Select Committee on Public Accounts Minutes of Evidence


Examination of Witnesses (Questions 40 - 59)

WEDNESDAY 24 JANUARY 2001

MRS MAVIS MCDONALD CB AND MR BRIAN GLICKSMAN

  40. It seemed to me to be a non phenomenon that Government is now sort of taking risk. I will come on to that later so perhaps I can return to that. I remember the joke now: Why don't sharks eat solicitors? Professional courtesy. That just came to mind. Page 73, paragraph 3.5, I will just quote the paragraph. "Some of the private sector companies which we consulted told us of the tendency for some organisations to put too much emphasis on the identification of risk and not enough on action planning and risk management. And in doing so create risk identification overload such that every conceivable risk, however small and remote, is identified and recorded and then simply filed and forgotten and no action taken". That is quite worrying. How would you prevent that from happening? If it just becomes a sort of rote theme, that is fine, but how do you stop that happening? How do you take things seriously?
  (Mrs McDonald) I think if you embed it properly in the business planning process which by definition means you have to start focusing on what your key main objectives are and what your priorities are and how you are going to achieve those, if you look at risk within that framework then your view of risk is associated with your view of your overall priorities. Then once you have got a set of priorities you can then decide how to handle them. Within any big organisation of the kind you are talking about there are going to be varieties of risk at different levels and you may need different rules of handling.

  41. I use this word a lot here, but how do you stop becoming complacent about it and saying "There could be a risk here" or "There could be a risk there" and it is just filed away and forgotten about and then something does happen and you have known about it but you have not done it because it was picked up with so many other things? Do you have a system which picks it out?
  (Mrs McDonald) I think you need some kind of challenge function and that is a role an audit committee can play within a department and it is a role that the NAO can play in terms of the overall activity of the department.

  42. When I was in local government, for example, and leader of the local authority, and you made a decision, I always used the theory of the domino effect, the knock-on effect. If we decide to do this, what is the knock-on effect of doing that and right the way down the line does it affect so and so on? Do Government departments do that? They do not seem to.
  (Mrs McDonald) I think the picture varies across the board. I think people have done and in some cases have done it very well. In other areas they have not been quite as used to doing that complete follow through. We have examples of policy development where people have not thought about the implementation as they thought about how they wanted to achieve the policy objective. That is an area where, again, we think we ought to do a bit more.

  43. There are plenty of examples of this. How do you identify the major risks, the potentially greatest risks? How do you make provisions for them? There must be instances when policies are made and there is a huge risk, and I will come to that. How do you pick them out and make provision for them?
  (Mrs McDonald) I think you have a systematic approach to risk management so you do embed it in the processes where you have to think about what it is you are doing and how you are going to achieve what you are doing. If you are setting targets and milestones that you are going to be measured against then you ought to be able to associate risks to that every day management of the business and you ought to be able to assign responsibilities as you are doing that as well. At any stage there are going to be different kinds of risk you identify. It is not a composite, there are risks to policy, there are risks to back-up systems within your own infrastructure, for example, so there are different kinds of processes.
  (Mr Glicksman) I think it is a very important point that you are discussing here. In the Office of Government Commerce and the new arrangements they are putting in place for IT projects there are specific points at which the project owners will be challenged on the extent to which they have identified risks and evaluated them. In our Orange Book on Guidance to Departments we suggest two ways in which departments can do this, either a top down approach or a bottom up approach, where they either have a risk group which they give the responsibility to of going round the department and challenging people or by asking people who are responsible for the particular services and programmes to sit down and describe the risks. There are a variety of different ways in which this can be done and I think you need to choose, according to the circumstances, which is the best way to do it.

