The BBC’s Management of Risk
NAO review presented to the BBC Governors' Audit Committee, September 2006, by the Comptroller and Auditor General, and a response to the review from the BBC

The BBC’s Management of Risk
BBC response to the National Audit Office Value for Money study

At the request of the Governors’ Audit Committee, the BBC’s management of risk has been subject to a value for money study to assess whether the BBC’s overall approach to risk management allows the organisation to understand fully and respond effectively to the risks it faces.

This study is published alongside the Deloitte review of the BBC’s Independent Commissioning process. These are the last in the current three-year programme of studies, commissioned by the Governors, assessing value for money across the BBC. The BBC Governance Unit is currently working with the National Audit Office (NAO) on plans for a new programme of value for money studies that will be considered for commissioning by the BBC Trust from January 2007 onwards.

As the NAO acknowledges, the BBC faces a wide variety of risks, ranging from reputation risks associated with its broadcast output to risks in the management of its resources. With this in mind, the BBC has sought in recent years to improve its risk management process, increasing its priority for Governors and senior management. The Governors commissioned this study to review the progress made so far and to provide recommendations for the BBC to adopt going forward.

The Board of Governors thanks the NAO for undertaking this review and accepts the report’s conclusions and recommendations. The Governors welcome the NAO’s conclusion that the BBC has an appropriate framework for managing risks and will continue to monitor progress made to ensure this process is fully embedded throughout the organisation.

As mentioned in the study, the Governors are currently developing a draft risk protocol for possible approval by the BBC Trust in line with its duties under the new Charter. The protocol will specify how the BBC Trust will carry out its duties under the new Charter and Agreement regarding the oversight of risk. The Governors will ensure that NAO’s recommendations will be taken into consideration and incorporated, where appropriate, in the draft.

The attached response from BBC Management outlines what action is being taken to address other recommendations made by the NAO. It has been considered and approved by the Board of Governors.

Board of Governors
October 2006

The BBC’s Management of Risk
BBC response to the National Audit Office Value for Money study

The BBC’s risk management arrangements have been in place for several years and were strengthened from the beginning of 2006 following an internal and external consultation on good practice. The objective of those arrangements is to ensure that material risks, and opportunities, are identified and communicated to ensure that the BBC continuously meets its objectives and core purposes.

We are pleased to note the NAO’s overall conclusion that the BBC has an appropriate framework for managing risk and that the approach to developing risk management is similar to that of other organisations. The NAO’s review of risk management in five other organisations found that it takes between four and six years to fully embed risk management. The NAO’s study has made helpful recommendations as to how the BBC can make further progress towards fully embedding risk management. Some of those recommendations confirm existing work in progress, while the new recommendations will also be taken forward.
Responding to the recommendations of the NAO

With a new risk management process in place, the BBC now needs to ensure that this becomes embedded in the way it does its business…

The BBC will establish a timetable, milestones and criteria for measuring and reporting progress as recommended by the NAO. During 2006, the BBC has used a self-assessment model based on HM Treasury’s Orange Book, Risk Management Assessment Framework, which together with the survey of BBC managers conducted by the NAO will be used as a baseline for monitoring improvement.

We accept that best practice guidance is to record in risk registers each risk owner. While all identified risks in the BBC are owned, it has not been our practice to require that the owner is recorded in the risk register, other than where further risk actions are identified. We confirm that in future we will require that all risk owners are recorded in risk registers.

The NAO has noted some of the areas of good practice within the BBC in the sharing of risk issues across divisional boundaries, while noting that there is potential for further improvement. The process of bottom-up identification of risks from divisions, fed to risk owners at senior management and board level, is in itself designed to promote effective communication of risk across boundaries. We will review existing measures and areas of best practice within the BBC to promote further sharing of risk information wherever relevant.

In developing the BBC’s risk management approach it has been appropriate to draw upon the expertise of the Head of Business Assurance and his team. As we make the transition to a fully embedded arrangement we will migrate those responsibilities to the management team under the direction of the Group Finance Director, who will assume the role of Risk Officer. The network of divisional risk officers will be strengthened and divisional boards will in future be required to address risk management to the same standards as the main board.
The BBC’s risk management could be more focused…

As recommended by the NAO, we are preparing more clearly defined parameters for rating risks reported to the Executive Direction Group (EDG) and adopting a single five-colour coding system in all reports that they will receive, thereby ensuring greater granularity of relative risk levels. The Annual Risk Baseline report by its nature is a substantial review of risks facing the BBC and, while this has drawn favourable comment in terms of the comprehensive view, we appreciate that there is the danger of providing too much information. We will continue to monitor the streamlining of information through the quarterly updates of risk and seek feedback from EDG on the level of information provided.

