Post on 11-May-2020
STRATEGY UNIT REPORT – NOVEMBER 2002
Full report – a source document
Risk: Improving government’s capability to handle risk and uncertainty
CONTENTS
Foreword by the Prime Minister 2
Report outline 3
1. Introduction 4
2. Government’s roles and responsibilities 9
3. Improving government’s handling of risk – the challenge 14
4. Improving capacity 27
4.1 Ensuring decisions take account of risk 28
4.2 Establishing risk management techniques 39
4.3 Organising to manage risk 56
4.4 Developing skills 67
4.5 Ensuring quality 72
5. Handling and communicating about risks to the public 74
6. The role of leadership and culture change 92
7. Conclusions, recommendations and implementation – towards better decisions and outcomes 104
Project team and Sponsor Minister 123
Glossary 124
Index to Full Report 126
Annexes (available separately)
1. Project method and team, Sponsor Minister and Expert Groups
2. Definitions
3. Surveys of Departmental Board members and risk experts
4. Public attitudes to risk
5. References and useful websites
6. OGC Gateway process
7. Examples of good practice
8. Managing risk in other countries
9. The precautionary principle
10. People consulted
11. Role of the Strategy Unit
Contents
1
FOREWORD BY THE PRIME MINISTER
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
2
In many ways life today is far less risky than in the past. Yet risk seemsto matter more than ever, partly because we are so much more awareof the risks we face, and partly because of the sheer speed of changein science and technology.
It will rarely be possible for governments to eliminate risks entirely. Alllife involves some risk, and any innovation brings risk as well as reward –so the priority must be to manage risks better. We need to do more toanticipate risks, so that there are fewer unnecessary and costly crises,like BSE or failed IT contracts, and to ensure that risk management isan integral part of all delivery plans. But we also need to be sure thatinnovations are not blocked by red tape and risk aversion, and thatthere is a proper balance between the responsibilities of governmentand the responsibilities of the individual.
Over the last few years we have radically changed our approachto risk. Bodies like the Food Standards Agency, the Human GeneticsCommission and the Monetary Policy Committee have shown that moreopen processes, based on evidence, are more effective at handling risksand winning public confidence than secrecy. More recently, through theCivil Contingencies Secretariat, we have improved the way we preparefor threats of serious disruption to the UK. Right across governmenttoo we have introduced more rigorous methods to manage risks indelivery and big contracts.
But there is more we can and should do. That is why I asked theStrategy Unit to carry out this study. It has drawn on good practice andthinking around the world – from across government, the private sector,and other experts and commentators. The report sets out howgovernment should think about risk, and practical steps for managing itbetter. It proposes principles to guide handling and communication ofrisks to the public – on which we are seeking views from allinterested parties.
Risk management – getting the right balance between innovation andchange on the one hand, and avoidance of shocks and crises on theother – is now central to the business of good government. I see theagenda set out here as an important part of our reform strategy, andencourage all involved to play a full and active part in putting theconclusions of this report into practice.
Tony Blair
Chapter 1 outlines the importance of government’s risk handling and introduces thestudy’s approach, defining key terms.
Chapter 2 distinguishes and explores three roles for government in handling risk anduncertainty: a regulatory role, a stewardship role and a management role.
Chapter 3 sets out the challenge faced by government and proposes a framework forimprovements, which is developed in detail in the rest of the report.
Chapter 4 identifies the ways in which government needs systematically to develop itscapacity to handle risk. This involves ensuring decisions take account of risk, firmlyestablishing risk management techniques, organising to manage risk, developing skills andensuring quality through the application of standards and benchmarking.
Chapter 5 makes proposals for improving the way government handles and communicatesabout risk to the public. These include clearer guidelines on publishing assessments andsupporting information; earlier involvement of stakeholders in decisions; greater use ofimpartial sources in risk communication; and underpinning by clear principles.
Chapter 6 highlights the critical importance of organisational culture in supporting achange programme for handling risk management and encouraging innovation. Itrecommends a leadership approach; and greater coherence and co-ordination ofsupporting programmes and bodies.
Chapter 7 summarises the main conclusions and recommendations of the study andproposes a plan for effective implementation.
The report is supported by a number of annexes, which provide additional material tounderpin the findings including details of research undertaken, references to keydocuments and definitions of key terms.
REPORT OUTLINE
Report outline
33
Further copies
The full and summary reports are also available electronically through the Strategy Unitwebsite – www.strategy.gov.uk
Further copies of the report can be ordered from: The Strategy Unit, Admiralty Arch, TheMall, London SW1A 2WH. Tel: 020 7276 1416. Email: strategy@cabinet-office.x.gsi.gov.uk
The importance of risk1.1 Governments have always beenconcerned with the protection of citizensfrom risks. However, in recent years handlingrisk has become increasingly central to thebusiness of government. The language of riskis used to cover a wide range of differenttypes of issue:
• direct threats – from the events of 11 September 2001, to the threat ofchemical and biological attack, oraccident, and the potential vulnerability ofIT systems;
• safety issues – from BSE; in connectionwith the Measles, Mumps and Rubella
(MMR) vaccine; and other issues of risk tothe public (rail safety, adventure holidays,flooding);
• risks to the environment (risks from climatechange, CFCs);
• risks to delivery of a challenging publicservice agenda;
• continuing debate and growingexperience over transfer of risk (in capitalprojects and service delivery) to and fromthe private sector;
• ambitions to make the public sector moreinnovative, and better able to judge risksthat might deliver high rewards; and
1. INTRODUCTION
Summary
Governments have always had a critical role in protecting their citizensfrom risks. But handling risk has become more central to the work ofgovernment in recent years. The key factors include: addressing difficultiesin handling risks to the public; recognition of the importance of early riskidentification in policy development; risk management in programmes andprojects; and complex issues of risk transfer to and from the private sector.Together these factors have forced a reappraisal of how governmenthandles risk in all its forms, and led to the Prime Minister announcing theStrategy Unit study in July 2001.
The Introduction explains the background to the Strategy Unit study,defines some common language for discussing risk and sets out some keyaspects of the complexity of risk that are addressed in the report.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
4
• the risk of damage to government’sreputation in the eyes of stakeholders andthe public and the harm this can do to itsability to carry out its programme.
1.2 Together these have forced areappraisal of how government does itsbusiness, and how it handles risk in all itsforms.
1.3 These issues matter crucially togovernment because all states are at rootguarantors of the security of their citizens –there to deal with the risks that individuals,families and communities cannot handle ontheir own. And expectations have risen – overtime the public has come to expect fewerexternal risks (to health, physical security andfinancial security) while also wanting to beable to choose to take more risks which theythemselves control, and to have access tohigh quality public services.
1.4 Governments have always faced risksand dangers of their own – unforeseenevents, programmes going wrong, andprojects going awry.
1.5 Such uncertainty is not new. Butthe nature of risk has changed for twofundamental reasons. First, the increasinglyrapid pace of development of new scienceand technology has led to concerns about“manufactured risks”. These requiregovernments and regulators to makejudgements about the balance of benefit andrisk across a huge range of technologies –from genetically modified (GM) food anddrugs, to industrial processes, or cloningmethods.
1.6 The second new factor is the greaterconnectedness of the world, through an
integrated global economy, communicationssystem and a shared environment. This hasbrought huge opportunities. But it alsomeans that citizens in the UK are potentiallymore vulnerable to distant events – rangingfrom economic crises on the other side of theworld, attacks on IT networks, diseasescarried by air travellers, to the indirect impactof civil wars and famines. Globallyinterconnected infrastructure brings with itincreased exposure to catastrophic eventselsewhere, as shown, for example, by theevents of 11 September. These systemic risksare now high on the policy agenda in manycountries.
1.7 As a result of all of these factors,governments are now trying to improve theirhandling of risk.
The Strategy Unit study1.8 In July 2001, the Prime Ministerannounced the Strategy Unit (formerly thePerformance and Innovation Unit) study onrisk and uncertainty. Its origins were part ofthe response to the Phillips Report1 on BSE,but it was established with a remit to lookbroadly across the whole of government’sinvolvement in managing risk. It builds on anumber of recent reports, for example by theNational Audit Office (NAO)2 and the PublicAccounts Committee (PAC),3 highlighting theneed for improvements.
1.9 The study has developed in parallelwith a number of other initiatives andchanges within government, both influencingand feeding off them. The aim has been todevelop recommendations that cancomplement and rationalise the currentprogramme of public service reform.
Introduction
5
1 Lord Phillips, The BSE Inquiry, Volume 1, Findings and Conclusions, Stationery Office, 2000.2 NAO, Supporting Innovation: Managing Risk in Government Departments, August 2000.3 PAC, First Report Session 2001–02, Managing Risk in Government Departments, November 2001.
1.10 The study has not sought to providedetailed technical advice on how toundertake risk management. Guidancealready exists for this. Rather, it hasdeveloped: a broad framework forunderstanding risk; clarification of how riskscan be managed and by whom; proposals fororganisational coherence; and proposals formanaging culture change. The methodologyused is outlined at annex 1, along withdetails of the project team.
1.11 This report makes recommendationsfor government action to improve itshandling of risk, and includes a high-levelstatement on risk to convey the guidingprinciples to a public audience.
Handling risk1.12 The handling of risk is at heart aboutjudgement. Judgement in the context ofgovernment decision making can, andshould, be supported by formal analyticaltools which themselves need enhancing. Butthese cannot substitute for the act ofjudgement itself.
1.13 This report seeks to explore how farformal risk analysis can be usefully enhancedand made systematic, so that there is greaterclarity about where analysis ends – andjudgement begins. It also explores andsuggests what else we need to do to enhanceour handling of risk and innovation.
1.14 In every area of government’s work,effective risk handling depends on attentionto five broad areas:
• what could happen (identification). Inevery area of government regular realitychecks are needed, involving rigorousassessment of trends, possibilities, dangers,their likelihood and impact. Often this
needs to involve people without a directstake in the specific area of work itself toensure objectivity. Wherever possibleinformal channels of information as well asformal ones need to be used;
• what matters (assessment). Havingestablished what could happen,governments need to make judgements ofvalue about the desirability or otherwise ofdifferent outcomes, taking account, forexample, of the importance of thereliability of a service, the advantages tobe gained from an innovation or the placeof an activity in the broader contractbetween the state and citizens;
• what can be done (action). Havingestablished what matters, governmentthen needs to plan ways to avoid,mitigate, anticipate and otherwise copewith the potential risk, and to plan foruncertainty. In some cases contingencyplanning will be essential. In others it maybe important to put in place capacity tocope with unforeseeable events;
• what has happened (review). Having takeninitial action, government needs to assesswhether it has had the intended effect,whether the assessment of risks needs tochange and whether further action isneeded; and
• all of this has to be supported by effectivecommunication, both with thosepotentially affected by the risks and withthose who can help manage the risks.
Risk management language –key concepts1.15 The language of risk managementsometimes implies a neater process than isusually possible in reality. This is particularlythe case in government. Governments have
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
6
to deal with a more complex operatingenvironment, with more variables and agreater impact from subjective perceptionsthan other fields like business. They also haveto balance conflicting viewpoints. Handlingrisk involves values in their widest sense aswell as value in a narrower sense.
1.16 The language can also be confusing.People often give different meanings to keyterms. It is important to develop a commonlanguage, which should be capable of beingunderstood by those outside as well as insidegovernment. Within government, theguidance from OGC4 contains acomprehensive set of definitions. We haveadopted these definitions, where possible,but have found it necessary to adapt andadd, in order to cover the full range ofgovernment risk activity. The key overarchingconcepts are:
• risk refers to uncertainty of outcome,whether positive opportunity or negativethreat, of actions and events. It is thecombination of likelihood and impact,including perceived importance. Thisdefinition acknowledges the uncertaintythat underlies much of the work ofgovernment. We have deliberately avoideddefinitions of risk that are based onmeasurability (for example, the economicdistinction between risk and uncertainty).In many cases the risks that will be mostrelevant to key government decisions willrequire a large element of judgement, aswell as measurements, in their assessment(for example, whether a policy willcommand public support);
• risk management covers all the processesinvolved in identifying, assessing andjudging risks, taking actions to mitigate oranticipate them, and monitoring andreviewing progress. Or as the OGC definesit – ensuring that the organisation makes
cost-effective use of the risk process. Riskmanagement requires processes in place tomonitor risks; access to reliable, up-to-dateinformation about risk; the right balance ofcontrol in place to deal with those risks;and decision-making processes supportedby a framework of risk analysis andevaluation; and
• handling risk – we have used this as abroader term, including the processes ofrisk management, but also embracingwider issues, such as the government’sapproach, its roles and responsibilities andits organisational culture.
1.17 Other key terms, including riskidentification, risk assessment and hazard aredefined at annex 2. There is a danger thatrisk management can be seen as amechanical process. This can be damaging,potentially leading to the real issues beingmissed. This is why the report is at pains toemphasise the key role of judgement in everyaspect of the way risks are managed.
Types of risk1.18 This study considers how governmentshould handle both risks to the public andrisks to the delivery of government business.The focus is on the role of centralgovernment, although many of the issuesdiscussed will also be relevant to the widerpublic sector, including regional and localgovernment.
1.19 The risks to the public thatgovernment needs to deal with are hugelyvaried, and the scope has grown: startingwith early concerns about risks to the securityof the realm and the maintenance of thepeace; through increased involvement inpublic health in the 19th century; socialwelfare risks in the 20th century (Beveridge’s
Introduction
7
4 OGC, Management of Risk – Guidance for Practitioners, 2002.
five giants of want, disease, ignorance,squalor and idleness); to increasingexpectations for measures to protect againstthe uncertainties of scientific andtechnological advances and to control therisks placed on individuals by commercialorganisations. The study considers how riskmanagement can be applied across this wideterritory, and explores the role ofgovernment in allocating responsibility for risk.
1.20 The risks that the public faces may bevoluntarily undertaken (for example, smokingor dangerous sports), with greater or lesserdegrees of awareness of the risk, or imposedby other individuals or organisations (forexample, risks from crime, commercialproducts or technologies or the risk ofnuclear accidents) or natural events (such asflooding or severe weather). We explore theconsequences of this distinction forgovernment.
1.21 And the increasing use of modernmanagement techniques (financialmanagement, project and programmemanagement) provides opportunities forbetter management of a wide range of risksto the business of government (financial,staffing, project delays, service levels).
1.22 Chapter 2 considers the government’sroles and responsibilities in handling suchrisks.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
8
2. GOVERNMENT’S ROLES AND RESPONSIBILITIES
Summary
Governments have three clear roles in managing risk. Where individuals orbusinesses impose risks on others, government’s role is mainly asregulator, setting the rules of the game. Where risks cannot be attributedto any specific individual or body, governments may take on a stewardshiprole to provide protection or mitigate the consequences. In relation totheir own business, including provision of services to citizens,governments are responsible for the identification and management ofrisks.
In each of these areas there are no wholly reliable formulae for definingrisk. Governments need to make judgements in as open a way as possibleabout the nature of risk and how responsibilities should be allocated,recognising that there will always be some unavoidable uncertainty.
Government’s roles
and responsibilities
9
Introduction2.1 This chapter provides a framework forunderstanding the roles government plays inhandling risk, and the responsibilities that areexpected of it in each of its roles. It sets thescene for the following chapters in thereport, which explain how its responsibilitiescan be discharged.
Government has threedistinct roles in handling riskand uncertainty…2.2 Our society faces a large variety ofdifferent types of risk: some highly individual,
some public; some well understood, othersless so; some external and others essentiallyinternal or originating from within.
2.3 Government’s role in relation to eachof these different types of risk reflects theextent to which individuals and organisationscan be expected to understand and respondto the risk, and the extent to whichgovernment has the capacity to bear the risk:
• governments have a regulatory role inproviding the legal framework where theactivities of businesses and individuals giverise to risks to others. Industrial andcommercial activity inevitably involves risk– this is the basis of economic growth and
improved living conditions. But benefitsand risks may fall unevenly across thepopulation. Governments will in practiceoften have a role in balancing risks andrewards, not just between the individualand society but also between differentelements and interests within society –such as consumers, taxpayers orbusinesses;
• governments have a stewardship role toprotect individuals, businesses and theenvironment from risks imposed on themfrom outside – for example, major floodingor other natural disasters, risks to publichealth or safety, external threats tosecurity, or risks to economic stability; and
• governments have a management role inrelation to their own business, includingthe delivery of public services and theperformance of the regulatory andstewardship functions.
Figure 2.1: Government roles
2.4 These three roles, which are illustratedin Figure 2.1, overlap to some extent.For example, Departments must exercise amanagement role in the performance of theirregulatory and stewardship functions.And they may need to take a stewardshiprole to protect individuals from technologicaland social hazards that cannot be tackledthrough regulation.
2.5 The role of regulation in relation torisk has been examined in detail in work bythe Better Regulation Task Force (BRTF)5 andis not explored further in this report. Thisreport looks mainly at risk in relation togovernment’s management and stewardshiproles. There are a number of themes incommon to all roles, including a generalexpectation that the processes will be opento scrutiny.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
10
5 BRTF, Principles of Good Regulation, Cabinet Office Publications and Publicity Team (Section 4, p.6), October 2000.
Regulatoryrole
Stewardshiprole
Managementrole
Technological andsocial hazards
Operational and policy risk
Naturalhazards
Government’s roles
and responsibilities
11
While in practice these roles can often overlap,government’s responsibilitydiffers between roles…Regulatory role
2.6 Governments will not normallyintervene where individuals take risksvoluntarily and where they alone areaffected. In these circumstances,governments have a role in ensuring thatindividuals are aware of their responsibilityand of the consequences of the risk that theyare taking. There is often room for argumentabout precisely what falls under thisdefinition. For example, smoking, drivingwithout a seatbelt or undertaking dangeroussports are risks that are taken voluntarily andmainly affect the person taking them.However, they may also indirectly imposecosts on others, for example to the taxpayerthrough the cost of medical treatment.
2.7 Where risks taken voluntarily havedirect or indirect consequences for others –for example, other road users, the taxpayeror the environment – government mayintervene through regulation or other meansto limit or control that activity. Examplesinclude setting road speed limits, orlegislating to require the wearing of seatbeltsor to restrict tobacco advertising. The issuesinvolved are often complex – for example,over the regulation of tobacco advertising –but the political and legislative processesensure that any legislation to restrict activitiesthat involve risk receives proper scrutiny.Legislative proposals that have an impact onbusiness, charities or the voluntary sectorhave a Regulatory Impact Assessment (RIA),which includes a risk assessment of theproblem being addressed and of the proposalitself.
2.8 In addition, governments will seek toensure that those who impose risks on othersbear the cost of the consequences of the risk.As many physical risks cannot themselves betransferred back to the originator, this willoften need to be done through proxymeasures, such as financial and otherpenalties. One example is the “polluter pays”principle – which transfers to the polluter thecost of clearing up environmental damage.More generally, the civil justice systemprovides a way for businesses and individualsto obtain financial redress for theconsequences of risks taken by others.
Stewardship role2.9 Some risks, such as the risk of disease,flooding or of global economic recession,cannot be attributed to any specificindividual or agency, and responsibilitycannot be allocated straightforwardly. In suchcases, government will seek to ensure thatresponsibility rests with those best placed tomanage the risk. This requires carefuljudgements about the balance of risks andbenefits and the need to protect minorityinterests and the environment.
2.10 In many cases, it will be up toindividuals or businesses to manage theirown exposure to such risks where they havethe knowledge or capacity to do so – forexample, through the lifestyle they choose orthe investment decisions they take. However,where the consequences of a risk are toogreat for any one individual or business tobear, government – either central or local –may intervene directly to provide protectionagainst the risk or the risk may be pooled.
2.11 Decisions to intervene are often takenon a case-by-case basis, and can vary fromcountry to country. Government interventioncan take a number of forms – for example,through the provision of a defence capability,
public health care or publicly fundedemergency services. Governmentintervention can take two main forms: actionto reduce the likelihood of the risk occurring(for example, through the provision of flooddefence); or action to mitigate theconsequences (for example, through theprovision of health care). In neither case,however, can government take the riskentirely away from the citizen.
2.12 Government’s role in pooling risks hasevolved over time. Developments in publiclyprovided health care provide an example of atrend towards risk pooling. Economists havedocumented in great detail why individualpurchase of health care through insurancemarkets can be inefficient and unjust. On theother hand, the move to more fundedpensions, and private pensions, albeitsupported by income guarantees for poorerpensioners, is an example of a trend towardsgreater disaggregation of risk. In practice,most societies combine pooled risks and risksthat individuals handle for themselves (forexample, home contents insurance), orwhich are determined by a commercialcontract (for example, buildings insurance, orlife assurance as a condition of a commercialmortgage).
2.13 Where there is a risk that an activitymay cause serious harm to others, and thatthose taking part may not be able to covertheir liabilities, government may requirethem to pool their risks by taking outinsurance first. The requirement to take outthird party motor insurance is an example. A similar principle might apply to criticalservices provided by business, such as energy,water and telecommunications, where theeffects of service failure on the wider publicwould be severe. In such cases, government’sresponsibility is to monitor and take action toensure that critical networks continue to
function, rather than to protect specificindividuals or industries. In some cases theremay be requirements to maintain buffers,reserves and stocks to reduce the risk of crisis,since markets on their own will tend tounderestimate the impact of low probabilitybut high impact events.
2.14 Where the market cannot providesufficient or universal cover, for example toprotect against the risks of unemployment,and the consequences for society areunacceptable, government may itself step inas insurer of last resort. Government may alsointervene where market provision iswithdrawn in response to an external shock,for example through the Troika scheme for the airline industry in response to 11 September. However, as government-backed schemes are likely to inhibit thedevelopment of competitive commercialproducts, government will only step in aftercareful consideration of the consequences ofmarket failure weighed against theimplications of intervention. The test has tobe not just that there is a market failure butthat there is a good public policy reason tointervene to tackle it. These cases should beseen as exceptions, rather than the rule, andwhere it intervenes in response to marketfailure, government needs to consider its exitstrategy as well. Government is committed toreview all major pieces of regulation afterthree years and time-limit them whereappropriate; this could play a part in any exitstrategy devised during policy development.
2.15 Overall the global trends on risk arecomplex. One of the consequences of a moreconnected world is that there are more risksbeyond the capacity of individuals andbusinesses to control. These includeenvironmental risks, risks of transmission ofdisease, global economic risks, terrorism, andinstability of global systems.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
12
2.16 Public awareness of risk has also led tomore pressures on government to play aregulatory role: food safety, emissions, andfinancial services are examples of wheregreater public understanding has led to ademand for more regulation. At the sametime, in many countries, there has been atrend away from universal provision towardsencouraging greater personal responsibility,notably for financial and retirement planning.Governments must constantly monitor trendsin public expectations and the effectivenessof different models of public sector provisionin use at home and abroad in order to decidewhere responsibility for managing risks best sits. At the same time, they mustcommunicate clearly about the nature of therisk, and about the responsibilities of thoseinvolved.
Management role2.17 In relation to its own business,including its regulatory or stewardshipfunctions and the delivery of services,government has a responsibility to identifyand manage risks. Typical risks may includethe risk of IT failure, delay or unbudgetedexpenditure, or the strategic risk of taking ontoo many high-risk projects at once.
2.18 In some cases, government will notprovide a service direct, but will contractwith another party to deliver it on its behalf,for example, privately-run prisons. Whilegovernments will normally remainresponsible for the outcome of the service (inthis example, protection of the public), theymay transfer responsibility for achievingspecific objectives, and the risks associatedwith achieving those objectives, to anotherbody. In such cases, they need to defineclearly where responsibility should lie. As arule, risks are easier to transfer in clearlydefinable capital projects, where outputs canbe clearly defined and where time-scales are
not too long, than in long-term servicedelivery. While it is relatively straightforwardto transfer financial risks to a third party, it ismore difficult to transfer reputational risk, as the public rightly expects government to be accountable for services delivered on its behalf.
2.19 In addition, when essential services gowrong, people still look to government toput them right, even where these services areprovided privately. The power generationcrisis in California, and failure of Railtrack inthe UK, show that government often retainsultimate responsibility for the continuity ofsuch services through its role as regulator,when those tasked with providing the serviceare no longer capable of doing so.
2.20 Where responsibility for a risk lies withgovernment Departments and agencies,there are well-understood procedures forensuring that it is adequately handled. Forexample, there should be an identifiedindividual within the organisation responsiblefor managing it, and the risk should bemanaged at the lowest level at whichinformed decisions can be made. Chapter 4.3explores these in more detail.
Government’s roles
and responsibilities
13
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
14
3. IMPROVING GOVERNMENT’S HANDLING OF RISK – THE CHALLENGE
Summary
This chapter sets out the challenge to government. Government needsto handle risks at three main levels: strategic, programme andoperational. Handling of risk at all three levels has been found wantingin recent crises and policy failures, and reports by the National AuditOffice (NAO) and the Public Accounts Committee (PAC) have foundsystematic weaknesses.
The causes of this are explored, starting with the inherent complexityand riskiness of government business, and reviewing the social contextwithin which government works, which is becoming more demanding.(Early lessons are drawn, and examined further in subsequentchapters.) The greater expectations of corporate governance are also afactor.
Government is already responding to the challenge, with acombination of specific responses to issues and generic arrangements.But this is not yet sufficient to deliver benefits across the range ofgovernment’s business. The chapter ends by setting out the StrategyUnit’s framework for developing government’s handling of risk.
The challenge3.1 Government needs to be able tohandle risk at three levels: strategic,programme, and operational/project level.
3.2 At the strategic level, what is at stakeis the government’s political contract withthe electorate and the coherence of its
overall programme. Decisions will involve theformulation of strategic objectives, theresource allocation decisions to back them,and assessment of policy options in responseto changing circumstances.
3.3 At the programme level come thedetailed policies governing implementationand the delivery plans that will benefit
society. Decisions are made on procurementor acquisition, funding, organisation,establishing projects, service quality andbusiness continuity.
3.4 And at the project and operationallevel, decisions will be on technical issues,managing resources, schedules, providers,partners and infrastructure.
3.5 In recent years government has facedsignificant problems in handling risk at eachof these levels. At the strategic level, anotable example was the lack of preparationof alternatives to the Exchange RateMechanism (ERM) in the early 1990s. At theprogramme and operational level, althoughconsiderable progress has been made bymany Departments, problems remain thathave been highlighted in reports by the NAOand PAC. Examples include policies that haveproceeded without any proper assessment of
their vulnerability to events, and majorbusiness change projects, often involving IT,that have gone ahead without contingencyplans. These are highlighted in the PACreport, Improving the Delivery of GovernmentIT Projects6 and the NAO report, Better PublicServices through e-Government.7
Risk management has been foundwanting in recent policy failures andcrises…3.6 Poor handling of risk has been cited asa factor throughout the process of policydevelopment and delivery. For example, thememorandum from the Department forEducation and Skills (DfES) to the Educationand Skills Select Committee on IndividualLearning Accounts (ILAs) pointed out that“the ILA programme was managed with a risk
Improving government’s
handling of
risk –
the challenge
1515
Figure 3.1: Hierarchy of risk
Strategic decisions
Decisions transferring strategy into action
Decisionsrequired for implementation
Strategic
Programme
Project andoperational
Unc
erta
intie
s
6 PAC, 1st Report of 99/00, Improving the Delivery of Government IT Projects, January 2000.7 NAO, Better Public Services Through e-Government: Case Studies, April 2002.
log but it is clear with hindsight that thisfocussed too heavily on the risk of failing tomeet programme targets. The Departmentshould have specified a full business modelfor the ILA programme and subjected this totests of how abuse could have occurred. Thiswould have allowed us to identify other risksand design better monitoring systems to pickup early warning indicators.” One of theconclusions drawn was that there was a needfor better risk assessment at the policy designstage. By the end of January 2002, the totalcomplaints received had reached nearly18,300; and the total for funds withheld andclaims outstanding for providers underinvestigation or requiring further follow-upcame to nearly £15 million.
3.7 The NAO report on the passportdelays of summer 19998 highlighted“insufficient contingency planning in theevent that implementation of the newpassport processing system might not goaccording to plan”; that the staffing strategywas “based on a number of mistakenassumptions” about the ability to handle risksfrom demand; and that, although thePassport Agency had learnt from an earlierproject that “more might have been done tomanage risks better within resourceconstraints”, it did not take sufficient accountof these lessons. The cost of failure was £12.6 million. Ten general lessons for publicbodies included: the need for robustforecasting of service demand andcontingency plans to deal with surges; formalrisk assessments for all new computersystems; and good communications aboutservice problems to reduce public anxietyand relieve the consequent pressure onservices from extra enquiries.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
16
3.8 The Phillips Inquiry9 report on BSEhighlighted several aspects of thegovernment’s handling of risk anduncertainty that were unsatisfactory, notablythe timing, implementation and enforcementof mitigation measures, its use ofindependent scientific experts, and failure tocommunicate with the public on the risk tohumans. To address the shortcomings, theInquiry recommended:
• more open communication to the publicabout risks that affect them;
• a more consistent approach to theprecautionary principle;
• better monitoring to ensure effectiveenforcement of risk managementmeasures;
• ensuring that where action has been takento reduce the risk, it has resulted in whatwas intended;
• clearer lines of accountability for riskmanagement decisions; and
• better interdepartmental co-ordination.
3.9 In addition, the Inquiry reporthighlighted the lack of public confidence inthe way government handled food safetyrisks. It concluded that the only means ofimproving this state of affairs was throughgreater openness and acknowledgement ofscientific uncertainty.
3.10 The Cullen Report10 on the LadbrokeGrove rail crash identified that there was a“persistent failure to carry out riskassessments by whatever method wasavailable”. This gave rise to therecommendation for “the greater use of riskassessment in the rail industry”.
16
8 NAO, The UK Passport Agency: the Passport Delays of Summer 1999, October 1999.9 op. cit.10 Lord Cullen, The Ladbroke Grove Rail Inquiry, Part 1, Report, HSE Books, 2001.
…and reports by the NAO and thePAC have found systematicweaknesses…3.11 The NAO report, SupportingInnovation,11 surveyed risk managementpractices across a broad range of publicsector bodies. It found that on the followingissues less than half of the Departmentssurveyed agreed that:
• they knew the strengths and weaknesses ofthe risk management of the organisationsthey worked with;
• the Department had effective training onrisk and risk management;
• there was a common definition of risk usedthroughout the Department;
• risk management objectives had beenclearly set out;
• regular risk management reports to seniormanagement were effective;
• all staff had responsibility for identifyingrisks facing the Department; and
• the Department’s executive sponsorshipand focus for risk management waseffective.
It recommended that:
• the Cabinet Office should continue toencourage Departments to adopt acoherent approach to managing risks,which is likely to lead to sustainableimprovements in public services;
• the Treasury should press ahead with workalready under way to improve riskmanagement and corporate governance ingovernment Departments; and
• Departments should ensure that theprinciples of sound risk management areunderstood and widely adopted.
Improving government’s
handling of
risk –
the challenge
17
11 NAO, Supporting Innovation, op. cit.12 op. cit.
3.12 The PAC report, Managing Risk inGovernment Departments,12 confirmed thatmore progress still needs to be made andpointed out that “Numerous reports by thisCommittee have emphasised the need forDepartments to improve their riskmanagement”. It stressed that well managedrisk taking is to be supported:
• “Innovating to improve public servicesentails risk. We are rightly critical whererisks are ignored, for example where majorIT projects are poorly specified and badlymanaged: but we give due credit whererisks are carefully identified, evaluated andmanaged, recognising that goodmanagement reduces but does noteliminate the possibility of adverseoutcomes.
“Risk taking and innovation are consistentwith the careful and proper control ofpublic money. If Departments have soundsystems of control they are more likely tohave the confidence to innovate becausethey will be better able to cope withadverse circumstances.”
3.13 But there were specific improvementsneeded, for example:
• there should be greater awareness of, andresponsibility for, risk outside finance andaudit functions;
• Departments should assess the strengthsand weaknesses of risk managementsystems in partner organisations;
• senior management should take the leadin risk management; and
• the Accounting Officer Memorandumshould make explicit the consideration ofrisk in relation to value for money.
3.14 It also pointed to the need to developskills and for adequate monitoring ofprogress:
17
• “Risk management will only become anormal and integral part of the wayDepartments and Agencies operate if civilservants have the skills to identify andassess risks and take the action necessaryto manage them. In developing actionplans to implement their risk frameworks,Departments should ensure all staff receiveappropriate training.
“It will be important for the Cabinet Officeand Treasury to continue to monitor howDepartments implement their riskmanagement plans, to ensure that theyare underpinned by effective action tomanage risks. These plans should includereliable contingency arrangements to dealwith the unexpected, which might putservice delivery for citizens at risk.”
…and surveys by the Strategy Unitconfirm this3.15 We surveyed Departmental Boardmembers and risk experts both ingovernment Departments and the privatesector (details are at annex 3). In our surveyof risk experts, we set out 70 statementsabout good risk management practicecovering 11 key areas and asked whetherrespondents strongly agreed/agreed/wereneutral/disagreed/strongly disagreed.
3.16 Government respondents were lessconfident that they applied good practiceand scored lower than the private sector ineach of the 11 areas:
• the lowest government scores were for“systematic management of key risks” and“managing risk in policy development andimplementation” and the major challengesidentified included “moving from riskassessment to risk management” and“moving from implementing systems andprocesses to actually changing
attitudes/culture and focusing on the mainrisks”;
• the private sector is much stronger interms of senior management sponsoring,receiving and communicating results ofrisk reviews; and government recognisesthis as a challenge to be met;
• there was more evidence of the privatesector having rehearsed response plansand having rapid reaction teams in place;
• the private sector’s responses indicatedthat it was much more active andcompetent than the public sector inmanaging opportunities and innovation;
• defining and communicating risk“appetite” was seen as an underdevelopedarea in both sectors, although this wasparticularly evident in government; and
• government respondents recorded lowscores on risk management skills and howthey were valued. Many thought that theorganisation had not invested in adequateskills, resources and training, and thatthe identification, assessment andmanagement of risk and innovation werenot a significant part of performanceappraisal.
