Risk: improving government's capability to handle risk and uncertainty [2002]
Strategy Unit
.
 

 

Forward
Chapter 1: Introduction
Chapter 2: Government’s role and responsibility
Chapter 3: Improving government’s handling of risk – the challenge
Chapter 4. Improving capacity

4.1 Ensuring decisions take account of risk
4.2
Establishing risk management techniques
4.3
Organising to manage risk
4.4
Developing skills
4.5
Ensuring quality

Chapter 5: Handling and communicating about risks to the public
Chapter 6: The role of leadership and culture change

 

 

Foreword by Tony Blair: All life involves some risk. We … need to be sure that … there is a proper balance between the responsibilities of government and the responsibilities of the individual.

 

Chapter 1: Introduction

1.1 The language of risk is used to cover a wide range of different types of issue:

  • safety issues – from BSE; in connection with the Measles, Mumps and Rubella (MMR) vaccine; and other issues of risk to the public.
  • the risk of damage to government’s reputation in the eyes of stakeholders and the public and the harm this can do to its ability to carry out its programme.

1.20 The risks that the public faces may be voluntarily undertaken (for example, smoking or dangerous sports), with greater or lesser degrees of awareness of the risk, or imposed by other individuals or organisations (for example, risks from crime, commercial products or technologies or the risk of nuclear accidents) or natural events (such as flooding or severe weather). We explore the consequences of this distinction for government.

 

Chapter 2: Government’s role and responsibility

2.3 Government’s role … reflects the extent to which individuals and organisations can be expected to understand and respond to the risk, and the extent to which government has the capacity to bear the risk:

• governments have a regulatory role in providing the legal framework where the activities of businesses and individuals give rise to risks to others.

Regulatory role

2.6 Governments will not normally intervene where individuals take risks voluntarily and where they alone are affected. In these circumstances, governments have a role in ensuring that individuals are aware of their responsibility and of the consequences of the risk that they are taking. There is often room for argument about precisely what falls under this definition. For example, smoking, driving without a seatbelt or undertaking dangerous sports are risks that are taken voluntarily and mainly affect the person taking them.
However, they may also indirectly impose costs on others, for example to the taxpayer through the cost of medical treatment.

2.7 Where risks taken voluntarily have direct or indirect consequences for others – for example, other road users, the taxpayer or the environment – government may intervene through regulation or other means to limit or control that activity. Examples include setting road speed limits, or legislating to require the wearing of seatbelts or to restrict tobacco advertising. The issues involved are often complex – for example, over the regulation of tobacco advertising – but the political and legislative processes ensure that any legislation to restrict activities that involve risk receives proper scrutiny.

2.8 In addition, governments will seek to ensure that those who impose risks on others bear the cost of the consequences of the risk.

2.10 In many cases, it will be up to individuals or businesses to manage their own exposure to such risks where they have the knowledge or capacity to do so – for example, through the lifestyle they choose or the investment decisions they take.

 

Chapter 3: Improving government’s handling of risk – the challenge

Summary
Government needs to handle risks at three main levels: strategic, programme and operational. Handling of risk at all three levels has been found wanting in recent crises and policy failures, and reports by the National Audit Office (NAO) and the Public Accounts Committee (PAC) have found systematic weaknesses.

The challenge
3.2 At the strategic level, what is at stake is the government’s political contract with the electorate and the coherence of its overall programme. Decisions will involve the formulation of strategic objectives, the resource allocation decisions to back them, and assessment of policy options in response to changing circumstances.

3.3 At the programme level come the detailed policies governing implementation and the delivery plans that will benefit society. Decisions are made on procurement or acquisition, funding, organisation, establishing projects, service quality and business continuity.

3.4 And at the project and operational level, decisions will be on technical issues, managing resources, schedules, providers, partners and infrastructure.

3.5 In recent years government has faced significant problems in handling risk at each of these levels.

Risk management has been found wanting in recent policy failures and crises…
3.8 The Phillips Inquiry report on BSE highlighted several aspects of the government’s handling of risk and uncertainty that were unsatisfactory, notably the timing, implementation and enforcement of mitigation measures, its use of independent scientific experts, and failure to communicate with the public on the risk to humans. To address the shortcomings, the Inquiry recommended:

• more open communication to the public about risks that affect them;

• better monitoring to ensure effective enforcement of risk management measures;

• ensuring that where action has been taken to reduce the risk, it has resulted in what was intended;

• clearer lines of accountability for risk management decisions; and

• better interdepartmental co-ordination.

3.9 In addition, the Inquiry report highlighted the lack of public confidence in the way government handled food safety risks. It concluded that the only means of improving this state of affairs was through greater openness and acknowledgement of scientific uncertainty.

…and reports by the NAO and the PAC have found systematic weaknesses…
3.11 The NAO report, Supporting Innovation, surveyed risk management practices across a broad range of public sector bodies. It found that on the following issues less than half of the Departments surveyed agreed that:

  • they knew the strengths and weaknesses of the risk management of the organisations they worked with;
  • there was a common definition of risk used throughout the Department;
  • risk management objectives had been clearly set out;
  • regular risk management reports to senior management were effective;
  • the Department’s executive sponsorship and focus for risk management was effective.

It recommended that:

  • the Cabinet Office should continue to encourage Departments to adopt a coherent approach to managing risks, which is likely to lead to sustainable improvements in public services;
  • the Treasury should press ahead with work already under way to improve risk management and corporate governance in government Departments; and
  • Departments should ensure that the principles of sound risk management are understood and widely adopted.

3.12 The PAC report, Managing Risk in Government Departments, confirmed that more progress still needs to be made and pointed out that "Numerous reports by this Committee have emphasised the need for Departments to improve their risk management".

3.14 It also pointed to the need to develop skills and for adequate monitoring of progress: "It will be important for the Cabinet Office and Treasury to continue to monitor how Departments implement their risk management plans, to ensure that they are underpinned by effective action to manage risks. These plans should include reliable contingency arrangements to deal with the unexpected, which might put service delivery for citizens at risk."

What are the causes?
3.18 In summary, government risk management is too often judged, both by practitioners and others, to fall short of expectations and best practice. Why is this?

3.20 Some of the problems for government arise from inherited structures. The organisation of government in functional Departments has made it harder to deal with cross-cutting risks. BSE was a classic example; so in a different way was Foot and Mouth Disease (FMD), which had a major impact on tourism, as well as on farming. Similar considerations apply to risks that span international and domestic Departments or parts of a Department.

The social context within which government works is becoming more demanding…
3.22 The Strategy Unit commissioned MORI to undertake analysis of published material on social attitudes to risk. (See annex 4 for more detail.) This showed that people expect government to be more open about risk issues, and that they seek reassurance from government, but are sceptical of what they are told unless they can clearly see that it is not influenced by vested interests:

  • the public wants more openness and independent advice on risk issues. … the public values independence and will trust pressure groups and "independent" scientists over private companies or the government;
  • trust is particularly important when dealing with and communicating uncertainty. Nine in ten people agree with the statement that "When the government is unsure of the facts, it should nonetheless publish what information it does have available". Research also suggests that admitting that the case for or against a particular risk is uncertain is much more likely to be believed than claiming it is risk-free;
  • however, qualitative and quantitative research both also indicate the need for reassurance from government. The public wants to know the official line and believes that government has a role in reducing panic and legislating against dangerous risks. However, there is also a feeling that action does not always succeed in preventing risks.

…and there are greater expectations in terms of corporate governance
3.35 … any Department that does not have, or is not developing, risk management processes will face criticism in the NAO’s review of the SIC appended to their accounts.

But actions are not so far sufficient to deliver benefits across the range of government’s business…
3.43 … there is a concern that some of the application of risk management concepts has been mechanistic, and not integrated into decision-making at the highest level. There is not always the demand for risk management, for example, demand for rigorous, timely and wide-ranging risk assessment from Ministers and senior officials.

Aims
3.44 The aims of a more fully developed approach to risk management, and the measures by which their success should be judged, include the following:

  • higher levels of safety and confidence (less loss of life and injury);
  • better understanding of risks and trade-offs between different options by public and government (for example, better decisions on pensions, smoking and diet); and
  • better balance of risk and opportunity - good risk management can provide the confidence necessary for taking innovative decisions (limiting risk through pilots or careful management of project risks).

Further responding to the challenge
3.45 In order to achieve these benefits, this report makes the case for the systematic development of the government’s approach to handling risk.

