Examination of Witnesses (Questions 40
WEDNESDAY 24 JANUARY 2001
CB AND MR
40. It seemed to me to be a non phenomenon that
Government is now sort of taking risk. I will come on to that
later so perhaps I can return to that. I remember the joke now:
Why don't sharks eat solicitors? Professional courtesy. That just
came to mind. Page 73, paragraph 3.5, I will just quote the paragraph.
"Some of the private sector companies which we consulted
told us of the tendency for some organisations to put too much
emphasis on the identification of risk and not enough on action
planning and risk management. And in doing so create risk identification
overload such that every conceivable risk, however small and remote,
is identified and recorded and then simply filed and forgotten
and no action taken". That is quite worrying. How would you
prevent that from happening? If it just becomes a sort of rote
theme, that is fine, but how do you stop that happening? How do
you take things seriously?
(Mrs McDonald) I think if you embed it properly in
the business planning process which by definition means you have
to start focusing on what your key main objectives are and what
your priorities are and how you are going to achieve those, if
you look at risk within that framework then your view of risk
is associated with your view of your overall priorities. Then
once you have got a set of priorities you can then decide how
to handle them. Within any big organisation of the kind you are
talking about there are going to be varieties of risk at different
levels and you may need different rules of handling.
41. I use this word a lot here, but how do you
stop becoming complacent about it and saying "There could
be a risk here" or "There could be a risk there"
and it is just filed away and forgotten about and then something
does happen and you have known about it but you have not done
it because it was picked up with so many other things? Do you
have a system which picks it out?
(Mrs McDonald) I think you need some kind of challenge
function and that is a role an audit committee can play within
a department and it is a role that the NAO can play in terms of
the overall activity of the department.
42. When I was in local government, for example,
and leader of the local authority, and you made a decision, I
always used the theory of the domino effect, the knock-on effect.
If we decide to do this, what is the knock-on effect of doing
that and right the way down the line does it affect so and so
on? Do Government departments do that? They do not seem to.
(Mrs McDonald) I think the picture varies across the
board. I think people have done and in some cases have done it
very well. In other areas they have not been quite as used to
doing that complete follow through. We have examples of policy
development where people have not thought about the implementation
as they thought about how they wanted to achieve the policy objective.
That is an area where, again, we think we ought to do a bit more.
43. There are plenty of examples of this. How
do you identify the major risks, the potentially greatest risks?
How do you make provisions for them? There must be instances when
policies are made and there is a huge risk, and I will come to
that. How do you pick them out and make provision for them?
(Mrs McDonald) I think you have a systematic approach
to risk management so you do embed it in the processes where you
have to think about what it is you are doing and how you are going
to achieve what you are doing. If you are setting targets and
milestones that you are going to be measured against then you
ought to be able to associate risks to that everyday management
of the business and you ought to be able to assign responsibilities
as you are doing that as well. At any stage there are going to
be different kinds of risk you identify. It is not a composite,
there are risks to policy, there are risks to back-up systems
within your own infrastructure, for example, so there are different
kinds of processes.
(Mr Glicksman) I think it is a very important point
that you are discussing here. In the Office of Government Commerce
and the new arrangements they are putting in place for IT projects
there are specific points at which the project owners will be
challenged on the extent to which they have identified risks and
evaluated them. In our Orange Book on Guidance to Departments
we suggest two ways in which departments can do this, either a
top down approach or a bottom up approach, where they either have
a risk group which they give the responsibility to of going round
the department and challenging people or by asking people who
are responsible for the particular services and programmes to
sit down and describe the risks. There are a variety of different
ways in which this can be done and I think you need to choose,
according to the circumstances, which is the best way to do it.
44. The Chairman and Mr Griffiths have both
mentioned the passport fiasco. We have seen another instance,
I am not sure whether that is possibly such a failed comparison,
but the immigration and asylum applications, where these major
public services, which have a lot of risk to them, went badly
wrong and yet nobody seemed to be able to pick it up at the time.
