Section 2. Risk management process (in English)

Paragraph 2.1: Context analysis.

Risk philosophy, risk appetite e risk strategy should be always kept aligned, as one reflects the other. To this purpose it’s necessary to “measure” risk perception by the management staff – as some managers may be prepared to take more risk while others are more conservative – as well as the risk maturity of organizational context, since this latter could be more or less resilient in facing risk.

 Focus on: Measuring risk perception.

The following example has been selected because of the experimental and iterative approach; the risk perception is strictly connected with the subjectivity of the human element and with the peculiarities of the organizational context whose impact on the risk management effectiveness is often underrated.

CASE STUDY

Italian National Institute of Statistics (ISTAT)

At Istat (Italian National Institute of Statistics), in order to measure risk perception, a questionnaire was submitted to the Top-Management in 2011. The survey was carried out through a web application to about 30 Top Managers and it regarded their perception of the dynamics and severity of risk factors that could affect the activities of single offices or of the entire Institute. Among the possible methodological options evaluated for the topographic analysis of risk perception in ISTAT, the selected questionnaire is based on an international standard (ISO 31000:2009, AS / NZS 4360:1999, A & O) and modeled according to the definitions of an EU framework (PD ISO / IEC Guide 73:2002 and standards FERMA - Federation of European Risk Management Associations).

The Survey is made up of more than 60 questions and focuses on:

1.    the level of attention given to risk management when programming and monitoring the main activities of the Directorates and the Institute;

2.    the alignment of the current tools used for programming and control  with the risk management system;

3.    finding, although in simplified form, the factors that may cause injury, distinguishing among internal risks, external risks and cross sectional risks.

The questionnaire uses heterogeneous expressions and different types of responses, in order to keep constant the level of attention of the respondent; and it sometimes uses subjective terms, such as "substantially", "normally", "total", etc. as the survey is used to detect perception.

The survey on risk perception explored the most representative dimensions of managers’ organizational behavior when the critical events occur. The information obtained was processed to highlight the incidence of risk factors on planning and organizing the activities of each single structure and of the Institute's goals. For this purpose, ISTAT selected four dimensions, which are most representative of the attitude of managers with respect to critical events. They describe:

1.      the perception of risk compared to the activities of the manager: measured by the content of those responses that determine “whether” and “how much” the risk affects the planning and management of the manager’s activities within the structure of belonging;

2.      the perception of risk compared to the Institute: related to the connection between the existence of risk and the achievement of the strategic objectives of the Institute;

3.      the maturity of the control environment headed by the respondent: depending on the individual property to apply the risk management system adopted by the Institute;

4.      the maturity of the control environment of the Institute: its value derives from answers to questions that investigate the ability of the Institute to implement and support a system of risk assessment.

Each of these dimensions corresponds to a  set of answers, not necessarily placed in sequence, that highlight the character and the criteria used by the Manager when converting the perception of risk into organizational behavior.

Given the variability and subjectivity of risk perception, the results of the analysis of the responses showed a trend in behavior and do not establish a psychological profile or aptitude of the manager.

To facilitate understanding and interpretation of data, the four behavioral dimensions have been represented using a radar chart, in which the value placed on each vertex is the average of the values declared by the manager in the set of questions that express the meaning of the relative dimension. Depending on the risk profile to be analyzed, the results of the survey can be differently interpreted.

Specifically were examined 3 situations:

-      The risk perception by management, (highlighting the outliers);

-      The risk perception by management, by level of responsibility;

-      The risk perception by management, by area of activity (technical and administrative).

Example: The risk perception by management

Figure 1 compares the average rating given by all the executives involved in the survey (brown line) with the profile of the Top management (dashed blue line), including General Director and Chief of Departments, who, in the current theoretical framework, is the level of acceptance of risk consistent with corporate strategies (risk appetite). It also shows outliers, i.e. the maximum values (green bubbles) and minimum values (red bubbles), recorded for each dimension.

 Figure 1 – Representation of the average of management profile

The graph shows that the risk is considered an important component in planning activities (Size A), for all groups of respondents considered, even though there is a more favorable approach by apical managers (value of 4 to a maximum of 5) compared to all respondents (value of approximately 3.5).

