Services Delivery

Operations
  • Harvard Advisory Solutions partners with you to identify transformation opportunities, building on existing cultural strengths, promoting healthy risk conduct, providing strategies to manage your most important third-party relationships, whilst capitalising on available intelligence to enable greater certainty in decision making.

  • Transformation: Leverage off your strengths (employees, stakeholder relationships, data, technologies, operational processes/controls) to manage operational risk and identify value.
  • Third-party management: Identify and assess risks relating to third parties (outsourcing, alliances and partnerships) to strengthen existing relationships and identifies opportunities for business process optimisation/streamlining.
  • Capitalise data: Take full advantage of existing enterprise-wide data systems, and/or building the business case for expanded data management transformation and metrics-building capacity, to provide the tools needed for improving decision making certainty.

Projects

Every Project is a process that delivers significant change to an established system. Traditional processes, cultures, systems/platforms, are all impacted (some positively, others adversely) by a Project, and this will have a material effect on the risk profile of a business. Our experience has shown us that 90% of project risks arise not because of a failure to hold workshops, or a failure to actions to mitigate risks. It is true that project risk management focuses upon minimising cost, schedule or quality risks, however, these in itself are not the reasons why project risks materialise. We advocate a structured approach to undertaking Project Risk Management, through the alignment of people, technology, strategy, process and knowledge, to manage the key uncertainty interfaces that influence objectives.
  • Lack of Executive Leadership participation in risk workshops: Leaders who fail to attend and proactively participate in risk workshops, set an incorrect tone for remaining peers reporting to them. This sets in place a negative approach appreciation for risk, and becomes the crux behind risks materialising post contract award or design initiative, often at considerable capital and/or schedule cost.
  • Poorly defined risks: All too often risks are raised as background issues. There is a stark difference between what constitutes a risk, and what constitutes an issue. Even if a risk has been clearly defined (cause, risk, effect), a common failure is to rate the likelihood of a risk, rather than rating the likelihood of the consequence of a risk. By definition, a risk event consists of both the likelihood of an event, and also the consequences should that event materialise. If either sides of the equation do not exist, there is no risk, but rather simply a hazard (root cause of a potential risk down the line). Without a consequence being properly defined, and without the likelihood of the consequence of that specific risk being assessed, there is no justification in assigning contingency allowance to manage a particular concern.
  • Workshop facilitation that is personal: We offer an approach to workshop facilitation that is different to most organisations. We sit with each Executive Leadership Team (ELT) member to understand the concerns behind your functional service line, its drivers, its limitations, its delivery concerns, its planning priorities. Only by meeting with each ELT member can we then develop a ‘whole-of-project’ or ‘whole-of-enterprise’ perspective on risks, including interdependencies between risks across service delivery functions. We then facilitate a project-wide or business-wide risk management session, focussing on the cross-agency impacts of the identified risks, their interdependencies, and the assumptions underlying each risk. Often, the set of assumptions held by one service function need adjustment once a cross-agency perspective is obtained. Then and only then, can there be a ‘group’ consensus on the cost and/or schedule delay of identified risk, with flow on contingency being correctly assigned, through the use of quantitative risk analysis (QRA).
  • Failing project turnaround: We can assist in running deep-dive investigations to uncover the reasons behind a failing project, whilst offering solutions for getting the project back on course.
  • Anticipated Final Cost (AFC): Often referred to as either an AFC or an ‘estimate-at-completion (EAC)’, the process by which the project arrives at its final cost can be quite complex. Whatever the methodology adopted, we can review it to ensure it encompasses correct elements, so that hidden costs are not uncovered post contract award, or post-design completion.
  • Links with Project Controls and Pre/Post-Contracts management: Our team has in-depth experience of running mega projects from an Owner/Operator perspective. As such we understand the correct process, order and linkages between risks, hazards, variations, post-contract reviews, and change. We can develop smart metrics that track the progress of a risk, as it evolves and matures to conception, including its flow-on effect on other control functions.
  • Value Assurance and Stage-gate reviews: We recognise that Mega-Projects, as well as Major Capital Projects, can benefit from a disciplined approach to ensuring Value is defined, and optimised. There is a need to provide stage-gate Value Assurance (VA) services to the service delivery of a large scale Project. VA is a systematic process whereby a series of stage-gates are introduced to the Capital Project lifecycle, with intent of ensuring that the business selects the “Right Project”, and delivers the Project in the “Right Manner”. The goal is to identify early warnings before they materialise and present significant problems. VA gives Executives the assurance that the right business decisions were selected, based upon a sound and tested selection methodology. VA is a structures independent assessment of Project metrics, prior to a key stage-gate between Project phasing. Risk management controls are adopted at each stage to ensure the Project is delivering to its commitments, without over-committing itself to unrealistic scenarios. Controls are adopted in key stages and phases to bring a Project back on track where needed. As the Project progresses, the chances of influencing outcomes through greater spending decreases. The goal of VA is to take all corrective action required during the front-end of a Project, as this is where the majority of high value, high risk decisions are made (concept pre-selection). Without sufficient front-end design (front-end loading), or a rigorous method to chart and progress change/variation to baseline, remedial costs can grow exponentially.
  • VA framework review: Our team of experts can review your existing VA framework to determine its adequacy in delivering Mega or Major Projects. If required, our team of experts can develop a VA governance framework from conception, and work with your business in a step-by-step fashion to introduce and embed the process through culture change. Often, adopting a VA process requires significant change to pre-existing operating rhythms, and our team of experts can sit with you to identify obstacles to change implementation throughout a VA delivery engagement.
  • Impact on Operations: The Operations or Service Delivery functions must be informed of any Project risk, to allow for a business impact review to be undertaken by Operational risk staff. We can assist leading such reviews to assess whether any change being introduced by a Project is tailored, with minimal effect on remaining functional units. Having an upfront understanding of the scale of change being delivered through a Project, will enable the business/project controls function, to assess the adequacy of controls in the delivery schedule. It presents an ideal opportunity to streamline existing project risks and controls to increase efficiency.
  • Project speed: The speed at which a Project is intended for delivery, will determine the best approach to assessing risk. Different project delivery methods (waterfall, agile, etc.) each have their own delivery risk profiles.
  • Project delivery structure: Depending on the nature of the Project (EPC, EPCM, PPP, etc.), as well as the scale of delivery, at times a Project can be large enough to act as a business on its own. In this manner, the Project’s ‘organisational’ structure and delivery model itself, will have inherent risks. We can sit with your team to review proposed partnership arrangements to identify the most appropriate delivery method to minimise risk exposure.