3.46

  • a clear strategic framework for government’s handling of risk, including its roles and responsibilities (chapter 2) in handling risks to the public and to the delivery of its business; the aims (chapter 3) to be achieved through good management of risk; and the principles (chapter 5) used to guide its actions in handling risk to the public;
  • arrangements to ensure that all major decisions about programmes and policies take explicit account of risks and opportunities (chapter 4.1);
  • systems, processes and incentives to ensure that risks are well managed (chapter 4.2);
  • effective organisation to ensure that risks are dealt with where they can best be managed (chapter 4.3);
  • skills developed widely amongst government decision makers and advisers,

and amongst supporting experts (chapter 4.4);

  • clear quality standards and a quality assurance approach (chapter 4.5);
  • effective communication of the approach to handling risk and uncertainty, so that the public will be better informed about risks, their consequences and trade-offs and so better able to make choices (chapter 5);
  • crucially, top level leadership, to drive the improvements we recommend, and to foster a culture that fully supports well managed risk taking (chapter 6); and
  • a clear aim of improving the quality of decisions and achieving better outcomes (chapter 7).

 

Chapter 4. Improving capacity

Every aspect of government’s work involves some risk: policy making and decision taking; action and implementation; regulation and spending. And there is an expectation that government should manage these risks well, to cut waste and inefficiency, and reduce unanticipated problems and crises that undermine trust. To deliver the expected benefits fully, a systematic and explicit approach is required, integrated into key decision processes.

Government needs to develop its capacity to handle risk, by:

• ensuring that decisions take account of risk (chapter 4.1);

• firmly establishing risk management techniques (chapter 4.2);

• organising to manage risk (chapter 4.3) – making sure that responsibility for handling risks is with those who can best manage them; that information flows support this; and that the risk management improvement programme is well managed;

• developing skills (chapter 4.4); and

• ensuring quality (chapter 4.5).

4.1 ENSURING DECISIONS TAKE ACCOUNT OF RISK

Summary
An explicit, systematic approach is recommended in order to improve the quality of decisions and delivery, to provide an audit trail of risk judgements, and to join up risk management actions within and across Departments. Risk is not yet fully embedded in core government decision processes … there are particular weaknesses in risk analysis in the policy phase of the process of policy development and delivery.

4.1.1 Effective government depends, among other things, on the ability to:

• understand trends, opportunities and challenges;

• use this understanding to underpin decisions and make resource allocations to back them;

• respond quickly to changing circumstances and crises; and

• identify and prepare for a range of strategic futures.

[Levels]
4.1.2 These considerations are relevant at three levels. The strategic level includes major policy decisions and concerns the government’s political contract with the electorate and the coherence of its overall programme. External factors (including oil supply crises, weather, disease, wars and personalities) are likely to be critical to this contract, as are some endogenous factors (e.g. failures in key public services). At this level there will often be fundamental uncertainties surrounding decisions.

4.1.3 The programme level is the level at which most policy is made. Decisions are made on procurement/acquisition, funding, organisation, establishing projects, service quality and business continuity. Uncertainty will be bounded at this level, as strategic parameters will have been set, and risks are more likely to come from internal rather than external sources.

4.1.4 The operational and project level is where services are delivered.

4.1.5 Although each of these levels has distinct characteristics, some common approaches are necessary at all three:

• risks have to be identified and assessed, with responsibility and accountability allocated and clear;

• judgement is needed about their importance;

• mitigation and contingency plans may need to be considered;

• the impact of actions on risks need to be reviewed and reported; and

• the information and decisions need to be effectively communicated.

4.1.6 At the higher levels risks will tend to be less easy to spot, more disruptive, less easy to quantify, and often less stable. A broader range of inputs is likely to be needed to identify risks, assessment is likely to be based more on judgements than measurable facts, and mitigation and contingency plans are likely to be less robust.

4.1.7 Decisions will very often be taken in the context of one of the core processes of government. Examples include:

• the policy making process and the Spending Review (strategic level);

• business planning, programme management (programme level); and

• service management, project management (operational/project level).

4.1.8 Some Departments have already integrated risk assessment into many of their planning processes. However, practice is uneven, and crucially may not be well integrated in the initial development of policy options and in policy decision taking. This confirms the findings of the NAO report, Supporting Innovation, and the PAC’s Managing Risk in Government Departments, that managing risk needs to be more clearly an integral part of the way government’s business is done. The NAO has also highlighted the need for Departments to take greater account of the identification and management of risk in the development and implementation of policies [29].

[29] NAO, Modern Policy Making: Ensuring Policies Deliver Value for Money, November 2001.

4.1.10 Some key issues have emerged:

• early risk identification and assessment at policy option and development stages;

• a wider scope of risk assessment, including "soft" areas such as public perceptions and stakeholder views, the stability of the external environment, and political risk; as well as the more quantifiable risks (such as financial or economic risk); and availability of relevant and timely information; and

• continuing reassessment of risk and opportunities.

4.1.11 The lack of explicitness about risk issues and their management is a key concern. This undermines accountability and means that there is often no auditable trail of judgements about risks, making it impossible continuously to review risk judgements.

4.1.12 Some tools have been developed to embed risk management: RIAs require regulatory proposals to take account of risks; Departments have developed and published Risk Management Frameworks, which seek to establish comprehensive approaches; and the need to produce Statements of Internal Control (SICs), which will be prepared for the first time with accounts for 2001/02, are driving further improvements in processes.

4.1.13 The main barriers to effective assessment of risk in decisions include [31]:

• a lack of planning – decisions often need to be made quickly, and risk assessment will be compromised if information is not readily available, and issues anticipated;

• pressure on resources – encouraging planning on optimal assumptions;

• short planning horizons – traditionally Ministers have been more focused on announcements than on longer-term implementation and delivery – when risks might be realised (though this is changing with the current emphasis on delivery);

• lack of good quality, relevant information;

• limited in-house skills, experience and tools;

• the real difficulty of assessing and balancing risks and opportunities, and weighing, for example, financial versus other risks;

• fear of failure acting as a disincentive to innovation; and

• in some cases political anxiety about explicit acknowledgement of risk.

[31] as referenced in CMPS, Better Policy Making, November 2001 and the Strategy Unit Risk Project Board Survey (see annex 3).

4.1.15 They emphasise the need to ensure that there is a good current assessment of risks and a supporting knowledge base (see chapter 4.2); that decision makers and their advisers are fully equipped and incentivised (see chapters 4.2 and 4.4), and that the culture supports well judged risk taking (see chapter 6).

4.1.17 … we propose that government should aim for all major decisions to be informed by a systematic appraisal of risk and opportunity [33]. Our overall recommendation (rec.1) is that there should be an explicit appraisal of risks, as well as benefits and costs, in all the main business processes (including the Spending Review, policy making, business planning, project and programme management, performance management and investment analysis), where this does not happen already.

4.1.18 We therefore recommend (rec.1a) that strategic risks should be regularly considered by Departmental Boards, and the Civil Service Management Board (CSMB) as appropriate. The responsibility for handling and reporting risk should be aligned with accountability for delivery. Non-executive directors should play an important part in helping to identify strategic risk and provide an independent perspective on the level of risk faced and the adequacy of measures to address risk.

Policy making
4.1.20 Policy making is the process by which governments translate their political vision and priorities into programmes and actions to deliver outcomes. Failure explicitly to consider risk management in policy making and decisions can lead to serious problems, with costs and impact being borne by the public, or to opportunities for high risk/high reward options being passed over through lack of confidence in handling the threats. However, in many areas, there is at present no structured and enforced requirement to consider risks. Some very high priority policies have been implemented without adequate attention to risks, often leading to very costly exercises to put them right.

4.1.21 Some risk is unavoidable. Life is by its nature complex and messy and no formulae exist for making the business of policy making and implementation wholly predictable.

4.1.22 However, a more systematic approach to policy making can significantly reduce unnecessary failures. We therefore recommend (rec.2a) that policy making should include a proportionate and wider ranging consideration of risk, to provide an adequate review before proposals move into full development. Further, we recommend (rec.2b) that a more systematic requirement to consider risks should be implemented, which might be based on the OGC Gateway Reviews. Gateway Reviews were introduced in 2001 as checkpoints in the life of projects and programmes. They provide a thorough review, and sign-off, before work is allowed to proceed to the next stage of development (See Figure 4.1). Gate Zero, the first review, is a strategic assessment, checking that there is a sound business case for proceeding with the proposed change.