Yet really, to a layman, it would appear to be quite clear something
could quite easily go wrong and if it did go wrong there was going
to be a hell of a mess. Why was this not picked up?
(Mrs McDonald) If I may make one general point. However
good our systems at some point they are only as good as how they
are actually managed. People have to take judgments about what
to do in particular sets of circumstances. You are not going to
be able to second guess that through a system. I think the objective
we are seeking between the two of us is to make sure that people
do earlier on know that they need to work out what the likely
consequences of actions or inactions might be and decide within
some kind of framework the point at which it is important enough
for you to need to take action or whether you need to up your
level of concern and watch it or whether it is all right, it is
acceptable. It is possible to develop
45. Do you think this should have been prevented?
Should it have happened, particularly the passport fiasco, should
it have ever happened?
(Mrs McDonald) I do not really think you can ask me
46. I can ask you that.
(Mrs McDonald) I do not know enough about why it happened.
47. Of course I can ask you.
(Mrs McDonald) In any sort of circumstances like that
you are probably talking about what is affordable at any one point
in time, what degree of priority handling that issue has as opposed
to handling another issue in a department. There are political
decisions which make trade-offs as well as just having risk management
frameworks in place. I think in terms of project management, I
would certainly agree that we need better systems and we need
to make sure that kind of approach does not just apply to projects
which are about buying a piece of equipment or developing a system
but can also be applied to how you think about policy development
and the way in which you implement policy.
(Mr Glicksman) I think to a large extent the initiatives
that we are talking about today and the Cabinet Office and the
Treasury and the Office of Government Commerce, which is part
of the Treasury, have taken over the last couple of years are
partially a reaction to those sorts of problems, the sorts of
recommendations that this Committee has made in its reports, the
things that the NAO has drawn attention to and similar things
which have happened in the private sector as well which have led
the private sector to try and improve its corporate governance
arrangements, and which we are following.
48. Do you think something like that could happen
again now the systems are in position? Could that fiasco happen
again? Could that calamity happen again?
(Mrs McDonald) I do not think systems prevent events,
as it were. I think what you can hope for is a higher level of
general performance and awareness which hopefully reduces a likelihood
of that happening. I think the NAO report itself says at some
point somebody has to take judgments and things just occur.
49. For example, I think it is page 65, paragraph
2.24, when I read this: "Early warning indicators - such
as sudden increases in claims for damages, increases in customer
complaints, IT or quality failures, and significant time delays
in processing benefit claims - are useful for alerting managers
that risk is increasing...", it is not surprising that events
occurred. What it says here is that "Fifty-three per cent
of departments say that such early warning reporting mechanisms
are not in place or are ineffective". So it is not surprising
these things happen because even when it comes and hits you in
the face it is still ignored because it says 53 per cent of departments
say early warning reporting mechanisms are not even in place or
effective. How can you hope to stop the problems when over half
the departments are not in a position to do so anyway?
(Mrs McDonald) What we would hope is that we can increase
on that percentage very significantly in areas where it is critical
and that some of the work we have asked departments to do will
have already helped them to do that. I think the PSA/SDA targeting
approach will also help them to do that but there may well be
areas where people need better early warning performance indicators
and that is the kind of area where we think from the centre we
ought to be keeping an eye on, finding whether we ought to be
giving further guidance and helping draw attention to things that
work. The Y2K kind of traffic light system, for example, we know
is being picked up and run within a number of areas as a good
way of developing an early warning system.
Mr Steinberg: I will move on to something different.
I do not know if I will be ruled out of order here but I am going
Chairman: Thank you for the early warning.
50. One of the big risks in the public sector,
I suppose, at the present time is the PFI arrangements, particularly
those of the new hospitals which have started to be built. I am
particularly interested in the PFI because I have a 100 million
pound development taking place in Durham. I must admit I was not
all that keen on the PFI to begin with. This is not risk assessment,
this is I suppose called risk transfer. You are transferring a
risk out of the public sector into the private sector. I was told
the high cost of the PFI compared to public sector was offset
by improvements in performance. That is what we were told and
that is why the Treasury has allowed it to go ahead. Is the Government
really taking a risk here or is the private sector being cushioned
to the extent that if anything does go wrong the public sector
moves in anyway?
