Perhaps the greatest challenge for public sector risk practitioners is to develop a framework for measuring risk performance - demonstrating both the activity of their risk functions and the less tangible issue of how risk management adds value to their organisation and its objectives.
Performance measurement of the risk function can be easily reported against attainment of the service plan, or justification as to why it cannot be achieved. In this way, measuring of the risk function is no different from any other function or service.
But we must be clear where the real challenge lies. ALARM believes it is in measuring the impact that the risk management ethos adds to the organisation.
Historically, when risk management was more stringently co-aligned to insurance costs and financial risks, quantitative measures were used as a performance indicator. The cost of procuring insurance, the number of claims that were successfully dealt with and the overheads of running a risk function in terms of the size of the organisation are examples of what was traditionally measured.
However, these costs were difficult to benchmark externally against similar public sector organisations. For example, the roles and responsibilities of functions varied, methods of self-financing risk and levels of deductibles were unique to each organisation, and there was a marked reluctance for insurance providers to exchange data considered commercially sensitive.
This meant that organisations were able to measure their performance internally, but struggled to find any external comparison.
ALARM has previously endeavoured to capture the cost of risk across its members in an effort to develop an effective means of external comparison.
But, given the difficulties, take-up was poor and the results therefore skewed. However, ALARM is currently working on providing a benchmarking opportunity that builds upon the joint exercise undertaken with the Audit Commission.
Measuring performance
With the development of enterprise risk management in the public sector, the measurement of risk performance has become even more difficult, as the impact of risk management initiatives delivers less tangible benefits.
However, we should focus on a definition of risk that is widely accepted - 'the chance of something happening that will have an affect on the organisation's objectives'. This suggests that measurement of risk should provide evidence of risk management initiatives being used to ensure organisational objectives are met, and progress against implementing such measures is an essential performance measure.
So, in terms of public sector organisations, and local authorities in particular, individual services should consider risks that will prevent them achieving their service level objectives as part of their business planning process. Once identified, they should report through an established process on progress in implementing and reviewing those initiatives.
This will provide evidence of a comprehensive and robust approach to risk management.
The Comprehensive Performance Assessment for 2005 will require such evidence as a means to demonstrate how risk management adds value to front line services, and subsequently to the community which the organisations serve.
But such measures also provide demonstrable evidence of that favourite and much abused word 'embedding', both to the corporate management board and other stakeholders, such as insurance providers.
Risk is a dynamic topic and one performance measure will not truly measure the many facets of an enterprise risk approach. Many risk management initiatives lend themselves to an assurance-based approach. Risk standards for the management of property, people, finance and health and safety can easily be set out. The difficulty is in ensuring implementation and sustainability of such standards.
If attainment of risk standards, or striving for attainment of such standards becomes a reportable performance measure for all services, the basis of a governance framework begins to emerge. Such information should be one of the reports regularly considered by the corporate management team, and published in assurance statements to stakeholders and customers.
Perhaps the most challenging of all performance measures are the feel-good factors that demonstrate a robust and thriving organisation, because many will be vested in qualitative rather than quantitative measures.
However, since public sector bodies are service driven and therefore dependent on people, it is important that an organisation recognises that losing experienced and critical staff is a significant risk to its ability to deliver. If recruiting high calibre staff is also difficult, then a further risk develops.
It is a brave organisation that will use a satisfaction survey to identify the robustness of its organisation, and genuinely commit to improving areas of dissatisfaction. Qualitative data can be benchmarked against the quantifiable statistics for staff turnover and absence figures, for example, and an indicator can be developed for year-on-year measurement.
Clearly these are just some of the possible means of measuring risk management.
As time goes on, slicker and more succinct ways may evolve. The challenge for risk practitioners is to consider and identify some form of risk performance measure. Practitioners can no longer hide behind the premise that you cannot prove you prevented a disaster. If risk management is to become an integral way of operating in the public sector, it is essential that it is not seen as an additional responsibility, but as something that can be demonstrated to add value to the real reason organisations exist - to deliver on their objectives.
Carolyn Halpin is chairman of ALARM - The National Forum for Risk Management in the Public Sector,