3.17 Of the Board members involved in riskmanagement who responded, over half wereunhappy about their Department’smanagement of risk and acknowledged thatmany areas fell short of best practice. Incontrast, only one respondent indicated thatthey were confident that their Departmentemployed best practice. Board membersresponded positively to a range of proposalsfrom the project team – judging most tohave high potential impact on theirDepartments’ work. These are developed inthis report, and cover: embedding risk indecision making; public engagement,openness, transparency and building trust;
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
18
identifying emerging risks, contingencyplanning and crisis management; clarifyingthe roles of the centre and Departments;leadership; developing the risk managementdiscipline; skills; and accountability.
What are the causes? 3.18 In summary, government riskmanagement is too often judged, both bypractitioners and others, to fall short ofexpectations and best practice. Why is this?
3.19 No government can eliminate risk, norshould it, for almost all human activityinvolves risk. Indeed, the advancement andthe improvement of society has to involvenew approaches and processes that maymean new risks. We make continual progressby finding new ways of using resourcesefficiently; new financial mechanisms ensurebetter use of the financial capital available;new technologies can bring the opportunityof improving aspects of people’s lives. Muchof the business of government is inherentlyrisky since it involves complex systems, manyfactors, and an expectation that governmentwill be a protector or insurer of last resorteven in fields where it has no directresponsibility. So it is important tounderstand how shortcomings in riskhandling can arise. These are both internaland external: inadequate processes ofdecision making and organisation withingovernment that have been exacerbated bychanges in the external environment.
3.20 Some of the problems for governmentarise from inherited structures. Theorganisation of government in functionalDepartments has made it harder to deal withcross-cutting risks. BSE was a classic example;so in a different way was Foot and MouthDisease (FMD), which had a major impact ontourism, as well as on farming. Similar
considerations apply to risks that spaninternational and domestic Departments orparts of a Department.
3.21 Some of the current concerns arisenot so much from an increase in risk as froma shift in its focus – three decades ago themain concerns might have been nationalisedindustries, industrial relations ormacroeconomic instabilities. Nowgovernment is much more preoccupied withthe day-to-day delivery of public services byitself and others, the robustness of the IT andother systems that support those services andpotentially improve delivery, and with theregulation of public safety.
The social context within whichgovernment works is becoming moredemanding…3.22 The Strategy Unit commissionedMORI to undertake analysis of publishedmaterial on social attitudes to risk. (Seeannex 4 for more detail.) This showed thatpeople expect government to be more openabout risk issues, and that they seekreassurance from government, but aresceptical of what they are told unless theycan clearly see that it is not influenced byvested interests:
• the public wants more openness andindependent advice on risk issues. Forexample, over nine in ten agree with thestatement, “The government should bemore open about how it makes itsdecisions”. The importance of trust inproviding information is crucial and peopletrust different groups to tell them aboutspecific issues. In each case, the publicvalues independence and will trustpressure groups and “independent”scientists over private companies or thegovernment;
Improving government’s
handling of
risk –
the challenge
19
Adams, Frank Furedi, Chris Hood, Paul Slovic,Roger Kasperson, Baruch Fischoff, and OrtwinRenn13 amongst others have each in differentways addressed the fact that while many ofthe traditional risks (to life, health, economicwellbeing and housing) have been greatlyreduced in modern societies, awareness ofrisk has risen. This is particularly becausethere is a growing sense that risks can becontrolled or are the product of humanactivity (for example, BSE, CO2 emissions,and the possible health effects of mobilephones), rather than being effects of fate orrandom chance.
3.24 A number of broader social trends arealso influencing how the government handlesrisk and uncertainty. These include:
Declining trust in institutions 3.25 Data from MORI (illustrated by Figure3.2 below) suggests that there are higherlevels of trust of the State in Great Britainthan in other countries.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
20
• trust is particularly important when dealingwith and communicating uncertainty. Ninein ten people agree with the statementthat “When the government is unsure ofthe facts, it should nonetheless publishwhat information it does have available”.Research also suggests that admitting thatthe case for or against a particular risk isuncertain is much more likely to bebelieved than claiming it is risk-free;
• however, qualitative and quantitativeresearch both also indicate the need forreassurance from government. The publicwants to know the official line and believesthat government has a role in reducingpanic and legislating against dangerousrisks. For example, 61 per cent believe that“The government should do more toprotect people by passing more laws thatban dangerous activities”. However, thereis also a feeling that action does notalways succeed in preventing risks.
3.23 For several decades, academiccommentators have focused on the risingsalience of risk issues. Ulrich Beck, John
20
13 See annex 5 for selected references.
Figure 3.2: Trust in the State
0
10
20
30
40
50
60
don’tknow
no
yes
FranceItalySpainUSAGermanyGreat Britain
Would you say you basically trust the State or not?
%
Source: MORI 1997
3.28 The House of Lords Science andTechnology Select Committee identified acrisis of trust in society’s attitude to science.19
It reported that “Public confidence inscientific advice to government has beenrocked by BSE, and many people are uneasyabout the rapid advance of areas such asbiotechnology and IT…This crisis ofconfidence is of great importance both toBritish Society and to British science.”
Rising public expectations ofgovernment3.29 Although the level of public trust ingovernment has declined, expectations of theservices government provides have risen. Asthe standard of service has improved in manyparts of the private sector, people expect thesame from the public sector. The People’sPanel surveys20 found that half of respondentsgave a high priority to increased access topublic services at evenings and weekends.A Cabinet Office survey in 199821 found that76 per cent of respondents expected fasterservices and that 46 per cent expectedgreater simplicity. And expectations have notbeen met in the handling of some recent riskissues. A MORI poll in 200122 found that64 per cent of respondents were dissatisfiedwith the way the government was handlingthe FMD outbreak and that 38 per cent ofthe population were unhappy at thegovernment’s handling of the MMRvaccination campaign (NOP February 2002).
3.30 Government’s drive to improve publicservices to meet these rising expectationsitself carries considerable risks, since reformcan involve disruptive changes.
Improving government’s
handling of
risk –
the challenge
21
14 Source: The Henley Centre.15 OECD, Citizens as Partners: Information, Consultation and Public Participation in Policy Making, 2001.16 World Values Survey http://wvs.isr.umich.edu/papers/trust.html.17 Inglehart, R, Postmodernization brings declining respect for authority but rising support for democracy In Norris P (ed.), Critical Citizens:
Global Support for Democratic Government, Oxford University Press, 1999.18 Inglehart, R, Trust, well-being and democracy, In Warren (ed.), Democracy and Trust, Cambridge University Press, 1999 (pp. 88–120).19 House of Lords Science and Technology Select Committee, Third Report: Science and Society, February 2000.20 People’s Panel, 4th Wave Results, Open All Hours, April 2000.21 Office of the e-Envoy, Electronic Government: the view from the queue, Cabinet Office, October 1998.22 MORI/The Times, Political Attitudes in Great Britain for April 2001 (Representative Quota Sample of 1,935 Adults across GB), 2001.
3.26 But even so, a very wide range of UKinstitutions has suffered from a significantdrop in trust over the past two decades. Forexample, the proportion of surveyrespondents14 who said they had either “agreat deal” or “quite a lot” of trust inParliament fell from 54 per cent in 1983 toonly 10 per cent in 1996. Trust in the CivilService fell from 46 per cent to 14 per centover the same period. Since then, those levelshave recovered slightly, but only slightly – to14 per cent and 17 per cent respectively in2000. This phenomenon is mirrored in othercountries. A recent Organisation forEconomic Co-operation and Development(OECD) report15 confirms that “severaldriving forces have led OECD countries tofocus attention on strengthening theirrelations with citizens including the steadyerosion of voter turnout in elections, fallingmembership in political parties and surveysshowing declining confidence in key publicinstitutions”. Moreover, the decline in trustinternationally has been reported by severalacademics and commentators, for examplethrough the World Values Survey16 and thework of Ronald Inglehart on decliningrespect17 and on trust, well-being anddemocracy.18
3.27 This is closely related to parallel trendsof declining deference. These trends havesignificant implications for risk managementbecause often risks can only be successfullymanaged if there is sufficient trust to ensuregovernment can exercise leadership (forexample, over measles, mumps and rubella(MMR) or the threat from anthrax).
21
Activism3.31 There has been a significant growth inthe number of individuals or groups willingto become activists, either withinorganisations or looser networks. Activistsand non governmental organisations (NGOs)have been highly effective at focusing publicattention, in part through the media, onspecific risks – from threats to biodiversity topossible emissions from incinerators. In somecases, they have created a climate of opinionin which a neutral assessment of risksbecomes harder to achieve. An influentialmedia, seeking market share and aiming tomeet the demands of round the clockcoverage, can amplify concerns significantly.
Networks3.32 A more networked society brings withit more effective transmission of certain kindsof risks (such as computer viruses) andmore rapid communication of informationabout risks.
More diverse sources of information3.33 Government can no longer expect tobe the sole source of information about risksin any area. Diverse media, websites andNGOs can all provide information andadvice, often challenging the views ofgovernment and professions.
…there are new andunpredictable external risks…3.34 Advances in science and technologyhave created novel and highly uncertain risks(such as risks associated with geneticallymodified (GM) crops, cloning, radiation frommobile phones and computer fraud) oftenrequiring high levels of technical expertise toanalyse. Governments are increasingly being
asked to assess, communicate and mitigatethese risks (for example, through regulation),with relatively little historical experience todraw on.
…and there are greaterexpectations in terms ofcorporate governance3.35 A succession of crises in the privatesector has led to greater pressure to improvecorporate governance, including thehandling of risk. In 1998, the Stock Exchangeintroduced its Combined Code on CorporateGovernance for listed companies23 and in1999, the Institute of Chartered Accountantsin England and Wales published InternalControl: Guidance for Directors on theCombined Code (the “Turnbull Report”).24
3.36 The provisions of the Turnbull Reporthave been adapted to the public sector,resulting in Statements of Internal Control(SIC) being introduced by the Treasury inDecember 2000. The first of these statementsare being produced for the financial year2001/02 and will include: a brief butcomprehensive summary of the actualprocesses in place in each Department; adescription of how current initiatives(whether centrally or locally driven) are beingtaken forward; and, where processes are notin place, plans for addressing gaps. Theserequirements are already drivingimprovements in risk management processesin Departments. It is now the case that anyDepartment that does not have, or is notdeveloping, risk management processes willface criticism in the NAO’s review of the SICappended to their accounts.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
22
23 London Stock Exchange Committee on Corporate Governance, The Combined Code: Principles of Good Governance and Code ofBest Practice, May 2000.
24 Institute of Chartered Accountants in England and Wales, Internal Control: Guidance for Directors on the Combined Code (TurnbullReport), September 1999.22
Similar factors affect theprivate sector…3.37 The private sector has also faced awider set of pressures to modernisegovernance and to take greater responsibilityfor risks that arise from their activities(polluter pays, product liability,environmentally friendly packaging). TheEconomist Intelligence Unit (EIU) survey,Enterprise Risk Management,25 highlights:
• trust issues, with “shareholders increasinglyholding boards of directors and seniorexecutives to higher accountabilitystandards, prompting the adoption ofmore systematic and uniform riskmanagement”;
• external pressures for accountability.“Outsiders are pushing companies tomanage risk more comprehensively andsystematically. For example, regulators inmany countries are pressing firms forbetter risk reporting and for moreintegrated and comprehensive riskmanagement”; and
• new and unfamiliar risks. “Manycompanies perceive a rise in the numberand severity of the risks they face. Someindustries confront unfamiliar risksstemming from deregulation. Others worryabout increasing dependence on businessto business information systems and just-in-time supply/inventory systems. Andeveryone is concerned about the emergingrisks of e-business – from online security tocustomer privacy. With such risks, manyare searching for a way to identify risksmore comprehensively and evaluate themmore precisely.”
…and other governmentsaround the world3.38 Other governments have faced similarpressures and are developing new tools formanaging risk. In Canada, the government’sIntegrated Risk Framework cites:
• “The need for more affordable andeffective government combined withtrends towards revitalizing humanresources capacity and redesigning servicedelivery are dramatically affecting thestructure and culture of publicorganizations. The faster pace and needfor innovation, combined with significantrisk-based events from computer failures tonatural disasters, has focused attention onrisk management as essential in sounddecision-making and accountability”; and
• “Increased demand by parliamentarians forgreater transparency in decision-making,better educated and discerning citizens,globalization, technological advances, andnumerous other factors” means that“adapting to change and uncertainty whilestriving for operating efficiency is afundamental part of the Public Service.Such an environment requires strongerfocus on integrated risk managementpractices within organisations in order tostrategically deal with uncertainty,capitalize upon opportunities, and informand increase involvement of stakeholders(including parliamentarians), to ensurebetter decisions in the future.”
3.39 These factors are shaping how riskmanagement is developing, and similar issuesare acknowledged in Australia and NewZealand, where a standard model forhandling risk has been developed. In the USAand many Scandinavian and Europeancountries, developments are being driven bythe events of 11 September 2001 and thecollapse of Enron and WorldCom.
Improving government’s
handling of
risk –
the challenge
23
25 EIU, Enterprise Risk Management – Implementing new solutions, 2001.
23
Government is responding tothe challenge…3.40 Government has already responded tomany of these challenges. For example, inresponse to the BSE crisis:
• the Food Standards Agency wasestablished as a public watchdog – atarm’s length from Ministers – to protectagainst risks to public health and to furtherthe interests of consumers;
• the Agency was given the power to publishinformation and advice to the governmentabout food safety issues – without needingto seek Ministers’ agreement first; and
• the government proposed a series ofmeasures to strengthen its risk governanceand communication strategies. Thesemeasures included more widespread andeffective training, more research into howthe public perceives and responds to risk,better interdepartmental working and amore robust programme for handling riskand uncertainty in public policy.
3.41 And in response to concerns aboutbiotechnology and genetic engineering, anumber of Departments have also set upstructures such as the Agriculture andEnvironment Biotechnology Commission(AEBC) to ensure the better engagement ofstakeholders in discussions about public risk.The Research Councils have undertaken web-based public consultations, and taken othersteps to strengthen public and consumerinterest in research strategy and development.
3.42 The government has also set up moregeneric arrangements:
• individual Departments, agencies andprojects are in many cases using orintroducing risk management systems, inresponse to the need for robust SICs. A number of Departments, such as theDepartment for Environment, Food and
Rural Affairs (DEFRA), have made a start indeveloping overall strategies in this area,building on requirements to publish riskmanagement framework documents;
• the Civil Contingencies Secretariat (CCS) inthe Cabinet Office was established in July2001. It is a co-ordinating body and centreof expertise set up to improve theresilience of central government and theUK. Resilience is defined as “our ability tohandle disruptive challenges that can leadto or result in crisis”; and
• the Prime Minister’s Delivery Unit (DU) wasset up to ensure that the governmentachieves its delivery priorities during thisParliament across the key areas of publicservice (health, education, crime andasylum, and transport), but has yet fully toaddress risk management.
But actions are not so farsufficient to deliver benefitsacross the range ofgovernment’s business…3.43 These steps remain partial andsomewhat uneven. There is plenty of goodpractice but the coverage is notcomprehensive, and is not always at the rightlevels. In particular, there is a concern thatsome of the application of risk managementconcepts has been mechanistic, and notintegrated into decision-making at the highestlevel. There is not always the demand for riskmanagement, for example, demand forrigorous, timely and wide-ranging riskassessment from Ministers and senior officials.There is room for more visible and ongoingcommitment to this and for its communicationto staff at all levels. In addition, there is scopefor strengthening incentives for effective riskmanagement, for example by linking them togreater financial or management autonomy.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
2424
Improving government’s
handling of
risk –
the challenge
25
26 NAO, The 2001 Outbreak of Foot and Mouth Disease, Report by the Comptroller and Auditor General, June 2002, p.13.
Aims3.44 The aims of a more fully developedapproach to risk management, and themeasures by which their success should bejudged, include the following:
• fewer surprises to the public andgovernment, and better managed impactof unexpected events (less anxiety andpanic, and lower costs);
• higher levels of safety and confidence (lessloss of life and injury);
• fewer direct costs resulting from failure toanticipate risks, for example from failedprojects such as the Passport Officeprocessing system (£12.6 million) orBenefits Payment Card (£127 million). Thecost of addressing crises can be very highindeed. For example, the direct cost to thepublic and private sector of handling FMDis estimated to be over £8 billion,26 andsome £2.5 billion was spent on BSE-relatedschemes between 1996 and 1998. TheOffice for Government Commerce’s (OGC)new Gateway process, involving riskassessment, is estimated to deliver up to£500 million annually once full roll-out ofthe programme is achieved in 2–3 yearstime;
• better understanding of risks and trade-offsbetween different options by public andgovernment (for example, better decisionson pensions, smoking and diet); and
• better balance of risk and opportunity –good risk management can provide theconfidence necessary for taking innovativedecisions (limiting risk through pilots orcareful management of project risks). Forexample, the Home Office used riskassessment to reduce the prisonpopulation through electronic tagging sothat by May 2000, 21,000 prisoners hadbeen released early in this way).
Further responding to thechallenge3.45 In order to achieve these benefits, thisreport makes the case for the systematicdevelopment of the government’s approachto handling risk. Though the business of eachpart of government is unique, and the waythey handle specific risks will be unique inmany respects (such as managing the threatof an economic downturn, or a majorbusiness change involving IT), we haveidentified a number of common elementsthat need to be developed. We havestructured these as in Figure 3.3.
25
Leading change and establishing culture
Communicating about risk and uncertainty
Figure 3.3: Strategy Unit framework for handling risk and uncertainty: improvinggovernment’s capability
3.46 These elements have driven the reportstructure and the recommended programmeof action to establish:
• a clear strategic framework forgovernment’s handling of risk, including itsroles and responsibilities (chapter 2) inhandling risks to the public and to thedelivery of its business; the aims(chapter 3) to be achieved through goodmanagement of risk; and the principles(chapter 5) used to guide its actions inhandling risk to the public;
• arrangements to ensure that all majordecisions about programmes and policiestake explicit account of risks andopportunities (chapter 4.1);
• systems, processes and incentives toensure that risks are well managed(chapter 4.2);
• effective organisation to ensure that risksare dealt with where they can best bemanaged (chapter 4.3);
• skills developed widely amongstgovernment decision makers and advisers,and amongst supporting experts(chapter 4.4);
• clear quality standards and a qualityassurance approach (chapter 4.5);
• effective communication of the approachto handling risk and uncertainty, so thatthe public will be better informed aboutrisks, their consequences and trade-offsand so better able to make choices(chapter 5);
• crucially, top level leadership, to drive theimprovements we recommend, and tofoster a culture that fully supports wellmanaged risk taking (chapter 6); and
• a clear aim of improving the quality ofdecisions and achieving better outcomes(chapter 7).
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
26
Every aspect of government’s work involvessome risk: policy making and decision taking;action and implementation; regulation andspending. And there is an expectation thatgovernment should manage these riskswell, to cut waste and inefficiency, andreduce unanticipated problems and crisesthat undermine trust. To deliver the expectedbenefits fully, a systematic and explicitapproach is required, integrated into keydecision processes.
Government needs to develop its capacity tohandle risk, by:
• ensuring that decisions take account of risk(chapter 4.1) – embedding risk handling inthe decision processes;
• firmly establishing risk managementtechniques (chapter 4.2) – ensuring thatthe underpinning tools and methods ofrisk management are established andapplied;
• organising to manage risk (chapter 4.3) –making sure that responsibility forhandling risks is with those who can bestmanage them; that information flowssupport this; and that the riskmanagement improvement programme iswell managed;
• developing skills (chapter 4.4) – makingsure that those involved in decisionmaking are equipped to give due weightto risk issues, and that they are supportedby professional expertise; and
• ensuring quality (chapter 4.5) – throughapplication of standards andbenchmarking.
The recommended approach recognises thevariety of risk (for example, ownership of aspecific risk may either be clear and itsimpact bounded or it may cut across others’interests) and the need to handle risksappropriately (actions need to beproportionate; unthinking application canlead to unnecessary bureaucracy and delay,so there is a need to tailor the approach tothe circumstances).
Improving capacity
27
4. IMPROVING CAPACITY
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
28
Risk issues differ according tothe level of decisions to betaken…4.1.1 Effective government depends, amongother things, on the ability to:
• understand trends, opportunities andchallenges;
• use this understanding to underpindecisions and make resource allocations toback them;
4.1 ENSURING DECISIONS TAKE ACCOUNT OF RISK
Summary
At each level of decision making (strategic, programme, operational) thenature of the risks and the depth of uncertainty will differ. However, acommon approach can be taken. Risk is often an implicit consideration,and the approach to dealing with it is too often unstructured. An explicit,systematic approach is recommended in order to improve the quality ofdecisions and delivery, to provide an audit trail of risk judgements, and tojoin up risk management actions within and across Departments.
Risk is not yet fully embedded in core government decision processes,including policy making, the Spending Review, business planning,programme management, service management, and project management.Although formal procedures exist in some areas, there are particularweaknesses in risk analysis in the policy phase of the process of policydevelopment and delivery.
Policy making should include a standard consideration of risk, perhapslinked to the Office for Government Commerce (OGC) Gateway Review process– to provide a thorough review before proposals move into fulldevelopment. In the Spending Review, risk guidance should be enhancedand risk assessments should be attached to Public Service Agreements(PSAs). Handling risk has been developed further in other processes, suchas project management, but there is still scope for better use anddevelopment of existing guidance.
recruiting sufficient skilled staff, getting valuefor money from a contract) are more likely tobe internal at this level, except where aproject is being delivered by a partner.
…but a broad commonapproach can be taken at alllevels4.1.5 Although each of these levels hasdistinct characteristics, some commonapproaches are necessary at all three:
• risks have to be identified and assessed,with responsibility and accountabilityallocated and clear;
• judgement is needed about theirimportance;
• mitigation and contingency plans mayneed to be considered;
• the impact of actions on risks need to bereviewed and reported; and
• the information and decisions need to beeffectively communicated.
4.1.6 At the higher levels risks will tend tobe less easy to spot, more disruptive, lesseasy to quantify, and often less stable. Abroader range of inputs is likely to be neededto identify risks, assessment is likely to bebased more on judgements than measurablefacts, and mitigation and contingency plansare likely to be less robust. The consequencesof this, for example that strategic issuesrequire the use of “horizon scanning” orsimilar techniques to spot risks, are exploredfurther in chapter 4.2.
Ensuring decisions
take account
of risk
29
• respond quickly to changing circumstancesand crises; and
• identify and prepare for a range ofstrategic futures.
4.1.2 These considerations are relevant atthree levels. The strategic level includes majorpolicy decisions and concerns thegovernment’s political contract with theelectorate and the coherence of its overallprogramme. External factors (including oilsupply crises, weather, disease, wars andpersonalities) are likely to be critical to thiscontract, as are some endogenous factors(e.g. failures in key public services). At thislevel there will often be fundamentaluncertainties surrounding decisions (apowerful foreign leader may not yet havemade a key decision; or the impact of naturalevents may be unpredictable).
4.1.3 The programme level is the level atwhich most policy is made. Decisions aremade on procurement/acquisition, funding,organisation, establishing projects, servicequality and business continuity. Uncertaintywill be bounded at this level, as strategicparameters will have been set, and risks (suchas unexpected service demand, poorlyspecified contracts, setting over-ambitioustargets, budget cuts, widespread industrialaction or computer failure) are more likely tocome from internal rather than externalsources.
4.1.4 The operational and project level iswhere services are delivered. Here, an evenclearer direction will have been set, and thekey decisions will be on technical issues,resource management, managing schedules,managing providers/partners andinfrastructure. Risks (for example, indelivering a project to cost/time/quality,
Risk is not yet fully embeddedin core government decisionprocesses4.1.7 Decisions will very often be taken inthe context of one of the core processes ofgovernment. Examples include:
• the policy making process and theSpending Review (strategic level);
• business planning, programmemanagement (programme level); and
• service management, project management(operational/project level).
4.1.8 These are already supported in somemeasure by tools such as investmentappraisal and Regulatory Impact Assessments(RIAs). Guidance for these processes alreadytends to refer to risk. But this can sometimesnot be well developed, and is not based onany common model. Some Departmentshave already integrated risk assessment intomany of their planning processes. However,practice is uneven, and crucially may not bewell integrated in the initial development ofpolicy options and in policy decision taking.This confirms the findings of the NAO report,Supporting Innovation,27 and the PAC’sManaging Risk in Government Departments,28
that managing risk needs to be more clearlyan integral part of the way government’sbusiness is done. The NAO has alsohighlighted the need for Departments to takegreater account of the identification andmanagement of risk in the development andimplementation of policies.29
4.1.9 Although awareness is growing of theneed to include risk in decision making andformal procedures such as RIAs exist in someareas, the core business processes do notconsistently give sufficient weight to analysis
of risks. Risk can still often be seen as aseparate issue. Departmental Board memberscommented that although progress had beenmade in some areas, for example in “changemanagement projects, investment analysisand business cases” its “application appearspatchy” and “in policy areas it is often notsystematic, or even explicit”. Considerationof risk “ought to be a key feature of betterpolicy making”, and ought to be done moreexplicitly. “Risk is no doubt addressedimplicitly in many of these processes, butcannot then be reviewed or compared forconsistency of approach.”
4.1.10 Some key issues have emerged:
• early risk identification and assessment atpolicy option and development stages;
• a wider scope of risk assessment, including“soft” areas such as public perceptions andstakeholder views, the stability of theexternal environment, and political risk; aswell as the more quantifiable risks (such asfinancial or economic risk); and availabilityof relevant and timely information; and
• continuing reassessment of risk andopportunities.
4.1.11 The lack of explicitness about riskissues and their management is a keyconcern. This undermines accountability andmeans that there is often no auditable trail ofjudgements about risks, making it impossiblecontinuously to review risk judgements. This also inevitably creates difficulties forDepartments when they are held to accountby the PAC. The PAC has commented on thisin several reports30 and this may well beholding back innovation and serviceimprovements by undermining confidencethat innovative approaches can be wellmanaged.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
30
27 op. cit.28 op. cit.29 NAO, Modern Policy Making: Ensuring Policies Deliver Value for Money, November 2001.30 Reference to this is made in the PAC report, Managing Risk in Government Departments, op. cit.
There are some positivedevelopments…4.1.12 Some tools have been developed toembed risk management: RIAs requireregulatory proposals to take account of risks;Departments have developed and publishedRisk Management Frameworks, which seek toestablish comprehensive approaches; and theneed to produce Statements of InternalControl (SICs), which will be prepared for thefirst time with accounts for 2001/02, aredriving further improvements in processes.Furthermore, the Treasury is now undertakinga major exercise to follow up progress sincethe NAO survey, evaluating the effectivenessof work already done and identifying areaswhere further support and guidance arerequired. A report based upon the findings ofthis survey is expected in autumn 2002.
…but there are furtherbarriers to overcome4.1.13 The main barriers to effectiveassessment of risk in decisions include:31
• a lack of planning – decisions often needto be made quickly, and risk assessmentwill be compromised if information is notreadily available, and issues anticipated;
• pressure on resources – encouragingplanning on optimal assumptions;
• short planning horizons – traditionallyMinisters have been more focused onannouncements than on longer-termimplementation and delivery – when risksmight be realised (though this is changingwith the current emphasis on delivery);
• lack of good quality, relevant information;
• limited in-house skills, experience andtools;
• the real difficulty of assessing andbalancing risks and opportunities, andweighing, for example, financial versusother risks;
• fear of failure acting as a disincentive toinnovation; and
• in some cases political anxiety aboutexplicit acknowledgement of risk.
4.1.14 Many of these factors combine tocreate a lack of sufficient demand for riskassessment.
These barriers need to beaddressed in practical ways…4.1.15 They emphasise the need to ensurethat there is a good current assessment ofrisks and a supporting knowledge base (seechapter 4.2); that decision makers and theiradvisers are fully equipped and incentivised(see chapters 4.2 and 4.4), and that theculture supports well judged risk taking (seechapter 6).
4.1.16 A further important way of ensuringthat the right information is available at theright times is to embed risk thinking clearlyinto existing planning and operationaldecision processes. This is starting to happenin some other countries, for example in NewZealand since 1997/98 “chief executives inthe public service have been expected toinclude risk management in their strategicand operational planning, to take a proactiveapproach and to foster organisationalcultures towards these ends. As part of newwork to enhance the New Zealandgovernment focus on outcomes the StateServices Commission is currently developinga planning framework that balancesstrategies, capabilities and riskmanagement”.32 And in Canada their
Ensuring decisions
take account
of risk
31
31 as referenced in CMPS, Better Policy Making, November 2001 and the Strategy Unit Risk Project Board Survey (see annex 3).32 Information provided to SU by the Department of the Prime Minister and Cabinet, Wellington, New Zealand, 11 March 2002.
Integrated Risk Management Framework setsout, for the whole of government, how riskshould be factored into decision processes.
4.1.17 To address this issue in the UK, wepropose that government should aim for allmajor decisions to be informed by asystematic appraisal of risk and opportunity.33
Our overall recommendation (rec.1) is thatthere should be an explicit appraisal of risks,as well as benefits and costs, in all the mainbusiness processes (including the SpendingReview, policy making, business planning,project and programme management,performance management and investmentanalysis), where this does not happenalready. This should provide the material forconsideration of risks on a regular basis byDepartments’ Management Boards. This is inline with the SIC initiative which is alreadyleading to the need for Boards, or delegatedstructures reporting to the Board, to regularlyconsider risk. (Departments might considerappointing a Board member to beresponsible for risk issues being coveredadequately, while non-executive memberswould have a key challenge role.) Forexample, in the Ministry of Defence (MoD)Strike Command, the process which isemerging for risk management is one of riskchampions and owners at Board level toenable consideration of risk on a monthlybasis, teamed with a formal review of the riskregister every six months and activeinvolvement of the Audit Committee, whichis chaired by a non-executive director. This isbecoming a common approach.
4.1.18 We therefore recommend (rec.1a) thatstrategic risks should be regularly consideredby Departmental Boards, and the CivilService Management Board (CSMB) asappropriate. The responsibility for handlingand reporting risk should be aligned with
accountability for delivery. Non-executivedirectors should play an important part inhelping to identify strategic risk and providean independent perspective on the level ofrisk faced and the adequacy of measures toaddress risk.
4.1.19 The following sections set out specificimplications for action.
Policy making4.1.20 Policy making is the process by whichgovernments translate their political visionand priorities into programmes and actions todeliver outcomes. Failure explicitly to considerrisk management in policy making anddecisions can lead to serious problems, withcosts and impact being borne by the public,or to opportunities for high risk/high rewardoptions being passed over through lack ofconfidence in handling the threats. However,in many areas, there is at present nostructured and enforced requirement toconsider risks. Some very high priority policieshave been implemented without adequateattention to risks, often leading to very costlyexercises to put them right.
4.1.21 Some risk is unavoidable. Life is by itsnature complex and messy and no formulaeexist for making the business of policymaking and implementation whollypredictable.
4.1.22 However, a more systematic approachto policy making can significantly reduceunnecessary failures. We thereforerecommend (rec.2a) that policy makingshould include a proportionate and wider-ranging consideration of risk, to provide anadequate review before proposals move intofull development. The Office for PublicServices Reform’s (OPSR) initiative to Improve
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
32
33 In its report, Managing Risk in Government Departments (op. cit.), the PAC also looks at this and recommends that the Treasuryconsiders the need for explicit consideration of risk in the facility for an Accounting Officer to take direction from a Minister. Inresponse, the Treasury has agreed to do so in the review of the Accounting Officer Memorandum.
Figure 4.1: Policy development and delivery – assessing risk through OGC Gateway Reviews
Programme/Project Delivery (IPPD) will makea significant step in this direction bydeveloping an assurance process to supportDepartments in undertaking adequatedelivery planning before policyannouncements are made. Further, werecommend (rec.2b) that a more systematicrequirement to consider risks should beimplemented, which might be based on theOGC Gateway Reviews (see annex 6), thoughthe specific way forward should be subject tofurther discussion with PermanentSecretaries. Several Departments haveresponded positively to this in principle, butwith some concerns around the level ofresource required, and the need to avoidduplication with other processes (such asRIAs). Gateway Reviews were introduced in2001 as checkpoints in the life of projectsand programmes. They provide a thoroughreview, and sign-off, before work is allowedto proceed to the next stage of development(See Figure 4.1). Gate Zero, the first review, isa strategic assessment, checking that there isa sound business case for proceeding withthe proposed change.
4.1.23 We recommend (rec.2c) that thisshould include a sign-off that: there has beenadequate identification and assessment of riskacross the range of policy options; that anymitigation and contingency plans are sound;
and that any assumptions should bereviewed and formally tested against futurescenarios. This could be incorporated inexisting assessments where these exist, suchas the RIA and Investment Appraisals. Theseare externally reviewed and, if developed,would fulfil this requirement, avoiding theneed for multiple reviews of the sameproposal. It may also be possible, in carryingout the Gateway Review, to draw on, forexample, the Regulatory Impact Unit’s (RIU)Policy Effects Framework or the IntegratedPolicy Assessment tool being piloted by theOffice of the Deputy Prime Minister/Department for Transport (ODPM/DfT)(which allows appraisal of policies againsteconomic, social and environmental impactand distributional categories). This explicit,shared process of review should ensure thatMinisters are given open and honest adviceabout the risks entailed in decisions, and helpto make better quality decisions, balancingthe threats and opportunities in the contextof the government’s risk tolerance in therelevant policy area.
