How do we engage key decision-makers in the process of identifying and managing risks that threaten the achievement of organisational objectives? This remains a difficult nut to crack, despite the requirements of corporate governance, the recommendations of the UK Good Governance Standard for Public Services, the assurance requirements of the Statement on Internal Control and, most recently, the requirement for a community risk register as part of the Civil Contingencies Act.
The identification of strategic risks is often undertaken by convening workshops with key decision-makers to capture a snapshot, or risk profile, of the organisation's strategic risks. This risk profile is then often uploaded to a database or spreadsheet and resides only on the risk manager's personal computer.
This approach is woefully inadequate for a dynamic business environment, and leads to protests that it is bureaucratic rather than pragmatic. We need to move firmly away from it and anchor the endeavour to a clear-sighted set of objectives for achieving effective risk management, rather than a demonstration that risk management has taken place at some six-monthly or annual workshop. After all, it is in the management of the identified risks that the work of mitigating action needs to take place.
How then to engage key decision-makers in a structured approach to capture the changing risk profile of the organisation and communicate this, where appropriate, to other key decision-makers who might be affected by the risk, or capable of implementing effective controls?
Our answer is: you need a desk-top system for key decision-makers, so that they can swiftly and effectively share risk information on a need-to-know basis. The system must provide for communicating and implementing control requirements, provide diary and reminder functions, and give the capability of tracking and monitoring progress in achieving an acceptably managed risk profile.
The procurement and implementation of an intranet-based risk register management system for Sussex Police was an identified requirement in the Force Risk Management Strategy established in 2003.
For Sussex Police, this led to the development of a specification of requirements for the IT solution, taking into account not only the functional specification, but also the organisational culture that would influence the potential for successful implementation. This is no mean feat in an organisation that is adept at daily taking and managing risks as a fundamental part of its core business.
With the specification of requirements drafted, we then researched the available options in off-the-shelf risk management systems. At the time we carried out this research, there were relatively few computer-based risk management systems available within our budget, and many were being actively developed and changed as the market for them matured.
This presented problems with evaluation. It soon became apparent that in adopting an off-the-shelf system, you are offered a whole raft of functionality, some of which is useful and some of which may be unwelcome or unsuitable for your organisation. This is quite understandable from a supplier's marketing point of view, but can result in an overly-complicated system that reduces the user-friendly component so essential for buy-in to new information systems.
With a clearer understanding of our requirements, and having already established that the in-house development potential of a system was not realisable, we carried out a marketing exercise and evaluated the results.
This led to the award of a contract to Orchid Software of Newcastle-upon-Tyne, who were prepared to develop a software tool to meet our specific requirements for an intuitive, Windows-based risk register management system.
A project board was then established, overseen by the force risk management group, to smooth the development and implementation process. The board consisted of the director of resources, the risk manager, performance analysts, corporate planners, a senior police officer, an IS manager, the IT training manager and a contractor representative.
What we got
What are some of the functions that the intranet-based risk register management system provides for Sussex Police?
- A structured system for identifying, assessing, managing, reviewing, monitoring and reporting of risks to key decision-makers within Sussex Police
- A 100-user capacity
- Hosted on the force intranet
- Easy access
- Intuitive Windows-based system
- E-mail system requiring review of risks by risk owners
- E-mail reminders
- E-mail system advising those with a responsibility for controls
- Review function reminders by diary system
- Support structure and systems to aid key decision-makers in the day-to-day management of risks
- Search and sort functions
- Reports in view-only and printable format
- Risks linked to functional responsibilities
- System to track interdependencies
- Control over access to view risks
- Audit trail linking user with actions taken
- History of versions of each risk every time it is reviewed
- Archiving facility
- System for transferring risks to a new user with functional responsibility
- Capacity for further development of the system functions in the future
Interestingly, Orchid Software have as part of their logo the statement 'power through simplicity'. This is highly appropriate as it is just what we have been trying to achieve. That said, sitting behind that simplicity is an immense number of complicated structures to make the user interface simple and intuitive. To support the user further, a help screen of additional information can be accessed by clicking a radial help button at key points in the process of logging and managing risks.
Throughout the development process there were demonstrations of progress to the project board and the risk management group. In addition, we carried out a limited pilot stage, where selected users tested the functionality and user-friendliness of the system. This enabled us to engage users with the system prior to full implementation, so that any suggestions for amendment could be secured prior to the full implementation on 1 June 2005.
In advance of the pilot stage and full implementation, users were provided with a half day training course. Just prior to full implementation, this was supplemented by the publishing of a user manual and procedures for reviewing and uploading the existing risks from our old risk register within a fixed period of time. This provided a kick-start to getting the users onto and using the system.
Moving to an intranet-based system confers many advantages. Importantly, one of these is that risks identified can have a very short or a long timeline. Thus, if an imminent risk needs action, you can log it within a structured, recognised system for assessment and communicate it virtually instantly to those who need to know, identifying those that may be affected should the risk occur. Hitherto, such communications are likely to have had significantly less structure, and probably did not set out the cause, the risk and the consequence in the structured way that the risk register facilitates.
The successful achievement of any intranet-based risk register with multiple user access relies heavily upon the engagement of users in the process of identifying and managing risks in this way. Training in use of the system and why the system is necessary is of course essential, but of greater importance is the evidence that key decision-makers themselves are not only supportive but are active users of the risk register. This last point will doubtless be the greatest challenge to successful implementation in any organisation.
A risk register system like this, aligned with internal processes for setting organisational strategic plans, or divisional/departmental plans, allows users to continually assess the threats to the achievement of those plans and implement actions to reduce those threats by effective control measures. For us, it is aligned with the National Intelligence Model and Strategic Tasking, and together these will drive the performance challenge.
With our intranet-based risk register in place we have facilitated the process of embedding risk management into our organisation. Having taken this strategic decision we must now ensure that we meet the challenge of using it effectively. Risk registers and risk assessment are now part of the expected approach to systems of internal control and good governance.
It is only a matter of time before public enquiries and legal processes demand access to the state of these registers just preceding some adverse event. If we have adopted a structured system to identify, assess, share, manage, review, monitor and report on significant risks, we will be best placed to show ourselves in a good light.
Finally, it is important to remember that embarking upon a project to develop software for a risk register should not be entered into lightly, and we did not do so. The result is that we have an application which is best suited to the organisational needs of a policing service, and which has the potential for enhancement in functionality in the future. Quite simply, it is the pragmatic approach we desired.
- Linda Manley is risk manager, Sussex Police.
The Good Governance Standard for Public Services
The standard presents six principles of good governance that are common to all UK public service organisations and are intended to help all those with an interest in public governance to assess good governance practice.
1. Good governance means focusing on the organisation's purpose and on outcomes for citizens and service users
2. Good governance means performing effectively in clearly defined functions and roles
3. Good governance means promoting values for the whole organisation and demonstrating the values of good governance through behaviour
4. Good governance means taking informed, transparent decisions and managing risk
5. Good governance means developing the capacity and capability of the governing body to be effective
6. Good governance means engaging stakeholders and making accountability real