(Mrs McDonald) I think the answer to that depends
on the way in which the PFI deal is constructed and the report
itself is a good example of the risk sharing PFI approach in the
National Savings Siemens approach. I think, Brian, you might like
to say something?
(Mr Glicksman) Yes. I think this is an important point.
The NAO last week published a report about a PFI project where
one of the conclusions was that too much risk was transferred.
This Committee is going to be taking evidence on it a week today.
One of the outcomes of that was that some of the risk was transferred
back into the public sector when the PFI contract went wrong.
The guidance on PFI projects now does not recommend the maximum
transfer of risk; it recommends the optimum transfer of risk.
You have to look at which is the best organisation to manage the
risk. Is it in the private sector? Is it in the public sector?
You have to make sure that you have the balance of risk in the
right place and you only transfer to the private sector the risk
that the private sector can best manage.
51. On the basis of risk adjustment that takes
place, I do not 100 per cent understand it, but my understanding
is that it makes sure that the Treasury have ensured that the
public sector comparator never wins. You can always adjust it
so that the private sector get the deal and they take the risk.
That could be innovation as far as the government is concerned,
I suppose, but at the end of the day the taxpayer has to either
pay more or bail out a project that goes wrong. Is the taxpayer
getting a good deal on that basis?
(Mr Glicksman) I do not think it is the case that
the rules are arranged so that the public sector comparator always
loses out. I do not have any examples, but I do not think that
is the case.
52. I can give you two examples. I am not complaining.
I have had two very good deals out of it for my constituency and
a number of jobs as well. There is no way, if one could be honest,
that the public sector comparator was not cheaper than a private
financial initiative. One was in the National Savings and the
other is the hospital. Figures clearly show that the public sector
comparator, if it was on a level playing field, was the cheaper
option. I am not complaining because what has happened has turned
out to be very successful. We have a brand new hospital and lots
more jobs in National Savings, but has that been at a cost to
(Mr Glicksman) I do not know the details but there
may be cases where the public sector comparator was not done properly.
If the public sector comparator is done properly and if the public
sector comparator is cheaper, my understanding is that the PFI
project is not supposed to go ahead.
Mr Steinberg: Risk adjustment.
53. I think the report you were referring to
was the Royal Armouries Report?
(Mr Glicksman) Yes.
54. I think you gave the Committee a not entirely
accurate steer on that. Probably the major outcome of the Royal
Armouries Report was that in reality the risk was not properly
transferred. Once closure was in prospect, the government had
to shoulder the burden which is precisely what Mr Steinberg was
about to say but he let you off the hook. Could you answer that
question? How can you be sure that the risk does not come zooming
back like a boomerang to government on projects which the government
cannot afford to see fail, as one might expect, with hospitals,
the Royal Armoury and others.
(Mr Glicksman) It was not my intention to suggest
that the point I mentioned was the main point in the NAO report.
In general, in PFI projects, the guidance is that one of the main
issues that has to be addressed very early on is where is the
optimum allocation of risk. That has to take into account the
sort of considerations that you are talking about. In the light
of looking at the sort of circumstances that may arise, the sort
of risks that may arise to this project and what the response
to them would be, where is the risk best placed? The report we
were talking about was one of the very earliest PFI projects and
the guidance has developed an awful lot since that project was
undertaken. The point that you draw attention to is now one of
the important areas in PFI guidance.
Chairman: You still leave me feeling that Mr
Steinberg had a point, nevertheless.
55. I want to start at paragraph 2.13 on page
57, which carries two sentences which I am not entirely sure are
logical: "Generally finance personnel and internal audit
are heavily involved in providing reports to senior management
on risks. This is consistent with practice in the private sector
where line managers generally take lead responsibility for identifying
and reporting on risks." One could say it is consistent in
that there is no particular reason to say it is inconsistent,
but it seems slightly different. Line managers are not invariably
internal audit or financial staff. Could you tell us who you think
should be in charge of identifying and monitoring risk?