4.1.24 Each Gateway Review should beunderpinned by an explicit assessment of therisks and opportunities of proceeding,informed where necessary by the views of allrelevant stakeholders. This should involverisk/hazard identification, assessment, and
Ensuring decisions
take account
of risk
33
PolicyDelivery
ProjectImplementation:
FullDevelopment
ProjectImplementation:
RequirementDefinition
ProjectImplementation:
Start Up
InitialProposal
PolicyDevelopment
ClosurePolicyOptions
Gate 0:strategic
assessment
Gate 1:business
justification
Gate 2:procurement
strategy
Gate 3:investment
decision
Gate 4:readiness
forservice
Gate 5:benefits
evaluation
34 Published jointly by DEFRA and the Environment Agency, August 2000.35 op. cit.36 NAO/OGC, Getting Value for Money from Procurement – How Auditors can Help, 2001.37 Policy Hub is a web-based resource to support evidence-based policy making. It carries examples of successful policy making and
delivery, and supports the exchange of information and ideas through innovative “knowledge pools” designed to break downorganisational and geographical barriers and improve collaborative working within and beyond government.
judgement of risks drawing on empiricalevidence and the public context, anddevelopment of options for managing therisks (mitigation actions and contingencyplans). Figure 4.2 illustrates this at the policydevelopment stage, where this is likely to bean interactive process, with policy optionsdeveloped, risks identified and assessed, andpolicy options refined, leading to furtherconsideration of risk. Risk assessment is likelyto combine quantitative factors with softerjudgements, such as the social aspects of risk.This approach is recommended in, forexample, the Department for theEnvironment, Food and Rural Affairs’ (DEFRA)Guidelines for Environmental Risk Assessmentand Management.34
4.1.25 The challenge function at this stageshould involve a range of disciplinesincluding policy makers, risk experts, finance,auditors, and service deliverers. Theinvolvement of auditors (probably frominternal audit) could be particularly valuableas an independent assessor with professionalexpertise on risk (and could, for example,
feed in the NAO approach to handling risksto value for money set out in Modern PolicyMaking: Ensuring Policies Deliver Value ForMoney).35
4.1.26 The NAO has also suggested that aguide on risk for Departments’ internalauditors, might be developed along the linesof its guide Getting Value for Money fromProcurement.36
4.1.27 We recommend (rec.2d) that thesedevelopments should be supported bysupplementary guidance on risk, issued topolicy makers to follow up the CabinetOffice’s Guide to Better Policy Making andaccessible through the CorporateDevelopment Group’s (CDG) web-basedPolicy Hub.37 This guidance should also reflectthe guidance on RIAs (which is currentlybeing revised).
4.1.28 On its own, guidance of this kind risksbeing ignored. It is therefore essential thatpolicy makers receive support in using suchtools in real-world situations.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
34
Figure 4.2: Risk judgement in policy making
4.1.29 To ensure that the quality ofinformation used for risk assessment is good,we recommend (rec.2e) that policy makersmake increasing use of knowledge pools,linked to the Policy Hub (currently coveringStrategic Futures, Excellence in Policy Makingand Area Based Initiatives). The risk contentof these pools should be enhanced, drawingon examples of good practice aroundgovernment.
The Spending Review 4.1.30 The Spending Review results in agreedobjectives and targets, PSAs, and, from 2002, supporting Delivery Plans for allDepartments; and spending plans acrossgovernment. These plans cover a three-yearperiod. The guidance given to Departmentsclearly details how they should set out theanalysis of resources required and the basis oftheir targets. The link between resources andoutcomes has been dramatically improved inrecent years, and is likely to lead to greatlyimproved value for money. But risk is still anunderdeveloped area, with little mention inthe guidance. Although plans are required tomention risk, and the Ministerial Committeeon Public Services and Public Expenditure(PSX) considers these in reaching decisions,there is no required content and structure forrisk information, and the quality of debate onrisk is likely to be much less well informedthan it could be.
4.1.31 This matters because plans may notstrike the best balance of risk andopportunity to improve services, both withina Department and across government as awhole. It will also be less easy to spot risksthat cut across Departmental boundaries(“cross-cutting risks”), because there is nocommon approach or format to aggregatethem. And the baseline recording of risks willnot be sharply focused.
4.1.32 We recommend (rec.3a) that theTreasury should further develop the approachto risk in the Spending Review. This shouldinvolve developing the guidance forDepartments before the 2004 SpendingReview and issuing specific guidance onassessing risk to the Treasury Spending Teams(similar to recent guidance on Deliverability)for use in finalising delivery plans in autumn2002.
4.1.33 The Treasury should supportDepartments to ensure that plans, producedby Departments as part of the 2002Spending Review, include enhanced coverageof risk and are developed in the context ofresilience to threat. The Prime Minister’sDelivery Unit (DU) has already beendeveloping this approach for risks to keyobjectives on health, transport, educationand crime. It is recommended (rec.3b) thatthe Treasury, DU and Civil ContingenciesSecretariat (CCS) should work together withDepartments in autumn 2002 to ensure thattheir delivery plans adequately address risk,balancing the need to invest in resiliencewith the pursuit of other objectives; and thatcross-cutting risks are identified andaccountability for action established.Monitoring arrangements should track riskassessments and progress with mitigationplans, reporting to the PSX cabinetcommittee.
4.1.34 We also recommend (rec.3c) that forthe 2004 Spending Review:
• there should be an increased, mandatoryrequirement for risk assessment (perhapslinked to OGC Gate Zero) to be fulfilledbefore PSAs are published and funding isreleased. Risk assessments should includean assessment of the resilience of servicedelivery and potential threats;
Ensuring decisions
take account
of risk
35
• incentives could be introduced toencourage good quality risk assessment,for example this could lead to increasedautonomy and delegated financialauthority. More radically (perhaps for2006) this could be linked to mutual (or“captive”) insurance arrangements similarto those introduced for public sectorbodies in Australia (operated byComcover), or by the NHS to cover clinicalnegligence risks; and
• the Treasury should consider whether amore explicit portfolio approach to riskmight be taken in the 2004 SpendingReview – with the outcome being a mix ofhigh risk/high return objectives and lowerrisk areas with less challenging servicedelivery targets. Better risk informationwould also enable a more structuredapproach to cross-cutting risks, with theTreasury being well placed to facilitatediscussion between Departments. Thiscould be in addition to the current cross-cutting reviews which look in depth at asmall number of issues.
Business planning4.1.35 We recommend (rec.4a) that businessplanners make full use of the Cabinet Officeguide, Your Delivery Strategy: a Practical Lookat Business Planning and Risk.38 This providesspecific guidance and incorporates othersources such as the Treasury Orange Book.The CDG should promote use of the guidethrough the Business Planners’ network.
4.1.36 Delivery plans need to include betterquality risk management plans. Even for thegovernment’s most important objectivesthese have recently been found wanting.When the DU first received plans for keyprogrammes on education, health, crime and
transport in 2001 the information providedon risks was much less developed than otherparts. So we recommend (rec.4b) thatDepartments should review the quality of riskinformation in their plans. We recommend(rec.4c) that the format of the DU plansshould be further developed to show detail ofrisks, their likelihood and impact, andmitigation and contingency plans. Thisformat should then be made widely availableto Departments as a model.
Project and programmemanagement4.1.37 Risk management is perhaps bestdeveloped in the area of projects andprogrammes. The best managed projectshave moved well beyond passive logging ofrisks and have very active approaches toidentifying, assessing and managing risks. Forexample, the NAO reported positively on theHome Office Electronic Tagging Scheme,where there were extensive risk managementprocedures such as evaluation of key risks,clear communication, and contingency plansthat were regularly tested.39 And there is goodguidance available from the OGC, forexample in Managing Successful Programmes,40
Managing Successful Projects (the PRINCE 2manual),41 and Management of Risk: Guidancefor Practitioners.42 Even so, the NAO and PAChave reported on risk managementweaknesses in a range of projects (inparticular in reports on the Passport Office,and IT projects generally), and theconsequences will often be felt directly by thepublic. We recommend (rec.5) thatDepartments follow the OGC guidance onmanaging risk in projects and programmesand apply this guidance to their GatewayReviews, where risks must be weighed up and
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
36
38 Cabinet Office and HM Treasury, Your Delivery Strategy: a Practical Look at Business Planning and Risk, September 2001.39 NAO, Supporting Innovation, op. cit. 40 OGC, Managing Successful Programmes, Version 2, April 2002. 41 OGC, Managing Successful Projects, Version 2, April 2002. 42 op. cit.
plans to manage them signed off beforemoving to the next project stage.
4.1.38 The need for this to be done properly,and the scale of improvement needed, evenin this relatively advanced area, isdemonstrated by a recent study of OGCGateway findings. This found that 63 percent of Gateway Reviews had identifiedweaknesses in risk management (the secondmost significant problem area, after skillsshortages), and little evidence of lessonsbeing learnt. Key issues remain around:proactive review of risks, particularly inanticipating those external factors which mayseriously damage delivery prospects; andcontingency planning (where projects needto have fallback arrangements including, forexample, arrangements for parallel runningof existing and new systems, with an optionto revert to existing systems if necessary).
Investment appraisal4.1.39 Decision making needs to beunderpinned by investment appraisal focusedon benefits, costs and risks, explicitlyidentifying and assessing risks and developingrisk mitigation plans for priority risks fromconception to appraisal and into execution.This approach needs to be taken as part of allkey submissions (Spending Review, businessplanning, policy development and delivery,programme appraisal) and addressed at alllevels. We recommend (rec.6a) that proformas or templates are used by Departmentsto help with this, which could build on RIAs.Using post-project evaluations (PPEs) as ameans of formally reviewing risk outcomes atthe operational level could be beneficial. Werecommend (rec.6b) that cost benefit analysisbe developed to include explicit riskassessment as a significant element of optionappraisal. Tools should handle subjective riskassessments adequately, not just harder
evidence. Decisions need to deal with gapsbetween perception of risk and objectivemeasures (such as the risk of rail versus roadtravel). In the short term, decisions need toacknowledge perceptions, but efforts shouldbe made to close the gap over themedium/long term. We recommend (rec.6c)that the Treasury’s guide to investmentappraisal (known as the “Green Book”)43
should be developed to deal with theseissues. The study team has contributed to therevised edition of the Green Book, which hasrecently been published for consultation bythe Treasury.
Operational management4.1.40 A recent internal study commissionedby the Treasury suggests that effectivemanaging of risk in operations managementis being held back by a number of factors:
• Government Accounting guidelines on riskmanagement and risk financing are notgenerally being implemented;
• risks and likely costs involved are notadequately identified;
• there is no readily accessible mechanismfor pooling risk within government;
• organisations have little incentive tocapture loss data. Any available data ispoor quality and incomplete; and
• operational managers in government donot have financial incentives to improverisk management.
4.1.41 Operating units in government do notusually carry the cost of losses from insurablerisks (such as property risks or liability risks) –these are borne corporately by government(rather than using commercial insurance – asgovernment as a whole is large enough tostand the losses). This undermines incentivesto manage these effects properly. Large
Ensuring decisions
take account
of risk
37
43 HM Treasury, Appraisal and Evaluation in Central Government, 1997 (the “Green Book”).
commercial organisations commonly set uptheir own dedicated insurance companies(“captives”) in order to ensure that theincentives exist for good risk managementbut that they do not have to pay marketpremiums. The Treasury study raises theoption of a pilot to explore use of these risk pooling arrangements by government.They estimate that the potential savingsacross government as a whole could be asmuch as 0.3 per cent of operating revenue,i.e. £640 million pa. We recommend (rec.7)that the Treasury should consider running a pilot of the use of captive insurancearrangements in government.
Likely impact ofrecommendations in thischapter4.1.42 The majority view of the Boardmembers consulted by the Strategy Unit wasthat implementing many of therecommendations in this chapter would havea high potential impact for their Departments(see annex 3). In particular, there was generalagreement on the importance of all majordecisions being informed by a systematicappraisal of risk and opportunity. Manyreplied that progress had already been madein this area but as one commented “it needsto be applied systematically to all decisionmaking processes and ought to be a keyfeature of better policy making”.
4.1.43 On the same subject another Boardmember added, “This is a key part of theDepartment’s developing risk managementstrategy. Risk assessments, which include
consideration of costs and benefits, will berequired at corporate/strategic level andoperational level”.
4.1.44 In order to be sure that progress isbeing made and benefits are being delivered,we recommend (rec.8) that there should be afull review of the position after a specificperiod. This will need to be underpinned bymonitoring and evaluation arrangements, asan integral part of the recommendedimprovements. This should help carryforward the PAC’s conclusion that: “TheCabinet Office should carefully monitorDepartments’ implementation of their riskframeworks, assess their impact in improvingrisk management and seek corrective actionby Departments to address deficiencies”. Weagree with the need for a central role of thissort, to drive change forward more uniformlyacross the range of government business,though as discussed later (in chapter 4.3) notnecessarily either based in the Cabinet Office,or centred specifically on risk frameworks.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
38
4.2 ESTABLISHING RISK MANAGEMENT TECHNIQUES
Summary
The use of risk management techniques in government has beendeveloping along a similar path to the private sector – from audit/financeand health and safety, to operational management and projects, andfinally to strategic areas.
There are a number of drivers of change including the focus on achievingoutcomes and improving performance, which inevitably turns attention tothe risks of not achieving targets; and requirements to demonstrateadequate control systems.
A base for progress has been established, with many pockets of goodpractice and emerging guidance. But all aspects of managing risk(identification, evaluation and assessment, mitigation and contingencyaction, review and communication) can be improved. The range ofguidance should be reviewed, brought together, and simplified wherepossible to provide a common standard. This should build on the findingsof this report, ensuring a shared approach to handling risk in government.
There are particular gaps at the strategic level, where practice is lessdeveloped. We consider developments in horizon scanning, contingencyplanning, crisis management, and building resilience.
Important common issues are the imaginative use of experience (asopposed to mechanistic process application), and a more systematicapproach to softer areas of risk – including public perceptions, strategicfit, and reputational risk.
Establishing risk
management techniques
39
professional experts). In each of these areasthe benefits of a systematic approach are wellestablished and widely recognised.
4.2.3 The use in government of a systematicapproach to risk management has developedsteadily in recent years. It has always beenimplicit in the work of government. And insome Departments explicit risk managementtechniques have been used for many years.The system in the Health and SafetyExecutive (HSE) has evolved in the course ofundertaking its own statutory responsibilitiesand in advising and assisting the Health andSafety Commission, for example inimplementing policies on modernising healthand safety legislation.44 And MoD has longanalysed military threats in a systematic way,making extensive use of scenario planningand simulation. More recently there havebeen three main drivers for change: therequirement to demonstrate the existence ofadequate control systems for audit purposes;the setting of performance and outcome
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
40
44 For more detail see HSE, Reducing Risk, Protecting People: HSE’s Decision Making Process, 2001.
EarlierMoreRecent
Focus of Attention
Audit/Finance Line Managers Board andpolicy makers
StrategicInitiatives andGrowth
Complianceand Prevention
Opportunity(Enhance)
Hazard(Protect)
OperatingPerformance
–
Im
pact
+
Figure 4.3: Typical development of risk management within an organisation
Risk management has beendeveloping…4.2.1 Explicit risk management is a relativelyrecent phenomenon outside certainspecialised areas. It developed earlier in thefinancial sector (insurance, banking), themilitary, and in audit and health and safetyfunctions. But it is now developing steadily asa mainstream management activity acrossboth public and private sectors. Risk hasmoved from being seen as a technical subjectto being viewed as central to managing thewhole organisation. Our study combinedwith other studies of risk management ingovernment, and the Economist IntelligenceUnit’s (EIU) survey of the private sector,suggests the common path in Figure 4.3.
4.2.2 There are strong parallels with otherdisciplines such as financial management andproject management, which have becomeincreasingly seen as necessary mainstreammanagement skills (albeit supported by
Establishing risk
management techniques
41
45 op. cit.
targets which have made clear the needexplicitly to manage risks in order to achievethese aims; and the development of projectand programme management methodologies(such as PRINCE 2) which incorporate riskmanagement.
4.2.4 During the late 1990s this gainedmomentum, and our surveys of Boardmembers and risk experts in Departmentsshowed that most now have developingpolicies and processes in place for identifyingand handling risks.
…but further progress needsto be made4.2.5 Even so, the average response byBoard members was that they were midwaybetween being “not happy – many areas fallshort of good practice” and “content – a fewareas to be improved”. Risk experts agreedthat the importance of good riskmanagement had been established andcommunicated, but they tended to be lesshappy with implementation. They identifiedthe need “to move from risk assessment torisk management” as a key challenge andtended not to agree that their Departmentwas “active and competent incommunicating on actual risks andopportunities”.
4.2.6 And, for example, in the wake of thePhillips Report, a government workshop onrisk and public health held during summer2001 concluded that a priority fordevelopment was “a common approachacross government with shared criteria andsystems for managing the risk process. Thisoverarching risk framework would serve as aquality assurance for the policy makingprocess and delivery of outcomes”.
4.2.7 The introduction of SICs (the first are tobe produced in 2002) has started to drivefurther progress, as Departmental AccountingOfficers are required to sign a statementconfirming that they have adequate controlsystems in place. But SICs are likely toconfirm the need for further work, especiallyin terms of embedding risk management inthe core work of Departments.
The pattern of development issimilar to that of the privatesector4.2.8 The private sector has developedalong similar lines to the public sector.Starting with risk management in technicalareas that traditionally focus on control(managing financial portfolios, health andsafety, audit). There is now movement toembrace a more widely based and proactiveapproach to grasping risk and innovation.
4.2.9 The EIU report of 2001, Enterprise RiskManagement (ERM),45 found that:
• non-traditional risks pose the greatestthreat. Executives reported that their mostsignificant risks aren’t those traditionallymanaged by the risk management ortreasury departments. The top three arecustomer loyalty, competitive threats, andoperational failure. These are also amongthe risks companies believe they manageleast well. Equivalents in the public sectorwould be public satisfaction and trust inservices, and maintaining service delivery;
• 41 per cent of the 40 companies surveyedare implementing some form of ERM.Europeans (53 per cent) are furthestahead, which reflects the continuingevolution of corporate governance reformsand directives in Europe;
• firms adopt ERM for a wide range ofreasons (reflecting their individualcircumstances) but the most importantwas to develop a common understandingof risk across functions and business units.Other important factors include ability tomanage and avoid low probabilitycritical/catastrophic risks and cost savingsthrough better management of internalresources; and
• there is a firm belief that ERM can improveperformance: 84 per cent reported thatthey believe ERM can improve their price/earnings ratio and cost of capital. There is as yet relatively little hard evidence ofthis but companies using ERM weresignificantly more confident in their riskmanagement processes (90 per cent veryconfident compared with 45 per cent ofthose not using it).
4.2.10 All of these findings have resonancewith the public sector. And our survey of riskexperts (details at annex 3) suggests thatalthough government has made progress, itis currently somewhat behind the privatesector in developing its approach.
A base for further progress isbeing established…4.2.11 Despite indications that the privatesector has developed risk management morerapidly, there is now a good opportunity forthe public sector to move forward based onthe establishment and application of soundapproaches and techniques, and through
sharing best practice. This can build oncurrent initiatives to modernise governmentand improve corporate governance. Theevidence of the Strategy Unit study’sinterviews and surveys of senior managementshow that this will have strong support fromthe top.
4.2.12 Managing risk is a hugely variedactivity in government (for example, it caninvolve managing business risks such asinfrastructure, budgetary, policy or projectrisks or risks to the public such as health,environmental or safety risks). And sodifferent parts of government find that thespecific way they manage risk is closelytailored to their circumstances. Even so it ispossible to provide a common approach,which Departments can use flexibly. Thedevelopment of project managementmethods is a good comparator.
…including guidance fromTreasury and the OGC…4.2.13 The Treasury’s guide, Management ofRisk – A Strategic Overview (known as the“Orange Book”), published in January 2001,sets out an approach, which is becomingwidely used in government.
4.2.14 The Orange Book provides aframework for linking risks to keyorganisational objectives, indicates thesort of tools which might be used, andoutlines a cycle of risk management activity(see Figure 4.4).
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
42
Embed andreview
Identify risksand define
a frameworkEvaluate
risks
Assess riskappetite
Gainassurance
abouteffectiveness
of controlIdentifysuitableresponse
to risk
Figure 4.4: The risk cycle (HM Treasury, Management of Risk – A Strategic Overview)
4.2.15 This framework is applied flexibly ingovernment with some Departmentsdeveloping a simpler representation of thecycle, to ease communications, and couching
guidance in more general terms. Forexample, DEFRA’s Risk Management Strategyis based on a four-stage cycle (see Figure 4.5).
Establishing risk
management techniques
43
Figure 4.5: The four elements of risk management (DEFRA)
Reviewing andreporting risks
Addressingrisks
Assessingrisks
(Begin)Identifying
risks
4.2.16 It may be that this could be usefullydeveloped to include risk communication andlearning, retaining much of its simplicity, butrecognising the critical importance ofcontinuous, active communication (seeFigure 4.5a).
4.2.17 The OGC has published its RiskGuidelines, Risk Briefing and Management ofRisk: Guidance for Practitioners, which areintended to help organisations put in placeeffective frameworks for taking informeddecisions about risk, providing pointers tomore detailed sources of advice on tools andtechniques.46 It offers detailed help inestablishing risk management and inimplementing techniques. It has developedthe Treasury risk cycle further. Through itsIPPD work, OPSR will provide a simpleintroduction to the OGC’s guidance,accessible to policy makers. This will be partof an overarching Programme/ProjectManagement framework located on theOGC’s website as part of the SuccessfulDelivery Toolkit (www.ogc.gov.uk).
4.2.18 This guidance provides a base fordeveloping the practice of risk managementin government. We recommend (rec.9) thatthere should be an ongoing programme ofwork to ensure that the guidance isintegrated, comprehensive andcomprehensible, and provides a flexible andaccessible framework for Departments. Theguidance should incorporate the findings ofthis report and develop a standard forgovernment. This can then be the basis forstandardisation of training material and forbenchmarking (see chapter 4.4 andparagraph 4.2.46). It should adopt thesimplest possible models and language. Forexample, it should consider the merits of afour- or five-stage process against morecomplex models. Lower levels of detail couldbe made available to technical experts.Arrangements for using the standard shouldbe flexible, recognising current practice, andthe investment made in current approaches,and the differing needs of differentDepartments.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
44
46 OGC, Management of Risk: Guidance for Practitioners, op. cit.
Reviewingand reporting
risks
Addressingrisks Assessing
risks
Identifyingrisks
Communicationand learning
Figure 4.5a: The risk management process
Establishing risk
management techniques
45
47 Strategy Unit, A futurist’s toolbox: methodologies in futures work, September 2001.
…but there are significantareas for improvement inapplying techniques…4.2.19 Application of the elements of the riskmanagement cycle is mixed. The followinghighlights some examples of good practice(annex 7 also gives short descriptions of fourorganisations – BP, Unilever, the InlandRevenue and the Strategic Rail Authority(SRA)).
Risk identification 4.2.20 Risk identification requires creativity,ingenuity and wide involvement to ensurethe key risks are spotted. At the strategic levelthis involves methods to spot future risks:
• for example, a Strategy Unit paper47
presents six methods which can be used(quantitative trend analyses; qualitativetrend analyses; Delphi survey (a methodfor gathering information or beliefs from apanel of experts); scenario methods; wildcards (events with a low probability ofoccurring but which would have a bigimpact if they did); and futures workshops(an open process which consists ofengaging a wide range of people inenvisioning the future);
• futures workshops are being used by theDepartment of Trade and Industry (DTI) toexplore the risks and opportunities ofpotential future scenarios. TheDepartment’s IT supported facilities, suchas Futurescope, are available to, andincreasingly used by, other governmentDepartments and private sectororganisations; and
• horizon scanning is a key feature of thework of the CCS and is used to try andspot potential disruptive challenges acrossgovernment.
4.2.21 Individual Departments are alsostarting to undertake this sort of work. Forexample, DEFRA has established its horizonscanning website which is an open forum forcontributions about likely future issues. It also has an important role in shapingDEFRA’s research funding decisions, inparticular horizon scanning researchconcerned with threats and opportunitiesthat may influence food and agriculture,environmental protection and sustainable development in the future(www.defra.gov.uk/horizonscanning).
4.2.22 A survey by the Strategy Unit in early2001 found a wide range of strategicscanning activity across government. Thisinvolved an estimated 1800 civil servants, butfew appeared to look explicitly at risk. MoDwas found to do more than most in this area,involving, for example, scenario planningexercises, and using Risk Task Forces toidentify certain types of risk.
4.2.23 For programme and operational risks:
• a combination of top down and bottomup approaches are recommended (rec.10),for example combining a risk review(external assessment by seniormanagement or a designated team) withrisk self-assessment (by those directlyinvolved), feeding up diagnosis of riskthrough the levels of the organisation. Thisappears to be recognised as best practiceand is increasingly being used byDepartments such as the Department ofWork and Pensions (DWP) and DEFRA. Thisis borne out in one of our examples ofgood practice, Unilever (see annex 7),where two of their “three pillars of riskmanagement” are bottom up Control RiskSelf Assessment and top downdissemination of key risk themes forattention; and
• developing business models can help toidentify which potential risks needattention. For example, the Departmentfor Education and Skills (DfES), reflectingon its experience with Individual LearningAccounts (ILAs), said that it would build abusiness model for any successor schemeto help ”identify other risks and designbetter monitoring systems to pick up earlywarning indicators”.
4.2.24 To facilitate identification andmanagement of risk, both the OGC andTreasury guidance provide checklists of risktypes. Our study found that in practice a lotof organisations have developed short,grouped lists of risks. For example, the SRAuses: corporate and strategic; businessdelivery; and asset, and looks separately atmajor impact mitigation (including crisishandling, business continuity planning (BCP)and use of insurance). No common checklisthas yet developed although there aresimilarities (rough groupings are:strategic/corporate/ external;activity/operational/delivery includingproject/programme; and financial/ assetmanagement). The establishment of a broadcommon categorisation could significantlyhelp communication across government – werecommend (rec.11) that the Treasury shouldlead efforts to establish this. A starting pointcould be to consider three categories:strategic (including major external threats,significant cross-cutting risks, and longer-term threats and opportunities); delivery(both operational and project/ programmerisks, including resourcing risks) and financial(a separate cross-cutting category).Project/programme risks might warrant aseparate category.
4.2.25 As might be expected, riskidentification practice appears furthest
forward in considering financial, operationaland project risks. For example, the SRAstarted by assessing these types of risk beforemoving on to consider strategic risks.Systematic assessment of policy risks is muchless apparent.
4.2.26 The importance of assigningownership to identified risk is taking root.This is critical to the success of the riskmanagement process. Departmental Boardmembers (such as those in DWP and DEFRA)are increasingly taking ownership of strategicrisks, and these Boards are identifyingindividual members to act as risk owners onbehalf of the Board, promoting personalresponsibility. DEFRA, for example, has a listof 12 top threats, selected using agreedcriteria for senior action, and assigned toindividuals; and DWP has created a strongdialogue between its Board and Ministers onthe handling of key risks. Despite areas ofgood practice, systems still need to bedeveloped that replicate the accountabilityand responsibility frameworks that exist forfinancial management.
Assessment/evaluation4.2.27 Most progress has been made withassessing risks which lend themselves toquantification – particularly financial risk, andrepeatable health and safety risks.48 For otherrisks, where the role of judgement is greater,risk assessment is less well established. Thispattern of development is clear acrossgovernment, where auditors and health andsafety experts still stand out in terms of riskmanagement skills. Our experience alsoshows that executive agencies tend to bemore advanced than policy departments.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
46
48 e.g. see HSE, Five Steps to Risk Assessment, 1996. In addition, MOD’s Defence Science and Technology Laboratory (DSTL) hasproduced specific guidance including on “three-point estimation” – identifying minimum, maximum and most likely out-turns, todefine a range of uncertainty around risks.
Establishing risk
management techniques
47
4.2.28 Areas for development include wideruse of public perceptions of risk, andtechniques to bring together judgementsfrom a wide range of stakeholders to informdecisions. A recent example of good practiceis an event organised by DEFRA to share withits stakeholders its current progress and theprinciples of its new approach to riskmanagement, and to begin the process ofimproving how it engages with stakeholderson issues of risk and uncertainty. The recentEIU study highlighted the importance ofreputational risk to private sectororganisations. A similar focus is likely todevelop for the public sector, linked toestablishing and maintaining the trust of thepublic.
4.2.29 Many of the key risks governmentfaces do not lend themselves readily toquantification. They may well be novel
(for example, from a new policy or a newuntested type of computer system), sohistorical data may not help much, or theirsignificance may be linked to the values of aheterogeneous group of stakeholders.
4.2.30 The level of uncertainty will play a keyrole in determining the approach to riskassessment. Figure 4.6, based on an HSEmodel, shows how conventional riskassessment may need to be adapted, movingfrom a position where risk assessment can beundertaken with assumptions whoserobustness can be tested to one whereassumptions are made that are precautionaryin nature and cannot be tested. In strategicdecision making, where uncertainty is high,the approach to risk assessment will tend torely on exploring scenarios, past experienceof generic hazards, and analysis of whetheraction needs to be taken to avoid seriousconsequences of very uncertain events.
Figure 4.6: Risk assessment and uncertainty
Like
lihoo
d in
crea
sing
ly u
ncer
tain
Consequences increasingly uncertain
Focus on any serious/irreversibleconsequences: or areas ofhigh public concern
Rely on past experience of generic hazard
Considerscenariosfor consequences
Conventional riskassessment
Towardsignorance
4.2.31 Judgements will also be a key elementhere. A commonly used approach is todevelop a risk profile matrix (Figure 4.7),mapping risks against likelihood and impact,combining judgements with numericalanalysis where possible into High, Medium,and Low ratings. Further analysis of theconfidence of managing the risks successfullycan then be used to prioritise managementaction.
Getting value from riskassessment4.2.32 Risk assessment can be a timeconsuming and resource intensive process. Inprinciple it should be carried out for everypolicy decision, but the approach should bescaled according to the significance of thedecision to be taken. General criteria include:
• the potential risk to the public;
• the scale of financial or other resourcecommitment;
• whether the policy is novel or contentious;
• the complexity of delivery – for example,where more than one Department oragency (government or non-government)is involved in delivering a programme, orthe policy design is complex (riskingmisunderstanding or failure); and
• whether the proposed area for action has ahistory of failures.
4.2.33 We recommend (rec.12) that criteriashould be developed as part of thearrangements for embedding risk in policymaking proposed in chapter 4.1. A genericlist could be developed which Departmentscould tailor, drawing on a systematic analysisof key or common risks that have occurred intheir programmes. For example, where anerror has led to expensive litigation orcompensation claims, future programmes ofwork should actively build contingency forsuch events, as well as taking action to avoidrepetition of the problem.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
48
Figure 4.7: Risk profile matrix
X
XX
X
X
X
X
X
Low(remote)
Medium(possible)
Assurance
X Monitoring andcontingency planning
Likelihood
High(probable)
Need for mitigation action
Significant scope forimprovement of risk response
Moderate scope for improvementof risk response
Risk response is comprehensivewith limited/no scope for improvement
High
Medium
Low
Impa
ct
Establishing risk
management techniques
49
4.2.34 Different parts of government willhave different priorities and needs and, forexample, may wish to develop a set ofcommon decision criteria to help assess risksacross a broad policy area, for example onhealth, or to reflect a more consistentapproach where “value of life” criteria arealready used, such as in transport. We donot, however, recommend the developmentof decision criteria in every case. This couldencourage inflexibility and a “tick box”approach to risk assessment, which wouldwork against the exercise of risk judgementthat we seek to promote.
Assessment of risk tolerance/risk appetite4.2.35 Most risks cannot be eliminatedaltogether, and risk management involvesmaking judgements about what level of riskis acceptable – risk tolerance or risk appetite.Such judgements are often difficult, both forindividual risks and across a programme ofactivity.
4.2.36 Governments are generally keen tofind ways to improve ways of working andpublic services – for example, by pilotingnew projects or introducing new technology– but they will be averse to: risks that affectpublic health and safety, such as the risk ofcontagious disease; risks with irreversibleconsequences, such as the risks associatedwith climate change; or risks that threatenpeople’s access to essential services. In allcases, they need to weigh up the risks andbenefits associated with each course ofaction, and judge whether they aredistributed fairly. A further example would bein deciding on what measures to take tomeet the Landfill Directive targets, where thelikelihood and impact of missing the targetwould need to be assessed for each option,
and an acceptable level of risk determinedbefore an option is chosen.
4.2.37 This is an implicit feature of alldecision making in government. There willbe an underlying level of willingness totake risks in particular situations (areas ofbusiness, at different times). Risk tolerancecan be indicated on the risk profile diagram(Figure 4.7 above) by the solid black line –with all of those risks to the right requiringmitigation action to make them acceptable.This approach is often used where riskmanagement is well developed, on specificprojects or in service delivery areas (such asby the Welsh Development Agency), or inassessing the continuing viability of projectsor the capacity of service providers. Werecommend (rec.13) that more use could bemade by Departments at the policy makingstage to ensure that Ministers are aware ofthe pattern of risks they will be taking andthe prospects of adequately managing them.DfES has considered risk appetite at Boardlevel and is communicating guidance acrossthe Department. DEFRA’s Board has used risktolerance to determine timescales for action –clarifying priorities and providing impetus.
