Risk and organisational culture


Strategy Unit's Risk: improving government's capability to handle uncertainty

4.1.11 The lack of explicitness about risk issues and their management is a key concern. This undermines accountability and means that there is often no auditable trail of judgements about risks, making it impossible continuously to review risk judgements.

3.8 The Phillips Inquiry report on BSE highlighted several aspects of the government’s handling of risk and uncertainty that were unsatisfactory, notably the timing, implementation and enforcement of mitigation measures, its use of independent scientific experts, and failure to communicate with the public on the risk to humans. To address the shortcomings, the Inquiry recommended:

  • more open communication to the public about risks that affect them;
  • better monitoring to ensure effective enforcement of risk management measures;
  • ensuring that where action has been taken to reduce the risk, it has resulted in what was intended;
  • clearer lines of accountability for risk management decisions; and
  • better interdepartmental co-ordination.

3.11 The NAO report, Supporting Innovation, surveyed risk management practices across a broad range of public sector bodies. It found that on the following issues less than half of the Departments surveyed agreed that:

  • they knew the strengths and weaknesses of the risk management of the organisations they worked with;
  • there was a common definition of risk used throughout the Department;
  • risk management objectives had been clearly set out;
  • regular risk management reports to senior management were effective;
  • the Department’s executive sponsorship and focus for risk management was effective.

It recommended that:

  • the Cabinet Office should continue to encourage Departments to adopt a coherent approach to managing risks, which is likely to lead to sustainable improvements in public services;
  • the Treasury should press ahead with work already under way to improve risk management and corporate governance in government Departments; and
  • Departments should ensure that the principles of sound risk management are understood and widely adopted.

3.12 The PAC report, Managing Risk in Government Departments, confirmed that more progress still needs to be made and pointed out that "Numerous reports by this Committee have emphasised the need for Departments to improve their risk management".
3.14 It also pointed to the need to develop skills and for adequate monitoring of progress: "It will be important for the Cabinet Office and Treasury to continue to monitor how Departments implement their risk management plans, to ensure that they are underpinned by effective action to manage risks. These plans should include reliable contingency arrangements to deal with the unexpected, which might put service delivery for citizens at risk."
3.43 … there is a concern that some of the application of risk management concepts has been mechanistic, and not integrated into decision-making at the highest level. There is not always the demand for risk management, for example, demand for rigorous, timely and wide-ranging risk assessment from Ministers and senior officials.
3.44 The aims of a more fully developed approach to risk management, and the measures by which their success should be judged, include the following:

  • higher levels of safety and confidence (less loss of life and injury);
  • better understanding of risks and trade-offs between different options by public and government (for example, better decisions on pensions, smoking and diet); and
  • better balance of risk and opportunity - good risk management can provide the confidence necessary for taking innovative decisions (limiting risk through pilots or careful management of project risks).

4.1 An explicit, systematic approach is recommended in order to improve the quality of decisions and delivery, to provide an audit trail of risk judgements, and to join up risk management actions within and across Departments. Risk is not yet fully embedded in core government decision processes … there are particular weaknesses in risk analysis in the policy phase of the process of policy development and delivery.
4.1.2 These considerations are relevant at three levels. The strategic level includes major policy decisions and concerns the government’s political contract with the electorate and the coherence of its overall programme. External factors (including oil supply crises, weather, disease, wars and personalities) are likely to be critical to this contract, as are some endogenous factors (e.g. failures in key public services). At this level there will often be fundamental uncertainties surrounding decisions.
4.1.3 The programme level is the level at which most policy is made. Decisions are made on procurement/acquisition, funding, organisation, establishing projects, service quality and business continuity. Uncertainty will be bounded at this level, as strategic parameters will have been set, and risks are more likely to come from internal rather than external sources.
4.1.4 The operational and project level is where services are delivered.
4.1.5 Although each of these levels has distinct characteristics, some common approaches are necessary at all three:

• risks have to be identified and assessed, with responsibility and accountability allocated and clear;

• judgement is needed about their importance;

• mitigation and contingency plans may need to be considered;

• the impact of actions on risks need to be reviewed and reported; and

• the information and decisions need to be effectively communicated.

