The ACT government is confident that its new “cradle-to-grave” risk management framework will reduce wasteful spending of citizens’ tax dollars.
The collapse of the HIH insurance company has a lot of things to answer for. But among the horror stories of half-finished buildings, children’s playgrounds closed and lives and businesses ruined, there is one positive outcome — a greater awareness of the importance of risk management.
Suddenly faced with rising insurance costs (or worse, an inability to get insurance cover at all), many organizations realized that they needed to apply more stringent alarms and controls to their day-to-day activities, their expenditure and procurement, their dealings with the public and OHS. This has been driven largely by insurance companies demanding greater and more transparent risk management procedures from their clients.
For many organizations, particularly smaller ones, this has come as something of a shock as they suddenly realize how liable they have been in the past, and how much prevention they need to apply if they are to remain insurable.
Not least among these have been government agencies. Although many larger public sector organizations have had established risk management practices for some time, a lot of smaller ones are finding this a new and potentially burdensome responsibility.
The ACT government, which has hundreds of such agencies, is one of the first to do something about this, on a grand scale.
Earlier this year it rolled out its enterprise-wide risk management framework. This is designed to be “a uniform approach for departments and agencies to assess, manage and report key risks to government programs”, said ACT Treasurer Ted Quinlan when launching the program in February. “What this means for the community is an assurance that if there are risks to government spending, they are identified, assessed and mitigated so they are less likely to cause excess leakage from the public purse.”
The ACT government is confident the cradle-to-grave risk analysis, mitigation and treatment tool will help reduce the risk associated with IT projects and minimize wasteful spending of citizens’ tax dollars.
Employees involved in IT and other projects will be able to select a risk profile and receive a standardized set of risk exposures online in an AS4360-compliant risk matrix backed up by information and assistance tools to help them identify and mitigate operational risk.
To add spice to the declaration, and “to ensure that the framework is implemented seriously”, all senior executive performance agreements will include a risk management framework indicator written into new contracts and existing contracts on renewal.
And that might well include some CIOs.
ERM In Development
Enterprise risk management is really the third stage of a program to raise risk management awareness and build a risk management culture within the entire ACT community. Tom McDonald, director of Legal and Insurance Policy within the ACT government’s treasury department, says the risk management program is unique.
“We decided some time ago, once the insurance crisis really bit, that we needed to take a different approach. We saw that community organizations which were having the hardest time obtaining insurance cover were not well served in terms of understanding what business insurance risk meant,” McDonald says.
“The problem is that with the group scheme that was set up by Community Care, an underwriting agency that is a combination of three large insurance companies, the conditions under which insurance is available for community organizations includes two major criteria. One of them is risk awareness, and the other is fiscal responsibility.
“What we did for these people and for small business in the Australian capital region is that we built a full flow-through system within which you can profile your insurance risk — you can then identify what those risks are, you can plan for them, you can manage them, you can report on them, and you can exercise mitigation strategies — all online through the one Web site. That is unique. No one else has ever done it.”
The Web site (www.insuranceriskadvice.act.gov.au) gives managers of small businesses and community groups an overview of risk management, including preparation, structure, process, identification and evaluation, and reporting. It also includes a quick quiz to see how RM-minded you are, and a qualitative risk analysis matrix for establishing the level of risk and consequences. All of this is written in an admirably user-friendly style (“engaging rather than imperious” is how McDonald describes it).
“I took it upon myself as part of my communication responsibilities,” McDonald says, “as a result of two things — statutory changes to tort reform as a result of the insurance crisis, and secondly to take a communication strategy out to the public to help to explain what the insurance crisis was about, what had caused it, what we’re doing about it to attempt to resolve the problems, and what facilities we were going to bring to bear to make it easier for our community in general to be able to understand its obligations under the new regime of insurance contracting.”
This community service program began in June 2002. The second phase of the program involved ensuring that agency personnel have as good a grip on the issues as the clients they are dealing with.
“It’s no good having a bunch of small or medium sized businesses tendering for contracts with the ACT government if when the time comes for them to interact with the relevant sponsoring agency, there’s no understanding within the agency of what these people had to go through in order to maintain, say, mandated insurance levels for dealings with the government.
“I thought that was a major potential communications flaw.
“We were able to put everyone on the same page as far as what business insurance risk really is, what the obligations are on both sides of the aisle, and enable the organization and the agency to understand each other.”
With the communities and the agency personnel in sync, the third stage was to apply the same risk management practices to internal activities.