Maturity Assessments

  • It is vital for an organisation to understand whether its risk management function (culture, governance, processes, policies, practices) meets the current needs of the business (Board, CEO expectations), as well as serves to support the business’ vision (3 and/or 5 year plan). Undertaking a benchmark maturity assessment will serve to demonstrate where the risk governance framework lies in comparison to best practice in the similar industries.

  • Maturity health review: We can undertake a risk governance maturity review to highlight common short comings in risk management governance. Tailored solutions can be developed regarding a number of items. These include, the suitability of the organisational structure of the risk function, its consistencies in practice, and room for improvement. It also includes the degree of closeness in its relationship with other business support divisions. The ability to serve the needs of the Board and CEO and the suitability of existing risk management tools/process to monitor and report current compliance risks are of critical importance. Of equal importance is the suitability of existing risk management tools/process to monitor and report on future strategic risk (e.g. whether existing risk tools are suitable for monitoring against major project risks, whilst simultaneously serving operations and enterprise risk).
  • ISO31000 alignment: We utilise a maturity model benchmarking approach that is aligned with industry ISO31000 international risk management standards. Not all organisations require the full enterprise-risk management (ERM) suite of solutions. In fact, aiming to replicate and embed a mature ERM approach from an established business into an organisation which is going through its growth phase and relatively new to market, is in itself ill-advised and adds risk.
  • Risk maturity reflects current/future needs: We recognise that the sophistication of an ERM risk management capability needs to reflect the growth of the organisation, whilst being tailored to suit the needs of the business at a specific point in time. This can be either reflecting a business’ current efforts to consolidate its presence in the market (stabilise), divest and streamline its operations (downsize and create niche), or capitalise on growth (expand). We will identify the appropriate ERM solution for your organisation, provide a delivery plan for its embedding, and assist in its step-by-step roll out.

