This article was first published in the March 2017 UK edition of Accounting and Business magazine.

Risk management is a key element of corporate governance in public sector organisations, in terms of their structures, processes, corporate values, culture and behaviour. It is a cornerstone of an organisation’s architecture for strategic and operational success and needs to fit well as a management process within the governance framework. 

A typical risk management process in a public sector organisation involves the following:

  • identifying future events or occurrences that threaten success  
  • rating the level of risk in terms of likelihood and extent of impact  
  • considering whether to tolerate, treat, transfer or terminate a risk
  • reviewing mechanisms for ensuring risk management decisions are up to date and robust, and stand up to stakeholder scrutiny 
  • reporting process updates to management and others charged with governance.

A cascade of organisational objectives is typically set for directorate/departmental levels. Risks might be subdivided into categories such as financial, compliance, operational, environmental, reputational, technological and political. Best practice models have risk management as a standard agenda item at operational, departmental and directorate meetings, and include regular peer challenge.

The process is often coordinated by a dedicated risk management team that reports to the executive. Corporate, directorate and departmental risk registers capture relevant risks at each organisational tier and are used to regularly monitor the completion of planned mitigating actions and to decide whether the risk should be escalated to the corporate register as strategically significant. The executive management team typically reviews the corporate register, and regular updates are provided to the organisation’s audit committee. 

Risk is a matter of perception. Risk appetite ranges from ‘risk averse’ at one end of the spectrum to ‘risk seeking’ at the other, with ‘risk aware’ and ‘accepting a calculated risk’ somewhere in between. The significance or nature of a risk can change, so it requires continual management.

It is therefore important to have consensus over the relative significance of risks across the different levels of the organisation. Cross-departmental communication and challenge, risk register clarity and consistency, and individual responsibility for risk management are all key. 

Finding a balance 

Risk management in the public sector presents some significant differences from its private sector counterpart. In the private sector, it is generally true that the higher the risk, the higher the reward – usually in the form of profits. But in the public sector this trade-off doesn’t necessarily apply. 

Public sector strategic objectives are different – for example, councils typically have to balance their duties of citizen protection, well-being and prosperity with the imperative to deliver services very differently. Citizens are taxpayers and public bodies have legal obligations for many services, adding further complexity to the risk management balancing act in the public sector. Decisions about existing risks (whether to ignore, address, move or remove them) and taking on new risks have to be made in a complicated and changing context. All the more reason then for a robust management process to underpin them. 

There are a number of obstacles to effective risk management. They include the following: 

  • a lack of integration, where risk management is applied as an add-on rather than being integrated with other management processes, or where there is a ‘silo’ rather than a strategic approach at the departmental level
  • a lack of systematic approach, often arising from an incorrect belief that risk management is automatically embedded in day-to-day decisions; an absence of clear reporting to senior management and the audit committee tends to accompany this weakness
  • a misunderstanding of risk management, its purpose and relevance for the organisation, with some regarding it as just a compliance exercise; poor connectivity over risk between the top and bottom levels of an organisation is a further issue
  • an abdication of responsibility, which often arises from individuals’ lack of interest in or awareness of risk; this can arise from poorly written job descriptions and a weak or absent risk management process.

The big trigger

Change is a major trigger of risk, and the public sector is undergoing a lengthy era of major change, with austerity one of the biggest drivers. Transformative change strategies are under way, with new models for delivering services across functional and political boundaries, unparalleled community engagement, and demand management through early intervention. In short, the new focus is on the cause, not the consequence, of citizens’ needs and on a more proactive modus operandi.

The risk map for the individual public sector organisation has also changed, with new and possibly less manageable risks emerging. Partnerships are now formed between organisations with quite different governance structures and risk profiles, which cannot be ignored when joint decisions are taken. It is therefore important to agree early on how the parties should share the risks of these new service delivery strategies. 

Public sector approaches to risk management have become more sophisticated. It is now normal to define early on and review the organisation’s appetite for risk, and consider the upside or opportunity associated with each risk. 

Jo Williams FCCA is a member of ACCA UK’s public sector panel