Select Committee on Public Accounts First Report


FIRST REPORT


The Committee of Public Accounts has agreed to the following Report:—

MANAGING RISK IN GOVERNMENT DEPARTMENTS

INTRODUCTION AND SUMMARY OF CONCLUSIONS AND RECOMMENDATIONS

1. All activity by government departments involves the risk that projects or programmes may fail, that services may not be delivered on time or to a satisfactory standard, or that opportunities may be missed. Assessment of the likelihood of such contingencies arising is essential if departments are to take decisions on the basis of best information and thus maximise the likelihood of being able to meet their objectives.

2. Numerous reports[1] by this Committee have emphasised the need for departments to improve their risk management. In particular we have drawn attention to the importance of departments undertaking careful risk assessments before embarking on major new projects and programmes, of having strategies for managing risks, and of having reliable contingency arrangements in place for responding to the unexpected, so that service delivery for citizens can be maintained.

3. On the basis of a report by the Comptroller and Auditor General, we examined what the Cabinet Office and the Treasury are doing to encourage departments to improve their risk management. We underline four main points:

      (i)  Innovating to improve public services entails risk. We are rightly critical where risks are ignored, for example where major IT projects are poorly specified and badly managed; but we give due credit where risks are carefully identified, evaluated and managed, recognising that good management reduces but does not eliminate the possibility of adverse outcomes.

      (ii)  Risk taking and innovation are consistent with the careful and proper control of public money. If departments have sound systems of control they are more likely to have the confidence to innovate because they will be better able to cope with adverse circumstances.

      (iii)  Risk management will only become a normal and integral part of the way departments and agencies operate if civil servants have the skills to identify and assess risks and take the action necessary to manage them. In developing action plans to implement their risk frameworks departments should ensure that all staff receive appropriate training.

      (iv)  We welcome the initiatives that have been taken by the Cabinet Office and the Treasury to improve risk management by departments. It will be important for the Cabinet Office and the Treasury to continue to monitor how departments implement their risk management plans, to ensure that they are underpinned by effective action to manage risks. These plans should include reliable contingency arrangements to deal with the unexpected which might put service delivery for citizens at risk.




4. Our specific conclusions and recommendations are as follows.

On the impact of initiatives to improve departments' risk management

      (i)  For risk management to become a standard feature of the way in which departments carry out their activities the benefits of risk management in improving service delivery and safeguarding public money need to be understood and accepted by their staff. But at the time of the NAO's survey in March 2000 only 25 per cent of departments had set clear risk management objectives. In reviewing departments' risk frameworks the Cabinet Office should ensure that the aims and benefits of risk management and responsibility for it are clearly defined (paragraph 18).

      (ii)  The Cabinet Office's initial assessment of departments' risk frameworks indicated that some departments have much more developed frameworks than others. The Cabinet Office should seek improvements where departments appear not to have fully assessed the risks which they face, or not to have reliable arrangements in place to manage such risks (paragraph 19).

      (iii)  Previous reports by this Committee have drawn attention to major programme failures such as the passport delays of summer 1999, when not enough attention was given early enough to managing the risks associated with implementing new policies. Departments should ensure that they identify and assess the risks inherent in any new programme sufficiently early so that effective action can be taken to manage them (paragraph 20).

      (iv)  The Cabinet Office expect that their initiatives to improve risk management will lead to higher levels of performance by departments and will reduce the likelihood of major failures in service delivery. The Cabinet Office should carefully monitor departments' implementation of their risk frameworks, assess their impact in improving risk management and seek corrective action by departments to address deficiencies (paragraph 21).

      (v)  The delivery of a major public service is frequently the responsibility of a number of departments and agencies, as well as private sector and voluntary organisations who need to co-operate to that end. Failure of one organisation to deliver that part of the service for which it is responsible can put the whole service at risk. Only one in eight departments were aware, however, of the strengths and weaknesses of the risk management systems of other organisations with which they worked. Departments should assess the strengths and weaknesses of risk management systems in partner organisations (paragraph 22).