Metrics

It is vital for an organisation’s strategy to be supported by strong risk analytics and metrics. Analytical insights can assist a business to transform markets, shaping the way a market responds to a user group. At its full potential, strong analytics can bring a market to your business, for your business to set the trend that others follow. Market enablers/disrupters in the form of social media, mobile data, and increasingly, bringing a service to a home (e.g. bringing the hotel experience to a home), has the potential to reform traditional business structures. Most companies now understand the power that comes with leveraging off smart analytics to accommodate social change.
  • Align data with strategy: We can assist your organisation align its key analytical insights to support intended decision making, enabling decisions to be made with greater certainty.
  • Risk driven insights: In order for maximise opportunities, minimise risks, and enable quicker risk/reward decisions, we can assist in developing reliable data analytics that will give a business greater control over its ability to monitor revenue, drive down costs, and mitigate risk. We ask questions such as;
- Are the right processes in place to keep track of changes in the business and external environment? - Is the data dependent upon a single or holistic view of the key business risks? - Do we track compliance risks effectively across multiple jurisdictions? - Do we track regulatory changes in our operating environment? - Are there embedded business risk units and what is the quality of data they are capturing (if at all)?
  • Obstacle management: Our team can provide solutions to common challenges such as:
- Data being collated without user or end use in mind, leading to data integrity in doubt. - Extracting intelligence from the overload of information/data collated. - Collated data being found to be silo-focussed (e.g. project risk data collated without any links to other business platforms).

Controls Effectiveness

Controls Effectiveness Assessment (CEA) can be applied to assess the effectiveness of current controls within a business. It allows an organisation to have greater insight as well as oversight of their internal controls capability. Once risks have been identified, it is likely that some of these risks will already have controls in place for their ongoing monitoring. We have found that 80% of risks have controls in place that are either irrelevant (do not address the risk in question), out-dated (not adapted to current operating context), ill-defined (unclear, ambiguous) or are not time/metrics bound (review dates, assigned responsibility, escalation routes, close out dates). We can provide a business with an independent overview of the effectiveness of proposed current risk controls by:
  • Front line reviews: Gathering data evidence on 1st line controls in place to mitigate current risks (assuming these risks have been correctly identified to begin with, reflect the business’ current operating context and/or future strategy), then reviewing these controls through our CEA process to determine effectiveness. This includes a two-step analysis, reviewing the selection and relevancy of the control, as well as how the control supports operations. If controls are deemed ineffective whilst in operations mode, they will be overhauled, regardless of their effectiveness at the time of inception/design.
  • Cost effective: Utilising the above approach negates the need for a business to spend large sums of money on costly and cumbersome Governance, Risk and Compliance (GRC) software platforms, and the added costs of integrating such platforms with existing systems/infrastructure.
  • Interviews with key risk owners: We then hold 1-1 meetings with key risk owners to determine the adequacy of current control measures. Our team holds these meetings, after first speaking with Executive Leadership Team members to understand each member’s current operating context, their concerns, limitations, opportunities and external pressures.
  • Cycle oversight: We speak 1-1, and we solve problems 1-1, because we know a Client doesn’t want to be overburdened by information. A Client wants a catered/tailored and personalised solution. Our CEAs are mobile, can be called upon to support annual/quarterly reviews and/or deep dives, are accessible across a business’ multiple sites, and available to the Board and/or CEO, as part of controls assurance monitoring.



Business Continuity & Crisis Management - Ready, Respond, Recover (RRR)

  • Being ready for a crisis depends upon identifying the most likely set of crisis relevant to the business, and is dependent upon having a full understanding of the operating context and interdependencies of the business. Harvard Advisory Solutions will sit with key Executive Leadership Team members to understand the critical dependencies upon which the business relies. The maturity curve of an incident spans initial surprise, pressurised decision-making, strategy disruption, intense media/stakeholder demands, overloading of remaining systems/people, regulator pressure, loss of key staff members (voluntary leave) and business paralysis. A failure to address these will cause trust, reputation and employee confidence to be undermined.