(Mrs McDonald) Our general feeling is that it ought
to be a senior management responsibility. There ought to be oversight
at board level, where there is a board. There ought to be an audit
committee, which might be an audit or risk committee, which is
there to help the board. The responsibility for identifying and
being responsible for risk should lie with the line managers.
It should be part of their day to day responsibilities for managing
that element of their business. You might have a risk manager
who can be of support in the sense of providing help in how you
do that or in providing information through the finance and audit
route as to what is going on. We were not quite clear what was
meant, but we are not very happy particularly with the concept
of a risk manager who manages risk, apart from what is going on
in the business. Most of the reports we have seen published in
the returns of the Treasury suggest that departments are taking
the approach of business planning with support from the financial
and audit team in the normal way that you would expect.
56. We understand and support your view that
the responsibility has to lie with senior management. "...
heavily involved in providing reports to senior management on
risks." In the private sector, it is the line managers who
identify and report on risks. I guess what I am talking about
is people who do the job in the first instance of finding out
what the risks are, how large they are likely to be, and what
you can do about potentially trying to overcome those risks or
minimise them. That is part of the process, if you like, before
it ever gets to senior management. I wonder whether financial
staff in particular are the best people to do that.
(Mrs McDonald) In a lot of departments, the financial
staff will probably have a business planning team. They will be
responsible for things like monthly financial monitoring. They
will also be responsible for quarterly monitoring against PSA
and SDA targets, which most departments now do for themselves
and for ministers. They will have a route through that to collect
information. If you are assessing risk against your main objectives
and the PSA targets as part of your business planning, you will
have identified in your business plan what those key risks are.
You might indeed have a corporate overview of what the key risks
are across the organisation.
57. You seem to be moving towards something
which is not entirely based on financial stuff. I am quite relieved
to hear that because it did slightly worry me that this whole
business of dealing with risk in the public sector has apparently
been passed over to the Treasury. I do not necessarily regard
the Treasury as being the only people who will know about or ought
to know about how to assess and manage the risk. It does strike
me that there is a danger always in those who do leave it to financial
management - I have been in this position as an internal auditor
myself - that risk is seen almost solely in terms of financial
risk and, particularly in the public sector, there are all sorts
of other risks which may be just as important as the financial
risk. Therefore, to leave the organisation of identifying risks
to financial people could be quite dangerous.
(Mrs McDonald) I agree with you. That is not what
we are promoting in terms of thinking about best practice in business
planning. We are promoting the approach that it should be embedded
into the normal processes of managing a business.
58. The second question I have is on figure
four, page eight. 14 per cent of departments have effective training
on risk and risk management but 25 per cent claim they already
have clearly set out risk management objectives. It surprises
me that they have managed to do that if they do not have any training
in risk and risk management. Does this not show a very considerable
lack of training and perhaps rather an over-simplistic view of
quite how clearly they have set out their objectives?
(Mrs McDonald) It is a bit difficult to second guess
some of the answers to this. I do not want to repeat what we said
earlier. Some people were setting out quite clear objectives which
they did not view as risk objectives, but if you look at some
of the earlier PSA targets you will see that, to know that they
were going to get to the target, they were going to have to take
an overview about what would work and what would not work. They
may not have been thinking of that in terms of a risk concept
or associating that kind of approach to it. What we are trying
to do is to make people clearly articulate that that is what they
are trying to do.
59. Are you insisting on better training?
(Mrs McDonald) We have asked people to tell us how
they are going to do the training as part of the returns for the
(Mr Glicksman) We do not know how departments interpreted
some of these questions but it may be that they interpreted that
question as: "Do you have training on risk management as
a subject in itself? No, we do not"; whereas it may be that
there is quite a lot of training, in the context of training on
IT projects and procurement and financial management, which incorporates
risk as part of that training, but it is actually training on
a different subject. It may be that that is why these answers
appear to be inconsistent because of the way departments may have
interpreted the questions.