Risk Management Systems in Major UK Public & Private Sector Organisations: A tale of contrasting cultures
Professor Margaret Woods, Aston Business School

Case Study Comparisons of Risk Management Systems in Major Public & Private Sector Entities

Structure of Presentation
- Background to the paper
- Cases & methodology
- Key findings: similarities & differences
- Contingency explanation of variations
- Conclusion

Background
- CIMA funded project
- Public & private sector cases
- Interview based
- Pre-credit-crunch

Cases
- Tesco
- RBS
- Department of Culture, Media & Sport (DCMS)
- Birmingham City Council

Methodology
- Interviews: senior risk management & internal audit staff plus operational managers & users of the system. In the public sector both staff and politicians were interviewed, e.g. Chief Executive & Secretary of State
- Observation
- Internal documents
- Information systems

Contribution to the Literature
- Need for studies looking at the use of MCS (management control systems) at different levels of the organisation (Langfield-Smith, 1997)
- Call for research which distinguishes between the existence and use of MCS (Langfield-Smith, 1997)
- Risk management dimension barely covered in existing organisational literature

Definitions (1)
- Management Control: "the process by which managers ensure that resources are obtained and used effectively and efficiently in the accomplishment of the organisation's objectives." (Anthony, 1965)
- Risks: "uncertain future events which could influence the achievement of the organisation's strategic, operational and financial objectives." (IFAC, 1999)
- Risk Management: "process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives." (CIMA, 2005)

Definitions (2): Public versus Private Organisations
Three criteria used to distinguish them:
- Ownership
- Source of financial resources
- Model of social control (market v polyarchy)
(Perry & Rainey, Academy of Management Review, 1988)
Result: two public & two private (at time of study)

Views from the Literature
- Fone & Young (2000) & McPhee (2005)
- Power (2004): Risk management & standardised practices now central to both public & private sector organisations
- Power (2009): Basic risk management structures are common across all large organisations (private sector only)
- Miller et al (2008): Risk management of everything & alignment of risk management with good governance
- Collier et al (2006): Anecdotal evidence that public sector risk management is distinctive & different; need to shift from rule based compliance to use of "critical imagination" in risk management
- Mikes (2009): Calculative cultures – typologies of ERM interpretation

Key Findings
Each case is different, but there are:
- Strong similarities, e.g. between public & private sector, and
- Wide variations, e.g. public sector more advanced in thinking regarding partnership risk and linking risk management to performance management
Two questions:
- WHAT ARE THE SIMILARITIES/DIFFERENCES?
- WHY DO THEY EXIST?

Summary of Similarities & Differences
Similarities:
- Perceived role of risk management
- Timing of the formalisation of systems
- Overall methodologies or models
- Risk management tools
- ICT support
- Control via self assessment
Differences:
- Application of the models and tools
- Overall structure for risk management
- Dependence upon quantitative tools for evaluation & measurement
- Link from strategic objectives to operational performance – risk management as a bureaucratic structure versus an embedded process/mindset

Similarities (1): Perceived Role of Risk Management
- Tesco: "One of the reasons we are a successful company is because of risk management."
- RBS: "At the end of the day, risk management is nothing other than good husbandry on how you drive your business forward."
- Birmingham City Council: "Risk management is very much looking at achieving your objectives and what's going to stop you."
- DCMS: Risk management is concerned with "the culture, processes and structures directed towards the effective management of potential opportunities and threats to the Department achieving its objectives."

Similarities (2): Timing of the Formalisation of Risk Management Systems
- Pressure from financial scandals in the 1980s
- Private sector initiatives mirrored in the public sector:
  - COSO (1992)
  - Cadbury Code (1992); Cadbury triggered the Treasury Note (1994) & "Green Book" (1997)
  - Turnbull (1999) followed by NAO Report (2000): "work is underway on the appropriate method of adapting the principles of the Turnbull Report to the central government sector." (NAO, 2000: 39)
- Transfer from central to local government: CIPFA/SOLACE governance framework (2001)

Similarities (3): Generic Risk Management Methodologies
- Identify, Source, Measure, Mitigate, Monitor (Economist Intelligence Unit, 1995)
- The ERM Framework: ERM considers activities at all levels of the organization: enterprise level; division or subsidiary; business unit processes

Similarities (4): System Tools
- Assessment & evaluation: likelihood/consequences matrices; traffic lights
- Response: risk registers; ownership; escalation of responsibilities

Ranking by Likelihood and Consequence
[Slide figure: likelihood/impact matrix. Vertical axis LIKELIHOOD: High, Significant, Medium, Low. Horizontal axis IMPACT: Low, Medium, Significant, High. Numbered risks plotted on the grid: 3 in the High likelihood row, 6 and 14 in the Medium row, 2 in the Low row, and 5 along the bottom (impact columns not recoverable).]

