The Commonwealth Auditor General is urging public sector leaders to adopt a more Churchillian view of risk management that looks on risks as opportunities, rather than being solely focussed on their potential threats.
Winston Churchill famously once said “the pessimist sees difficulty in every opportunity. The optimist sees the opportunity in every difficulty.” The Commonwealth is in the throes of sweeping reforms to its accounting, budgeting and governance frameworks and systems. Auditor General Pat Barrett wants the public service to capitalize on the opportunities the reforms present to advance the government’s pursuit of greater responsiveness and cost effectiveness, not to mention increased involvement of the private sector in service delivery.
Barrett concedes many of the reforms have posed real policy and administrative difficulties. But, he says, the optimists — himself included — also see them as creating significant opportunities, such as:
— a greater focus on the better use of resources, budgeting and accounting;
— promotion of greater understanding, transparency and ownership of financial information; using financial information to make more informed decisions; and
— cultivation of a culture of accountability and performance based on sound values and ethical conduct.
The ANAO sees risk management as an integral component of good governance that underpins the agency’s approaches to achieving both performance and conformance objectives, Barrett told an international conference organized by the Institute of Chartered Accountants of India, in Jaipur on the 12th and 13th March 2004.
“Risk management involves the identification, analysis, treatment, monitoring and communicating of risks,” he said. “In the public sector, risks are generally taken to represent threats rather than opportunities. That is, risks are identified as events that may prevent the achievement of business objectives much more frequently than events that may provide the opportunity to achieve additional benefits.
“Organizations in the public sector need to more frequently and comprehensively consider beneficial risks, as this would assist them to become less risk averse, and thereby enable them to more fully embrace the performance aspects of their conformance and performance objectives.”
While agency heads retain ultimate responsibility for risk management, all managers and staff have a responsibility to manage risk. Before they can do so the agency must create a risk assessment culture supporting a holistic approach to the identification and management of risk. Risk management must not only be a factor in higher-level strategy and planning processes but must also be seamlessly integrated into the organization’s day-to-day business.
“This concept of risk management is particularly important as the nature and significance of risks change in the public sector as the role of the public sector itself changes,” Barrett says.
And he says a lack of suitable risk management practices often lies behind adverse reports on administrative practices coming out of the ANAO.
An integrated risk management system develops the control environment and control activities, making it reasonably sure the organization will be able to achieve its objectives with an acceptable degree of residual risk. Agencies taking such an integrated approach ensure all major decisions are considered in terms of sound risk management principles.
And Barrett says in the ANAO’s experience, integrating an organization’s approach to control with its overall risk management strategy is vital if the agency is to be able to determine and prioritize the functions and activities that need to be controlled. Control activities to mitigate risk must be well designed and implemented and relevant information regularly collected and communicated throughout the organization.
The control framework needs to reach the right balance between an environment that is unnecessarily restrictive and one that unduly encourages risk-averse behaviour, he says.
And the control structure must provide a linkage between the agency’s strategic objectives and the functions and tasks undertaken to achieve those objectives.
“A good governance model will include a control and reporting regime which is geared to the achievement of the organization’s objectives and which adds value by focusing control efforts largely on the ‘big picture’ and not simply on particular processes,” he says.
And he recommends boards should formally accept responsibility for reviewing the effectiveness of internal controls.