Risk management professionals - those brave men and women, usually from insurance, audit or health and safety - have been extolling the virtues of good risk management practices for years. But for many of the rest of us, the dawning realisation that risk management made sense has taken a little longer, despite corporate scandals, central government directives or pressure from our external auditors, the Audit Commission.
Of course, risk management is not a totally new concept in Salford, nor, subconsciously, to the many officers in information and communication technology (ICT). Awareness and developments have been ongoing for years, spearheaded by the audit and risk management unit. New developments began last year on a council-wide performance management system that more closely integrates, and shows the alignment between, risk and the high-level strategic priorities of the council (known as the pledges), the cabinet work plan and directorate service plans. These will help to demonstrate how risks are associated with organisational priorities.
We have been told for years by such august bodies as Gartner that ICT departments are at a crossroads. They need to get into added value, move higher up the food chain, get out of box shifting and into the transformation and exploitation of technology business. Those of us in ICT at Salford have seen this over the last five years and have been at the heart of tremendous technological change, transforming the way ICT is delivered internally, and used to deliver the needs of the 21st century citizens we serve.
Of course, with change comes risk. This is nothing new. It is just the type of risk and the way it manifests itself that has altered, as tolerance to service interruption or prolonged downtime has shrunk. We work in an environment which expects 24/7 system availability, which in turn requires robust continuity arrangements to ensure stability and recovery in the event of an incident. Risk assessment is at the heart of our approach to managing systems and defining fit-for-purpose continuity and recovery arrangements.
In Salford ICT we realised that, to deliver our core services of network infrastructure, voice over IP, applications, e-mail and internet, we needed to embrace risk management right across the division. This had to include not only technical and customer-facing staff, but everyone, as fully recognising, managing and, where appropriate, exploiting risk are essential skills.
The work on risk management is part of an underlying ICT and council commitment to investing in and developing staff. Underpinning this is an evolving competency framework for managers and staff, which clearly defines risk management as a necessary competence for everyone.
Effectively managing risk is a key aspect of good governance, as highlighted in the Good Governance Standard for Public Services report (January 2005). Public sector organisations face a wide range of strategic, operational and financial risks, from both internal and external factors, which may prevent them from achieving their objectives. Risk management is a planned and systematic approach to identifying, evaluating and responding to risks and providing assurance that responses are effective. Mature organisations are able to perceive trends and gather intelligence, so that potential risks are identified and prevented early in the cycle, thus avoiding expensive remedies.
ICT Services is committed to all-inclusive risk management. All staff, irrespective of their job or function, have a role to play in effectively managing risk. It is a key element of the proposals made in the 2005 Best Value review, and underpins the collective management and staff vision for service improvement, delivery and sound governance.
The ICT management team will review the risks facing the service on an ongoing basis, using customer feedback sessions, staff workshops, analysis of ICT risks in the project management function and the balanced scorecard management system on a regular basis, to ensure the strategic and operational risk registers are aligned with the key business risks facing the division.
Our commitment to risk management in ICT revolves around the following aspects.
- Senior management have given their complete support to creating a risk management culture.
- The necessary resources, including time and money, will be made available.
- Risk management will be an integral part of the way we work and do business.
- Tools, training and policies will be needed and rolled out to all staff.
- Everyone will be critical to ensuring good risk management practice within the ICT division.
In addition to our risk management toolkit, strategy, risk assessment forms, risk management policy (which is pinned up throughout the office and has been personally issued to all staff), perhaps the greatest commitment to building risk awareness was building a bespoke web-based training package for staff. We made a conscious decision when putting the course together, that we were not looking to create risk management specialists, but to instil the core ideas arising out of the division's risk management principles, which are as follows:
- create a workforce with a questioning attitude
- if unsure, STOP and seek guidance
- risk aware, not risk averse
- build good awareness skills, based around a 'what if' mentality
- staff commitment and involvement.
