Fabrizio Rotundi

ESS Modernisation Workshop

Management challenges in Modernisation Processes

(Bucharest, 17 March 2016)

Page 2Fabrizio Rotundi

Agenda

Change Management: From the Approach to the Process

Risk Management Framework and Process

Focus on Integration with Quality in Statistics

Risk Management in action: Institutional Practices and on-going Projects

Page 3Fabrizio Rotundi

Reactions to Change People going through change experience a variety of emotional and cognitive states that

take up some time. Transitions typically progress through a cycle of reasonably predictable phases within the

“Self-efficacy” process that is a key cognitive process identified by the psychological socialtheory for the analysis of human behavior, aiming at efficiently guiding the individualcognitive, social, emotional and behavioral “sub-abilities” to fulfill specific purposes.

Self-efficacy

Time

SHOCK !

DENIAL

DEPRESSION

LETTING GO

TESTING

CONSOLIDATION

INTERNALIZATION,AND LEARNING

Page 4Fabrizio Rotundi

Managers must follow a specific behavior to make change successful and overcome barriers:Identifying the opportunities and threats that require attention (Sense making);Identifying what needs to be done to move towards a better future (Visioning);Communicating the vision (Sense giving);Promoting shared sense of direction (Aligning);Removing obstacles and creating the conditions to empower people to change (Enabling);Recognizing the concerns of those affected by the change (Supporting);Demonstrating that they are prepared to change their behavior (Sustaining the change).

STATE POTENTIAL CHANGE DERAILERS CRITICAL SUCCESS FACTOR

Poor Vision of the Future.

Cultural Resistance to Change.

Lack of a sponsor/commitment

Lack of recognition for the need to continuously change.

Excessive Bureaucracy.

Lack of Competencies.

Poor follow through.

Lack of access to technology.

Lack of time.

Lack of performance metrics.

Lack of Synergy.

Lack of commitment to funding and/or resources.

Lack of knowledge/learning in a change process.

Lack of training.

INTERNALIZATION AND LEARNING

Stakeholder Collaboration, Empowerment, and Engagement • Addressing stakeholders systematically and iteratively, planning and monitoring and correcting for changes. • Performing change “with” rather than “to” people, ensuring those impacted by the change see the need for change.Formalize Philosophy and Policy of Change Management• Providing strong sponsorship for leadership, resources, and support of the change initiative.• Establishing a culture for change management by writing policies or incorporating change statements into the vision and mission. • Building a common change vocabulary.

Time for Acceptance into the Change Life Cycle Framework• Building in flexibility. • Allocating time into the project/program to ensure that the foreseen or emergent resistance will not impact the project schedule.System Alignment with the Change Initiative• Creating a clear description and measures for a successful future state. • Ensuring all supporting systems work effectively and efficiently together. • Scaling change management activities to the extent, complexity, and speed of the change. Identifying, Selecting, and Developing Change Management Competencies• Changing management competency program.• Developing employees. Focus for the Change Initiative• Building communication assets: models, methods, and requirements methods. • Clearly communicating the change vision early outlining the benefits and impacts of the change. • Ensuring that the organization’s leaders actively communicate throughout the change process. • Providing opportunities for dialogue and true representation to promote a sense of ownership.• Monitoring and measuring the effectiveness of the communications.

Develop and Deploy Change Management Measurement Processes and Tools• Measuring the success of change and determining what existing organizational indicators are in place for measuring change. • Capturing and sharing lessons learned retaining them in a knowledge management repository.

SHOCK

DENIAL

DEPRESSION

POOR FOLLOW TROUGH

TESTING

CONSOLIDATION

Page 5Fabrizio Rotundi

Change is GOOD (!?!)

Before embarking on organizational change, it is important to assess:

What do we want to achieve with this change?

How will we know that the change has been achieved?

Who is affected by this change?

How will they react to it?

How much of this change can we achieve ourselves?

What parts of the change do we need help with?

Page 6Fabrizio Rotundi

Organizational ChangeChange must be realistic, achievable and measurable and change effortsshould be geared and managed to improve performances and alignpeople, processes and culture with changes due to different culture, risk-taking, risk-aversion, openness to change, innovation, etc..

Managing changes not only helps organization ensure that thetransition being implemented is successful, it also helps managersdiagnose risks with the transition, before they become unbearable.