The NAO recommend that the costs and benefits of risk controls are routinely assessed so that minor risks are not over-managed. We will review the consideration of cost versus benefit of controlling minor risks. As noted in the NAO report, establishing risk appetite is easier where the impact of the risk can be quantified. Consequently the benefit in controlling risk that is non-financial, e.g. reputation impact, can be harder to measure. The BBC is currently working towards agreeing a definition of risk appetite in regard to each key category of risk.

The BBC needs to develop its training and communication for risk management…

The NAO has noted that, while the majority of BBC managers surveyed had consulted the BBC’s risk management guidance, 29% had not. In light of the diversity of responsibility of those surveyed, it is perhaps not surprising that some will not have reviewed the overarching guidance, placing reliance instead on individual risk-specific policies of the BBC. However, we will take steps as recommended to ensure that all those who are relevant are identified and targeted with communications on managing risks.
Through the survey of managers, the NAO has identified that, while the majority of managers consider their training and support in managing risks to be adequate, 37% felt it was not meeting their needs. We welcome and will act upon the suggestion of conducting a training needs assessment to identify where further training is required.

The NAO recommendations relating to the risk protocol being developed by Governors in regard to the new arrangements under the Trust are answered in the Governors’ response.

The BBC’s management of risk
REVIEW BY THE COMPTROLLER AND AUDITOR GENERAL
PRESENTED TO THE BBC GOVERNORS’ AUDIT COMMITTEE | 20 September 2006

This report has been prepared under Clause 10B of the amendment to the Agreement between the Secretary of State for Culture, Media and Sport and the BBC dated 4 December 2003.

John Bourn
Comptroller and Auditor General
National Audit Office

The National Audit Office study team consisted of: Richard Gauld, Vicky Lewis, Ashley McDougall and Keith Hawkswell.

This report can be found on the National Audit Office website at www.nao.org.uk

For further information about the National Audit Office please contact:
National Audit Office Press Office, 157-197 Buckingham Palace Road, Victoria, London SW1W 9SP
Tel: 020 7798 7400
Email: enquiries@nao.gsi.gov.uk

© National Audit Office 2006

CONTENTS

SUMMARY

MAIN REPORT
What is this report about?
What are the BBC’s risk management arrangements?
Are senior management and Governors engaged with the risk management process?
Have the BBC’s risk management arrangements been effectively communicated to staff?
Is identification and reporting on key risks carried out in a consistent, timely and integrated way?
Is risk information user-friendly?
Are staff encouraged to report significant risks up the management chain?
Is there effective communication about risk between divisions?
Do managers have the training and support they need to manage risk?
Is risk management embedded within day-to-day management and business processes?
Is information about risks being used to actively manage and monitor them?
Are there risk management practices found in other organisations which could inform the BBC’s approach?

APPENDICES
One: Study methods
Two: Good practice references

Photograph (front cover and page 5) courtesy of Alamy.com

SUMMARY

1 The BBC faces a wide variety of risks ranging from reputation risks associated with its broadcast output to risks in the management of its resources. This report is about whether the BBC’s overall approach to risk management allows it to fully understand and respond effectively to the risks it faces.

2 The BBC introduced new risk management processes at the start of 2006 and there are early signs that these are making a difference, with senior management getting more frequent and comprehensive information about risks. There is, however, scope to make the risk information they receive more user-friendly and this would support management in identifying current priorities.

3 Senior management are receiving regular assurance that controls are in place and operating as intended for key risks, and the top five risks are regularly reported to the Governors’ Finance and General Purposes Committee. However, too many key risks may be being rated as red or amber as a result of divisions being over-cautious when scoring their risks, and the BBC is working to define its risk appetite to inform managers’ assessment of risk.

4 Divisional managers are identifying risks in their areas and receiving assurance about actions to control risks from nominated owners. While the majority of divisional risks have owners identified in risk registers, 29 per cent do not. Good practice is to identify the owners of all risks to help ensure they are managed and monitored over time.
5 All the BBC staff we contacted regarded themselves as having risk management responsibilities and the majority considered the training and support they had received was adequate. But 37 per cent felt they had not received adequate training and support, and there are gaps in awareness of the BBC’s framework for risk management within divisions.

6 Our overall conclusion is that the BBC has an appropriate framework for managing risk, with top risks considered regularly by senior BBC managers and Governors. And the BBC’s approach to developing its risk management is similar to that of other organisations. But the processes, leadership and organisational culture needed to ensure that risk information is routinely and consistently identified, documented, shared and acted on are not yet fully embedded throughout the BBC.