4.2.38 A similar approach could also be usedto introduce a portfolio approach to riskmanagement of Departmental programmes,or parts of programmes. The profile of riskacross elements of the existing programmecould be combined with a risk assessment ofproposed new policies, factoring inconstraints such as use of scarce skilledresource across the programme. This couldbe matched against risk tolerance to ensure amanageable portfolio of risk. We recommend(rec.14) that this could be piloted in eitherDepartmental business planning or the 2004Spending Review. This could draw on OGC’swork on risk/capability assessment, which
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
50
High
High
LowLow Impact: Scale of incident
Tolerability of risks in the area between the dotted lines and the area between the solid lines must bejudged on a case-by-case basis
Likelihood:Frequency of incident
Risks in this regionare broadly tolerable
Risks reduced as low as reasonablypracticable (ALARP)
Risks in this region areintolerable
Figure 4.8: Responding to risk – tolerability and ALARP
links likely success in delivery to the level of risks faced and the capability of theorganisation to manage them.
Identification of responses 4.2.39 The Orange Book details fourcategories of response: transfer; tolerate;treat; and terminate. The government’sapproach to risk transfer has developed inrecent years (for example, through thePrivate Finance Initiative (PFI), whereguidance now talks about “optimum riskallocation” rather than maximising risktransfer) (see chapter 4.3 on organising tomanage risk). Most often risks are “treated”,for example, through developing mitigationplans. There has been considerabledevelopment in this area, particularly inprojects and programmes where the OGCGateway requires good quality responses tokey risks to be in place before approval isgiven to proceed to the next stage. There is,
however, little evidence of responses to riskbeing thoroughly identified at the policydevelopment stage.
4.2.40 Well-developed decision makingframeworks regarding the control of riskalready exist in the UK. For example, in thearea of occupational health and safety a setof principles and criteria have beendeveloped in support of the legalrequirement to reduce risks “as low asreasonably practicable” (ALARP). This isillustrated in Figure 4.8, which shows howboth the likelihood and impact of the riskcontribute to a decision on tolerability (andis, for example, used in assessing theresponse to risks from fire).
4.2.41 We recommend (rec.15) thatconsideration be given to the extension ofsuch systematic approaches to strategicpolicy making, adapting them as necessary torecognise the less quantifiable nature of thedata involved.
Establishing risk
management techniques
51
49 See annex 3 – Surveys of Departmental Board members and risk experts.50 The PSBS (a partnership between the Cabinet Office and HM Customs and Excise) is a knowledge management system that also
provides an information and advisory service specifically geared to spreading good practice across traditional public sectorboundaries. Risk management is a key area covered.
Internal controls4.2.42 Detective controls to identify when arisk has been realised are perhaps the mostwell developed. These are “after the event”assessments, including Post ImplementationReviews, and Evaluations. Although theseassessments are becoming more routinelyapplied, there is a clear need to ensure bettercapturing of lessons learned and applicationto subsequent decisions (for example, in thePassport Agency when earlier lessons werenot applied to the problems in 1997).Directive and preventive controls coverspecific risk mitigation measures, aiming toensure that particular outcomes are achievedor to prevent the possibility of an undesirableoutcome being realised. As risk managementbecomes more established, explicit use andmonitoring of such measures is becomingmore widespread outside traditional financialareas. Corrective controls are designed tocorrect undesirable outcomes, which havebeen realised – these include crisismanagement arrangements and thecontingency planning which underpins them.These are both areas where recent eventshave highlighted a need for attention. Theestablishment of the CCS is directed atimproving practice at the highest level ingovernment, and Departments havedeveloped business continuity arrangementsin recent years, which have becomeprogressively more sophisticated.49
Assurance about effectivenessof control4.2.43 SICs are a key mechanism forproviding assurance about control. They willincreasingly drive improvements. However,currently, our survey of risk experts suggeststhat in both the public and private sectors
assessment of implementation of riskmanagement was most likely to be done only“in pockets across the organisation”.
Embedding risk in the way theorganisation works4.2.44 This study makes the case that riskhandling is embedded very unevenly acrossDepartments and throughout the end-to-endprocess of policy development and delivery.It is more developed in implementation andservice delivery areas and, as already noted,the application to policy development ismore patchy.
4.2.45 In summary, there is unevenapplication of risk management techniquesacross government – these tend to be betterestablished in financial and projectmanagement areas. This needs to beextended, crucially to policy development aswell as to policy/programme planning.
4.2.46 But there are an increasing number ofexamples of good practice, some of whichare identified in this report. Good practiceneeds to be encouraged and spread. Thereare some mechanisms in place already: theInterdepartmental Liaison Group on RiskAssessment (ILGRA), the Risk ManagementSteering Group (RMSG) and the NAO haveall played a large part in this, and examplescan be found in the Public Sector Benchmarking Service (PSBS)50 website(www.benchmarking.gov.uk) and the riskmanagement section of the NAO website(www.nao.gov.uk). But there is a case forstrengthening and supporting the networksand other arrangements (this is taken up inchapter 4.3) and we recommend (rec.16)that specific risk management benchmarkingarrangements be developed. This could
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
52
adapt the benchmarking service developed inAustralia by Comcover (established toprovide insurance and risk managementservices for government bodies), which ratesten Key Performance Indicators (KPIs) aseither:
• Level 1 – Early – Evolving a riskmanagement culture
• Level 2 – Intermediate – Implementing arisk management system
• Level 3 – Advanced – Continuouslyimproving risk management practices
Their KPIs are:
• Integrated risk management approach
• Committed and led
• Positive and proactive focus
• Process-driven
• Planned for continuous improvement
• Active communication
• Audited and documented
• Resourced
• Trained and educated
• Value-based decisions
4.2.47 This represents a very similarframework to that proposed by this study,the elements of which would lend themselvesto benchmarking. Early findings from 67Australian public sector organisations showedKPIs being met at Level 2. Improvedperformance earns discounts on insurancepremiums.
Techniques for handlingstrategic risks4.2.48 There are particular gaps at thestrategic level, where practice is less welldeveloped, and where the CCS is starting to
fill the gap. With the CCS we have reviewedthe current situation and recommend furtherdevelopments in the paragraphs below.
4.2.49 Early Strategy Unit work on risk wasan important factor in setting up the CCS in2001. The CCS was established to improvethe UK’s resilience to major disruptivechallenges (like FMD or the fuel crisis)through anticipation, preparation, preventionand resolution. It aligns with existingcounter-terrorism and defence arrangements.
4.2.50 There are four main areas of the CCS’sactivity:
• identification and assessment (includinghorizon scanning);
• contingency planning;
• consequence management (crisismanagement when serious risks arerealised); and
• building resilience to disruptive threats.
Identification and assessment4.2.51 The CCS is starting to provideconfidential horizon scanning reports toMinisters and Permanent Secretaries,identifying developments with potential tocause serious disruption to the running of theUK nationally or regionally. These mightinclude issues such as major industrialdisputes affecting key public services, healthissues likely to overburden the health serviceor challenge public confidence, signs ofinfrastructure failure, or tensions betweenlocal communities that might lead todisturbances.
4.2.52 The key area where further work isrecommended (rec.17) is in linking to, andhelping develop, Departmental capacity forhorizon scanning. We recommend that theCCS and Strategy Unit should work with
Establishing risk
management techniques
53
Departments to help them develop theirhorizon scanning capabilities, seeking tospread best practice, including ways ofassessing significance and prioritisation; werecommend that the CCS and the StrategyUnit develop a network of Departmentalhorizon scanners to share information andprovide mutual challenge.
4.2.53 This should draw on examples ofinternational best practice, for exampleSingapore’s approach to considering low-probability but potentially high-impactevents. The Singapore government has usedhorizon scanning extensively since the 1980s.All policy makers are encouraged to exposetheir analysis to possible future trends inorder better to prepare themselves. Duringthe 1990s, for example, they used one formof horizon scanning – scenario planning – togood effect. They prepared scenarios aroundpossible economic shocks that could hitthem. As a result, they were judged to havereacted faster and more effectively than othergovernments in the region to the Asianeconomic crisis of the late 1990s. Forexample, their GDP growth was much lessaffected than neighbouring economies suchas Malaysia, Thailand and Indonesia.
4.2.54 Simulation events, built aroundscenarios, can help to identify and preparefor such low probability/high impactcontingencies and we recommend (rec.18)that these methods be explored.
4.2.55 Other parts of government may alsoneed to build up their role in scanning forpotential risks. For example, we recommend(rec.19) that the Social Exclusion Unit (SEU),working with the Neighbourhood RenewalUnit, the Regional Co-ordination Unit andrelevant Departments, could consider playinga larger role in tracking potential cross-cutting risks, including the impact of
government initiatives on these risks. Thesemight include: new groups coming on tobenefits or likely to become socially excluded;or towns and cities failing to regenerate orfacing economic problems because of over-dependence on declining industries. In someof these cases official statistical data willalways be too late for adequate action.Anecdotal and subjective information needsto be drawn in from front-line staff, thepublic, inspectorates and others.
Contingency planning4.2.56 This has been a rapidly developingarea in government, with the focus being onBCP (i.e. continuing governmentadministration and services in the face ofdisruption). There are two further areas fordevelopment. The CCS has reviewed BCPsand concluded that, when viewed together,inconsistencies emerge. For example, severalDepartments may aim to move staff to thesame place, overloading capacity, or theymay rely on the same supplier of IT or officeequipment, who could not meetsimultaneous demand. So we recommend(rec.20) that the CCS should continue todevelop its role in ensuring integration ofBCPs, with particular focus on improvingresilience at the strategic level (for example,dealing with failures in cross-governmenttelecommunications or IT systems).
4.2.57 A second area for development isbusiness continuity planning for programme(as opposed to administrative) outcomes. Agood example here is contingency planningfor dealing with a serious outbreak of animaldisease. The various reports on FMD haveraised a number of areas for improvement ofcontingency plans: risk analysis around morescenarios, clear definition of responsibilities,reporting lines and accountabilities,
consultation of stakeholders in preparing theplans, plans tested on a regular basis;51
systematic analysis of available information,developing a database of information to useduring an outbreak, prior debate aboutoptions;52 and building mutual trust andconfidence in plans through training andpractice, and ensuring plans include capacityto scale up communications systems andresources rapidly at the onset of any crisis.53
DEFRA’s new plan for dealing with anoutbreak of FMD is a potential model, whichincludes arrangements and procedures foralerting others across government. Werecommend (rec.21) that the CCS shouldwork with Departments to spread goodpractice.
Consequence management4.2.58 The CCS is developing a range ofapparatus to help Departments managecrises. These are intended to providescaleable, flexible responses – not justapplying the arrangements used for the lastcrisis (for example, using the fuel crisisarrangements for FMD).
4.2.59 The CCS is also developing a CrisisCo-ordination Centre (a sort of mini-Whitehall brought together in more or lesspermanent session during a crisis to ensureco-ordination of Departments involved). Thiswould complement the existing CabinetOffice Briefing Room (COBR) arrangementsfor handling military and counter-terroristoperations. This will be supported byguidance on who should lead in a specificcrisis situation. Before the last election, theHome Office Emergency Planning Divisionmaintained Dealing with Disaster,54 which setout rules for handling crises with reference totypes of event such as flooding. We
recommend (rec.22) that the CCS shouldupdate and maintain this to reflect therevised structure of Whitehall, to takeaccount of emerging issues that potentiallypose disruptive challenges, and to set inplace clearer definitions of the role of thelead Department. This should be supportedby a database of past crises, detailing theirimpact and the lessons learned (with links toreports or inquiry findings where available).
4.2.60 Most countries covered in our survey(see annex 8) appear to have no comparablestructure and the Ministry with the majorstake in a crisis takes the leading role.
4.2.61 A further tool for managing crises is toestablish arrangements for augmentation ofDepartments’ resources during times of crisis.This was done on an ad hoc basis, forexample during the FMD crisis, where staffwere drawn in from a number ofDepartments to help out. The experience ofthe response was patchy, however, and werecommend (rec.23) that the CCS and CDGlook carefully at this area. It will be necessaryto create a framework in which, at certaintimes, corporate objectives will overrideDepartmental objectives (perhaps byembedding corporate objectives in theframework of Departmental and personal jobplans). A critical element will be the ability tocall on staff with key skills (such as projectmanagement skills) at short notice. This willinevitably be challenging and requiresensitive handling. It may be possible to drawon private sector models such as BP’sarrangements here.
Resilience4.2.62 Building resilience to disruption is aproactive way of mitigating risks. It requires
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
54
51 NAO, The 2001 Outbreak of Foot and Mouth Disease, op. cit.52 Royal Society, Infectious Diseases in Livestock, July 2002.53 Anderson et al., Foot and Mouth Disease 2001 Lessons to be learned Inquiry, July 2000.54 Home Office, Dealing with Disaster, 3rd Edition, 2000.
actions to develop the desired componentsof resilience: anticipation, detection,prevention and the effective management ofchallenges that arise. The CCS’s programmeof work is constructed on this basis and isalready yielding progress in a number ofareas. A comprehensive structure of horizonscanning and assessment is complementedby work to ensure the development ofresponse capabilities at all levels ofgovernance, the effective co-ordination ofeffort in a crisis, and measures to improveunderstanding of the importance ofresilience.
4.2.63 In addition, ways need to be found ofmainstreaming resilience into organisations’planning and the development of policy (seeparagraph 4.1.33). This should include freshconsideration of the legislative frameworkrequired in respect of civil contingencies, fora society which faces different threats, and ismuch more highly networked and inter-dependent, than the one for which the civildefence legislation now on the Statute Bookwas framed.
4.2.64 We recommend (rec.24) that the CCScontinues to develop its work on resilienceand link closely with contingency planningwork in Departments.
Working with Treasury andthe DU4.2.65 As the work of the CCS develops, we recommend (rec.25) that it should bedesigned to complement the work of theTreasury and the DU in identifying andmonitoring risks to the delivery of thegovernment’s business programme.
Establishing risk
management techniques
55
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
56
Organisational issues forDepartments4.3.1 Accountability for risk managementlies with Departments as part of theiraccountability for government programmes.This includes both managing risks anddeveloping the capabilities to enable this tobe done well. The central Departments(Cabinet Office and Treasury) also providecross-government support for both of thesefunctions.
4.3.2 Within Departments specific risks maybe managed by agencies or outside bodiesworking in partnership with the Department(for example, delivery risks often lie withagencies). Best practice is that risks should bemanaged at the lowest possible level withinthe organisations, with clear accountabilityestablished, and systems and processesdesigned to support that.
4.3.3 Chapters 4.1 and 4.2 demonstratehow current guidance, best practice andsome further developments can shape the
4.3 ORGANISING TO MANAGE RISK
Summary
Implementing effective risk management across government dependsheavily on the primary responsibility of Departments to handle specificrisks. They in turn can transfer responsibility to agencies, Non-Departmental Public Bodies (NDPBs), and through Public PrivatePartnerships (PPP) and PFI contracts.
The centre of government has a role in anticipating and providing supportfor handling crises; in tracking and responding to cross-cutting risks; andsupporting delivery where there are significant risks to key governmentobjectives. The centre also has a role in supporting and advisingDepartments on developing their risk management capabilities.
Risk management can be improved by ensuring that risk is handled bythose best placed to do so. Further use of arm’s-length bodies should beconsidered, along with ways of improving service delivery partnershipswith other organisations.
way Departments organise to manage risk. Anexample of this would be the establishmentof Risk Review teams (for example in MoD).
4.3.4 Key organisational issues forDepartments include:
• ensuring risk ownership is aligned withaccountability for delivery and authority toact – and the extent to which placingresponsibility on those accountable forresults needs to be supported by a centralfocus of expertise;
• Reporting arrangements – feeding up to the Board the results of Risk Self-Assessments, as in many governmentDepartments and elsewhere. For example,in Unilever, significant risk themes aresummarised into a corporate risk profile,which draws out the major risks for MainBoard attention; and
• ensuring risk specialists are closely enoughlinked to policy and operational decisionmakers to offer effective support.
4.3.5 Departments are at different stages ofdevelopment of risk management, reflectedin different arrangements. (For example,there is a path taken by some that involvesmoving towards more centralisedmanagement of risk during a period ofdeveloping risk awareness, followed by a re-embedding of risk with line functions.)Further developments need to recognise thisand the current agenda for change,especially on corporate governance. Thischapter considers further measures forDepartments and the supporting role of thecentre of government.
Central support4.3.6 The centre of government – No. 10,Cabinet Office and Treasury – will typically
take a supporting role in managing risks,other than in exceptional circumstanceswhere it may be involved in more hands-onco-ordination. This includes:
• providing the strategic context fordecisions;
• assurance – regularly testing judgementsabout key risks and procedures;
• crisis management – co-ordinating actionwhen risk is escalated beyond a certainlevel;
• co-ordination of communication andlearning in agreed circumstances, such astaking a strategic view of high profile riskcommunication issues;
• taking an overview of large-scale threatsand opportunities;
• identifying cross-cutting risks, that are lesslikely to be dealt with adequately, andensuring that accountabilities are clearlyunderstood and acted on;
• managing interdependencies betweenindividual Departmental operations, wherenecessary anticipation and/or resilienceneeds to be built up in other Departments;and
• providing a centre of risk managementexpertise.
4.3.7. This strategic, corporate approach isconsistent with the findings of the EIU, thatin the private sector the predominant role ofthe centre is one of co-ordination andsupport.55 The EIU found that “co-ordinatingcentrally but implementing locally” was themost common mode (one example of manyis Danone where the director of group riskmanagement is designing risk identificationworkshops for subsidiaries to carry out; thecentral risk team brought local directorstogether to help them determine objectives
Organising to
manage risk
57
55 EIU, Enterprise Risk Management – Implementing New Solutions, op. cit.
and methodology of a risk mappingprogramme, but responsibility for riskmanagement was with local units; and thecentral risk team acts mainly as consultants tothe business units).
4.3.8 Recent developments havesignificantly enhanced the capability forproviding central support, most notablythrough the establishment of the CCS andthe DU. However, our study suggests thatimprovements could be made in:
• providing systematic assurance that keyrisks are being managed effectively;
• providing accurate real-time information;
• developing a wider range of sources ofinformation. The structure of government,with issues usually being dealt with insingle Departmental channels, tends towork against this;
• identifying or co-ordinating handling ofrisks, or areas of risk, across Departmentalboundaries;
• assessing the risk portfolio as a whole andjudging the capacity to take on new risks;and
• clarity about who does what on risk at thecentre of government.
4.3.9 Feedback from Departmental Boardmembers suggests that there is support forthe centre taking more of an overview ofrisks. But there were important caveats:“Departments have to own risks” and “toomuch central control is likely to be counter-productive” were typical comments. Therewas a feeling that “efforts should be aimed atensuring more joined up working”, whichwas seen by one as “the classic case for thecentre to assume the lead”, and “the centreshould have a co-ordinating role in re-deploying resources if the lead Department
cannot accomplish this itself. For the cross-cutting issues the centre should decide whichDepartment should be given the lead (andadditional resources). This is really like amachinery of government change butfaster”.
4.3.10 And there was support for “effectiveand early central engagement” in crises,though not at the expense of Departments’primary responsibility. For example,“responsibility for crisis management shouldremain with the lead Department and in onlythe most extreme situations should controlcome from the centre”. There was asuggestion that there might need to be a“review of the use/need for contingencyfunds”.
4.3.11 The study has identified two broadgroups of risk, where Departmental Boardmembers consider central support can bevaluable:
• risks which have the clear potential tobecome, or already are, crises, where thereis likely to be a rapid escalation of publicconcern (and where the CCS has a keyrole); and
• certain ongoing delivery risks, includingsignificant risks to key governmentobjectives, and risks which are notmanageable by one Department alone.Risks may fall into this latter categorybecause they require extra resources or areinherently cross-cutting and their severityis only apparent when viewed across thewhole of government. In these cases,Departments may benefit from a more co-ordinated approach to mitigation.Examples include dealing with therecruitment of staff with key skills, or thecapacity of key partner organisations suchas computer service providers.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
58
4.3.12 The two categories are not mutuallyexclusive, but provide a framework foranalysing the functions of the centre, and arereflected in current organisationalresponsibilities.
Crises4.3.13 The CCS has a clear role inanticipating and providing support forhandling crises. It deals with civil domesticissues, complementing long-establishedarrangements for military and terrorist risks.The CCS has started to produce regularhorizon scans of potential disruptivechallenges – “trends or sets of circumstanceswith potential to cause serious disruption tothe running of the UK nationally orregionally” – focused mainly on the next 12months, but with occasional longer-rangeitems. Examples of the sorts of challengescovered would include those leading totransport disruption, industrial action, humanor animal disease epidemics, social unrestand disruptive protests. This draws on arange of sources of information, includingDepartments, to identify and assess the risks.The Domestic Horizon Scanning Committeeconsiders these assessments and ensures thatthe final approved assessment is passed tothe relevant Departments to consider anynecessary mitigation action or contingencyplanning. If a crisis does occur, the CCS Co-ordination Centre can provide enhancedsupport.
4.3.14 These arrangements are relatively new,and should be allowed to bed in. They needto be complemented by a capacity to reviewlonger-term threats and opportunities, whichwe recommend (rec.26) should beundertaken by the Strategy Unit, building onits current Strategic Futures work. The CCSand the Strategy Unit could also increasinglyuse their expertise to work with Departments
to help them develop their own horizonscanning capabilities; and the CCS could helpDepartments to develop their resilience tothe threats which can lead to crises.
Delivery risks4.3.15 In addition, the centre needsassurance that risks to the delivery of thegovernment’s programme are beingmanaged, and should provide support whereneeded. Whereas crises are primarily aboutdealing with threat (the negative aspect ofrisk), managing delivery risks will also cover“opportunity risk” – i.e. the issues which arisefrom seeking improvements (such asincreased demand for scarce resources,difficulties with implementing and operatingnew services, including levels of publicacceptance and media reaction). Failure tomanage these risks well may often not havesuch visible, immediate and high profileconsequences, but the long-term impact canbe equally significant. The Treasury and DUhave key roles here, which could beenhanced by our recommendations inchapter 4.1.
4.3.16 We considered whether there was aneed to bring together more closely theseparate CCS and Treasury/DU arrangements,but concluded that the recommendationsand the Treasury’s membership of theDomestic Horizon Scanning Committeeprovided strong enough links. So we do notrecommend any change.
Reporting risks4.3.17 There are currently several parallelstrands of reporting corporately on risks:
• the CCS reports on disruptive challengesto the Prime Minister;
• the DU reports on risks to key programmesto the Prime Minister;
Organising to
manage risk
59
• the PSX Cabinet Committee reports to theCabinet on current issues with deliveringPSAs;
• the Joint Intelligence Committee providesregular intelligence assessments on a rangeof situations and issues of current concernto Ministers and senior officials; and
• media reports, highlighting threats to thegovernment’s reputation, are sent by theMedia Monitoring Unit to all Departments,including No. 10.
4.3.18 We considered whether we mightpilot a consolidated report on risk for thePrime Minister. However, the No. 10 PolicyUnit is content with the current reportingarrangements, which provide quality adviceon specific issues, so we recommend nochange, though the re-organisation of theCabinet Office (July 2002) and the new roleof Security and Intelligence Co-ordinator maybring some reporting strands together.
Active support by the centreof government for developingrisk management4.3.19 The study has found that:
• there are currently a wide range ofdifferent units and committees whoinfluence risk management, including:ILGRA; the Risk Management SteeringGroup; several parts of the Cabinet Office(CCS, CDG) and Treasury (SpendingReview, Investment Appraisal, Audit), aswell as partnerships such as OPSR andOGC on IPPD. Further details are at Figure4.9. Most of the individual functionscarried out are valued, but the overallpicture causes confusion;
• there is a perception of advice beingdelivered through “initiatives”, with the
centre moving on to the next initiative andfailing to provide ongoing support. Thisadds to Departments’ workload;
• informal risk networks are developing, butthey need support to be effective inidentifying and sharing good practice; and
• fragmented approaches to riskmanagement across the centre ofgovernment have contributed to confusionwithin government bodies. Many differentguides exist and Departments andagencies have been left to their owndevices to decide on the method ofimplementation, which has consequentlybeen disparate. There is no single point ofcontact or centre of expertise to whomDepartments can turn.
4.3.20 We recommend that the centre should provide active support to assistDepartments to implement a more effectiverisk approach across government. The centreshould invest in:
• co-ordinating and supporting an overallprogramme of change, includingmonitoring progress and assessing theeffectiveness of risk handling acrossgovernment;
• better co-ordinated and more accessibleguidance;
• a contingency resource and expertisewhich Departments can draw on inmanaging and arresting crises;
• a shared, more established risk/crisiscommunications approach;
• an expert resource in the management ofrisk to assist Department staff in improvingthe quality of implementation; and
• a more accessible and active approach tothe sharing of good practice acrossgovernment.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
60
Organising to
manage risk
61
4.3.21 These recommended types of supportare all backed by Board survey responsessuggesting high or medium impact onDepartments’ activities.
4.3.22 Key points that we considered include:
• to provide effective support across theoverall programme requires a range ofskills to be applied; and
56 Responsibilities may change with reorganisation of the Cabinet Office.
Organisation Role
Treasury:
• Public Services Directorate and Finance Corporate governance initiatives, SICs, Management and Reporting guidance on risk management (Orange Book),
Green Book on investment appraisal, SpendingReview guidance.
• Office of Government Commerce General guidance on risk management; PFI;project and programme management.
Cabinet Office:
• Corporate Development Group56 Civil Service reform; Senior Civil Service (SCS)competencies and leadership; training anddevelopment programmes; Risk in BusinessPlanning.
• Civil Contingencies Secretariat Improving the government’s ability to handledisruptive challenges that can lead to or resultin crisis.
• Delivery Unit Supporting delivery of key governmentpriorities.
• Office for Public Service Reform Model of High Performing Department; IPPDending December 2002.
• Strategy Unit Study of risk management. Strategic futures.Policy Studies Directorate Guidance on better policy making.
• Regulatory Impact Unit Supporting the development of riskframeworks and the risk portal; guidance,advice and training on RIAs.
• Better Regulation Task Force Examining models of risk communication.
Committees:
• Risk Management Steering Group Advise/facilitate consistent and co-ordinateddevelopment of policy and guidance relatingto risk across central government.
• Interdepartmental Liaison Group on Risk Help secure coherence and consistency within Assessment and between policy and practice in risk
assessment and help disseminate and advancegood practice.
• Risk Advisory Group Develop a government statement on risk.
Other organisations:
• Health and Safety Executive To offer advice and guidance on health andsafety issues.
Figure 4.9: Units and committees that influence risk management (summer 2002)
• for the support to be most effective itshould be fully integrated with the processof agreeing Departments plans, to ensurethat it is delivering real business benefits. Itshould also be linked closely to theprogramme of work to improve riskmanagement as part of corporategovernance.
4.3.23 This leads us to specificrecommendations.
4.3.24 It is recommended (rec.27) that thequality of government risk managementshould be improved through a two-yearprogramme of change to improve itscapabilities. The timetable should beintegrated with that of the Spending Reviewand the production of SICs. The programmeshould include the following strands(integrating the Strategy Unitrecommendations with existing initiatives):
• communications with the public;
• embedding risk (in the Spending Review,policy making, business planning, projectand programme management);
• leadership and culture change;
• skills;
• guidance, standards and benchmarking;and
• corporate governance.
4.3.25 Departments are accountable forimproving their risk management in theseareas. The centre should be responsible forproviding a clear framework for change andensuring Departments have the support theyneed. Existing central risk functions should berationalised to implement this approach.
4.3.26 It is recommended (rec.28) that anImplementation Steering Group should beestablished (replacing the various existing
groups – the Risk Management SteeringGroup, ILGRA, and Risk Advisory Group) todrive change over the two-year periodleading into the next Spending Review(2004). This group should draw together themain interests across government and bechaired by an authoritative figure, perhaps amember of the CSMB. Progress should bereported regularly to PSX and the CSMB.Outline terms of reference and membershiphave been developed as part of theimplementation plan.
4.3.27 The Steering Group should besupported by a small central team in theTreasury, the Risk Support Team, drawn fromexisting sources of activity (including theTreasury, OGC, HSE, the Cabinet Office, theGovernment Information andCommunication Service (GICS) and others)who would monitor progress; provide acentral expert resource; review and co-ordinate advice and guidance on riskmanagement; help establish and support aninterdepartmental risk network; and considerfurther steps to rationalise current centralresponsibilities and initiatives.
4.3.28 We recommend (rec.29) thatDepartments should consider whether theymight establish similar individuals or teamsinternally to drive and support change.
Placing risk where it can bestbe managed4.3.29 Responsibility for handling risk shouldlie with those best placed to deal with it. Thiscan only be judged on a case-by-case basis,but criteria include:
• competence – who has the skills andexperience and/or can best recruit andretain the right people?
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
62
Organising to
manage risk
63
• capacity – does the capacity exist? Can itbe developed?
• public interest – is there sufficientassurance that the public interest will beprotected?
• value for money – who will offer the besttrade-off between costs and benefits?
• management – can the arrangements beadequately managed?
• subsidiarity – operational decisions willoften be best made by those closest toservice delivery.
Policy making4.3.30 Organisational change has beenactively used to enable government topursue better outcomes and better managerisk (see Figure 4.10). This has involvedplacing operational responsibilities with arange of bodies from agencies withingovernment Departments, to NDPBs andlocal government, to private and voluntarysector organisations. It has also involvedtransferring policy responsibilities to others.For example, policy advice is now oftenprovided by outside bodies where specific
technical expertise is involved, andgovernment has relatively recently gonefurther by setting up the Food StandardsAgency as an arm’s-length body with a roleto provide advice direct to the public withoutrecourse to Ministers. The National Institutefor Clinical Excellence (NICE) offers guidancedirect to patients, health professionals andthe public on best practice. And even moreradically, some policy decisions are nowtaken outside government, for example bythe Monetary Policy Committee (MPC).
4.3.31 It is worth exploring whether the useof arm’s-length bodies in policy making couldbe increased. The benefits of careful use areclear: they may be much better placed thangovernment Departments to recruit andretain the specific expertise needed and thusbe able to provide better advice/decisions;and they may well be more trusted thangovernment (for example, the FoodStandards Agency, where consumer ratings ofthe reliability of their information has risen to93 per cent from 75 per cent between 2000 and 2001 and the MPC, where publicsatisfaction is high – 55 per cent were verysatisfied with the way interest rates werebeing set to control inflation).57
57 NOP, Survey of Public Attitudes to Inflation, February 2001.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
64
4.3.32 We recommend (rec.30) thatDepartments should consider whether theconditions exist for them to be used. Theseinclude: the ability to set a clear strategicframework within which experts can work(for example, the framework for monetarypolicy); confidence that the body wouldcommand public support; and a significantrole for expert knowledge. This may be
particularly appropriate where risks to thepublic make trust a key concern.
Service delivery4.3.33 In service delivery and investmentareas, current PFI guidance highlights theimportance of appropriate risk allocation
Figure 4.10: Putting risk where it can best be managed – organisational options
GovernmentDepartments
Operations
Delegatedoperationaldecisions
Transfer of operations
Delegatedspecialistadvice
function
Agencies and othergovernment bodies
Non government/independent bodies
e.g.HighwaysAgency,Welsh
DevelopmentAgency
e.g. localauthorities(HousingBenefit)
e.g. privatelyrun prisons,
railways, NewDeal serviceproviders,privatisedindustriese.g. coal
PFI/PPP/Privatisation
e.g. FoodStandards
Agency, NICE
e.g. MonetaryPolicy
Committee
Delegated policy decisions
Policy
between the public and private sectors(seeking an optimum rather than maximumrisk transfer). It points out that to obtaingood value for money, transferred risks needto be within the control of the partnerorganisation, otherwise they will seek tocharge a premium for taking it on. The maincategories of risk to be considered have beenestablished as: design and construction;commissioning and operating; demand;residual value; technology/obsolescence;regulation; project financing; contractordefault; and refinancing. It has becomeincreasingly apparent that Departmentscannot transfer the underlying political risk offailure, or any consequent impacts on theircore business. This points to the importanceof working in partnership, and highlights theneed for sound management arrangements.
4.3.34 Where partnerships with otherprivate/public/voluntary sector organisationsare used to deliver services, there aremanagement issues that could be betterhandled:
• the PAC has highlighted the need toimprove understanding of the riskmanagement systems of partnerorganisations,58 both in terms ofconfirming quality and in terms of havingan integrated approach. We recommend(rec.30a) that use of a risk managementstandard as the basis for accreditingpartners’ risk management arrangementsshould be considered;
• recent rail incidents have highlighted theneed for clear accountability for managingrisks, especially when there may be acomplex pattern of organisations involvedin service delivery. We recommend(rec.30b) that where responsibility for riskis transferred to a partner organisation,particular care is taken to ensure thataccountabilities are clearly established by
Departments, procedures for escalatingrisks are agreed,59 and capacity maintainedto manage and monitor performance(including provision of relevantinformation) and to take early action in theevent of difficulty; and
• the PAC’s review of PFI projects60 also findsthat public bodies are not doing enoughto manage their PFI contracts after theyhave been agreed. Findings include theneed to ensure a clear ongoing linkbetween risk and reward – avoiding theimpression that government will alwaysbail out contractors, as has happened insome individual cases, such as the RoyalArmouries Museum or the Channel TunnelRail Link.
4.3.35 It is also recommended (rec.30c) thatthere is a case for developing furtherapproaches to contracting with partners,especially where the aim is primarily todeliver a service rather than, for example, alarge-scale capital project. This might involveshorter contract periods, more flexiblecontracting arrangements and lowertransaction costs than are typical with PFIarrangements. The Treasury and OGC shouldconsider this in developing government’sapproach to partnerships.
