Lessons from a practitioner

While I was Chief Risk Officer of PWGSC, my office undertook in April 2007 a review of the experience of several countries in embedding the discipline and culture of risk management into government practices. Based on the results of the study, we learned that strengthening risk management requires governments to:

• improve the machinery of risk management
• overcome the challenges to embedding risk management into organizational culture.

The machinery of risk management

Getting clarity on purpose, desired outcomes and objectives
Defining key success factors and risks
Performance measures and risk indicators
Integration of risk management into business processes
On-going learning and re-alignment.

We found there has been a marked shift from a risk assessment approach (that limits its scope to identification, quantification, and monitoring of risk without making a strong link to organizational performance) to a risk management approach (that focuses on anticipating threats and opportunities so that the organization is ready to respond and adapt to ensure the achievement of objectives and desired outcomes).

Modern risk management approaches involve defining objectives, strategies, and criteria for success; managing performance to achieve objectives; being ready for risk (opportunities and threats to objectives); and learning and adapting.

Defining key success factors and risks

• Define the key factors for success up front. This means understanding the interdependencies between people, processes and systems and the resulting cause and effect relationships for success (and failure).
• Manage these well throughout the implementation phase of programs, projects and contracts. At a basic level, failure to deliver on key success factors for quality is the essence of operational risk.

Then and only then:

• Identify the risks to objectives. Typically consider those events or changes (to circumstances as they are currently understood) that would hinder or help the agency in the achievement of its objectives.

Performance measures and risk indicators

Lack of clarity regarding measures (past results) and indicators (expected future results) of performance can lead to misalignments between strategic and implementation levels within organizations as well as between policy and service arms of the bureaucracy.

Organizations need to translate organizational performance measures into key performance indicators for individual managers and employees. Australia Post, for example, uses key performance indicators to drive alignment with corporate objectives.

Integration of risk management into business processes

Recently, leading organizations have worked to weave risk management into other existing critical business management processes, such as:

• Policy making
• Strategic planning
• Program and project planning
• Implementation/operational management
• Program/performance monitoring
• Audit
• Assurance
• Spending review
• Continuous improvement and organizational learning.

On-going learning and re-alignment

A robust and embedded risk management process helps to navigate expected and unexpected events and circumstances, whether they are positive or negative.

To navigate these changing circumstances, organizations need to establish a learning atmosphere:

• This should include a process of realigning strategies and plans to reflect new circumstances and a deepening of knowledge.
• Learning also extends to the organization in terms of identifying and addressing systemic issues that lead to implementation difficulties and ineffective risk management.
• Enterprise risk management pioneers in both the public and private sectors warn against taking a 'big bang' approach. Instead they recommend taking small, manageable steps, i.e., an incremental approach of continuous learning.

A safe learning environment is needed for innovation. A safe learning environment means focusing on what needs to be done to bring performance back into line with expectations or where things can be done better or more efficiently.

This requires a blame-free culture. Blame-free does not mean a lack of accountability or an excuse for negligence. It means being encouraged to, expected to and rewarded for raising risk issues.

The cultural challenges to embedding risk management

Improving the machinery of risk management is only half of the equation. Culture is the other half. To reap the full benefit of risk management, it needs to become ingrained in how people make decisions and do their jobs.

Our review identified a number of common challenges to embedding risk management into organizational culture:

• Getting executives to engage in risk management
• Lack of buy-in from middle managers
• Managing complexity and delivery partnerships
• Dealing with external factors
• Establishing appropriate accountability / resisting bureaucratic approach
• Collaborating to support whole-of-government approaches
• Nurturing risk management practices until the culture reaches maturity.

Getting executives to engage in risk management

At a senior level, executives need to move beyond being briefed on risk to:

• actually determining what needs to be done to manage risk
• allocating resources to manage it
• assigning accountability, i.e., a risk owner who has authority and resources to manage risk.