  44. The Chairman and Mr Griffiths have both mentioned the passport fiasco. We have seen another instance, I am not sure whether that is possibly such a failed comparison, but the immigration and asylum applications, where these major public services, which have a lot of risk to them, went badly wrong and yet nobody seemed to be able to pick it up at the time. Yet really, to a layman, it would appear to be quite clear something could quite easily go wrong and if it did go wrong there was going to be a hell of a mess. Why was this not picked up?
  (Mrs McDonald) If I may make one general point. However good our systems at some point they are only as good as how they are actually managed. People have to take judgments about what to do in particular sets of circumstances. You are not going to be able to second guess that through a system. I think the objective we are seeking between the two of us is to make sure that people do earlier on know that they need to work out what the likely consequences of actions or inactions might be and decide within some kind of framework the point at which it is important enough for you to need to take action or whether you need to up your level of concern and watch it or whether it is all right, it is acceptable. It is possible to develop—

  45. Do you think this should have been prevented? Should it have happened, particularly the passport fiasco, should it have ever happened?
  (Mrs McDonald) I do not really think you can ask me that.

  46. I can ask you that.
  (Mrs McDonald) I do not know enough about why it happened.

  47. Of course I can ask you.
  (Mrs McDonald) In any sort of circumstances like that you are probably talking about what is affordable at any one point in time, what degree of priority handling that issue has as opposed to handling another issue in a department. There are political decisions which make trade-offs as well as just having risk management frameworks in place. I think in terms of project management, I would certainly agree that we need better systems and we need to make sure that kind of approach does not just apply to projects which are about buying a piece of equipment or developing a system but can also be applied to how you think about policy development and the way in which you implement policy.
  (Mr Glicksman) I think to a large extent the initiatives that we are talking about today and the Cabinet Office and the Treasury and the Office of Government Commerce, which is part of the Treasury, have taken over the last couple of years are partially a reaction to those sorts of problems, the sorts of recommendations that this Committee has made in its reports, the things that the NAO has drawn attention to and similar things which have happened in the private sector as well which have led the private sector to try and improve its corporate governance arrangements, and which we are following.

  48. Do you think something like that could happen again now the systems are in position? Could that fiasco happen again? Could that calamity happen again?
  (Mrs McDonald) I do not think systems prevent events, as it were. I think what you can hope for is a higher level of general performance and awareness which hopefully reduces a likelihood of that happening. I think the NAO report itself says at some point somebody has to take judgments and things just occur.

  49. For example, I think it is page 65, paragraph 2.24, when I read this: "Early warning indicators—such as sudden increases in claims for damages, increases in customer complaints, IT or quality failures, and significant time delays in processing benefit claims—are useful for alerting managers that risk is increasing...", it is not surprising that events occurred. What it says here is that "Fifty-three per cent of departments say that such early warning reporting mechanisms are not in place or are ineffective". So it is not surprising these things happen because even when it comes and hits you in the face it is still ignored because it says 53 per cent of departments say early warning reporting mechanisms are not even in place or effective. How can you hope to stop the problems when over half the departments are not in a position to do so anyway?
  (Mrs McDonald) What we would hope is that we can increase on that percentage very significantly in areas where it is critical and that some of the work we have asked departments to do will have already helped them to do that. I think the PSA/SDA targeting approach will also help them to do that but there may well be areas where people need better early warning performance indicators and that is the kind of area where we think from the centre we ought to be keeping an eye on, finding whether we ought to be giving further guidance and helping draw attention to things that work. The Y2K kind of traffic light system, for example, we know is being picked up and run within a number of areas as a good way of developing an early warning system.

  Mr Steinberg: I will move on to something different. I do not know if I will be ruled out of order here but I am going to try.

  Chairman: Thank you for the early warning.

