Foreword
Chapter 1: Introduction
Chapter 2: Government's role and responsibility
Chapter 3: Improving government's handling of risk - the challenge
Chapter 4. Improving capacity
4.1 Ensuring decisions take account of risk
4.2 Establishing risk management techniques
4.3 Organising to manage risk
4.4 Developing skills
4.5 Ensuring quality
Chapter 5: Handling and communicating about risks to the public
Chapter 6: The role of leadership and culture change
Foreword by Tony Blair: All life involves some risk. We
need to be sure that there is a proper balance
between the responsibilities of government and the
responsibilities of the individual.
Chapter 1: Introduction
1.1 The language of risk is used to cover a wide range
of different types of issue:
- safety
issues from BSE; in connection
with the Measles, Mumps and Rubella (MMR)
vaccine; and other issues of risk to the
public.
- the risk of damage to government's reputation in
the eyes of stakeholders and the public
and the harm this can do to its ability
to carry out its programme.
1.20 The risks that
the public faces may be voluntarily undertaken (for
example, smoking or dangerous sports), with greater
or lesser degrees of awareness of the risk, or
imposed by other individuals or organisations (for
example, risks from crime, commercial products or
technologies or the risk of nuclear accidents) or
natural events (such as flooding or severe weather).
We explore the consequences of this distinction for
government.
Chapter 2: Government's role and responsibility
2.3 Government's role reflects the extent to
which individuals and organisations can be expected
to understand and respond to the risk, and the extent
to which government has the capacity to bear the
risk:
- governments have a regulatory role in providing
the legal framework where the activities of
businesses and individuals give rise to risks to
others.
Regulatory role
2.6 Governments will
not normally intervene where individuals take risks
voluntarily and where they alone are affected. In
these circumstances, governments have a role in
ensuring that individuals are aware of their
responsibility and of the consequences of the risk
that they are taking. There is often room for
argument about precisely what falls under this
definition. For example, smoking, driving without a
seatbelt or undertaking dangerous sports are risks
that are taken voluntarily and mainly affect the
person taking them.
However, they may also indirectly impose costs on
others, for example to the taxpayer through the cost
of medical treatment.
2.7 Where risks
taken voluntarily have direct or indirect
consequences for others - for example, other
road users, the taxpayer or the environment -
government may intervene through regulation or other
means to limit or control that activity. Examples
include setting road speed limits, or legislating to
require the wearing of seatbelts or to restrict
tobacco advertising. The issues involved are often
complex - for example, over the regulation of
tobacco advertising - but the political and
legislative processes ensure that any legislation to
restrict activities that involve risk receives proper
scrutiny.
2.8 In addition,
governments will seek to ensure that those who impose
risks on others bear the cost of the consequences of
the risk.
2.10 In many cases,
it will be up to individuals or businesses to manage
their own exposure to such risks where they have the
knowledge or capacity to do so - for example,
through the lifestyle they choose or the investment
decisions they take.
Chapter 3: Improving government's handling of risk - the challenge
Summary
Government needs to handle risks at three main
levels: strategic, programme and operational.
Handling of risk at all three levels has been found
wanting in recent crises and policy failures, and
reports by the National Audit Office (NAO) and the
Public Accounts Committee (PAC) have found systematic
weaknesses.
The challenge
3.2 At the strategic level, what is at stake is the
government's political contract with the
electorate and the coherence of its overall
programme. Decisions will involve the formulation of
strategic objectives, the resource allocation
decisions to back them, and assessment of policy
options in response to changing circumstances.
3.3 At the programme
level come the detailed policies governing
implementation and the delivery plans that will
benefit society. Decisions are made on procurement or
acquisition, funding, organisation, establishing
projects, service quality and business continuity.
3.4 And at the
project and operational level, decisions will be on
technical issues, managing resources, schedules,
providers, partners and infrastructure.
3.5 In recent years
government has faced significant problems in handling
risk at each of these levels.
Risk management has been found wanting in recent policy failures and crises
3.8 The Phillips Inquiry report on BSE highlighted
several aspects of the government's handling of
risk and uncertainty that were unsatisfactory,
notably the timing, implementation and enforcement of
mitigation measures, its use of independent
scientific experts, and failure to communicate with
the public on the risk to humans. To address the
shortcomings, the Inquiry recommended:
- more open communication to the public about risks
that affect them;
- better monitoring to ensure effective enforcement of
risk management measures;
- ensuring that where action has been taken to reduce
the risk, it has resulted in what was intended;
- clearer lines of accountability for risk management
decisions; and
- better interdepartmental co-ordination.
3.9 In addition, the
Inquiry report highlighted the lack of public
confidence in the way government handled food safety
risks. It concluded that the only means of improving
this state of affairs was through greater openness
and acknowledgement of scientific uncertainty.
and reports by the NAO and the PAC have found systematic weaknesses
3.11 The NAO report, Supporting Innovation, surveyed
risk management practices across a broad range of
public sector bodies. It found that on the following
issues less than half of the Departments surveyed
agreed that:
- they knew
the strengths and weaknesses of the risk
management of the organisations they
worked with;
- there was a
common definition of risk used throughout
the Department;
- risk
management objectives had been clearly
set out;
- regular
risk management reports to senior
management were effective;
- the Department's executive sponsorship
and focus for risk management was
effective.
It recommended that:
- the Cabinet
Office should continue to encourage
Departments to adopt a coherent approach
to managing risks, which is likely to
lead to sustainable improvements in
public services;
- the
Treasury should press ahead with work
already under way to improve risk
management and corporate governance in
government Departments; and
- Departments
should ensure that the principles of
sound risk management are understood and
widely adopted.
3.12 The PAC report,
Managing Risk in Government Departments, confirmed
that more progress still needs to be made and pointed
out that "Numerous reports by this Committee
have emphasised the need for Departments to improve
their risk management".
3.14 It also pointed
to the need to develop skills and for adequate
monitoring of progress: "It will be important
for the Cabinet Office and Treasury to continue to
monitor how Departments implement their risk
management plans, to ensure that they are underpinned
by effective action to manage risks. These plans
should include reliable contingency arrangements to
deal with the unexpected, which might put service
delivery for citizens at risk."
What are the causes?
3.18 In summary, government risk management is too
often judged, both by practitioners and others, to
fall short of expectations and best practice. Why is
this?
3.20 Some of the
problems for government arise from inherited
structures. The organisation of government in
functional Departments has made it harder to deal
with cross-cutting risks. BSE was a classic example;
so in a different way was Foot and Mouth Disease
(FMD), which had a major impact on tourism, as well
as on farming. Similar considerations apply to risks
that span international and domestic Departments or
parts of a Department.
The social context within which government works is becoming more demanding
3.22 The Strategy Unit commissioned MORI to undertake
analysis of published material on social attitudes to
risk. (See annex 4 for more detail.) This showed that
people expect government to be more open about risk
issues, and that they seek reassurance from
government, but are sceptical of what they are told
unless they can clearly see that it is not influenced
by vested interests:
- the public
wants more openness and independent
advice on risk issues.
- the public values independence and will trust
pressure groups and
"independent" scientists over
private companies or the government;
- trust is
particularly important when dealing with
and communicating uncertainty. Nine in
ten people agree with the statement that
"When the government is unsure of
the facts, it should nonetheless publish
what information it does have
available". Research also suggests
that admitting that the case for or
against a particular risk is uncertain is
much more likely to be believed than
claiming it is risk-free;
- however,
qualitative and quantitative research
both also indicate the need for
reassurance from government. The public
wants to know the official line and
believes that government has a role in
reducing panic and legislating against
dangerous risks. However, there is also a
feeling that action does not always
succeed in preventing risks.
and there are greater expectations in terms of corporate governance
3.35
any Department that does not have, or is
not developing, risk management processes will face
criticism in the NAO's review of the SIC
appended to their accounts.
But actions are not so far sufficient to deliver benefits across the range of government's business
3.43
there is a concern that some of the
application of risk management concepts has been
mechanistic, and not integrated into decision-making
at the highest level. There is not always the demand
for risk management, for example, demand for
rigorous, timely and wide-ranging risk assessment
from Ministers and senior officials.
Aims
3.44 The aims of a more fully developed approach to
risk management, and the measures by which their
success should be judged, include the following:
- higher
levels of safety and confidence (less
loss of life and injury);
- better
understanding of risks and trade-offs
between different options by public and
government (for example, better decisions
on pensions, smoking and diet); and
- better
balance of risk and opportunity - good
risk management can provide the
confidence necessary for taking
innovative decisions (limiting risk
through pilots or careful management of
project risks).
Further responding to the challenge
3.45 In order to achieve these benefits, this report
makes the case for the systematic development of the
government's approach to handling risk.