RECOMMENDATIONS

A With a new risk management process in place, the BBC now needs to ensure this becomes embedded into the way it does its business by:
¦ Establishing a plan with a clear timetable, milestones and criteria for measuring and reporting on progress. The results of the risk management survey conducted for our report could be used as a baseline for measuring progress.
¦ Ensuring that all risks in divisional risk registers have owners identified so that, in line with good practice, all risks have nominated owners to provide assurance that they are being managed and monitored over time.
¦ Promoting more open communication between divisions about risks and how they are being managed. Risk workshops and peer reviews of divisional risk registers could be useful approaches.
¦ Preparing a clear plan for migrating responsibilities for developing risk management and summarising risk reports from the Head of Business Assurance to members of the management team.
B The BBC’s risk management could be made more focused by:
¦ Clearly defining the parameters for rating the key risks as red, amber or green (at present, these are not clear and therefore there is a risk of inconsistency).
¦ Building on its new risk management arrangements by taking stock of whether the volume of information presented to senior management is meeting their needs, and improving the manageability and consistency of risk information by using common approaches to reporting overall risk ratings and ensuring that each top risk is rated.
¦ Routinely assessing the costs and benefits of risk controls so that minor risks are not over-managed. The work the BBC is doing to identify and develop guidance on its risk appetite should, in due course, help to inform the assessment and prioritisation of risk.

C The BBC needs to develop its training and communications for risk management:
¦ The BBC should clearly identify the target audience for its communications about risk management, their information needs and the channels that will be used to reach them. Although the majority of managers[1] in our survey had consulted the BBC’s guidance on risk management, 29 per cent had never looked at it.
¦ The BBC should carry out a training needs assessment to identify whether additional risk management training and support is needed and what form it should take: while the majority of managers considered that training and support was adequate, 37 per cent felt it was not meeting their needs.

D Looking ahead to the creation of the new BBC Trust, the Governors are developing a risk protocol and in doing so will need to:
¦ Ensure that, in relation to risk management, the respective roles of the Trust and the Audit Committee from January 2007 (when Audit Committee responsibilities transfer from the Governors to the Executive Board) are clearly defined.
¦ Define the information the Trust requires and the arrangements for obtaining it for the purpose of assessing and challenging management’s handling of risk, and for monitoring the BBC’s progress in embedding risk management. This could include inviting divisional directors, on a rotational basis, to talk about the main risks in their areas.

[1] See Appendix One for information about the participants in this survey.

MAIN REPORT

What is this report about?

7 This report is about the BBC’s management of risk. The BBC faces a wide variety of risks ranging from reputation risks associated with its broadcast output to risks in the management of its resources. It defines risk as any potential event, situation or circumstance, including the potential to miss opportunities, the emergence or occurrence of which, in a specific business context, could jeopardise meeting the organisation’s objectives or business purpose. Risk management is about getting the right balance between minimising threats and taking informed decisions about exploiting opportunities in the face of uncertainty.[2] For example, the BBC has to balance the need to produce news reports on insurrection, civil unrest and war by sending its staff to dangerous areas while minimising the risk of staff being harmed. The aim of managing risks is generally to constrain them to an acceptable level rather than entirely eliminating them. Whether mitigating threats or exploiting opportunities, risks must be carefully identified, evaluated and managed.

8 The main question this report addresses is whether the BBC’s overall approach to risk management allows it to fully understand and respond effectively to the risks it faces.
We based our assessment on documentary evidence, questionnaires which we sent to BBC executives and managers, interviews with key stakeholders in the BBC, case studies of Business and Broadcast Continuity and the BBC’s Change programme, and consultancy advice on practice in other organisations. Further details about our approach are in Appendix One.

9 This review of the BBC’s management of risks has been carried out at a time when the Board of Governors is planning for its succession by the new BBC Trust in January 2007, when the next Royal Charter starts. A system of risk management and reporting will, as the BBC recognises, be important in helping the Trust in its oversight of BBC management.

What are the BBC’s risk management arrangements?

10 The BBC’s current risk management arrangements, strengthening those which existed before, were introduced at the start of 2006. The main elements are:
¦ Identification of top risks: For a number of years the BBC has maintained a list of top risks. The list currently contains 44 risks under nine themes (Figure 1), which can span the work of several BBC divisions. Each month, the Director–General comes to his own view, informed by the Annual Risk Baseline (see below), on what he considers to be the five most important risks and reports these to the Governors’ Finance and General Purposes Committee.
¦ Annual Risk Baseline: Drawing on divisional risk registers, this report (which is updated quarterly) provides senior managers with a stock-take on the top risks.
¦ Divisional risk registers: Each of the BBC’s 14 divisions maintains its own risk register. These registers include, where relevant to individual divisions, the top risks but are not confined to these risks. Every three months, each division identifies its top five or so risks for a quarterly performance report which goes to the Executive Direction Group.

