Tony Cherry summarises the findings of the idRisk/Risk Counsel/StrategicRISK joint survey of UK risk managers in the public sector, and how they differ from the earlier survey of AIRMIC members
In our last edition we published the results of our survey at the AIRMIC conference in June, looking at the challenges facing risk managers in industry and commerce. The ALARM conference later in the month offered a fascinating opportunity to compare experiences and views between the public and private sectors.
The survey was adapted to take account of key differences, for example the questions about the Enterprise Act were removed and we looked at the risk advice received by elected members rather than by non-executives, but the core elements remained the same.
Identifying the challenges
Respondents were invited to pick as many as they liked from a list of five main challenges facing businesses. The weighting of responses was very different to the private sector, where the hard insurance market figured prominently. Less than a third of these respondents rated it highly and less than 20% identified economic conditions. This time it was corporate governance which stood out as the only issue named by more than half the respondents, with regulatory and cultural issues second and third, attracting roughly equal interest.
The lack of financial pressures, either through general economic conditions or because of the availability and/or price of risk transfer, may perhaps be explained by the specific financial environment within which local authorities operate. It is interesting, however, that the level of concern about the purer risk issues of governance, regulation and culture is sufficient on its own to drive a perceived need for training, development and change.
Economic conditions
Here again we could detect a different economic atmosphere. Only a quarter of respondents said they had cancelled or postponed development or acquisition plans because of financial constraints. However, interestingly enough, almost three quarters confirmed that activities had been terminated, outsourced or divested, pointing to a tendency for local authorities to delegate tasks as against tackling them in-house.
We went on to ask whether the risks of not doing something (in the case of M&A and development activity) or stopping doing something (in the case of outsourcing) had been fully assessed. We wanted to test whether the message that risk is not a bad thing, merely an element in the process of making business decisions, was as strong in the public sector as it is in commerce.
Over 60% of these respondents considered the risks associated with outsourcing on the continuing activities of the organisation had been fully assessed. The true worth of the processes used for this risk assessment seems to be doubted by some, who felt motivated enough to add comments indicating (although couched in suitably careful language) that the risk assessment method in use by their organisation needs a review.
It is important to note that a significant few were unaware of any sort of activities occurring but could not be sure.These answers were taken at face value and entered into the data as 'no'. There may be underlying issues here concerning the level of involvement of risk managers in business decisions.
Corporate governance
Bearing in mind the apparent level of concern about the purer risk issues of governance, it was slightly surprising that over 85% of respondents felt that their senior officers and in particular chief executive were well advised on risk.
59% stated that their elected members had access to independent risk advice. The form this advice takes was not addressed in the survey. However, judging from some of the more detailed information volunteered, the definition of 'independent' seems to vary. As with the private sector, it does not seem clear that the advice is independent of the advice given to the officers.
One striking difference from the private sector emerged in the area of reputation. In the earlier survey, 93% considered reputation risk to be equally or more important than operational or hazard risks. Less than a quarter of the public sector respondents thought this to be the case.
Possibly because of this low value attached to reputation risk, 40% did not know the extent of their organisation's degree of preparation for risk to reputation. Perhaps it is the case that in the absence of competition, the building and maintenance of a reputation is not considered significant. However, given the importance of local government in attracting industry and jobs to an area, this does seem to be an area which should be further examined.
The positive responses with regard to protection for whistle blowers were encouraging, with 77% saying such protection was implemented.
Insurance market
Surprisingly, when asked if their organisation had reduced or terminated a class of insurance cover, 70% answered 'no', reaffirming the relatively low impact of financial constraint on the risk management of local authorities. Of course, the very specialised market for insuring these bodies may also play a part in determining the level of cover available and its price.
Of the 30% that said their organisation had reduced or terminated some class of insurance 74% thought the ability of the organisation to sustain uninsured losses had been properly assessed.
Over half said that their status and influence had been increased as a result of the hard insurance market, yet several of these thought that this increase will be short lived.
This tends to confirm that we are in a window of opportunity, during which risk managers can develop their role towards a broader involvement in business risk.
Internal control and culture
A further difference with the AIRMIC survey was apparent in the approach to appointing a chief risk officer. 54% of respondents said that a chief risk officer had either been appointed or was planned in their organisation; of the remaining 46%, less than half thought that their organisation had identified every individual who has responsibility for advising the chief executive on an aspect of risk.
It may be that within the culture of local authorities, it is easier to reconcile the executive and risk functions within one job.
Some people highlighted the dangers of creating an 'off guard' culture within the organisation if an individual is given the sole responsibility for risk. This point came up in the AIRMIC survey too, and demonstrates an important potential misunderstanding, which could inhibit progress. It has never been suggested that a CRO would relieve anyone else of the obligation to manage risk in their own area; in fact a key element in the task would be to ensure the operation and co-ordination of that embedded effort. The issue, really, is at what level in the organisation should that ultimate power and responsibility lie - hence the argument for a CRO at the very top level.
In other words, the key with operational risks is to embed the risk management systems within operational management, but at strategic level what is important is accountability to the board and to stakeholders. Those that had experienced obstacles when trying to integrate such programmes stated that cultural and financial hurdles stood in their paths.
Individual challenges
As before, the final stage in the survey was to relate some of the findings about the organisation to the challenges that impact personally on the risk manager. Respondents were invited to pick as many as they liked from a list of five main challenges that would have the biggest impact on them personally.
We obtained a similar spread of answers to those found in the AIRMIC survey. Over 55% of these answers indicated that internal risk control and culture could have the biggest impact and needed attention if respondents were to achieve the full potential of their future role.
Conclusion
Whereas in industry, we were not surprised to find that the role of risk managers had changed substantially under the influence of increased corporate governance demands and the hard insurance market, the position amongst ALARM members seems more varied and complex.
The culture of risk management in the public sector is obviously different, but cultural blockers to integrated risk management were nevertheless identified, as were unstructured communication and imperfect transfer of knowledge about risk internally. There is probably also a dimension of political risk, which has a marked effect at the strategic level, but which did not really emerge at all from this survey. Any conclusions which fail to take that into account may be flawed.
Nevertheless it seems likely that as in the private sector, senior management face a very real problem in understanding and measuring the risks in their business, and will not always look to the risk manager to provide the joined-up solution. Whether the problem is perceived at all, is another matter.
Tony Cherry is head of risk counsel, Beachcroft Wansbroughs, Tel: 0117 918 2181, E-mail: acherry@bwlaw.co.uk
BASIS OF SURVEY
Like the AIRMIC survey, the ALARM survey was designed to investigate the different approaches risk managers, and the organisations for whom they work, adopt in response to the challenges they face, and in particular whether these organisations see their risk management model incorporating a chief risk officer at very senior level.
RESPONSE
A total of 35 risk managers completed the questionnaire with the majority, unsurprisingly, coming from local authorities. Three respondents were from outside the UK, so their responses have been omitted from the analysis, although their inclusion would have made little difference to the outcome. They do, however, provide some interesting anecdotal commentary on how similar issues are viewed elsewhere.
No obvious biases exist within the balance of the sample. The only possibility is of varying constituencies having different views on risk due to geographical location. This bias is deemed to be no different to same sector businesses operating in different geographical locations, and so it was dismissed.
Due to the sample size, we have treated any statistical conclusions with caution. However, we feel that the results give a fair reflection of, and provide a useful indicative guide to, the present risk management framework and views in the industry about likely developments.
A number of questions prompted subjective responses, and these assisted in making an informed interpretation of the present state of risk management strategies. It is worth remembering however, that the survey was undertaken within a public sector risk management association conference, and that may have discouraged overtly critical comments.