3.46
- a clear
strategic framework for government's
handling of risk, including its roles and
responsibilities (chapter 2) in handling
risks to the public and to the delivery
of its business; the aims (chapter 3) to
be achieved through good management of
risk; and the principles (chapter 5) used
to guide its actions in handling risk to
the public;
- arrangements
to ensure that all major decisions about
programmes and policies take explicit
account of risks and opportunities
(chapter 4.1);
- systems,
processes and incentives to ensure that
risks are well managed (chapter 4.2);
- effective
organisation to ensure that risks are
dealt with where they can best be managed
(chapter 4.3);
- skills
developed widely amongst government
decision makers and advisers, and amongst
supporting experts (chapter 4.4);
- clear
quality standards and a quality assurance
approach (chapter 4.5);
- effective
communication of the approach to handling
risk and uncertainty, so that the public
will be better informed about risks,
their consequences and trade-offs and so
better able to make choices (chapter 5);
- crucially,
top level leadership, to drive the
improvements we recommend, and to foster
a culture that fully supports well
managed risk taking (chapter 6); and
- a clear aim
of improving the quality of decisions and
achieving better outcomes (chapter 7).
Chapter 4. Improving capacity
Every aspect of
government's work involves some risk: policy
making and decision taking; action and
implementation; regulation and spending. And there is
an expectation that government should manage these
risks well, to cut waste and inefficiency, and reduce
unanticipated problems and crises that undermine
trust. To deliver the expected benefits fully, a
systematic and explicit approach is required,
integrated into key decision processes.
Government needs to
develop its capacity to handle risk, by:
- ensuring that decisions take account of risk
(chapter 4.1);
- firmly establishing risk management techniques
(chapter 4.2);
- organising to manage risk (chapter 4.3) -
making sure that responsibility for handling
risks is with those who can best manage them;
that information flows support this; and that the
risk management improvement programme is well
managed;
- developing skills (chapter 4.4); and
- ensuring quality (chapter 4.5).
4.1 ENSURING DECISIONS TAKE ACCOUNT OF RISK
Summary
An explicit, systematic approach is recommended in
order to improve the quality of decisions and
delivery, to provide an audit trail of risk
judgements, and to join up risk management actions
within and across Departments. Risk is not yet fully
embedded in core government decision processes -
there are particular weaknesses in risk analysis in
the policy phase of the process of policy development
and delivery.
4.1.1 Effective
government depends, among other things, on the
ability to:
- understand trends, opportunities and challenges;
- use this understanding to underpin decisions and make
resource allocations to back them;
- respond quickly to changing circumstances and crises; and
- identify and prepare for a range of strategic futures.
[Levels]
4.1.2 These considerations are relevant at three
levels. The strategic level includes major policy
decisions and concerns the government's
political contract with the electorate and the
coherence of its overall programme. External factors
(including oil supply crises, weather, disease, wars
and personalities) are likely to be critical to this
contract, as are some endogenous factors (e.g.
failures in key public services). At this level there
will often be fundamental uncertainties surrounding
decisions.
4.1.3 The programme
level is the level at which most policy is made.
Decisions are made on procurement/acquisition,
funding, organisation, establishing projects, service
quality and business continuity. Uncertainty will be
bounded at this level, as strategic parameters will
have been set, and risks are more likely to come from
internal rather than external sources.
4.1.4 The
operational and project level is where services are
delivered.
4.1.5 Although each
of these levels has distinct characteristics, some
common approaches are necessary at all three:
- risks have to be identified and assessed, with
responsibility and accountability allocated and
clear;
- judgement is needed about their importance;
- mitigation and contingency plans may need to be
considered;
- the impact of actions on risks needs to be reviewed
and reported; and
- the information and decisions need to be effectively
communicated.
4.1.6 At the higher
levels risks will tend to be less easy to spot, more
disruptive, less easy to quantify, and often less
stable. A broader range of inputs is likely to be
needed to identify risks, assessment is likely to be
based more on judgements than measurable facts, and
mitigation and contingency plans are likely to be
less robust.
4.1.7 Decisions will
very often be taken in the context of one of the core
processes of government. Examples include:
- the policy making process and the Spending Review
(strategic level);
- business planning, programme management (programme
level); and
- service management, project management
(operational/project level).
4.1.8 Some
Departments have already integrated risk assessment
into many of their planning processes. However,
practice is uneven, and crucially may not be well
integrated in the initial development of policy
options and in policy decision taking. This confirms
the findings of the NAO report, Supporting
Innovation, and the PAC's Managing Risk in
Government Departments, that managing risk needs to
be more clearly an integral part of the way
government's business is done. The NAO has also
highlighted the need for Departments to take greater
account of the identification and management of risk
in the development and implementation of policies
[29].
[29] NAO, Modern
Policy Making: Ensuring Policies Deliver Value for
Money, November 2001.
4.1.10 Some key
issues have emerged:
- early risk identification and assessment at policy
option and development stages;
- a wider scope of risk assessment, including
"soft" areas such as public perceptions
and stakeholder views, the stability of the
external environment, and political risk; as well
as the more quantifiable risks (such as financial
or economic risk); and availability of relevant
and timely information; and
- continuing reassessment of risk and
opportunities.
4.1.11 The lack of
explicitness about risk issues and their management
is a key concern. This undermines accountability and
means that there is often no auditable trail of
judgements about risks, making it impossible
continuously to review risk judgements.
4.1.12 Some tools
have been developed to embed risk management: RIAs
require regulatory proposals to take account of
risks; Departments have developed and published Risk
Management Frameworks, which seek to establish
comprehensive approaches; and the need to produce
Statements of Internal Control (SICs), which will be
prepared for the first time with accounts for
2001/02, is driving further improvements in
processes.
4.1.13 The main
barriers to effective assessment of risk in decisions
include [31]:
- a lack of planning - decisions often need to be made
quickly, and risk assessment will be compromised
if information is not readily available, and
issues anticipated;
- pressure on resources - encouraging planning on
optimal assumptions;
- short planning horizons - traditionally Ministers
have been more focused on announcements than on
longer-term implementation and delivery -
when risks might be realised (though this is
changing with the current emphasis on delivery);
- lack of good quality, relevant information;
- limited in-house skills, experience and tools;
- the real difficulty of assessing and balancing risks
and opportunities, and weighing, for example,
financial versus other risks;
- fear of failure acting as a disincentive to
innovation; and
- in some cases political anxiety about explicit
acknowledgement of risk.
[31] as referenced
in CMPS, Better Policy Making, November 2001 and the
Strategy Unit Risk Project Board Survey (see annex
3).
4.1.15 They
emphasise the need to ensure that there is a good
current assessment of risks and a supporting
knowledge base (see chapter 4.2); that decision
makers and their advisers are fully equipped and
incentivised (see chapters 4.2 and 4.4), and that the
culture supports well judged risk taking (see chapter
6).
4.1.17
we propose that government should aim for all major
decisions to be informed by a systematic appraisal of
risk and opportunity [33]. Our overall recommendation
(rec.1) is that there should be an explicit appraisal
of risks, as well as benefits and costs, in all the
main business processes (including the Spending
Review, policy making, business planning, project and
programme management, performance management and
investment analysis), where this does not happen
already.
4.1.18 We therefore
recommend (rec.1a) that strategic risks should be
regularly considered by Departmental Boards, and the
Civil Service Management Board (CSMB) as appropriate.
The responsibility for handling and reporting risk
should be aligned with accountability for delivery.
Non-executive directors should play an important part
in helping to identify strategic risk and provide an
independent perspective on the level of risk faced
and the adequacy of measures to address risk.
Policy making
4.1.20 Policy making is the process by which
governments translate their political vision and
priorities into programmes and actions to deliver
outcomes. Failure explicitly to consider risk
management in policy making and decisions can lead to
serious problems, with costs and impact being borne
by the public, or to opportunities for high risk/high
reward options being passed over through lack of
confidence in handling the threats. However, in many
areas, there is at present no structured and enforced
requirement to consider risks. Some very high
priority policies have been implemented without
adequate attention to risks, often leading to very
costly exercises to put them right.
4.1.21 Some risk is
unavoidable. Life is by its nature complex and messy
and no formulae exist for making the business of
policy making and implementation wholly predictable.
4.1.22 However, a
more systematic approach to policy making can
significantly reduce unnecessary failures. We
therefore recommend (rec.2a) that policy making
should include a proportionate and wider ranging
consideration of risk, to provide an adequate review
before proposals move into full development. Further,
we recommend (rec.2b) that a more systematic
requirement to consider risks should be implemented,
which might be based on the OGC Gateway Reviews.
Gateway Reviews were introduced in 2001 as
checkpoints in the life of projects and programmes.
They provide a thorough review, and sign-off, before
work is allowed to proceed to the next stage of
development (See Figure 4.1). Gate Zero, the first
review, is a strategic assessment, checking that
there is a sound business case for proceeding with
the proposed change.
