INITIATIVES TO IMPROVE RISK MANAGEMENT
5. The Cabinet Office have responsibility for encouraging
departments to adopt well managed risk taking where it is likely
to lead to sustainable improvements in service delivery. To this
end, government departments were asked to produce and publish
on their websites plans for handling those risks for which they
are responsible which could directly affect the public, in particular
health, safety and environmental risks.[2]
We questioned the Cabinet Office and the Treasury on the following
main aspects of risk management.
Internal controls
6. Reliable controls can minimise the likelihood
of risks maturing, for example by preventing unauthorised use
of expenditure or by highlighting deficiencies in the quality
of a service, and can minimise the adverse consequences if a risk
does mature. In recognition of the need for sound controls, a
working party was established by the Financial Reporting Council,
the London Stock Exchange and the accounting profession in 1998
to develop guidance on internal controls. The report of the working
party - the Turnbull report - recommended that internal controls
should be embedded in companies' operations so as to enable them
to manage significant risks to the achievement of their business
objectives. This requirement now applies to listed companies of
all sizes incorporated in the UK.[3]
7. Guidance for departments on internal controls
is the responsibility of the Treasury which is seeking to apply
to central government departments the principles of the Turnbull
Report. Departments are expected to prepare statements of internal
control as part of their annual accounts from 2001-2002 to give
assurance that they have an on-going process for identifying,
evaluating and managing significant risks. Departmental progress
reports indicated that 76 per cent of departments expected to
have all appropriate risk systems in place for 2001-02. The remainder
(9 departments) expected controls to be in place but with more
work still to be done. Fifty per cent of departments said that
risk management is now being embedded in their business planning
mechanisms.[4]
8. The Committee asked whether more needed to be
done given that, in response to a survey by the NAO of departments'
approach to risk management, while 82 per cent agreed that risk
management was important to the achievement of their objectives
only 25 per cent of departments said they had established risk
management objectives.[5]
9. The Cabinet Office said in evidence that statements
of internal control required departments to consider risks in
terms of the totality of their business and not just parts of
it, and to ensure that risk management is embedded into their
basic business planning systems. Together with an Interdepartmental
Liaison Group on Risk Assessment, they were evaluating departments'
risk frameworks to identify areas either requiring best practice
guidance or revealing gaps that needed to be filled. The Cabinet
Office said that together with the Treasury they had, over the
last ten years, issued a considerable amount of advice to departments
about handling different aspects of risk. The Treasury told us
that, to assist departments, they had in 1999 published guidance
which set out the key components of an effective risk management
system. The Cabinet Office said that, in the past, departments
had focussed more on better known risks, such as safety hazards
and risks associated with scientific uncertainty. They re-emphasised
their objective to promote risk management as important to all
departments' activities.[6]
10. The initial view of the Cabinet Office was that
departments' risk frameworks were mixed and that those departments
which had greater exposure to potentially high impact risks had
produced better frameworks. But other departments were beginning
to think harder about the risks they faced. The Cabinet Office
said that they would be asking risk experts who work with the
Interdepartmental Liaison Group on Risk Assessment to give an
independent view of departments' risk frameworks, and that they
would use this assessment to identify the better frameworks and
those requiring improvement as a means of promoting best practice
across departments.[7]
Delivering outcomes and having contingency arrangements
11. The survey by the National Audit Office of departments
found that their approach to risk management was focussed on minimising
financial loss or preventing impropriety. Around 90 per cent of
departments referred to this as the key risk which they had identified
and clearly it is very important. There is however less recognition
by departments that risk management is also about ensuring the
achievement of outputs and outcomes, and having reliable contingency
arrangements to deal with the unexpected which might put service
delivery at risk. The Committee's report on the passport delays
of Summer 1999 highlighted a clear example of where service delivery
was significantly at risk and where contingency arrangements had
not been established to minimise the adverse impact on service
delivery for the public. We asked the Cabinet Office what they
were doing to help departments focus on output and outcome achievement
as essential requirements of effective risk management.[8]
12. The Cabinet Office said that they had a number
of initiatives underway to ensure that risk management covered
all aspects of departments' business from policy development to
managing projects and service delivery on the ground. These initiatives
included reviewing departments' risk frameworks, with the assistance
of independent consultants, to identify good practice and areas
requiring improvement, work with the Treasury to improve the quarterly
monitoring of how well departments are meeting their Public Service
Agreement and Service Delivery Agreement targets,[9]
and seminars between ministers and officials on risk management.[10]
13. The Treasury referred to new arrangements, known
as gateway reviews, which the Office of Government Commerce had
put in place for all new high risk projects including IT, specifying
stages in the project's development and procurement when those
responsible for the project would be challenged by an independent
review team on the extent to which they had identified risks and
evaluated them. The Committee asked why risks had not been identified
in the case of the Passport Office, when a major new IT system
was being introduced, to prevent the passport delays experienced