RAG Assessment (DCMS)
- Red – The control(s) are not in place or will not reduce the risk to an acceptable level.
- Amber – The control(s) is insufficient to reduce risk to the tolerable level, or is not yet in place but is expected.
- Green – The control(s) is in place and working effectively to reduce the risk to a tolerable level.

Similarities (5): ICT Support
- RBS – dedicated risk management software for quantitative analysis
- Birmingham City Council – Magique
- Tesco – ERP systems, customer facing data collection
- DCMS – sharing of partnership risks

Similarities (6): Self Assessment
Private Sector – Combined Code, Section C2, p.14: "The board should, at least annually, conduct a review of the effectiveness of the group's system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management system."
Public Sector – Statement of Internal Control, standard format (DAO, 2003): "For the year ended 31 March 2009, that opinion concluded that there were no significant control issues arising that require disclosure in this Statement."
NOTE MAJOR DIFFERENCE IN DETAIL!!!!

Differences (1): Overall Structure for Risk Management
Separate function: determined by regulation
- Tesco: "having a risk management function probably gets in the way of actually managing the risks because people are thinking about the risks as opposed to thinking about the customer."
- RBS: Function essential under banking regulations and supervisory process (ARROW)
- DCMS: Head of Risk at Departmental level
- Birmingham: Sits within internal audit
Job titles – professional risk officer

Differences (2): Dependence upon Quantitative Tools
- RBS: Extensive use for market, credit and liquidity monitoring. Essential as part of the Basel capital requirement regulations
- Tesco: Hourly monitoring of sales statistics; daily pricing of standard basket; steering wheel targets, e.g. financials & staff turnover
- DCMS: Limited and primarily financial in nature
- Birmingham: Performance monitoring for CPA targets, e.g. trading standards visits

Differences (3): Link from Strategic Objectives to Operational Performance
Integrated:
- Tesco: "people do it without actually knowing they are doing it, it's part of their accountabilities. They are held to account. We monitor things on such a micro level."
- Birmingham: Forms part of the CPA evaluation, and risk forms part of individual performance review at operational levels.
Divorced:
- RBS: Risk management defined by compliance with regulatory targets. Bonus culture separates remuneration from risk exposure.

Problem
DiMaggio & Powell (1983) suggest coercive, mimetic & normative pressures may encourage similarity in the search for legitimacy, but institutional theory also suggests a need for "strategic fit", i.e. scope for variation.
Does the answer lie in distinguishing between the existence and the use of risk management controls?

Contingency Explanation for Different Levels of Use
- Complexity of business model
- Level and nature of regulatory controls and accountability
- Organisational culture & informal controls over risk
- Criteria used to evaluate risk management – compliance v performance

Complexity of Business Model
- RBS – complex interdependent businesses. Go for silo approach.
- Tesco – very simple value chain. What drives value?
- Birmingham – complex, multiple interdependencies & partnerships. Learning via CPA.
- DCMS – multiple partnership risks. Still learning.

Level & Nature of Regulatory Controls & Accountability
Regulations:
- RBS subject to intense regulatory oversight, which drives the tools of control
- Tesco – greater discretion under the Combined Code
- Birmingham & DCMS – limited strategic choice, have to manage risks; accountability tight via SIC (and CPA for Birmingham)

Organisational Culture & Informal Controls
Ouchi (1979) "clan" controls:
- Is performance against objectives high on the agenda and pervasive? e.g. Tesco slogans; shelf stacker
- Is performance measured purely in financial terms & shareholder value?
- Risk "champions"
- Isolated risk function – RBS 5th Floor

Criteria Used to Evaluate Risk Management
Two different mindsets:
- "are we within prescribed risk boundaries laid down either externally or internally?" OR
- "are we achieving the results we promised?"

Conclusion
- Simons (1991): Control systems may be diagnostic or interactive.
- Cases suggest that diagnostic use equates to a compliance mindset; interactive use fits with a performance oriented mindset.
- Orientation depends upon a range of factors both internal and external to the organisation.
- Only in the latter does risk management guide organisational learning via the application of "critical imagination."