  • Nature of a crisis varies: Be it securing supply chains, preventing workplace incidents, security of IT and Communications systems, natural disasters, unintentional or intentional misconduct, cyber-attacks, financial misconduct, fraud, product safety recall, privacy breaches, emergency readiness, safety in design engineering reviews, or any other incident deemed plausible for the business, we will work with you to develop strategies that will minimise the likelihood of a crisis occurring, and/or, minimise the consequences therefrom. Being ready to respond to a crisis can considerably effect a firm’s reputation, balance sheet and assets.
  • Ready, respond, recover: Being ready for a crisis means being prepared. We can sit with the Board, CEO and/or Executive Leadership Team to select the most likely crisis that a business may face, depending on the operating nature of the business. The ability to respond within short timeframes, will determine the scale of a crisis. We can assist by identifying the relevant internal and external stakeholders that form part of a crisis response capability. Post-crisis, the ability to recover is critical. We can assist using ICAM methodology to meticulously log the way an incident evolves over time, the way data is managed, decisions are made, financial matters addressed, insurance coverage delivered, and recovery plans established.
  • Message delivery: During a crisis, it’s imperative to control messaging being relayed through public and social media channels. We can assist training Executive Leadership Team members in responding to intense media scrutiny and parliamentary briefings to protect reputation and ensure brand recovery.

Workplace Health and Safety (WHS) Governance

  • Suffering a workplace incident can be devastating. Whether it concerns employee conduct (bullying, harassment, conflict or discrimination), through to the safety governance culture of the business, Harvard Advisory Solutions can assist your business to ensure it meets all the regulatory work health and safety obligations required. This will lead to a reduction in employee leave taken. We work with your Health and Safety Representatives to review the sustainability of the safety governance structure, identifying trends to create long-term improvements. We do this by making the ‘intent’ personal. The buy-in of employees to be a part of the ‘my safety journey’ is critical to a successful safety strategy.

  • Coaching: We take employees on the journey with us. Each employee is introduced to and becomes a part of the ‘my safety journey’, with coaching provided as to strategies for implementation, review and improvement.
  • Trial-by-jury: We can prepare real life scenarios, in simulated court settings where former legal specialists with WorkCover backgrounds will test your strategy, highlight areas for improvement and give a taste of the pressure of a court scenario by pushing your comfort levels. The intent is to highlight the safety roles/responsibilities/obligations of staff.
  • Safety culture: As with risk, safety is dependent upon the wider organisational culture. The way a firm operates, the rules of conduct in place, will determine the degree to which employees are encouraged to be a part of the ‘my safety journey’, or feel disheartened, inevitably leading to a culture of safety apathy. Often, having a safety technology system in place, doesn’t provide a solution for safety management. If the right cultures aren’t embraced, shared through storytelling and valued, even the most popular or extensive safety management system will become a repository for housing a growing number of workplace incidents.
  • Metrics profiling: Having the right safety culture will enable a higher user uptake in regards to implementing safety initiatives. A basic yet fundamental aspect of safety management is the principle of “if it’s not measured, it’s not managed”. Identifying, assessing and controlling hazards and risks are key to developing long term trends that highlight emerging horizon risks.
  • Incident investigation: Harvard Advisory Solutions is in a unique position to be able to call upon expert services such as former police detectives, prosecutors, WorkCover lawyers, ICAM specialists, to undertake any investigation required, be it a confirmed incident, or allegation, to uncover the root cause behind an incident. Techniques such as HAZOPs, HAZIDs, Failure Mode Effects Analysis (FMEA), Safety Integrity Levels (SIL), Layers of Protection Analysis (LOPA), Human Factors Assessment, Risk Engineering assessments, and other relevant methodologies, can be called upon to assist your organisation in its incident investigation.
  • Safety maturity: By analysing the level of maturity of your business’ safety governance framework, safety management systems, and safety culture, we can develop strategies for strengthening safety management. We can take the lead in undertaking site audits and compliance verification, benchmarking against Australian and International standards, to improve the design and delivery of safety policies and procedures.
  • Interdependencies between risk functions: The integration between the risk management portfolios of Operations, Major Projects and Enterprise, is an example of where safety gaps emerge, due to each division operating in silo and with an inward focus, despite each being responsible for managing risk. Whilst having multiple risk matrices may be justified due to the degree of risk maturity within a business, an overarching governance architecture is often required which brings these divisions together. Risks raised in one forum, may have an impact in another forum across multiple categories (cost, schedule, safety, operations, insurance). We can assist in developing a set of guiding principles between all risk user groups, to develop a united language as to how risk is perceived, its impacts, and flow-on effects on remaining areas of the business.