Reaching judgements about risks

6. If thorough risk assessments are made at the outset of the design and implementation of major government initiatives, risks associated with proposals are more likely to be managed effectively. Risk management therefore provides scope for bold, ambitious and imaginative proposals to be implemented successfully.[22] Increasingly, risk assessments are used to inform the decision-making process. The Risk Steering Group's view was that assessments of risks and their management, such as those included in Gateway Reviews of major projects and programmes should provide frank, independent feedback to departments to help address risks. One view is that if such reviews were published they might no longer be sufficiently critical or open in their assessment of risks, and therefore of less value to officials in departments managing programmes. Information included in such assessments could, however, also enhance Parliamentary scrutiny of how decisions have been reached and whether they were soundly based taking account of risks.[23]

7. Departments routinely collect and monitor data and intelligence about the risks they face to enable them to identify problems early which may require attention.[24] Careful judgements are required about the level of information needed to manage risks effectively. Too little and decisions can be flawed; too much and there can be information overload, paralysing decision-making.[25] Having relevant information on which to base decisions and prioritise action may require departments to share data with other departments[26] and to engage with the public about their views on particular risks.[27]

Risks in policy-making and implementation

8. Just 45% of departments in the NAO survey said that they identified and assessed risks in policy-making,[28] for instance whether the department had sufficient capability and expertise to implement a policy as planned.[29] In the 2004 Spending Review departments delivery plans were required to identify risks and how they would be managed,[30] for example by providing a clear assessment of risks to the costs, timetables and resources involved in implementing new policies.[31] Treasury Spending teams also assess departments' delivery plans and risks to them every six months.[32]

Adequate resourcing of policies and programmes at the outset

9. Without sufficient effort and time at the outset to plan the skills, costs and staff and other resources needed to manage programmes and allocate resources accordingly there is a risk that programmes may result in failure to deliver services of appropriate quality.[33] Experience reported to us by the Department of Trade and Industry's Coal Liabilities Unit[34] and the Department for Culture, Media and Sports' Culture Online programme[35] suggests that programmes are more likely to succeed if they are properly resourced and risks are thoroughly assessed at the outset (Figure 5).[36] Figure 5: Lessons learned about assessing risks at the outset of programmes

The Department of Trade and Industry's Coal Liabilities Unit did not undertake a risk analysis to estimate how many claims might be generated under the coal liabilities compensation schemes.[37] 684,000 claimants are now registered under the schemes with estimated total payments expected to be some £7 billion. The Department experienced significant problems initially due to the complexity of the schemes, the fact that no similar schemes had been run to provide a template, and a general underestimate by all parties involved of the volume of potential claims. In the early stages of the scheme, slow processing of claims led to criticism by Parliament and by the media.[38] The Department has however learned lessons about the need to plan resources properly from the outset to minimise the risk of problems materialising later on, has retrospectively applied some of the processes it should have had in place, and now has adequate resources to manage the schemes.[39] It has also captured the lessons from running the schemes for others in the department to learn from.[40]

The Department for Culture Media and Sports established its Culture Online programme in 2002 with a budget of £13 million to make a range of arts events much more accessible to groups of people who would normally have little contact with the arts. It provides funding and project management expertise to bring together cultural organisations and cutting edge technical providers using new technologies including internet, digital television and mobile devices. To maximise the likelihood of the arts bodies it contracts with delivering what it has commissioned, Culture Online puts in time and technical expertise at the planning stage and works with project teams to produce contingency plans to address potential risks materialising, such as that of broadcasters and other bodies outside the project dropping their support.[41]

Source: C&AG's Report; Qq 10, 19, 87

Tracking how risks are being managed in programmes

10. Where programmes are not well planned and early action is not taken to address problems promptly, remedial action to bring programmes back on track may be expensive or impossible, and can result in programmes running behind time and over budget and not delivering services as intended.[42]

