Navigation * Home / News / Turnbull: Meeting the guidance

-------------------------------------------------------------------------------------------------------------------

Turnbull: Meeting the guidance

Risk Management (UK)

Executive Summary

-------------------------------------------------------------------------------------------------------------------

Effective business risk management is fundamental to delivering the modernising government agenda. This is a bold statement and in this paper we explain the benefits to the public sector of improved business risk management and argue that it can be applied effectively to a much wider range of public sector activity.

HM Treasury has asked Principal Finance Officers to comment on their proposal to implement the Turnbull Working Party's guidance on Internal Control in central government departments. Their desire is to secure real benefit through implementing effective risk management in departments rather than simply playing lip service to the guidance. A draft implementation timetable is due to be issued soon.

Work done in some departments has brought about significant improvements in performance by taking control of risk. We describe a more dynamic view of risk than that normally applied, set out the key principles that should underpin its management in the public sector and describe how risk management can be implemented effectively to improve delivery of the modernising government agenda as well as provide better corporate governance.

-------------------------------------------------------------------------------------------------------------------

This paper answers the following questions:

So what is risk management? It is a combination of avoiding hazards, dealing effectively with uncertainty and knowing when to take the right risk.

Where can risk management make a difference in the public sector? Quite apart from meeting the Turnbull guidance on Internal Control, it can help identify the main departmental risks, their relative priority, the tolerance to each risk and the responsibilities for managing them. Unnecessary duplication of efforts or assignment of resources can then be identified. What follows is better capital efficiency because the information identified can help inform adjustments in expenditures from a risk-based perspective.

Is risk a dilemma for the Civil Service? Some in Whitehall are encouraging more risk taking, yet at lower levels 'fear of failure' makes many Civil Servants risk averse. What principles underpin effective public sector risk management? Quite simply, a system that allows effective visibility at the appropriate levels, with appropriate control measures and a suitable mechanism to sanction and monitor investment.

The steps to implementing effective business risk management. Effective risk management needs to be tied into the business at every level through a framework of risk management strategies, informed by an overall policy and managed with an effective process. For this to succeed in the public sector a culture shift will be required.

Effective business risk management is fundamental to delivering the modernising government agenda. This is a bold statement and in this paper we explain the benefits to the public sector of improved business risk management and argue that it can be applied effectively to a much wider range of public sector activity.

HM Treasury, following the established principle that the government will follow private sector best practice in respect of accounting, reporting and audit (unless there is good reason for not doing so), asked Principal Finance Officers to comment on their proposal to implement the Turnbull Working Party's guidance on Internal Control1. Their desire is to secure real benefit through implementing more effective risk management in departments rather than simply playing lip service to the guidance. A draft implementation timetable is due to be issued soon.

Work done by PA Consulting Group illustrates how some Government Departments have brought about significant improvements in performance by taking control of risk. We describe a more dynamic view of risk than that normally applied, set out the key principles that should underpin its management in the public sector and describe how risk management can be implemented effectively to improve delivery of the modernising government agenda and provide better corporate governance.

-------------------------------------------------------------------------------------------------------------------

So what is risk?

Traditionally, risk management has been regarded by civil servants as hazard avoidance, for example avoiding anything that may reflect poorly on the decision-maker and, ultimately, upwards to ministerial level. However, potential hazards are many and efforts to chart a course around each can simply result in a loss of momentum.

We have come across examples where a policy initiative has been worked up with great thoroughness and wide consultation. The final blue print is impressive but has been achieved at a cost as the time for implementation is severely truncated by the additional planning time. The net effect is that the total risk of implementation failure – e.g. that results fail to materialise inside the required time horizon – has been increased.

We believe ‘risk’ is more dynamic than mere hazard avoidance and should be viewed as a combination of:

• Hazards or threats (what happens if things go wrong). This is the traditional view of risk.

• Uncertainty resulting from the effects of changes in key variables (e.g. delivery time or cost fluctuation), affecting an operation or project and relates to the variance between anticipated and actual outcomes.

• And the potential Benefits of taking calculated risks or seizing opportunities, sometimes referred to as the balance of risk and reward. This concept may appear alien, but is common in the private sector where profit is, in part, the reward for successful risk taking in business. It is focused on investment and action to achieve positive gain, where a decision to take a risk would be driven by a desire for the investment to achieve better value for money. At a corporate level, taking this type of risk is implicit in many departments’ ongoing modernisation programmes, especially where initiatives are developed internally rather being imposed by ministers.

-------------------------------------------------------------------------------------------------------------------

Where can risk management make a difference in the public sector?

Risk management is not new; any department with formal project management processes or one that uses methodologies like PRINCE will be well aware of risk analysis as they will be if, as one hopes they should, use the Treasury Green Book in their investment appraisals. However we question whether sufficient real value is derived from this at present. Risk management has yet to become the fundamental part of corporate governance that it has in the private sector, where pressure on the bottom line and the requirements of stock markets have encouraged companies to develop comprehensive risk management procedures:

"…recognising that business decisions require the incurrence of risk, [companies must] achieve a proper balance between the risks incurred and the potential returns…" (Toronto Stock Exchange Company Manual)

The Turnbull Working Party’s recent report on Internal Control will place visibility of corporate risks firmly on the Board's agenda. In the public sector, the treasury is likely to expect departments to comply with Turnbull-style conditions too, so placing business risk management responsibility firmly with the Accounting Officer².