[policy options assessed]
4.1.23 We recommend (rec.2c) that this should include
a sign-off that: there has been adequate
identification and assessment of risk across the
range of policy options; that any mitigation and
contingency plans are sound; and that any assumptions
should be reviewed and formally tested against future
scenarios. This could be incorporated in existing
assessments where these exist, such as the RIA and
Investment Appraisals. These are externally reviewed
and, if developed, would fulfil this requirement,
avoiding the need for multiple reviews of the same
proposal. It may also be possible, in carrying out
the Gateway Review, to draw on, for example, the
Regulatory Impact Unit's (RIU) Policy Effects
Framework or the Integrated Policy Assessment tool
being piloted by the Office of the Deputy Prime
Minister/Department for Transport (ODPM/DfT) (which
allows appraisal of policies against economic, social
and environmental impact and distributional
categories). This explicit, shared process of review
should ensure that Ministers are given open and
honest advice about the risks entailed in decisions,
and help to make better quality decisions, balancing
the threats and opportunities in the context of the
government's risk tolerance in the relevant
policy area.
4.1.24 Each Gateway
Review should be underpinned by an explicit
assessment of the risks and opportunities of
proceeding, informed where necessary by the views of
all relevant stakeholders. This should involve
risk/hazard identification, assessment, and judgement
of risks drawing on empirical evidence and the public
context, and development of options for managing the
risks (mitigation actions and contingency plans).
Risk assessment is likely to combine quantitative
factors with softer judgements, such as the social
aspects of risk.
Figure 4.2
Risk Identification: Empirical - research &
incident occurrence; Imaginative - horizon
scanning & experience
Risk Assessment: Trends & statistics; Technical
quantification; Evaluation evidence; Values &
ethics; Public views of acceptable risks; Social,
cultural & political issues; Economics &
international policy.
Development of policy options: Judgements - selection
of options and cost-benefit trade off; Consultation
& engagement.
4.1.30 The Spending
Review results in agreed objectives and targets,
PSAs, and, from 2002, supporting Delivery Plans for
all Departments; and spending plans across
government. These plans cover a three-year period.
The guidance given to Departments clearly details how
they should set out the analysis of resources
required and the basis of their targets. The link
between resources and outcomes has been dramatically
improved in recent years, and is likely to lead to
greatly improved value for money. But risk is still
an underdeveloped area, with little mention in the
guidance.
4.1.31 It will also
be less easy to spot risks that cut across
Departmental boundaries ("cross-cutting
risks"), because there is no common approach or
format to aggregate them. And the baseline recording
of risks will not be sharply focused.
4.1.32 We recommend
(rec.3a) that the Treasury should further develop the
approach to risk in the Spending Review. This should
involve developing the guidance for Departments
before the 2004 Spending Review and issuing specific
guidance on assessing risk to the Treasury Spending
Teams (similar to recent guidance on Deliverability)
for use in finalising delivery plans in autumn 2002.
4.1.33 It is
recommended (rec.3b) that the Treasury, DU and Civil
Contingencies Secretariat (CCS) should work together
with Departments in autumn 2002 to ensure that their
delivery plans adequately address risk, balancing the
need to invest in resilience with the pursuit of
other objectives; and that cross-cutting risks are
identified and accountability for action established.
Monitoring arrangements should track risk assessments
and progress with mitigation plans, reporting to the
PSX cabinet committee.
4.1.34 We also
recommend (rec.3c) that for the 2004 Spending Review:
- there should be an increased, mandatory requirement
for risk assessment (perhaps linked to OGC Gate Zero)
to be fulfilled before PSAs are published and
funding is released.
- incentives could be introduced to encourage good
quality risk assessment, for example this could
lead to increased autonomy and delegated
financial authority.
- the Treasury should consider whether a more explicit
portfolio approach to risk might be taken in the
2004 Spending Review - with the outcome
being a mix of high risk/high return objectives
and lower risk areas with less challenging
service delivery targets. Better risk information
would also enable a more structured approach to
cross-cutting risks, with the Treasury being well
placed to facilitate discussion between
Departments.
Business planning
4.1.35 We recommend (rec.4a) that business planners
make full use of the Cabinet Office guide, Your
Delivery Strategy: a Practical Look at Business
Planning and Risk. This provides specific guidance
and incorporates other sources such as the Treasury
Orange Book.
4.1.36 Delivery
plans need to include better quality risk management
plans. Even for the government's most important
objectives these have recently been found wanting.
When the DU first received plans for key programmes
on education, health, crime and transport in 2001 the
information provided on risks was much less developed
than other parts. So we recommend (rec.4b) that
Departments should review the quality of risk
information in their plans. We recommend (rec.4c)
that the format of the DU plans should be further
developed to show detail of risks, their likelihood
and impact, and mitigation and contingency plans.
This format should then be made widely available to
Departments as a model.
Project and programme management
4.1.37 We recommend (rec.5) that Departments follow
the OGC guidance on managing risk in projects and
programmes and apply this guidance to their Gateway
Reviews, where risks must be weighed up and plans to
manage them signed off before moving to the next
project stage.
4.1.38 The need for
this to be done properly, and the scale of
improvement needed, even in this relatively advanced
area, is demonstrated by a recent study of OGC
Gateway findings. This found that 63 per cent of
Gateway Reviews had identified weaknesses in risk
management (the second most significant problem area,
after skills shortages), and little evidence of
lessons being learnt. Key issues remain around:
proactive review of risks, particularly in
anticipating those external factors which may
seriously damage delivery prospects; and contingency
planning.
[cost-benefit of options]
Investment appraisal
4.1.39 Decision making needs to be underpinned by
investment appraisal focused on benefits, costs and
risks, explicitly identifying and assessing risks and
developing risk mitigation plans for priority risks
from conception to appraisal and into execution. This
approach needs to be taken as part of all key
submissions (Spending Review, business planning,
policy development and delivery, programme appraisal)
and addressed at all levels. We recommend (rec.6a)
that pro formas or templates are used by Departments
to help with this, which could build on RIAs. Using
post-project evaluations (PPEs) as a means of
formally reviewing risk outcomes at the operational
level could be beneficial. We recommend (rec.6b) that
cost benefit analysis be developed to include
explicit risk assessment as a significant element of
option appraisal. Tools should handle subjective risk
assessments adequately, not just harder evidence.
Decisions need to deal with gaps between perception
of risk and objective measures. In the short term,
decisions need to acknowledge perceptions, but
efforts should be made to close the gap over the
medium/long term. We recommend (rec.6c) that the
Treasury's guide to investment appraisal (known
as the "Green Book") should be developed to
deal with these issues.
Likely impact of recommendations in this chapter
4.1.44 In order to be sure that progress is being
made and benefits are being delivered, we recommend
(rec.8) that there should be a full review of the
position after a specific period. This will need to
be underpinned by monitoring and evaluation
arrangements, as an integral part of the recommended
improvements. This should help carry forward the
PAC's conclusion that: "The Cabinet Office
should carefully monitor Departments'
implementation of their risk frameworks, assess their
impact in improving risk management and seek
corrective action by Departments to address
deficiencies". We agree with the need for a
central role of this sort, to drive change forward
more uniformly across the range of government
business, though as discussed later (in chapter 4.3)
not necessarily either based in the Cabinet Office,
or centred specifically on risk frameworks.
4.2 ESTABLISHING RISK MANAGEMENT TECHNIQUES
Summary
The use of risk management techniques in government
has been developing along a similar path to the
private sector - from audit/finance and health
and safety, to operational management and projects,
and finally to strategic areas. There are a number of
drivers of change including the focus on achieving
outcomes and improving performance, which inevitably
turns attention to the risks of not achieving
targets; and requirements to demonstrate adequate
control systems. There are particular gaps at the
strategic level, where practice is less developed. We
consider developments in horizon scanning,
contingency planning, crisis management, and building
resilience. Important common issues are the
imaginative use of experience (as opposed to
mechanistic process application), and a more
systematic approach to softer areas of risk -
including public perceptions, strategic fit, and
reputational risk.
4.2.9 The EIU report
of 2001, Enterprise Risk Management (ERM) [45] found
that:
non-traditional risks pose the greatest threat.
Executives reported that their most significant
risks aren't those traditionally managed by
the risk management or treasury departments. The
top three are customer loyalty, competitive
threats, and operational failure. These are also
among the risks companies believe they manage
least well. Equivalents in the public sector
would be public satisfaction and trust in
services, and maintaining service delivery;
[Orange Book]
4.2.13 The Treasury's guide, Management of Risk -
A Strategic Overview (known as the
"Orange Book"), published in January 2001,
sets out an approach, which is becoming widely used
in government.
4.2.14 The Orange
Book provides a framework for linking risks to key
organisational objectives, indicates the sort of
tools which might be used, and outlines a cycle of
risk management activity (see Figure 4.4).