Departments workingtogether – networking andpeer review4.3.36 Establishing an effective network isseen as an important way of helpingDepartments to develop quickly throughsharing best practice. There are thebeginnings of this network, linked to contactlists held by the Risk Management SteeringGroup and ILGRA. But we recommend thatthis should be strengthened, rationalised andpublicised. It is particularly important to
Organising to
manage risk
65
58 PAC, Managing Risks in Government Departments, op. cit.59 For example, as recommended in the Interim Recommendations of the Investigation Board into the Hatfield Derailment, August 2002.60 PAC, 42nd Report: Managing the Relationship to Secure a Successful Partnership in PFI Projects, July 2002.
facilitate contact between those responsiblefor leading development of risk managementpractice in Departments. The centre has arole to play in establishing, and initially inrunning, this network. We recommend(rec.31a) that a network could be set up ofthe “risk improvement managers” proposedin chapter 4.4.
4.3.37 We recommend (rec.31b) that thisnetwork, combined with the ImplementationSteering Group, could take on ILGRA’s currentresponsibilities (reviewing management ofcross-cutting risks; ensuring risk is consideredin agreeing PSAs; promoting a consistentapproach to risk; and improving riskcommunication). This could build on thestrong track record of ILGRA, effectivelyembedding in the machinery of governmentits current role as a champion group.
4.3.38 We also recommend (rec.31c) that thepeople network could be supported by thedeveloping IT-based knowledge networks,from existing Cabinet Office web-based tools:including the Risk Portal, the Policy Hub’sknowledge pools, and the PSBS.
4.3.39 A specific role for the network wouldbe to provide peer group reviews andchallenges. Peer review has been a growingarea in government, but has been hamperedby availability of suitable reviewers. Thenetwork would provide a ready source ofexpertise, but this would have to beunderpinned by an understanding that peerreview work is part of the participant’s job –justified on the basis that their would bereciprocal gains. Peer review could also beused within Departments, where there maywell be several centres of risk expertise (forexample, within audit, projects andprogrammes and individual deliveryorganisations, and we hope increasingly inpolicy areas).
4.3.40 Peer review is used extensively by BP,an acknowledged leader in risk management.Within BP, the use of peers forms thebackbone of risk management, in order toensure consistency in approach, improved useof knowledge and adoption of best practice.Projects are required to make use of peer assistand peer review to ensure all risks are dealtwith. Networks are created on issues such asoperational integrity, technological issues, crisismanagement, and health and safety. At higherlevels peer groups meet on at least a quarterlybasis in order to assess and contribute toperformance and risk management, and thereis a clear expectation that those unitsperforming better than average will assist theimprovement of those units that are under-performing. This structure assists in:
• ensuring consistent quality and approachto risk management;
• leveraging knowledge across theorganisations;
• ensuring greater openness;
• ensuring that best practices are adopted;
• circulating lessons learned; and
• creating contacts in a formal setting thatwill be used on an informal basis.
4.3.41 We recommend (rec.32) a similarapproach in government. This would providea good basis, for example, for developingresponses to risks that span more than oneDepartment, enabling the right contacts tobe made to gather intelligence and shareinformation, and assess risks holistically acrossfunctions. Within Departments this approachis already developing, for example DEFRA isestablishing a Risk Forum where riskpractitioners share good practice and lessonslearned. This is one of the vehicles theDepartment will use to take forward therecommendations of the FMD inquiries.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
66
Developing skills
67
4.4 DEVELOPING SKILLS
Summary
• To embed risk management thinking and capability in government’sway of doing business, risk management needs to become anintegral part of mainstream learning and development at allmanagement levels.
• Although the importance of developing risk managementawareness and skills is well recognised, risk management thinking isstill at an early stage within government.
• There should be a co-ordinated and systematic approach to theprovision of risk management skills and training under CDGleadership.
• This should be based on a common understanding of good practiceon risk handling, including the possible “standard” for riskmanagement in government (discussed in chapter 4.2).
• Risk management should become more prominent within the fullrange of Civil Service management systems, for example throughdeveloping the risk management elements in the core competences,similar to developments in project management.
• Each Department or agency should appoint a risk improvementmanager to spearhead its programme of work to develop processes,systems and skills to support the effective handling of risk. Thisshould include a review of current spend on risk managementspecialists and the scope for in-house expertise.
Development of riskmanagement thinking is stillat an early stage in manyorganisations, includinggovernment4.4.1 To embed risk management thinkingand capability in government’s way of doingbusiness, risk management needs to becomean integral part of mainstream learning anddevelopment at all levels. It is widelyaccepted that, in order to handle risk better,employees need both the right skills and theright attitudes. Although risk management isdeveloping as a professional discipline in itsown right, a growing number of privatesector companies now recognise the need tospread risk management thinking morewidely across their operations. However,development of risk management as a corecompetence is still at an early stage in manyorganisations, including government.
4.4.2 Some of this can be achieved byformal training. Equally important areexperiences – for example, simulations – thathelp people to understand, emotionally aswell as rationally, the importance of handlingrisk more professionally. A successful examplewas the Y2K simulation run across the wholeof government, which in itself raisedawareness of the importance of identifyingand building contingency for strategic risks.MoD war games are another example.
4.4.3 The importance of developing riskmanagement awareness and skills at all levelsin the Civil Service is well recognised.61 And anumber of Ministerial and Joint Policyseminars have covered various aspects of riskmanagement:
• three important corporate programmes forthe SCS have a session on risk (the TopManagement Programme, Developing Top
Management and the Introduction toCorporate Leadership).62 Furtherprogrammes and seminars are planned tofocus on risk, including further work onbetter policy making; and
• in the Civil Service College, more than 25programmes include a focus on someaspects of risk.
4.4.4 In addition, there are a number ofdifferent organisations that lead riskmanagement training and development:
• the Treasury sponsors a number ofseminars on risk/SIC issues and supportsCDG in its corporate governance courseand in its training for new NDPB Boardmembers;
• the Treasury has also supported a numberof organisations directly by working withtheir Boards, senior management groupsand audit committees; and
• the OGC has developed a training moduleaimed at people who wish to develop aspecial expertise in risk management,which could support a wider best practicemodel.
4.4.5 These would benefit from a commonframework, to ensure that the messages areconsistent with wider government policythinking on risk. We recommend that (rec.33):
• there should be a co-ordinated andsystematic approach to the provision ofrisk management skills and training, underCDG leadership. This should include:
– the development of a common core ofrisk management material (linked to theproposed standard) on which allprogrammes could be based;
– a review of key mainstreamdevelopment programmes that could
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
68
61 This topic is covered in Cabinet Office, Modernising Government White Paper, March 1999 and CDG, Better Policy Making, op. cit.,November 2001.
62 CDG sponsored.
63 These include the joint Ministerial/Senior Civil Servants’ programme, Engaging with Government, an Introduction to CorporateLeadership, the Cabinet Secretary’s Programme, the Partnership Programme, Leadership in Partnership and the “e” learningleadership toolkit.
64 op. cit.
usefully cover risk management andinnovation, including centrally-ledprogrammes for general managementtraining, specific training focused oneffective policy making, financialmanagement and project management,and senior management developmentprogrammes;63 and
– integration with the training framework,developed by OGC to complementManagement of Risk: Guidance forPractitioners.64
• the review should be included in the two-year programme of work that werecommend to achieve a step change ingovernment’s capability to handle risk;
• Departments’ heads of human resourcesshould conduct similar reviews of theirown training and developmentprogrammes, which in turn might formpart of the new Departmental ChangeProgrammes; and
• CDG should support action by Ministersand senior officials to foster a culture inwhich well-judged decisions about risksand opportunities can be made (seerec.42, chapter 6).
4.4.6 CDG may wish to review a number ofits work areas to take account of theserecommendations, and look specifically atdeveloping a risk module for inclusion in SCStraining in effective policy making (coveringrisk identification, assessment, mitigation andcontingency planning). In addition, the RiskSupport Team should work with the relevantparts of the Cabinet Office (the ReformStrategy Group, OPSR, the SU and others) to ensure that the recommendations onencouraging risk awareness and managementare incorporated into Departments’ policymaking.
Other developmentopportunities and tools4.4.7 The formal training/seminar approachis only one element in a wider programme ofinitiatives to help embed risk thinking andtechniques in the culture. But it is animportant one. It is key to generating acommon framework, which can then beapplied in day-to-day work experiences.
4.4.8 Formal training needs both to feed offand into real life experiences. The acid test ofwhether training is consistent and hasimpact, is whether, over time, the sameapproach to risk is recognised in all forums,resulting in good quality handling across theboard. Whether Departments see easy routesto getting help and best practice from thecentre and around Whitehall is also anindicator.
4.4.9 To complement formal training, arange of other approaches can help supportchanging attitudes and building confidence,including:
• working through existing managementnetworks, such as those for PrincipalFinance Officers, HR Directors, IT Directors,etc (see list at paragraph 6.47);
• building new risk-specific collaborativeteams to share good practice; and
• using existing mechanisms, such as peerreview, to learn from others.
4.4.10 We have also looked at key initiativesoutside the formal CDG programmes whichcould help focus leaders’ attention on riskmanagement thinking, including those led bythe OPSR, CDG and the DU. These include:
• the joint CDG/Treasury PSA+ initiative;
• the OPSR model of the high performingDepartment; and
Developing skills
69
• Strategy Unit work with Departments topromote strategic thinking and skills.
The Strategy Unit Risk study team has helpedto develop thinking on some of theseinitiatives. The new Reform Strategy Group,in its work with Departments on their changeprogrammes, can also be expected to play akey role in influencing behaviour andpractice.
Professional risk managementskills4.4.11 At present, Departments and othersoften employ specialist arms of managementconsultancies to introduce risk managementsystems. We recommend (rec.34) that, insuch cases:
• there is a continuous effort to pass on skillsand to ensure that learning is capturedand used – passing on the skills to bothmanage, evaluate and reassess systems willbe essential to achieve best value; and
• Departments and others actively identifytheir likely level of future need for riskmanagement specialists, with the aim ofdeveloping suitable in-house people, inparticular, to take over any continuing rolecurrently performed by outside consultantsin this area. While we consider that there isa case for developing a small core of riskmanagement specialists to supportembedding of risk handling in the day-to-day business of government, this shouldnot be a substitute for improving riskmanagement skills more generally acrossgovernment.
4.4.12 To support this, we recommend(rec.34a) that:
• each Department nominates a riskimprovement manager to support this
process – setting standards, and advisingthe Board on what is required. There are anumber of different models that might besuitable, for example, the model adoptedin some Departments for the projectmanagement and procurementspecialisms. Departments may want toencourage their agencies to appointseparate risk improvement managers; and
• OGC should provide an advisory resourceon systems and skills, drawing whereverpossible on existing training andqualifications, but considering thepossibility of introducing a uniform basicmodel.
People management systems4.4.13 There are many and variedapproaches to the people systems aroundWhitehall that govern the formal handling ofindividuals – in terms of performance,rewards, promotion, etc. These can be usedto reinforce and encourage positiveapproaches to handling risk and opportunity.
4.4.14 Key to a number of these systems isthe SCS competence framework,65 whichincludes risk management in a number ofareas. There is currently no central evaluationof how Departments have used this model.
4.4.15 We recommend (rec.35) thatDepartments are encouraged to explore theway they use competence frameworks tosupport their risk management objectives, asDEFRA has recently done. To further this, wesuggest:
• an evaluation by CDG, under the aegis ofthe new central team, of how competenceframeworks and appraisal and rewardsystems for the SCS are being used tosupport risk aware behaviour (work on this
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
70
65 Competence frameworks are used in many organisations to identify the behaviours that employees must have, or be able to acquire,in order to achieve high levels of performance. The competence framework for the Senior Civil Service can be found on the CabinetOffice website at http://www.cabinet-office.gov.uk/civilservice/scs/competences.htm
has already been commissioned by IPPDand CDG in the context of project andprogramme management); and
• that Departments build the competencesand behaviours to develop riskmanagement capability into all key peoplemanagement systems:
– design of job objectives, and the linkedperformance review process;
– 360° feedback;
– promotion – particularly to SCS level;and
– pay and rewards – financial and non-financial.
Developing skills
71
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
72
66 ed. Kloman, Risk Management Reports 1995–2000, Risk Management Standards October 2001 – (www.riskreports.com/standards.html)67 ISO/IEC, Guide 73, Risk Management Vocabulary: Guidelines for Use in Standards, July 2002.
4.5.1 Risk management procedures can beimplemented mechanistically (ticking boxes)– or in ways that have a substantial impacton the success of organisations. To ensuregenuine quality, arrangements for qualityassurance are needed. Simple checklists canbe useful and a number of these are alreadyin use (such as the Orange Book – whichcontains a checklist of types of risk toconsider; RIU’s guidance on RIAs; andODPM/DfT’s Integrated Policy Assessmentframework) or are being developed.
Standards for risk managementshould be adopted…4.5.2 But there is also a move to introducesystematic quality standards for riskmanagement in response to a perceived needfor practical assistance in applying riskmanagement in public and private sectororganisations. National standards firstappeared in Australia and New Zealand in1995 (now AS/NZS 4360:1999), then in
Canada in 1997 (CAN/CSA-Q850:1997). TheUK followed in 2000 (BS-6079-3:2000), andJapan in 2001(JIS Q 2001:2001).66 The BritishStandards Institution (BSI) has also producedPD6668:2000 on managing risk for corporategovernance. Other countries and regions(Europe) are currently considering similarstandards, and the International StandardsOrganisation has produced a list of commonglobal definitions for risk managementterms.67
4.5.3 These standards define the riskmanagement process (including steps suchas: establish the context; identify, analyse,evaluate and treat the risks; communicateand consult; monitor and review) and theactivities that underpin it, providing guidanceon tools and techniques.
4.5.4 The most established, AS/NZS 4360,has been very well received internationally,widely influential, and adopted by, forexample, the majority of governmentorganisations in Australia and the National
4.5 ENSURING QUALITY
Summary
Raising the government’s game in relation to risk will require carefulattention to how well new approaches are implemented. We recommendthat a comprehensive quality standard be established for riskmanagement. This should be co-ordinated by the new Risk Support Teamand be complemented by benchmarking arrangements. Skills trainingshould be linked to the new standard.
Health Service and Office of NationalStatistics in the UK. The Department ofHealth also proposes to adopt the standard.
4.5.5 There is not yet widespread use of astandard in the UK. Indeed, government hasdeveloped its own guidance (the Treasuryand the OGC) in parallel with BS-6079-3,which in any case is project based. TheTreasury is developing its own set of RiskManagement Standards for Departments,linked to application of the “Orange Book”cycle, as a tool to evaluate how wellDepartments are implementing riskmanagement.
4.5.6 We recommend (rec.36) that the OGCand the Treasury should review the directionfor quality standards for government,drawing on best practice internationally anddrawing on the findings of this report, toensure a comprehensive and useablestandard for UK government. This shouldbuild on current good practice, progressivelyproviding a common framework andlanguage. This work should be commissionedand overseen by the Implementation SteeringGroup proposed in chapter 4.3.Departmental Risk Frameworks should thenbe reviewed in light of the emergingstandards.
…and also benchmarking4.5.7 Benchmarking is a further tool forimproving quality in the application of riskmanagement. We recommend (see rec.16)that government should develop thebenchmarking approach set out in paragraph4.2.46, utilising the expertise and facilities ofthe PSBS.
Quality standards should beapplied to training4.5.8 Skills training should be developedagainst a standard approach to ensurequality, as proposed in chapter 4.4. OGC hasdeveloped a Risk Management Qualificationlinked to its Practitioner Guide. This will bean important step forward.
4.5.9 It is also important to ensureappropriate quality assurance of thedevelopment of behaviour and culture, notjust of the implementation of processchanges. This should be incorporated in thebenchmarking criteria.
4.5.10 In summary, we recommend that acomprehensive set of quality arrangementsare set in place and that these should beco-ordinated by the new Risk Support Team.
Ensuring quality
73
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
74
5. HANDLING AND COMMUNICATING ABOUTRISKS TO THE PUBLIC
SummaryThe handling of risks to the public has become more challenging inrecent years, as information sources multiply and public expectationschange. Recent cases have demonstrated that, in order to handle andcommunicate effectively about risks to the public, government needs towin public trust. In particular, they suggest the need for:
• building public confidence in the basis of decisions made bygovernment about risks;
• more transparency about decisions so that they demonstrate a cleargrounding in evidence;
• decisions that better reflect public values and concerns; and
• providing enough information to allow individuals to make balancedjudgements.
Although steps have been taken to improve the handling of risks to thepublic, this study suggests that the government’s approach to handlingrisks to the public needs to become:
• more open, particularly in cases of uncertainty;
• more transparent about the processes it has used to reach itsdecisions; and
• more participative, by involving stakeholders and the wider public atan earlier stage in the decision process.
In addition, Departments should consider the scope for extending therole of arm’s-length bodies in areas where issues of public trust areparamount.
Where this has been done, public trust has been maintained, anddamaging and costly crises have been avoided.
Introduction5.1 Citizens face risks to their health,property, wellbeing and environment from avariety of sources as part of their daily lives.Many risks are taken willingly and with a fairamount of understanding, and require littledirect intervention from government. Otherrisks can be prevented or contained throughregulation or other measures such as publichealth care. Some risks, for example the riskof contracting new variant Creutzfeldt-JakobDisease (vCJD) from eating infected beef, areby their nature hard to understand. Ourunderstanding of other risks, and of howthey interact with each other, is alsoconstantly changing. In these cases,government’s most important role is toprovide information so that individuals candecide how best to control their ownexposure to the risk or judge the action thatgovernment is taking on their behalf. Forgovernment to be able to discharge thisresponsibility, it is vital that it is trusted.
5.2 In the UK, government has developeda number of well-established ways ofinforming members of the public about risksthat affect them, some of them statutory.Examples include:
• awareness campaigns to highlight thehealth issues of smoking, to reduce thenumber of road deaths, or to raiseawareness of the effects of climate change;and
• setting up public bodies such as the FoodStandards Agency with a specificresponsibility for providing informationand advice to the public on issues they arelikely to encounter in their daily life.
5.3 Government also has well-establishedresponsibilities for regulating technologies,products and processes that could pose a riskto the public. Some of these are also
statutory. For example, the EnvironmentAgency, Health and Safety Executive (HSE),Financial Services Authority, Food StandardsAgency, Medicines Control Agency, HumanGenetics Commission (HGC) and HumanFertilisation and Embryology Authority (HFEA)are all involved in regulating risks that affectthe public, employees, business or theenvironment.
The handling of risks to thepublic has become moredifficult in recent years5.4 Governments need to be able toidentify issues that pose risks to the public orthat could cause public anxiety and, wherenecessary, take action to tackle the risk oraddress people’s concerns. This role is part ofthe core business of some Departments andarms of government that are responsible forensuring the health and safety of the public.For others, these concerns are less significantand the issues we discuss here may not needto form such a central part of their riskmanagement strategies.
5.5 Handling and communicating aboutrisks that may affect the public has becomemore difficult, as information sources multiplyand public expectations change. Challengesthat government has had to face in recentyears have included:
• rapidly escalating crises (such as the fuelblockade in September 2000) that havetaken the government and media bysurprise;
• difficult judgements about public safety,where the evidence about the likelihoodand impact is unclear (such as BSE);
• public concern, amplified by sections ofthe news media, about new forms of risk
Handling and
communicating about
risks to
the public
7575
(for example concerns about “the flesh-eating bug” or about a possible linkbetween the MMR vaccine and autism);
• public concern about the measures usedby government to tackle certain risks (suchas the policy of mass slaughter to tackleFoot and Mouth Disease (FMD) or thepurchase of smallpox vaccine);
• public scepticism about the balancebetween the benefits and risks of newtechnologies (such as Genetically Modified(GM) crops);
• concern about individual choice (forexample over the banning of beef on thebone or over the triple vaccine for MMR);
• public pressure for access to informationabout the source of perceived risks (forexample the whereabouts of convicted sexoffenders);
• pressure from the public and media forgovernment to take wider action inresponse to high profile tragedies (such asLyme Bay, Soham, or the Hatfield,Paddington and Potters Bar rail crashes);and
• concerns, following 11 September, aboutthe emergence of new forms of terrorism,including the use of biological agents.
5.6 These cases demonstrate that, in orderto handle risks to the public effectively,government needs to win and retain publictrust. They raise a number of commonthemes, some of which (such as the need forbetter horizon scanning and the effectivehandling of risk in decision making) areaddressed in earlier chapters. In addition,they suggest the need for:
• greater public confidence in the basis ofdecisions, grounded on more relevant andup-to-date information and greater clarityabout what assumptions are being made,
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
76
particularly where there is uncertainty, alack of information or conflicting views;
• a more public and transparent basis fordecisions about risks to the public, thatdemonstrates a clear grounding inevidence and is responsive to publicconcerns;
• decisions that better reflect public attitudesand values, based on earlier identificationof concerns about potential risks and amore proactive two-way communicationprocess involving both the public and themedia, that is sufficiently robust in crisisconditions;
• more realistic expectations of thegovernment’s ability to protect the publicfrom risk;
• greater recognition of the expectationsand responsibilities of individuals tomanage the risks that affect them directly;and
• information that enables individuals toform balanced judgements about the scaleand likelihood of risks and the choice ofresponse.
5.7 The MMR case showed how muchgovernment relies on the participation of thepublic in tackling certain risks, and the extentto which that participation relies on anestablished base of trust and confidence.Research suggests that trust can only be builtup over a number of years on the basis of aclear track record of competence andcredibility.68 Other studies have suggestedthat trust is more likely to be strong where:
• institutions are clear about their objectivesand values;
• there is openness and transparency arounddecisions;
• decisions are clearly grounded in evidence;
76
68 Lofstedt and Rosa, The Strength of Trust in Sweden, UK and the US, Trustnet.
• public values and concerns are taken intoaccount in making decisions;
• sufficient information is provided to allowindividuals to make balanced judgements;and
• mistakes are quickly acknowledged andacted on.69
The recent experiences of a number ofleading businesses, for example Ford andFirestone in America and Coca Cola inBelgium,70 provide a practical illustration ofhow quickly public confidence can bedamaged if some of these factors areoverlooked.
5.8 Concerns about public confidence canoften go beyond particular crises71 and caninfluence the handling of subsequent issues.Leading print journalists we interviewed saidthat, even though they themselves believedthat the government had acted in the publicinterest on MMR, its track record on BSE andother issues meant that this was not theperception of many of their readers.
The role of the news media5.9 As well as having a legitimatechallenge role, the news media are often the government’s main channel ofcommunication with the wider public on riskissues. Although there is much responsiblereporting, the news media can sometimesgive an unbalanced picture by selecting themost newsworthy aspects of a story. Forexample, in their reporting of the “flesh-eating bug” and the fuel blockade inSeptember 2000, sections of the news media
Handling and
communicating about
risks to
the public
77
69 For example, the Better Regulation Task Force’s Fourth Annual Report (Cabinet Office, October 2001) identified a number ofguidelines for risk communication, including acknowledging the problem, providing the public with evidence, and acknowledginggaps in information.
70 Ford and Firestone both suffered serious reputational damage as a result of their handling of a product recall in the United States.Coca Cola suffered similar damages in Belgium as a result of its response to consumer safety concerns about its products. These casesare discussed on the Regester Larkin website (www.regesterlarkin.com).
71 Professor David King, The BSE Inquiry: Lessons for Government, FST Journal, Vol. 17, No.2, July 2001.
exaggerated potential concerns. During thefuel blockade, this helped provoke panicbuying of fuel in some local areas, withpotentially serious consequences. In othercases, reports of increases in the likelihood ofcertain health risks have failed to indicate thescale, which would have put the risk intocontext. Where misreporting of risks hashappened, it has been more difficult for thepublic to gauge accurately the issues at stake,and for government to engage in aninformed public debate on the issues. Thereare a number of safeguards in legislation toensure fair and accurate reporting. Forexample, the Broadcasting Act 1990 requiresbroadcasters to report with “due accuracyand impartiality”. These safeguards are beingcarried forward into the Communications Bill,currently in draft, which will create a singleregulator, the Office of Communications(OFCOM), to take over the functions of thefive existing broadcasting regulators.
77
Declining trust in institutions5.10 All this is set against a background ofdeclining public trust in some institutions andin science (discussed in chapter 3). Theresults of a MORI survey in 1999 (set out inFigure 5.1 below) provide a snapshot of howthe public judged government’s handling of certain topical risks. This shows that levelsof public trust were generally low, evenwhere some risks (such as the Millenniumbug) were judged with hindsight to havebeen handled well.
5.11 Public attitude research has alsoshown that government Ministers andofficials are often trusted less than sources of
information that are seen to be independentof government. (This is illustrated by Figure5.2 below, which is taken from the samesurvey.) A study in 200172 found that 60 percent of the population believed that charitieswere more trustworthy than government.While these survey findings ignore the factthat governments have to make difficult andoften unpopular decisions in the publicarena, they show that it can be difficult forDepartments themselves to be seen asproviding credible information about risk,particularly in cases where the facts are indispute. The surveys also suggest that peopleare more likely to trust local and more visiblesources of information (such as GPs) thanmore remote sources such as governments.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
78
72 Charity Awareness Monitor/nVision, Base 1,050 adults, 2001.73 Research conducted by MORI Research Unit and BRU in January 1999. Cited in MORI, Public Attitudes to Risk, a research paper
produced by MORI for the Strategy Unit, February 2002.74 ibid.
Figure 5.1: Public assessments of the government’s handling of certain risks73
Care in the communityCrimePollutionGenetically modified foodMillennium bugFood safetyMis-selling of pensionsTransport accidentsSmokingHealthy dietHealth and safety at workImmunisationDrink driving
-2%-9%
-11%-13%-23%-25%-28%
+27%+26%+26%
+7%+3%
-44%
Government’shandling of risk
Which of these issues, if any, do you think have been handled successfully/unsuccessfully by the government?
Q
–Net successful (+%)
Trust mostTrust least
PoliticiansGovt. Ministers
SupermarketsFriends/family
Food manufacturersNewspapers
TelevisionGovt. scientists
MAFF civil servants
National Farmers UnionFarmersIndustry scientists 2%
23%15%
19%25%
5%
16%
28%
3%
19%41%
23%
57%
22%21%
18%17%
16%
12%
11%
9%
6%4%
2%
Trust on BSENow thinking about BSE, which two orthree, if any, of these sources would you trust most/least to advise you on the risks posed by BSE?
Q
Figure 5.2: Public trust in information sources on BSE74
The need for moretransparentand evidence-based decisionsabout risks that affect thepublic is widely recognised5.12 The need for greater openness andtransparency in decisions about risk has beenhighlighted by a number of commentators,including the Phillips Inquiry on BSE andboth the House of Lords and House ofCommons Select Committees on Science andTechnology.75 Lord Phillips suggested that“perhaps the most important single lessonwe learned is the importance of opencommunication of information to thepublic”.76 The recent Defence SelectCommittee report on Defence and Security inthe UK77 makes a number ofrecommendations about openness, andsuggests that information should be withheldfrom the public only where its publicationwould give rise to a specific and identifiablerisk. The NAO report into FMD78
recommends that the Department for theEnvironment, Food and Rural Affairs (DEFRA)should consult widely with stakeholdersabout its contingency plans for dealing withanimal diseases. In the private sector, thecontrasting experiences of Johnson &Johnson (over Tylenol) and Exxon (over thehandling of the Exxon Valdez oil spill)79
provide well-documented lessons to businessabout the importance of openness andtransparency in communicating about riskwith the public.
5.13 Baroness O’Neill explored the linksbetween openness, transparency and trust inher recent series of Reith lectures.80 Althoughshe questioned the case for wider availabilityof information, she argued that conditions oftrust were only feasible where individualscould check the information provided byothers. This suggests that the issue forgovernment is not necessarily to providemore information, but rather to expose itsdecision processes to public scrutiny in a waythat allows the public to understand andjudge the decisions it makes in the light ofthe balance of expert opinion on the natureand scale of the risk.
5.14 Important lessons have been learnedabout the value of evidence-based decisionmaking, openness and engagement,proportionality, consistency and targeting aspart of the government’s reform agenda. Thegovernment has taken a number of steps tolay the foundations for better decisionmaking about risks affecting the public.Principles of evidence-based decision making,openness and engagement are among thoseincluded in Better Policy Making.81 Theseprinciples are reflected in other cross-cuttingpolicy initiatives, such as the BetterRegulation Task Force’s (BRTF) Principles forGood Regulation.82
5.15 The debate over the precautionaryprinciple83 in recent years has helped todevelop a framework for handling risks incases where there is good reason to believethat there may be harmful effects and wherethere is significant uncertainty about thenature or scale of the risks involved. Recent
Handling and
communicating about
risks to
the public
79
75 See also House of Commons Select Committee on Science and Technology, Fourth Report: The Scientific Advisory System, March2001.
76 Lord Phillips, The BSE Inquiry: Lessons from the Inquiry, FST Journal, Vol. 17, No.2, July 2001.77 House of Commons Select Committee on Defence, Sixth Report: Defence and Security in the UK, July 2002.78 op. cit.79 Johnson & Johnson’s handling of the Tylenol incident, in which a number of its products were laced with cyanide, is widely regarded
as exemplary. For a discussion of both these cases, see Larkin, Strategic Reputation Risk Management, Palgrave MacMillan, 2002 andRegester and Larkin, Risk Issues and Crisis Management (Second Edition), Kogan Page, 2002.
80 Baroness O’Neill, Trust and Transparency, BBC Reith Lecture 4, 2002.81 op. cit.82 op. cit.83 A definition of the precautionary principle is contained in annex 9.
work by the Interdepartmental Liaison Groupon Risk Assessment (ILGRA) has helped clarifywhen the precautionary principle should beinvoked and how it should be applied. Whiletools such as the precautionary principle canact as a valuable aid to making judgementsabout handling risk, no decision frameworkcan remove the critical role of judgementbased on a careful assessment of the availableevidence and close involvement of relevantstakeholder groups.
5.16 The Code of Practice on Access toGovernment Information84 has set out a clearpresumption towards openness in all areas ofpolicy making, while recognising that someinformation needs to remain confidential.The Freedom of Information Act 2000, whichcomes fully into force in 2005, enshrinesthose principles in legislation. The Act will bea major tool of change within government
and is likely to provide a strong impetus foropenness in risk communication. In addition,Departments are now required to publishRisk Frameworks that set out how decisionsare made on risks that affect the public.
5.17 Recent studies by the Green Alliance85
and the National Consumer Council86 havehighlighted the benefits of publicinvolvement in policy decisions. Therecommendations later in this chaptersuggest that two-way communication onrisks that may affect the public should be anintegral part of the policy developmentprocess. This should help provide theinformation on stakeholder and user viewsthat form part of the routine risk assessmentprocess carried out before key decisions aremade.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
80
84 Lord Chancellor’s Department, Code of Practice on Access to Government Information, Second Edition, 1997.85 ESRC/Green Alliance, Steps into Uncertainty: Handling Risk & Uncertainty in Environmental Policy-Making, June 2000.86 National Consumer Council, Involving Consumers: Everyone Benefits, September 2002.
DNA Technology
SST
Electric Fields
D E S
N i t r o g e n F e r t i l i z e r s
R a
i o a c t i v e W a s t eC a m i u m U s a g e
M i r e
T r i c h l o r o e t h y l e n e
P C B s
s
S a t e l l i t e C r a s h e s
M e r c u r y
N e r v e G a s A c c i d e n t s
D - C O N
T r a n s p o r t
C o a l M i n i n g ( D i s e a s e )
L a r g e D a m s
S k y s c r a p e r F i r e s
H i g h C o n s t r u c t i o n
R a i l r o a d C o l l i s i o n s
l
c
o
h
o
l
c c i d e n t su t o R a c i n gu t o A c c i d e n t s
H a n d g u n s
F i r e w o r k s
S m o k i n gR e c r e a t i o n a l B o a t i n gD o w n h i l l S k i i n g
H o m e S w i m m i n g P o o l sE l e v a t o r s
l
c
o
h
o
l
T
r
a
c
t
o
r
s
S
n
o
w
m
o
b
i
l
e
s
S
k
a
t
e
b
o
a
r
d
s
S
m
o
k
i
n
g
(
D
i
s
e
a
s
e
)
C
a
f
f
e
i
n
e
s p i r i na c c i n e s
R u b b e r
u t o L e a d
A n t i b i o t i c sD a r v o n
D i a g n o s t i c
X - R a y s
O r a l C o n t r a c e p t i v e s
e
x
a
c
o
r
o
p
e
n
e
W
a
t
e
r
C
h
l
o
r
i
n
a
t
i
o
n
M
i
c
r
o
w
a
v
e
O
v
e
n
s
L
a
e
t
r
i
l
e
E f f e c t d e l a y e d
N e w r i s k
R i s k u n k n o w n t o s c i e n c e
G
l
o
b
a
l
c
a
t
a
s
t
r
o
p
h
i
c
C
o
n
s
e
q
u
e
n
c
e
s
f
a
t
a
l
N
o
t
e
q
u
i
t
a
b
l
e
C
a
t
a
s
t
r
o
p
h
i
c
H
i
g
h
r
i
s
k
t
o
f
u
t
u
r
e
g
e
n
e
r
a
t
i
o
n
s
N
o
t
e
a
s
i
l
y
.
r
e
d
u
c
e
d
R
i
s
k
i
n
c
r
e
a
s
i
n
g
I
n
v
o
l
u
n
t
a
r
y
D
D
T
F
o
s
s
i
l
F
u
e
l
s
C
h
a
i
n
s
a
w
s
E
l
e
c
t
r
i
c
W
i
r
i
n
g
&
A
p
p
l
.
(
F
i
r
e
s
)
C
h
l
o
r
i
d
e
E l e c t r i c W i r i n g & A p p l .
A number of Departmentshave issued guidance onrisk communication basedon research into publicperceptions about risk5.18 There has been considerable researchover the last 20 years, aimed at improvingour understanding of how people perceiveand react to risks. Figure 5.3 above, drawnfrom an influential study carried out in theUnited States,87 shows how public concernsare likely to increase significantly where the issues are unfamiliar or where theconsequences inspire dread, regardless of thelikelihood of the hazard. Other studies haveidentified that people are more likely toaccept or tolerate risks where they feel thatthey are taking them voluntarily or that theyhave a say in how the risks are managed. Ourown studies suggest that public perceptionsof empowerment are becoming increasinglyimportant in the handling of risks to thepublic. Annex 4 contains a more detaileddiscussion of the main thinking in relation topublic risk perception.