Mr Steinberg

  50. One of the big risks in the public sector, I suppose, at the present time is the PFI arrangements, particularly those of the new hospitals which have started to be built. I am particularly interested in the PFI because I have a 100 million pound development taking place in Durham. I must admit I was not all that keen on the PFI to begin with. This is not risk assessment, this is I suppose called risk transfer. You are transferring a risk out of the public sector into the private sector. I was told the high cost of the PFI compared to public sector was offset by improvements in performance. That is what we were told and that is why the Treasury has allowed it to go ahead. Is the Government really taking a risk here or is the private sector being cushioned to the extent that if anything does go wrong the public sector moves in anyway?
  (Mrs McDonald) I think the answer to that depends on the way in which the PFI deal is constructed and the report itself is a good example of the risk sharing PFI approach in the National Savings Siemens approach. I think, Brian, you might like to say something?
  (Mr Glicksman) Yes. I think this is an important point. The NAO last week published a report about a PFI project where one of the conclusions was that too much risk was transferred. This Committee is going to be taking evidence on it a week today. One of the outcomes of that was that some of the risk was transferred back into the public sector when the PFI contract went wrong. The guidance on PFI projects now does not recommend the maximum transfer of risk; it recommends the optimum transfer of risk. You have to look at which is the best organisation to manage the risk. Is it in the private sector? Is it in the public sector? You have to make sure that you have the balance of risk in the right place and you only transfer to the private sector the risk that the private sector can best manage.

  51. On the basis of risk adjustment that takes place, I do not 100 per cent understand it, but my understanding is that it makes sure that the Treasury have ensured that the public sector comparator never wins. You can always adjust it so that the private sector get the deal and they take the risk. That could be innovation as far as the government is concerned, I suppose, but at the end of the day the taxpayer has to either pay more or bail out a project that goes wrong. Is the taxpayer getting a good deal on that basis?
  (Mr Glicksman) I do not think it is the case that the rules are arranged so that the public sector comparator always loses out. I do not have any examples, but I do not think that is the case.

  52. I can give you two examples. I am not complaining. I have had two very good deals out of it for my constituency and a number of jobs as well. There is no way, if one could be honest, that the public sector comparator was not cheaper than a private financial initiative. One was in the National Savings and the other is the hospital. Figures clearly show that the public sector comparator, if it was on a level playing field, was the cheaper option. I am not complaining because what has happened has turned out to be very successful. We have a brand new hospital and lots more jobs in National Savings, but has that been at a cost to the taxpayer?
  (Mr Glicksman) I do not know the details but there may be cases where the public sector comparator was not done properly. If the public sector comparator is done properly and if the public sector comparator is cheaper, my understanding is that the PFI project is not supposed to go ahead.

  Mr Steinberg: Risk adjustment.

Chairman

  53. I think the report you were referring to was the Royal Armouries Report?
  (Mr Glicksman) Yes.

  54. I think you gave the Committee a not entirely accurate steer on that. Probably the major outcome of the Royal Armouries Report was that in reality the risk was not properly transferred. Once closure was in prospect, the government had to shoulder the burden which is precisely what Mr Steinberg was about to say but he let you off the hook. Could you answer that question? How can you be sure that the risk does not come zooming back like a boomerang to government on projects which the government cannot afford to see fail, as one might expect, with hospitals, the Royal Armoury and others.
  (Mr Glicksman) It was not my intention to suggest that the point I mentioned was the main point in the NAO report. In general, in PFI projects, the guidance is that one of the main issues that has to be addressed very early on is where is the optimum allocation of risk. That has to take into account the sort of considerations that you are talking about. In the light of looking at the sort of circumstances that may arise, the sort of risks that may arise to this project and what the response to them would be, where is the risk best placed? The report we were talking about was one of the very earliest PFI projects and the guidance has developed an awful lot since that project was undertaken. The point that you draw attention to is now one of the important areas in PFI guidance.

  Chairman: You still leave me feeling that Mr Steinberg had a point, nevertheless.