Building the package in a virtual way, rather than using a traditional classroom setting, was seen as a way of not only exploiting the ICT investment and the Plato tool, but also enabling people to complete it at their own pace, without the additional overhead and disruption of booking training rooms.
These aims support our risk management policy, which states: 'The risk management policy of ICT Services is to adopt best practices in the identification, evaluation, and cost-effective control of risks to ensure that they are eliminated or reduced to an acceptable level. Where ICT Services is required to be innovative, and make significant investment decisions, it will do so having first analysed and evaluated the risks concerned.
'ICT Services acknowledges that some risks will always exist and may never be eliminated. All employees must understand the nature of risk and accept responsibility for risks associated with their area of operation. The necessary support, assistance and commitment of elected members and senior management will be provided.'
The risk management course we built is browser based and uses the Plato e-learning tool. We rolled the course out to the 120 staff in ICT Services in January 2006, with a target completion date for everyone by the end of February 2006. The course itself is split into the following modules.
An introduction to risk
- underlying principles
- key concepts
- where improvement could occur
- thinking effectively about risk and loss.
Risk analysis
- risk analysis
- identifying risks
- reasons for risk
- evaluating risk.
Risk control
- risk control overview
- develop and implement controls
- develop management
- monitor systems
- monitor effectiveness by reviewing and updating
- putting everything into practice.
- end of course quiz and certificate.
In addition to the modules above, a number of supplementary resources were built, to give further working examples of risk in practice, case studies, a glossary of terms, crossword, and various links and forums to improve knowledge and understanding.
Plato is an extremely flexible development tool, allowing for the inclusion of a wide range of graphics, pictures and tables to break up the text and make it varied and interesting. In total the course takes around two to three hours, depending upon level of knowledge and how much time it takes to complete each section and the end of course test.
The course build itself was done entirely by Salford ICT staff and took approximately three months to complete, from design to proof reading and testing. Extensive use was made of our own case studies, to clearly show key learning points.
Since it was rolled out, all staff have completed it and passed the exam. The course feedback and comments left in the online forum have been extremely positive and very supportive of the syllabus and level of content. This is always difficult to judge: we wanted it to be interesting and informative, without being too long winded. In the end, over 87% said the course was very good to excellent; that they had learned something and they would use their new skills in the office and at home.
One of the many benefits of the Plato e-learning tool is that it is fully customisable and includes considerable management reporting functionality. With this, we were able to track and report on a wide range of statistics - including staff enrolled, time spent by people, grades and percentage completed. To ensure those enrolled on the course were clear about the aims of each module, clear objectives were laid out. Further support was also available through an online forum, where questions could be submitted to the course moderator - many of which proved to be interesting and provoked a number of threads of conversation.
Before the Plato course, the exposure of some staff in ICT to formal risk management techniques was limited. For the first time therefore, we exposed ICT trainers, help desk staff, business process engineers, system administrators, software developers, print room staff and systems analysts to a new world. Of course, many had already been thinking about risk management, without necessarily seeing it in a formal way, but as part of their daily jobs.
This of course is not the end. We are using these skills to develop operational risk registers for teams, to encourage a real understanding and ownership of the risks facing managers and staff in their day-to-day roles, and are already reaping the benefits in terms of operational performance, reduction in system downtime and improved change control. Further training offerings are planned at a more advanced level for managers and team leaders.
We built our risk management course for ICT staff, so the graphics, pictures and examples use scenarios that ICT staff can relate to, but the underlying principles are sound for virtually any type of business or organisation. Since we presented a summary of our experiences to the senior management team, several parts of the council have expressed an interest in the syllabus. While there may be a need to make some minor amendments to suit other teams, we firmly believe that everyone in the council would benefit from these core skills, and seeing it more widely established as a corporate standard is something we are pursuing.
- David McIlroy is assistant director - ICT services, Salford City Council, www.salford.gov.uk