[2] See HM Government (March 2006) Risk: Good Practice in Government.
Figure 1: The BBC’s nine top risk themes
¦ Business continuity
¦ Financial management and controls
¦ Licence fee collection
¦ Loss of rights or failure to obtain or exploit rights
¦ Failure to comply with legal and external regulations
¦ Licence fee settlement
¦ Loss of competitive advantage
¦ The Change programme
¦ Supply chain management

11 The responsibilities of the key parties and the reporting flows between them are shown in Figure 2.

Are senior management and Governors engaged with the risk management process?

12 In 2004, following the appointment of a new Director–General and Chairman, the BBC’s management board structure was reorganised. In May 2005, the BBC’s then Chief Operating Officer identified the need to clarify responsibilities for risk management and ensure that the BBC had clear arrangements for reviewing and reporting on risk. The Head of the BBC’s Business Assurance team[3] was tasked with developing proposals to improve risk management. This led to the introduction of a number of changes to strengthen the risk management process in 2006 (Figure 3). Having performed a consulting role in relation to risk management, the Head of Business Assurance is looking to ensure that, in accordance with guidance from the Institute of Internal Auditors[4], there is a clear plan for migrating responsibilities to members of the management team.
Figure 2: Responsibilities of key parties for risk management, and the reporting arrangements (Source: National Audit Office)

Responsibilities:
¦ Governors’ Audit Committee: Monitoring the effectiveness of, and compliance with, the risk management process
¦ Governors’ Finance and General Purposes Committee: Scrutinising the Director–General’s top five risks and the consideration of risks in major investment proposals
¦ Executive Direction Group: Ensuring that there is a process in place by which key risks are identified, reviewed and managed through controls and mitigation strategies
¦ Head of Business Assurance: Co-ordinating the preparation of the Annual Risk Baseline and drafting a summary; reporting to the Audit Committee on the risk management process
¦ Key risk owners: Members of the Executive Direction Group own key risks and are responsible for monitoring their management
¦ Risk Assurance Team: Facilitating the risk management process at all levels and coordinating risk reporting
¦ Strategy division: Incorporating divisions’ top risks into quarterly performance reports
¦ Divisional Directors: Maintaining up-to-date data on risks relevant to their business and ensuring that appropriate local risk management processes are embedded into divisional processes

Reporting flows shown in the figure:
¦ Director–General’s monthly report on the top five risks
¦ Annual Baseline Review with quarterly updates
¦ Six monthly report on the risk management process
¦ Reports on divisions’ top five risks
¦ Divisional risk registers
¦ Reports on individual top risks
¦ Quarterly performance reports (including top five risks for each division)

[3] Which includes internal audit.
[4] The Institute of Internal Auditors UK and Ireland (September 2004) Position statement: The role of Internal Audit in Enterprise-wide Risk Management.
Figure 3: Main changes to the risk management process made in 2006 (Source: BBC)

Requirement | Previous process | Current process
Reviewing the list of top risks | Annual, with six month update | Annual, with quarterly review (starting in May 2006)
Update divisional risk registers | Twice a year | Quarterly (starting in March 2006)
Reporting key divisional risks to senior management | As required | Quarterly (starting in June 2006)
Annual Risk Baseline report | Not in place | Annual (starting in May 2006) with quarterly updates
Report for the Governors’ Finance and General Purposes Committee on the top five risks identified by the Director General | Monthly oral report | Monthly written report (starting in June 2006)
Report to the Audit Committee on risk management processes | Annual | Twice a year (starting in June 2006)

13 The BBC’s top level Executive Direction Group, which comprises 16 Executive Members and is chaired by the Director–General, has overall day-to-day responsibility for the risk management process. It is responsible for the top corporate risks (currently 44), each of which has an owner on the Executive Direction Group, and receives the Annual Risk Baseline report (and quarterly updates) on these risks. It also receives quarterly reports on the top five or so risks identified by each division.

14 The early signs are that the new processes introduced in early 2006 (Figure 3) are making a difference. The Director–General thought that with the new reporting arrangements in place, risk management had moved up the Executive Direction Group’s agenda. The results of a questionnaire which we sent to the members of this Group showed that 15 of its 16 members thought that risk management had improved over the previous 12 months. And our review of Executive Direction Group papers confirmed that the development of the risk management process had been a regular item on the agenda.

15 Part of the BBC Governors’ role is to constructively challenge and scrutinise management’s approach to, and performance in, managing risks. To fulfil this role the Governors’ Audit Committee, in line with good practice, assesses management’s overall approach to risk management. It receives updates from the Head of Business Assurance on the risk management process twice a year and a summary of the highest risks identified in the Annual Baseline Review. We discussed the BBC’s risk management procedures with two Audit Committee members, including the Chair, whose views were that they are sensible and fit for purpose and that management takes risk management seriously.