Mr Rendel

  55. I want to start at paragraph 2.13 on page 57, which carries two sentences which I am not entirely sure are logical: "Generally finance personnel and internal audit are heavily involved in providing reports to senior management on risks. This is consistent with practice in the private sector where line managers generally take lead responsibility for identifying and reporting on risks." One could say it is consistent in that there is no particular reason to say it is inconsistent, but it seems slightly different. Line managers are not invariably internal audit or financial staff. Could you tell us who you think should be in charge of identifying and monitoring risk?
  (Mrs McDonald) Our general feeling is that it ought to be a senior management responsibility. There ought to be oversight at board level, where there is a board. There ought to be an audit committee, which might be an audit or risk committee, which is there to help the board. The responsibility for identifying and being responsible for risk should lie with the line managers. It should be part of their day to day responsibilities for management that element of their business. You might have a risk manager who can be of support in the sense of providing help in how you do that or in providing information through the finance and audit route as to what is going on. We were not quite clear what was meant, but we are not very happy particularly with the concept of a risk manager who manages risk, apart from what is going on in the business. Most of the reports we have seen published in the returns of the Treasury suggest that departments are taking the approach of business planning with support from the financial and audit team in the normal way that you would expect.

  56. We understand and support your view that the responsibility has to lie with senior management. "... heavily involved in providing reports to senior management on risks." In the private sector, it is the line managers who identify and report on risks. I guess what I am talking about is people who do the job in the first instance of finding out what the risks are, how large they are likely to be, and what you can do about potentially trying to overcome those risks or minimise them. That is part of the process, if you like, before it ever gets to senior management. I wonder whether financial staff in particular are the best people to do that.
  (Mrs McDonald) In a lot of departments, the financial staff will probably have a business planning team. They will be responsible for things like monthly financial monitoring. They will also be responsible for quarterly monitoring against PSA and SDA targets, which most departments now do for themselves and for ministers. They will have a route through that to collect information. If you are assessing risk against your main objectives and the PSA targets as part of your business planning, you will have identified in your business plan what those key risks are. You might indeed have a corporate overview of what the key risks are across the organisation.

  57. You seem to be moving towards something which is not entirely based on financial stuff. I am quite relieved to hear that because it did slightly worry me that this whole business of dealing with risk in the public sector has apparently been passed over to the Treasury. I do not necessarily regard the Treasury as being the only people who will know about or ought to know about how to assess and manage the risk. It does strike me that there is a danger always in those who do leave it to financial management—I have been in this position as an internal auditor myself—that risk is seen almost solely in terms of financial risk and, particularly in the public sector, there are all sorts of other risks which may be just as important as the financial risk. Therefore, to leave the organisation of identifying risks to financial people could be quite dangerous.
  (Mrs McDonald) I agree with you. That is not what we are promoting in terms of thinking about best practice in business planning. We are promoting the approach that it should be embedded into the normal processes of managing a business.

  58. The second question I have is on figure four, page eight. 14 per cent of departments have effective training on risk and risk management but 25 per cent claim they already have clearly set out risk management objectives. It surprises me that they have managed to do that if they do not have any training in risk and risk management. Does this not show a very considerable lack of training and perhaps rather an over-simplistic view of quite how clearly they have set out their objectives?
  (Mrs McDonald) It is a bit difficult to second guess some of the answers to this. I do not want to repeat what we said earlier. Some people were setting out quite clear objectives which they did not view as risk objectives, but if you look at some of the earlier PSA targets you will see that, to know that they were going to get to the target, they were going to have to take an overview about what would work and what would not work. They may not have been thinking of that in terms of a risk concept or associating that kind of approach to it. What we are trying to do is to make people clearly articulate that that is what they are trying to do.

  59. Are you insisting on better training?
  (Mrs McDonald) We have asked people to tell us how they are going to do the training as part of the returns for the Treasury.
  (Mr Glicksman) We do not know how departments interpreted some of these questions but it may be that they interpreted that question as: "Do you have training on risk management as a subject in itself? No, we do not"; whereas it may be that there is quite a lot of training, in the context of training on IT projects and procurement and financial management, which incorporates risk as part of that training, but it is actually training on a different subject. It may be that that is why these answers appear to be inconsistent because of the way departments may have interpreted the questions.


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2001
Prepared 31 July 2001