4.1.6 At the higher levels risks will tend to be less easy to spot, more disruptive, less easy to quantify, and often less stable. A broader range of inputs is likely to be needed to identify risks, assessment is likely to be based more on judgements than measurable facts, and mitigation and contingency plans are likely to be less robust.
4.1.7 Decisions will very often be taken in the context of one of the core processes of government. Examples include: the policy making process and the Spending Review (strategic level);
4.1.13 The main barriers to effective assessment of risk in decisions include [31]:

  • a lack of planning – decisions often need to be made quickly, and risk assessment will be compromised if information is not readily available, and issues anticipated;
  • pressure on resources – encouraging planning on optimal assumptions;
  • short planning horizons – traditionally Ministers have been more focused on announcements than on longer-term implementation and delivery – when risks might be realised (though this is changing with the current emphasis on delivery);
  • lack of good quality, relevant information;
  • limited in-house skills, experience and tools;
  • the real difficulty of assessing and balancing risks and opportunities, and weighing, for example, financial versus other risks;
  • fear of failure acting as a disincentive to innovation; and
  • in some cases political anxiety about explicit acknowledgement of risk.

Policy making
4.1.20 Policy making is the process by which governments translate their political vision and priorities into programmes and actions to deliver outcomes. Failure explicitly to consider risk management in policy making and decisions can lead to serious problems, with costs and impact being borne by the public, or to opportunities for high risk/high reward options being passed over through lack of confidence in handling the threats. However, in many areas, there is at present no structured and enforced requirement to consider risks. Some very high priority policies have been implemented without adequate attention to risks, often leading to very costly exercises to put them right.
4.1.21 Some risk is unavoidable. Life is by its nature complex and messy and no formulae exist for making the business of policy making and implementation wholly predictable.
4.1.22 However, a more systematic approach to policy making can significantly reduce unnecessary failures. We therefore recommend (rec.2a) that policy making should include a proportionate and wider ranging consideration of risk, to provide an adequate review before proposals move into full development.
4.1.23 We recommend (rec.2c) that ... there has been adequate identification and assessment of risk across the range of policy options; that any mitigation and contingency plans are sound; and that any assumptions should be reviewed and formally tested against future scenarios. This could be incorporated in existing assessments where these exist, such as the RIA and Investment Appraisals. These are externally reviewed and, if developed, would fulfil this requirement, avoiding the need for multiple reviews of the same proposal.
4.1.24 Each Gateway Review should be underpinned by an explicit assessment of the risks and opportunities of proceeding, informed where necessary by the views of all relevant stakeholders. This should involve risk/hazard identification, assessment, and judgement of risks drawing on empirical evidence and the public context, and development of options for managing the risks (mitigation actions and contingency plans). Risk assessment is likely to combine quantitative factors with softer judgements, such as the social aspects of risk.
Figure 4.2

Risk Identification: Empirical - research & incident occurrence; Imaginative – horizon scanning & experience

Risk Assessment: Trends & statistics; Technical quantification; Evaluation evidence; Values & ethics; Public views of acceptable risks; Social, cultural & political issues; Economics & international policy.

Development of policy options: Judgements – selection of options and cost-benefit trade off; Consultation & engagement.

4.2 Summary: Important common issues are the imaginative use of experience (as opposed to mechanistic process application), and a more systematic approach to softer areas of risk – including public perceptions, strategic fit, and reputational risk.
5.29 A number of Departments we spoke to said that a widespread lack of understanding about basic risk concepts sometimes made it difficult for them to conduct an informed public debate about risks. The most frequent areas of concern were low levels of awareness about probabilities – leading to disproportionate levels of concern about high-impact, low probability risks – and a reluctance to accept that no activity could be entirely "risk free".