16 In addition, the Governors receive information about the management of individual risks through monthly reports which the Director–General provides to the Governors’ Finance and General Purposes Committee. This gives the Committee a clear view of his understanding of the top five or so current risks (paragraph 10), which in July 2006 included delays in the licence fee settlement and the safety of staff working in Iraq.

17 The current framework for overseeing risk management will change when the Board of Governors is replaced by the new BBC Trust in January 2007, and Audit Committee responsibilities transfer from the Governors to the Executive Board. The details, including a draft risk protocol which will set out duties and approach, are being worked on. The Governors’ expectation is that the BBC’s Executive Board will present to the Trust, on a rolling basis, an account of their management of risk.

Have the BBC’s risk management arrangements been effectively communicated to staff?

18 It is important that staff involved in managing risk understand the BBC’s approach to risk management and its corporate priorities; otherwise risk management is unlikely to be embedded in a consistent way.
Good practice in risk management suggests that visible commitment to risk management from the very top of organisations is critical to achieving this.[5]

[5] See, for example, HM Treasury (2004) Creating a Risk Management Culture.

19 The BBC’s approach to risk management and the list of top corporate risks identified by the Executive Direction Group are available to all staff on the BBC’s intranet. However, there are gaps in awareness of this guidance. While 64 per cent of respondents in our survey of managers in the BBC had looked at the guidance within the last year, 29 per cent had never looked at it, with a lack of awareness of the existence of a formal risk management process being a factor.

20 Some 61 per cent of respondents had a view of where leadership responsibilities for promoting risk management lay. However, the remainder either did not know or considered that the importance of risk management had not been promoted. These findings tie in with a self-assessment exercise carried out by the BBC, based on HM Treasury guidance, which suggested that management support for and promotion of risk management is the least developed area of risk management within divisions.

21 BBC policy is that all staff have a responsibility to identify and report on risks. All the staff in our survey regarded themselves as having risk management responsibilities, although a quarter considered that these responsibilities had not been clearly communicated to them.

Is identification and reporting on key risks carried out in a consistent, timely and integrated way?

22 To achieve a consistent approach, divisions are required to record their risks using a standard template and score them for likelihood and impact using criteria which are clearly defined. The new template has only been in use since March 2006, and our examination of divisional risk registers showed that some divisions were not yet providing all the information required.
For example, risks and associated controls were not always clearly described.

23 Until recently, divisions were formally required to update their risk registers twice a year. As the BBC judged this was not frequent enough to provide an up-to-date picture of the main risks, from March 2006 divisions have been required to update their risk registers every three months. While the new arrangements settle in, the Risk Assurance Team is having to prompt some divisions to update their risk registers.

24 The BBC has taken steps to integrate top-down and bottom-up reporting on risks. The template for divisional risk registers lists all the top 44 risks, so that divisions are able to identify any that are relevant to them. In addition, the BBC’s annual review of all its main risks (the Annual Risk Baseline report) draws on divisional risk registers and is broadly structured around the list of top risks. While the list of 44 top risks has remained largely static since May 2005, we confirmed it has been considered at Executive Direction Group meetings, most recently in May 2006.

25 For risks that cut across divisions, the BBC has specialist units who are responsible for their management. For example, the Business and Broadcast Continuity unit coordinates continuity arrangements, with divisions being responsible for their own individual business continuity plans. However, as the BBC’s Change programme team has found, it can sometimes be difficult to get divisions to fully consider cross-cutting risks. The team has sought to address this by running risk workshops (see paragraph 34).

26 The reporting of risks to senior managers on the Executive Direction Group has been strengthened. In addition to the Annual Risk Baseline on top risks, the Executive Direction Group receives risk information from two sources: quarterly updates on the risk baseline and a quarterly report on the top risks identified by each division.
However, these two reports do not show the overall rating of risks in a consistent way (see paragraph 29).

27 To strengthen the recording and reporting on risks, the BBC is moving from manual processes by rolling out a new electronic risk database (Magique). This is intended to improve the accessibility of risk data and the timeliness of reporting by recording and sharing risk information electronically.

Is risk information user-friendly?

28 Risk information should be clearly presented, identify changes in risk assessments and controls and help users prioritise action. The BBC’s Chief Operating Officer and Head of Business Assurance draw out key messages from the Annual Risk Baseline and summarise them for the Executive Direction Group.

