The quality of risk management in every local authority in the United Kingdom is coming under the scrutiny of the Audit Commission as a result of the comprehensive performance assessments (CPA) process now under way. The CPAs are part of the national programme for improvement in local government.
In the first batch of CPAs published at the end of 2002, the Audit Commission gave an excellent rating to only three of 150 larger authorities for the risk management element of the assessment. One of the top three was Sunderland City Council, whose head of procurement and risk management, Dave Fleetwood, is also the chairman of ALARM, the national forum for risk management in the public sector. The other two were Dorset County Council and St Helens Metropolitan District Council.
According to ALARM, the vast majority of councils received an 'adequate' rating for risk management, but a number were judged inadequate. While naturally delighted with the report on his own council, Fleetwood commented: "Comparing the marks awarded to risk management and other specific issues within the corporate assessment scrutinised by the CPA, it appears that this is one of the weakest areas throughout all 150 councils which underwent assessment. This demonstrates that there is still some way to go in identifying the risk associated with the work of local authorities and managing out that risk."
The Audit Commission has taken an official interest in formalised risk management in local government since 1997, and in July 2001 it published a major report, Worth the Risk – improving risk management in local government. The Audit Commission believes that, while good risk management is important in all organisations, it is especially so for local government to deliver public services effectively and ensure that the council is well run. Authorities are not expected to eliminate risks, but control the ones which could damage its strategic objectives or reputation.
Further guidance for local authorities has come from a number of organisations, notably the Society of Local Authority Chief Executives and Senior Managers (SOLACE) and Chartered Institute of Public Finance and Accountancy (CIPFA). It divides governance measures into five dimensions, of which risk management and internal control are one.
ALARM has also been involved in setting out best practice for the public sector, first in cooperation with CIPFA and, in 2002, in the creation and publication of the risk management standard, working with the AIRMIC and the risk management educational body, the Institute of Risk Management (IRM).
Despite this extensive attention to the subject, a survey of all local authority chief executives, directors, finance and risk managers in England, carried out in March 2003 by Zurich Municipal, found that only about two-thirds of larger, single tier authorities, those which have already been assessed, believe that risk management played a key part in preparing their authority for the CPA.
All the authorities who achieved an excellent rating considered risk management as significant, but 28 % of those graded satisfactory or unsatisfactory regarded risk management as not significant. However, among district councils, where CPAs are taking place during 2003 and 2004, over 90% of respondents felt that risk management will play a key part in preparing their authority for the corporate assessment element.
Dave Fleetwood believes that many authorities still give insufficient priority to strategic risk management. "Many of our members are still struggling to gain senior management and elected member commitment and input to both strategic and operational risk management."
The main obstacle to better risk management in local authorities, says Ian Horwood, risk management adviser to the CIPFA's better governance forum, is that they have so many other priorities. However, he underlines the stated view of SOLACE: "If a council does not have effective risk management, then it does not have effective management"
Horwood says that few senior officers have risk management training, and that smaller authorities often do not have a professional risk manager. He believes that making the chief internal auditor responsible for risk management, as some councils have done, has drawbacks, but that authorities can quite reasonably adopt different approaches. The main issue is to get risk management embedded in the culture of the organisation.
Embedded is a word used by all concerned in improving risk management in local government. It is key, because of the diversity of the objectives and responsibilities involved.
Lindsay Cox, managing director of Risk Governance, which has created a software application of the same name, believes the task does not have to be as daunting as it seems. "What the authority has to be able to do is to demonstrate what it did, why it did it and when." With web-based technology and XML web language, he argues, this can be comparatively straightforward and inexpensive. Licence fees for Risk Governance, for example, can be under £20,000 a year for a small district council.
From a design point of view, says Cox, to be successfully embedded in the organisation any risk management system will need a high degree of usability and scalability so it can support a large number of users.
Certainly, he says, the authority has to structure the risk management process in the first place and clear lines of authority and risk definitions are essential. But then, the Audit Commission will require that as part of CPA in any case.
Lee Coppack is a risk management and insurance journalist and former local government reporter.