Roads to Resilience

De-risking the major threat: time Time was a key element of risk for the programme, and represented a major threat. This was recognised early on, and the ODA adopted a strategy they called ‘Two, Four, One’: two years to plan, design and clear the land; four years for construction (the ‘Big Build’); and one year to solve any final issues and to run test events at the key venues. This strategy was a major success “ because we de-risked time, which was our biggest threat in many ways ” (Chief Risk Officer, ODA). As an example, although the Aquatics Centre was completed some three months later than originally scheduled, this did not disrupt the overall programme since it was before the scheduled test event. Government risk register Central government produced a strategic risk register comprising around 200 headline risks, from problems with abnormal weather to major terrorist attacks. The sheer range and level of these risks presented a major challenge: “ could the park be 100 percent resilient to all these 200 risks? No, it couldn’t possibly be. But could you plan for some of them? Yes, you could ” (Chief Risk Officer, ODA). Critically, the ODA worked with government to develop responses to these risks. “ Governance is making sure you have a proper framework and process for managing risk ” (Chief Risk Officer, ODA). The ODA applied the ‘three lines of defence’ risk governance framework, which is widely recognised as being an effective framework. In essence this is, “ a sound framework which, when allied to a common sense and logical approach towards managing risk, produces strong results ” (Chief Risk Officer, ODA). The levels are: line management who are responsible for business operations / programme delivery (detailed analysis of risks); programme assurance (who carry out quality and compliance reviews) and the Risk & Audit team responsible for corporate control (external audit and policy reviews). Each level has different requirements, but they are all closely linked. In the first line of defence, people “ have to understand the risks of business areas they are managing … which are actively managed by the people at the coal face … they would be the ones who tackle the risks which emerged from the projects ” (Deputy Chief Risk Officer). These risks would be managed “ within the parameters set by the third line of defence, the governance side of it ” (Chief Risk Officer, ODA), and it would be monitored “ by a programme assurance office which reports into the chief executive ” (Chief Risk Officer, ODA). In the first 12 months of the ODA’s existence, the Chief Risk Officer worked to embed this governance framework in order to develop a common understanding. This was a key process that was led from the top: “ one of our basic concepts was the fact that you have got to have the right culture tone from the top … risk management isn’t there as a tick box exercise but as something that is in the blood of the business and led from the chief executive down ” (Chief Risk Officer, ODA). As such, risk management was a central feature of ODA operations. The Chief Risk Officer had a very strong relationship with the chief executive and financial director. The audit committee was critical to the risk process and actively challenged the risk schedules. Directors would attend audit committee meetings to discuss risks that they had responsibility for. There was a real view that discussions about risk were positive, facilitating good conversations and helping to deliver solutions. Leadership and governance

134

Appendix A Case study: The Olympic Delivery Authority (ODA)