To address this challenge, New Zealand and UK have embedded risk management specialists in departments to support senior management in the development of risk methodology and to coordinate risk management improvements.

Organizations need to find a way to bring mistakes and barriers (unforeseen or not) forward in timely fashion and in a way that is safe. And they need to improve assurance and monitoring.

Finally, governments can raise the profile of risk management. For example, the most senior officials (e.g., Australia's Auditor General and the Secretary of the Department of the Prime Minister and Cabinet) give speeches regularly on risk management related topics.

Lack of buy-in from middle managers

Middle managers often believe that risk management is a process that “gets in the way”.

They may need to recover from years of consultants doing risk management reports that end up on a shelf. When approached about risk management, they may seek a pro-forma quick-fix solution.

To address this challenge, organizations need to market the benefits of risk management as a process that produces worthwhile results. They need to demonstrate the short-term and long-term value of risk management. Supportive senior managers can push risk management down through middle management by, for example, advising on the kinds of questions to ask that would force middle managers to think through their particular risk management circumstances and strategies.

Managing complexity and delivery partnerships

The growing complexity in service delivery chains that often involve multiple organizations from both the public and private sector can significantly increase both

• the level of risk and
• the management burden to address it.

Governments are addressing this challenge by:

• Encouraging open scrutiny and understanding by leaders of where risk fits into the overall scheme of things.
• Creating mechanisms to promote open communication and to support learning from each other.
• Promoting better mechanisms for, capabilities in, and attitudes towards collaboration.

Dealing with external factors

Many public sector managers struggle with how to incorporate external risks into their risk management framework.

Organizations must recognize that a different management stance is needed for external factors (events and conditions originating outside the organization, e.g., weather, actions of stakeholders and regulators, socio-economic trends, etc.) than for internal factors (over which the organization has control, i.e., people, processes and systems).

For effective management of external factors, the focus should be on:

• awareness (e.g., environmental scans, development of warning systems)
• relationships (with key stakeholders, including delivery partners customers and citizens)
• responsiveness (to changes in the environment, e.g., the impact of the internet on communications, including the ability to disseminate and disclose information).

Establishing appropriate accountability / resisting bureaucratic approach

Organizations often lack appropriate and effective lines of accountability and reporting about performance and risk management that align through all management levels and across organizational silos. Not every risk has an owner who has both accountability and authority to make decisions about what to do to manage risk.

To address this challenge, organizations should:

• Align corporate, business unit, and individual performance measures and link them to incentives, e.g., incorporate risk management into key performance indicators and employment contracts.
• Align consequences with desired outcomes:
  • People should be rewarded for making decisions and for early escalation of issues that require a decision or other action.
  • They should get into trouble for undue delay in making a decision and not communicating about emerging issues.
  • Encourage open dialogue to ensure informed judgment.
  • Encourage a blame-free culture to enable sharing and learning.

Collaborating to support whole-of-government approaches

At an institutional level, governments can establish working groups to deal with multi-jurisdictional issues. For example:

• The Council of Australian Governments (the Prime Minister + State Premiers).
• The UK's Civil Contingencies Secretariat, which coordinates cross-departmental responses to significant emerging risks, such as SARS.

At a cultural level, governments can encourage collaboration between officials across departments.

• Australia's Management Advisory Committee, a forum of Secretaries and Agency Heads, has produced Guidance on “Connected Government” and “Working Together”.
• New Zealand has published guidance on “Getting Better at Managing for Shared Outcomes” to improve inter-agency collaboration, decision-making, and delivery.

Nurturing risk management practices until the culture reaches maturity

One technique for maintaining the interest of executive leadership is to align risk management practices with high profile management initiatives.

Governments can also facilitate the tracking of progress towards risk management maturity by developing self-assessment tools for departments.

Finally, governments can provide resources to central agencies for outreach and coordination of networks that support sharing across departments.

Copyright © 2007 CCAF-FCVI
Privacy Policy