5.19 This thinking has helped to informguidance published by a number ofDepartments. The Department of Health(DoH) and ILGRA have published guidance toregulators and policy makers on riskcommunication, and HSE, in conjunctionwith other sponsors of the original research,is developing new guidance on riskcommunication based on recent researchinto the social amplification of risk. Thisguidance is well regarded by riskmanagement professionals withingovernment.
5.20 Research into public perceptions ofrisk has also helped to inform the ChiefScientific Adviser’s Guidelines 200088 and Code
of Practice for Scientific Advisory Committees,89
which provide guidelines on the presentationof scientific advice. While Guidelines 2000 hasachieved a high profile among science policymakers, the lack of a centrally placed sponsorfor risk has meant that guidance on riskcommunication has not been disseminated aswidely within government as it deserves.
Action is already being takenacross government to improveits ability to handle and communicate about risk to the public5.21 A number of Departments involved in risk management are taking a lead inincorporating principles of evidence-baseddecision making, transparency andengagement in their handling of risks to thepublic. For example, DEFRA has recentlyinvited stakeholder views on the design of its risk management strategy, throughparticipation at a risk seminar. In doing so, ithas been upfront about past mistakes andabout the principles guiding its newapproach.
5.22 The NHS Plan90 sets out DoH’s plansfor involving patients and the public in healthcare. This includes the creation of a newCommission for Patient and PublicInvolvement in Health, and a Citizen’sCouncil to advise the National Institute forClinical Excellence (NICE). Training on riskcommunication is provided for staff at alllevels in DoH through a unit based in thePublic Health and Clinical ServicesDirectorate.
5.23 A number of government agenciesoperate to published policies of evidence-based decision making, openness and
Handling and
communicating about
risks to
the public
81
87 Slovic, P. Perception of Risk, Science Vol. 236, 1987.88 Chief Scientific Adviser, Guidelines 2000: Scientific Advice and Policy Making, Office of Science and Technology, July 2000.89 Chief Scientific Adviser, Code of Practice for Scientific Advisory Committees, Office of Science and Technology, December 2000.90 Department of Health, The NHS Plan: a Plan for Investment, a Plan for Reform, July 2000.
stakeholder engagement. For example, theFood Standards Agency provides open accesson its website91 to the research that hasinformed its decisions, and its Board sets thestandard for openness by meeting andmaking policy decisions in public. Since itsinception in 2000, public confidence in theAgency increased significantly, from 55 percent in 2000 to 61 per cent in 2001. HSE has published the principles that guide itshandling of risks to the public and employeesin the document, Reducing Risks, ProtectingPeople.92 The HGC has formal proceduresrequiring it to take advice from stakeholdersand the public before putting advice toMinisters. It uses a number of routes,including the Internet, to obtain views frommembers of the public to inform its ownadvice. These and other examples arediscussed in more detail in annex 7.
5.24 The Civil Contingencies Secretariat(CCS) is currently taking forward a number ofstrands of work to improve thecommunication and reporting of risks duringemergencies. It has set up a website, UKResilience,93 which provides ongoing access toinformation on a range of potential risks,including flooding, major accidents andterrorism. It has established planning andoperational relationships with the nationaland regional news media through the MediaEmergency Forum (MEF), which meets todiscuss the handling and reporting of majorincidents. By working closely with the newsmedia following 11 September, thegovernment was able to ensure balancedreporting of concerns about bio-terrorism,specifically around fears over the use ofanthrax.94 It has also developed a “tool kit”with the BBC to bring local radio stationmanagers and emergency planners andservices closer together in the interest ofproviding factual information to the public
during crises. The CCS involves mediarepresentatives wherever possible in planningmeetings and is developing, through theGovernment News Network, close relationswith the local broadcast media.
However, there is still roomfor improvement5.25 The Strategy Unit study has identifiedthree main areas where there may be scopefor improvement:
• more openness in providing access toinformation about risks to the public andabout where Departments have mademistakes. This does not necessarily meanpublishing every detail about every risk,but suggests that Departments shouldfocus on issues where public concerns arehighest. Our analysis suggests thatconcerns are particularly marked wherethere is uncertainty about the nature orscale of the risk, for example over GMfoods, or where there is public disputeabout the issues, such as over MMR. Inthese circumstances, members of thepublic are least likely to trust theinformation they receive, and more likelyto want to know the assumptions thatDepartments have used to inform theirjudgements;
• more transparency about the processesused to reach decisions. Our analysissuggests that scepticism tends to behighest where members of the publicperceive themselves or their families to bedirectly at risk, for example over vCJD, orwhere they cannot perceive direct benefitsto them, such as with GM foods. In thesecircumstances, Departments may need toreview whether they are doing enough toaddress this – in particular, by
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
82
91 Available on http://www.food.gov.uk/science/research92 HSE, Reducing Risks, Protecting People: HSE’s Decision Making Process, 2001.93 http://www.ukresilience.info94 The MEF’s report on communications issues arising from the events of 11 September, published in June 2002, can be found on
http://www.ukresilience.info/mefreport.htm
demonstrating that the approach they aretaking is based on firm evidence, isresponsive to public concerns, and is opento acknowledging uncertainty or dissent;
• more systematic involvement of the publicin decisions about risks that affect them orconcern them. This is closely linked to theissue of empowerment discussed earlier inthis chapter. A number of people weinterviewed during our study, both withinand outside government, observed thatcommunication is not always fullyintegrated into Departments’ riskmanagement strategies, and that in somecases it is something of an add-on. Threespecific concerns were raised in our studyin relation to communication with thepublic about risks they face:
– communication needs to start earlier inthe policy development and decisionprocess, wherever possible whenframing decisions are being made. Anumber of NGOs told us that they werefrequently approached for commentson a narrowly defined solution to riskissues, rather than being involved earlyon in analysing the problem and therange of options available for tackling it;
– communication with the public on risksthat affect them needs to be agenuinely two-way process. NGOs havesuggested that a one-way approach torisk communication is more likely toincrease public anxiety about risks thanto provide reassurance; and
– involvement of the public in decisionsabout risks, both formal and informal,needs to be as widespread andbalanced as possible. Stakeholders wespoke to suggested that, by restrictingformal consultation to their usual list ofcontacts, Departments were morevulnerable to “group think” and as a
result, key risks were sometimes missed.Similar concerns were voiced aboutinformal soundings such as publicattitude surveys, with one politician wespoke to suggesting that Departmentssometimes confuse market research withgenuine involvement in the decisionprocess.
5.26 In the recent past, arm’s-length bodiessuch as the Monetary Policy Committee(MPC), Food Standards Agency and FinancialServices Authority have shown that they maybe better able to sustain public trust andeffective decision making in handling certainrisks. There may be scope for extending therole of bodies of this kind in other areaswhere issues of public trust are paramount.
5.27 Most of those we consulted agreedthat government’s ability to handle risk to the public would be improved by moreopenness, transparency and engagement.The examples of the Danish and Swedishfood standards agencies and the experienceof the UK Food Standards Agency so far (atannex 7) suggest that, where this has beendone, public trust has been maintained andpotentially damaging or costly crises havebeen avoided. They also suggest that thepublic will become more accepting of anopen approach towards uncertainty, and thatthis will enhance the government’s ability tolead. Although there is a risk that the mediamay use information from a more openapproach towards uncertainty to portraygovernment as uncertain and weak, BSE andother cases demonstrate that the potentialdamage to public confidence by being toocategorical is far greater.
...but there are also concerns5.28 We heard a number of concerns aboutthe practicalities of a more open and
Handling and
communicating about
risks to
the public
83
inclusive approach to handling risks to thepublic. A number of Departments mentionedthe resource-intensive nature of involving thepublic and stakeholders and the risk of“consultation fatigue” among respondents.While some NGOs we interviewed mentioned“consultation fatigue” as a concern, this wasgenerally only seen as an issue where theywere asked to comment on what they saw asirrelevant or narrowly defined issues. Thissuggests that consultation about risks needsto be more carefully planned and targeted byDepartments as part of a broader riskcommunication strategy. Other respondentscommented that effective involvement oftenrequired investment in capacity and skills –particularly in contacting hard-to-reachgroups and in explaining the significance ofthe choices involved where the issues arehighly technical or complex.
5.29 A number of Departments we spoketo said that a widespread lack ofunderstanding about basic risk conceptssometimes made it difficult for them toconduct an informed public debate aboutrisks. The most frequent areas of concernwere low levels of awareness aboutprobabilities – leading to disproportionatelevels of concern about high-impact, low-probability risks – and a reluctance to acceptthat no activity could be entirely “risk free”.
Departments and agenciesshould make earning andmaintaining public trust apriority when dealing withrisks to the public5.30 This will require action in a number ofareas, including more openness andtransparency, wider engagement ofstakeholders and the public, wider availability
of choice and more use of arm’s-lengthbodies to provide advice on risk decisions.The focus is on the handling of risks thataffect the public directly – such as risks tohealth, property, investments or theenvironment. It is not intended to coverinternal business management risks unlessthese are likely to result in significant risks tothe public or environment. Detailedrecommendations to support this objectiveare set out in the sections below.
As a first step towards earningpublic trust, governmentshould publish its principles for handling risks to the public(rec.37)5.31 Government should publish itsprinciples for handling and communicatingabout risk to the public. These should includeprinciples of evidence-based decision making,transparency and communication with thepublic and stakeholders. The aim of theprinciples would be to provide a clear steerto all decision makers within government, aclear statement of where responsibility shouldrest in managing risk, and a benchmark forParliament, the media and NGOs againstwhich to assess Departments’ performance. A set of suggested principles, building on thethemes discussed in this chapter, is set out at the end of the chapter.
5.32 We recommend that these principlesare published by the Risk Support Team forwidespread consultation in autumn 2002, aspart of the two-year programme of changedescribed in paragraph 4.3.24. The newsmedia should be invited to participate in theconsultation.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
84
Departments should developaction plans to implementthese principles (rec.38)5.33 Departments should implement theseprinciples as part of their wider action toimprove risk management set out in chapter 7. They will need to ensure that theprinciples apply across the range of publicservices for which they are responsible. Thiswill be particularly important where theDepartment’s business is directly related tohandling risks to the public, such as safety orhealth. While it may take a number of yearsto increase levels of public trust significantly,there are a number of steps that can betaken now to address some of the keyunderlying issues.
5.34 Action to implement these principleswithin Departments and their agenciesshould be co-ordinated, along with other riskmanagement action, by risk improvementmanagers. (These are proposed in chapter4.4.) Risk improvement managers should alsoensure that these principles are reflected intheir Departmental Publication Schemesrequired under the Freedom of InformationAct 2000, and in their Departments’published Risk Framework documents. TheRisk Support Team should consider whetherexisting guidance on Risk Frameworks needsto be updated to refer more explicitly toprinciples of openness and transparency.Departments’ action to improve riskcommunication should include the elementsin paragraphs 5.35–5.49.
Access by the public to informationabout the risks that affect them(rec.38a)5.35 Departments’ communication aboutrisk should be based on principles ofopenness and transparency. Unless there areclear grounds for exemption, Departmentsthat handle risks to members of the publicshould publish their risk assessments(discussed in chapter 4.2), and also theunderlying facts, assumptions, sources ofinformation and procedures behind them, asearly as possible to enable public scrutiny totake place, as they will be required to dounder the Freedom of Information Act. Oneway that Departments can be more open isto publish the values, including the valueplaced on saving human lives, that haveinformed major investment decisions.Departments should also make public theirplans for handling major risks, as DEFRA hasdone with its interim contingency plans fordealing with FMD and for responding to therisk of BSE in sheep.95 When information mustbe kept private, for example for reasons ofnational security, Departments must explaintheir reasons and consider what otherinformation can be published to enable thepublic to judge the extent of the risk.
5.36 Similar principles should apply to thehandling of risks where the issues areuncertain or unknown. In these cases,Departments should be open about areas ofuncertainty, what assumptions they haveused, and what they are doing to fill the gapsin their knowledge.
Handling and
communicating about
risks to
the public
85
95 This follows a similar recommendation by the NAO in its report, The 2001 Outbreak of Foot and Mouth Disease (op. cit.). While theinterim arrangements draw on the experience of those involved in the recent crisis, DEFRA aims to develop a contingency plan thatcan be used in the future by those with no such experience, and to adapt this plan for other animal diseases.
Two-way communication, to enableearly and widespread involvement indecisions about key risks (rec.38b)5.37 Risk improvement managers shouldensure that their Departments have systemsto involve stakeholders and the wider publicin decisions about key risks affecting thepublic. Communications should beconsidered at the start of the policydevelopment process for major policiesinvolving risk to the public. Departments’communication strategies should plan for aprocess of stakeholder and wider publicengagement on key risks. Where possible,this process should begin when the key issuesare framed, and allow public discussion of arange of possible solutions. This will beimportant, not only to ensure that thesolution is widely accepted, but also as amatter of principle to ensure that individualshave a say over the management of risks thataffect them. Organisations such as the FoodStandards Agency have developed checkliststo ensure that a full range of views are takeninto account in policy decisions, and that keyissues are not missed.96 DEFRA’s consultationon the handling of radioactive waste and itsrecent announcement that it will facilitate apublic debate on GM crops, provideexamples of programmes of stakeholderengagement that begin with open discussionof the key underlying issues, principles andchoices.
5.38 The extent to which Departmentsneed to involve the public in the decisionprocess will depend on each particular case,and no one approach is likely to suit allrisks.97 A more participative approach is likelyto be needed where there are potentialconcerns that a risk is being imposed on thepublic with little perceived benefit in return.In such cases, Departments may wish to
consider using some of the followingapproaches:
• involving members of the public instakeholder forums and focus groups tohelp define issues and frame key decisions.DEFRA’s consultation on its riskmanagement strategy provides anexample of the use of a stakeholder forumto help define issues at the start of thecommunication process;
• using groups from a wide range ofbackgrounds to evaluate information,provide advice or take decisions in areaswhere risks occur frequently. HGC and the Agriculture and EnvironmentBiotechnology Commission (AEBC) areexamples of advisory bodies with a broadly-based membership;
• exploring new ways of involvingstakeholders and the wider public, inparticular using the Internet to obtainviews direct from the public. HGC’swebsite provides an example of thisapproach. The Risk Support Team should,as part of its work to develop a network ofDepartmental risk improvement managers,encourage Departments to share bestpractice and expertise with each other;and
• exploring the scope for allowing decisionsto be taken at a local or regional level,where it is often more feasible to engageand involve individuals in specificdecisions.
Targeted public involvement, informedby systematic identification andevaluation of the risks most likely tocause public concern (rec.38c)5.39 We recommend that Departmentsshould develop the capacity to identify which
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
86
96 The Food Standards Agency’s checklist is reproduced in annex 7.97 The Cabinet Office has recently published Viewfinder: a Policy Maker’s Guide to Public Involvement, on the Policy Hub website
(www.cmps.gov.uk/policyhub), which includes advice on selecting the right approach to public involvement. The NationalConsumer Council’s report, Involving Consumers (op. cit.), also contains recommendations about approaches to involving consumers.
risk issues are likely to generate the mostpublic concern or require public co-operation to tackle. This action shouldfocus their efforts on risk communication.The information should be fed intoDepartments’ risk registers andcommunication strategies, to enable earlyand widespread public involvement indecisions of key concern to them and avoidthe risk of “consultation fatigue” on otherissues.
5.40 Monitoring of public concerns shouldbe carried out as part of Departments’horizon-scanning work, which is discussed inmore detail in chapter 4.2. It should includethe systematic monitoring and analysis ofpublic attitudes, values and concerns, to pickup issues that might otherwise be missed.Approaches for tracking and forecastingpublic concerns could include:
• media scanning, public attitude surveysand interviews with service users across thebroad range of the Department’sresponsibilities;
• scenario planning; and
• the use of focus groups to gain a morethorough understanding of underlyingpublic concerns on specific issues.98
5.41 Departments should also considerproviding incentives for wider participation inpublic attitude research, particularly amongmarginalised groups, to ensure that theirviews are adequately reflected in riskassessments. DEFRA’s Rural Affairs Forum is anexample of a step taken to ensure that thevoice of the rural community is properlyreflected in policy decisions that affect them.
Increased availability of choice forindividuals in managing the risks thataffect them (rec.38d)5.42 Chapter 2 suggests that responsibilityfor managing risks should be allocated tothose who are in the best position to controlthe risk. In many cases, individuals will bebest placed to manage the risks that affectthem and will expect to be able to do so. Ithas long been accepted that individuals aremore likely to tolerate a risk when theyperceive that they are able to control theirown exposure to it.99 (The theme ofempowerment is discussed earlier in thischapter, and is closely linked to the theme ofpublic involvement discussed in theparagraphs above.) This suggests that, evenwhere exposure to risk is inevitable,individuals are more willing to accept itwhere they have a role in choosing how bestto manage it. DoH has recognised thisprinciple in the NHS plan, and has an explicitpolicy of providing greater patient choice inpublic health care provision.
5.43 Where Departments have policyresponsibility for handling risks that directlyaffect the public, they should consider thescope for increasing the availability of choiceto individuals, supported by relevantinformation and advice. The availability ofchoice should not, however, place an unfairburden on the individual or expose others tounacceptable risk. Departments should alsoconsider the advantages and disadvantagesof providing increased choice, including thefinancial implications. Where new optionscost more, Departments should considerwhether individuals who choose the moreexpensive options should bear part or all ofthe increased costs.
Handling and
communicating about
risks to
the public
87
98 HSE is currently developing a model framework for gauging societal concerns, which is intended to be used alongside survey andfocus groups to help Departments identify emerging concerns about individual risk issues.
99 Starr, Chauncey, Social Benefit vs. Technological Risk: What is our Society Willing to Pay for Safety? Science, Vol. 165, 1969.
Clear procedures for communicatingin crisis conditions (rec.38e)5.44 The Civil Contingencies Committeehas recommended that Departments shouldhave robust and tested crisis communicationstrategies as part of their contingency plansthat are capable of engaging effectively withkey stakeholders and the wider public. Werecommend that Departments strengthentheir links with the News Co-ordinationCentre within the Government Informationand Communication Service (GICS), whichprovides advice and support to Departmentsin dealing with disruptive situations. Whilethe lead role should remain with the homeDepartment, improved links with the NewsCo-ordination Centre should help ensuregreater consistency in crisis communicationacross government. Where misreporting bythe media is a concern, Departments shouldconsider making more use of more directchannels of communication, such as theInternet. Where they are already using theInternet to provide information, Departmentsshould consider how this medium can beused to its full potential, for example byenabling users to sign up to receive regular e-mail updates on a particular issue.
5.45 It will help Departments’ handling ofcrises if an existing base of trustedinformation and knowledge is already in thepublic arena. The CCS website, UK Resilience,has the potential to be a pivotal source ofauthoritative information in crises, both forthe news media and the public, and avaluable aid to Departments. To be effective,though, it will need to maximise its publicand media profile. Departments can helpraise the profile of UK Resilience by makingactive use of it and reference to it in futurecrisis communication.
5.46 Departments may also develop active,ongoing, two-way communication strategies,
both with the news media and the widerpublic, in areas where public input todecisions is likely to be critical, for example asDoH does in relation to vaccination policy.Where emerging risks have a regional or localdimension, Departments should considerengaging regional bodies or local authoritiesin early discussions. DEFRA has recentlyconsulted publicly on its revised interimcontingency plan for FMD, and the plan isnow available on its website for publicscrutiny and comment. Organisations such asthe Food Standards Agency have developedparticular expertise in involving stakeholdersin discussions about the risks that theymanage. The Risk Support Team shouldconsider the scope for drawing on theirexpertise to help other Departments establishsimilar forums. The Food Standards Agencyhas already indicated that it would be willingin principle to share its experiences throughsuch a forum.
Improved use of information providedby trusted impartial sources (rec.38f)5.47 Departments should consider thescope for making more use of informationprovided by arm’s-length bodies where thereis a high degree of uncertainty or dissentabout a risk. This will make it easier forpeople to distinguish between facts,assumptions and judgements. Examplesinclude information published byindependent agencies, leading academics,industry bodies and NGOs, as long as theyhave a reputation for impartiality. In addition,Departments should consider making moreuse of local channels of information, such asGPs, to put across key messages on riskissues. Departments should also protect theintegrity of advice of experts such as thegovernment’s Chief Scientific Adviser, ChiefMedical Officer or Chief Veterinary Officer,and of arm’s-length government
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
88
organisations such as the Food StandardsAgency, by being clear about the source ofthe information provided and the existenceof conflicting expert views.
Improved dialogue between scientificand lay interests (rec.38g)5.48 The Chief Scientific Adviser hasalready recommended that scientific advisorycommittees include at least one lay memberand should where necessary seek advice oncommunicating about risk issues.100 Werecommend that this principle should extendto other types of risk advisory or decision-making bodies, where issues are known to beuncertain or raise ethical or social questions.Risk improvement managers should makearrangements to ensure that expert bodiesthat advise on risks to the public contain abroad-based membership and have access toadvice on risk communication.
Integration with other elements ofDepartments’ risk managementstrategies (rec.38h)5.49 Chapter 4.4 recommends thatDepartments should review their competenceframeworks. Where they do so, werecommend that they consider whetheropenness and transparency are adequatelyreflected in their frameworks – for example,as components of other competencies suchas “working with people” or “customerservice”. Chapter 4.4 also recommends a“standard” for all training on risk issues. Werecommend that training on riskcommunication is included in this standard.Departments that deal frequently with risksto the public should consider adopting DoH’sapproach in providing tailored training onrisk communication to relevant staff.
Existing guidelines on riskcommunication should beconsolidated and targeted to a wider range of specificaudiences (rec.39)5.50 We recommend that guidance on riskcommunication, reflecting the principlesproposed in this report and those of theFreedom of Information Act, should be issuedacross government as a whole. Steps shouldalso be taken to ensure that it is adopted andfollowed by units involved in handling risksthat affect the public. We recommend thatthis work is taken forward by a project teamwithin the Risk Support Team, as part of thetwo-year risk management improvementprogramme described in chapter 4.3. Theproject team should have a thoroughunderstanding of the media and experienceof dealing closely with stakeholders, a clearunderstanding of how the public perceiveand respond to risks, and should be able toinfluence the behaviour of Departments. Itwill need to draw on expertise alreadyavailable within government, for examplewithin the Office of Science and Technology(OST), HSE and DoH. The project teamshould consider how specific messages canbe targeted at key audiences such ascommunications staff, how attitudes to riskcommunication can be influenced throughother measures such as training, and howguidance can be kept up to date in the lightof research and lessons learned. This workshould inform action to change the culture ofrisk thinking within government, described inchapter 6.
Handling and
communicating about
risks to
the public
89
100 Cheif Scientific Adviser, Guidelines 2000, op.cit.
Current initiatives should bedeveloped to improve levels ofpublic and news mediaunderstanding about riskconcepts (rec.40)5.51 Current guidance provides somepractical pointers to Departments incommunicating about the more complexaspects of risk issues, and we recommendthat risk improvement managers ensure thatthis advice is followed in their Departments.We also recommend that the Chief ScientificAdviser considers what steps can be taken,for example as part of Departments’ riskcommunication action plans, to helpmembers of the public and the news mediato evaluate conflicting or new scientificadvice. One option would be to raise theprofile of the peer review process, where newscientific research is scrutinised by otherexperts to ensure that it is based on rigorousanalysis.
5.52 The teaching of risk concepts inschools, introduced into the NationalCurriculum in England in September 2000,provides a cost-effective way of improvingthe ability of the public to recognise andassess health and safety risks. We recommendthat this programme should be developed toinclude broader categories of risk likely to beencountered by the public. It should alsoinclude the wider consideration of the rightsand responsibilities of individuals in relationto risks. HSE should discuss with theDepartment for Education and Skills (DfES),the National Assembly for Wales and theScottish Executive, the scope for building thisinto the existing programme in a way thatdoes not put additional pressure on thecurriculum.101
Government should work withthe media and regulators toimprove the accuracy ofreporting of crises (rec.40a)5.53 The CCS should continue its workwith all sections of the news media toimprove the handling of reporting of crises.Work should continue with the MediaEmergency Forum, ensuring that commercialradio is fully involved. The News Co-ordination Centre, as part of its dialogue withthe Commercial Radio Companies Associationand Independent Radio News, shouldunderline stations’ responsibilities at times ofcrisis and propose a model of joint workingduring emergencies along the lines of the“tool kit” developed with the BBC. It shouldalso consider the scope for agreeing aprotocol with commercial radio on reportingof emergencies. We also recommend thatregulators, including the Office ofCommunications (OFCOM), review whetherthey are giving sufficient priority in theirmonitoring activity to ensuring that reportingof crises by the news media is accurate andimpartial.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
90
101 This is in line with Action Point 33 of the Health and Safety Commission’s Revitalising Health and Safety Strategy Statement,June 2000.
Principles of managing risks tothe public102
Government should follow five principles inmanaging risks to the public:
• Openness and transparency
• Engagement
• Proportionality and precaution
• Evidence
• Responsibility
Government will be open andtransparent about its understandingof the nature of risks to the public andabout the process it is following inhandling themGovernment will publicise its assessments of risksthat affect the public, and explain what data,assumptions, values and methods it has used, andhow it will handle the risk. When information hasto be kept private, government will explain why.Where facts are uncertain or unknown,government will make clear what the gaps in itsknowledge are, set out clearly the assumptions ithas used, and outline the action it is taking to fillthe gaps. It will be open about where it has mademistakes, and what it is doing to rectify them.
Government will seek wideinvolvement of those affected by risksin the decision processGovernment will actively involve a wide range ofrepresentative groups, and the public, throughoutthe risk identification, assessment andmanagement process. Two-way communicationwill be used in all stages of policy development,risk assessment and risk management.
Government will act proportionatelyin dealing with risks to the public,and will take a precautionaryapproach where necessaryAction taken to tackle risks to the public willbe proportionate to the level of protection
needed, consistent with other action, andtargeted to the risk. Regulations on risks tothe public will meet the principles set out inthe Principles of Good Regulation. Governmentwill apply the precautionary principle wherethere is good reason to believe that harmfuleffects might occur, and where scientificevaluation of the consequences andlikelihood reveals such uncertainty that it isimpossible to assess the risk with sufficientconfidence to inform decision making.Decisions reached by invoking theprecautionary principle should be activelyreviewed, and revisited when furtherinformation that reduces uncertaintybecomes available.
Government will seek to basedecisions on all relevant evidenceGovernment will identify and assess risks tothe public as a core part of its business. It willaim to ensure that all relevant factors havebeen taken into account, includingperceptions of risks faced and publicconcerns and values. It will seek impartial andinformed advice wherever possible. Where itreceives conflicting advice, it will clarify theissues through open discussion. It will not usethe absence of evidence alone to prove theabsence or presence of threat, and willacknowledge alternative interpretations ofthe available evidence.
Government will seek to allocateresponsibility for managing risks tothose best placed to control them Where possible, government will ensure thatthose who willingly take risks also bearresponsibility for the consequences. It willconsider the need to regulate where risks areimposed on others. It will aim to giveindividuals a choice in how to manage risksthat affect them, where this does not exposeothers to unacceptable risk or cost.
Handling and
communicating about
risks to
the public
91
102 These principles are intended to complement existing published frameworks, including: the Freedom of Information Act; the Code ofPractice on Access to Government Information; the Principles of Good Regulation; and guidance on the production of Departmentalrisk frameworks.
6. THE ROLE OF LEADERSHIP AND CULTURE CHANGE
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
92
Summary
A sharper focus on risk needs to be led from the top by Ministers andPermanent Secretaries. This report identifies a number of roles where topmanagement needs to take an active lead:
• driving implementation of the improvements in risk management setout in the report;
• taking key judgements and providing clear direction;
• ensuring that managers are equipped with skills, guidance and othertools;
• supporting innovation; and
• ensuring clear accountability for managing risks.
Experience elsewhere suggests that getting the culture right is essential tomanaging risk effectively. Despite recent efforts, government is often seenas having a risk-averse culture, and as being frequently unaware of the risksit takes. While the nature of government’s business can often requiregovernment to be more cautious than many businesses, there areavoidable factors that could hamper well-judged risk taking. These include:
• mismatches between accountability, responsibility and authority to act;
• the nature of performance incentives in use within Departments; and
• a perception that the high profile given to failure by the PublicAccounts Committee (PAC) and the media remains a significantdeterrent to positive risk taking, despite PAC and National Audit Office(NAO) support for “well managed risk taking”.
A sharper focus on risk willrequire leadership from thetop of government6.1 This chapter outlines the critical roleto be played by leadership and culturechange in managing risk and opportunityeffectively. It draws on the analysis inprevious sections of this report, which hasidentified the need for changes to the waythat government handles risks to theachievement of its own objectives and to thewider public. In addition, the government’sown agenda for change has placed a highemphasis on improving innovation andentrepreneurship within the public sector.
6.2 A number of external factors are likelyto put pressure on government to improveits ability to take calculated risks. Theseinclude:
• increasing public expectations aboutacceptable levels of safety and about thelevel of services required fromgovernment;
• developments in other countries, forexample health care provision in France,that can serve to raise expectations withinthe UK;
• competition from private sector providersin areas of core public sector provision –for example in health care, education andpostal delivery; and
• the advent of new technology, providingopportunities for improving andstreamlining public services.
6.3 Chapters 4 and 5 recommend anumber of organisational and proceduralchanges to improve the government’scapability to handle risk. Chapter 4 outlinesa two-year programme to achieve thesechanges, which aim to lay a foundation for
the effective management of risk withingovernment.
6.4 These changes will not take rootwithout a strong lead from Ministers andPermanent Secretaries and action to developa culture in which well-judged decisionsabout managing and taking risks can bemade. In particular, a more open, transparentand inclusive approach to handling risks thataffect the public will require a culture that isitself more inclusive, more open to outsidescrutiny, and more open to acknowledgingmistakes. These two themes – leadership andculture change – are the main strands ofargument within this chapter.
Leadership has an important rolein improving risk managementwithin government6.5 Leadership was identified by a numberof senior officials we interviewed as a keyelement of effective risk management.Comments we received included:
• “Senior management buy-in is vital inembedding risk management throughoutan organisation.”
• “We have the intellectual andorganisational capacity to manage risk.Effective leadership is needed to embedthe practice into departmental culture.”
6.6 We have identified in earlier chapters anumber of areas where a lead from topmanagement will be critical:
• driving implementation of theimprovements in risk management set outin this report. Senior management willneed to be engaged in the development ofnew frameworks for managing risk withinDepartments and at the centre, and will
The role
of leadership
and culture
change
93
need to ensure that risk improvementmanagers and the proposed Risk SupportTeam have the support and engagementof Departments. Top level interest will addfurther momentum to embedding riskmanagement processes throughoutgovernment;
• taking key judgements and providing cleardirection. Proposals in chapter 4recommend developing a corporateapproach to risk management – involvingthe systematic monitoring of top-level risksand strategic decisions on the level of riskthat should be accepted. These processeswill require the ongoing involvement oftop management – in particular, inprioritising risks for action and in decisionsabout the organisation’s overall appetitefor risk;
• ensuring managers are equipped withskills, guidance and other tools. Theseissues are discussed in more detail inchapter 4.4;
• supporting innovation; and
• ensuring clear accountability for managingrisks.
We recommend that senior managers shouldtake an active lead in these areas (rec.41).The last two issues are discussed in moredetail in this chapter.
Organisational culture can alsoplay an important role6.7 In our discussions with leading privatesector companies, a number of underlyingvalues were suggested as contributingtowards building an effective riskmanagement culture within organisations. Inparticular, companies interviewed said thatthey placed a high value on:
• recognising individual responsibility andachievement;
• delivering results;
• accepting new ideas and ways of doingthings;
• rigorous and evidence-based analysis andjudgements;
• challenging established assumptions andprocedures;
• openness, transparency and honesty;
• understanding the needs of stakeholdersand customers;
• anticipating and sharing problems; and
• learning from mistakes and avoiding aculture of blame.
6.8 These values are by no means uniqueto risk. They are reflected in wider corporatestatements of vision and values, such as thosedeveloped by the Civil Service ManagementBoard (CSMB).
6.9 Chapter 5 suggests that a culture ofopenness and stakeholder engagement is animportant step towards building the levels oftrust necessary to communicate effectivelyabout risk. Moving towards greater opennessand transparency is itself a risky step, as itprovides government’s critics withammunition to use against it. To make thatstep less painful, government needs also todevelop a culture that is able to absorb andrespond positively to criticism.
Government is taking steps to develop a culture that supportswell-judged risk taking andinnovation6.10 The need to encourage risk taking andinnovation within government has beenrecognised as an important element of the
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
94
suggests that risk aversion in the publicsector is perceived to be a common featurein many other countries. Nonetheless,leading figures in a number of governmentsabroad have taken steps to raise the profile ofrisk management within their organisations.
6.14 In Australia, the Auditor-General hasmade a point of emphasising the need forrisk management as an integral part ofeffective corporate governance withinDepartments, authorities and government-owned corporations for almost 10 years. InCanada, the head of the Civil Service hasspoken publicly on several occasions of theimportance of addressing risk and supportingrisk taking in the public services.
6.15 This lead has been followed up byaction in these countries. The Comcoverscheme,105 developed by the Commonwealthto improve the management of insurablerisks, is beginning to provide new incentivesfor public sector organisations to managerisks effectively. In addition, Australia andNew Zealand led the way in developing riskmanagement standards in 1995. These andother examples are set out at annex 8.