[OGC Guidelines - £35]
4.2.17 The OGC has published its Risk Guidelines,
Risk Briefing and Management of Risk: Guidance for
Practitioners, which are intended to help
organisations put in place effective frameworks for
taking informed decisions about risk, providing
pointers to more detailed sources of advice on tools
and techniques [46]. It offers detailed help in
establishing risk management and in implementing
techniques. It has developed the Treasury risk cycle
further. Through its IPPD work, OPSR will provide a
simple introduction to the OGC's guidance,
accessible to policy makers. This will be part of an
overarching Programme/Project Management framework
located on the OGC's website as part of the
Successful Delivery Toolkit (www.ogc.gov.uk).
[46] OGC, Management
of Risk: Guidance for Practitioners, op. cit.
4.2.18 We recommend
(rec.9) that there should be an ongoing programme of
work to ensure that the guidance is integrated,
comprehensive and comprehensible, and provides a
flexible and accessible framework for Departments.
The guidance should incorporate the findings of this
report and develop a standard for government. This
can then be the basis for standardisation of training
material and for benchmarking. It should adopt the
simplest possible models and language.
Risk identification
4.2.20 Risk identification requires creativity,
ingenuity and wide involvement to ensure the key
risks are spotted. At the strategic level this
involves methods to spot future risks:
- for example, a Strategy Unit paper [47] presents six
methods which can be used (quantitative trend
analyses; qualitative trend analyses; Delphi
survey (a method for gathering information or
beliefs from a panel of experts); scenario
methods; wild cards (events with a low
probability of occurring but which would have a
big impact if they did); and futures workshops
(an open process which consists of engaging a
wide range of people in envisioning the future));
- horizon scanning is a key feature of the work of the CCS
and is used to try and spot potential disruptive
challenges across government.
[47] Strategy Unit,
A futurist's toolbox: methodologies in futures
work, September 2001.
4.2.24 To facilitate
identification and management of risk, both the OGC
and Treasury guidance provide checklists of risk
types. Our study found that in practice a lot of
organisations have developed short, grouped lists of
risks. For example, the SRA uses: corporate and
strategic; business delivery; and asset, and looks
separately at major impact mitigation (including
crisis handling, business continuity planning (BCP)
and use of insurance). No common checklist has yet
developed although there are similarities (rough
groupings are: strategic/corporate/external;
activity/operational/delivery including
project/programme; and financial/asset management).
The establishment of a broad common categorisation
could significantly help communication across
government - we recommend (rec.11) that the
Treasury should lead efforts to establish this. A
starting point could be to consider three categories:
strategic (including major external threats,
significant cross-cutting risks, and longer term
threats and opportunities); delivery (both
operational and project/programme risks, including
resourcing risks) and financial (a separate
cross-cutting category). Project/programme risks
might warrant a separate category.
4.2.26 Despite areas
of good practice, systems still need to be developed
that replicate the accountability and responsibility
frameworks that exist for financial management.
Assessment/evaluation
4.2.27 Most progress has been made with assessing
risks which lend themselves to quantification -
particularly financial risk, and repeatable health
and safety risks [48]. Our experience also shows that
executive agencies tend to be more advanced than
policy departments.
[48] e.g. see HSE,
Five Steps to Risk Assessment, 1996. In addition,
MOD's Defence Science and Technology Laboratory
(DSTL) has produced specific guidance including on
"three-point estimation" identifying
minimum, maximum and most likely out-turns, to define
a range of uncertainty around risks.
4.2.28 Areas for
development include wider use of public perceptions
of risk, and techniques to bring together judgements
from a wide range of stakeholders to inform
decisions. The recent EIU study highlighted the
importance of reputational risk to private sector
organisations. A similar focus is likely to develop
for the public sector, linked to establishing and
maintaining the trust of the public.
4.2.30 The level of
uncertainty will play a key role in determining the
approach to risk assessment. In strategic decision
making, where uncertainty is high, the approach to
risk assessment will tend to rely on exploring
scenarios, past experience of generic hazards, and
analysis of whether action needs to be taken to avoid
serious consequences of very uncertain events.
4.2.31 Judgements
will also be a key element here. A commonly used
approach is to develop a risk profile matrix (Figure
4.7), mapping risks against likelihood and impact,
combining judgements with numerical analysis where
possible into High, Medium, and Low ratings. Further
analysis of the confidence of managing the risks
successfully can then be used to prioritise
management action.
Getting value from risk assessment
4.2.32 Risk assessment can be a time consuming and
resource intensive process. In principle it should be
carried out for every policy decision, but the
approach should be scaled according to the
significance of the decision to be taken. General
criteria include:
- the potential risk to the public;
- the scale of financial or other resource commitment;
- whether the policy is novel or contentious;
- the complexity of delivery - for example, where
more than one Department or agency (government or
non-government) is involved in delivering a
programme, or the policy design is complex
(risking misunderstanding or failure); and
- whether the proposed area for action has a history of
failures.
4.2.33 We recommend
(rec.12) that criteria should be developed as part of
the arrangements for embedding risk in policy making
proposed in chapter 4.1. A generic list could be
developed which Departments could tailor, drawing on
a systematic analysis of key or common risks that
have occurred in their programmes.
4.2.34 Different
parts of government will have different priorities
and needs and, for example, may wish to develop a set
of common decision criteria to help assess risks
across a broad policy area, for example on health, or
to reflect a more consistent approach where
"value of life" criteria are already used,
such as in transport.
Assessment of risk tolerance/risk appetite
4.2.35 Most risks cannot be eliminated altogether,
and risk management involves making judgements about
what level of risk is acceptable - risk
tolerance or risk appetite. Such judgements are often
difficult, both for individual risks and across a
programme of activity.
[cost-benefit, equality]
4.2.36 Governments are generally keen to find ways to
improve ways of working and public services -
for example, by piloting new projects or introducing
new technology - but they will be averse to:
risks that affect public health and safety, such as
the risk of contagious disease; risks with
irreversible consequences, such as the risks
associated with climate change; or risks that
threaten people's access to essential services.
In all cases, they need to weigh up the risks and
benefits associated with each course of action, and
judge whether they are distributed fairly.
4.2.37 This [risk
appetite] is an implicit feature of all decision
making in government. There will be an underlying
level of willingness to take risks in particular
situations (areas of business, at different times).
Risk tolerance can be indicated on the risk profile
diagram (Figure 4.7 above) by the solid black line -
with all of those risks to the right requiring
mitigation action to make them acceptable.
This approach is
often used where risk management is well developed,
on specific projects or in service delivery areas
(such as by the Welsh Development Agency), or in
assessing the continuing viability of projects or the
capacity of service providers. We recommend (rec.13)
that more use could be made by Departments at the
policy making stage to ensure that Ministers are
aware of the pattern of risks they will be taking and
the prospects of adequately managing them.
[Orange Book]
Identification of responses
4.2.39 The Orange Book details four categories of
response: transfer; tolerate; treat; and terminate.
The government's approach to risk transfer has
developed in recent years (guidance now talks about
"optimum risk allocation" rather than
maximising risk transfer). Most often risks are
"treated", for example, through developing
mitigation plans. There is, however, little evidence
of responses to risk being thoroughly identified at
the policy development stage.
4.2.40
Well-developed decision making frameworks regarding
the control of risk already exist in the UK. For
example, in the area of occupational health and
safety a set of principles and criteria have been
developed in support of the legal requirement to
reduce risks "as low as reasonably
practicable" (ALARP). This is illustrated in
Figure 4.8, which shows how both the likelihood and
impact of the risk contribute to a decision on
tolerability (and is, for example, used in assessing
the response to risks from fire).
4.2.41 We recommend
(rec.15) that consideration be given to the extension
of such systematic approaches to strategic policy
making, adapting them as necessary to recognise the
less quantifiable nature of the data involved.
Internal controls
4.2.42 Detective controls to identify when a risk has
been realised are perhaps the most well developed.
These are "after the event" assessments,
including Post Implementation Reviews, and
Evaluations. Although these assessments are becoming
more routinely applied, there is a clear need to
ensure better capturing of lessons learned and
application to subsequent decisions.
Directive and preventive controls cover specific risk
mitigation measures, aiming to ensure that particular
outcomes are achieved or to prevent the possibility
of an undesirable outcome being realised. As risk
management becomes more established, explicit use and
monitoring of such measures is becoming more
widespread outside traditional financial areas.
Corrective controls are designed to correct
undesirable outcomes, which have been realised -
these include crisis management arrangements and the
contingency planning which underpins them.
Assurance about effectiveness of control
4.2.43 SICs are a key mechanism for providing
assurance about control. They will increasingly drive
improvements. However, currently, our survey of risk
experts suggests that in both the public and private
sectors assessment of implementation of risk
management was most likely to be done only "in
pockets across the organisation".
[50] The PSBS (a
partnership between the Cabinet Office and HM Customs
and Excise) is a knowledge management system that
also provides an information and advisory service
specifically geared to spreading good practice across
traditional public sector boundaries. Risk management
is a key area covered.
