While there is a clear need for public sector risk management, does the approach differ from that in commercial organisations and if so, why?
Peter Young: Well, there are a couple of different ways to answer this question. First, I think the challenge is different for public entities because they operate in an environment with stakeholders who differ in notable ways from commercial organisation stakeholders. For example, citizens are not the same as stockholders, and their expectations are different. Additionally, the purposes of public entities are different from commercial concerns - even in this era of privatisation - and things like continuity of service and fair service delivery to all citizens can tend to have an importance that rivals 'value maximisation'. So, public risk management differs from the commercial side by virtue of the different pressures that come to bear as a result of differing environmental pressures and expectations.
Second, a case can be made that public risks have different properties from private risks. Public risks tend to have broad, even non-appropriable, characteristics (put simply, these risks do not neatly fit into the concept of markets and market-based solutions). Further, many risks are public because they cannot be handled privately (things like defence, public health, and public safety may have some private sector aspects, but mainly are responses to risk that require public sector involvement). Indeed, it might be possible to argue that governments exist in large part to address risks (public risks) that cannot be managed privately. We might even say that government is risk management.
Are public sector organisations as keen to introduce enterprise-wide risk management (ERM) as commercial businesses appear to be?
Peter Young: The private sector has many more pressures today to adopt ERM practices. Most of the emerging standards, best practices, accounting guidelines, rules and laws are directly focused on commercial organisations, and thus motivations and sources of motivation are quite different. This has tended to mean that ERM has hitherto been seen as a largely private sector preoccupation.
This is changing, however, and several countries (the UK included) have begun to apply ERM principles to public sector risk management. This is happening in varying ways, but generally it is through emerging audit standards and principles that we are seeing an emerging expectation that public entities take an ERM-style approach to risk management.
What are the main problems or barriers for public sector organisations in trying to embed enterprise risk management?
Peter Young: Practically speaking, the big barrier has been the absence of external pressure. As I said previously, the private sector now operates in an environment where numerous external expectations (legal and otherwise) are effectively requiring firms to move towards an ERM approach. That environment does not yet exist in the public sector, at least not in any comprehensive sense. As a consequence of this, I think the executive-level awareness of ERM is quite low in the public sector, and of course, if the boss does not think something is important, no one else will think so either.
On a more philosophical level, I think there are some problems with improving the efficiency of public entities (and ERM is nothing if not an efficiency-enhancing practice). While no one would dispute the unvarnished value of improving service delivery for refuse collection or meals at schools, or even public sector investment in large projects, western democracies have all been constructed to address the problem of power consolidation, so we have to recognise that some inefficiency in government is intentional. ERM can encounter this issue in a number of different ways - through legal barriers to data sharing and data privacy issues, through separation of responsibilities such as one might find with counties and cities facing overlapping authority for certain risks.
Put simply, I guess I would say that efficiency is not as easily achieved in public entities, and often this is for deeply philosophical reasons.
How far have public sector organisations progressed with ERM? Have there been any studies on this?
Peter Young: Progress has been limited, but I expect that the answer will be quite different two to three years from now. We happen to be at a time when change is just beginning to occur in the public sector. A number of organisations in Europe, North America, Australia and New Zealand have begun working with the ERM framework, and some very compelling case studies can be found. And no, there is not any kind of comprehensive set of data detailing ERM developments in the public sector.
- Sue Copeman is editor, StrategicRISK. Peter Young occupies the E W Blanch, Sr Chair in Risk Management at the University of St. Thomas College of Business. In that capacity he is responsible for the MBA Concentration in Risk and Insurance Management, a programme recently ranked fourth in the US by Best's Review. Dr Young also serves as the director of research and education at the European Institute of Risk Management in Copenhagen, Denmark, and is an academic adviser to the Institute of Risk Management in London.