When it comes to risk management, the public sector faces a significant challenge in achieving the right balance between prudence and innovation, yet determining that balance is an exercise in risk management itself.
And Commonwealth Auditor General Pat Barratt says public sector organisations — which are making some progress — must increasingly move away from managing risks by “silos” to the enterprise risk management approach quickly becoming the best practice standard.
Addressing the Canberra Chapter of the Australian Institute of Risk Management earlier this month, Barratt said governing bodies must embed a culture of risk management in organisations — public and private — that makes consideration of risks and risk mitigation strategies second nature to managers at all levels. This is nowhere more important than in the public sector, where changes in the way services are provided are increasingly opening the way to greater private sector involvement and hence changing the nature and significance of risk.
“From a public sector perspective, I see risk management underlying many of the reforms that are currently taking place,” Barratt says.
The CPA Australia survey of thirty-one public sector agencies from the three tiers of government (CPA Australia Risk Management Survey 2001) showed risk management is becoming entrenched within the public sector and is resulting in better performance. As a result the public sector is now more accountable, better managed and a better service provider than it was in the mid-1990s. But Adam Awty, the public sector policy adviser for CPA Australia, has noted the challenge for the future is to develop mature methodologies such as risk-performance indicators and benchmarking.
“Public-sector agencies also need more sophisticated skills to monitor, communicate and link risks directly with corporate objectives,” Awty has said.
And Barratt notes that risk management is too often seen as a defensive strategy in keeping with the risk-averse culture of the day. As one commentator has observed:
“The contemporary view of risk management involves treating risk in the context of business strategy and senior finance professionals and chief risk officers are responsible for moving the agenda away from risk minimisation to risk optimisation so that the process drives performance and creates shareholder value. This is opposed to the traditional view, which has connotations of loss prevention and transfer through insurance mechanisms and the hedging of financial risks with derivatives”.
Barratt says the ANAO’s current audit of “management of risks and insurance”, due to be tabled next month, captures a significant change in attitudes to management of both insurable and the more challenging non-insurable risks over a relatively short time in both the public and private sectors. It also shows the public sector has some way to go in aligning strategic objectives and risk management.
“The traditional approach to managing risk has at best produced limited effective results. In the past, risk management was highly fragmented from an organisational perspective and, over time, it has been increasingly apparent that a fragmented approach, such as managing risk by silos, does not work because risks are highly interdependent. Moreover, a segmented approach does not provide senior management nor any board with aggregated risk reporting,” he says.
“The importance of taking a whole of organisation, or holistic, approach to the management of risk cannot be underestimated. James Deloach, an early pioneer and advocate of this approach, considers that an enterprise-wide approach to business risk management improves the linkage of risk and opportunity and positions the business risk management as a competitive advantage. He offers the view that current approaches are too firmly entrenched in command and control and thus rooted in the past. Such practices cannot adequately deal with an entity’s continually evolving risks and opportunities.”
As a result, Barratt endorses the answer Deloach proposed: the Enterprise-wide Risk Management model.
The ERM approach is now widespread enough to be recognised as the emerging orthodoxy. However, the inter-connectedness of risks across an organisation can only be identified and managed when the organisation shares risk and control knowledge across its functions, Barratt says.