“Once we had tested our community and business engagement policy, then we felt comfortable that we had sufficient grip on the principles that we needed to impart to proceed with an enterprise-wide risk management framework for inside the government.
“As soon as we went to Cabinet with the ERM framework, it was well understood by the government exactly where we were headed.”
All ACT government agencies were invited to comment on the draft ERM policy.
There are two important points to note about the recently announced framework.
One is that it applies to all activities within government agencies. As the ACT Insurance Authority’s senior risk manager, Peter Heal, puts it: “Risk in the context of the ERM applies to all levels of risk in the organization: strategic, program and operational.
“The ERM is aimed at all activities and risks applicable to agencies. The generic risk management process can be applied to all these areas and its standardized approach ensures a uniform response across government.”
The second point is that it is a work in progress, with many agencies still coming to grips with the full implications of the framework for their activities and responsibilities.
Some agencies had already taken steps towards risk management in differing areas such as procurement. Heal says some have appointed risk managers and others are starting to work towards creating risk management coordinator positions.
The ERM approach recommends all agencies undertake a consistent approach to the assessment, management and reporting of risks. To ensure this, there will be a modified version of the existing community and small business Web site for use by government agencies. “It will be no less chatty than the existing sites,” says McDonald.
Included on this site will be packaged risk profiles covering different types of procurement, particularly IT, which agencies’ tender evaluators and contract managers will be able to access. These will represent the collective experience of the Legal and Insurance Policy division, procurement groups, the ACT government’s internal IT provider (InTACT), and anyone else from within or outside government circles.
These will not go as far as fully automated solutions (“because every project is different”); however, McDonald suggests that, in the case of IT, “there are particular bandwidths of procurement activity or consultancy activity that lend themselves to this type of thing”. He suggests areas such as recognized software “where you can identify what the risks are; integration is the main one [that springs to mind]. If you’re looking at new hardware, new software, different types of service provision, then you’re building your risk determinants from scratch”.
McDonald’s group will establish a series of risk benchmarks and standards that can be applied to particular types of projects. “We’re going to be able to identify a series of pattern risks which we can then program into our online risk planning tool.”
Anyone involved in an IT project (or any other project, for that matter) will be able to dial up the system, key in a particular profile, and they will then have a standardized set of risk exposures on an AS4360-compliant risk matrix.
Impact on IT
Views differ as to how the ERM will impact on IT units.
McDonald thinks it will be profound, while Michael Vanderheide, general manager of InTACT, thinks it is too early to tell.
“Everyone has a different perspective,” Vanderheide says, “although the more help we have in how to apply the policy, the better. One thing it will do is highlight areas where we are not currently doing any risk management.”
The ACT government and its agencies currently spend about $140 million a year on IT, of which half is through InTACT.
InTACT is the insourcing agency for computing and telecommunications for the whole of the ACT government (excepting some Territory-owned corporations), serving approximately 14,000 customers situated in over 300 locations. Primarily it looks at infrastructure (“desktop and back, telephone and back, Microsoft platforms”), leaving applications issues to individual agencies.
As an IT consultancy, Vanderheide says InTACT will likely develop RM plans with its customers. Some agencies, however, may choose to use external consultants, which Heal considers an effective way of fast-tracking the RM process. Nevertheless, he adds that this will only prove useful as long as the agencies do not lose sight of the fact that they are best able to manage the risk facing their agencies. “The external consultant can only facilitate the process. The Insurance Authority has provided tools and training that will greatly assist agencies to do their own risk assessment but this does not mean they cannot seek external help.”
Ultimately, McDonald wants the ERM to be seen as a positive move rather than an additional bureaucratic burden. “It’s all about facilitation, not frustration. It will be seen as a help to IT departments and managers. If it’s seen as a restriction, then I’ll have to change the strategy, because that’s not what I’m on about.
“These tools will raise their level of understanding of the generic risk descriptors of particular procurements, and enable them to see these risks a lot further up the track and down the track. Hopefully it will make for a shorter and more efficient procurement cycle and contract management.”
Risk management, whatever the attitude, is now part of the landscape.
“These things have come up, we know they exist, here’s one of the ways we can use to get around them, and to resolve them.”
And if they do not use them? There are always those executive contracts.
The Auditor-General will review the contracts of approximately 150 senior executives, down to second level (heads of agencies) across the ACT government, looking at their output statements and how they identify the risks applicable to those outputs.
New and existing chiefs will have their performances benchmarked. And of course, there is an incentive. If you do not comply, McDonald thinks it’s pretty simple: “You’ll lose your job”.
That’s a real risk.