      (vi)  There needs to be greater awareness and acceptance by staff in departments that risk management is the responsibility of those involved in the delivery of services and management of programmes and not just finance and internal audit staff. Senior management in particular should take the lead in risk management (paragraph 23).

On responsibility for risks

      (vii)  Where a Private Finance Initiative project concerns the delivery of an essential public service the department may have no option, if the project fails, but to take back responsibility for delivering the service. In these circumstances it would be misleading for the contract to be drawn up on the basis that the risk of failing to deliver the service had been wholly transferred to the private sector supplier. It is therefore important that departments should carefully follow Treasury guidance that optimum, not maximum, risk should be transferred to private sector suppliers (paragraph 30).

      (viii)  The Accounting Officer Memorandum requires the Accounting Officer to seek a Direction if required by the Minister to implement a proposal which the Accounting Officer does not consider to represent value for money. The Memorandum does not however explicitly mention the need to consider the level and allocation of risk. We note the Treasury's assurance that risk is an integral part of value for money decisions which Accounting Officers should consider. In order to put the matter beyond doubt, we recommend that the Treasury should amend the Accounting Officer Memorandum to make explicit the consideration of risk in relation to assessing value for money (paragraph 31).

On developing skills to manage risk

      (ix)  The Cabinet Office are providing training on risk management for departmental staff but have limited information on the extent to which departments are providing their own training in risk management. If civil servants are to develop greater competence in risk management they need to be trained in how to identify, evaluate and manage risks. The training required and how best to provide it should be a key element of departments' action plans to implement their risk frameworks (paragraph 34).

      (x)  In assessing departments' risk frameworks, and having regard to their public sector benchmarking project, the Cabinet Office should seek to identify examples of good practice in risk management and disseminate them so that departments are able to learn from each other's experience (paragraph 35).

INITIATIVES TO IMPROVE RISK MANAGEMENT

5. The Cabinet Office have responsibility for encouraging departments to adopt well managed risk taking where it is likely to lead to sustainable improvements in service delivery. To this end, government departments were asked to produce and publish on their websites plans for handling those risks for which they are responsible which could directly affect the public, in particular health, safety and environmental risks.[2] We questioned the Cabinet Office and the Treasury on the following main aspects of risk management.

Internal controls

6. Reliable controls can minimise the likelihood of risks maturing, for example by preventing unauthorised use of expenditure or by highlighting deficiencies in the quality of a service, and can minimise the adverse consequences if a risk does mature. In recognition of the need for sound controls, a working party was established by the Financial Reporting Council, the London Stock Exchange and the accounting profession in 1998 to develop guidance on internal controls. The report of the working party - the Turnbull report - recommended that internal controls should be embedded in companies' operations so as to enable them to manage significant risks to the achievement of their business objectives. This requirement now applies to listed companies of all sizes incorporated in the UK.[3]

7. Guidance for departments on internal controls is the responsibility of the Treasury which is seeking to apply to central government departments the principles of the Turnbull Report. Departments are expected to prepare statements of internal control as part of their annual accounts from 2001-2002 to give assurance that they have an on-going process for identifying, evaluating and managing significant risks. Departmental progress reports indicated that 76 per cent of departments expected to have all appropriate risk systems in place for 2001-02. The remainder (9 departments) expected controls to be in place but with more work still to be done. Fifty per cent of departments said that risk management is now being embedded in their business planning mechanisms.[4]

8. The Committee asked whether more needed to be done given that, in response to a survey by the NAO of departments' approach to risk management, while 82 per cent agreed that risk management was important to the achievement of their objectives only 25 per cent of departments said they had established risk management objectives.[5]