Developments are also takingplace in the private sector6.16 Our discussions with risk managementprofessionals in the private sector suggestthat many of the issues raised during ourstudy are not confined to the public sector. A number of firms we spoke to thought thata culture that supports effective riskmanagement is still at a relatively early stageof development in many parts of the privatesector. Nonetheless, all businesses weinterviewed agreed that getting the cultureright is essential to managing risk effectivelywithin organisations.
The role
of leadership
and culture
change
95
programme of Civil Service reform launchedin 1999. In a speech in May 1999 on thefuture of the Civil Service, Sir Richard Wilsonsaid:
“Encouraging and nurturing innovation in theCivil Service is one of the most importantchallenges which we face… We want to look atconcepts of accountability and make sure thatthey do not reward too highly the “safe” way ofdoing things, at the expense of improving ourservices. Risk is not an easy concept when dealingwith the taxpayers’ money but it is clear that weneed to explore new ways of introducing a moreprofessional approach to risk management.”103
6.11 The initial two-year programme ofwork has now ended. Tangible progress hasbeen reported in all areas.104 All Departmentsnow have large change managementprogrammes, which are starting to make adifference, and a number have started toproduce innovative and customer-focusedservices. However, there is scope for moreimprovement in changing the culture aroundrisk, particularly in policy making andstrategic business planning.
6.12 In parallel with the programme of CivilService reform, the Treasury has taken steps tostrengthen and clarify lines of accountabilityacross government through the developmentof Public Service Agreements (PSAs) withDepartments. By linking resources to theachievement of three-year headline targets,these agreements provide a powerful tool forencouraging Departments to develop newand innovative approaches to delivering publicservice objectives.
Similar steps are beginning tobe taken abroad6.13 Feedback from our survey on attitudestowards risk internationally (see annex 8)
103 Wilson, Sir Richard, The Civil Service in the New Millennium, May 1999.104 Cabinet Office, Civil Service Reform: Making a Difference, December 2001.105 See chapter 4.2.
6.17 A number of leading businesses haveexplicit policies, driven by top management,to raise the profile of risk management withintheir organisations and to link riskmanagement objectives to their businessstrategies and culture. All of the firms weinterviewed emphasised that a strong leadfrom the top of the organisation, supportedby effective internal communications, isessential to getting the culture right.
6.18 Summaries of the approaches takenby some private sector organisations are setout at annex 7. Examples include:
• Reuters, which has introduced a BusinessRisk Management process to identify,evaluate and manage risk; like thebalanced scorecard, this is linked tobusiness objectives;
• Unilever, which has linked risk takingdirectly to its “Path to Growth” businessstrategy. Its risk management process hasbeen positioned as a fundamental tomeeting its business goals. Niall Fitzgerald,Chairman of Unilever, made these linksexplicit:
“Enterprise is about being prepared to gofor it – it’s about having a real passion forwhat you are doing and wanting to win.It’s about being courageous and takingrisks. Accepting that when you take risksyou can make mistakes, but that these canprovide a rich learning opportunity.”;106
• BP, in which senior management havemade explicit their view that superiorperformance is delivered through superiorrisk management. The senior managementpolicy is “we want no surprises”; and overthe last nine years they have undertaken amajor culture change programme tocreate a more risk conducive culture,focused on clearer accountability butaiming to avoid “blame”; and
• Diageo, whose risk management objectivesare explicitly business driven: “becauseshare prices reflect the market’s perceptionof risk and standards of governance;because consistently exceedingperformance expectations means avoidingthe things that can go wrong; andbecause being the best means intelligentrisk taking.”
A number of factorscontribute to effective risktaking and management6.19 A number of Departmental staff weinterviewed thought that the culture withintheir organisations supported them inmanaging risks and opportunities. Theysuggested that a more confident approach intaking risks and grasping opportunities ispossible where:
• there is a clear drive from Ministers or thePermanent Secretary for service deliveryimprovement or for the development ofnew policies;
• the body has a focused remit (for examplein many government agencies);
• budgets, responsibility and authority arealigned (for example in the preparatorywork by the Health and Safety Executive(HSE) for its risk governance framework);
• the leader encourages and is able toreward innovation (for example inPartnerships UK, where a substantial partof staff salaries are related toperformance); and
• staff can produce new ideas in theknowledge that they will be supported ifsensible risk taking goes wrong.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
96
106 Fitzgerald, Niall, “Path to Growth”, January 2001.
Organisational culture canhamper effective risk takingand management6.20 Organisational culture was also seenby a number of those we interviewed as oneof the main potential barriers toimplementing the proposed new approachtowards risk management withingovernment. In contrast with some leadingprivate sector firms, the culture withingovernment has often been characterised asbeing risk averse, lacking in innovation, andexcessively concerned about failure andblame.
6.21 This has been seen by some externalcommentators as leading to a reactive anddefensive approach to risk taking andmanagement, which places disproportionateemphasis on inaction in the face of changeand can take the form of a “bunkermentality” in times of crisis. This was not,however, a universally held view. The NAO,for example, sees the main problem as a lackof understanding of risk and riskmanagement107 (see paragraphs 6.32–6.33below).
6.22 There was evidence to support bothviews from the interviews we carried outduring our research. These suggest that anumber of the characteristics identified in theModernising Government White Paper 108 in1999 and by the NAO in 2000109 are stillprevalent. Typical examples include:
• high importance being given to protectingsenior officials and Ministers from mistakes(this point was made a number of timesduring our interview programme);
• an emphasis on identifying potentialproblems rather than focusing onopportunity;
• a focus on crisis management rather thanforward planning;
• unwillingness to be open about risks toprojects; and
• a tendency to take decisions either toembark on risky programmes or toexercise caution without undertaking aproper risk assessment.
There are a number ofunderlying factors...6.23 A number of underlying reasons forthe prevalent attitudes towards risk withingovernment were suggested to us during thecourse of our research.
Nature of government’s business6.24 The perception that government is riskaverse can be partly explained by the natureof government’s business. In the private andcommercial sector, effective risk handling is inlarge part driven by the need to grasp well-judged business opportunities. Companiesthat fail to act well in these twin areas faceserious consequences. There have been well-documented examples from large privatesector organisations – ICI in the 1980s, IBMin the 1990s and, until recently, Marks andSpencer – of the problems that flow fromlosing innovative edge.
6.25 The public sector is not so obviouslydriven by competition in the marketplaceeither to innovate or to anticipate andmanage risk effectively. Government has tomanage a far wider portfolio of issues thanmost businesses, with far more limited scopeto shed existing responsibilities or to diversifyinto new areas. Most significantly, theexternal pressures facing it are more oftenlikely to require it to take a cautious
The role
of leadership
and culture
change
97
107 NAO, Supporting Innovation, op. cit.108 Cabinet Office, The Modernising Government White Paper, op. cit. (p.11).109 NAO, Supporting Innovation, op. cit.
approach, particularly in areas where thelivelihood or safety of individuals is directly atstake, such as the economy, national securityand public health. While investors are able tomatch the risk they are prepared to takeagainst the reward they expect, taxpayershave no such discretion, and are therefore farless likely to tolerate high-risk investmentsthat go wrong.
6.26 While there are differences betweenthe environments in which government andfirms operate, the need for well-judged risktaking leading to innovation and reward isnonetheless important in the public sector.The Organization for Economic Cooperationand Development (OECD) and otherinternational organisations producebenchmarks that allow the UK’s performanceto be compared with that of other countries,and the interest these generate can putpressure on governments to improve servicesin areas where their country’s performance islagging behind. Grasping opportunities todeliver better public service or innovating toimprove government’s business involveschange and therefore risk. In many ways, thegovernment has to take huge risks, oftenembarking on major change programmesaffecting millions of people, such as taxchanges or changes in the machinery ofgovernment, which by definition cannot betest-marketed.
6.27 While the nature of government’sbusiness often requires it to be more cautiousthan many businesses, there are avoidablefactors that could hamper well-judged risktaking. These are outlined below.
Unclear or incomplete lines ofaccountability6.28 Our research suggests that attitudestowards risk may be influenced by thestructure of accountability withingovernment. Issues raised include:
• mismatches between accountability,responsibility, and authority to act. Wherethese are not properly aligned, this canencourage individuals either to beexcessively cautious or to disregard key risks;
• the placing of accountability for all policydecisions, no matter how small, withMinisters. This can provide little incentivefor officials to innovate and couldencourage them to exercise excessivecaution to protect themselves fromcriticism from Ministers; and
• the organisation of responsibility andaccountability around individualDepartments, rather than aroundgovernment programmes, whichincreasingly require joint working betweenDepartments and other partners.In some cases, tensions betweenjoint responsibilities and individualDepartmental accountabilities can preventDepartments from exploitingopportunities, such as the opportunityto develop e-government strategies.
Performance incentives6.29 The nature of individual performanceincentives was also mentioned frequently bythose we spoke to as a potential barrier totaking well-managed risks. Althoughperformance-related incentives are used inmost Departments, these are seen to haveonly a limited influence on staff behaviourbecause they are based on performanceagainst a range of indicators and have only alimited effect on salaries. As a result, otherfactors tend to encourage risk-aversebehaviour. This was contrasted with thewidespread use of performance incentives ina number of private sector organisationswhich, when linked to the achievement ofprofit-related targets, encourage innovationand risk-taking behaviour.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
98
The role
of leadership
and culture
change
99
6.30 However, there may be limited scopefor using performance objectives toencourage risk taking and innovation in someareas of public policy. There are a number ofreasons for this:
• a risk-taking approach is not necessarilywhat is required in many areas of publicpolicy. In areas such as the management ofthe economy or health and safety, thepublic expects government to adopt aprudent approach;
• our research indicates that innovationworks best where there is a clearly definedremit (see paragraph 6.19 above). Whilesome public sector bodies (such as theFood Standards Agency) do have a clearlydefined remit, the remit for most centralpolicy departments is by necessity muchbroader and more fluid; and
• in many parts of government, theachievement of certain objectives – forexample reducing crime rates – relies onthe co-ordinated effort of a range ofDepartments and agencies across centraland local government. The need for co-ordination gives individual Departmentsless room in which to innovate, and makesit more difficult to identify and reward thecontribution of individual units.
6.31 Nonetheless, there is likely to be scopefor greater use of performance incentives toreward positive risk taking and underlinepersonal responsibility for avoiding crises. Thescope for their use is likely to be greatest inareas where there are clearly definedobjectives and where there is room for localdiscretion over delivery.
Weaknesses in risk managementprocesses6.32 The NAO argues that the main reasonDepartments are criticised on risk issues stemsfrom a weakness of risk management acrossgovernment, and from the fact that mistakesare often not learnt from. There is evidence tosupport this view from the Office ofGovernment Commerce’s (OGC’s) GatewayReviews of projects and programmes, where63 per cent of reviews found weaknesses inrisk management (the second most significantproblem area after skills shortages).
6.33 Sir John Bourn, the Comptroller andAuditor General, has commented that theproblem is more one of “risk ignorance” thanrisk aversion. He commented that:
“The problem is not that the Whitehall culture is risk averse…Rather it is risk ignorant. It takesthe most fantastic risks without knowing it isdoing so.”110
6.34 A number of NAO and PAC reportshave highlighted cases where there has beenno evidence that key risks were identified andassessed early enough or at all, and wherethere was a lack of contingency planning. Thechanges proposed in chapter 4 are intendedto help address these concerns, and givepolicy makers greater confidence ininnovation and taking risks, by making theconsideration of risk more systematic andexplicit in the key processes of government.
The role of the PAC and NAO6.35 The NAO and PAC have emphasisedtheir support for “well managed risktaking”.111 The NAO has said that “as theexternal auditor of government Departmentsthe NAO support well-managed risk takingintended to result in tangible benefits fortaxpayers”.112 It has issued a number of
110 Financial Times, 5 January 2000, quoted in Stanley, Martin, How to be a Civil Servant, Politico’s Publishing, August 2000,available at: http://www.civilservant.org.uk/updates.shtml
111 NAO, The Cancellation of the Benefit Payment Card Project, August 2000.112 NAO, Supporting Innovation, op. cit. (p.3).
taking, and ensure that their work lives up tothe spirit of statements made on attitudes toinnovation”.
6.38 The reasons behind these concernsappear to include:
• high profile of failure. The PAC hearings onValue for Money reports (around 50 ayear) inevitably and rightly focus mainly onpotential failure. The media then tend toamplify the messages arising. This gives amuch higher profile than, for example,Select Committee reviews of Departments’overall performance against objectives,which are by their nature more likely toreach a balanced view across the piece.This effect (an unbalanced profile of goodand bad news) is of course not unique togovernment, but it appears to be morepronounced. This may be because a failureof public services is likely to have a moresignificant and deeply felt impact than abusiness failure, due to the fundamentalnature of public services and the relianceof service users on them. Even so, there isa perception of an unduly unbalancedsituation which, officials report, inhibits risktaking; and
• dangers of hindsight. Although NAOreports are agreed with Departments,scrutiny taking place after the event canmake it difficult to understand the contextin which decisions were made, especially ifthere is insufficient evidence of why certainjudgements or courses of action weretaken at the time. Comments fromDepartmental Board members includedthe need for “overt recognition that at thetime risks were assessed the departmentmade a well-informed decision” wherethat was the case.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
100
reports that focus not on the mistakes of thepast but on the future and good practicedrawn from government (for example inpolicy making113 and procurement114). ThePAC’s report on risk management bygovernment115 said, “innovating to improvepublic services entails risk. We are rightlycritical where risks are ignored, for examplewhere major IT projects are poorly specifiedand badly managed; but we give due creditwhere risks are carefully identified, evaluatedand managed, recognising that good riskmanagement reduces but does not eliminatethe possibility of adverse outcomes. Risktaking and innovation are consistent with thecareful and proper control of public money.”
6.36 Despite this, however, the Strategy Unitsurvey of Departmental Board members foundthat they believed strongly that the roles ofthe PAC, and to a lesser extent the NAO,should be “re-aligned with a more balancedapproach to risk and opportunity”. Commentsincluded, “concerns about NAO/PAC scrutinyremain a significant deterrent to risk taking”,and, “… a sea change [is required] in how riskassessment is viewed by both the NAO andthe PAC. Otherwise a risk averse culture will beperpetuated and radical government policyobjectives will not be achieved as effectively,cost-effectively or as quickly as they could be.”
6.37 This underlines the finding of theSharman report on Audit and Accountability116
that “accountability mechanisms areperceived by some in government as adiscouragement to innovate and change”.These views are important if only becausethey are widely held, and so are likely toaffect behaviour. Although Lord Sharmanpoints clearly to the need for Departments toimprove their risk management, he alsorecommends that “it is important thatauditors recognise the dangers of beingperceived as discouraging well managed risk
113 Modern Policy Making, op. cit.114 NAO, Modernising Procurement, October 1999.115 PAC, Managing Risk in Government Departments, op. cit.116 Lord Sharman, Holding to Account: the Review of Audit and Accountability for Central Government, February 2001.
Recommendations6.39 A full investigation of the issuesrelating to the development of a culture thatsupports effective risk taking and innovationwithin government falls outside the scope ofthis study. We also recognise that it can takeconsiderable time and effort to bring aboutthe changes in culture we describe. However,there are a number of specific areas wherewe have identified the scope for furtheraction, which are set out under the headingsbelow.
Leading the development of a culturethat supports effective risk decisions 6.40 Ministers and senior officials shouldaim to foster a culture in which well-judgeddecisions about risks and opportunities canbe made, and where innovation can behandled with confidence. Their personalleadership will be key in driving thebehaviour and actions that will support bothwell-judged risk taking and successfulinnovation. Permanent Secretaries and theirBoards should visibly support a programmeof action within their Departments toimplement the arrangements we recommend(rec.42), which might include:
• identifying areas where innovation isnecessary or desirable (i.e. where there is ahigh potential for reward and a low risk ofcatastrophic effects) and sendingconsistent signals that this is what isexpected;
• setting realistic but challenging targets tostimulate innovation;
• ensuring that incentive and rewardsystems support rather than obstruct well-judged risk taking;
• developing a learning environment;
• providing sufficient flexibility over deliveryto allow innovation to take place;
• recognising and planning for the risk offailure;
• piloting new initiatives to identify anddesign out problems;
• encouraging a diversity of approaches(such as a mix between state and privateprovision) to ensure better resilience ofcore services and to stimulate newthinking; and
• ensuring that blame is avoided wherecalculated risks fail.
Building confidence through qualityassurance of risk decisions6.41 Senior management should ensurethat decision makers are supported by anaudit trail that provides a clear and balancedaccount of their risk judgements and riskmanagement actions in the light of theinformation available at the time (rec.43).This may be validated by independentreview, for example by using the OGCGateway. It will help to improve the qualityof decisions, build confidence, and reducethe risk of subsequent criticism.
6.42 We recognise that it is in the nature ofgovernment accountability and the PAC’s rolethat there will be high profile criticism offailure. And it is not the place of governmentto make recommendations about how thePAC carries out its role. But there is a need toensure that:
• where there is criticism it takes account ofthe risk decisions taken at the time; and
• this is in the context of the overall pictureon delivery and provides a balancedpicture of the quality of risk managementpractice.
The role
of leadership
and culture
change
101
6.43 Some specific points whereDepartments and the NAO and PAC mightwork together to ensure the right cultureinclude:
• clearer accountability and responsibility.There is a growing practice by the PAC toinvite those responsible for programmesand policy to answer for these, to ensurethat the events under scrutiny are properlyand fully represented. Cleareraccountability for risk issues, asrecommended in chapter 4, will also helpto ensure that scrutiny can involve thoseresponsible for action;
• creating a better evidence base.Departments can overcome potentialhindsight bias by developing better audittrails of risk judgements and riskmanagement actions, for example, asproposed in chapter 4.1, through use ofthe OGC Gateway process. If audit(probably internal audit) functions wereinvolved in this process (especially at theearly stage of policy clearance), this wouldhelp in verifying whether risk judgementsand actions were deemed to besatisfactory at the time; and
• ensuring a balanced picture. Departmentswill in future be able to engage with thePAC and NAO against the background oftheir Statements of Internal Control (SICs),which might for example point to theexceptional nature of a lapse in controlleading to failure.
6.44 In addition, the government’sresponse to Lord Sharman in March 2002said that “external auditors need to ensurethat in reporting their findings they do so ina way which is objective, proportionate tofaults identified, and positive inacknowledging good practice. It notes thatthe NAO seeks to ensure that its reports arebalanced and fair, include studies of
successful programmes, and highlightexamples of good practice that might beapplied more widely”. We endorse this ascrucial.
Developing performance measuresthat support more effective risk takingby Departments 6.45 Ways should also be explored toprovide a more balanced focus on overallDepartmental performance, to avoid unduefocus on failure, for example by the mediaand PAC (rec.44). The announcement by thenew Cabinet Secretary that he will focus onCivil Service reform and service deliveryprovides an opportunity to consider how thiscan be promoted. The use of PSAs alreadyprovides a strong foundation for the co-ordination of systems for appraisingDepartments’ performance (and thegovernment response to Sharman proposesthat reporting of performance against PSAtargets should be further strengthened, withexternal validation by NAO of underpinningdata systems). There may be scope to buildon this framework by incorporating elementsof other appraisals, including the annualaudit of Departmental accounts and reportson corporate governance and planning.Integrating these appraisals into one exercise,for example into an occasional cross-government strategic exercise, would alsoprovide useful means of supporting jointworking and priorities. We recommend thatCSMB should look at this, bearing in mindthe opportunity to pull together the currentdemands already made on Departments forend-of-year reporting.
Building on the Civil Service reformprogramme 6.46 The Cabinet Office, supporting theCabinet Secretary, should ensure that the riskmanagement programme is incorporated
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
102
into the broader public service reformagenda, recognising the need for widerculture change. In particular, this shouldconsider the ability of Departments to fosterinnovation (rec.45). There may be scope forspecific further studies to identify:
• areas where there is a need or scope formore experimentation and innovation inpublic service delivery;
• areas where Departments have succeededin encouraging positive risk taking andinnovation, and the reasons for theirsuccess; and
• the potential barriers to positive risk takingand innovation, and ways in which thesemight be overcome.
6.47 In parallel with this activity, werecommend that the Risk Support Team,together with risk improvement managerswithin Departments, should promote andchampion the values needed to supporteffective risk taking within government (rec.46). In doing so, use should be made of key network groups, including:
• the Principal Finance Officers’ Group;
• SPRITE (Successful Projects in an ITEnvironment – the IT Directors’ Group setup by the OGC to implement theMcCartney Report117 on good projectmanagement practice);
• the HR Directors’ network;
• the Business Planners’ network; and
• the Consumer Champions’ network.
The role
of leadership
and culture
change
103
117 Office of the e-Envoy, Review of Government IT Projects – Successful IT: Modernising Government in Action, Cabinet Office, May 2001(the McCartney Report).
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
104
7. CONCLUSIONS, RECOMMENDATIONS ANDIMPLEMENTATION – TOWARDS BETTER DECISIONS AND OUTCOMES
Summary
This chapter summarises the main conclusions and recommendations ofthe Strategy Unit study and outlines an implementation plan.
We propose that:
• the recommendations should be taken forward as a two-year programmelinked to the 2004 Spending Review (see rec.27). This will be primarily forgovernment Departments to deliver, supported by the centre. Progresswill be driven forward by an Implementation Steering Group, withreports to the Civil Service Management Board (CSMB) and MinisterialCommittee on Public Services and Public Expenditure (PSX), and thePrime Minister, in the usual way for the Strategy Unit projects; and
• the principles proposed in this report will be issued for formal consultation.
The chapter also considers the costs and benefits of the recommendationsin the report, and the necessary monitoring and evaluation arrangements.
Conclusions andrecommendations7.1 A comprehensive programme ofchange to improve risk management acrossgovernment is proposed. This would build onDepartments’ current programmes in this area,particularly those on developing corporategovernance, and have a two-year timetable totie in with the 2004 Spending Review. The aimwould be to provide a clear direction,rationalised guidance and support, and a drivefor change from the centre of government.
7.2 The programme is built aroundDepartments’ primary responsibility formanaging risk and improving riskmanagement. The extent and nature ofaction will necessarily vary from Departmentto Department. The centre’s primary role isto support this.
7.3 The programme aims to improvegovernment decision making, and theoutcomes that are delivered, to ensure: fewersurprises to the public and government, andbetter managed impact of unexpected events;
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
105
Summary of recommendations
7.4 We recommend action in six key areas. This is summarised below. Table 7.1 later in this chapter sets out the full list of recommendations in morespecific detailNB The numbers in square brackets refer to the specific recommendations in the body of thisreport.
1. Handling risk should be firmly embedded in government’s policy making,planning and delivery.
1.1 There should be an explicit appraisal of risks, as well as benefits and costs, in all themain decision processes including: policy making; the Spending Review – with riskassessments attached to PSAs and risk embedded in delivery plans; business planning;project and programme management; and performance management. Criteria should bedeveloped to ensure risk assessment effort is proportionate to the potential risks. [1, 2a–e, 3a–c, 4a–c, 5, 6a–c: pp.32–37; 12, 13, 14, 15: pp.48–50]
1.2 The Treasury should support Departments to ensure that new delivery plans,produced by Departments as part of the 2002 Spending Review, include enhancedcoverage of risk and resilience to threat. The DU has already been developing thisapproach for risks to key objectives on health, education, crime and asylum, and transport.The Treasury, the DU and the CCS should work together with Departments in autumn2002 to ensure that: delivery plans are in place for all Departments; these adequatelyaddress risk, balancing the need to invest in resilience with the pursuit of other objectives;and cross-cutting risks are identified and accountability for action established. Monitoringarrangements should track risk assessments and progress with mitigation plans, reportingto PSX. [3a–c: p.35]
1.3 Departments should ensure that plans are underpinned by an assessment of resilienceto threat, and actively develop their resilience to ensure there is the capacity to respondflexibly to potential risk. [3b: p.35]
1.4 Strategic risks should be regularly considered by Departmental Boards and the CSMB.The responsibility for handling and reporting risk should be aligned with accountability fordelivery. Non-executive directors should play an important part in helping to identifystrategic risk and provide an independent perspective on the level of risk faced and theadequacy of measures to address risk. [1a: p.32]
higher levels of safety and confidence; fewerdirect costs resulting from failure to anticipaterisks; better understanding of risks and trade-offs (both by the public and government); a
better balance of risk and opportunity; andgreater clarity of responsibilities and the bestways to manage risks.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
106
1.5 A combination of top down and bottom up approaches to risk assessment isrecommended, for example combining a risk review by a designated team with riskself-assessment. [10: p.45]
1.6 The Treasury should explore whether risk management can be improved in relation toproperty and liability risks, through the use of “captive insurance” arrangements. A pilotcould explore the costs and benefits of insurance against current non-insurancearrangements. [7: p.38]
1.7 Where responsibility for risk is transferred to a partner organisation, accountabilitiesshould be clearly established by Departments, and capacity maintained to manage andmonitor performance and to take early action in the event of difficulty. OGC, the Treasuryand OPSR should consider steps to improve risk handling where partnerships with theprivate and voluntary sectors are used to deliver services:
• benchmarking against a standard could be used for accreditation of partnerorganisations’ risk management arrangements; and
• further approaches to procurement of public services from the private sector should beexplored, to complement PFI. These might involve shorter contract periods and moreflexible contracting arrangements. [30a–c: p.65]
2. Government’s capacity to handle strategic risks should be enhanced.
2.1 The CCS should continue to develop its key role in relation to potential disruptivechallenges to the running of the UK, identifying and assessing the key risks within a12-month horizon, ensuring adequate mitigation action and contingency planning takeplace, and providing additional support and leadership where crises occur. Priority shouldbe given to: improving integration of business continuity plans; supporting the delivery ofimproved resilience across government; updating crisis management arrangements,including those for augmentation of Departmental resources in times of crisis; and learninglessons from past crises. [20, 21, 22, 23, 24: pp.53–55]
2.2 The work of the CCS in identifying and assessing disruptive challenges to the UKshould be complemented by a longer-term horizon-scanning role for the Strategy Unit.The CCS and the Strategy Unit should work with Departments to help them develop their horizon-scanning capabilities, including the use of scenarios and simulation events.[17: p.52; 18: p.53; 26: p.59]
2.3 There should be a greater focus on tracking potential cross-cutting risks, by those withspecial expertise. For example, the Social Exclusion Unit, working with the NeighbourhoodRenewal Unit and the Regional Co-ordination Unit, could consider playing a larger role intracking risks including: new groups becoming eligible for benefits or likely to becomesocially excluded; or towns and cities failing to regenerate or facing economic problemsbecause of over-dependence on declining industries. [19: p.53]
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
107
2.4 As the work of the CCS develops, it should complement the work of the Treasury andDU in identifying and monitoring risks to the delivery of the government’s businessprogramme. [25: p.55]
3. Risk handling should be supported by good practice, guidance and skillsdevelopment.
3.1 Guidance from the Treasury, OGC and Cabinet Office should be integrated,developed, promoted and maintained in line with developing good practice inDepartments, and UK and international standards, drawing on the recommendations ofthis study to provide a simplified standard for government risk management. This shouldbuild on current developments, progressively providing a common framework andlanguage. Benchmarking arrangements should be developed on the Australian Comcovermodel, and improvements linked to financial and management freedoms, such as earnedautonomy or delegated financial authority. [9: p.44; 11: p.46; 16: p.51; 36: p.73]
3.2 The standard should be the basis for skills development and used to develop acommon language for understanding and communicating on risk. Departments and CDGshould review their core training and development programmes to ensure risk isadequately covered. Networks should also be used to spread good practice. Departmentsshould consider the need for developing in-house specialists to provide support to thosemanaging risks. [33, 34, 34a, 35: pp.68–71]
4. Departments and agencies should make earning and maintaining publictrust a priority when dealing with risks to the public.
4.1 As a first step towards earning public trust, government should publish its principlesfor handling and communicating about risk to the public. These should be subject towidespread consultation. [37: p.84]
4.2 Departments should implement these principles as part of their wider plans forimproving risk management. This will be particularly important where the Department’sbusiness is directly related to handling risks to the public, such as safety or health. Actionplans should cover the following areas:
• public access to information about risks that affect them;
• two-way communication to enable early and widespread involvement in decisions onkey risks;
• targeted consultation, informed by systematic identification of the risks most likely tocause public concern;
• availability of choice for individuals in managing the risks that affect them;
• procedures for communicating in crisis conditions; and
• use of information provided by trusted impartial sources.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
108
Information on these arrangements should be widely available, for example inDepartments’ Risk Framework Documents and, where relevant, actively explained. [38, 38a–h: pp.85–89]
4.3 Action by Departments should be underpinned by clear government-wide guidelineson risk communication, initiatives to improve levels of public understanding about riskconcepts, and work with the media and regulators to improve the accuracy of reporting ofcrises. [39, 40, 40a: pp.89–90]
4.4 Departments should consider where giving greater responsibility to arm’s-lengthbodies in policy making could help in handling risk and building trust. This may beparticularly appropriate where risks to the public make trust a key concern. [30: p.64]
5. Ministers and senior officials should take a clear lead in improving riskhandling.
5.1 Ministers and senior officials should take an active lead in: driving implementation ofthe improvements in risk management set out in this report; taking key judgements andproviding clear direction, for example in prioritising risks for action, and in defining theappetite for taking on further risk; supporting innovation; ensuring clear accountability formanaging risks; and ensuring that managers are equipped with skills, guidance and othertools. [41: p.94]
5.2 They should aim to foster a culture in which well-judged decisions about risks and opportunities can be made, and where innovation can be handled with confidence.[42: p.101]
5.3 In addition, they should ensure that decision makers are supported by an audit trail thatprovides a clear and balanced account of their risk judgements and risk management actionsin the light of the information available at the time. This may be validated by independentreview, for example by using the OGC Gateway. This will help to improve the quality ofdecisions, build confidence, and reduce the risk of subsequent criticism. [43: p.101]
5.4 Ways should also be explored to provide a more balanced focus on overallDepartmental performance, to avoid undue focus on failure, for example by the media and PAC. We recommend CSMB should look at this, bearing in mind the opportunity topull together the current demands already made on Departments for end-of-yearreporting. [44: p.102]
5.5 The Cabinet Office, supporting the Cabinet Secretary, should ensure that the riskmanagement programme is incorporated into the broader public service reform agenda,recognising the need for wider culture change. In particular, this should consider the abilityof Departments to foster innovation. [45: p.103]
5.6 In parallel with this activity, the Risk Support Team, together with risk improvementmanagers within Departments, should promote and champion the spread of values neededto support effective risk management within government. [46: p.103]
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
109
Implementation/next steps7.5 A full set of recommendations, withproposed responsibilities and timings, is atTable 7.1. The recommendations aim toimprove the way government manages riskthrough a two-year programme of change
linked into the next Spending Review (2004).It will be overseen by an ImplementationSteering Group, supported by the RiskSupport Team.
6. The quality of government risk management should be improved througha two-year programme of change, linked to the Spending Review timetable,and clearly set in the context of public sector reform.
6.1 A two-year programme of change should be established, linked to the SpendingReview timetable and that for production of SICs. The programme should include thefollowing strands (integrating the Strategy Unit recommendations with existing initiatives):communications with the public; embedding risk (in Spending Review, policy making, etc);leadership and culture change; skills; guidance, standards and benchmarking; corporategovernance. This is primarily for Departments to deliver, but with central support, as partof the Cabinet Secretary’s overall reform programme. [27: p.62]
6.2 Departmental Accounting Officers should ensure that there is a senior official withdelegated responsibility for encouraging and supporting change. This risk improvementmanager could: provide a focal point for driving change; be part of a cross-governmentnetwork – sharing best practice and learning; and be a potential source of peer review. This role should be closely linked to delegation of accountability for corporate governance.[29: p.62; 32: p.66; 34a: p.70]
6.3 Existing central risk functions should be rationalised to support the delivery of theprogramme:
• an Implementation Steering Group should be established (replacing the various existinggroups – Risk Management Steering Group, ILGRA, and Risk Advisory Group) to drivechange over the two-year period leading into the next Spending Review (2004). Thisgroup should draw together the main interests across government and be chaired by anauthoritative figure who might be a member of the CSMB appointed by the CabinetSecretary. Progress should be reported regularly to PSX and the CSMB, leading to a fullreview of the position at the end of the two-year programme. [28: p.62];
• the Steering Group should be supported by a small, time-limited, multidisciplinary teambased in the Treasury – the Risk Support Team. The team should be drawn from existingsources of activity (including Treasury, OGC, HSE, Cabinet Office, GICS) who would: leador co-ordinate strands of the programme; monitor progress and the effectiveness of thenew arrangements; provide a central expert resource; review and co-ordinate advice andguidance on risk management; help establish and support the interdepartmentalnetwork of risk improvement managers; and lead a review further to rationalise currentcentral responsibilities and initiatives. [8: p.38; 31a–c: p.66]
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
110
• Departments will be responsible for taking forward most of the report’srecommendations – integratingresponsibility for improvements withaccountability for delivery; but they canlook to the Risk Support Team for supportand guidance in developing their riskmanagement capabilities. They will alsoreceive enhanced support from theTreasury and Delivery Unit (in respect ofrisks to the delivery of their plans) and theCCS and the Strategy Unit (in respect ofhorizon scanning for strategic risks, andhelp with contingency planning andhandling crises). The proposedarrangements are set out in Figure 7.1below;
• Ministers, Permanent Secretaries (or ChiefExecutives) and their Boards will be vital inleading change, in particular to helpsupport changes in behaviour. Werecommend some specific actions they cantake.