Embedding risk in the way the organisation works
4.2.45 In summary, there is uneven application of
risk management techniques across government -
these tend to be better established in financial and
project management areas. This needs to be extended,
crucially to policy development as well as to
policy/programme planning.
4.2.46
we
recommend (rec.16) that specific risk management
benchmarking arrangements be developed. This could
adapt the benchmarking service developed in Australia
by Comcover (established to provide insurance and
risk management services for government bodies),
which rates ten Key Performance Indicators (KPIs) as
either:
- Level 1: Early - Evolving a risk management
culture
- Level 2: Intermediate - Implementing a risk
management system
- Level 3: Advanced - Continuously improving
risk management practices
Their KPIs are:
- Integrated risk management approach
- Committed and led
- Positive and proactive focus
- Process-driven
- Planned for continuous improvement
- Active communication
- Audited and documented
- Resourced
- Trained and educated
- Value-based decisions
Techniques for handling strategic risks
4.2.48 There are particular gaps at the strategic
level, where practice is less well developed, and
where the CCS is starting to fill the gap. With the
CCS we have reviewed the current situation and
recommend further developments in the paragraphs
below.
4.2.50 There are
four main areas of the CCS's activity:
- identification and assessment (including horizon
scanning);
- contingency planning;
- consequence management (crisis management when
serious risks are realised); and
- building resilience to disruptive threats.
Identification and assessment
4.2.51 The CCS is starting to provide confidential
horizon scanning reports to Ministers and Permanent
Secretaries, identifying developments with potential
to cause serious disruption to the running of the UK
nationally or regionally. These might include issues
such as
health issues likely to overburden the
health service or challenge public confidence.
4.2.54 Simulation
events, built around scenarios, can help to identify
and prepare for such low probability/high impact
contingencies and we recommend (rec.18) that these
methods be explored.
4.2.55 Other parts
of government may also need to build up their role in
scanning for potential risks. For example, we
recommend (rec.19) that the Social Exclusion Unit
(SEU), working with the Neighbourhood Renewal Unit,
the Regional Co-ordination Unit and relevant
Departments, could consider playing a larger role in
tracking potential crosscutting risks, including the
impact of government initiatives on these risks.
Anecdotal and subjective information needs to be
drawn in from front-line staff, the public,
inspectorates and others.
4.3 ORGANISING TO MANAGE RISK
Summary
Implementing effective risk management across
government depends heavily on the primary
responsibility of Departments to handle specific
risks. They in turn can transfer responsibility to
agencies, Non-Departmental Public Bodies (NDPBs).
The centre of government has a role in anticipating
and providing support for handling crises; in
tracking and responding to cross-cutting risks; and
supporting delivery where there are significant risks
to key government objectives. The centre also has a
role in supporting and advising Departments on
developing their risk management capabilities. Risk
management can be improved by ensuring that risk is
handled by those best placed to do so. Further use of
arm's-length bodies should be considered, along
with ways of improving service delivery partnerships
with other organisations.
Organisational issues for Departments
4.3.1 Accountability for risk management lies with
Departments as part of their accountability for
government programmes. This includes both managing
risks and developing the capabilities to enable this
to be done well. The central Departments (Cabinet
Office and Treasury) also provide cross-government
support for both of these functions.
4.3.2 Within
Departments specific risks may be managed by agencies
or outside bodies working in partnership with the
Department (for example, delivery risks often lie
with agencies). Best practice is that risks should be
managed at the lowest possible level within the
organisations, with clear accountability established,
and systems and processes designed to support that.
4.3.4 Key
organisational issues for Departments include:
- ensuring risk ownership is aligned with accountability for
delivery and authority to act - and the
extent to which placing responsibility on those
accountable for results needs to be supported by
a central focus of expertise;
- Reporting arrangements - feeding up to the Board the
results of Risk Self-Assessments, as in many
government Departments and elsewhere; and
- ensuring risk specialists are closely enough linked to
policy and operational decision makers to offer
effective support.
Central support
4.3.6 The centre of government - No. 10, Cabinet
Office and Treasury - will typically take a
supporting role in managing risks, other than in
exceptional circumstances where it may be involved in
more hands-on co-ordination. This includes:
- providing the strategic context for decisions;
- assurance: regularly testing judgements about key
risks and procedures;
- crisis management: co-ordinating action when risk
is escalated beyond a certain level;
- co-ordination of communication and learning in
agreed circumstances, such as taking a strategic
view of high profile risk communication issues;
- taking an overview of large-scale threats and
opportunities;
- identifying cross-cutting risks, that are less
likely to be dealt with adequately, and ensuring
that accountabilities are clearly understood and
acted on;
- managing interdependencies between individual Departmental
operations, where necessary anticipation and/or
resilience needs to be built up in other
Departments; and
- providing a centre of risk management expertise.
4.3.7. This
strategic, corporate approach is consistent with the
findings of the EIU, that in the private sector the
predominant role of the centre is one of
co-ordination and support. The EIU found that
"co-ordinating centrally but implementing
locally" was the most common mode.
4.3.8
our
study suggests that improvements could be made in:
- providing systematic assurance that key risks are being
managed effectively;
- providing accurate real-time information;
- developing a wider range of sources of
information. The structure of government, with
issues usually being dealt with in single
Departmental channels, tends to work against
this;
- identifying or co-ordinating handling of risks,
or areas of risk, across Departmental boundaries;
- assessing the risk portfolio as a whole and judging the
capacity to take on new risks; and
- clarity about who does what on risk at the centre of
government.
4.3.9 Feedback from
Departmental Board members suggests that
"Departments have to own risks" and
"too much central control is likely to be
counterproductive",
that "efforts
should be aimed at ensuring more joined up
working", which was seen by one as "the
classic case for the centre to assume the lead",
and "the centre should have a co-ordinating role
in redeploying resources if the lead Department
cannot accomplish this itself".
4.3.11 The study has
identified two broad groups of risk, where
Departmental Board members consider central support
can be valuable:
- risks which have the clear potential to become, or
already are, crises, where there is likely to be
a rapid escalation of public concern (and where
the CCS has a key role); and
- certain ongoing delivery risks, including significant
risks to key government objectives, and risks
which are not manageable by one Department alone.
Risks may fall into this latter category because
they require extra resources or are inherently
cross-cutting and their severity is only apparent
when viewed across the whole of government. In
these cases, Departments may benefit from a more
coordinated approach to mitigation.
Delivery risks
4.3.15 In addition, the centre needs assurance that
risks to the delivery of the government's
programme are being managed, and should provide
support where needed. Whereas crises are primarily
about dealing with threat (the negative aspect of
risk), managing delivery risks will also cover
"opportunity risk" - i.e. the issues
which arise from seeking improvements (such as
increased demand for scarce resources, difficulties
with implementing and operating new services,
including levels of public acceptance and media
reaction). Failure to manage these risks well may
often not have such visible, immediate and high
profile consequences, but the long-term impact can be
equally significant.
Reporting risks
4.3.17 There are currently several parallel strands
of reporting corporately on risks:
- the CCS reports on disruptive challenges to the Prime
Minister;
- the DU reports on risks to key programmes to the Prime
Minister;
- the PSX Cabinet Committee reports to the Cabinet on
current issues with delivering PSAs;
- media reports, highlighting threats to the
government's reputation, are sent by the
Media Monitoring Unit to all Departments,
including No. 10.
Active support by the centre of government for developing risk management
4.3.19 The study has
found that:
- there are currently a wide range of different units and
committees who influence risk management,
including: ILGRA; the Risk Management Steering
Group; several parts of the Cabinet Office (CCS,
CDG) and Treasury (Spending Review, Investment
Appraisal, Audit), as well as partnerships such
as OPSR and OGC on IPPD. Further details are at
Figure 4.9. Most of the individual functions
carried out are valued, but the overall picture
causes confusion;
- there is a perception of advice being delivered through
"initiatives", with the centre moving
on to the next initiative and failing to provide
ongoing support. This adds to Departments'
workload;
- informal risk networks are developing, but they need
support to be effective in identifying and
sharing good practice; and
- fragmented approaches to risk management across
the centre of government have contributed to
confusion within government bodies. Many
different guides exist and Departments and
agencies have been left to their own devices to
decide on the method of implementation, which has
consequently been disparate. There is no single
point of contact or centre of expertise to whom
Departments can turn.
4.3.20 We recommend
that the centre should provide active support to
assist Departments to implement a more effective risk
approach across government. The centre should invest
in:
- co-ordinating and supporting an overall programme
of change, including monitoring progress and
assessing the effectiveness of risk handling
across government;
- better co-ordinated and more accessible guidance;
- a contingency resource and expertise which
Departments can draw on in managing and arresting
crises;
- a shared, more established risk/crisis communications
approach;
- an expert resource in the management of risk to assist
Department staff in improving the quality of
implementation; and
- a more accessible and active approach to the sharing of
good practice across government.