‒ is a comprehensive, cyclic and structured approach to transitioningindividuals and organizations from a current to a desired future state;

‒ helps organizations drive their strategy through portfolio, program,and project management;

‒ offers a standardized method that efficiently evaluates the potential positive and negativeimpact of change;

‒ aims at applying a systematic approach that helps "the change" be successful supporting theindividuals involved, addressing resistance and developing knowledges.

“Change management”:

Page 7Fabrizio Rotundi

Among the others, some theories embrace the holistic approach to change:

Change Process Theories

All those theories view change as a series of interconnected events, decisions and actions, but thesequence of stages whose direction is constructed is considered in a different way: Teleological and Dialectical theories: change trajectories is predetermined, but goals and steps

taken to achieve goals can be changed at the will of those involved in the change process. TheMcKinsey 7S model belongs to this kind of theories.

Life cycle and Evolutionary theories: change is a predetermined process that unfolds over time ina specified direction. These theories include the Kotter's integrative model.

3. Life cycle, change is a process that progresses through a necessary sequence of cumulative stages,each of them contributes to the final outcome.

1. Teleological: organizations are purposeful and adaptive, andchange is an unfolding cycle of goal formulation, implementation,evaluation and learning.

2. Dialectical, focusing on conflicting goals between differentinterest groups and explaining stability and change in terms ofcomparison between the opposing entities.

4. Evolutionary: change proceeds through a continuous cycle of variation, selection and retention.

Page 8Fabrizio Rotundi

Change and Risk Management StandardsITIL V.2 & V.3 (Information Technology Infrastructure Library) and COBIT V. 4.1 & 5.0(Control OBjectives for Information and related Technology) aren’t formal standards butframeworks for good practice in IT Service Management.

These describes processes, procedures, tasks not organization-specific but applicablefor an integrated strategy to maintain a suitable level of quality and competency in theService support processes optimizing risk levels and resource use.

ISO/IEC 20000:2011 (ITSM – IT Service Management) & ISO/IEC 27001:2013 define a set ofrequirements against which an organization can be independently audited and, if theysatisfy those requirements, focusing on goals rather than outputs, can be certificated.

They establish high-level objectives for change management to ensure the implementationof strategies through actions for mitigating risks associated with ineffective controls.

sets the practices, processes and disciplines to guide executives in managingchange providing practitioners from different fields such as organizationaldevelopment or human resource management;

The PMI’s standard illustrates how portfolio, program, and project management help organizations developthe effective practice of change management so that strategy can be executed reliably and effectively, and:

describes the change life cycle framework that reflects the portfolio, program and project managementprocess and its purposes and demonstrates resilience resulting from unforeseen changes.

Page 9Fabrizio Rotundi

Change Life Cycle Framework

3. Implementing the change by preparing the organization for change, mobilizing the stakeholders, anddelivering project outputs. Planning, implementation, and transition processes are overlapping due tochange implementation is an iterative process.

4. Managing the change transition by transitioning the outputs into business operations, measuring theadoption rate and the outcomes and benefits, and adjusting the plan to address discrepancies.

Process model of change are based on teleological and dialectical theories.The model conceptualizes the change management as a purposeful, structuredbut often discussed process that comprises 7 core activities:

1. Formulating the change consists of: Identifying/clarifying need for change;Assessing readiness for change; Delineating scope of change

5. Sustaining the change on an ongoing basis through: Ongoing communication, consultation, andrepresentation of stakeholders; Conducting sense-making activities; Measuring benefits realization.

6. Communicating the change. Managers should give sufficient attention to communication and other issues,such as: establishing different goals and priorities; trust; motivation and commitment; support for thosewho will be affected by the change.

7. Learning from the experience helps people’s modify their behavior in order to improve performances.

2. Planning the change by defining the change approach and planningstakeholder engagement as well as transition and integrating people,processes, technologies, structures, and cultural issues into the overallportfolio, program, or project plan.

Page 10Fabrizio Rotundi

Change, Risk and Project ManagementChange management is interconnected with Risk management: Innovation requires risks so everychange strategy comes with its own levels of risk; changes can be made less risky if they are adequatelyreviewed, assessed, and coordinated adopting a proper risk management process.