[policy options assessed]
4.1.23 We recommend (rec.2c) that this should include a sign-off that: there has been adequate identification and assessment of risk across the range of policy options; that any mitigation and contingency plans are sound; and that any assumptions should be reviewed and formally tested against future scenarios. This could be incorporated in existing assessments where these exist, such as the RIA and Investment Appraisals. These are externally reviewed and, if developed, would fulfil this requirement, avoiding the need for multiple reviews of the same proposal. It may also be possible, in carrying out the Gateway Review, to draw on, for example, the Regulatory Impact Unit’s (RIU) Policy Effects Framework or the Integrated Policy Assessment tool being piloted by the Office of the Deputy Prime Minister/Department for Transport (ODPM/DfT) (which allows appraisal of policies against economic, social and environmental impact and distributional categories). This explicit, shared process of review should ensure that Ministers are given open and honest advice about the risks entailed in decisions, and help to make better quality decisions, balancing the threats and opportunities in the context of the government’s risk tolerance in the relevant policy area.

4.1.24 Each Gateway Review should be underpinned by an explicit assessment of the risks and opportunities of proceeding, informed where necessary by the views of all relevant stakeholders. This should involve risk/hazard identification, assessment, and judgement of risks drawing on empirical evidence and the public context, and development of options for managing the risks (mitigation actions and contingency plans). Risk assessment is likely to combine quantitative factors with softer judgements, such as the social aspects of risk.

Figure 4.2

Risk Identification: Empirical - research & incident occurrence; Imaginative – horizon scanning & experience

Risk Assessment: Trends & statistics; Technical quantification; Evaluation evidence; Values & ethics; Public views of acceptable risks; Social, cultural & political issues; Economics & international policy.

Development of policy options: Judgements – selection of options and cost-benefit trade off; Consultation & engagement.

4.1.30 The Spending Review results in agreed objectives and targets, PSAs, and, from 2002, supporting Delivery Plans for all Departments; and spending plans across government. These plans cover a three-year period. The guidance given to Departments clearly details how they should set out the analysis of resources required and the basis of their targets. The link between resources and outcomes has been dramatically improved in recent years, and is likely to lead to greatly improved value for money. But risk is still an underdeveloped area, with little mention in the guidance.

4.1.31 It will also be less easy to spot risks that cut across Departmental boundaries ("cross-cutting risks"), because there is no common approach or format to aggregate them. And the baseline recording of risks will not be sharply focused.

4.1.32 We recommend (rec.3a) that the Treasury should further develop the approach to risk in the Spending Review. This should involve developing the guidance for Departments before the 2004 Spending Review and issuing specific guidance on assessing risk to the Treasury Spending Teams (similar to recent guidance on Deliverability) for use in finalising delivery plans in autumn 2002.

4.1.33 It is recommended (rec.3b) that the Treasury, DU and Civil Contingencies Secretariat (CCS) should work together with Departments in autumn 2002 to ensure that their delivery plans adequately address risk, balancing the need to invest in resilience with the pursuit of other objectives; and that cross-cutting risks are identified and accountability for action established. Monitoring arrangements should track risk assessments and progress with mitigation plans, reporting to the PSX cabinet committee.

4.1.34 We also recommend (rec.3c) that for the 2004 Spending Review:

• there should be an increased, mandatory requirement for risk assessment (perhaps linked to OGC Gate Zero) to be fulfilled before PSAs are published and funding is released.

• incentives could be introduced to encourage good quality risk assessment, for example this could lead to increased autonomy and delegated financial authority.

• the Treasury should consider whether a more explicit portfolio approach to risk might be taken in the 2004 Spending Review – with the outcome being a mix of high risk/high return objectives and lower risk areas with less challenging service delivery targets. Better risk information would also enable a more structured approach to cross-cutting risks, with the Treasury being well placed to facilitate discussion between Departments.

Business planning
4.1.35 We recommend (rec.4a) that business planners make full use of the Cabinet Office guide, Your Delivery Strategy: a Practical Look at Business Planning and Risk. This provides specific guidance and incorporates other sources such as the Treasury Orange Book.

4.1.36 Delivery plans need to include better quality risk management plans. Even for the government’s most important objectives these have recently been found wanting. When the DU first received plans for key programmes on education, health, crime and transport in 2001 the information provided on risks was much less developed than other parts. So we recommend (rec.4b) that Departments should review the quality of risk information in their plans. We recommend (rec.4c) that the format of the DU plans should be further developed to show detail of risks, their likelihood and impact, and mitigation and contingency plans. This format should then be made widely available to Departments as a model.

Project and programme management
4.1.37 We recommend (rec.5) that Departments follow the OGC guidance on managing risk in projects and programmes and apply this guidance to their Gateway Reviews, where risks must be weighed up and plans to manage them signed off before moving to the next project stage.

4.1.38 The need for this to be done properly, and the scale of improvement needed, even in this relatively advanced area, is demonstrated by a recent study of OGC Gateway findings. This found that 63 per cent of Gateway Reviews had identified weaknesses in risk management (the second most significant problem area, after skills shortages), and little evidence of lessons being learnt. Key issues remain around: proactive review of risks, particularly in anticipating those external factors which may seriously damage delivery prospects; and contingency planning.

[cost-benefit of options]
Investment appraisal
4.1.39 Decision making needs to be underpinned by investment appraisal focused on benefits, costs and risks, explicitly identifying and assessing risks and developing risk mitigation plans for priority risks from conception to appraisal and into execution. This approach needs to be taken as part of all key submissions (Spending Review, business planning, policy development and delivery, programme appraisal) and addressed at all levels. We recommend (rec.6a) that pro formas or templates are used by Departments to help with this, which could build on RIAs. Using post-project evaluations (PPEs) as a means of formally reviewing risk outcomes at the operational level could be beneficial. We recommend (rec.6b) that cost benefit analysis be developed to include explicit risk assessment as a significant element of option appraisal. Tools should handle subjective risk assessments adequately, not just harder evidence. Decisions need to deal with gaps between perception of risk and objective measures. In the short term, decisions need to acknowledge perceptions, but efforts should be made to close the gap over the medium/long term. We recommend (rec.6c) that the Treasury’s guide to investment appraisal (known as the "Green Book") should be developed to deal with these issues.

Likely impact of recommendations in this chapter
4.1.44 In order to be sure that progress is being made and benefits are being delivered, we recommend (rec.8) that there should be a full review of the position after a specific period. This will need to be underpinned by monitoring and evaluation arrangements, as an integral part of the recommended improvements. This should help carry forward the PAC’s conclusion that: "The Cabinet Office should carefully monitor Departments’ implementation of their risk frameworks, assess their impact in improving risk management and seek corrective action by Departments to address deficiencies". We agree with the need for a central role of this sort, to drive change forward more uniformly across the range of government business, though as discussed later (in chapter 4.3) not necessarily either based in the Cabinet Office, or centred specifically on risk frameworks.

4.2 ESTABLISHING RISK MANAGEMENT TECHNIQUES

Summary
The use of risk management techniques in government has been developing along a similar path to the private sector – from audit/finance and health and safety, to operational management and projects, and finally to strategic areas. There are a number of drivers of change including the focus on achieving outcomes and improving performance, which inevitably turns attention to the risks of not achieving targets; and requirements to demonstrate adequate control systems. There are particular gaps at the strategic level, where practice is less developed. We consider developments in horizon scanning, contingency planning, crisis management, and building resilience. Important common issues are the imaginative use of experience (as opposed to mechanistic process application), and a more systematic approach to softer areas of risk – including public perceptions, strategic fit, and reputational risk.

4.2.9 The EIU report of 2001, Enterprise Risk Management (ERM) [45] found that:

• non-traditional risks pose the greatest threat. Executives reported that their most significant risks aren’t those traditionally managed by the risk management or treasury departments. The top three are customer loyalty, competitive threats, and operational failure. These are also among the risks companies believe they manage least well. Equivalents in the public sector would be public satisfaction and trust in services, and maintaining service delivery;

[Orange Book]
4.2.13 The Treasury’s guide, Management of Risk – A Strategic Overview (known as the "Orange Book"), published in January 2001, sets out an approach, which is becoming widely used in government.