29 Senior management are, nonetheless, receiving a significant volume of risk information. There are 140 risks in the 70 page Annual Risk Baseline and more than half of these risks are in a single category (amber). Although the 140 risks are rated, there is no overall rating of the BBC’s top 44 risks (see paragraph 10). In addition to quarterly update reports on the Annual Risk Baseline, there is a 20 page quarterly report covering 85 top divisional risks. These reports do not show the overall rating of risks in a consistent way (the baseline review uses a red/amber/green rating system which does not have set criteria and therefore there is a risk of inconsistency, while the report on divisions’ risks uses a five point colour coding system).

Are staff encouraged to report significant risks up the management chain?

30 Members of the Executive Direction Group were reasonably confident that they had a complete and up-to-date picture of all the main risks and that they were generally getting the information they need. However, nearly a third of managers responding to our survey were not clear about when to escalate risk information upwards.

31 There are also barriers to reporting risks up the management chain.
Although 43 per cent of managers thought that management were receptive to both good and bad news about risks, nearly a quarter thought that they were not. At the same time, 38 per cent thought that the BBC had a blame culture, which could prevent effective reporting about risks.

Is there effective communication about risk between divisions?

32 One of the BBC’s aims for risk management is to develop an improved process for capturing information about and learning from adverse events. For instance, the BBC’s Journalism Board, which includes representatives from five divisions (News, World Service, BBC World, Nations and Regions, and Factual and Learning), discusses risks such as health and safety, editorial and talent. But, at present, information about individual risks is not generally shared between divisions, and only 23 per cent of managers thought there were effective mechanisms for communicating risks identified in one area to other parts of the BBC. The rollout of Magique (paragraph 27) has the potential to improve the sharing of risk information, although divisions are not currently able to use the system to view other divisions’ risk registers.

33 There are mechanisms for identifying cross-divisional risks such as reporting to the Executive Direction Group and oversight by specialist teams such as Business Continuity and Disaster Recovery. However, the extent to which managers within divisions share experiences and good practice in managing risks which may not be unique to their areas is limited under the current arrangements.

34 There have been cases where staff from different divisions have been brought together to discuss common risks. For example, to encourage the sharing of risk information and help identify risks to the Change programme and mitigating actions, the Change programme team ran workshops which included staff from two-thirds of BBC divisions. The team found the workshops useful and aim to run more later this year.
Such forums could also help with sharing lessons in risk management, although this approach is not being routinely adopted across divisions.

Do managers have the training and support they need to manage risk?

35 Staff should be given access to appropriate training and support to help them meet their responsibilities for risk management. This can include the provision of guidance as well as formal training, although we noted that half of the 172 managers responding to our survey considered they needed more training in risk management, particularly in risk identification. Although 63 per cent of staff thought they had received adequate training and support, 37 per cent felt that it had been barely adequate or not adequate at all.

Is risk management embedded within day-to-day management and business processes?

36 One of the main aims of the new risk management process is to integrate risk management into the policy-making, planning and decision-making processes of the BBC. Embedding risk management is about creating a culture where effective risk management is an integral and natural part of the way most people work.6 This can extend from embedding risk management in core processes, such as planning, performance management and project management, to including risk management in individual performance appraisals.

6 HM Treasury (2004) Creating a Risk Management Culture.

37 We found that while 41 per cent of BBC managers agreed that risk identification was integrated into everyday business processes, 27 per cent felt that this was not the case (Figure 4). And our review of a random sample of 10 recent projects showed that although risk identification was an integral part of preparing investment proposals, in some cases the ongoing recording and monitoring of risks was not evidenced in a consistent and transparent way.
Together with gaps in the promotion of and training in risk management (paragraphs 20 and 35), these findings suggest that risk management is not yet fully embedded. In the BBC’s view, it will take two to three years to fully embed risk management in this way. PricewaterhouseCoopers’ review of other organisations also found that it takes time to fully integrate risk management into the business (paragraphs 43–45).

Is information about risks being used to actively manage and monitor them?

38 To provide the Executive Direction Group with assurance that controls are in place and operating as intended for the top risks identified by the Group, each of those risks has a named executive owner and a senior manager who is responsible for ensuring that the owner is kept informed about the risk and mitigating actions.

39 Divisional managers receive assurance about the control of risks in their areas from nominated ‘action owners’ who are responsible for taking steps to maintain or reduce the likelihood or impact of individual risks occurring. From our review of divisional risk registers in the first quarter of 2006, which contained a total of 850 risks, we noted that:

¦ Controls were identified and, where deemed necessary, further actions were planned. For example, the risk of a break in transmission of BBC broadcast output identified in the Strategy division’s risk register is addressed through controls which include performance monitoring, compliance checking and contractual agreements about emergency back-up arrangements.