The relationship between Risk and Changemanagement is characterized as having circular nature:

• Change Management acts as a subsystem of Risk Management; the actions aiming at reducing thelikelihood of incoming risky events are themselves changes.

• Risk Management identifies criticalities in changingprocesses and plans fitting response activities tominimize risk of failure both during and postimplementation phases.

Risk Management

Process risk/criticalitydetection

Response action planning= CHANGE PLANNING

Criticality reduction/elimination

ChangeManagem

ent

Change impact assessment

Change risk reduction

Organization improvement(next point)

Starting point

(«understanding and controllingthe exposure to hazards»)

Project management aligns the organization’s components through the implementation of: Portfoliomanagement that optimizes, oversees and selects concurrent organizational initiatives and Programmanagement that defines a set of expected benefits and their transition into the business.

RM is a part of the wider cycle of CM as well as CM isa component of the RM’s cycle.

Page 11Fabrizio Rotundi

Risk Definitions and StandardsRisk is the effect of uncertainty on objectives, where an effect is adeviation from what is expected (positive and/or negative), oftenexpressed in terms of a combination of the consequences of anevent (including changes in circumstances) and the associatedlikelihood of occurrence.

The Co.SO. Model is a multidimensional standard upon which a RiskManagement system stands. It develops along three sides of the cube:1) Objectives; 2) Organization; 3) Process

Among the others (more than 60!), main used standards are:

ISO 31000:2009: Risk Management Principles and Guidelines

ISO/IEC 31010:2009: Risk assessment techniques

ISO TR 31004:2013: Guidance for the implementation of ISO 31000:2009

AS/NZS4360:2004: Australia/New Zealand Risk Management Standard

COSO Model 2004/2013 that defines Enterprise Risk Management “... a process effected by an entity’sboard of directors and management, applied in strategy setting and across the enterprise, designed toidentify potential events that may affect the entity, and manage risk to be within its risk appetite, toprovide reasonable assurance regarding the achievement of entity objectives.”

[AS/NZS 4360:1999, ISO 31000:2009, ISO Guide73:2009, definition 1.1, COSO ERM – IF/IC 2004].

Page 12Fabrizio Rotundi

Risk Complexity

• Risk Appetite, which could be expressed either qualitativelyor quantitatively, maybe in terms of ranges, and exploredgoing through the impacts of past events and the reactionsof key stakeholders (customers, employees, regulators, ..).

• Risk Perception, which describes how people perceive risks according to their values and interests

• Risk Tolerance, which is the level of variation that the entity is willing to accept around specific objectives.

• Risk Retention considers stakeholders’ conservative return expectations and a very low appetite for risk-taking.

Risk Profile is the set of risks that could affect all or part of an organization. It results from a comprehensiveprocess that: concerns risk information from several sources; reflects recommendations from managers;envisages a risk questionnaire, revised guidelines, clearer definitions of risk sources and communication strategy.

• Risk Attitude. (Existing Risk Profile). If an organization isparticularly effective in managing certain types of risks, itmay be willing to take on more risk in that category,conversely, it may not have any appetite in that area.

• Risk Acceptance, which refers to the maximum potentialimpact of a risk event that an organization could withstand.Often, appetite will be well below acceptance.

Risk Profile takes into account:

Page 13Fabrizio Rotundi

investigating four dimensions:I. the risk perception compared to the activities

of each manager;II. the risk perception in the Institute as a whole;III. the maturity of the control environment in

the structure leaded by each manager;IV. the maturity of the control environment in

the Institute as a whole

ISTAT launched a survey on risk perception involving Top and Executive Managers,carried out trough a questionnaire: composed of about 70 questions and divided into four sections:

1. Internal control environment and organizational culture;2. Objectives of the organization and Risk Management;3. Identification and classification of risk factors;4. "Cataloging" risks

Risk perception analysis in ISTAT

Page 14Fabrizio Rotundi

The Risk Management System – ISO 31000:2009According to the ISO 31000:2009, Risk Management refers to the architecture used to manage risks.This architecture includes Principles, Framework, and Process.

Page 15Fabrizio Rotundi

Top-down and Bottom-up approaches

Three different approaches can be followed in managing risks:

A. Top-Down-approach: the decision making process iscentralized at a government body-level. This approach canput in place in 2 ways: a) Full top-down: the business units’risks are listed at department level so heads of units cannotadd risks themselves; b) Prevailing top-down: the corporaterisk register comes from a detailed operational risk register.

