Roosendaal is a midsized town in the south of the Netherlands with a population of around 78,000 inhabitants, located between Rotterdam and Antwerp, Belgium. Almost three years ago the Municipality decided to improve its risk management practice.
According to Dick Maaskant, Business Controller of the municipality, this decision was influenced by several internal and external forces. For example, risk management had become a political issue not only due to the rise of principles of governance but also due to new legislative reporting rules concerning risk control within annual reports and budgets. However, of even more importance , was senior management’s growing consciousness that risk management should be an important tool in achieving strategic and operational goals.
Back in 2006, risk management in Roosendaal was not embedded within the organisation’s mainstream business. No policy, standard procedures or systematic approach towards risk management were available. When projects were being discussed, there would be a question of identifying risks during the decision stage but this had little impact on the outcomes. There was reluctance to talk about risks arising, mostly out of fear for their inhibitory effect on the acceptance of new initiatives. Discussing risks was not part of business culture – in reality a pretty risky situation.
City Manager Jack Kruf and the Board of Mayor and Aldermen, pushed for the integration of risk management into existing business practices by laying out their aims and objectives in its four year activity program. Accordingly, the Board allocated a substantial budget to facilitate the required process to establish this goal.
Dick Maaskant became the Project Manager and at the end of 2006, his proposal was approved by the Board.
The project approach was based on the following insights:
– Whilst tools and sufficient management / employee technical skills are important in developing risk management, risk awareness and changing attitudes / behaviour towards risk management are equally so. This is a precondition for the successful implementation of risk management;
– on the scale of a city such as Roosendaal, integrating risk management into business processes is a matter of making small steps which will take several years to be accomplished: a multi phased approach was required;
– top-down implementation is necessary: The tone at the top is essential for changing behaviours.
The project plan was scheduled to run for a period of three years.
During 2007, the year the project started, the focus was on developing risk awareness at the managerial level ie. The Board, top management, departmental managers and project managers. Several workshops were organised to demonstrate the added value of risk management, including themes such as ‘how can risk management contribute to decision making processes on a strategic level ?‘ and ‘how can risk management contribute to the control of operational goals?’.
Risk analysis sessions, conducted in conjunction with various external agencies, were also carried out. Analysis of a real estate project ( new school ), the introduction of new legislation around social services at local level and on a process design for a new way of communicating with neighbourhoods about improving their environment took place.
In addition a quick scan of the main operational risks and their effects on required reserves was carried out to meet the reporting rules requirements regarding 2008 budgets
Year two was a year of investing in the education and skills of employees. Initial focus was on risk management processes – how to identify, analyse and quantify risk, and how to implement and evaluate control measures
Following this exercise all department managers were asked to make an analysis of the 10 main operational risks in their area of responsibility . A software tool to systematically register their performances on risk analysis was made available. This software system includes a statistical function (Monte Carlo analysis) which can calculate the level of financial reserves needed to cope with the overall financial risk that Roosendaal is exposed to. The amount of reserves required for this purpose is based on the degree of certainty chosen in relation to the required adequacy of reserves. On this, a policy was agreed with the Municipality, also resulting in estimating a minimal performance value at a ratio expressing total amount of financial risk related to the financial reserves of Roosendaal. That ratio is called the ’risk resistance ratio’.
With regard to risk ownership, a manual was created which included procedures on reporting and managing risks. Department managers are the initial risk owners but depending on the potential financial impact of a risk or its control measure, the risk has to be reported and shared with higher management levels. The basic rule is that the higher the financial risk, the higher the managerial level involved.
In the last year of the project (2009) the focus is on integrating risk management into the mainstream business. Risk management is introduced as an activity in the subsequent project phases for large projects, risk management is applied to risk management processes. Risk management accountability is secured in the planning and control process, both in the annual program budget and report as internal accountability and reporting to senior management and the Board.
According to Dick Maaskant “As we near the end of the project have I think our views at the beginning of the project have proved correct. There has been a significant investment of time and money but we have achieved our goal in that t risk is now on the agenda for not only the administration and management in general but also the wider employee base. Risk awareness has improved and we have developed a systematic way of working to deal with risks. We have integrated risk management into our business. Understanding of the risks we run has been improved, which also results in a less tense atmosphere when we talk about risk.”
But we can also make further steps in the future. Discussion about measures concerning risks can still become more indepth and require more attention. Our risk perception should not be limited to incidental or financial risks. We still need to expand into other risk categories such as legal , environment , political and strategic risk to further grow awareness . But, the foundation is there.