4.2.14 The Orange Book provides a framework for linking risks to key organisational objectives, indicates the sort of tools which might be used, and outlines a cycle of risk management activity (see Figure 4.4).

[OGC Guidelines - 35]
4.2.17 The OGC has published its Risk Guidelines, Risk Briefing and Management of Risk: Guidance for Practitioners, which are intended to help organisations put in place effective frameworks for taking informed decisions about risk, providing pointers to more detailed sources of advice on tools and techniques [46]. It offers detailed help in establishing risk management and in implementing techniques. It has developed the Treasury risk cycle further. Through its IPPD work, OPSR will provide a simple introduction to the OGC’s guidance, accessible to policy makers. This will be part of an overarching Programme/Project Management framework located on the OGC’s website as part of the Successful Delivery Toolkit (www.ogc.gov.uk).

[46] OGC, Management of Risk: Guidance for Practitioners, op. cit.

4.2.18 We recommend (rec.9) that there should be an ongoing programme of work to ensure that the guidance is integrated, comprehensive and comprehensible, and provides a flexible and accessible framework for Departments. The guidance should incorporate the findings of this report and develop a standard for government. This can then be the basis for standardisation of training material and for benchmarking. It should adopt the simplest possible models and language.

Risk identification
4.2.20 Risk identification requires creativity, ingenuity and wide involvement to ensure the key risks are spotted. At the strategic level this involves methods to spot future risks:

• for example, a Strategy Unit paper [47] presents six methods which can be used (quantitative trend analyses; qualitative trend analyses; Delphi survey (a method for gathering information or beliefs from a panel of experts); scenario methods; wild cards (events with a low probability of occurring but which would have a big impact if they did); and futures workshops (an open process which consists of engaging a wide range of people in envisioning the future);

• horizon scanning is a key feature of the work of the CCS and is used to try and spot potential disruptive challenges across government.

[47] Strategy Unit, A futurist’s toolbox: methodologies in futures work, September 2001.

4.2.24 To facilitate identification and management of risk, both the OGC and Treasury guidance provide checklists of risk types. Our study found that in practice a lot of organisations have developed short, grouped lists of risks. For example, the SRA uses: corporate and strategic; business delivery; and asset, and looks separately at major impact mitigation (including crisis handling, business continuity planning (BCP) and use of insurance). No common checklist has yet developed although there are similarities (rough groupings are: strategic/corporate/ external; activity/operational/delivery including project/programme; and financial/ asset management). The establishment of a broad common categorisation could significantly help communication across government – we recommend (rec.11) that the Treasury should lead efforts to establish this. A starting point could be to consider three categories: strategic (including major external threats, significant cross-cutting risks, and longer term threats and opportunities); delivery (both operational and project/ programme risks, including resourcing risks) and financial (a separate cross-cutting category). Project/programme risks might warrant a separate category.

4.2.26 Despite areas of good practice, systems still need to be developed that replicate the accountability and responsibility frameworks that exist for financial management.

Assessment/evaluation
4.2.27 Most progress has been made with assessing risks which lend themselves to quantification – particularly financial risk, and repeatable health and safety risks [48]. Our experience also shows that executive agencies tend to be more advanced than policy departments.

[48] e.g. see HSE, Five Steps to Risk Assessment, 1996. In addition, MOD’s Defence Science and Technology Laboratory (DSTL) has produced specific guidance including on "three-point estimation" – identifying minimum, maximum and most likely out-turns, to define a range of uncertainty around risks.

4.2.28 Areas for development include wider use of public perceptions of risk, and techniques to bring together judgements from a wide range of stakeholders to inform decisions. The recent EIU study highlighted the importance of reputational risk to private sector organisations. A similar focus is likely to develop for the public sector, linked to establishing and maintaining the trust of the public.

4.2.30 The level of uncertainty will play a key role in determining the approach to risk assessment. In strategic decision making, where uncertainty is high, the approach to risk assessment will tend to rely on exploring scenarios, past experience of generic hazards, and analysis of whether action needs to be taken to avoid serious consequences of very uncertain events.

4.2.31 Judgements will also be a key element here. A commonly used approach is to develop a risk profile matrix (Figure 4.7), mapping risks against likelihood and impact, combining judgements with numerical analysis where possible into High, Medium, and Low ratings. Further analysis of the confidence of managing the risks successfully can then be used to prioritise management action.

Getting value from risk assessment
4.2.32 Risk assessment can be a time consuming and resource intensive process. In principle it should be carried out for every policy decision, but the approach should be scaled according to the significance of the decision to be taken. General criteria include:

• the potential risk to the public;

• the scale of financial or other resource commitment;

• whether the policy is novel or contentious;

• the complexity of delivery – for example, where more than one Department or agency (government or non-government) is involved in delivering a programme, or the policy design is complex (risking misunderstanding or failure); and

• whether the proposed area for action has a history of failures.

4.2.33 We recommend (rec.12) that criteria should be developed as part of the arrangements for embedding risk in policy making proposed in chapter 4.1. A generic list could be developed which Departments could tailor, drawing on a systematic analysis of key or common risks that have occurred in their programmes.

4.2.34 Different parts of government will have different priorities and needs and, for example, may wish to develop a set of common decision criteria to help assess risks across a broad policy area, for example on health, or to reflect a more consistent approach where "value of life" criteria are already used, such as in transport.

Assessment of risk tolerance/risk appetite
4.2.35 Most risks cannot be eliminated altogether, and risk management involves making judgements about what level of risk is acceptable – risk tolerance or risk appetite. Such judgements are often difficult, both for individual risks and across a programme of activity.

[cost-benefit, equality]
4.2.36 Governments are generally keen to find ways to improve ways of working and public services – for example, by piloting new projects or introducing new technology – but they will be averse to: risks that affect public health and safety, such as the risk of contagious disease; risks with irreversible consequences, such as the risks associated with climate change; or risks that threaten people’s access to essential services. In all cases, they need to weigh up the risks and benefits associated with each course of action, and judge whether they are distributed fairly.

4.2.37 This [risk appetite] is an implicit feature of all decision making in government. There will be an underlying level of willingness to take risks in particular situations (areas of business, at different times). Risk tolerance can be indicated on the risk profile diagram (Figure 4.7 above) by the solid black line – with all of those risks to the right requiring mitigation action to make them acceptable.

This approach is often used where risk management is well developed, on specific projects or in service delivery areas (such as by the Welsh Development Agency), or in assessing the continuing viability of projects or the capacity of service providers. We recommend (rec.13) that more use could be made by Departments at the policy making stage to ensure that Ministers are aware of the pattern of risks they will be taking and the prospects of adequately managing them.

[Orange Book]
Identification of responses
4.2.39 The Orange Book details four categories of response: transfer; tolerate; treat; and terminate. The government’s approach to risk transfer has developed in recent years (guidance now talks about "optimum risk allocation" rather than maximising risk transfer). Most often risks are "treated", for example, through developing mitigation plans. There is, however, little evidence of responses to risk being thoroughly identified at the policy development stage.

4.2.40 Well-developed decision making frameworks regarding the control of risk already exist in the UK. For example, in the area of occupational health and safety a set of principles and criteria have been developed in support of the legal requirement to reduce risks "as low as reasonably practicable" (ALARP). This is illustrated in Figure 4.8, which shows how both the likelihood and impact of the risk contribute to a decision on tolerability (and is, for example, used in assessing the response to risks from fire).

4.2.41 We recommend (rec.15) that consideration be given to the extension of such systematic approaches to strategic policy making, adapting them as necessary to recognise the less quantifiable nature of the data involved.

Internal controls
4.2.42 Detective controls to identify when a risk has been realised are perhaps the most well developed. These are "after the event" assessments, including Post Implementation Reviews, and Evaluations. Although these assessments are becoming more routinely applied, there is a clear need to ensure better capturing of lessons learned and application to subsequent decisions.
Directive and preventive controls cover specific risk mitigation measures, aiming to ensure that particular outcomes are achieved or to prevent the possibility of an undesirable outcome being realised. As risk management becomes more established, explicit use and monitoring of such measures is becoming more widespread outside traditional financial areas.
Corrective controls are designed to correct undesirable outcomes, which have been realised – these include crisis management arrangements and the contingency planning which underpins them.

Assurance about effectiveness of control
4.2.43 SICs are a key mechanism for providing assurance about control. They will increasingly drive improvements. However, currently, our survey of risk experts suggests that in both the public and private sectors assessment of implementation of risk management was most likely to be done only "in pockets across the organisation".