9. The Cabinet Office said in evidence that statements of internal control required departments to consider risks in terms of the totality of their business and not just parts of it, and to ensure that risk management is embedded into their basic business planning systems. Together with an Interdepartmental Liaison Group on Risk Assessment, they were evaluating departments' risk frameworks to identify areas either requiring best practice guidance or revealing gaps that needed to be filled. The Cabinet Office said that together with the Treasury they had, over the last ten years, issued a considerable amount of advice to departments about handling different aspects of risk. The Treasury told us that, to assist departments, they had in 1999 published guidance which set out the key components of an effective risk management system. The Cabinet Office said that, in the past, departments had focussed more on better known risks, such as safety hazards and risks associated with scientific uncertainty. They re-emphasised their objective to promote risk management as important to all departments' activities.[6]

10. The initial view of the Cabinet Office was that departments' risk frameworks were mixed and that those departments which had greater exposure to potentially high impact risks had produced better frameworks. But other departments were beginning to think harder about the risks they faced. The Cabinet Office said that they would be asking risk experts who work with the Interdepartmental Liaison Group on Risk Assessment to give an independent view of departments' risk frameworks, and that they would use this assessment to identify the better frameworks and those requiring improvement as a means of promoting best practice across departments.[7]

Delivering outcomes and having contingency arrangements

11. The survey by the National Audit Office of departments found that their approach to risk management was focussed on minimising financial loss or preventing impropriety. Around 90 per cent of departments referred to this as the key risk which they had identified and clearly it is very important. There is however less recognition by departments that risk management is also about ensuring the achievement of outputs and outcomes, and having reliable contingency arrangements to deal with the unexpected which might put service delivery at risk. The Committee's report on the passport delays of Summer 1999 highlighted a clear example of where service delivery was significantly at risk and where contingency arrangements had not been established to minimise the adverse impact on service delivery for the public. We asked the Cabinet Office what they were doing to help departments focus on output and outcome achievement as essential requirements of effective risk management.[8]

12. The Cabinet Office said that they had a number of initiatives underway to ensure that risk management covered all aspects of departments' business from policy development to managing projects and service delivery on the ground. These initiatives included reviewing departments' risk frameworks, with the assistance of independent consultants, to identify good practice and areas requiring improvement, work with the Treasury to improve the quarterly monitoring of how well departments are meeting their Public Service Agreement and Service Delivery Agreement targets,[9] and seminars between ministers and officials on risk management.[10]

13. The Treasury referred to new arrangements, known as gateway reviews, which the Office of Government Commerce had put in place for all new high risk projects including IT, specifying stages in the project's development and procurement when those responsible for the project would be challenged by an independent review team on the extent to which they had identified risks and evaluated them. The Committee asked why risks had not been identified in the case of the Passport Office, when a major new IT system was being introduced, to prevent the passport delays experienced in 1999. The Cabinet Office said that their objective was to get civil servants to identify much earlier than hitherto the likely consequences of their actions or inactions. Better systems were needed, as were civil servants skilled to make sound judgements on risk and how to manage it.[11]

14. The Cabinet Office told the Committee that, while senior management should have responsibility for monitoring risk, line managers should be responsible for identifying risks because those who have direct day-to-day experience of the work were best placed to do this. Relying on financial staff to identify risks, as had often happened, could be insufficient because they might concentrate on financial risk and not on risks which could adversely affect service delivery. The Cabinet Office advised us that they were promoting greater stakeholder engagement in policy development to improve the perception of risk to all those involved in a policy.[12]

15. With all procedures, including those intended to support risk management, there is a danger that staff will follow them unthinkingly and not exercise appropriate judgement about whether the controls in place are reliable enough to deal with all significant risks. We asked the Cabinet Office whether they were satisfied that the evaluation and proper management of risks was becoming part of each department's culture. They said that new definitions of the skills and competencies required at senior levels in the civil service promoted innovation and the taking of measured risks. Embedding risk management into departments' main business planning processes and giving responsibility for risk management to those who lead for particular departmental activities should help to avoid risk management becoming simply another process.[13]


