Memorandum submitted by the Cabinet Office
and HM Treasury (PAC 00-01/30)
MANAGING RISK IN GOVERNMENT DEPARTMENTS
1. The report by the Comptroller and Auditor
General, Supporting innovation: Managing risk in government
departments, published on 17 August 2000, describes the evolution
of risk management in government up to August. This memorandum
provides an update on developments since then.
2. This memorandum sets out:
(i) the respective roles of the Cabinet Office
and HM Treasury in improving risk management across government;
(ii) progress by departments in improving
risk management since the publication of the NAO report.
RESPECTIVE ROLES
OF THE
CABINET OFFICE
AND HM TREASURY
IN RISK
MANAGEMENT
3. The Cabinet Office has responsibility
for implementing Modernising Government which aims to improve
service delivery to citizens. As part of the programme to encourage
innovation and manage risks better, the Cabinet Office requried
all departments to prepare a risk management framework by September
2000 and issued guidance and advice to help departments prepare
their frameworks.
4. The Treasury is repsonsible for providing
guidance to departments on risk management needed to support the
production of an annual statement on internal control by Accounting
Officers. Treasury is seeking to apply the principles in the "Turnbull
Report"[1]
to central government. Treasury requires departments and other
bodies to produce a Statement on Internal Control as part of their
annual accounts from 2001-02. Key to this is for each body to
have risk identification and management processes in place. Treasury
asked departments to make a progress report by October 2000 on
the development of risk assessment processes related to their
Statements of Internal Control and issued the "Orange Book"
advice to help them.
5. Treasury and Cabinet Office have set
up a Risk Management Steering Group, chaired by Treasury, and
including representation from Treasury, Cabinet Office, NAO, ILGRA
(the Inter-Departmental Liaison Group on Risk Assessment) and
departments to advise on, and facilitate, the consistent and co-ordinated
development of policies and guidance relating to risk across central
government. It first met in November and embarked on the production
of a map identifying the sources of guidance on risk across central
government. Terms of reference and details of the group are at
Annex 1.
PROGRESS BY
DEPARTMENTS:
(I) PROGRESS
ON PREPARATIONS
FOR A
STRATEGIC RISK
MANAGEMENT PROCESS
FOR STATEMENTS
OF INTERNAL
CONTROL
Requirements on departments and support by Treasury
6. Treasury has consulted departments extensively
on how to incorporate the principles of the Turnbull report into
central government. This culminated in the production of a DAO
letter on 22 December (DAO Gen 13/00 Corporate Governance: Statement
on Internal Control) which will require the introduction of a
Statement of Internal Control (SIC) from the financial year 2001-02
onwards. Departments had been asked to report to Treasury by the
end of October 2000 indicating their progress in putting in place
arrangements to support production of an SIC and the preparations
which they were making with developing and implementing a strategic
risk management process. These reports were intended to keep track
of progress so that Treasury could direct its support appropriately.
The results from an analysis of these progress reports are set
out in the section below.
7. As mentioned in the NAO's report (eg
fig8, page 40) Treasury recognised that departments needed guidance
on applying risk management at a strategic level and consequently
produced "Management of RiskA Strategic Overview"
(the "Orange Book")[2].
8. While there is much guidance related
to the application of the Turnbull report to private sector companies,
Treasury recognised that there were significant differences between
public and private sectors and therefore that guidance tailored
to the public sector was needed.
Progress by departments in meeting Treasury requirements
9. In summary, 38 Progress Reports have
been received by HM Treasury.
10. All departments, where relevant, reported
that they were taking steps to ensure appropriate action in their
Executive Agencies and NDPBs.
(i) 29 (76 per cent) bodies indicated that
they expected to make an SIC for 2001-02 which certifies that
all appropriate systems are in place;
(ii) 9 (24 per cent) bodies indicated that
they expected to make an SIC for 2001-02 which records work still
to be done;
(iii) 11 (29 per cent) bodies indicated that
they had established a new Committee or team to take forward risk
management issues. All bodies indicated that they were actively
undertaking work to ensure that appropriate strategic risk management
processes were put in place;
(iv) 19 (50 per cent) bodies particularly
indicated that risk managment is now being embedded into their
business planning mechanisms.
PROGRESS BY
DEPARTMENTS:
(II) PROGRESS
ON PREPARING
RISK MANAGEMENT
FRAMEWORKS
Requirements on departments and support by Cabinet
Office
11. As part of the Modernising Government
Action Plan, the Cabinet Office required 21 major departments[3]
to publish, by September 2000, the framework and procedures they
use for reaching decisions on the risk for which they were responsible.
These published frameworks were intended to cover the external
risks or risks to the public, in particular, health, safety and
environmental risks, but not the full range of risks faced by
the organisation.
12. Building on earlier guidance provided
by ILGRA, the Cabinet Office told departments to address:
(i) how they identified such risks;
(ii) how they obtained information about
the impact on the public of risks;
(iii) how they are assessed risks, taking
into account expert advice and uncertainty;
(iv) how they identified options to deal
with risks, taking into account constraints, such as international
obligations;
(v) how they made decisions on risk management,
including criteria Departments use to decide when further risk
reduction is necessary, taking into account costs and benefits
to society and, where necessary, using a precautionary approach;
(vi) how they implement such decisions, including
principles guiding interventions (eg education, information, inspection
etc) and on whom to target interventions;
(vii) how they intended to evaluate the effectiveness
of their actions;
(viii) how stakeholders are engaged throughout
the process.
13. The Cabinet Office recognised that in
some cases departments did not have a single overarching framework
under which risk management decisions were takendifferent
areas might have their own tailor-made procedures. In such cases,
Cabinet Office guidance was that it would be appropriate to describe
how these were handled in each area.
Publication of frameworks
14. To date, 17 departments have completed
and published their risk management frameworks. The remianing
four departments have agreed with the Cabinet Office to finalise
and publish their frameworks during January 2000. Most have been
published on departmental web-sites, although three departments
also published hard copies. Copies of the departmental risk frameworks
have been placed in the Libraries of the House of Commons and
House of Lords as they have been published. The web-site addresses
of the published risk-management frameworks are given in Annex
2.
Next Steps: Initial Evaluation
15. Many departments, in producing their
risk management frameworks, were clear that this was only one
step towards developing better risk management. At its meeting
on 7 November 2000, the Interdepartmental Liaison Group on Risk
Assessement (ILGRA), approved progress on the risk management
frameworks so far and asked that all outstanding frameworks should
be published before its third Report to Ministers. ILGRA asked
the Cabinet Office to undertake an analysis of the frameworks,
to check their coherence, the extent to which they met the guidance
issued by ILGRA and the Cabinet Office, and to report the results
to the next meeting of ILGRA in May 2001. This analysis is under
way. In the light of this evaluation, the Group will then advise
on the requirements for new central guidance on risk-assessment
and on evaluation of departments' risk management in practice.
Cabinet Office
HM Treasury
January 2001
1 Internal Control: guidance for Directors on the
Combined Code can be found at http://www.icaew.co.uk/internalcontrol. Back
2
Not printed. Back
3
Ministerial departments plus non-ministerial departments and
agencies responsible for managing significant risks to the public
not covered in departmental risk frameworks. Back
|