[50] The PSBS (a partnership between the Cabinet Office and HM Customs and Excise) is a knowledge management system that also provides an information and advisory service specifically geared to spreading good practice across traditional public sector boundaries. Risk management is a key area covered.

Embedding risk in the way the organisation works
4.2.45 In summary, there is uneven application of risk management techniques across government – these tend to be better established in financial and project management areas. This needs to be extended, crucially to policy development as well as to policy/programme planning.

4.2.46 … we recommend (rec.16) that specific risk management benchmarking arrangements be developed. This could adapt the benchmarking service developed in Australia by Comcover (established to provide insurance and risk management services for government bodies), which rates ten Key Performance Indicators (KPIs) as either:

• Level 1 – Early – Evolving a risk management culture

• Level 2 – Intermediate – Implementing a risk management system

• Level 3 – Advanced – Continuously improving risk management practices

Their KPIs are:

• Integrated risk management approach

• Committed and led

• Positive and proactive focus

• Process-driven

• Planned for continuous improvement

• Active communication

• Audited and documented

• Resourced

• Trained and educated

• Value-based decisions

Techniques for handling strategic risks
4.2.48 There are particular gaps at the strategic level, where practice is less well developed, and where the CCS is starting to fill the gap. With the CCS we have reviewed the current situation and recommend further developments in the paragraphs below.

4.2.50 There are four main areas of the CCS’s activity:

• identification and assessment (including horizon scanning);

• contingency planning;

• consequence management (crisis management when serious risks are realised); and

• building resilience to disruptive threats.

Identification and assessment
4.2.51 The CCS is starting to provide confidential horizon scanning reports to Ministers and Permanent Secretaries, identifying developments with potential to cause serious disruption to the running of the UK nationally or regionally. These might include issues such as … health issues likely to overburden the health service or challenge public confidence.

4.2.54 Simulation events, built around scenarios, can help to identify and prepare for such low probability/high impact contingencies and we recommend (rec.18) that these methods be explored.

4.2.55 Other parts of government may also need to build up their role in scanning for potential risks. For example, we recommend (rec.19) that the Social Exclusion Unit (SEU), working with the Neighbourhood Renewal Unit, the Regional Co-ordination Unit and relevant Departments, could consider playing a larger role in tracking potential crosscutting risks, including the impact of government initiatives on these risks. Anecdotal and subjective information needs to be drawn in from front-line staff, the public, inspectorates and others.

4.3 ORGANISING TO MANAGE RISK

Summary
Implementing effective risk management across government depends heavily on the primary responsibility of Departments to handle specific risks. They in turn can transfer responsibility to agencies, Non- Departmental Public Bodies (NDPBs). The centre of government has a role in anticipating and providing support for handling crises; in tracking and responding to cross-cutting risks; and supporting delivery where there are significant risks to key government objectives. The centre also has a role in supporting and advising Departments on developing their risk management capabilities. Risk management can be improved by ensuring that risk is handled by those best placed to do so. Further use of arm’s-length bodies should be considered, along with ways of improving service delivery partnerships with other organisations.

Organisational issues for Departments
4.3.1 Accountability for risk management lies with Departments as part of their accountability for government programmes. This includes both managing risks and developing the capabilities to enable this to be done well. The central Departments (Cabinet Office and Treasury) also provide cross-government support for both of these functions.

4.3.2 Within Departments specific risks may be managed by agencies or outside bodies working in partnership with the Department (for example, delivery risks often lie with agencies). Best practice is that risks should be managed at the lowest possible level within the organisations, with clear accountability established, and systems and processes designed to support that.

4.3.4 Key organisational issues for Departments include:

• ensuring risk ownership is aligned with accountability for delivery and authority to act – and the extent to which placing responsibility on those accountable for results needs to be supported by a central focus of expertise;

• Reporting arrangements – feeding up to the Board the results of Risk Self-Assessments, as in many government Departments and elsewhere; and

• ensuring risk specialists are closely enough linked to policy and operational decision makers to offer effective support.

Central support
4.3.6 The centre of government – No. 10, Cabinet Office and Treasury – will typically take a supporting role in managing risks, other than in exceptional circumstances where it may be involved in more hands-on co-ordination. This includes:

• providing the strategic context for decisions;

• assurance – regularly testing judgements about key risks and procedures;

• crisis management – co-ordinating action when risk is escalated beyond a certain level;

• co-ordination of communication and learning in agreed circumstances, such as taking a strategic view of high profile risk communication issues;

• taking an overview of large-scale threats and opportunities;

• identifying cross-cutting risks, that are less likely to be dealt with adequately, and ensuring that accountabilities are clearly understood and acted on;

• managing interdependencies between individual Departmental operations, where necessary anticipation and/or resilience needs to be built up in other Departments; and

• providing a centre of risk management expertise.

4.3.7. This strategic, corporate approach is consistent with the findings of the EIU, that in the private sector the predominant role of the centre is one of co-ordination and support. The EIU found that "co-ordinating centrally but implementing locally" was the most common mode.

4.3.8 … our study suggests that improvements could be made in:

• providing systematic assurance that key risks are being managed effectively;

• providing accurate real-time information;

• developing a wider range of sources of information. The structure of government, with issues usually being dealt with in single Departmental channels, tends to work against this;

• identifying or co-ordinating handling of risks, or areas of risk, across Departmental boundaries;

• assessing the risk portfolio as a whole and judging the capacity to take on new risks; and

• clarity about who does what on risk at the centre of government.

4.3.9 Feedback from Departmental Board members suggests that "Departments have to own risks" and "too much central control is likely to be counterproductive",… that "efforts should be aimed at ensuring more joined up working", which was seen by one as "the classic case for the centre to assume the lead", and "the centre should have a co-ordinating role in redeploying resources if the lead Department cannot accomplish this itself".

4.3.11 The study has identified two broad groups of risk, where Departmental Board members consider central support can be valuable:

• risks which have the clear potential to become, or already are, crises, where there is likely to be a rapid escalation of public concern (and where the CCS has a key role); and

• certain ongoing delivery risks, including significant risks to key government objectives, and risks which are not manageable by one Department alone. Risks may fall into this latter category because they require extra resources or are inherently cross-cutting and their severity is only apparent when viewed across the whole of government. In these cases, Departments may benefit from a more coordinated approach to mitigation.

Delivery risks
4.3.15 In addition, the centre needs assurance that risks to the delivery of the government’s programme are being managed, and should provide support where needed. Whereas crises are primarily about dealing with threat (the negative aspect of risk), managing delivery risks will also cover "opportunity risk" – i.e. the issues which arise from seeking improvements (such as increased demand for scarce resources, difficulties with implementing and operating new services, including levels of public acceptance and media reaction). Failure to manage these risks well may often not have such visible, immediate and high profile consequences, but the long-term impact can be equally significant.

Reporting risks
4.3.17 There are currently several parallel strands of reporting corporately on risks:

• the CCS reports on disruptive challenges to the Prime Minister;

• the DU reports on risks to key programmes to the Prime Minister;

• the PSX Cabinet Committee reports to the Cabinet on current issues with delivering PSAs;

• media reports, highlighting threats to the government’s reputation, are sent by the Media Monitoring Unit to all Departments, including No. 10.

Active support by the centre of government for developing risk management

4.3.19 The study has found that:

• there are currently a wide range of different units and committees who influence risk management, including: ILGRA; the Risk Management Steering Group; several parts of the Cabinet Office (CCS, CDG) and Treasury (Spending Review, Investment Appraisal, Audit), as well as partnerships such as OPSR and OGC on IPPD. Further details are at Figure 4.9. Most of the individual functions carried out are valued, but the overall picture causes confusion;

• there is a perception of advice being delivered through "initiatives", with the centre moving on to the next initiative and failing to provide ongoing support. This adds to Departments’ workload;

• informal risk networks are developing, but they need support to be effective in identifying and sharing good practice; and

• fragmented approaches to risk management across the centre of government have contributed to confusion within government bodies. Many different guides exist and Departments and agencies have been left to their own devices to decide on the method of implementation, which has consequently been disparate. There is no single point of contact or centre of expertise to whom Departments can turn.

