Transforming risk from a buzzword to a valued process is no easy task. Tony Pooley explains how Newcrest Mining tackled the challenge in 12 months
Three weeks after joining Newcrest, my CEO called me a corporate virgin. Technically, at least, he was right. In my 35-year work history I had never worked for anyone outside of the consulting arena. Even after taking into account that the last 15 of those years were in risk management, and that I had worked for some of the world’s largest companies on a very wide range of risk issues at operating, management and board level, he was right – I was a corporate virgin. I was now inside the tent and all the pissing I’d done outside of it prior to that date had to be viewed through a very different lens. It was a period for rapid learning if I wasn’t to fail at my objective before I’d really gotten underway. I’ve learned a lot in my 10 months to date, and there’s plenty more to learn.
To do justice to this story that takes place over a little less than a year I need to set the context. Newcrest has a great exploration record over the last decade and a very sound mining record. Nevertheless, the following press statement could not have been more accurate when it was printed:
“For a chief executive, it’s surely a compliment for his company to be deemed a ‘world-class business’ in an analyst report. But when Citigroup adds ‘running on three cylinders’, some of the goodwill evaporates.”
Newcrest, despite its great industry talents, had somehow managed to rob itself of victory on a regular basis. A year earlier, the board was calling for more effective risk assessment and as a result, management had appointed a general manager for risk and commissioned a top consulting firm to help them establish a risk process. A reputable off-the-shelf product was purchased as the risk register and hundreds of risk assessments were undertaken using the sample matrix provided in AS/NZS 4360: 1999.
A little probing of the register, however, showed that the concentration lay heavily on production and safety issues. Exposures that showed up as high risk in the register were commonly not considered with enough focus by line management, and conversely, what line management did worry about often figured lowly in the risk register. In short, while a few put their heart and soul into the process, the results did not demonstrate genuine ownership of the system or good value for the time consumed. Nevertheless, compliance was demonstrated, impressive reports were generated, and we’d entered into the vicious cycle of risk management.
You can enter the cycle at any of the three points, ie you (a) may have a CEO or board that doesn’t really believe in the process; (b) allow insufficient time for good risk management; or (c) undertake low integrity work despite being given reasonable time to do better. Once in the cycle, however, breaking out is a tough job. I have a strong feeling that this is where most CROs find themselves today – looking to break out of the cycle.
I don’t really know how the split on entry points to the cycle has gone historically. I do, however, know that the standard of practice in my old world of risk consulting is generally very poor, with occasional exceptions of great work here and there. In summary therefore, I believe risk professionals themselves share as much of the blame for the slow progress in raising risk management standards as do the oft-blamed senior management and boards.
Enough of how we got here though, let’s consider exactly where we are. Reflecting on my new insights into corporate life, and my exposure to many other organisations in Australia today, I feel I can now distinguish more clearly between the outputs of risk management and the drivers for it.
Broadly speaking, drivers for risk management are in two groups: the stick (regulation) and the carrot (provides a business and/or ethical payback). While I would guess the majority of CROs, and other company officers assigned the responsibility for delivering a sound risk culture and framework, are passionate about their profession, not many other officers at board, executive or line management level would feel the same way. For me, this is the strongest indication that it is the stick that is the reason risk management is such a major buzzword, and unless the carrot takes over, a buzzword-led, box-ticking exercise is all it will ever amount to – simply morphing every few years to conform to the latest round of regulation. Certainly, the stick has a low likelihood of breaking us out of the vicious cycle.
Breaking out of the cycle
In Newcrest I was extremely fortunate in that the new CEO, appointed only months before I joined, understood risk and regarded it as a key business tool. Indeed, it figured prominently in assessments of his own performance in key result areas. In addition, the board were pleased – if a little sceptical – to hear that management were passionate believers in risk process and philosophy. Sceptical or not, the board certainly afforded us the time to demonstrate our genuineness.
The CEO knew me from his days at Rio Tinto and, presumably, valued my risk knowledge as offsetting my lack of familiarity with corporate culture. The most common question I was asked in my first days at Newcrest was “How do you think you’ll go working for an operating company instead of a consulting firm?” To be honest I didn’t understand the pertinence of the question, but it didn’t stop me answering “No worries, I think I’ll manage just fine”.
Over the forthcoming months I came to realise just how much I didn’t know about ingrained behaviour patterns at all levels of a large organisation. I never once came across a line manager who said he didn’t believe in risk management, and I probably never met one who genuinely did. The big challenge here, then, was to move out of the zone of corporate political correctness and into a zone of genuine debate with eight or 10 key players.
To this end I used statements like “Much of what is done in the name of risk assessment is a waste of good resources” and “I’m going to ask you to do better risk assessment and pay for that by making sure you assess a lot fewer scenarios” to create a minor shock element when entering debates. The idea of a risk manager saying a lot of risk assessment is rubbish, or that sometimes we undertake too many assessments, seems to open the ears better than any other tactic I’ve tried over the years.
The CEO and I had agreed no amount of leadership or back-up by him was going to result in a winning outcome unless we could show the effort paid its way in reduced losses and by capitalising on the occasional lucrative opportunity. But his support did give me the opening for one genuine effort at getting a meaningful system up and operating.
Before going on to describe how we did things at Newcrest, I’d like to hypothesise on what I might have done had the CEO not been a true believer – a situation many people may find themselves in. If I want to break out of the cycle and I don’t have deep management support then I believe I’d tackle the ‘insufficient time’ step by asking to pilot a good risk assessment/management process on the organisation’s biggest single worry.
The presumption here is that the management will afford you good resources and time if you claim you can substantially reduce their concern over this issue. Given the time, you need to carefully select the tools and conditions that are going to give you the outcome you need. Of course, this is a once-off opportunity and you’d want to be very comfortable with your selection of facilitator.
I feel the slowest and hardest route, unfair though it may seem, is to describe the benefits of a good process and hope that wins the day for you. I’ve certainly tried over the years on behalf of others and, without prior management support or an urgent need, I’ve almost always failed.
What constitutes a good process?
I believe a sound risk management framework will have the following components:
1. Ability to assess all scenarios for risk value.
2. Predetermined criteria to define whether further assessment is necessary.
3. Ability to undertake in-depth risk assessment for risks above criteria.
4. Clear guidelines on what level of management is required for sign-off.
5. The ability to follow up on commitments.
We committed to quantification of risk in order to get far greater clarification on where to apply resources effectively. A single box on the risk matrix will include a range of risks more than an order of magnitude different in scale. We were very keen not to consider those risks as equal when it comes to spending risk management dollars.
As we had committed to quantifying risk at the in-depth assessment stage, we developed a screening tool that was not only swift to use (ie comparable to matrix assessment) but gave quantified values that were in the same units as the more advanced tool. Units were loss per unit of time and we found it quite easy to establish a screening assessment that gave multiple choice answers for a range of questions. Some simple sums in the software would turn the multiple choice selections into a risk value for users.
It took only a few weeks to develop the tool in-house, get feedback from users and build it into a simple computer application. We’ve found the results are generally skewed towards high risk values, but acceptably so. Generally, scenarios that exceed the value for in-depth assessment and are submitted to SQRA tend to have their risk value reduced as a result of applying the more considered process.
A series of definitions of “material impact” was devised, covering monetary and sustainability impacts. All hazards that had a credible material impact were to be assessed using SQRA.
SQRA is a risk process that covers the following steps: (The descriptions given relate to the SQRA package but the objectives of each step can be met without purchasing that software.)
• Understand the dynamics of the scenario by identifying all causes, controls and pathways prior to the initiating event/incident and afterwards. (SQRA uses the bowtie approach to model the dynamics.)
• Calculate the risk by breaking the overall picture down into bite-sized chunks that together provide values for the frequency of things starting to go wrong, the probability that that initial incident will continue on to become a material outcome and the likely spread across a range of escalating material outcomes.
• Utilise the risk value and the bowtie diagram to identify the most critical controls. This is done by distributing the overall risk value to each pathway on a percentage basis and the software indicates which pathways have critical controls within them.
• Probe the critical controls for weaknesses using a series of prompts, listing shortcomings and potential improvement areas. Then carry out cost-benefit (ratio of cost to reduction in risk) analysis to decide whether the actions you are considering are the smart place to commit your resources.
• Provide action tracking for the committed actions. Many a good risk management opportunity has been wasted by insufficient focus after the assessment. Our software provider has been admirable in their preparedness to tailor their software to accept our inputs yet retain their reporting and tracking capabilities.
The concept of three levels of material risk was introduced. Category 1 would involve material loss (a preset dollar or ethical value) that wasn’t a threat to the company or any single operating centre’s viability. Responsibility for risk management lies with line management and oversight is provided by my department.
A category 2 loss could impact an operating centre substantially, with some knock-on to the company performance. Again, line management retains responsibility for the assessment and management of the risk, but has to convince the executive management team that the scenarios are being well-managed.
Category 3 risks have the potential to seriously impact the company’s financial viability and/or reputation and would require in-depth review by the relevant executive general manager (and sometimes the entire executive team) and be noted and discussed at the next meeting of the board’s audit and risk committee.
In-depth assessment will take place on all material risks, although we are tackling this over a period of time starting with the highest risks from the screening process. In less than a year we have carried out in-depth assessments on the top 50 scenarios.
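As an added illustration of the two-stage process described above (the screening tool in loss per unit of time, the three material-risk categories, and the SQRA steps of breaking a bowtie into pathway frequency, escalation probability and outcome spread, distributing the risk value across pathways to find critical controls, and comparing actions by cost-to-risk-reduction ratio), here is a Python sketch. It is not the Newcrest screening application or the SQRA product; every answer band, dollar threshold, scenario frequency, control failure probability and action cost in it is a constructed placeholder.

```python
# Added worked example: two-stage quantified risk assessment (rapid screening,
# then an in-depth bowtie). Not the Newcrest screening application or the SQRA
# product; every band value, threshold, frequency, probability and cost here
# is a constructed placeholder.
from dataclasses import dataclass, replace

# Stage 1: screening. Each multiple-choice answer maps to the top of its band,
# so screening values are deliberately conservative (skewed high).
FREQUENCY_BANDS = {"several times a year": 10.0, "about yearly": 1.0,
                   "once a decade": 0.1, "once a century": 0.01}  # events/year
ESCALATION_BANDS = {"likely": 1.0, "possible": 0.3, "unlikely": 0.1}  # P(material)
CONSEQUENCE_BANDS = {"minor": 1e5, "moderate": 1e6, "major": 1e7, "severe": 1e8}  # $
# Constructed $/year thresholds: below the first a scenario is not material;
# the three steps above it are the article's categories 1, 2 and 3.
CATEGORY_THRESHOLDS = (1e6, 1e7, 1e8)

def screen(frequency: str, escalation: str, consequence: str) -> float:
    """Screening risk value in dollars per year (same units as the bowtie)."""
    return (FREQUENCY_BANDS[frequency] * ESCALATION_BANDS[escalation]
            * CONSEQUENCE_BANDS[consequence])

def category(risk_per_year: float) -> int:
    """0 = not material (no in-depth assessment), otherwise category 1, 2 or 3."""
    return sum(1 for t in CATEGORY_THRESHOLDS if risk_per_year >= t)

# Stage 2: bowtie. One Pathway per cause on the left, through its controls,
# to the spread of outcomes on the right.
@dataclass
class Pathway:
    cause: str
    frequency: float             # initiating events per year
    control_failure_probs: list  # per control: probability it fails on demand
    outcomes: dict               # name -> (share of escalations, dollars lost)

    def escalation_prob(self) -> float:
        """Every control on the pathway must fail for the event to escalate."""
        p = 1.0
        for q in self.control_failure_probs:
            p *= q
        return p

    def risk(self) -> float:
        """Frequency x escalation probability x expected cost across outcomes."""
        expected_loss = sum(share * cost for share, cost in self.outcomes.values())
        return self.frequency * self.escalation_prob() * expected_loss

def assess(pathways: list) -> tuple:
    """Total risk value and each pathway's fractional share of it."""
    total = sum(pw.risk() for pw in pathways)
    return total, {pw.cause: pw.risk() / total for pw in pathways}

def critical_pathways(shares: dict, threshold: float = 0.2) -> list:
    """Pathways carrying at least `threshold` of the risk hold the critical controls."""
    return [cause for cause, share in shares.items() if share >= threshold]

def cost_benefit(pathway: Pathway, extra_control_fail_prob: float, annual_cost: float) -> float:
    """Cost-to-risk-reduction ratio of adding one control; below 1.0 it pays for itself."""
    improved = replace(pathway, control_failure_probs=(
        pathway.control_failure_probs + [extra_control_fail_prob]))
    reduction = pathway.risk() - improved.risk()
    return float("inf") if reduction <= 0 else annual_cost / reduction

def tailings_example() -> dict:
    """Constructed scenario: release from a tailings storage facility."""
    pathways = [
        Pathway("extreme rainfall", 0.5, [0.1, 0.2],
                {"contained release": (0.7, 2e6), "uncontained release": (0.3, 5e7)}),
        Pathway("decant pump failure", 2.0, [0.2, 0.5],
                {"contained release": (0.9, 2e6), "uncontained release": (0.1, 5e7)}),
        Pathway("embankment seepage", 0.05, [0.5], {"uncontained release": (1.0, 5e7)}),
    ]
    total, shares = assess(pathways)
    return {
        "screening": screen("about yearly", "possible", "major"),  # 3.0e6 $/yr
        "total": total,                                              # 2.774e6 $/yr
        "shares": shares,
        "critical": critical_pathways(shares),
        "category": category(total),
        # The same constructed $250k/yr spend on two different pathways.
        "cb_pump": cost_benefit(pathways[1], 0.2, 250_000.0),        # ~0.23, worth it
        "cb_rain": cost_benefit(pathways[0], 0.5, 250_000.0),        # ~3.05, not worth it
    }

if __name__ == "__main__":
    for key, value in tailings_example().items():
        print(f"{key}: {value}")
```

The two cost-benefit calls make the point of the SQRA cost-benefit step: the same annual spend cuts far more expected loss on the pathway that carries most of the risk than on the low-share pathway, and the screening value (3.0 million per year) sits above the bowtie result (about 2.8 million per year), which is the direction of skew the text describes. Because both stages report in dollars per year, the category thresholds can be applied to either without conversion.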
Key learnings in the first year
Framework and tools
In regard to the Newcrest risk framework, we seem to have got it about right. The concept of rapid screening followed by in-depth assessment has struck the appropriate balance between quality and resource demand. However, it was still essential to cut back the sheer number of assessments to make the value equation work. This wasn’t all that difficult because, like most organisations I’ve worked in over the years, Newcrest was wasting too much effort through ill-disciplined identification of scenarios. Commonly, exposures overlapped each other, and on a number of occasions people were carrying out assessments on causes or control failures rather than on hazardous scenarios.
I strongly advise CROs to consider the enormous benefits of risk quantification of at least the top percentage of risks. Clear prioritisation of scenarios, help in the identification of key controls, ability to carry out simple cost-benefit analysis, and the ability to demonstrate ALARP (as low as reasonably practicable) all flow from quantification.
When considering quantification, I suggest the first stop is for enterprise risk managers to take a hard look at some of the more advanced safety and reliability risk management processes. While these approaches are often branded too complex or not sensitive to the needs of business risks, I suggest this conclusion comes out of laziness, ego or even fear that it might be too complex. There is also real validity in the claim that it is too time consuming. However, none of these are adequate excuses for not taking the best of what those processes have to offer and turning them into leading enterprise risk management processes.
Of course, none of this discussion on quantification of risk is to dismiss the value of Monte Carlo modelling or consequence modelling tools as very strong components of the risk manager’s toolkit.
Building a risk management culture
Of course, winning hearts and minds is a key hurdle, especially when the organisation had been through a major program of risk assessment in 2005–06 that the various departments had decided “showed us nothing we didn’t already know”. In our first 10 months we have arrived at a situation where about 40 per cent of the business would continue enthusiastically with the risk program even if the company said it was optional. In other words, I believe we are about 40 per cent along the road to where we need to be. Nevertheless, it took a lot less time to capture the second 20 per cent than it did the first and I fully expect to be at around 80–90 per cent before the end of 2007.
It takes some time to convert department and site managers into believers in good risk assessment given a myriad of distractions. As a result, all of our managers are being accelerated along this path by having them present to the executive committee on their risk profile and answer questions about it on a regular basis. In all honesty, line management’s ownership of their registers is now an order of magnitude higher than it was when I joined the company.
There have been some significant organisational modifications to bring about change. First of all, my role reports directly to the CEO for the first time in Newcrest’s history. I have split the technical excellence and assurance function in relation to risk management by having a group manager for risk and a group manager for assurance. The former is responsible for managing the risk framework and establishing technical excellence in this area and the latter is responsible for monitoring and auditing that line management and the group manager for risk actually do what they commit to doing.
The group manager for risk leads a functional lead team and has a reference group for risk across the business. The lead team is made up of risk champions in the various areas of the business. These people do not have risk as their primary responsibility, but they have been trained in the risk processes we are using and are all on the road to becoming proficient facilitators. We are over half way to a point where the only time we will call on a consultant is to cover a temporary overload. We have already started carrying out risk assessment facilitation with in-house resources and will be in total control of our own destiny within a few months.
The reference team is made up of managers or senior professionals from each operating centre. They are selected for their strategic thought processes and influence within their area of the business. It is the job of this team to embed risk management into the psyche of Newcrest managers to a point where they manage their business generally using risk-based decision-making principles (but not necessarily in a formal risk assessment sense).
Board and management interface on risk
We will finish this article where we started, with my corporate virginity. It never occurred to me that having a good handle on risk would cause such debate on the respective roles of the board and management, but it did.
Principle 7 in the ASX Principles of Good Corporate Governance and Best Practice Recommendations can be a little blurry on the board’s role and is likely to become more so. Legislation and regulation in regard to managing occupational health and safety risk is even more confusing in regard to the role of the board. As your organisation’s risk maturity increases, it becomes critical that the separation of management and board responsibilities is clear.
The following clarifies the separation of board and management activities in regard to our category 3 risks:
The board shall be responsible for ensuring due process has been undertaken but will not be responsible for the technical performance of the assessment or the detail of the resultant risk management plan. In other words:
• The board shall note the risks that are considered material by management and satisfy itself that management have subjected the risks to assessment in compliance with the company’s risk framework. The board will look for assurance from management that a comprehensive action plan to manage risks to as low a level as is reasonably practicable has been developed and will be implemented in the scheduled timeframe.
• It is not the responsibility of the board to verify the technical integrity of the assessment (although it might direct this element into an internal audit process) or the extent to which the action plan addresses all substantial exposures. This recognises that the board doesn’t have the technical expertise to undertake this role and the responsibility must therefore rest with management.
In just 10 months with strong management and board support for a comprehensive, enterprise risk management system, Newcrest is in substantially greater control of its destiny than it has ever been in the past. We confidently expect fewer surprises in relation to financial management, production, sustainability and consequently our reputation in the future.
While risk cannot be totally removed and there is always the chance that the gods will be against us, we genuinely believe that our efforts in the last year to establish a powerful risk management framework within Newcrest will result in our stakeholders concluding that Newcrest is a world-class business – running on all cylinders.
Professor Tony Pooley is head of safety, environment and risk at Newcrest Mining Ltd
This article is based on his address at Risk Management magazine’s recent conference in Sydney