Dividing projects into more manageable units

16. Many projects and programmes for which departments are responsible are large and technically complex, and as a consequence the risks of failure or of things going wrong can be proportionally greater. We have in previous reports, such as our consideration of lessons for improving the delivery of Government IT projects, recommended that such projects be broken down into more manageable units to make the risks smaller for each individual part of the project. We asked the Cabinet Office what was being done to encourage private sector partners to divide projects, particularly those involving complex IT, into smaller and more manageable units. The Cabinet Office referred to the new review process which the Office of Government Commerce had introduced so that projects were scrutinised at critical stages in their development. The process was being used to promote a modular approach to project management.[14]

Risks associated with working with others

17. Joint working between departments and agencies and other voluntary and private sector organisations which provide complementary services for citizens can help to improve service delivery by ensuring that services are sufficiently co-ordinated and developed. Joint working, however, involves risks. For example, if part of the service provided by one organisation is delayed or is of poor quality the success of the whole programme is put at risk. Departments need therefore to be alert to the risks associated with working with others which might adversely affect service delivery. In responding to the National Audit Office's survey only one in eight departments said that they knew about the strengths and weaknesses of the risk management systems of other organisations with which they worked. The Committee asked the Cabinet Office how the situation could be improved. In evidence they said that a number of initiatives were in train which might help civil servants think in a more cross-cutting manner. Programmes such as Sure Start, which spanned the responsibilities of more than one department, the establishment of a number of cross-cutting units such as the Social Exclusion Unit and the Drugs Unit, and the cross-cutting Risk Management Steering Group which the Treasury chaired were all intended to promote more joint working.[15]

Conclusions

18. For risk management to become a standard feature of the way in which departments carry out their activities the benefits of risk management in improving service delivery and safeguarding public money need to be understood and accepted by their staff. But at the time of the NAO's survey in March 2000 only 25 per cent of departments had set clear risk management objectives. In reviewing departments' risk frameworks the Cabinet Office should ensure that the aims and benefits of risk management and responsibility for it are clearly defined.

19. The Cabinet Office's initial assessment of departments' risk frameworks indicated that some departments have much more developed frameworks than others. The Cabinet Office should seek improvements where departments appear not to have fully assessed the risks which they face, or not to have reliable arrangements in place to manage such risks.

20. Previous reports by this Committee have drawn attention to major programme failures such as the passport delays of summer 1999, when not enough attention was given early enough to managing the risks associated with implementing new policies. Departments should ensure that they identify and assess the risks inherent in any new programme sufficiently early so that effective action can be taken to manage them.

21. The Cabinet Office expect that their initiatives to improve risk management will lead to higher levels of performance by departments and will reduce the likelihood of major failures in service delivery. The Cabinet Office should carefully monitor departments' implementation of their risk frameworks, assess their impact in improving risk management and seek corrective action by departments to address deficiencies.

22. The delivery of a major public service is frequently the responsibility of a number of departments and agencies, as well as private sector and voluntary organisations who need to co-operate to that end. Failure of one organisation to deliver that part of the service for which it is responsible can put the whole service at risk. Only one in eight departments were aware, however, of the strengths and weaknesses of the risk management systems of other organisations with which they worked. Departments should assess the strengths and weaknesses of risk management systems in partner organisations.

23. There needs to be greater awareness and acceptance by staff in departments that risk management is the responsibility of those involved in the delivery of services and management of programmes and not just finance and internal audit staff. Senior management in particular should take the lead in risk management.

RESPONSIBILITY FOR RISKS

Private Finance Initiative

24. The assessment of risk, and who is best able to manage it, needs to be carefully considered in the design of Private Finance Initiative projects. We asked the Treasury and the Cabinet Office whether the assumptions which departments make about risk transfer were realistic where the private sector failed to deliver, so that a department had to step in and rescue the project. The Treasury said that their guidance on Private Finance Initiative projects now recommended optimum not maximum risk transfer, and that departments should make sure that the balance of risk is right and only transfer to the private sector risk which it could manage.[16]

25. The Treasury stated that the need to ensure that services to the public were maintained meant that the risk of ultimate failure was one that sometimes could not be transferred to the private sector. In the case of an operational facility, such as a hospital, it would be normal in current contracts to have provisions enabling the public sector partner to take over the assets and their operation in the event of failure and/or to seek a new private sector partner. The contract might provide for the private sector partner to receive compensation for the transfer of assets to the public sector, thus addressing the problem of security for the project's financing.[17]