4.3.20 We recommend that the centre should provide active support to assist Departments to implement a more effective risk approach across government. The centre should invest in:

• co-ordinating and supporting an overall programme of change, including monitoring progress and assessing the effectiveness of risk handling across government;

• better co-ordinated and more accessible guidance;

• a contingency resource and expertise which Departments can draw on in managing and arresting crises;

• a shared, more established risk/crisis communications approach;

• an expert resource in the management of risk to assist Department staff in improving the quality of implementation; and

• a more accessible and active approach to the sharing of good practice across government.

Figure 4.9: Units and committees that influence risk management (summer 2002)

Treasury:

• Public Services Directorate and Finance Management and Reporting: Corporate governance initiatives, SICs, guidance on risk management (Orange Book), Green Book on investment appraisal, Spending Review guidance.

• Office of Government Commerce: General guidance on risk management; PFI; project and programme management.

Cabinet Office:

• Corporate Development Group: Civil Service reform; Senior Civil Service (SCS) competencies and leadership; training and development programmes; Risk in Business Planning.

• Civil Contingencies Secretariat: Improving the government’s ability to handle disruptive challenges that can lead to or result in crisis.

• Delivery Unit: Supporting delivery of key government priorities.

• Office for Public Service Reform: Model of High Performing Department; IPPD ending December 2002.

• Strategy Unit: Study of risk management. Strategic futures.

+ Policy Studies Directorate: Guidance on better policy making.

• Regulatory Impact Unit: Supporting the development of risk frameworks and the risk portal; guidance, advice and training on RIAs.

• Better Regulation Task Force: Examining models of risk communication.

Committees:

• Risk Management Steering Group: Advise/facilitate consistent and co-ordinated development of policy and guidance relating to risk across central government.

• Interdepartmental Liaison Group on Risk Assessment: Help secure coherence and consistency within and between policy and practice in risk assessment and help disseminate and advance good practice.

• Risk Advisory Group: Develop a government statement on risk.

Other organisations:

• Health and Safety Executive: To offer advice and guidance on health and safety issues.

4.3.22 Key points that we considered include:

• to provide effective support across the overall programme requires a range of skills to be applied; and

• for the support to be most effective it should be fully integrated with the process of agreeing Departments plans, to ensure that it is delivering real business benefits. It should also be linked closely to the programme of work to improve risk management as part of corporate governance.

4.3.24 It is recommended (rec.27) that the quality of government risk management should be improved through a two-year programme of change to improve its capabilities. The timetable should be integrated with that of the Spending Review and the production of SICs. The programme should include the following strands (integrating the Strategy Unit recommendations with existing initiatives):

• communications with the public;

• embedding risk (in the Spending Review, policy making, business planning, project and programme management);

• leadership and culture change;

• skills;

• guidance, standards and benchmarking; and

• corporate governance.

4.3.25 Departments are accountable for improving their risk management in these areas. The centre should be responsible for providing a clear framework for change and ensuring Departments have the support they need. Existing central risk functions should be rationalised to implement this approach.

4.3.26 It is recommended (rec.28) that an Implementation Steering Group should be established (replacing the various existing groups – the Risk Management Steering Group, ILGRA, and Risk Advisory Group) to drive change over the two-year period leading into the next Spending Review (2004). This group should draw together the main interests across government and be chaired by an authoritative figure, perhaps a member of the CSMB. Progress should be reported regularly to PSX and the CSMB. Outline terms of reference and membership have been developed as part of the implementation plan.

4.3.27 The Steering Group should be supported by a small central team in the Treasury, the Risk Support Team, drawn from existing sources of activity (including the Treasury, OGC, HSE, the Cabinet Office, the Government Information and Communication Service (GICS) and others) who would monitor progress; provide a central expert resource; review and coordinate advice and guidance on risk management; help establish and support an interdepartmental risk network; and consider further steps to rationalise current central responsibilities and initiatives.

4.3.28 We recommend (rec.29) that Departments should consider whether they might establish similar individuals or teams internally to drive and support change.

Placing risk where it can best be managed
4.3.29 Responsibility for handling risk should lie with those best placed to deal with it. This can only be judged on a case-by-case basis, but criteria include:

• competence – who has the skills and experience and/or can best recruit and retain the right people?

• capacity – does the capacity exist? Can it be developed?

• public interest – is there sufficient assurance that the public interest will be protected?

• value for money – who will offer the best trade-off between costs and benefits?

• management – can the arrangements be adequately managed?

• subsidiarity – operational decisions will often be best made by those closest to service delivery.

[Arm's-length bodies]
Policy making
4.3.30 Organisational change has been actively used to enable government to pursue better outcomes and better manage risk (see Figure 4.10). This has involved placing operational responsibilities with a range of bodies from agencies within government Departments, to NDPBs and local government, to private and voluntary sector organisations. It has also involved transferring policy responsibilities to others. For example, policy advice is now often provided by outside bodies where specific technical expertise is involved, and government has relatively recently gone further by setting up the Food Standards Agency as an arm’s-length body with a role to provide advice direct to the public without recourse to Ministers. The National Institute for Clinical Excellence (NICE) offers guidance direct to patients, health professionals and the public on best practice. And even more radically, some policy decisions are now taken outside government, for example by the Monetary Policy Committee (MPC).

4.3.31 It is worth exploring whether the use of arm’s-length bodies in policy making could be increased. The benefits of careful use are clear: they may be much better placed than government Departments to recruit and retain the specific expertise needed and thus be able to provide better advice/decisions; and they may well be more trusted than government (for example, the Food Standards Agency, where consumer ratings of the reliability of their information has risen to 93 per cent from 75 per cent between 2000 and 2001 and the MPC, where public satisfaction is high – 55 per cent were very satisfied with the way interest rates were being set to control inflation) [57].

[57] NOP, Survey of Public Attitudes to Inflation, February 2001.

4.3.32 We recommend (rec.30) that Departments should consider whether the conditions exist for them to be used. These include: the ability to set a clear strategic framework within which experts can work (for example, the framework for monetary policy); confidence that the body would command public support; and a significant role for expert knowledge. This may be particularly appropriate where risks to the public make trust a key concern.

Service delivery
4.3.33 In service delivery and investment areas, current PFI guidance highlights the importance of appropriate risk allocation between the public and private sectors (seeking an optimum rather than maximum risk transfer). It points out that to obtain good value for money, transferred risks need to be within the control of the partner organisation, otherwise they will seek to charge a premium for taking it on. The main categories of risk to be considered have been established as: design and construction; commissioning and operating; demand; residual value; technology/obsolescence; regulation; project financing; contractor default; and refinancing. It has become increasingly apparent that Departments cannot transfer the underlying political risk of failure, or any consequent impacts on their core business. This points to the importance of working in partnership, and highlights the need for sound management arrangements.

4.3.34 Where partnerships with other private/public/voluntary sector organisations are used to deliver services, there are management issues that could be better handled:

• the PAC has highlighted the need to improve understanding of the risk management systems of partner organisations [58] both in terms of confirming quality and in terms of having an integrated approach. We recommend (rec.30a) that use of a risk management standard as the basis for accrediting partners’ risk management arrangements should be considered;

• recent rail incidents have highlighted the need for clear accountability for managing risks, especially when there may be a complex pattern of organisations involved in service delivery. We recommend (rec.30b) that where responsibility for risk is transferred to a partner organisation, particular care is taken to ensure that accountabilities are clearly established by Departments, procedures for escalating risks are agreed [59], and capacity maintained to manage and monitor performance (including provision of relevant information) and to take early action in the event of difficulty; and

• the PAC’s review of PFI projects [60] also finds that public bodies are not doing enough to manage their PFI contracts after they have been agreed. Findings include the need to ensure a clear ongoing link between risk and reward – avoiding the impression that government will always bail out contractors, as has happened in some individual cases, such as the Royal Armouries Museum or the Channel Tunnel Rail Link.

4.3.35 It is also recommended (rec.30c) that there is a case for developing further approaches to contracting with partners, especially where the aim is primarily to deliver a service rather than, for example, a large-scale capital project. This might involve shorter contract periods, more flexible contracting arrangements and lower transaction costs than are typical with PFI arrangements. The Treasury and OGC should consider this in developing government’s approach to partnerships.

[58] PAC, Managing Risks in Government Departments, op. cit.

[59] For example, as recommended in the Interim Recommendations of the Investigation Board into the Hatfield Derailment, August 2002.