¦ Of the 850 risks, 250 (29 per cent) did not have risk owners identified in risk registers. Treasury guidance states that all risks, once identified, should be assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time.7 The BBC is planning to address this by making the identification of risk owners mandatory in its new electronic risk database (paragraph 27).
40 Controls for individual risks need to be proportionate to the significance of and level of exposure to these risks, and the BBC’s internal guidance on risk management asks managers to consider the extra cost involved in controlling risks versus the potential benefit. Our discussions with BBC senior management suggested that while the costs and benefits of risk controls are sometimes considered it is not routinely done, and there is a tendency to over-manage some minor risks.

41 The significance of risks and decisions about whether responses are proportionate should be informed by a clear understanding of the BBC’s risk tolerance or ‘appetite’.8 The Executive Direction Group recognises that it needs to clarify what level of risk is tolerable and justifiable and is therefore currently considering how to develop a corporate definition of ‘risk appetite’. PricewaterhouseCoopers’ review of other organisations (paragraphs 43–45) did not identify a common framework for addressing this aspect of risk management.

[Figure 4: To what extent do you agree or disagree that risk identification is integrated into everyday business processes? Bar chart of percentage of respondents (0 to 40 per cent) by response: Strongly agree, Agree, Neither agree nor disagree, Disagree, Strongly disagree. Source: National Audit Office survey of BBC Managers.]

7 HM Treasury (October 2004) The Orange Book: Management of Risk – Principles and Concepts.

8 HM Treasury (October 2004) The Orange Book: Management of Risk – Principles and Concepts.

42 Even when controls are in place, contingency plans may be needed for key risks. Assurance about the effectiveness of contingency arrangements, particularly in relation to Business and Broadcast Continuity, is supported by reviews of responses to simulated and real events.
For example, the BBC carried out a post event review of its response to the July 2005 bombings, which concluded that contingency plans were in place and operated mostly as planned, although it identified a need for clearer communication arrangements, which it has since addressed.

Are there risk management practices found in other organisations which could inform the BBC’s approach?

43 We commissioned PricewaterhouseCoopers to identify practical examples of good practice in other organisations which could be helpful to the BBC. PricewaterhouseCoopers carried out interviews with five organisations (see Appendix One).

44 The results of this work confirmed that the five organisations it covered have been following a broadly similar path to the BBC, starting with the creation of a central framework for risk management then working towards embedding risk management. PricewaterhouseCoopers found that the process of fully embedding risk management arrangements takes from four to six years.

45 We identified the following points as being potentially helpful to the BBC:

a Risk maturity models provide a benchmark for monitoring progress through key phases in the development of risk management. Risk maturity models are used to assess the development of risk management over time and identify objectives for improvement. They help with setting a clear direction of travel, managing expectations about the development of skills and practices, and identifying the levels of support that are needed at different levels of development.

b Organisations at more advanced stages of risk maturity move towards an increasingly outward and forward looking approach to risk management. As the management of existing risks becomes more embedded, organisations can then concentrate on developing their skills and ability to identify trends and developments in the wider external environment that may impact on or provide opportunities for their business.
c A clear approach to communication and training helps increase recognition of the importance of risk management. Having a defined communication strategy, aligned to a risk management maturity model, supports the ongoing engagement of managers in risk management. For example, increasing the visibility of risks through central databases and integrating risk assessment into business plans, and therefore budget decisions, promotes awareness among managers of the value of risk management in supporting decision-making. This can be supplemented by focused training and a regular programme of general seminars.

d Inviting senior managers to summarise key risks and controls at board-level meetings demonstrates leadership engagement and provides assurance that risks are understood and managed. Inviting divisional managers, on a rotational basis, to attend meetings and report on their current and anticipated risk portfolio provides the board with additional assurance that risks are understood and managed within the business. This requires managers to be able to critically assess and summarise their business risk and the actions in hand to manage them within a limited discussion time.

e Establishing the ‘risk appetite’ is easier where the impact of the risk can be quantified. Although other organisations are seeking to define their risk appetite, PricewaterhouseCoopers’ review did not identify a common framework for addressing this aspect of risk management as the organisations were at different stages in identifying and assessing their overall risk profile, which is a pre-requisite for determining risk appetite. However, focusing on financial risks, such as potential losses on revenue generating projects or cost increases in new investments, provides a good starting point as this type of risk, and what the business is prepared to bear, can be readily quantified.
APPENDIX ONE

Study methods

1 The aim of our study was to assess whether the BBC’s approach to risk management allows it to fully understand and respond effectively to the risks it faces. As our focus was on the BBC’s overall approach we did not seek to evaluate the management of individual risks.

2 In carrying out our work, we collected and analysed a range of quantitative and qualitative data using the methods set out below. Our work was informed by good practice from HM Treasury, The Chartered Institute of Public Finance and Accountancy, and National Audit Office reports on risk management (see Appendix Two).