26. The Treasury also told the Committee that, in general, Private Finance Initiative deals were structured so that, if the contractor got into difficulties, there was a strong incentive for the financier to step in and either get the contractor back on track or, if that was not possible, replace the contractor with an alternative. Only where both these options fail would the department normally step in. In such circumstances the financier's interests in the underlying capital asset would be protected under the direct agreement with the department, although the financier would lose his other costs. The Treasury told us that it was important to bear in mind that the power to step in and keep the service going did not necessarily mean that the contractor would be rescued or would not still pay a substantial financial price in the event of a rescue. They assured us that there was no question of compensating the contractor for his losses.[18]

Accounting Officer Directions and Risk

27. If a Minister contemplates a course of action which raises issues relating to Accounting Officers' wider responsibilities for ensuring economy, efficiency, and effectiveness in the use of public money, Accounting Officers are required to draw the relevant factors to the attention of their Minister and advise what they consider is appropriate. If the advice is over-ruled and the proposal is one which the Accounting Officer would not feel able to defend before the Committee of Public Accounts, the Accounting Officer should seek a written instruction - a Direction - from the Minister. Accounting Officers are required to inform the Treasury and the Comptroller and Auditor General that they have sought such an instruction from their Minister.[19]

28. The risk inherent in any programme or course of action can significantly influence whether value for money is likely to be achieved particularly in terms of whether a project will be delivered on time and within budget or whether public services will be maintained to sufficient quality standards. The Memorandum setting out the responsibilities of Accounting Officers does not, however, specifically require them to consider risk in forming a view as to whether value for money is likely to be adversely affected. We therefore asked the Treasury to consider amending the Accounting Officer Memorandum to take account of the importance of considering the risks inherent in a policy or programme particularly if a Minister requires something to be delivered to a demanding timetable.[20]

29. The Treasury considered that while the Memorandum did not explicitly refer to risk issues, risk was an integral part of the value for money decision which the Accounting Officer should take into account. They told the Committee that they expected departments, in considering value for money issues, to follow the Treasury's guidance on investment appraisal which recommends considering costs and outcomes weighted by probabilities, thus bringing risk issues into the equation. The Treasury added that if a proposal were to be implemented in such a short timescale that it would jeopardize value for money, the Accounting Officer would be entitled to evaluate the options in accordance with the Treasury's guidance on investment appraisal and take this into account in considering the value for money of each option.[21]

Conclusions

30. Where a Private Finance Initiative project concerns the delivery of an essential public service the department may have no option, if the project fails, but to take back responsibility for delivering the service. In these circumstances it would be misleading for the contract to be drawn up on the basis that the risk of failing to deliver the service had been wholly transferred to the private sector supplier. It is therefore important that departments should carefully follow Treasury guidance that optimum, not maximum, risk should be transferred to private sector suppliers.

31. The Accounting Officer Memorandum requires the Accounting Officer to seek a Direction if required by the Minister to implement a proposal which the Accounting Officer does not consider to represent value for money. The Memorandum does not however explicitly mention the need to consider the level and allocation of risk. We note the Treasury's assurance that risk is an integral part of value for money decisions which Accounting Officers should consider. In order to put the matter beyond doubt, we recommend that the Treasury should amend the Accounting Officer Memorandum to make explicit the consideration of risk in relation to assessing value for money.

