
Post on 06-Jun-2020


Span of Control: A Risk Management Perspective

Claire Negus, Manager Business Functions BHP Billiton, Group Project Management


Introduction


Context

Span of Control Risk Model

Top Tips


Context

▪ What is span of control?
▪ Why do I care about span of control?
  i. Legislative and legal compliance
  ii. Delivery against objectives
  iii. Provide assurance that both (i) and (ii) are met
▪ How does it relate to risk management?
▪ How can I practically use risk management as a tool to enable span of control?


Span of Control

▪ Ability to effectively manage
▪ How can a manager receive and provide assurance they are in control of the risks that they are required to manage?

“How can I use risk management to assist me to deliver objectives and discharge compliance requirements?”


Practical Application

▪ Hypothetical: Construction of a $10b infrastructure asset

Project X


Risk Management: Enabling Span of Control


Rate Risks: Identify and prioritise the right risks

▪ Identify risks
▪ Prioritise risks through assessment
▪ Consider this per scope of work per person and holistically
▪ Leverage current knowledge and historic data utilising discussions, workshops and risk and control library

Objective: identify and prioritise risks


Management of Risks within Capability and Capacity?

▪ Enable a manageable list of risks per manager
▪ Consider:
  • Inherent risk consequence
  • Residual risk ratings
  • Proximity of risk
  • Control effectiveness status
▪ Avoid duplication
▪ Analyse top or material risks to identify all controls and call out critical controls

Objective: Ensure that management’s limited time is effectively focused


Alignment of risks to Organisational Structure

▪ Use a risk breakdown structure to enable alignment of risks with the organisational structure
▪ The right risks need to match the right roles
▪ Utilise risk and control libraries to capture and leverage organisational knowledge

Objective: Ensure individuals are responsible for risks matching their responsibilities


Roll-up: Aggregate risks for each level of management

▪ Objective
  • Big risks bubble up
  • No risks are missed
  • Assists in ensuring risks are managed at the right level of the org
  • Leverage the RBS matched to the organisational structure
▪ Basis of roll-up
  • Aggregation principles
    – Single major risks
    – Common risks or controls
    – Systematic risks requiring an integrated management approach

Objective: Ensure level of management attention is commensurate to the magnitude of risk under management


Review Remedies: Identify Critical Controls and Assess Effectiveness

▪ Identify top or critical controls
▪ Performance standards
▪ Verify they are fit for purpose
▪ Check they are operating effectively
▪ Track timely implementation of control actions (if required)

Objective: Ensure controls are fit for purpose and operating effectively

Cheddar = Critical Control


Control Effectiveness

Consider checking:

▪ Functionality
▪ Availability
▪ Reliability
▪ Survivability
▪ Dependency
▪ Compatibility

[Figure: Hierarchy of Controls, listing in order: Eliminate, Substitute, Redesign, Separate, Administrative Controls, Personal Protective Equipment]


Report: Communicate current position and issues

▪ Report
  – Make it simple
  – Categorise risks
  – Highlight current actions – note exceptions
  – Tailor it to users
  – Make it work!
▪ Communication of Report
  – Discuss the report in the right forum
  – Increase quality of the report over time

Objective: Ensure information is understood and issues acted upon at the right time and at the right level of management

[Figure: Dashboard showing individual risks by Control Level and Risk Status. Key: Needs Significant Improvement, Needs Improvement, Well Controlled, Information Outstanding. Scale: Activity Rating Score, marked at 0, 59, 89 and 100.]


Summary


Tips and Tricks

▪ Target less than 10 risks per role! If this target is not realistic, it will not be achieved.
▪ Stagger the development of your risk and control library.
▪ Ensure traceability when doing the risk roll-up.
▪ Ensure control status assessment criteria are defined and simple.
▪ Consider the use of leading indicators for tracking the performance of control effectiveness.
▪ Reporting formats need to be succinct! This is a case of less is more.


Thank You!