in 1999. The Cabinet Office said that their objective was to get
civil servants to identify much earlier than hitherto the likely
consequences of their action or inactions. Better systems were
needed, as were civil servants skilled to make sound judgements
on risk and how to manage it.[11]
14. The Cabinet Office told the Committee that, while
senior management should have responsibility for monitoring risk,
line managers should be responsible for identifying risks because
those who have direct day-to-day experience of the work were best
placed to do this. Relying on financial staff to identify risks,
as had often happened, could be insufficient because they might
concentrate on financial risk and not on risks which could adversely
affect service delivery. The Cabinet Office advised us that they
were promoting greater stakeholder engagement in policy development
to improve the perception of risk to all those involved in a policy.[12]
15. With all procedures, including those intended
to support risk management, there is a danger that staff will
follow them unthinkingly and not exercise appropriate judgement
about whether the controls in place are reliable enough to deal
with all significant risks. We asked the Cabinet Office whether
they were satisfied that the evaluation and proper management
of risks was becoming part of each department's culture. They
said that new definitions of the skills and competencies required
at senior levels in the civil service promoted innovation and
the taking of measured risks. Embedding risk management into departments'
main business planning processes and giving responsibility for
risk management to those who lead for particular departmental
activities should help to avoid risk management becoming simply
another process.[13]
Dividing projects into more manageable units
16. Many projects and programmes for which departments
are responsible are large and technically complex, and as a consequence
the risks of failure or of things going wrong can be proportionally
greater. We have in previous reports, such as our consideration
of lessons for improving the delivery of Government IT projects,
recommended that such projects be broken down into more manageable
units to make the risks smaller for each individual part of the
project. We asked the Cabinet Office what was being done to encourage
private sector partners to divide projects, particularly those
involving complex IT, down into small and more manageable units.
The Cabinet Office referred to the new review process which the
Office of Government Commerce had introduced so that projects
were scrutinised at critical stages in their development. The
process was being used to promote a modular approach to project
management.[14]
Risks associated with working with others
17. Joint working between departments and agencies
and other voluntary and private sector organisations which provide
complementary services for citizens can help to improve service
delivery by ensuring that services are sufficiently co-ordinated
and developed. Joint working, however, involves risks. For example,
if part of the service provided by one organisation is delayed
or is of poor quality the success of the whole programme is put
at risk. Departments need therefore to be alert
to the risks associated with working with others which might adversely
affect service delivery. In responding to the National Audit Office's
survey only one in eight departments said that they knew about
the strengths and weaknesses of the risk management systems of
other organisations with which they worked. The Committee asked
the Cabinet Office how the situation could be improved. In evidence
they said that a number of initiatives were in train which might
help civil servants think in a more cross-cutting manner. Programmes
such as Sure Start, which spanned the responsibilities of more
than one department, the establishment of a number of cross-cutting
units such as the Social Exclusion Unit and the Drugs Unit, and
the cross-cutting Risk Management Steering Group which the Treasury
chaired were all intended to promote more joint working.[15]
Conclusions
18. For risk management to become a standard feature
of the way in which departments carry out their activities the
benefits of risk management in improving service delivery and
safeguarding public money need to be understood and accepted by
their staff. But at the time of the NAO's survey in March 2000
only 25 per cent of departments had set clear risk management
objectives. In reviewing departments' risk frameworks the Cabinet
Office should ensure that the aims and benefits of risk management
and responsibility for it are clearly defined.
19. The Cabinet Office's initial assessment of departments'
risk frameworks indicated that some departments have much more
developed frameworks than others. The Cabinet Office should seek
improvements where departments appear not to have fully assessed
the risks which they face, or not to have reliable arrangements
in place to manage such risks.
20. Previous reports by this Committee have drawn
attention to major programme failures such as the passport delays
of summer 1999, when not enough attention was given early enough
to managing the risks associated with implementing new policies.
Departments should ensure that they identify and assess the risks
inherent in any new programme sufficiently early so that effective
action can be taken to manage them.
21. The Cabinet Office expect that their initiatives
to improve risk management will lead to higher levels of performance
by departments and will reduce the likelihood of major failures
in service delivery. The Cabinet Office should carefully monitor
departments' implementation of their risk frameworks, assess their
impact in improving risk management and seek corrective action
by departments to address deficiencies.
22. The delivery of a major public service is frequently
the responsibility of a number of departments and agencies, as
well as private sector and voluntary organisations who need to
co-operate to that end. Failure of one organisation to deliver
that part of the service for which it is responsible can put the
whole service at risk. Only one in eight departments were aware,
however, of the strengths and weaknesses of the risk management
systems of other organisations with which they worked. Departments
should assess the strengths and weaknesses of risk management
systems in partner organisations.
