Risk management within a local authority is driven by many factors. Most important is the need to demonstrate good governance, as outlined in the CIPFA/SOLACE framework A Keystone for Corporate Governance. Further, local authorities must satisfy:
- The statutory requirements within the Accounts and Audit Regulations 2003 to publish a statement on internal control
- the more rigorous Comprehensive Performance Assessment (CPA) requirements applying from June 2005.
Those authorities which previously obtained a level 3 or 4 for risk management will find it more difficult in the future. While the CPA does not prescribe the use of a specific type of risk management tool, powerful, adaptable and robust software is the ideal solution to help achieve high scores.
Despite the need for specialised software, recent research by Grace Governance Solutions revealed that over 20% of UK authorities have no form of electronic risk register, while over 30% hold risks in either a spreadsheet or word format. There are, needless to say, many reasons for this lack of sophistication, not least constraints on budgets. However those local authorities which once found risk registers in spreadsheet, word or paper-based format to be effective are now unable to develop them sufficiently to meet the need for a more comprehensive and flexible risk management tool.
Building the first risk register
If risk management is to be truly embedded, much time must first be spent raising awareness and understanding, securing buy-in from senior management and assisting operational areas to identify and record their risks. This can be a time-consuming and onerous process, even in local authorities with a dedicated risk manager or team.
At the outset of risk management, spreadsheets and other office applications have much to commend them. As shown in Figure 1, they provide a quick solution, enabling the production of elementary reports and graphs to satisfy internal and external scrutiny.
At this early stage there is generally little impetus to invest in specialised risk management software at a time when the approach may still be evolving and exact system requirements are vague.
Version control nightmare
In many authorities risk management is now established, with regular reviews. Those still using spreadsheet-based systems are facing problems with version control. The basic choice with spreadsheet systems is between:
- having one master spreadsheet containing all risks, or
- having one spreadsheet per operational area.
The first option provides better ranking, sorting and reporting and enables the entire register to be easily published, for example on an intranet site. However, maintenance is unwieldy and affords little security. To allow all risk owners direct access to one document increases the likelihood of corruption. Consequently many authorities find it necessary to extract and distribute each owner's risks and then collate and update the master spreadsheet.
The alternative is to have multiple spreadsheets, making direct update by risk owners easier. However, reporting and analysis across the authority now becomes unnecessarily complex. To maintain even a basic history requires keeping a copy of each spreadsheet at each review point, and clearly the number of spreadsheets will start to multiply significantly, as illustrated in Figure 2.
Solihull Metropolitan Borough Council initially recorded its risks on spreadsheets. Catherine Halford, corporate governance manager comments: "We used spreadsheets initially as an interim measure to provide a quick solution. We soon realised it would not meet all our needs. We had too many spreadsheets to manage. For example, to identify all financial risks across the authority would require us to pick risks from dozens of individual spreadsheets. The time we took made it impractical."
Risk mapping allows the data to be 'sliced and diced' so that risks affecting a specific person, group, objective or indicator can be reported and managed. This functionality, very difficult to achieve with multiple individual spreadsheets, is standard in most specialised risk management applications. A variety of categories of data can be chosen, such as the PEFORMANCE acronym, listed in Figure 3, which was coined at Solihull during an early risk management workshop.
Using the appropriate software, Solihull MBC has been able to fulfil a key CPA requirement to map both strategic and operational risks against corporate and operational objectives, performance indicators, risk owner and a variety of risk categories.
Accessibility and management
Although getting authority-wide ownership can be frustrating, in order to meet the requirements of good governance and the CPA working in isolation is no longer an option. To facilitate both ownership and openness any risk management tool must be both accessible and user-friendly.
Data presentation is vital if risk information is to be meaningful. In its simplest form openness can be demonstrated by publishing a risk register in spreadsheet format on the authority's intranet. However, this has only limited appeal, as people do not have the option to sort, filter and manipulate data according to their needs.
What is required is a powerful reporting tool - see Figure 4. Such a tool, ideally web-enabled, will allow all those involved in the risk management process, including members and directors, to get the data they want in a format that is really useful.
Reporting and data communication were big issues for Ribble Valley Borough Council. The risk management process was well developed, but chairman of the risk management support group, Chris Shuttleworth, needed to "simplify the way in which information was communicated between the risk managers and the database." According to Shuttleworth, the breakthrough came with the introduction of Grace risk management software, where each service manager could have input to a system that enabled update and review of the existing departmental risk register on a regular basis.
A history facility that records changes to the risk register can clearly demonstrate active risk management, and through understanding of year-on-year changes, can allow more informed and effective decision making. A risk history is also useful in demonstrating reduced risk level, especially graphically, to those that are working on and funding risk management - See Figure 5.
Even if spreadsheet copies are made at each review point, detailed historical analysis is never going to be easy. The powerful database behind a specialised risk management tool allows a risk history to be easily created and can also help satisfy the information security management requirements of BS 7799/ISO 17799.
At the outset spreadsheets certainly provide a quick and flexible solution to risk management. However, as the process matures, ever greater demands are made on the chosen risk management tool. Spreadsheet-based solutions in particular fail in the way they can manipulate and present data. A good risk management tool armed with flexible reporting can deliver the power to the desktop that will outperform spreadsheets in both areas.
Given not only the need for good governance, but also the 'harder test' promised by the CPA, those responsible for risk management in local authorities need to be active in implementing a proper risk management tool.
Mark Collingwood is co-founder and technical director of Grace Governance Solutions Ltd, E-mail: email@example.com; Stephanie Gardner and Catherine Harley are corporate governance and risk support officers at Solihull Metropolitan Borough Council, E-mail: firstname.lastname@example.org
The authors would like to thank Ribble Valley Borough Council for their help in producing this article.
Figure 1: The advantages of office products at the outset of a risk management programme
- Readily available on everyone's PC
- No additional licence costs
- No installation required
- No training needed
- Allows flexibility of approach
Figure 3: The PERFORMANCE risk category acronym
P - Political
E - E-government
R - Regulatory & Legislative
F - Financial & Fraud
O - Opportunities
R - Reputational
M - Management
A - Asset
N - New Partnerships & Projects
C - Customer
E - E-government
Figure 4 Key features required from a report writer
- Simple to use and easy to learn
- Ability to 'Slice and Dice' using a range of selection criteria
- Choice of fields and report layout
- Sorting options
- Font settings to support corporate identity
- Ability to save and re-run reports at a later date.
CPA - THE HARDER TEST
The UK Audit Commission introduced comprehensive performance assessment (CPA) in 2002. CPA measures how well councils are delivering services for local people and communities while reducing the overall regulatory burden on them. It distills a complex set of judgements on local government bodies and the services that they provide into one simply understood rating. The Commission says that the strength of CPA is that it looks at performance from various perspectives, which provide a more complete picture and a better understanding of where to focus activities to secure improvement.
A new framework for CPA from June 2005 to 2008 will carry this further, in line with the Commission's principles of strategic regulation. CPA has become a more stringent test, with more emphasis on outcomes for local people and value for money. The Commission is strengthening its methodologies for assessing user focus and will include, within corporate assessments, an explicit judgement on this. It will also be challenging those authorities which are not improving as quickly as others to do more to match the pace that many are already achieving. Under the new CPA framework a council must attain a higher standard to achieve a particular category or rating, such as 'good' or 'excellent'.