11. Risk management is likely to be stronger if it is subject to rigorous accountability arrangements.[43] One way of gaining assurance that risks are being managed effectively is by robust, constructive scrutiny and challenge of programmes through, for example, Audit Committees or peer reviews. These can provide departments with comprehensive assessments of risk and help minimise the likelihood of something coming out of the blue for which no contingency arrangements are in place.[44]

12. Gateway Reviews originally introduced by the Office of Government Commerce are one such approach. Gateways, through peer review, assess at critical points in a project's life whether risks are being managed effectively and whether a project is on track to deliver what is intended. Results of Gateway Reviews are submitted to the Senior Responsible Owner for projects in departments, and for mission critical projects, such as those essential to the successful delivery of key government programmes,[45] to the Prime Minister.[46]

13. Increasingly, processes for managing risk focus on departments' performance. 90% of departments in the NAO's survey identified the main risks relating to each of their aims and objectives, 80% used a "traffic light system"[47] to monitor their main risks and how they are changing, and three quarters of departmental boards discuss overall risks and related actions at least quarterly.[48] Linking the reporting of information about risks to key performance objectives helps to ensure that risks are prioritised for attention and action at board level in departments, rather than risk management being a 'bolt on' activity where staff do not see its benefits and where there is no link to performance.[49] Departments need, however, clear channels which staff have the confidence to use for communicating to senior management sufficient and timely information on potential risks, so that action can be taken to mitigate or avoid adverse impacts.[50] We asked HM Customs of Excise how better risk assessments by staff had enabled it to tackle smuggling more effectively[51] (Figure 6).Figure 6: Using information about risks in HM Customs and Excise

Sophisticated smuggling operations constantly change their method to keep ahead of law enforcement. To keep abreast of changing patterns, HM Customs and Excise must have effective and speedy systems for communicating new risks. This relies on effective intelligence operations in the UK and overseas, but also on the ability of front line Customs Officers to identify and report new trends. Staff are actively encouraged to report new risks they identify, such as the arrival of new types of smuggled goods, new methods of concealment, or smuggled goods arriving from new destinations. This information is sent to the Intelligence Division, which distributes it rapidly, immediately if necessary, to Customs Officers at other ports. Individual reports are collated, new trends analysed, and if sufficiently high risk, are incorporated into the priority indicators used by Customs Officers to stop and search vehicles.

Source: C&AG's Report; Q 74

23   Q 92 Back

24   C&AG's Report, para 4.14 Back

25   C&AG's Report, para 4.10 Back

26   Q 30 Back

27   C&AG's Report, para 4.22, and Figure 48; Q 44 Back

28   C&AG's Report, Appendix 4 (iii); Q 80 Back

29   Q 80 Back

30   C&AG's Report, Appendix 4 (iv) Back

31   Q 80 Back

32   C&AG's Report, Figure 8 Back

33   Qq 19, 87 Back

34   Qq 19, 87 Back

35   Q 10 Back

36   C&AG's Report, para 3.11; Q 10 Back

37   Qq 19, 87 Back

38   C&AG's Report, Volume 2, para 2 Back

39   Qq 19, 22 Back

40   Q 21 Back

41   C&AG's Report, Volume 2, para 7 Back

42   Qq 5, 85 Back

43   C&AG's Report, para 4.8 Back

44   ibid, para 4.9 Back

45   Programmes or projects are included in the report as 'mission critical' if they are either: essential to the delivery of (i) a major legislative requirement, (ii) a Public Service Agreement, or (iii)a major policy initiative announced and owned by the Prime Minister or a Cabinet Minister; or, If the project does not work successfully there are catastrophic implications for delivery of a key public service, national security or the internal operation of a public sector operation. Back

46   Q 86 Back

47   A risk marked "red" needs attention; a risk marked "green" is being adequately controlled. Back

48   C&AG's Report, paras 2.17-2.18 Back

49   ibid, para 4.4 Back

50   ibid, para 4.16 Back

51   Q 74 Back