23. There needs to be greater awareness and acceptance
by staff in departments that risk management is the responsibility
of those involved in the delivery of services and management of
programmes and not just finance and internal audit staff. Senior
management in particular should take the lead in risk management.
RESPONSIBILITY FOR RISKS
Private Finance Initiative
24. The assessment of risk, and who is best able
to manage it, needs to be carefully considered in the design of
Private Finance Initiative projects. We asked the Treasury and
the Cabinet Office whether the assumptions which departments make
about risk transfer were realistic where the private sector failed
to deliver, so that a department had to step in and rescue the
project. The Treasury said that their guidance on Private Finance
Initiative projects now recommended optimum not maximum risk transfer,
and that departments should make sure that the balance of risk
is right and only transfer to the private sector risk which it
could manage.[16]
25. The Treasury stated that the need to ensure that
services to the public were maintained meant that the risk of
ultimate failure was one that sometimes could not be transferred
to the private sector. In the case of an operational facility,
such as a hospital, it would be normal in current contracts to
have provisions enabling the public sector partner to take over
the assets and their operation in the event of failure and/or
to seek a new private sector partner. The contract might provide
for the private sector partner to receive compensation for the
transfer of assets to the public sector, thus addressing the problem
of security for the project's financing.[17]
26. The Treasury also told the Committee that, in
general, Private Finance Initiative deals were structured so that,
if the contractor got into difficulties, there was a strong incentive
for the financier to step in and either get the contractor back
on track or, if that was not possible, replace the contractor
with an alternative. Only where both these options fail would
the department normally step in. In such circumstances the financier's
interests in the underlying capital asset would be protected under
the direct agreement with the department, although the financier
would lose his other costs. The Treasury told us that it was important
to bear in mind that the power to step in and keep the service
going did not necessarily mean that the contractor would be rescued
or would not still pay a substantial financial price in the event
of a rescue. They assured us that there was no question of compensating
the contractor for his losses.[18]
Accounting Officer Directions and Risk
27. If a Minister contemplates a course of action
which raises issues relating to Accounting Officers' wider responsibilities
for ensuring economy, efficiency, and effectiveness in the use
of public money, Accounting Officers are required to draw the relevant
factors to the attention of their Minister and advise what they
consider is appropriate. If the advice is over-ruled and the proposal
is one which the Accounting Officer would not feel able to defend
before the Committee of Public Accounts, the Accounting Officer
should seek a written instruction - a Direction - from the Minister.
Accounting Officers are required to inform the Treasury and the
Comptroller and Auditor General that they have sought such an
instruction from their Minister.[19]
28. The risk inherent in any programme or course
of action can significantly influence whether value for money
is likely to be achieved, particularly in terms of whether a project
will be delivered on time and within budget or whether public
services will be maintained to sufficient quality standards. The
Memorandum setting out the responsibilities of Accounting Officers
does not, however, specifically require them to consider risk
in forming a view as to whether value for money is likely to be
adversely affected. We therefore asked the Treasury to consider
amending the Accounting Officer Memorandum to take account of
the importance of considering the risks inherent in a policy or
programme particularly if a Minister requires something to be
delivered to a demanding timetable.[20]
29. The Treasury considered that while the Memorandum
did not explicitly refer to risk issues, risk was an integral
part of the value for money decision which the Accounting Officer
should take into account. They told the Committee that they expected
departments, in considering value for money issues, to follow
the Treasury's guidance on investment appraisal which recommends
considering costs and outcomes weighted by probabilities, thus
bringing risk issues into the equation. The Treasury added that
if a proposal were to be implemented in such a short timescale
that it would jeopardize value for money, the Accounting Officer
would be entitled to evaluate the options in accordance with the
Treasury's guidance on investment appraisal and take this into
account in considering the value for money of each option.[21]
Conclusions
30. Where a Private Finance Initiative project concerns
the delivery of an essential public service the department may
have no option, if the project fails, but to take back responsibility
for delivering the service. In these circumstances it would be
misleading for the contract to be drawn up on the basis that the
risk of failing to deliver the service had been wholly transferred
to the private sector supplier. It is therefore important that
departments should carefully follow Treasury guidance that optimum,
not maximum, risk should be transferred to private sector suppliers.
31. The Accounting Officer Memorandum requires the
Accounting Officer to seek a Direction if required by the Minister
to implement a proposal which the Accounting Officer does not
consider to represent value for money. The Memorandum does not
however explicitly mention the need to consider the level and
allocation of risk. We note the Treasury's assurance that risk
is an integral part of value for money decisions which Accounting
Officers should consider. In order to put the matter beyond doubt,
we recommend that the Treasury should amend the Accounting Officer
Memorandum to make explicit the consideration of risk in relation
to assessing value for money.
