One of the greatest frustrations that risk managers face is not being able to get a risk register off the ground. It may be that the risk manager has compiled a proper risk list, has prioritised risks and put together full risk action plans, with actions allocated to various managers.
But sometimes this is just not enough.
This was the case with a recent client. A local authority's risk manager had achieved what he had set out to do. He had got his senior management team to work together on listing and prioritising risks on an enterprise-wide basis, and they had allocated responsibility for implementing the action points between them. Risk managers expect registers to take on a life of their own, organically driving the change process. But in this case, the register had come to a standstill. The risk manager said it was 'dead' and was unable to explain why.
To solve the problem, it was essential to establish the reasons behind the council's decision to set up a risk register in the first place. It clearly wanted to comply with the risk management requirements contained in the Comprehensive Performance Assessment (CPA). CPAs are mandated by the Audit Commission, so every local authority will eventually have to comply.
The CPA looks for clear evidence that:
- The main risks to the organisation have been identified
- The risks have been evaluated
- Management have been involved at all levels
- Elected members are involved and engaged
- Action is being taken as appropriate to reduce the risks identified.
The local authority had just had its second assessment on the CPA and had moved from a 1 (weak) to a 2 (poor) on the risk management part of it. The overall CPA assessment was Excellent, so the question had been asked as to why risk management was so out of kilter with the overall picture.
Next, it was important to look at the organisational structure of the council. Like many local authorities, it had re-organised itself to make more sense of the elected members' powers and responsibilities. The 45 elected members, who previously had equal power to make or break decisions, had been re-organised into a cabinet of 12, with representative numbers from each party. The remaining members formed different scrutiny panels, including finance and audit, governance and performance.
The paid staff were led by a chief executive who reported directly to the leader of the council. Five departmental heads reported to her. She and her departmental heads formed what was called the corporate management team (CMT). Below them were the second and third tier management levels.
Now it was time to address the reasons for the process dying. This was done by determining who owned the process, who owned the output, and who owned the follow up. It was found that the risk manager was seen as the owner of the process, the owner of the output and the driver for change.
A list of the issues was then drawn up:
- ISSUE 1 Management do not own risk management
- ISSUE 2 Risk manager is seen as risk management owner
- ISSUE 3 Risk register is not being updated by management
- ISSUE 4 Management do not take action on the risk areas unless reminded by the risk manager.
In order to compile an improvement plan, analysis of the risk register process had to start at the beginning, looking at what had been done and how it had been implemented.
Strategy and plans
The risk management policy was fine up to a point. It stated:
- the overall vision, objectives and goals
- that they were going to manage the risks that threatened to stop them achieving their vision, objectives and goals
- that the necessary resources were going to be put in place to manage those risks.
What it did not say was who was going to lead the process. Nor did it say that all members of staff, senior management and elected officers would be expected to own the management of risk in their area of responsibility.
It also did not say that managing risk was a way to be more innovative by taking risks in a safe way, nor did it specify the expected outputs and measurements.
With the approval of the management board and cabinet committee, the risk management policy was therefore revised. The revised policy set out a draft strategy and plan, and included brief expectations of the risk management process in different areas, which echoed the Public Service Excellence Model (see Fig 1) being used in the performance management policy for the organisation.
Resource and people
The audit manager, to whom the risk manager reported, apparently led the risk management process, although she had clearly abdicated responsibility for it by delegating everything to the risk manager. Although providing lots of support, she gave no input or leadership. There was no clear owner for risk management on the CMT or on the cabinet, nor were the roles of the risk manager and audit team specified.
The recommended action was the implementation of a new reporting structure through the performance management team, which reported directly to the chief executive's office.
Risk assessment processes
The risk assessment process had been fairly thorough, and included risk identification, risk evaluation (with impact being measured on a financial scale only), and risk prioritisation.
However, there was room for improvement. For instance, it would have been better not to measure risk impact on a financial scale alone. Financial impact is not normally the main downside of a risk materialising in the public sector: reputation comes higher up the scale, as does failure to achieve performance indicators.
The risk prioritisation process could also have been more sophisticated if it had looked at ways of getting quick wins to gain hearts and minds and had taken risk tolerance into account.
The issue of current controls, and their effect on reducing the impact and frequency of risk, had also been fudged. This put the council at risk: controls can lose favour if they are not valued properly, and the residual impact of a risk (with existing controls in place) can be over-estimated, resulting in over-managing lesser risks and under-managing more important ones.
But the gravest error was that the council had not involved all levels of management in the risk identification process. Only the CMT had worked on it. This explained why the risk management process was a turn-off for second and third tier management. How could they take ownership of managing a risk that had been identified and prioritised by someone else?
The recommended action was a roll-out of the risk register to the next tier of management on a consultative basis. This meant that the next tier down would help in building up the knowledge base together and gain ownership in the process.
The action plans included in the risk register were looked at and compared to the organisational results outputs contained in the Excellence Model.
There was no clarity of expected outputs, apart from some general statements about reducing the highlighted risks. So a matrix of the key actions required to effect the desired risk improvements was drawn up, based on the Excellence Model's organisational results.
Part of the roll-out exercise was to get second tier management and below to workshop the matrices and draft performance indicators. The objective would be to see if they agreed that the identified risk actions did indeed have the most beneficial effect on the results.
The council had not got it completely wrong. All that was needed was a new framework that fitted the business environment better. As most criticisms in the CPA inspection had centred on the inability of the council to measure whether all staff were taking responsibility for risk management at all levels, this had to be addressed.
Fig 2 summarises the way in which the issues were outlined and solutions suggested.
Putting together a risk register takes time and dedication. It is essential therefore to ensure that it is done in the right way, so as not to waste precious resources. An effective risk register is one that develops under its own steam. This will only happen if all of those affected by the register are involved in its development.
Liz Taylor is managing director, Public Risk Management Ltd, Tel: 01626 355333, www.publicriskmanagement.co.uk
FIG 2: PROBLEMS & SOLUTIONS
PROBLEM: Management do not own risk management
SOLUTION: Re-issue the risk management policy to include:
- overall vision
- objectives and goals
- the leadership structure
- outputs and measurements.
Tie the risk management policy to the performance management policy.
PROBLEM: Risk manager is seen as risk management owner
SOLUTION: Move the leadership of risk management to the performance management team, and give ownership to management at all levels by rolling out the risk register to the next tier:
- consult with them on the key risks
- add risks that they identify
- re-evaluate impact on reputation and failure-to-achieve-performance-indicator scales
- evaluate risk tolerance
- re-prioritise risks on quickest wins
- look at current controls.
PROBLEM: Risk register is not being updated by management
SOLUTION: The roll-out exercise to be run as a series of workshops on draft matrices and draft performance indicators for improving risk management. This would link into the results on which managers are being measured.
PROBLEM: Management do not take action on the risk areas unless reminded to do so by the risk manager
SOLUTION: Management have the incentive to take action on their risk areas once it is clear that they have set their own targets. Monitoring will be done by the audit team.