B. Bottom-Up approach: the decision making process is located at management level.Operational risks are identified by any staff member while performing his/her dailywork, in order to encourage the staff to be more active in defining non-conformities.

C. Mixed approach: the board entity states the criteria (top-down) by which the heads ofunit identify and manage risks (bottom-up). Risks may be viewed and assessed at anylevel of the organization.

The selected RM approach impacts on the Hierarchy of Risks.

Page 16Fabrizio Rotundi

Risk Hierarchy

1. Enterprise Risks, strategic and significantly impacting on the organization.Management them is crucial for the long term viability. They are assessed and treatedby the Executive Managers, responsible for monitoring their implementation.Examples are: Regulatory and compliance risks, global financial shocks, agingconsumers and workforce, emerging markets .

The hierarchy of risks is related to the different levels of risks:

3. Project Risks, impacting on the project objectives and outcomes. They are managed bythe project risk manager and where appropriate will be addressed as part of the ProjectManagement Framework. Examples are: Project scope poorly defined; Resources notavailable when required; Quality requirements not clearly specified.

2. Operational Risks, impacting on a program's objectives and/or outcomes; they areassessed and managed by the line managers. In considering them, they should takeinto account the enterprise ones. Examples are: Inappropriate skills mix; resourcesreduced due to budget cuts; outputs not delivered on time; poor quality outputs.

Page 17Fabrizio Rotundi

Roles and Accountabilities1) All staff are responsible for an effective management of risks including identification of any potential risks;

3) An Office is dedicated to the coordination of themanagement process and risk analysis,"impartial" with respect to other structures,supporting the highest level of decision making;

4) The Risk Manager is responsible for:collaborating with Top Management both inidentifying high risk areas related to strategicand business processes and in planningtreatments to mitigate corporate risks;

5) The Risk Committee defines the RiskManagement policy; it is coordinated by theRisk Manager and composed by the topmanagers operating in the most risky areas;

6) Chief Statisticians and Governing body definethe strategies based on the information comingfrom the RM System;

7) The Internal Auditing is responsible for reporting to the Governance on the adequacy of the RM processand the compliance of the mitigating actions.

2) Risk management is driven by the organizational units;

Page 18Fabrizio Rotundi

Risk Management Framework Integrated with Quality of StatisticsStatistical risks are events that potentially could impact on productionprocesses and/or integrity and quality of statistical data. Ex. “statistics that arenot considered by users as fit for purpose which includes, but is not limited to,time series that are not coherent” (Planned changes to systems, processes,methods, data & resources availability or quality).

At operational level, statistical risks can be identified separately by Risk Management and then integratedinto the Quality management framework because of their close connection: a) Quality managementassesses if the original requirements (ISO 9001:2015) are met or corrective actions need to beimplemented; b) Risk management identifies threats that can effect Quality objectives.

The Australian Bureau of Statistics (ABS) has instigated better quality managementpractices by the risk management strategy to mitigate the Statistical Risk that one ormore of the statistical process components fail to meet the quality standard expectedor the data integrity requirement.

The RM integrated approach has been developed as a part of the Internal Control Framework whichcomprises different kind of risks (Strategic, Statistical, Change, Operational & Compliance, Financial, WorkHealth & Safety) associated with Statistical Risk Appetite.

This strategy is based on the risk assessment through the quality gates composed of: Placement, Roles,Actions, Evaluation, Tolerance, Quality Measures (ex. frame size, n. units, units rotated in/out of a sample).