[60] PAC, 42nd Report: Managing the Relationship to Secure a Successful Partnership in PFI Projects, July 2002.

Departments working together – networking and peer review
4.3.36 Establishing an effective network is seen as an important way of helping Departments to develop quickly through sharing best practice. We recommend (rec.31a) that a network could be set up of the "risk improvement managers" proposed in chapter 4.4.

4.3.37 We recommend (rec.31b) that this network, combined with the Implementation Steering Group, could take on ILGRA’s current responsibilities (reviewing management of cross-cutting risks; ensuring risk is considered in agreeing PSAs; promoting a consistent approach to risk; and improving risk communication). This could build on the strong track record of ILGRA, effectively embedding in the machinery of government its current role as a champion group.

4.3.38 We also recommend (rec.31c) that the people network could be supported by the developing IT-based knowledge networks, from existing Cabinet Office web-based tools: including the Risk Portal, the Policy Hub’s knowledge pools, and the PSBS.

4.3.39 A specific role for the network would be to provide peer group reviews and challenges. Peer review has been a growing area in government, but has been hampered by availability of suitable reviewers. The network would provide a ready source of expertise, but this would have to be underpinned by an understanding that peer review work is part of the participant’s job – justified on the basis that their would be reciprocal gains. Peer review could also be used within Departments, where there may well be several centres of risk expertise (for example, within audit, projects and programmes and individual delivery organisations, and we hope increasingly in policy areas).

4.3.40 Peer review is used extensively by BP, an acknowledged leader in risk management. Within BP, the use of peers forms the backbone of risk management, in order to ensure consistency in approach, improved use of knowledge and adoption of best practice.

This structure assists in:

• ensuring consistent quality and approach to risk management;

• leveraging knowledge across the organisations;

• ensuring greater openness;

• ensuring that best practices are adopted;

• circulating lessons learned; and

• creating contacts in a formal setting that will be used on an informal basis.

4.3.41 We recommend (rec.32) a similar approach in government. This would provide a good basis, for example, for developing responses to risks that span more than one Department, enabling the right contacts to be made to gather intelligence and share information, and assess risks holistically across functions.

4.4 DEVELOPING SKILLS

Summary

• To embed risk management thinking and capability in government’s way of doing business, risk management needs to become an integral part of mainstream learning and development at all management levels.

• Although the importance of developing risk management awareness and skills is well recognised, risk management thinking is still at an early stage within government.

• There should be a co-ordinated and systematic approach to the provision of risk management skills and training under CDG leadership.

• This should be based on a common understanding of good practice on risk handling, including the possible "standard" for risk management in government (discussed in chapter 4.2).

• Risk management should become more prominent within the full range of Civil Service management systems, for example through developing the risk management elements in the core competences, similar to developments in project management.

• Each Department or agency should appoint a risk improvement manager to spearhead its programme of work to develop processes, systems and skills to support the effective handling of risk. This should include a review of current spend on risk management specialists and the scope for in-house expertise.

4.4.1 It is widely accepted that, in order to handle risk better, employees need both the right skills and the right attitudes.

4.4.2 Some of this can be achieved by formal training. Equally important are experiences – for example, simulations – that help people to understand, emotionally as well as rationally, the importance of handling risk more professionally.

4.4.4 In addition, there are a number of different organisations that lead risk management training and development:

• the Treasury sponsors a number of seminars on risk/SIC issues and supports CDG in its corporate governance course and in its training for new NDPB Board members;

• the OGC has developed a training module aimed at people who wish to develop a special expertise in risk management, which could support a wider best practice model.

4.4.5 These would benefit from a common framework, to ensure that the messages are consistent with wider government policy thinking on risk. We recommend that (rec.33):

  • there should be a co-ordinated and systematic approach to the provision of risk management skills and training, under CDG leadership. This should include:

– the development of a common core of risk management material (linked to the proposed standard) on which all programmes could be based;

– a review of key mainstream development programmes that could usefully cover risk management and innovation, including centrally-led programmes for general management training, specific training focused on effective policy making, financial management and project management, and senior management development programmes [63]; and

– integration with the training framework, developed by OGC to complement Management of Risk: Guidance for Practitioners [64].

  • the review should be included in the two year programme of work that we recommend to achieve a step change in government’s capability to handle risk;
  • Departments’ heads of human resources should conduct similar reviews of their own training and development programmes, which in turn might form part of the new Departmental Change Programmes; and
  • CDG should support action by Ministers and senior officials to foster a culture in which well-judged decisions about risks and opportunities can be made (see rec.42, chapter 6).

4.4.12 To support this, we recommend (rec.34a) that:

• each Department nominates a risk improvement manager to support this process – setting standards, and advising the Board on what is required. There are a number of different models that might be suitable, for example, the model adopted in some Departments for the project management and procurement specialisms. Departments may want to encourage their agencies to appoint separate risk improvement managers; and

• OGC should provide an advisory resource on systems and skills, drawing wherever possible on existing training and qualifications, but considering the possibility of introducing a uniform basic model.

4.5 ENSURING QUALITY

Summary

Raising the government’s game in relation to risk will require careful attention to how well new approaches are implemented. We recommend that a comprehensive quality standard be established for risk management. This should be co-ordinated by the new Risk Support Team and be complemented by benchmarking arrangements. Skills training should be linked to the new standard.

4.5.3 These standards define the risk management process (including steps such as: establish the context; identify, analyse, evaluate and treat the risks; communicate and consult; monitor and review) and the activities that underpin it, providing guidance on tools and techniques.

4.5.4 The most established, AS/NZS 4360, has been very well received internationally, widely influential, and adopted by, for example, the majority of government organisations in Australia and the National Health Service and Office of National Statistics in the UK. The Department of Health also proposes to adopt the standard.

[66] ed. Kloman, Risk Management Reports 1995–2000, Risk Management Standards October 2001 – (www.riskreports.com/standards.html)

[67] ISO/IEC, Guide 73, Risk Management Vocabulary: Guidelines for Use in Standards, July 2002.

4.5.5 There is not yet widespread use of a standard in the UK. Indeed, government has developed its own guidance (the Treasury and the OGC) in parallel with BS-6079-3, which in any case is project based. The Treasury is developing its own set of Risk Management Standards for Departments, linked to application of the "Orange Book" cycle, as a tool to evaluate how well Departments are implementing risk management.

4.5.6 We recommend (rec.36) that the OGC and the Treasury should review the direction for quality standards for government, drawing on best practice internationally and drawing on the findings of this report, to ensure a comprehensive and useable standard for UK government. This should build on current good practice, progressively providing a common framework and language. This work should be commissioned and overseen by the Implementation Steering Group proposed in chapter 4.3. Departmental Risk Frameworks should then be reviewed in light of the emerging standards.

4.5.7 Benchmarking is a further tool for improving quality in the application of risk management. We recommend (see rec.16) that government should develop the benchmarking approach set out in paragraph 4.2.46, utilising the expertise and facilities of the PSBS.

 

Chapter 5: Handling and communicating about risks to the public

5.14 Important lessons have been learned about the value of evidence-based decision making, openness and engagement, proportionality, consistency and targeting as part of the government’s reform agenda. The government has taken a number of steps to lay the foundations for better decision making about risks affecting the public. Principles of evidence-based decision making, openness and engagement are among those included in Better Policy Making. These principles are reflected in other cross-cutting policy initiatives, such as the Better Regulation Task Force’s (BRTF) Principles for Good Regulation.

5.16 The Code of Practice on Access to Government Information has set out a clear presumption towards openness in all areas of policy making, while recognising that some information needs to remain confidential.

The Freedom of Information Act 2000, which comes fully into force in 2005, enshrines those principles in legislation. The Act will be a major tool of change within government and is likely to provide a strong impetus for openness in risk communication. In addition, Departments are now required to publish Risk Frameworks that set out how decisions are made on risks that affect the public.

5.18 … public concerns are likely to increase significantly where the issues are unfamiliar or where the consequences inspire dread, regardless of the likelihood of the hazard. Other studies have identified that people are more likely to accept or tolerate risks where they feel that they are taking them voluntarily or that they have a say in how the risks are managed.