MANAGEMENT SKILLS

32. The NAO's survey of departments found that only 14 per cent of departments provided training on risk management. We asked the Cabinet Office how important they thought it was for departments to provide such training and why the number doing so was so low. They told us that they had provided training and organised workshops for their own staff. In addition the Civil Service College's training which was available to all departments included elements which covered risk management. The Treasury said that from the returns which they had received from departments on their internal controls it was clear that training was a priority. The Cabinet Office said that they did not routinely monitor the type and extent of training which departments provided, but they would be taking stock of the information which they had received with departments' risk frameworks. If that did not provide enough information on the extent of training being undertaken they might repeat the NAO survey.[22]

33. Staff can also improve their risk management skills by learning from good practice adopted by other departments and agencies. We asked the Cabinet Office which departments they considered were particularly good or not so good in implementing risk management. The Cabinet Office said in evidence that their role as a central department was to ensure that departments had proper risk management processes in place, but it was for departments to form an overview of their individual projects. Some good practice examples were available through accreditation schemes and competitions which the Cabinet Office had organised. They were now setting up a public benchmarking scheme, but were not attempting to rank departments in a league table according to the quality of their risk management. The Treasury added that, because departments were responsible for many different sorts of activities, a league table approach would be difficult to implement.[23]

Conclusions

34. The Cabinet Office are providing training on risk management for departmental staff but have limited information on the extent to which departments are providing their own training in risk management. If civil servants are to develop greater competence in risk management they need to be trained in how to identify, evaluate and manage risks. The training required and how best to provide it should be a key element of departments' action plans to implement their risk frameworks.

35. In assessing departments' risk frameworks, and having regard to their public sector benchmarking project, the Cabinet Office should seek to identify examples of good practice in risk management and disseminate them so that departments are able to learn from each other's experience.


1  Committee of Public Accounts, First Report, Session 1999-00 - Improving the Delivery of Government IT Projects (HC 65 (99-00))

Seventh Report, Session 1999-00 - The Home Office: The Immigration and Nationality Directorate's Casework Programme (HC 130 (99-00))

Twenty-Fourth Report, Session 1999-00 - The Passport Delays of Summer 1999 (HC 208 (99-00))

Thirty-Fourth Report, Session 1999-00 - State Earnings Related Pension Scheme: The Failure to Inform the Public About Reduced Pension Rights for Widows and Widowers (HC 401 (99-00))

2  C&AG's report (HC 864, Session 1999-00), paras 1.6 and 3.9 and Evidence, pp 1-3, paras 3, 11-15

3  Internal Control: Guidance for Directors on the Combined Code. This guidance was developed by a working party established by the Financial Reporting Council, the London Stock Exchange and the accounting profession and chaired by Nigel Turnbull. It applies to all UK-incorporated listed companies and has been adopted to apply to the central government sector - http://www.icaew.co.uk/internalcontrol

4  C&AG's report (HC 864, Session 1999-00), para 1.8 and Evidence, pp 1-2, paras 4, 6-9

5  Qs 1, 14-15, 17, 79

6  Qs 1-2, 14-20

7  Q9

8  Q4 and Committee of Public Accounts Twenty-Fourth Report, Session 1999-00 - The Passport Delays of Summer 1999 (HC 208 (99-00))

9  Public Service Agreements (PSAs) set out aims, objectives and delivery targets for the main government departments (HM Treasury "Prudent for a Purpose" July 2000 Spending Review, Cm 4807). Service Delivery Agreements (SDAs) explain how departments will deliver their PSA targets, and how they will modernise and reform themselves (HM Treasury "Service Delivery Agreements: A Guide" November 2000, Cm 4915)

10  Qs 2, 4

11  Qs 43-47

12  Qs 57, 67

13  Qs 10, 77, 86

14  Committee of Public Accounts, First Report, Session 1999-00 - Improving the Delivery of Government IT Projects (HC 65 (99-00)), Qs 10, 66-67, 85, 87

15  C&AG's report (HC 864 (99-00)), paras 10 and 2.20, Q5

16  Qs 50-51, 70-71

17  Evidence, Appendix 1, p21

18  Evidence, Appendix 1, p21

19  Government Accounting Chapter 6, Annex 1 The responsibilities of an Accounting Officer

20  Q88

21  Evidence, Appendix 2, p22

22  C&AG's report (HC 864 (99-00)), para 10, Qs 31-38, 58-59, 65

23  Qs 21-25, 27-30


 

© Parliamentary copyright 2001
Prepared 23 November 2001