Page 19Fabrizio Rotundi

ISTAT’s Risk Management System: From the project to the process

2009 2010 2011 2012 2013-2014 2015-2016

Project launched Approach trialExperimental

phaseExperimental

phaseFull

implementationDevelopments

Analysis and comparison of practices and models

Identification of appropriate approach

Establishing ISTAT’s RM model

Pilot and rollout of risk management approach

RM training and dissemination

Creation of a risk registers

Risk assessmentRM training and

dissemination

Revision of a risk registers

Identification of risk treatments

RM training and dissemination

Integration w/ operational planning

Risk treatments monitoring

InformationSystem start up

From the bottom-up to the top-down vision

Adapting model to Risk of Corruption

Cooperation in International projects

Dissemination

The project developed following some parallel but related paths:

1. Organization: Both the President and the Directorate general endorsed and sponsored the project. Abusiness unit was involved in implementing and coordinating risk management system

2. Training and dissemination program in order to improve management culture and promote a commonlanguage and understanding throughout the organization

3. All Risk Management process has been implemented

4. Information System has been developed to support the process

5. Change of perspective: Bottom-up/Top-down mixed approach

Page 20Fabrizio Rotundi

ISTAT’s Risk Management - Bottom-up & Top-Down approaches

Corporate risk selection considers: Ability to monitor a risk treatmentsthrough specific indicators; Organizational sustainability; Quality of theCross-cutting risk treatments; Belonging to “priority intervention areas”.

From 2015 on, the previous bottom-up approach is being integrated with a top-down one in order toenhance quality and significance of the information contained in the registers.

Organizational risks are identified by accountable managers and then gathered in strategic categories(corporate risks), in order to be assessed, treated and monitored.

The risks were assessed by the same personnel who identified themwith the C&RSA method to measure likelihood (occurrences in the last 12months) and impact a) Organization (delay, extra workload); b)Reputation, c) Higher costs.

According with the Top-Down perspective, risks have beendramatically decreased from 359 events of the experimentalphase, to 111 in 2015; about 18% are "Corporate".

Also the Risk treatments have been reduced, from 450(2013) to 128 measures (2015); about 19% are associatedwith “Corporate“ risks, monitored by proper output andperformance indicators.

Page 21Fabrizio Rotundi

In 2015, the Committee for the European Statistical System implemented the strategicdirections “ESS Vision 2020” to redesign by 2020 the statistical production methodsthrough a system based on the use of new data sources, standardized methods for thestatistical production process, interoperability and reuse of data and tools.

Risk Management Institutional Activities: ESS 2020 Vision

According to this Vision: Risk identification, analysis and management help NSIs anticipate and remove theobstacles that may prevent the achievement of the strategic objectives.

Three levels of risks associated with the ESS Vision 2020 have been identified:

2. Portfolio management risks, associated withthe projects portfolio as a whole.

1. Risks associated with implementation of theESS Vision 2020 whose common strategicundertaking requires: capability; financialinformation; ownership and commitment;communication within the system and withthe stakeholders.

3. Project related risks identified inimplementing the ESS projects portfolio.These refer to the specific "business" or"infrastructural" categories of the ESS Vision.

1. Lack of common understanding on the strategic aims

4. Lack of coherence among national and ESS modernization programmes

5. Different maturity of national statistical systems regarding the ESS aims

6. Underestimation of the role of communication in implementing ESS 2020

14. Wrong identification of dependencies among projects in the portfolio

15. Affordability of the portfolio

16. Lack of timely availability of skills and human resources

19. Different legislative systems/lack of common EU legislation

20. Lack of a precise cost-benefit assessment

21. Improper project management

Fabrizio Rotundi

UNECE’s project for developing Risk Management practices among NSOs

Dec ‘14

May ‘15

Template

Benchmark analysis

Tuning practices

Guidelines

Nov ‘15

Apr ‘16

Page 23Fabrizio Rotundi

From the Surveys towards the Guidelines In 2015 survey has been carried out to analyze to what extent Risk management systems are

adopted among NSOs and international organizations members of UNECE in order to define criteriafor identifying best practices.

13 countries were selected as the most interesting practices for an in-depth analysis according tosome Items representing consistent sets of significant features for analysis and Parametersto allocate the countries among the Low-Medium-High levels.

The main points highlighted by the data analysis were:

- corporate risks lower than operational ones;

- the occorrrunces of corporate risks varies depending on the riskpolicy (top-down vs bottom-up approach)

- statistical risks are the majority, followed by organizational risks

- other risks related to: financial, ITC, reputational, security

The analysis has allowed theidentification of the RiskManagement practice mostsuitable to the NSOs that isdescribed in the Guidelines.

Page 24Fabrizio Rotundi

Thank you for your attention !!!

Fabrizio ROTUNDI

rotundi@istat.it

fabrizio.rotundi@gmail.com