Risk Management

Facilitation Skills for Risk ManagersImproving the risk identification process

Dr Rodney Irwin Ann Alder

Group Director Risk Management Director / Founder

& Internal Control RSVP Design Ltd

TNT NV

3

Best postal operator

in the world

Mail networks in eight

European countries

4.7 billion addressed

mail items in Holland

Largest in express

in Europe

40 aircraft

26,610 vehicles

230 million

consignments

World-class global leader in express and mail

151,000 employees

64 countries

Network covers 200 countries

4

Hoau

5

Speedage

6

Overview of ERM Process

Risk Management is a critical part of internal and external

governance systems within the group – legally required disclosure on

risk profile in Dutch corporate governance code and the Dutch

Financial Markets Supervision Act (EU Transparency Directive).

The current process has been in place for seven years and is one of

the more established formal governance mechanisms in the group

The process has Group ownership with localised participation and

has a dedicated sign off as part of the semi-annual LOR process

(Journey continues)

Linked to M&A, CAPEX and Budget setting processes

7

``

8

Journey or Destination.

ERM perceived as a compliance issue therefore not fully supported

by all management

ERM seen as additional work (we do risk management everyday –

why do we need a formalised process)

ERM is seen as too transparent for some!!!

What is risky to one is a opportunity to another so the definition of

risk is not universally understood

Then there is the problem of the risk management team …….

9

2. Risk Management at TNT - ERM Capability Maturity Model

Top Down

• Tone for managing the risks is set

by the Board but not embraced.;

• Enterprise wide, industry specific

risk framework;

• The Board establishes the risk

appetite;

• Few executives are held

responsible;

• Risk assessments are performed

considering only financial impacts;

• Enterprise-wide policies,

procedures and controls to mitigate

risks are developed and

communicated;

• Monitored through separate

evaluations by top management.

Systematic Risk Mgmt

• The tone for managing risks and

risk awareness is widely adopted

throughout the enterprise;

• Standardized risk framework

• Technology enabled processes

are used for risk reporting ;

• The Board establishes thresholds

(financial and non financial) and

tolerances in accordance with the

risk appetite;

• Appropriate executives consider

risk as part of the decision

making;

• Training is provided to employees

to understand the risk

management responsibilities;

• Controls are robust and support

an effective and reliable

operation.

Fragmented

• Written charters include risk

management roles and

responsibilities;

• Limited accountability of

senior executives;

• Disconnected risk

management programs and

tools in various silos;

• Sporadic risk assessments

considering expected event

on a limited basis;

• Controls are adequately

designed but have

inconsistent operating

effectiveness results;

• Ownership of risks is siloed.

Risk Intelligent

• Board considers risk

management as a competitive

advantage;

• There is a common risk language

including the value protection and

value creation;

• Senior executives constitute a

executive-level committee;

• Integrated with corporate

strategy:

• Risk management is monitored

extensively;

• Tools and techniques (such as

stress testing, sensitivity analysis)

are used to identify how the

enterprise might fail;

• Risk scenarios are prepared;

• There is an early warning system

based on thresholds to the Board.

Sta

ke

ho

lde

r V

alu

e

Systematic

Risk

Intelligent

Top DownFragmented

Unaware

• No tone at the top for

managing risks,

• No risk governance

structure;

• No risk framework, no

risk process;

• Heavy reliance on

manual processes to

report, communicate and

monitor risk related

activities;

• Unassigned roles and

responsibilities;

• No risk ownership for

business units.

Unaware

Integrated ERM capability

Where is TNT today?

Where does TNT want to be?

10

Strong program areas:

Common Risk Framework

Risk Infrastructure

Supporting functions

Key areas of attention:

- Risk Definition

- Executive management

Risk Infrastructure

& Oversight

Risk Governance Risk Infrastructure & Oversight Risk Ownership

Risk Definition

Common Risk

Framework

Roles &

Responsibiliti

es

Transparency/

Visibility

Executive

Management

Risk

Infrastructure

Functions

(IA, Risk

Mgmt.)

Business

Units

Supporting

Functions

Current State 3 4 3 3 3 4 3 3 4

Future State 5 5 5 5 5 5 5 5 5

0

1

2

3

4

5Risk Definition

Common Risk Framework

Roles and Responsibilities

Transparency / Visibility

Executive Management Risk Infrastructure

Functions

(IA, RM, Mgt)

Business Units

Supporting Functions

2. Risk Management at TNT - ERM Capability Maturity Model

11

Recommendations of Enhancement

1. Upgrade existing risk management processes to embed a local culture of risk identification,

ownership and accountability. Move away from the mindset of compliance towards

responsible management with informed decision making. Specifically (in order or priority)

- focus more attention on the quality of risk identification and the effective follow-up on corrective

actions by local management. Allocate sufficient skilled facilitation resources to the role of risk

coordinator locally.

- require regions and certain material local entities to perform risk workshops more frequently

than once a year and to update the risk profile accordingly in the risk register. e.g. require

quarterly management meetings to review risk profile and to adjust based on current knowledge.

- Re-define the risk management definition at TNT and replace it with a more time focused factor

as is the case in current best practice.

2. Develop functional risk assessments for key Group wide and division specific activities to add

bridge the gaps in the current silo model.

3. Create a virtual Risk Council to recommend risks for Board evaluation, monitor and (in some

cases) drive the corrective actions of known significant risks and improve the decision

making of key projects by evaluating the risks attached to such projects.

