Span of Control: A Risk Management Perspective
Claire Negus, Manager Business Functions, BHP Billiton, Group Project Management
Introduction
Context
Span of Control Risk Model
Top Tips
Context
• What is span of control?
• Why do I care about span of control?
  i. Legislative and legal compliance
  ii. Delivery against objectives
  iii. Provide assurance that both (i) and (ii) are met
• How does it relate to risk management?
• How can I practically use risk management as a tool to enable span of control?
Span of Control
• Ability to effectively manage
• How can a manager receive and provide assurance they are in control of the risks that they are required to manage?
“How can I use risk management to assist me to deliver objectives and discharge compliance requirements?”
Practical Application
• Hypothetical: Construction of a $10b infrastructure asset
Project X
Risk Management: Enabling Span of Control
Rate Risks: Identify and prioritise the right risks
• Identify risks
• Prioritise risks through assessment
• Consider this per scope of work per person and holistically
• Leverage current knowledge and historic data utilising discussions, workshops and risk and control library
Objective: identify and prioritise risks
Management of Risks within Capability and Capacity?
• Enable a manageable list of risks per manager
• Consider:
  • Inherent risk consequence
  • Residual risk ratings
  • Proximity of risk
  • Control effectiveness status
• Avoid duplication
• Analyse top or material risks to identify all controls and call out critical controls
Objective: Ensure that management's limited time is effectively focused
Alignment of risks to Organisational Structure
• Use a risk breakdown structure to enable alignment of risks with the organisational structure
• The right risks need to match the right roles
• Utilise risk and control libraries to capture and leverage organisational knowledge
Objective: Ensure individuals are responsible for risks matching their responsibilities
Roll-up: Aggregate risks for each level of management
• Objective
  • Big risks bubble up
  • No risks are missed
  • Assists in ensuring risks are managed at the right level of the org
  • Leverage the RBS matched to the organisational structure
• Basis of roll-up
  • Aggregation principles
    – Single major risks
    – Common risks or controls
    – Systematic risks requiring an integrated management approach
Objective: Ensure level of management attention is commensurate to the magnitude of risk under management
Review Remedies: Identify Critical Controls and Assess Effectiveness
• Identify top or critical controls
• Performance standards
• Verify they are fit for purpose
• Check they are operating effectively
• Track timely implementation of controls actions (if required)
Objective: Ensure controls are fit for purpose and operating effectively
Cheddar = Critical Control
Control Effectiveness
Consider checking:
• Functionality
• Availability
• Reliability
• Survivability
• Dependency
• Compatibility
Hierarchy of Controls: Eliminate, Substitute, Redesign, Separate, Administrative Controls, Personal Protective Equipment
Report: Communicate current position and issues
• Report
  – Make it simple
  – Categorise risks
  – Highlight current actions – note exceptions
  – Tailor it to users
  – Make it work!
• Communication of Report
  – Discuss the report in the right forum
  – Increase quality of the report over time
Objective: Ensure information is understood and issues acted upon at the right time and at the right level of management
[Figure: Dashboard showing Control Level and Risk Status, with an Activity Rating Score. Key: Needs Significant Improvement, Needs Improvement, Well Controlled, Information Outstanding.]
Summary
Tips and Tricks
• Target less than 10 risks per role! If this target is not realistic, it will not be achieved.
• Stagger the development of your risk and control library.
• Ensure traceability during the risk roll-up.
• Ensure control status assessment criteria are defined and simple.
• Consider the use of leading indicators for tracking the performance of control effectiveness.
• Reporting formats need to be succinct! This is a case of less is more.
Thank You!