up any illusion that there is certainty in this world and embrace the future as fluid, changeable and contingent” (Thomas Coleman)

18

Public Perception of Risk• High level of public anxiety – public may not

understand risks (behavioural insight)• Public and media perception creates high

pressure on Government to act as if it can deal with more risks that is really possible

• Government cannot take responsibility for ALL risk

• Has to communicate trade-offs in managing risk

• Must avoid making long term mistakes in response to a pressured situation. 19

Perception vs Evidence

“There is a view that the policy dilemma at the heart of risk management is that policies responding to lay-people’s perceptions of risk tend towards over- regulation, while policies based entirely on scientific evidence will be seen as an inadequate response and will not be supported by the public” (Better Regulation Commission 2006) 20

Communication

• Public perception of risk may pull government / regulator away from a strategic approach e.g. panic that led to Dangerous Dogs Act

• Need to communicate and show one is listening to concerns

• Need to ensure misunderstandings about risk do not push regulator into approach that is not strategic.

21

Four Realities Model

Unitary (Truth, Rules, Action)

What are the rules here?

Is this in line with the principles?

What’s the underlying theory?

What assumptions are being made?

What’s the truth in this?

Sensory (Facts, Evidence, Sensory Information)

What is going on? What are data?

What works? What will work?

How do things connect?

What resources are there?

What feedback do we have on this?

Mythic (Ideas, Creations, Strategy)

What does this mean?

What opportunities could arise here?

What’s the story behind this?

What’s the metaphorical basis?

What would happen if we?

Social (Values, Feelings, Decisions)

What is important?

How do people feel about this?

How is this going to motivate people?

Are the changes fair for all those involved?

How to achieve what matters to us?

A Good Risk Management Strategy- Summary

• Learn about risks in general and risks in the business sector regulated (including how people respond)

• Learn about specific exposures and risks that may affect the strategy of a regulator

• Make sure the regulator’s strategy addresses key risks (and opportunities)

• Consider organisational risks (group dynamics and human factor)

• Ensure regulations and enforcement are focused on the biggest risks.

• Big question: the role of a regulator in ensuring the regulated address the above

23