5.25 The Strategy Unit study has identified three main areas where there may be scope for improvement:

• more openness in providing access to information about risks to the public and about where Departments have made mistakes. Our analysis suggests that concerns are particularly marked where there is uncertainty about the nature or scale of the risk or where there is public dispute about the issues. In these circumstances, members of the public are least likely to trust the information they receive, and more likely to want to know the assumptions that Departments have used to inform their judgements;

• more transparency about the processes used to reach decisions. Our analysis suggests that scepticism tends to be highest where members of the public perceive themselves or their families to be directly at risk or where they cannot perceive direct benefits to them. In these circumstances, Departments may need to review whether they are doing enough to address this – in particular, by demonstrating that the approach they are taking is based on firm evidence, is responsive to public concerns, and is open to acknowledging uncertainty or dissent;

• more systematic involvement of the public in decisions about risks that affect them or concern them. This is closely linked to the issue of empowerment discussed earlier in this chapter. Three specific concerns were raised in our study in relation to communication with the public about risks they face:

– communication needs to start earlier in the policy development and decision process, wherever possible when framing decisions are being made.

– communication with the public on risks that affect them needs to be a genuinely two-way process; and

– involvement of the public in decisions about risks, both formal and informal, needs to be as widespread and balanced as possible. Stakeholders we spoke to suggested that, by restricting formal consultation to their usual list of contacts, Departments were more vulnerable to "group think" and as a result, key risks were sometimes missed. Similar concerns were voiced about informal soundings such as public attitude surveys, with one politician we spoke to suggesting that Departments sometimes confuse market research with genuine involvement in the decision process.

5.26 In the recent past, arm’s-length bodies such as the Monetary Policy Committee (MPC), Food Standards Agency and Financial Services Authority have shown that they may be better able to sustain public trust and effective decision making in handling certain risks. There may be scope for extending the role of bodies of this kind in other areas where issues of public trust are paramount.

5.29 A number of Departments we spoke to said that a widespread lack of understanding about basic risk concepts sometimes made it difficult for them to conduct an informed public debate about risks. The most frequent areas of concern were low levels of awareness about probabilities – leading to disproportionate levels of concern about high-impact, low probability risks – and a reluctance to accept that no activity could be entirely "risk free".

5.30 This will require action in a number of areas, including more openness and transparency, wider engagement of stakeholders and the public, wider availability of choice and more use of arm’s-length bodies to provide advice on risk decisions. The focus is on the handling of risks that affect the public directly – such as risks to health, property, investments or the environment.

5.33 Departments should implement these principles as part of their wider action to improve risk management set out in chapter 7. They will need to ensure that the principles apply across the range of public services for which they are responsible. This will be particularly important where the Department’s business is directly related to handling risks to the public, such as safety or health.

5.35 Departments’ communication about risk should be based on principles of openness and transparency. Unless there are clear grounds for exemption, Departments that handle risks to members of the public should publish their risk assessments (discussed in chapter 4.2), and also the underlying facts, assumptions, sources of information and procedures behind them, as early as possible to enable public scrutiny to take place, as they will be required to do under the Freedom of Information Act.

5.37 Risk improvement managers should ensure that their Departments have systems to involve stakeholders and the wider public in decisions about key risks affecting the public. Communications should be considered at the start of the policy development process for major policies involving risk to the public. Departments’ communication strategies should plan for a process of stakeholder and wider public engagement on key risks. Where possible, this process should begin when the key issues are framed, and allow public discussion of a range of possible solutions. This will be important, not only to ensure that the solution is widely accepted, but also as a matter of principle to ensure that individuals have a say over the management of risks that affect them.

5.38 The extent to which Departments need to involve the public in the decision process will depend on each particular case, and no one approach is likely to suit all risks. A more participative approach is likely to be needed where there are potential concerns that a risk is being imposed on the public with little perceived benefit in return. In such cases, Departments may wish to consider using some of the following approaches:

• involving members of the public in stakeholder forums and focus groups to help define issues and frame key decisions.

• using groups from a wide range of backgrounds to evaluate information, provide advice or take decisions in areas where risks occur frequently.

• exploring new ways of involving stakeholders and the wider public, in particular using the Internet to obtain views direct from the public.

5.39 We recommend that Departments should develop the capacity to identify which risk issues are likely to generate the most public concern or require public co-operation to tackle. This action should focus their efforts on risk communication.

5.41 Departments should also consider providing incentives for wider participation in public attitude research, particularly among marginalised groups, to ensure that their views are adequately reflected in risk assessments.

5.42 Chapter 2 suggests that responsibility for managing risks should be allocated to those who are in the best position to control the risk. In many cases, individuals will be best placed to manage the risks that affect them and will expect to be able to do so. It has long been accepted that individuals are more likely to tolerate a risk when they perceive that they are able to control their own exposure to it.

5.43 Where Departments have policy responsibility for handling risks that directly affect the public, they should consider the scope for increasing the availability of choice to individuals, supported by relevant information and advice.

5.47 Departments should consider the scope for making more use of information provided by arm’s-length bodies where there is a high degree of uncertainty or dissent about a risk. This will make it easier for people to distinguish between facts, assumptions and judgements.

5.48 Risk improvement managers should make arrangements to ensure that expert bodies that advise on risks to the public contain a broad-based membership and have access to advice on risk communication.

5.50 We recommend that guidance on risk communication, reflecting the principles proposed in this report and those of the Freedom of Information Act, should be issued across government as a whole. Steps should also be taken to ensure that it is adopted and followed by units involved in handling risks that affect the public. This work should inform action to change the culture of risk thinking within government, described in chapter 6.

5.51 We also recommend that the Chief Scientific Adviser considers what steps can be taken, for example as part of Departments’ risk communication action plans, to help members of the public and the news media to evaluate conflicting or new scientific advice.

Principles of managing risks to the public [now official guidance from Cabinet Office/HM Treasury]

 

Chapter 6: The role of leadership and culture change

Organisational culture can hamper effective risk taking and management

6.20 Organisational culture was also seen by a number of those we interviewed as one of the main potential barriers to implementing the proposed new approach towards risk management within government. In contrast with some leading private sector firms, the culture within government has often been characterised as being risk averse, lacking in innovation, and excessively concerned about failure and blame.

6.21 This has been seen by some external commentators as leading to a reactive and defensive approach to risk taking and management, which places disproportionate emphasis on inaction in the face of change and can take the form of a "bunker mentality" in times of crisis. This was not, however, a universally held view. The NAO, for example, sees the main problem as a lack of understanding of risk and risk management.

6.22 There was evidence to support both views from the interviews we carried out during our research. Typical examples include:

• high importance being given to protecting senior officials and Ministers from mistakes (this point was made a number of times during our interview programme);

• an emphasis on identifying potential problems rather than focusing on opportunity;

• a focus on crisis management rather than forward planning;

• unwillingness to be open about risks to projects; and

• a tendency to take decisions either to embark on risky programmes or to exercise caution without undertaking a proper risk assessment.

Unclear or incomplete lines of accountability

6.28 Our research suggests that attitudes towards risk may be influenced by the structure of accountability within government. Issues raised include:

• mismatches between accountability, responsibility, and authority to act. Where these are not properly aligned, this can encourage individuals either to be excessively cautious or to disregard key risks;

• the placing of accountability for all policy decisions, no matter how small, with Ministers. This can provide little incentive for officials to innovate and could encourage them to exercise excessive caution to protect themselves from criticism from Ministers; and

• the organisation of responsibility and accountability around individual Departments, rather than around government programmes, which increasingly require joint working between Departments and other partners.

In some cases, tensions between joint responsibilities and individual Departmental accountabilities can prevent Departments from exploiting opportunities, such as the opportunity to develop e-government strategies.

Weaknesses in risk management processes

6.32 The NAO argues that the main reason Departments are criticised on risk issues stems from a weakness of risk management across government, and from the fact that mistakes are often not learnt from.

6.33 Sir John Bourn, the Comptroller and Auditor General, has commented that the problem is more one of "risk ignorance" than risk aversion. He commented that: "The problem is not that the Whitehall culture is risk averse…Rather it is risk ignorant. It takes the most fantastic risks without knowing it is doing so."

6.34 A number of NAO and PAC reports have highlighted cases where there has been no evidence that key risks were identified and assessed early enough or at all, and where there was a lack of contingency planning.

6.43 Some specific points where Departments and the NAO and PAC might work together to ensure the right culture include:

• clearer accountability and responsibility.

• creating a better evidence base.

Departments can overcome potential hindsight bias by developing better audit trails of risk judgements and risk management actions.

• ensuring a balanced picture.