On the other hand, both groups show a moderate mistrust in considering the risks an essential planning element to achieve the strategic objectives of the Institute (Size B). Again, however, it should be noted an attitude more inclined to consider the risk as an important factor for the Institute's activities, by the Top management, although the gap between the two values is not so large as in the case of A. In addition, for this dimension, even the maximum value recorded (bubble green equal to 3.8 points) is by far divergent from the average. It is worth noting, however, a positive general judgment about the maturity level of the control environment, both the single structure of belonging and for the Institute (Dimensions C and D: values slightly higher 3 out of a possible 5), such that it is allowed a positive development of the risk management system, based on the current organizational configuration. Even for these two dimensions, the orientation of the apical Leadership is demonstrated more favorable than that of all the respondents, although the gap between the two values is more pronounced about the overall vision of the Institute (Size D).

Paragraph 2.2: Process mapping

Focus on: Process mapping methods

CASE STUDIES

The mapping process is a crucial element of the document management system.

To exemplify the process mapping, the methodology applied by the Mexican Institute of Statistics (INEGI) and by the Institute of Statistics of Lithuania are described below.

• INEGI applies the IDEF standard; its characteristic is being modular, analytical and suitable for mapping processes involving a large number of people.
• Statistics Lithuania has focused on the interaction among production and organizational processes and on their impact on the statistical quality in terms of performance analysis; by doing so, this NSO considered the process mapping as the basis for quality management according to the standard ISO:9001.

Mexico, The National Institute of Statistics and Geography (INEGI)

The National Institute of Statistics and Geography (INEGI) has been using the Standard ‘Integration Definition for Function Modeling’ (IDEF) to map processes since 2011. IDEF0 is an engineering technique for performing and managing functional analysis, systems design, needs analysis, and baselines for continuous improvement. The Standard has been issued by the National Institute of Standards and Technology after approval by the United States Department of Commerce.

IDEF0 is used to produce a "function model": a structured representation of the functions, activities or processes within the modeled system or subject area. The IDEF0 methodology includes procedures for developing and critiquing models by a large group of people, as well as integrating support subsystems into an IDEF0 Architecture. The result of applying IDEF0 to a system is a model that consists of a hierarchical series of diagrams, text, and glossary cross-referenced to each other. The two primary modeling components are functions (represented on a diagram by boxes) and the data and objects that inter-relate those functions (represented by arrows). An IDEF0 model is composed of a hierarchical series of diagrams that gradually display increasing levels of detail describing functions and their interfaces within the context of a system. There are three types of diagrams: graphic, text, and glossary. The graphic diagrams define functions and functional relationships via box and arrow syntax and semantics. The text and glossary diagrams provide additional information in support of graphic diagrams.

The graphic diagram is the major component of an IDEF0 model, containing boxes, arrows, box/arrow interconnections and associated relationships. Boxes represent each major function of a subject. These functions are broken down or decomposed into more detailed diagrams, until the subject is described at a level necessary to support the goals of a particular project. The top-level diagram in the model provides the most general or abstract description of the subject represented by the model. This diagram is followed by a series of child diagrams providing more detail about the subject.

Statistics Lithuania (SL)

Process mapping in Statistics Lithuania (SL) has involved core processes, cross-cutting processes, operational activities in detail. As for the methodology followed in process mapping, ISO 9001 standard was used as a basis. Afterwards detailed analysis of performance was made, activities, their sequence and interactions were identified. In fact, ISO-certified Quality management system is based on process mapping.

Moreover, among the main elements of quality management system conforming to ISO there are:  definition of the processes, identification of their interactions and sequences; documentation of quality management system: process map, quality policy and quality tasks, quality manual. Quality management system is based on process management, which in turn is based on a detailed process map to which documented rules and guidelines on the various processes are linked. Management rules, structures, processes, activities, responsibilities, sequences and links, and associated documentation, are clearly defined and documented. The process map is a strong tool for standardization and the improvement of quality, and is also used as the backbone of the documentation system.

Processes of Statistics Lithuania: General Scheme 

Paragraph 3.2: Risk assessment

Focus on: Risk assessment methodology

The C & Risk Self-Assessment method involves:

•      valuators are the same staff that have identified the risks;

•      all assessment criteria must be the same by number and type.

In addition, the scale used for the evaluation of the likelihood and impact can be of 3, 5 or 6 levels. The higher the rating scale, the greater the distribution of the occurrences.

It is recommended to evaluate multiple types of impact, both qualitative (reputational) and quantitative (financial, operational). Each rating level must be described as objectively as possible to facilitate the task of the evaluators.

Statistics Austria

Risk indexes