Supply of SQEP Risk Management workforce for Enterprise Risk Management (ERM) capacity building at National Nuclear Laboratory (NNL)

About National Nuclear Laboratory (NNL)

Since 2008, NNL have been providing independent advice to the UK Government and working with other National Laboratories (NNL) around the world as well as delivering a full range of research and technology to support the nuclear fuel cycle. NNL is owned by the UK Government’s Department of Business, Energy, and Industrial Strategy (BEIS).

Key deliverables for the work package were as follows:

Integration structure and framework; covering Governance, risk infrastructure, competency, and capability requirements.
3 Lines of Defence (LOD) Assurance reviews on the NNL’s risk management, governance, and internal control processes.
Laying foundations for implementation of enterprise risk management tool (ARM).
Contract Management during delivery via ISO9001 quality checklist and Quarterly interviews.

What issue were you trying to solve?

Project challenges

NNL’s team had grown significantly and so was a need to ensure that new team members were aware of and engaged with work required to improve NNL’s risk management capability. Also, the biggest challenge was attaining the business agreement and approval for the use of ARM as the enterprise risk management tool due to concerns related to IT security and Data Protection.

Development and inputting of configuration data sets to be used in Active Risk Manager (ARM) to provide a consistent enterprise-wide Risk Management system and capability whilst maintaining current practices to deliver risk management support to ongoing projects.
Input to and creation of an improved set of processes, procedures, guidance, and training documents to ensure that risk management requirements are understood, and are embedded within working practices, and can be quality assured.

What did you do? Who did you involve in finding a solution? Were other BECBC members involved?

Key accountabilities of Risk Managers to overcome these challenges.

Maintained visibility of risk/opportunity trigger points to facilitate risk cost profiling, timely draw down of risk budget or retirement or realisation of risk/opportunity, along with assessing the post mitigation scenarios.
Worked with Supply Chain Managers to assess 3rd-Party Sub-Contractor held risks, and their views on the program held risk that impact upon them.
Designed, and produced risk-based reports to support the effective communication of the risk and opportunity status and monitor identification and closeout of program level risks.
Lead on supporting Project teams to maintain detailed risk registers.
Ensuring that Key Risk Indicators (KRIs) are clearly defined, documented, and regularly reviewed.
Reporting latest risk positions and mitigations to stakeholders through governance reviews.
Undertook periodic quantitative/qualitative Schedule Risk Analysis (SRA) quality assurance.
Provided risk identification/ assessment training to support the program management team
Identified areas of Learning from Experience (LFE), best practice / improvements for sharing and possible incorporation in the Risk and opportunity Management strategy, policies, procedures, and plan.

Our risk maturity key outcomes:

Integrate other functions with the risk function to enable identification, management, and reporting of risk in line with the overarching risk management process.
Process mapping, including roles and responsibilities, to detail how, and when, function specific risk information should be reported as part of standard reporting to determine the risk profile appropriate for that business unit (e.g., Group risk through to Project risk).

What happened as a result?

The Approach

Develop understanding of current processes and practices to identify areas for definition/ improvement to meet the requirements of risk management standards and the planned implementation of Enterprise Risk Management (ERM) software within the Defence and Delivery Operations portfolio’s.
This included identification/ definition of complimentary process such as Assumptions Management, Issues Management etc.
Working with key stakeholders to identify areas of improvement of current documents, defining and drafting configuration lists/ data required to make effective use of the planned ERM tool ARM for presentation, discussion, approval, and implementation.
Socialisation and training of planned key users of ARM to ensure that they understood the functionality of the potential risk software to get their buy-in and approve configuration data.
Defined and drafted complimentary process documents (assumptions & issues) for discussion with the wider PMO teams to agree the need and identify who/ how these could be done and the links to the risk management process.

The Result

Updated and approved processes & procedures for risk management.
Risk team familiarisation and training in the use of Active Risk Manager (ARM).
Configuration data sets for ERM solution ARM created, approved, and implemented in readiness for business approval to migrate risk data and roll-out usage to agreed areas of the organisation.
Engagement with the wider Project Controls teams and supply of draft process documents regarding Assumptions Management, Issues Management, and Commercial Risk Management.

In which way did this tie in with BECBC’s core Values around Energy, Collaboration and Inclusion?

Enabled risk-based assurance activities to be planned, whilst enabling assurance activities to feed risk information (causes / impacts etc.) across a portfolio of projects in:

Nuclear Plant Operations (e.g., Windscale Facility)
Radioactive Waste Processing and Management
Decommissioning (e.g., handling of radioactive sealed sources)

Process mapping, including roles and responsibilities and document detailing how, and when, project specific risk information should be noted and reported as part of standard reporting to determine the risk profile appropriate for that business unit (e.g., Project risk through to Group risks).