But can the evolving principles of business risk management be applied to help achieve better value (in terms of outputs and outcomes) for public money whilst achieving the demands of effective internal control? The answer is ‘yes’ – we believe that these two requirements are completely interrelated.

Effective business risk management can bring significant benefits. It can help identify the main Departmental risks, their relative priority, the tolerance to each risk and the responsibilities for managing them. Unnecessary duplication of efforts or assignment of resources can then be identified. The next step is better capital efficiency because the information identified can help inform adjustments in expenditures from a risk-based perspective.

We acknowledge that all departments are striving for incremental increases in the efficiency of their routine operations and the application of a formal risk management structure would not always be appropriate. Yet where the public sector seeks to increase value from investment in a venture such as:

• major projects (a new system, a new delivery method or the establishment of a new organisation, etc)

• mergers of previously separate divisions or agencies
  
• corporate transformation initiatives

-------------------------------------------------------------------------------------------------------------------

Risk management can play a crucial role in ensuring successful delivery and is vital in helping the Permanent Secretary, as Accounting Officer, to understand the risks to which the department's investment is exposed.

For example, there are a series of initiatives underway aimed at transforming the delivery of a very high profile public service through new systems, processes and organisation structures. The failure of these will have potentially serious operational, financial and political implications. Yet we have found numerous examples where the approach to identifying and managing risks has been rudimentary and where a more structured approach could help.

We would go further and argue that risk management could help departments to manage the broader combination of programmes and initiatives which are intended to deliver their Public Service Agreements. Turnbull implies a portfolio approach where a risk management framework might be used to inform the level of resources that are invested in specific initiatives. This may not be appropriate in the public sector, as an aggregated risk threshold is hard to quantify. However the approach can be applied to identifying when continued investments in specific projects should be capped or withdrawn; something which is still rare in both the public and private sectors.

Risk management is not a panacea, but it can make an important contribution to enabling a department or agency to deliver its broader objectives.

-------------------------------------------------------------------------------------------------------------------

Is risk a dilemma for the Civil Service?

Some senior figures in Downing Street and Whitehall have argued strongly that civil servants should be encouraged to take more risks – recognising that without doing so the transformation in management techniques needed to modernise Government is unlikely to be secured.

The Chairman of the Public Accounts Committee (PAC) has been quoted as saying that he would like to see departments demonstrate that, following careful analysis, they had actually taken risks in order to secure benefit, even if they didn’t necessarily achieve them. However, a realist might suggest that this argument would not be credible if presented to the PAC in mitigation of poor performance.

On the other hand, high profile implementation problems periodically remind ministers that failure also has political as well as practical consequences. Combined with the need to satisfy the National Audit Office, this leads some to argue that many civil servants should be encouraged to take less risk and not more – and that the public sector should concentrate on grinding out incremental improvements.

We recognise that because of the nature of the public sector, rapid change is not always possible, or desirable, but these apparently conflicting pressures appear a recipe for management schizophrenia. However, that these points of view are often regarded as conflicting, reflects a widespread misunderstanding of the nature of risk. Both perspectives can be reconciled by the sensible application of risk management techniques.

The key principle underlying effective risk control is accountability. It is now widely accepted that risk management should be undertaken at all levels; business units/projects are responsible for risk management and managers should be responsible for implementing policies for control and risk in their area. Further they should create a risk aware culture, where employees have the collective knowledge, skills, information and authority to establish and maintain the system of control and understand their responsibility for managing risk. This will be difficult in the blame culture that exists in parts of the civil service.

We have seen this work very effectively in a number of departments, especially those that have a reasonable Project Culture, where the execution of projects has helped develop an acceptance that things do go wrong. An effective approach, building on this acceptance, might include specific risk management obligations and performance measures to focus line management and functional specialists on the risk management strategy and objectives.

Internal audit also has an important role to play in 'new style' public risk management. However, business risk management is not simply a job for internal audit, it is a management issue. That said, the traditional role of internal audit is shifting from control to risk based auditing and some government departments are already adopting an approach that involves internal audit in business unit and project decision making to help the business avoid hazards and manage uncertainty more effectively.

The theory's great, how do you implement it?

-------------------------------------------------------------------------------------------------------------------

Conclusion

The need for effective business risk management in the public sector is becoming ever more important. We pointed out how at the same time civil servants were being accused of taking too few risks and too many. In fact both points of view are valid but can be addressed through a systematic and comprehensive approach to risk management. This will include a strategy that makes risks visible and grades them in terms of seriousness – a requirement of Turnbull. The cost of risk should be factored into new and continuing expenditure decisions. There should also be clear criteria for escalating issues upward within the Department if specific trigger points are reached. The overall strategy needs to include plans to mitigate risks or deal with them should they arise.

Whilst such an approach will impose a greater degree of rigour in the management of risks to the business, it must also make clear the freedom of managers and the scope to which limited failure is permitted. Only by appraising and monitoring risks in a controlled way will public sector managers have the confidence to take them and their superiors the confidence to permit them to do so.

Effective business risk management in the public sector will allow government departments to ensure better value for money from their ventures and improved service levels through the effective control of risk. We are aware that some public sector managers will question the value of risk management. However, whilst it is by no means a universal panacea, it has an important role to play in delivering significant transformation of public service delivery and providing better internal controls.