12

Recommendations of Enhancement

1. Upgrade existing risk management processes to embed a local culture of risk identification,

ownership and accountability. Move away from the mindset of compliance towards

responsible management with informed decision making. Specifically (in order or priority)

- focus more attention on the quality of risk identification and the effective follow-up on corrective

actions by local management. Allocate sufficient skilled facilitation resources to the role of risk

coordinator locally.

- require regions and certain material local entities to perform risk workshops more frequently

than once a year and to update the risk profile accordingly in the risk register. e.g. require

quarterly management meetings to review risk profile and to adjust based on current knowledge.

- Re-define the risk management definition at TNT and replace it with a more time focused factor

as is the case in current best practice.

2. Develop functional risk assessments for key Group wide and division specific activities to add

bridge the gaps in the current silo model.

3. Create a virtual Risk Council to recommend risks for Board evaluation, monitor and (in some

cases) drive the corrective actions of known significant risks and improve the decision

making of key projects by evaluating the risks attached to such projects.

The rest of this workshop will be devoted to one of these enhancement

objectives

We believe it to be the fundamental to many other objectives being implemented.

focus more attention on the quality of risk identification and the

effective follow-up on corrective actions by local management.

Allocate sufficient skilled facilitation resources to the role of risk

coordinator locally

13

Why did TNT initiate this training?

TNT’s Risk Managers are responsible for running Risk

Assessment Workshops (minimum one a year). In these,

they collect and share ideas and discuss the events that

could impact the achievement of business objectives.

All divisions, BU’s and Group Head Office departments

are required to run a formal workshop, whose outcome

will be reported to the next level of the organisation

through the TNT ERM Register.

14

Why did TNT initiate this training?

The Managing Director, Finance Director and the Management team

attend, participate and provide input to the risk assessment session.

In a BU/RPU risk assessment the management team should include

those responsible for ICT, Security, Operations and Health & Safety

(e.g. Sales, Customer, Administration), Human Resources and

Sustainability & Environment.

So, a senior and diverse group…...

15

Why did TNT initiate this training?

The purpose of the Risk Assessment

Workshops is to:

- Familiarise participants with the risk management process

- Enhance risk awareness

- Share risk knowledge and experience

- Determine the [entity] risk profile

- Understand key risks in more detail

- Develop initial risk mitigating action plans

16

Why did TNT initiate this training?

Observation and experience suggested

that:- Those delivering the workshops lacked confidence in their own ability to

manage the process

- There was a reluctance to move out of an ‘instructional role’ and to

engage the participants in active discussion and debate

- The relative lack of seniority of the workshop presenters meant that they

could feel threatened by Senior Managers in the workshops

- There was an over-reliance on a ‘script’ and technology

- There was a tendency to repeat ‘old’ thinking and not challenge this

- There was concern that the process was not contributing to ‘risk

awareness’ but being seen purely as a compliance exercise

17

What do we mean by Facilitation Skills?

Pure ‘Facilitation’ ( from the same root word ‘facile’) means to ‘make easy’.

In organisational contexts, we use the word in the context of facilitating a process: making it easy for a group to work through a process and achieve their end goal.

Facilitation is not instruction, training or coaching.

It relies on a three core skills: • Sensitivity to what is going on within a process

• Diagnostic ability to be able to identify what needs to happen or to change

• An ability to move towards action

18

What do we mean by Facilitation Skills?

It is perfectly possible to facilitate a process without having any knowledge of the content. It requires some of the same skills as those demonstrated by an independent chairperson in a meeting: the ability to support a group in making the decisions that are required.

Good facilitation needs:o Group management skills

o A client-centred focus

o Effective listening skills and ability to clarify and summarise

o The ability to ask appropriate and varied questions

o The ability to offer feedback

o The ability to challenge and confront discrepancy

o The ability to create positive, agreed future action

19

Why do Risk Managers need these skills?

For TNT’s Risk Managers, their role was somewhat confused.

Within the same workshop they needed to move between the roles of:

• Subject Matter Expert

• Instructor/presenter

• Consultant/Compliance advisor

• Process Facilitator

It was the last of these that was the most difficult for them. It was therefore decided to support them by working on a specific set of facilitation skills.

20

Why do Risk Managers need these skills?

In this context, Risk Managers need to be able to:

Ensure that the purpose and output of the session is achieved

Ensure that all key risks are identified and assessed

Engage the participants and encourage ‘ownership’

Provide specialist knowledge as appropriate

Manage the discussion and interaction effectively

Ensure that there is representation of different points of view

Handle challenges and objections

Achieve commitment to follow-up and implement action plans

21

The Training Design

It was agreed that the training design would be aligned

to the following learning objectives:

- To understand the specific role of the facilitator in managing risk workshops and how to build credibility in that role

- To understand how to elicit and manage good quality information form participants

- To understand group process and learn techniques in group management and control

- The develop skills and confidence in challenging and confronting participants in order to achieve more in-depth understanding of issues

- The ability to challenge and confront discrepancy

- The develop new approaches to running their own workshops

22

The Training Design

It was also agreed that the training design would include and illustrate facilitation methods appropriate for use in the Risk

- Small group/breakout group work

- Experiential learning activities

- Activities to encourage creative and innovative

thinking and would also include

- Rehearsal and practice

- Trainer and peer feedback

- Workshop re-design and application planning

23

The Training Workshop

So, let’s get you involved in some experiential learning:

A practical activity to explore the Risk Management journey ahead……