Figure 4.9: Units and committees that influence risk management (summer 2002)
Treasury:
- Public Services Directorate and Finance Management and
Reporting: Corporate governance initiatives,
SICs, guidance on risk management (Orange Book),
Green Book on investment appraisal, Spending
Review guidance.
- Office of Government Commerce: General guidance on risk
management; PFI; project and programme
management.
Cabinet Office:
- Corporate Development Group: Civil Service reform; Senior
Civil Service (SCS) competencies and leadership;
training and development programmes; Risk in
Business Planning.
- Civil Contingencies Secretariat: Improving the
government's ability to handle disruptive
challenges that can lead to or result in crisis.
- Delivery Unit: Supporting delivery of key government
priorities.
- Office for Public Service Reform: Model of High
Performing Department; IPPD ending December 2002.
- Strategy Unit: Study of risk management. Strategic
futures.
- + Policy Studies Directorate: Guidance on better policy making.
- Regulatory Impact Unit: Supporting the
development of risk frameworks and the risk
portal; guidance, advice and training on RIAs.
- Better Regulation Task Force: Examining models of risk
communication.
Committees:
- Risk Management Steering Group: Advise/facilitate
consistent and co-ordinated development of policy
and guidance relating to risk across central
government.
- Interdepartmental Liaison Group on Risk
Assessment: Help secure coherence and consistency
within and between policy and practice in risk
assessment and help disseminate and advance good
practice.
- Risk Advisory Group: Develop a government statement on
risk.
Other organisations:
- Health and Safety Executive: To offer advice and
guidance on health and safety issues.
4.3.22 Key points
that we considered include:
- to provide effective support across the overall
programme requires a range of skills to be
applied; and
- for the support to be most effective it should be fully
integrated with the process of agreeing
Departments' plans, to ensure that it is
delivering real business benefits. It should also
be linked closely to the programme of work to
improve risk management as part of corporate
governance.
4.3.24 It is
recommended (rec.27) that the quality of government
risk management should be improved through a two-year
programme of change to improve its capabilities. The
timetable should be integrated with that of the
Spending Review and the production of SICs. The
programme should include the following strands
(integrating the Strategy Unit recommendations with
existing initiatives):
- communications with the public;
- embedding risk (in the Spending Review, policy making,
business planning, project and programme
management);
- leadership and culture change;
- skills;
- guidance, standards and benchmarking; and
- corporate governance.
4.3.25 Departments
are accountable for improving their risk management
in these areas. The centre should be responsible for
providing a clear framework for change and ensuring
Departments have the support they need. Existing
central risk functions should be rationalised to
implement this approach.
4.3.26 It is
recommended (rec.28) that an Implementation Steering
Group should be established (replacing the various
existing groups - the Risk Management Steering
Group, ILGRA, and Risk Advisory Group) to drive
change over the two-year period leading into the next
Spending Review (2004). This group should draw
together the main interests across government and be
chaired by an authoritative figure, perhaps a member
of the CSMB. Progress should be reported regularly to
PSX and the CSMB. Outline terms of reference and
membership have been developed as part of the
implementation plan.
4.3.27 The Steering
Group should be supported by a small central team in
the Treasury, the Risk Support Team, drawn from
existing sources of activity (including the Treasury,
OGC, HSE, the Cabinet Office, the Government
Information and Communication Service (GICS) and
others) who would monitor progress; provide a central
expert resource; review and coordinate advice and
guidance on risk management; help establish and
support an interdepartmental risk network; and
consider further steps to rationalise current central
responsibilities and initiatives.
4.3.28 We recommend
(rec.29) that Departments should consider whether
they might establish similar individuals or teams
internally to drive and support change.
Placing risk where it can best be managed
4.3.29 Responsibility for handling risk should lie
with those best placed to deal with it. This can only
be judged on a case-by-case basis, but criteria
include:
- competence: who has the skills and
experience and/or can best recruit and retain the
right people?
- capacity: does the capacity exist? Can it be
developed?
- public interest: is there sufficient assurance
that the public interest will be protected?
- value for money: who will offer the best trade-off
between costs and benefits?
- management: can the arrangements be
adequately managed?
- subsidiarity: operational decisions will
often be best made by those closest to service
delivery.
[Arm's-length bodies]
Policy making
4.3.30 Organisational change has been actively used
to enable government to pursue better outcomes and
better manage risk (see Figure 4.10). This has
involved placing operational responsibilities with a
range of bodies - from agencies within government
Departments, to NDPBs and local government, to
private and voluntary sector organisations. It has
also involved transferring policy responsibilities to
others. For example, policy advice is now often
provided by outside bodies where specific technical
expertise is involved, and government has relatively
recently gone further by setting up the Food
Standards Agency as an arm's-length body with a
role to provide advice direct to the public without
recourse to Ministers. The National Institute for
Clinical Excellence (NICE) offers guidance direct to
patients, health professionals and the public on best
practice. And even more radically, some policy
decisions are now taken outside government, for
example by the Monetary Policy Committee (MPC).
4.3.31 It is worth
exploring whether the use of arm's-length bodies
in policy making could be increased. The benefits of
careful use are clear: they may be much better placed
than government Departments to recruit and retain the
specific expertise needed and thus be able to provide
better advice/decisions; and they may well be more
trusted than government (for example, the Food
Standards Agency, where consumer ratings of the
reliability of their information have risen to 93 per
cent from 75 per cent between 2000 and 2001, and the
MPC, where public satisfaction is high - 55 per
cent were very satisfied with the way interest rates
were being set to control inflation) [57].
[57] NOP, Survey of
Public Attitudes to Inflation, February 2001.
4.3.32 We recommend
(rec.30) that Departments should consider whether the
conditions exist for them to be used. These include:
the ability to set a clear strategic framework within
which experts can work (for example, the framework
for monetary policy); confidence that the body would
command public support; and a significant role for
expert knowledge. This may be particularly
appropriate where risks to the public make trust a
key concern.
Service delivery
4.3.33 In service delivery and investment areas,
current PFI guidance highlights the importance of
appropriate risk allocation between the public and
private sectors (seeking an optimum rather than
maximum risk transfer). It points out that to obtain
good value for money, transferred risks need to be
within the control of the partner organisation,
otherwise they will seek to charge a premium for
taking it on. The main categories of risk to be
considered have been established as: design and
construction; commissioning and operating; demand;
residual value; technology/obsolescence; regulation;
project financing; contractor default; and
refinancing. It has become increasingly apparent that
Departments cannot transfer the underlying political
risk of failure, or any consequent impacts on their
core business. This points to the importance of
working in partnership, and highlights the need for
sound management arrangements.
4.3.34 Where
partnerships with other private/public/voluntary
sector organisations are used to deliver
services, there are management issues that could
be better handled:
- the PAC has highlighted the need to improve understanding
  of the risk management systems of partner
  organisations [58], both in terms of confirming
  quality and in terms of having an integrated
  approach. We recommend (rec.30a) that use of a
  risk management standard as the basis for
  accrediting partners' risk management
  arrangements should be considered;
- recent rail incidents have highlighted the need for
  clear accountability for managing risks,
  especially when there may be a complex pattern of
  organisations involved in service delivery. We
  recommend (rec.30b) that where responsibility for
  risk is transferred to a partner organisation,
  particular care is taken to ensure that
  accountabilities are clearly established by
  Departments, procedures for escalating risks are
  agreed [59], and capacity maintained to manage
  and monitor performance (including provision of
  relevant information) and to take early action in
  the event of difficulty; and
- the PAC's review of PFI projects [60] also finds
  that public bodies are not doing enough to manage
  their PFI contracts after they have been agreed.
  Findings include the need to ensure a clear
  ongoing link between risk and reward,
  avoiding the impression that government will
  always bail out contractors, as has happened in
  some individual cases, such as the Royal
  Armouries Museum or the Channel Tunnel Rail Link.
4.3.35 It is also
recommended (rec.30c) that there is a case for
developing further approaches to contracting with
partners, especially where the aim is primarily to
deliver a service rather than, for example, a
large-scale capital project. This might involve
shorter contract periods, more flexible contracting
arrangements and lower transaction costs than are
typical with PFI arrangements. The Treasury and OGC
should consider this in developing government's
approach to partnerships.
[58] PAC, Managing
Risks in Government Departments, op. cit.
[59] For example, as
recommended in the Interim Recommendations of the
Investigation Board into the Hatfield Derailment,
August 2002.
[60] PAC, 42nd
Report: Managing the Relationship to Secure a
Successful Partnership in PFI Projects, July 2002.
Departments working together: networking and peer review
4.3.36 Establishing an effective network is seen as
an important way of helping Departments to develop
quickly through sharing best practice. We recommend
(rec.31a) that a network could be set up of the
"risk improvement managers" proposed in
chapter 4.4.