Interviews with staff and the Governors

3 We met with the BBC’s Director-General, Chief Operating Officer and Finance Director to discuss the BBC’s approach to risk management and the development of its risk management process, as well as the role of senior management in overseeing the BBC’s management of risk.

4 We interviewed BBC divisional managers with specific risk management responsibilities to discuss their approach to identifying, recording, reporting and managing risks, the effectiveness of the current arrangements and the guidance and support they have received. We also carried out interviews with the Head of Business Assurance and members of the BBC’s Risk Assurance Team to discuss their role in relation to risk management and their involvement in the development of the process.
We interviewed managers from the following business areas and divisions:

¦ News
¦ BBC Scotland
¦ BBC People
¦ Future Finance
¦ Marketing, Communications and Audiences
¦ Media Asset Management
¦ Procurement

5 To understand the Governors’ oversight of risk management and the effectiveness of the BBC’s approach to risk management, we met with the Chair of the Governors’ Audit Committee and the Chair of the Governors’ Finance and General Purposes Committee (who also sits on the Audit Committee), as well as key staff from the Governance Unit, which supports the Board of Governors in its work.

Case studies

6 We met with the BBC’s Change programme team and the Business and Broadcast Continuity team to discuss how cross-cutting risks are identified, recorded, reported and managed.

Survey of senior management and staff

7 We carried out two risk management questionnaire surveys of BBC staff, which we discussed with ALARM: The National Forum for Risk Management in the Public Sector (Peter Andrews, Chairman) and the Institute of Risk Management (Sheila Boyce, Board Member):

¦ The first was sent to all 16 members of the Executive Direction Group to obtain their views on whether risk management is embedded and effective.

¦ We separately surveyed 317 BBC staff to identify the awareness and understanding of the BBC’s risk management approach and the extent to which risk management is embedded in the BBC.

8 The staff surveyed were identified by the BBC as those staff with risk management responsibilities; the staff surveyed comprised managers from various BBC divisions as well as advisers from the Occupational Risk Management team. Completed questionnaires were received from 172 of the staff surveyed (a 54 per cent response rate).
Analysis of the BBC’s risk information

9 We reviewed the BBC’s documents on the risk management process and the guidance for managers to assess whether the risk management approach is comprehensively and clearly documented. We also examined the papers and agendas of the Executive Direction Group, the Governors’ Audit Committee and the Governors’ Finance and General Purposes Committee meetings to determine whether risk management was discussed and the extent to which it was considered by senior management and the Governors.

10 We analysed the first Annual Risk Baseline report presented to the Executive Direction Group in May 2006 and the list of top risks maintained by the Executive Direction Group to identify the type of risk information presented to and used by senior management to manage risk. We also examined divisional risk registers from March 2006 and the quarterly performance report which included each division’s top risks to assess how divisions were recording and reporting risk information.

11 We reviewed the investment proposals and most recent management reports for a random sample of 10 projects which were put to the Director-General’s Finance Committee in the last 12 months to identify how risks were being considered at a project level.

Consultation with other organisations

12 We commissioned PricewaterhouseCoopers to identify examples of risk management practice in other organisations which could potentially inform the BBC’s risk management approach. PricewaterhouseCoopers consulted the following organisations:

¦ Barclays Plc
¦ E.On UK Plc
¦ GlaxoSmithKline Plc
¦ Metropolitan Police Service
¦ Transport for London

APPENDIX TWO

Good practice references

In producing this report, we were guided by good practice principles from the following sources:

¦ NAO (2004) Managing Risks to Improve Public Services, HC 1078, Session 2003-04.
¦ NAO (2000) Supporting Innovation: Managing Risk in Government Departments, HC 864, Session 1999-2000.
¦ HM Government (March 2006) Risk: Good Practice in Government.
¦ The Institute of Internal Auditors UK and Ireland (September 2004) Position statement: The role of Internal Audit in Enterprise-wide Risk Management.
¦ HM Treasury (2004) Creating a Risk Management Culture.
¦ HM Treasury (October 2004) The Orange Book: Management of Risk – Principles and Concepts.
¦ HM Treasury (October 2004) Risk Management Assessment Framework.
¦ The Chartered Institute of Public Finance and Accountancy (2005) It’s a Risky Business: A Practical Guide to Risk Based Auditing.
¦ Financial Reporting Council (2003) The Combined Code on Corporate Governance.
¦ The Association of Insurance and Risk Managers, ALARM: The National Forum for Risk Management in the Public Sector and the Institute of Risk Management (2002) A Risk Management Standard.
¦ The Office of Government Commerce (2002) Management of Risk: Guidance for Practitioners.

British Broadcasting Corporation, Broadcasting House, London W1A 1AA

This report is available online at www.bbcgovernors.co.uk