MANAGEMENT SKILLS
32. The NAO's survey of departments found that only
14 per cent of departments provided training on risk management.
We asked the Cabinet Office how important they thought it was
for departments to provide such training and why the number doing
so was so low. They told us that they had provided training and
organised workshops for their own staff. In addition the Civil
Service College's training which was available to all departments
included elements which covered risk management. The Treasury
said that from the returns which they had received from departments
on their internal controls it was clear that training was a priority.
The Cabinet Office said that they did not routinely monitor the
type and extent of training which departments provided, but they
would be taking stock of the information which they had received
with departments' risk frameworks. If that did not provide enough
information on the extent of training being undertaken they might
repeat the NAO survey.[22]
33. Staff can also improve their risk management
skills by learning from good practice adopted by other departments
and agencies. We asked the Cabinet Office which departments they
considered were particularly good or not so good in implementing
risk management. The Cabinet Office said in evidence that their
role as a central department was to ensure that departments had
proper risk management processes in place, but it was for departments
to form an overview of their individual projects. Some good practice
examples were available through accreditation schemes and competitions
which the Cabinet Office had organised. They were now setting
up a public benchmarking scheme, but were not attempting to rank
departments in a league table according to the quality of their
risk management. The Treasury added that, because departments
were responsible for many different sorts of activities, a league
table approach would be difficult to implement.[23]
Conclusions
34. The Cabinet Office are providing training on
risk management for departmental staff but have limited information
on the extent to which departments are providing their own training
in risk management. If civil servants are to develop greater competence
in risk management they need to be trained in how to identify,
evaluate and manage risks. The training required and how best
to provide it should be a key element of departments' action plans
to implement their risk frameworks.
35. In assessing departments' risk frameworks, and
having regard to their public sector benchmarking project, the
Cabinet Office should seek to identify examples of good practice
in risk management and disseminate them so that departments are
able to learn from each other's experience.
1 Committee of Public Accounts, First Report, Session 1999-00 - Improving the Delivery of Government IT Projects (HC 65 (99-00))
Seventh Report, Session 1999-00 - The Home Office: The Immigration and Nationality Directorate's Casework Programme (HC 130 (99-00))
Twenty-Fourth Report, Session 1999-00 - The Passport Delays of Summer 1999 (HC 208 (99-00))
Thirty-Fourth Report, Session 1999-00 - State Earnings Related Pension Scheme: The Failure to Inform the Public About Reduced Pension Rights for Widows and Widowers (HC 401 (99-00))
2 C&AG's report (HC 864, Session 1999-00), paras 1.6 and 3.9 and Evidence, pp 1-3, paras 3, 11-15
3 Internal Control: Guidance for Directors on the Combined Code. This guidance was developed by a working party established by the Financial Reporting Council, the London Stock Exchange and the accounting profession and chaired by Nigel Turnbull. It applies to all UK-incorporated listed companies and has been adopted to apply to the central government sector - http://www.icaew.co.uk/internalcontrol
4 C&AG's report (HC 864, Session 1999-00), para 1.8 and Evidence, pp 1-2, paras 4, 6-9
5 Qs 1, 14-15, 17, 79
6 Qs 1-2, 14-20
7 Q9
8 Q4 and Committee of Public Accounts Twenty-Fourth Report, Session 1999-00 - The Passport Delays of Summer 1999 (HC 208 (99-00))
9 Public Service Agreements (PSAs) set out aims, objectives and delivery targets for the main government departments (HM Treasury "Prudent for a Purpose" July 2000 Spending Review, Cm 4807). Service Delivery Agreements (SDAs) explain how departments will deliver their PSA targets, and how they will modernise and reform themselves (HM Treasury "Service Delivery Agreements: A Guide" November 2000, Cm 4915)
10 Qs 2, 4
11 Qs 43-47
12 Qs 57, 67
13 Qs 10, 77, 86
14 Committee of Public Accounts, First Report, Session 1999-00 - Improving the Delivery of Government IT Projects (HC 65 (99-00)), Qs 10, 66-67, 85, 87
15 C&AG's report (HC 864 (99-00)), paras 10 and 2.20, Q5
16 Qs 50-51, 70-71
17 Evidence, Appendix 1, p21
18 Evidence, Appendix 1, p21
19 Government Accounting Chapter 6, Annex 1 The responsibilities of an Accounting Officer
20 Q88
21 Evidence, Appendix 2, p22
22 C&AG's report (HC 864 (99-00)), para 10, Qs 31-38, 58-59, 65
23 Qs 21-25, 27-30