4.3.37 We recommend
(rec.31b) that this network, combined with the
Implementation Steering Group, could take on
ILGRA's current responsibilities (reviewing
management of cross-cutting risks; ensuring risk is
considered in agreeing PSAs; promoting a consistent
approach to risk; and improving risk communication).
This could build on the strong track record of ILGRA,
effectively embedding in the machinery of government
its current role as a champion group.
4.3.38 We also
recommend (rec.31c) that the people network could be
supported by the developing IT-based knowledge
networks, from existing Cabinet Office web-based
tools: including the Risk Portal, the Policy
Hub's knowledge pools, and the PSBS.
4.3.39 A specific
role for the network would be to provide peer group
reviews and challenges. Peer review has been a
growing area in government, but has been hampered by
availability of suitable reviewers. The network would
provide a ready source of expertise, but this would
have to be underpinned by an understanding that peer
review work is part of the participants' job,
justified on the basis that there would be
reciprocal gains. Peer review could also be used
within Departments, where there may well be several
centres of risk expertise (for example, within audit,
projects and programmes and individual delivery
organisations, and we hope increasingly in policy
areas).
4.3.40 Peer review
is used extensively by BP, an acknowledged leader in
risk management. Within BP, the use of peers forms
the backbone of risk management, in order to ensure
consistency in approach, improved use of knowledge
and adoption of best practice.
This structure
assists in:
- ensuring consistent quality and approach to risk
  management;
- leveraging knowledge across the organisations;
- ensuring greater openness;
- ensuring that best practices are adopted;
- circulating lessons learned; and
- creating contacts in a formal setting that will be used on
  an informal basis.
4.3.41 We recommend
(rec.32) a similar approach in government. This would
provide a good basis, for example, for developing
responses to risks that span more than one
Department, enabling the right contacts to be made to
gather intelligence and share information, and assess
risks holistically across functions.
4.4 DEVELOPING SKILLS
Summary
To embed
risk management thinking and capability in
government's way of doing business, risk
management needs to become an integral part of
mainstream learning and development at all
management levels.
Although
the importance of developing risk management
awareness and skills is well recognised, risk
management thinking is still at an early stage
within government.
There
should be a co-ordinated and systematic approach
to the provision of risk management skills and
training under CDG leadership.
This
should be based on a common understanding of good
practice on risk handling, including the possible
"standard" for risk management in
government (discussed in chapter 4.2).
Risk
management should become more prominent within
the full range of Civil Service management
systems, for example through developing the risk
management elements in the core competences,
similar to developments in project management.
Each
Department or agency should appoint a risk
improvement manager to spearhead its programme of
work to develop processes, systems and skills to
support the effective handling of risk. This
should include a review of current spend on risk
management specialists and the scope for in-house
expertise.
4.4.1 It is widely
accepted that, in order to handle risk better,
employees need both the right skills and the right
attitudes.
4.4.2 Some of this
can be achieved by formal training. Equally important
are experiences (for example, simulations)
that help people to understand, emotionally as
well as rationally, the importance of handling risk
more professionally.
4.4.4 In addition,
there are a number of different organisations that
lead risk management training and development:
- the Treasury sponsors a number of seminars on
  risk/SIC issues and supports CDG in its corporate
  governance course and in its training for new
  NDPB Board members;
- the OGC has developed a training module aimed at people
  who wish to develop a special expertise in risk
  management, which could support a wider best
  practice model.
4.4.5 These would
benefit from a common framework, to ensure that the
messages are consistent with wider government policy
thinking on risk. We recommend that (rec.33):
- there should be a co-ordinated and systematic approach to the
  provision of risk management skills and
  training, under CDG leadership. This should
  include:
  - the development of a common core of risk
    management material (linked to the proposed
    standard) on which all programmes could be
    based;
  - a review of key mainstream development
    programmes that could usefully cover risk
    management and innovation, including
    centrally-led programmes for general
    management training, specific training
    focused on effective policy making, financial
    management and project management, and senior
    management development programmes [63]; and
  - integration with the training framework,
    developed by OGC to complement Management of
    Risk: Guidance for Practitioners [64].
- the review should be included in the two year programme
  of work that we recommend to achieve a step
  change in government's capability to
  handle risk;
- Departments' heads of human resources should conduct
  similar reviews of their own training and
  development programmes, which in turn might
  form part of the new Departmental Change
  Programmes; and
- CDG should support action by Ministers and senior
  officials to foster a culture in which
  well-judged decisions about risks and
  opportunities can be made (see rec.42,
  chapter 6).
4.4.12 To support
this, we recommend (rec.34a) that:
- each Department nominates a risk improvement manager
  to support this process, setting standards
  and advising the Board on what is required. There
  are a number of different models that might be
  suitable, for example, the model adopted in some
  Departments for the project management and
  procurement specialisms. Departments may want to
  encourage their agencies to appoint separate risk
  improvement managers; and
- OGC should provide an advisory resource on systems
  and skills, drawing wherever possible on existing
  training and qualifications, but considering the
  possibility of introducing a uniform basic model.
4.5 ENSURING QUALITY
Summary
Raising the
government's game in relation to risk will
require careful attention to how well new approaches
are implemented. We recommend that a comprehensive
quality standard be established for risk management.
This should be co-ordinated by the new Risk Support
Team and be complemented by benchmarking
arrangements. Skills training should be linked to the
new standard.
4.5.3 These
standards define the risk management process
(including steps such as: establish the context;
identify, analyse, evaluate and treat the risks;
communicate and consult; monitor and review) and the
activities that underpin it, providing guidance on
tools and techniques.
4.5.4 The most
established, AS/NZS 4360, has been very well received
internationally, widely influential, and adopted by,
for example, the majority of government organisations
in Australia and the National Health Service and
Office of National Statistics in the UK. The
Department of Health also proposes to adopt the
standard.
[66] ed. Kloman,
Risk Management Reports 1995-2000, Risk
Management Standards October 2001
(www.riskreports.com/standards.html)
[67] ISO/IEC, Guide
73, Risk Management Vocabulary: Guidelines for Use in
Standards, July 2002.
4.5.5 There is not
yet widespread use of a standard in the UK. Indeed,
government has developed its own guidance (the
Treasury and the OGC) in parallel with BS-6079-3,
which in any case is project based. The Treasury is
developing its own set of Risk Management Standards
for Departments, linked to application of the
"Orange Book" cycle, as a tool to evaluate
how well Departments are implementing risk
management.
4.5.6 We recommend
(rec.36) that the OGC and the Treasury should review
the direction for quality standards for government,
drawing on best practice internationally and drawing
on the findings of this report, to ensure a
comprehensive and useable standard for UK government.
This should build on current good practice,
progressively providing a common framework and
language. This work should be commissioned and
overseen by the Implementation Steering Group
proposed in chapter 4.3. Departmental Risk Frameworks
should then be reviewed in light of the emerging
standards.
4.5.7 Benchmarking
is a further tool for improving quality in the
application of risk management. We recommend (see
rec.16) that government should develop the
benchmarking approach set out in paragraph 4.2.46,
utilising the expertise and facilities of the PSBS.
Chapter 5: Handling and communicating about risks to the public
5.14 Important
lessons have been learned about the value of
evidence-based decision making, openness and
engagement, proportionality, consistency and
targeting as part of the government's reform
agenda. The government has taken a number of steps to
lay the foundations for better decision making about
risks affecting the public. Principles of
evidence-based decision making, openness and
engagement are among those included in Better Policy
Making. These principles are reflected in other
cross-cutting policy initiatives, such as the Better
Regulation Task Force's (BRTF) Principles for
Good Regulation.
5.16 The Code of
Practice on Access to Government Information has set
out a clear presumption towards openness in all areas
of policy making, while recognising that some
information needs to remain confidential.
The Freedom of
Information Act 2000, which comes fully into force in
2005, enshrines those principles in legislation. The
Act will be a major tool of change within government
and is likely to provide a strong impetus for
openness in risk communication. In addition,
Departments are now required to publish Risk
Frameworks that set out how decisions are made on
risks that affect the public.
5.18
public
concerns are likely to increase significantly where
the issues are unfamiliar or where the consequences
inspire dread, regardless of the likelihood of the
hazard. Other studies have identified that people are
more likely to accept or tolerate risks where they
feel that they are taking them voluntarily or that
they have a say in how the risks are managed.
5.25 The Strategy
Unit study has identified three main areas where
there may be scope for improvement:
- more openness in providing access to information about
  risks to the public and about where Departments
  have made mistakes. Our analysis suggests that
  concerns are particularly marked where there is
  uncertainty about the nature or scale of the risk
  or where there is public dispute about the
  issues. In these circumstances, members of the
  public are least likely to trust the information
  they receive, and more likely to want to know the
  assumptions that Departments have used to inform
  their judgements;
- more transparency about the processes used to reach
  decisions. Our analysis suggests that scepticism
  tends to be highest where members of the public
  perceive themselves or their families to be
  directly at risk or where they cannot perceive
  direct benefits to them. In these circumstances,
  Departments may need to review whether they are
  doing enough to address this, in
  particular by demonstrating that the approach
  they are taking is based on firm evidence, is
  responsive to public concerns, and is open to
  acknowledging uncertainty or dissent;
- more systematic involvement of the public in decisions
  about risks that affect them or concern them.
