Select Committee on Public Accounts Minutes of Evidence

Memorandum submitted by the Cabinet Office and HM Treasury (PAC 00-01/30)


  1.  The report by the Comptroller and Auditor General, Supporting innovation: Managing risk in government departments, published on 17 August 2000, describes the evolution of risk management in government up to August. This memorandum provides an update on developments since then.

  2.  This memorandum sets out:

    (i)  the respective roles of the Cabinet Office and HM Treasury in improving risk management across government;

    (ii)  progress by departments in improving risk management since the publication of the NAO report.


  3.  The Cabinet Office has responsibility for implementing Modernising Government which aims to improve service delivery to citizens. As part of the programme to encourage innovation and manage risks better, the Cabinet Office requried all departments to prepare a risk management framework by September 2000 and issued guidance and advice to help departments prepare their frameworks.

  4.  The Treasury is repsonsible for providing guidance to departments on risk management needed to support the production of an annual statement on internal control by Accounting Officers. Treasury is seeking to apply the principles in the "Turnbull Report"[1] to central government. Treasury requires departments and other bodies to produce a Statement on Internal Control as part of their annual accounts from 2001-02. Key to this is for each body to have risk identification and management processes in place. Treasury asked departments to make a progress report by October 2000 on the development of risk assessment processes related to their Statements of Internal Control and issued the "Orange Book" advice to help them.

  5.  Treasury and Cabinet Office have set up a Risk Management Steering Group, chaired by Treasury, and including representation from Treasury, Cabinet Office, NAO, ILGRA (the Inter-Departmental Liaison Group on Risk Assessment) and departments to advise on, and facilitate, the consistent and co-ordinated development of policies and guidance relating to risk across central government. It first met in November and embarked on the production of a map identifying the sources of guidance on risk across central government. Terms of reference and details of the group are at Annex 1.



Requirements on departments and support by Treasury

  6.  Treasury has consulted departments extensively on how to incorporate the principles of the Turnbull report into central government. This culminated in the production of a DAO letter on 22 December (DAO Gen 13/00 Corporate Governance: Statement on Internal Control) which will require the introduction of a Statement of Internal Control (SIC) from the financial year 2001-02 onwards. Departments had been asked to report to Treasury by the end of October 2000 indicating their progress in putting in place arrangements to support production of an SIC and the preparations which they were making with developing and implementing a strategic risk management process. These reports were intended to keep track of progress so that Treasury could direct its support appropriately. The results from an analysis of these progress reports are set out in the section below.

  7.  As mentioned in the NAO's report (eg fig8, page 40) Treasury recognised that departments needed guidance on applying risk management at a strategic level and consequently produced "Management of Risk—A Strategic Overview" (the "Orange Book")[2].

  8.  While there is much guidance related to the application of the Turnbull report to private sector companies, Treasury recognised that there were significant differences between public and private sectors and therefore that guidance tailored to the public sector was needed.

Progress by departments in meeting Treasury requirements

  9.  In summary, 38 Progress Reports have been received by HM Treasury.

  10.  All departments, where relevant, reported that they were taking steps to ensure appropriate action in their Executive Agencies and NDPBs.

    (i)  29 (76 per cent) bodies indicated that they expected to make an SIC for 2001-02 which certifies that all appropriate systems are in place;

    (ii)  9 (24 per cent) bodies indicated that they expected to make an SIC for 2001-02 which records work still to be done;

    (iii)  11 (29 per cent) bodies indicated that they had established a new Committee or team to take forward risk management issues. All bodies indicated that they were actively undertaking work to ensure that appropriate strategic risk management processes were put in place;

    (iv)  19 (50 per cent) bodies particularly indicated that risk managment is now being embedded into their business planning mechanisms.



Requirements on departments and support by Cabinet Office

  11.  As part of the Modernising Government Action Plan, the Cabinet Office required 21 major departments[3] to publish, by September 2000, the framework and procedures they use for reaching decisions on the risk for which they were responsible. These published frameworks were intended to cover the external risks or risks to the public, in particular, health, safety and environmental risks, but not the full range of risks faced by the organisation.

  12.  Building on earlier guidance provided by ILGRA, the Cabinet Office told departments to address:

    (i)  how they identified such risks;

    (ii)  how they obtained information about the impact on the public of risks;

    (iii)  how they are assessed risks, taking into account expert advice and uncertainty;

    (iv)  how they identified options to deal with risks, taking into account constraints, such as international obligations;

    (v)  how they made decisions on risk management, including criteria Departments use to decide when further risk reduction is necessary, taking into account costs and benefits to society and, where necessary, using a precautionary approach;

    (vi)  how they implement such decisions, including principles guiding interventions (eg education, information, inspection etc) and on whom to target interventions;

    (vii)  how they intended to evaluate the effectiveness of their actions;

    (viii)  how stakeholders are engaged throughout the process.

  13.  The Cabinet Office recognised that in some cases departments did not have a single overarching framework under which risk management decisions were taken—different areas might have their own tailor-made procedures. In such cases, Cabinet Office guidance was that it would be appropriate to describe how these were handled in each area.

Publication of frameworks

  14.  To date, 17 departments have completed and published their risk management frameworks. The remianing four departments have agreed with the Cabinet Office to finalise and publish their frameworks during January 2000. Most have been published on departmental web-sites, although three departments also published hard copies. Copies of the departmental risk frameworks have been placed in the Libraries of the House of Commons and House of Lords as they have been published. The web-site addresses of the published risk-management frameworks are given in Annex 2.

Next Steps: Initial Evaluation

  15.  Many departments, in producing their risk management frameworks, were clear that this was only one step towards developing better risk management. At its meeting on 7 November 2000, the Interdepartmental Liaison Group on Risk Assessement (ILGRA), approved progress on the risk management frameworks so far and asked that all outstanding frameworks should be published before its third Report to Ministers. ILGRA asked the Cabinet Office to undertake an analysis of the frameworks, to check their coherence, the extent to which they met the guidance issued by ILGRA and the Cabinet Office, and to report the results to the next meeting of ILGRA in May 2001. This analysis is under way. In the light of this evaluation, the Group will then advise on the requirements for new central guidance on risk-assessment and on evaluation of departments' risk management in practice.

Cabinet Office
HM Treasury

January 2001

1   Internal Control: guidance for Directors on the Combined Code can be found at Back

2   Not printed. Back

3   Ministerial departments plus non-ministerial departments and agencies responsible for managing significant risks to the public not covered in departmental risk frameworks. Back

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2001
Prepared 31 July 2001