  This is closely linked to the issue of
  empowerment discussed earlier in this chapter.
  Three specific concerns were raised in our study
  in relation to communication with the public
  about risks they face:
  - communication needs to start earlier in the
    policy development and decision process,
    wherever possible when framing decisions are
    being made;
  - communication with the public on risks that
    affect them needs to be a genuinely two-way
    process; and
  - involvement of the public in decisions about
    risks, both formal and informal, needs to be
    as widespread and balanced as possible.
    Stakeholders we spoke to suggested that, by
    restricting formal consultation to their
    usual list of contacts, Departments were more
    vulnerable to "group think" and as
    a result, key risks were sometimes missed.
    Similar concerns were voiced about informal
    soundings such as public attitude surveys,
    with one politician we spoke to suggesting
    that Departments sometimes confuse market
    research with genuine involvement in the
    decision process.
5.26 In the recent
past, arm's-length bodies such as the Monetary
Policy Committee (MPC), Food Standards Agency and
Financial Services Authority have shown that they may
be better able to sustain public trust and effective
decision making in handling certain risks. There may
be scope for extending the role of bodies of this
kind in other areas where issues of public trust are
paramount.
5.29 A number of
Departments we spoke to said that a widespread lack
of understanding about basic risk concepts sometimes
made it difficult for them to conduct an informed
public debate about risks. The most frequent areas of
concern were low levels of awareness about
probabilities (leading to disproportionate
levels of concern about high-impact, low-probability
risks) and a reluctance to accept that no
activity could be entirely "risk free".
5.30 This will
require action in a number of areas, including more
openness and transparency, wider engagement of
stakeholders and the public, wider availability of
choice and more use of arm's-length bodies to
provide advice on risk decisions. The focus is on the
handling of risks that affect the public directly,
such as risks to health, property, investments
or the environment.
5.33 Departments
should implement these principles as part of their
wider action to improve risk management set out in
chapter 7. They will need to ensure that the
principles apply across the range of public services
for which they are responsible. This will be
particularly important where the Department's
business is directly related to handling risks to the
public, such as safety or health.
5.35 Departments' communication about risk should be
based on principles of openness and transparency.
Unless there are clear grounds for exemption,
Departments that handle risks to members of the
public should publish their risk assessments
(discussed in chapter 4.2), and also the underlying
facts, assumptions, sources of information and
procedures behind them, as early as possible to
enable public scrutiny to take place, as they will be
required to do under the Freedom of Information Act.
5.37 Risk
improvement managers should ensure that their
Departments have systems to involve stakeholders and
the wider public in decisions about key risks
affecting the public. Communications should be
considered at the start of the policy development
process for major policies involving risk to the
public. Departments' communication strategies
should plan for a process of stakeholder and wider
public engagement on key risks. Where possible, this
process should begin when the key issues are framed,
and allow public discussion of a range of possible
solutions. This will be important, not only to ensure
that the solution is widely accepted, but also as a
matter of principle to ensure that individuals have a
say over the management of risks that affect them.
5.38 The extent to
which Departments need to involve the public in the
decision process will depend on each particular case,
and no one approach is likely to suit all risks. A
more participative approach is likely to be needed
where there are potential concerns that a risk is
being imposed on the public with little perceived
benefit in return. In such cases, Departments may
wish to consider using some of the following
approaches:
- involving members of the public in stakeholder forums and
  focus groups to help define issues and frame key
  decisions.
- using groups from a wide range of backgrounds to
  evaluate information, provide advice or take
  decisions in areas where risks occur frequently.
- exploring new ways of involving stakeholders and the wider
  public, in particular using the Internet to
  obtain views direct from the public.
5.39 We recommend
that Departments should develop the capacity to
identify which risk issues are likely to generate the
most public concern or require public co-operation to
tackle. This action should focus their efforts on
risk communication.
5.41 Departments
should also consider providing incentives for wider
participation in public attitude research,
particularly among marginalised groups, to ensure
that their views are adequately reflected in risk
assessments.
5.42 Chapter 2
suggests that responsibility for managing risks
should be allocated to those who are in the best
position to control the risk. In many cases,
individuals will be best placed to manage the risks
that affect them and will expect to be able to do so.
It has long been accepted that individuals are more
likely to tolerate a risk when they perceive that
they are able to control their own exposure to it.
5.43 Where
Departments have policy responsibility for handling
risks that directly affect the public, they should
consider the scope for increasing the availability of
choice to individuals, supported by relevant
information and advice.
5.47 Departments
should consider the scope for making more use of
information provided by arm's-length bodies
where there is a high degree of uncertainty or
dissent about a risk. This will make it easier for
people to distinguish between facts, assumptions and
judgements.
5.48 Risk
improvement managers should make arrangements to
ensure that expert bodies that advise on risks to the
public contain a broad-based membership and have
access to advice on risk communication.
5.50 We recommend
that guidance on risk communication, reflecting the
principles proposed in this report and those of the
Freedom of Information Act, should be issued across
government as a whole. Steps should also be taken to
ensure that it is adopted and followed by units
involved in handling risks that affect the public.
This work should inform action to change the culture
of risk thinking within government, described in
chapter 6.
5.51 We also
recommend that the Chief Scientific Adviser considers
what steps can be taken, for example as part of
Departments' risk communication action plans, to
help members of the public and the news media to
evaluate conflicting or new scientific advice.
Principles of
managing risks to the public [now
official guidance from Cabinet Office/HM Treasury]
Chapter 6: The role of leadership and culture change
Organisational culture can hamper effective risk taking and management
6.20 Organisational
culture was also seen by a number of those we
interviewed as one of the main potential barriers to
implementing the proposed new approach towards risk
management within government. In contrast with some
leading private sector firms, the culture within
government has often been characterised as being risk
averse, lacking in innovation, and excessively
concerned about failure and blame.
6.21 This has been
seen by some external commentators as leading to a
reactive and defensive approach to risk taking and
management, which places disproportionate emphasis on
inaction in the face of change and can take the form
of a "bunker mentality" in times of crisis.
This was not, however, a universally held view. The
NAO, for example, sees the main problem as a lack of
understanding of risk and risk management.
6.22 There was
evidence to support both views from the interviews we
carried out during our research. Typical examples
include:
- high importance being given to protecting senior
  officials and Ministers from mistakes (this point
  was made a number of times during our interview
  programme);
- an emphasis on identifying potential problems rather
  than focusing on opportunity;
- a focus on crisis management rather than forward
  planning;
- unwillingness to be open about risks to projects;
  and
- a tendency to take decisions either to embark on
  risky programmes or to exercise caution without
  undertaking a proper risk assessment.
Unclear or incomplete lines of accountability
6.28 Our research
suggests that attitudes towards risk may be
influenced by the structure of accountability within
government. Issues raised include:
- mismatches between accountability,
  responsibility, and authority to act. Where these
  are not properly aligned, this can encourage
  individuals either to be excessively cautious or
  to disregard key risks;
- the placing of accountability for all policy
  decisions, no matter how small, with Ministers.
  This can provide little incentive for officials
  to innovate and could encourage them to exercise
  excessive caution to protect themselves from
  criticism from Ministers; and
- the organisation of responsibility and accountability
  around individual Departments, rather than around
  government programmes, which increasingly require
  joint working between Departments and other
  partners.
In some cases,
tensions between joint responsibilities and
individual Departmental accountabilities can prevent
Departments from exploiting opportunities, such as
the opportunity to develop e-government strategies.
Weaknesses in risk management processes
6.32 The NAO argues
that the main reason Departments are criticised on
risk issues stems from a weakness of risk management
across government, and from the fact that mistakes
are often not learnt from.
6.33 Sir John Bourn,
the Comptroller and Auditor General, has commented
that the problem is more one of "risk
ignorance" than risk aversion. He commented
that: "The problem is not that the Whitehall
culture is risk averse ... Rather it is risk
ignorant. It takes the most fantastic risks without
knowing it is doing so."
6.34 A number of NAO
and PAC reports have highlighted cases where there
has been no evidence that key risks were identified
and assessed early enough or at all, and where there
was a lack of contingency planning.
6.43 Some specific
points where Departments and the NAO and PAC might
work together to ensure the right culture include:
- clearer accountability and responsibility.
- creating a better evidence base.
  Departments can overcome potential hindsight bias by developing
  better audit trails of risk judgements and risk
  management actions.
- ensuring a balanced picture.