It is proposed that the implementationtimetable would have three broad phases:
• Start up (November 2002 – March 2003).Establish leadership – engage Ministersand senior Departmental officials. Appointrisk implementation managers; establishImplementation Steering Group, RiskSupport Team and interdepartmentalnetwork. Start implementing programmeof recommendations – establishing skills,systems and processes. Completeconsultation on principles. Risk programmeintegrated with Departmental ChangeProgramme. Report on progress (March)and confirm next phase;
• Phase 1 (April 2003 – October 2003).Improve communications with public.Establish standard for government riskmanagement, and develop and testbenchmarking. Establish common modelfor training. Initiate peer reviews. Applypolicy appraisals (including riskassessments) to business plans, projectsand programmes, especially thosedelivering a PSA or Service Delivery
Agreement (SDA) target, and performancemanagement. Report on progress(October) and confirm next phase; and
• Phase 2 (October 2003 – November2004). Further progress across the wholeprogramme. Initiate benchmarkingarrangements. Spending Review 2004delivery plans to be based on explicit,systematic consideration of risk. Measureimprovements in risk handling. Review endof programme and plan any further work.
An early implementation task will be todevelop a detailed programme plan,prioritising activities in the light of availableresources.
Implementation to date7.6 As the Strategy Unit’s study hasprogressed, opportunities have been taken tofeed its findings into existing initiatives andarrangements and to stimulate furtherdevelopments. This has included:
• the establishment of the CCS, drawing onvery early Strategy Unit work on risk;
• the OPSR work on IPPD, including amechanism to ensure adequate deliveryplanning before policies are launched, and the Departmental Change Programme (DCP);
• RIU guidance on RIAs;
• ODPM/DfT guidance on their integratedpolicy assessment tool;
• DEFRA’s risk management strategy;
• the latest version of the Treasury “GreenBook” on investment appraisal; and
• ILGRA’s Third Report to Ministers.
Principles of good risk management7.7 In addition, the study took over thedevelopment of a set of high-level principlesto guide government’s handling of risk.These are included in this report in chapter 5.The next step is to consult on their content.
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
111
DO
MES
TIC
HO
RIZO
NSC
ANN
ING
CO
MM
ITTE
E
JOIN
TIN
TELL
IGEN
CE
CO
MM
ITTE
E
PSX
CIV
IL S
ERVI
CE
MAN
AGEM
ENT
BOAR
D
CIV
IL C
ON
TIN
GEN
CIE
S SE
CRE
TARI
AT(C
ivil,
dom
estic
, disr
uptiv
e ch
alle
nges
, sho
rt te
rm)
STRA
TEG
Y U
NIT
(Lon
ger-
term
str
ateg
ic c
halle
nges
an
d op
port
uniti
es)
JOIN
T AS
SESS
MEN
T ST
AFF
(Ove
rsea
s, m
ilita
ry, t
erro
rist)
RISK
SU
PPO
RT T
EAM
(Tre
asur
y)
TREA
SURY
SPE
ND
ING
TEA
MS
AND
DEL
IVER
Y U
NIT
CUSTOMERS – MINISTERS AND SENIOR OFFICIALS
CORP
ORA
TE D
ECIS
ION
-MAK
ING
GRO
UPS
CEN
TRAL
SUP
PORT
DEP
ARTM
ENTS
Risk
Impr
ovem
ent
Prog
ram
me
Asse
ssm
ents
Asse
ssm
ents
Oth
erin
form
atio
n
Nee
d fo
rre
silie
nce
build
ing
Inte
llige
nce
and
asse
ssm
ents
CC
S he
lp w
ithco
ntin
genc
y pl
anni
ng
and
crise
s
Dra
ft pl
ans
(incl
udin
g ris
kas
sess
men
ts, m
itiga
tion/
cont
inge
ncy
plan
s) a
ndpr
ogre
ss in
form
atio
n
Agre
ed/a
djus
ted
plan
s(in
clud
ing
risk
asse
ssm
ents
,m
itiga
tion/
cont
inge
ncy
plan
s) a
nd re
sour
ces
Prog
ress
info
rmat
ion;
requ
ests
for c
entr
al s
uppo
rt
Gui
danc
e, tr
aini
ng, e
tc
Inte
llige
nce
and
asse
ssm
ents
Plan
s
(in
clud
ing
risk
ass
essm
ents
, m
itiga
tion/
con
tinge
ncy
plan
s)
POLI
CY
AND
PLA
NS
– D
EVEL
OPM
ENT
AND
DEL
IVER
Y
MANAGING RISKSDEVELOPINGCAPABILITIES
DEP
ARTM
ENTA
L RI
SK S
UPP
ORT
Dev
elop
ing
risk
man
agem
ent c
apab
ilitie
s(s
peci
fic g
uida
nce,
trai
ning
, etc
)
Revi
ewin
gan
d re
por
ting
risks
Add
ress
ing
risks
Ass
essi
ngris
ks
Iden
tifyi
ngris
ks
Com
mun
icat
ion
and
lear
ning
Hor
izon
scan
ning
Eval
uatio
n of
curr
ent
prac
tice
Impr
oved
capa
bilit
ies
Figu
re 7
.1: G
over
nmen
t ri
sk h
andl
ing
This exercise will be handled by the new RiskSupport Team, and will last for three months,after which an agreed public document willbe available.
Costs and benefits7.8 In the longer term, the benefits acrossgovernment of measures to improve riskmanagement are expected to more thancover the costs. The financial benefits aloneof a new approach to risk management couldbe vast, for example by:
• avoiding or reducing the scale of crises(the direct total cost of FMD is estimatedto be over £8 billion);118
• reducing the likelihood of project andprogramme failure (for example the BenefitsPayment Card, £127 million; Passport Officecomputer system £12.6 million);
• reducing the cost and time taken indealing with hostile media campaigns(such as MMR); and
• reducing the scale of losses arising from,for example, property and liability risks (afeasibility study has estimated a potentialsaving of up to £640 million a year fromintroducing captive insurance, risk poolingarrangements).
7.9 The OGC Gateway process, involvingrisk assessments, to be applied to projects isexpected to save £500 million a year. Thefinancial benefits of better risk managementwill accrue jointly to Departments and thecontingency reserve.
7.10 In addition, there are likely to besignificant non-financial benefits, including:
• increased reassurance for the public;
• increased ability for the public andgovernment to make appropriate choicesin the face of uncertainty; and
• increased likelihood of achieving policyoutcomes, quickly and fully, especiallywhere these require the support of thepublic to be effective (such as vaccination).
7.11 There will be resource implications forDepartments and the centre (Treasury andCabinet Office). The scale of these will belessened to the extent that action on risk isalready under way or planned. For manyDepartments and central functions this reportis likely primarily to involve a refocusing ofcurrent efforts. However, some extrainvestment may be involved for:
• Departments – implementing riskimprovement managers and any support(though much of this may be in place toimplement corporate governance changes),and improving systems and processes, andcommunications with the public. The scaleof cost will depend on the size ofDepartment, their stage of developmentand the nature of their business; and
• centre – some extra costs, primarily from:the new Risk Support Team which mayrequire up to six staff initially; CDGdeveloping and delivering extra trainingmaterials; and Treasury/OGC developingrisk management standards andbenchmarking.
7.12. These may be offset by some savings,accruing over the two-year period, throughrationalising existing activity and from thebenefits of effective risk management. Moredetailed cost/benefit analysis of programmeactivities should be undertaken by theimplementation team.
Monitoring and evaluating progress7.13 The information drawn together bythe Strategy Unit’s study team, and theNAO’s survey in Supporting Innovation(shortly to be updated by the Treasury),provides a baseline against which to judgeprogress. We recommend that Departmentsand the centre should establish regularmonitoring arrangements to assess internaland external satisfaction with progress. TheStrategy Unit’s surveys could be repeated toassess confidence within government. Therecould also be public satisfaction surveys,repeated at regular intervals.
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
112
118 NAO, The 2001 Outbreak of Foot and Mouth Disease, op. cit. (p.13).
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
113
TABLE 7.1 SUMMARY OF RECOMMENDATIONS
CONTENTS:
Departments
– Ministers and Permanent Secretaries
– Risk improvement managers
Implementation Steering Group
Risk Support Team
Cabinet Office/Office of the Deputy Prime Minister
Civil Contingencies Secretariat (CCS)
Corporate Development Group (CDG)
Reform Strategy Group (RSG)
Strategy Unit
Social Exclusion Unit (SEU)
Delivery Unit (DU)
Treasury
Chief Scientist
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
114
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Dep
artm
ents
: M
inis
ters
an
d P
erm
anen
t Se
cret
arie
s
Rec
.no
Ref
.
41 42 43 1 1 29 30 30a,
b,c
6.6
6.40
6.41
4.1.
17
4.1.
17
4.3.
28
4.3.
32
4.3.
34–3
5
Min
iste
rs a
nd s
enio
r of
ficia
ls s
houl
d ta
ke a
n ac
tive
lead
in:
driv
ing
imp
lem
enta
tion
ofth
e im
pro
vem
ents
in r
isk
man
agem
ent
set
out
in t
his
rep
ort;
tak
ing
key
judg
emen
tsan
d p
rovi
ding
cle
ar d
irect
ion,
for
exa
mp
le in
prio
ritis
ing
risks
for
act
ion,
and
inde
finin
g th
e ap
pet
ite f
or t
akin
g on
fur
ther
ris
k; s
upp
ortin
g in
nova
tion;
ens
urin
g cl
ear
acco
unta
bilit
y fo
r m
anag
ing
risks
; an
d en
surin
g th
at m
anag
ers
are
equi
pp
ed w
ithsk
ills,
gui
danc
e an
d ot
her
tool
s.
Min
iste
rs a
nd s
enio
r of
ficia
ls s
houl
d ai
m t
o fo
ster
a c
ultu
re in
whi
ch w
ell-j
udge
dde
cisi
ons
abou
t ris
ks a
nd o
pp
ortu
nitie
s ca
n be
mad
e, a
nd w
here
inno
vatio
n ca
n be
hand
led
with
con
fiden
ce.
To d
emon
stra
te c
lear
lead
ersh
ip f
rom
the
top
in h
andl
ing
risk,
Per
man
ent
Secr
etar
ies
shou
ld v
isib
ly s
upp
ort
a p
rogr
amm
e of
act
ion
toim
ple
men
t be
tter
ris
k m
anag
emen
t.
Seni
or m
anag
emen
t sh
ould
ens
ure
that
dec
isio
n m
aker
s ar
e su
pp
orte
d by
an
audi
ttr
ail t
hat
pro
vide
s a
clea
r an
d ba
lanc
ed a
ccou
nt o
f th
eir
risk
judg
emen
ts a
nd r
isk
man
agem
ent
actio
ns in
the
ligh
t of
the
info
rmat
ion
avai
labl
e at
the
tim
e. T
hese
may
be v
alid
ated
by
inde
pen
dent
rev
iew
, fo
r ex
amp
le b
y us
ing
the
OG
C G
atew
ay.
Dep
artm
ents
mig
ht c
onsi
der
app
oint
ing
a Bo
ard
mem
ber
to b
e re
spon
sibl
e fo
r ris
kis
sues
bei
ng c
over
ed a
deq
uate
ly,
whi
le n
on-e
xecu
tive
mem
bers
wou
ld h
ave
a ke
ych
alle
nge
role
.
Our
ove
rall
reco
mm
enda
tion
is t
hat
ther
e sh
ould
be
an e
xplic
it ap
pra
isal
of
risks
, as
wel
l as
bene
fits
and
cost
s, in
all
the
mai
n bu
sine
ss p
roce
sses
(in
clud
ing
the
Spen
ding
Revi
ew,
pol
icy
mak
ing,
bus
ines
s p
lann
ing,
pro
ject
and
pro
gram
me
man
agem
ent,
and
per
form
ance
man
agem
ent
and
inve
stm
ent
anal
ysis
), w
here
thi
s do
es n
ot h
app
enal
read
y.
We
reco
mm
end
that
Dep
artm
ents
sho
uld
cons
ider
whe
ther
the
y m
ight
est
ablis
hsi
mila
r un
its t
o th
e Ri
sk S
upp
ort
Team
inte
rnal
ly t
o dr
ive
chan
ge.
Dep
artm
ents
sho
uld
cons
ider
whe
ther
the
con
ditio
ns e
xist
for
the
use
of
arm
’s-le
ngth
bodi
es in
pol
icy
mak
ing
to b
e in
crea
sed.
a)It
is r
ecom
men
ded
that
use
of
a ris
k m
anag
emen
t st
anda
rd a
s th
e ba
sis
for
accr
editi
ng p
artn
ers’
ris
k m
anag
emen
t ar
rang
emen
ts s
houl
d be
con
side
red.
b)
It is
rec
omm
ende
d th
at w
here
res
pon
sibi
lity
for
risk
is t
rans
ferr
ed t
o a
par
tner
orga
nisa
tion,
par
ticul
ar c
are
is t
aken
to
ensu
re t
hat
acco
unta
bilit
ies
are
clea
rlyes
tabl
ishe
d by
Dep
artm
ents
, an
d ca
pac
ity m
aint
aine
d to
man
age
and
mon
itor
per
form
ance
(in
clud
ing
pro
visi
on o
f re
leva
nt in
form
atio
n) a
nd t
o ta
ke e
arly
act
ion
inth
e ev
ent
of d
iffic
ulty
.c)
It is
als
o re
com
men
ded
that
the
re is
als
o a
case
for
dev
elop
ing
furt
her
app
roac
hes
to c
ontr
actin
g w
ith p
artn
ers,
esp
ecia
lly w
here
the
aim
is p
rimar
ily t
o de
liver
a s
ervi
cera
ther
tha
n, f
or e
xam
ple
, a
larg
e-sc
ale
cap
ital p
roje
ct.
Min
iste
rs a
ndPe
rman
ent
Secr
etar
ies
Min
iste
rs a
ndPe
rman
ent
Secr
etar
ies
Perm
anen
t Se
cret
arie
s
Perm
anen
t Se
cret
arie
s
Perm
anen
t Se
cret
arie
s
Perm
anen
t Se
cret
arie
s
Perm
anen
t Se
cret
arie
s
Perm
anen
t Se
cret
arie
s
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
OG
C
Mar
ch 2
003
Mar
ch 2
003
July
200
3
Janu
ary
2003
Oct
ober
200
3
July
200
3
Mar
ch 2
003
July
200
3
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
115
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Dep
artm
ents
: M
inis
ters
an
d P
erm
anen
t Se
cret
arie
s
Rec
.no
Ref
.
34a
35 1a 4b 5 6a 10 12
4.4.
12
4.4.
15
4.1.
18
4.1.
36
4.1.
37
4.1.
39
4.2.
23
4.2.
33
Dep
artm
ents
and
oth
ers
activ
ely
iden
tify
thei
r lik
ely
leve
l of
futu
re n
eed
for
risk
man
agem
ent
spec
ialis
ts,
with
the
aim
of
deve
lop
ing
suita
ble
in-h
ouse
peo
ple
. To
sup
por
t th
is p
roce
ss t
here
sho
uld
be a
n id
entif
ied
risk
imp
rove
men
t m
anag
er in
eac
hD
epar
tmen
t, s
ettin
g st
anda
rds
and
advi
sing
the
Boa
rd o
n w
hat
is r
equi
red.
The
re a
re a
num
ber
of d
iffer
ent
mod
els
that
mig
ht b
e su
itabl
e, b
ut o
ne m
ight
be
the
mod
elad
opte
d in
som
e D
epar
tmen
ts f
or t
he p
roje
ct m
anag
emen
t an
d p
rocu
rem
ent
spec
ialis
ms.
The
OG
C s
houl
d p
rovi
de a
n ad
viso
ry r
esou
rce
on s
yste
ms
and
skill
s,in
clud
ing
cons
ider
ing
the
pos
sibi
lity
of in
trod
ucin
g a
unifo
rm b
asic
mod
el.
Dep
artm
ents
sho
uld
be e
ncou
rage
d to
exp
lore
the
way
the
y us
e co
mp
eten
cefr
amew
orks
to
sup
por
t th
eir
risk
man
agem
ent
obje
ctiv
es.
To s
upp
ort
this
, w
e su
gges
tan
eva
luat
ion
by C
DG
, un
der
the
aegi
s of
the
new
cen
tral
tea
m,
of h
ow t
heco
mp
eten
ce a
nd a
pp
rais
al/r
ewar
d sy
stem
is b
eing
use
d to
sup
por
t ris
k aw
are
beha
viou
r; a
nd t
hat
Dep
artm
ents
bui
ld t
he c
omp
eten
ces
and
beha
viou
rs t
o de
velo
pris
k m
anag
emen
t ca
pab
ility
into
all
key
peo
ple
man
agem
ent
syst
ems:
des
ign
of jo
bob
ject
ives
and
the
link
ed p
erfo
rman
ce r
evie
w p
roce
ss;
360°
feed
back
; p
rom
otio
n –
par
ticul
arly
to
SCS
leve
l; an
d p
ay a
nd r
ewar
ds –
fin
anci
al a
nd n
on-f
inan
cial
.
Risk
s sh
ould
be
regu
larly
con
side
red
by d
epar
tmen
tal B
oard
s an
d th
e C
SMB
asap
pro
pria
te.
Dep
artm
ents
sho
uld
revi
ew t
he q
ualit
y of
ris
k in
form
atio
n in
the
ir p
lans
.
Dep
artm
ents
sho
uld
follo
w t
he O
GC
gui
danc
e on
man
agin
g ris
k in
pro
ject
s an
dp
rogr
amm
es a
nd a
pp
ly t
his
guid
ance
to
thei
r G
atew
ay R
evie
ws.
Dec
isio
n m
akin
g ne
eds
to b
e un
derp
inne
d by
inve
stm
ent
app
rais
al f
ocus
ed o
nbe
nefit
s, c
osts
and
ris
ks.
This
ap
pro
ach
need
s to
be
take
n as
par
t of
all
key
subm
issi
ons
and
addr
esse
d at
all
leve
ls.
Prof
orm
as o
r te
mp
late
s ar
e us
ed b
y D
epar
tmen
ts t
o he
lpw
ith t
his,
for
exa
mp
le b
uild
ing
on R
IAs.
For
pro
gram
me
and
oper
atio
nal r
isks
, a
com
bina
tion
of t
op d
own
and
bott
om u
pap
pro
ache
s ar
e re
com
men
ded,
for
exa
mp
le c
ombi
ning
a r
isk
revi
ew b
y a
desi
gnat
edte
am w
ith r
isk
self
asse
ssm
ent.
Crit
eria
sho
uld
be d
evel
oped
as
par
t of
the
arr
ange
men
ts f
or e
mbe
ddin
g ris
k in
pol
icy
mak
ing
pro
pos
ed in
cha
pte
r 4.
1. A
gen
eric
list
cou
ld b
e de
velo
ped
whi
chD
epar
tmen
ts c
ould
tai
lor,
draw
ing
on a
sys
tem
atic
ana
lysi
s of
key
or
com
mon
ris
ksth
at h
ave
occu
rred
in t
heir
pro
gram
mes
.
Perm
anen
t Se
cret
arie
sth
en
Risk
imp
rove
men
tm
anag
ers
CD
G
Perm
anen
t Se
cret
arie
s/H
R D
irect
ors
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
sup
por
tte
am
Perm
anen
tSe
cret
arie
s –
Dec
embe
r 20
02
Risk
imp
rove
men
tm
anag
ers
– M
arch
2003
CD
G –
Mar
ch 2
003
Dep
artm
ents
–O
ctob
er 2
003
Janu
ary
2003
Janu
ary
2003
Ong
oing
Oct
ober
200
3
Oct
ober
200
3
July
200
3
Dep
artm
ents
: D
epar
tmen
tal r
isk
imp
rove
men
t m
anag
ers
– to
lead
a p
rog
ram
me
of
revi
ewin
g a
nd
imp
rovi
ng
ris
k m
anag
emen
t p
ract
ice
and
co
mm
unic
atio
n w
ith
th
e p
ublic
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
116
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Dep
artm
ents
: D
epar
tmen
tal
risk
imp
rove
men
t m
anag
ers
– to
lead
a p
rog
ram
me
of
revi
ewin
g a
nd
imp
rovi
ng
ris
k m
anag
emen
t p
ract
ice
and
co
mm
unic
atio
n w
ith
th
e p
ublic
Rec
.no
Ref
.
13 14 18 34 38 38a
38b
38c
38d
4.2.
37
4.2.
38
4.2.
54
4.4.
11
5.33
–5.
49
5.35
–5.
36
5.37
–5.
38
5.39
–5.
41
5.42
–5.
43
Mor
e us
e co
uld
be m
ade
of a
n as
sess
men
t of
ris
k to
lera
nce
or a
pp
etite
by
Dep
artm
ents
at
the
pol
icy
mak
ing
stag
e to
ens
ure
that
Min
iste
rs a
re a
war
e of
the
pat
tern
of
risks
the
y w
ill b
e ta
king
and
the
pro
spec
ts o
f ad
equa
tely
man
agin
g th
em.
A p
ortf
olio
ap
pro
ach
to r
isk
man
agem
ent
coul
d be
pilo
ted
in e
ither
Dep
artm
enta
lbu
sine
ss p
lann
ing
or t
he 2
004
Spen
ding
Rev
iew
.
Sim
ulat
ion
even
ts,
built
aro
und
scen
ario
s, c
an h
elp
to
iden
tify
and
pre
par
e fo
r su
chlo
w p
roba
bilit
y/hi
gh im
pac
t co
ntin
genc
ies
and
we
reco
mm
end
that
the
se m
etho
dsbe
exp
lore
d.
Whe
re D
epar
tmen
ts e
mp
loy
cons
ulta
ncie
s to
intr
oduc
e ris
k m
anag
emen
t sy
stem
s,th
ere
shou
ld b
e a
cont
inuo
us e
ffort
to
pas
s on
ski
lls a
nd d
evel
op s
uita
ble
in-h
ouse
peo
ple
, in
par
ticul
ar,
to t
ake
over
the
rol
e cu
rren
tly p
erfo
rmed
by
outs
ide
cons
ulta
nts
in t
his
area
.
Dep
artm
ents
sho
uld
deve
lop
act
ion
pla
ns t
o im
ple
men
t th
eir
prin
cip
les
for
hand
ling
and
com
mun
icat
ing
abou
t ris
k to
the
pub
lic.
This
sho
uld
incl
ude
the
follo
win
gel
emen
ts:
(38a
–38h
)
The
pub
lic s
houl
d ha
ve a
cces
s to
info
rmat
ion
abou
t th
e ris
ks t
hat
affe
ct t
hem
.D
epar
tmen
ts t
hat
hand
le r
isks
tha
t af
fect
mem
bers
of
the
pub
lic s
houl
d p
ublis
h th
eir
risk
asse
ssm
ents
, an
d al
so t
he u
nder
lyin
g fa
cts,
ass
ump
tions
, so
urce
s of
info
rmat
ion
and
pro
cedu
res
behi
nd t
hem
, as
ear
ly a
s p
ossi
ble
to e
nabl
e p
ublic
scr
utin
y.
Ther
e sh
ould
be
two-
way
com
mun
icat
ion
to e
nabl
e ea
rly a
nd w
ides
pre
ad in
volv
emen
tin
dec
isio
ns a
bout
key
ris
ks.
Risk
imp
rove
men
t m
anag
ers
shou
ld e
nsur
e th
at t
heir
Dep
artm
ents
hav
e sy
stem
s to
con
sult
and
enga
ge s
take
hold
ers
and
the
wid
er p
ublic
inde
cisi
ons
abou
t ke
y ris
ks a
ffect
ing
the
pub
lic.
Com
mun
icat
ions
sho
uld
be c
onsi
dere
dat
the
sta
rt o
f th
e p
olic
y de
velo
pm
ent
pro
cess
for
maj
or p
olic
ies
invo
lvin
g ris
k to
the
pub
lic.
Dep
artm
ents
’ com
mun
icat
ion
stra
tegi
es s
houl
d p
lan
for
a p
roce
ss o
fst
akeh
olde
r an
d w
ider
pub
lic e
ngag
emen
t on
key
ris
ks.
Ther
e sh
ould
be
targ
eted
con
sulta
tion,
info
rmed
by
syst
emat
ic id
entif
icat
ion
and
eval
uatio
n of
the
ris
ks m
ost
likel
y to
cau
se p
ublic
con
cern
. Dep
artm
ents
sho
uld
deve
lop
the
capa
city
to
iden
tify,
for
the
Dep
artm
ent
as a
who
le o
r ea
ch m
ajor
pol
icy
area
,w
hich
ris
k is
sues
are
like
ly t
o ge
nera
te t
he m
ost
publ
ic c
once
rn o
r re
quire
the
mos
tpu
blic
co-
oper
atio
n.
Dep
artm
ents
sho
uld
cons
ider
opt
ions
for
pro
vidi
ng in
crea
sed
avai
labi
lity
of c
hoic
e fo
rin
divi
dual
s in
man
agin
g th
e ris
ks t
hat
affe
ct t
hem
.
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers;
Tre
asur
y
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Dep
artm
enta
lIn
form
atio
n O
ffice
rs,
Risk
Sup
por
t Te
am
Stra
tegy
Uni
t
July
200
3
July
200
3Ju
ly 2
004
July
200
3
July
200
3
July
200
3
July
200
3
July
200
3
Oct
ober
200
3
July
200
3
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
117
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Dep
artm
ents
: D
epar
tmen
tal
risk
imp
rove
men
t m
anag
ers
– to
lead
a p
rog
ram
me
of
revi
ewin
g a
nd
imp
rovi
ng
ris
k m
anag
emen
t p
ract
ice
and
co
mm
unic
atio
n w
ith
th
e p
ublic
Rec
.no
Ref
.
38e
38f
38g
38h
28 1
5.44
–5.
46
5.47
5.48
5.49
4.3.
26–2
7
4.1.
17
Cle
ar p
roce
dure
s fo
r co
mm
unic
atin
g in
cris
is c
ondi
tions
sho
uld
be in
pla
ce.
Dep
artm
ents
sho
uld
stre
ngth
en t
heir
links
with
the
New
s C
o-or
dina
tion
Cen
tre
with
inth
e C
CS.
Whi
le t
he le
ad r
ole
shou
ld r
emai
n w
ith t
he h
ome
Dep
artm
ent,
imp
rove
dlin
ks w
ith t
he N
ews
Co-
ordi
natio
n C
entr
e sh
ould
hel
p e
nsur
e gr
eate
r co
nsis
tenc
y in
cris
is c
omm
unic
atio
n ac
ross
gov
ernm
ent.
Ther
e ne
eds
to b
e im
pro
ved
use
of in
form
atio
n p
rovi
ded
by t
rust
ed im
par
tial s
ourc
esw
here
the
re is
a h
igh
degr
ee o
f un
cert
aint
y or
dis
sent
abo
ut r
isk.
Dep
artm
ents
sho
uld
aim
to
imp
rove
dia
logu
e be
twee
n sc
ient
ific
and
lay
inte
rest
s, f
orex
amp
le t
hrou
gh t
he p
artic
ipat
ion
of a
t le
ast
one
lay
mem
ber
in r
isk
advi
sory
or
deci
sion
-mak
ing
bodi
es,
whe
re is
sues
are
kno
wn
to b
e un
cert
ain
or r
aise
eth
ical
or
soci
al q
uest
ions
. Ri
sk im
pro
vem
ent
man
ager
s sh
ould
see
tha
t ar
rang
emen
ts a
re in
pla
ce t
o en
sure
tha
t ex
per
t bo
dies
tha
t ad
vise
on
risks
to
the
pub
lic c
onta
in a
bro
ad-
base
d m
embe
rshi
p.
Risk
com
mun
icat
ion
shou
ld b
e in
tegr
ated
with
oth
er e
lem
ents
of
Dep
artm
ents
’ ris
km
anag
emen
t st
rate
gies
, su
ch a
s p
erfo
rman
ce m
anag
emen
t an
d tr
aini
ng.
An
Imp
lem
enta
tion
Stee
ring
Gro
up s
houl
d be
est
ablis
hed
(rep
laci
ng t
he v
ario
usex
istin
g gr
oup
s –
the
Risk
Man
agem
ent
Stee
ring
Gro
up,
ILG
RA a
nd R
isk
Adv
isor
yG
roup
) to
driv
e ch
ange
ove
r th
e tw
o-ye
ar p
erio
d le
adin
g in
to t
he n
ext
Spen
ding
Revi
ew (
2004
). It
will
be
sup
por
ted
by a
sm
all c
entr
al t
eam
in T
reas
ury,
the
Ris
kSu
pp
ort
Team
(RS
T).
The
Risk
Sup
por
t Te
am s
houl
d be
dra
wn
from
exi
stin
g so
urce
s of
act
ivity
(in
clud
ing
Trea
sury
, O
GC
, H
SE,
Stra
tegy
Uni
t an
d ot
hers
) w
ho w
ould
mon
itor
pro
gres
s; p
rovi
de a
cent
ral e
xper
t re
sour
ce;
revi
ew a
nd c
o-or
dina
te a
dvic
e an
d gu
idan
ce o
n ris
km
anag
emen
t; h
elp
est
ablis
h an
d su
pp
ort
an in
terd
epar
tmen
tal r
isk
netw
ork;
and
cons
ider
fur
ther
ste
ps
to r
atio
nalis
e cu
rren
t ce
ntra
l res
pon
sibi
litie
s an
d in
itiat
ives
.
Ther
e sh
ould
be
an e
xplic
it ap
pra
isal
of
risks
, as
wel
l as
bene
fits
and
cost
s, in
all
the
mai
n bu
sine
ss p
roce
sses
(in
clud
ing
the
Spen
ding
Rev
iew
, p
olic
y m
akin
g, b
usin
ess
pla
nnin
g, p
roje
ct a
nd p
rogr
amm
e m
anag
emen
t, p
erfo
rman
ce m
anag
emen
t an
din
vest
men
t an
alys
is),
whe
re t
his
does
not
hap
pen
alre
ady.
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Risk
imp
rove
men
tm
anag
ers
Cha
ir of
Imp
lem
enta
tion
Stee
ring
Gro
up
Trea
sury
Imp
lem
enta
tion
Stee
ring
Gro
up
Dep
artm
enta
l Hea
ds o
fIn
form
atio
n
Risk
Sup
por
t Te
am a
ndC
CS
Dep
artm
enta
l Hea
ds o
fIn
form
atio
n
Chi
ef S
cien
tist,
OST
Hea
ds o
f H
uman
Reso
urce
s
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
July
200
3
July
200
3
July
200
3
July
200
3
Oct
ober
200
2
Oct
ober
200
2
Oct
ober
200
4
Imp
lem
enta
tio
n S
teer
ing
Gro
up
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
118
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Ris
k Su
pp
ort
Tea
m
Rec
.no
Ref
.
8 9 15 16
31a,
b,
c 39 36 37 46
4.1.
44
4.2.
18
4.2.
41
4.2.
46an
d4.
5.7
4.3.
36–3
8
5.50
4.5.
6
5.31
–5.
32
6.47
In o
rder
to
be s
ure
that
pro
gres
s is
bei
ng m
ade
and
bene
fits
are
bein
g de
liver
ed t
here
shou
ld b
e a
full
revi
ew o
f th
e p
ositi
on a
fter
a s
pec
ific
per
iod.
Thi
s w
ill n
eed
to b
eun
derp
inne
d by
mon
itorin
g an
d ev
alua
tion
arra
ngem
ents
, as
an
inte
gral
par
t of
the
reco
mm
ende
d im
pro
vem
ents
.
Ther
e sh
ould
be
an o
ngoi
ng p
rogr
amm
e of
wor
k to
ens
ure
that
cen
tral
gui
danc
e is
com
pre
hens
ive
and
com
pre
hens
ible
, an
d p
rovi
des
a fle
xibl
e fr
amew
ork
for
Dep
artm
ents
to
oper
ate
with
in.
Wel
l-dev
elop
ed d
ecis
ion
mak
ing
fram
ewor
ks r
egar
ding
the
con
trol
of
risk
alre
ady
exis
tin
the
UK.
Con
side
ratio
n sh
ould
be
give
n to
the
ext
ensi
on o
f su
ch s
yste
mat
icap
pro
ache
s to
str
ateg
ic p
olic
y m
akin
g, a
dap
ting
them
as
nece
ssar
y to
rec
ogni
se t
hele
ss q
uant
ifiab
le n
atur
e of
the
dat
a in
volv
ed.
Ther
e ar
e an
incr
easi
ng n
umbe
r of
exa
mp
les
of g
ood
pra
ctic
e in
ris
k m
anag
emen
t, b
utth
is n
eeds
to
be e
ncou
rage
d an
d sp
read
. C
urre
nt n
etw
orks
and
oth
er a
rran
gem
ents
shou
ld b
e st
reng
then
ed a
nd s
pec
ific
risk
man
agem
ent
benc
hmar
king
arr
ange
men
tssh
ould
be
deve
lop
ed.
Net
wor
ks s
houl
d be
str
engt
hene
d an
d p
ublic
ised
. A
net
wor
k co
uld
be s
et u
p o
f ris
kim
pro
vem
ent
man
ager
s w
ho w
ould
lead
the
dev
elop
men
t of
ris
k m
anag
emen
tp
ract
ice
in t
he D
epar
tmen
t an
d co
uld
take
on
ILG
RA’s
cur
rent
res
pon
sibi
litie
s.Th
is c
ould
be
sup
por
ted
by t
he d
evel
opm
ent
of a
n IT
-bas
ed k
now
ledg
e ne
twor
k.
Exis
ting
guid
elin
es o
n ris
k co
mm
unic
atio
n sh
ould
be
cons
olid
ated
and
tar
gete
d to
aw
ider
ran
ge o
f sp
ecifi
c au
dien
ces
and
step
s sh
ould
be
take
n to
ens
ure
that
it is
adop
ted
and
follo
wed
by
units
invo
lved
in h
andl
ing
risks
tha
t af
fect
the
pub
lic.
The
Trea
sury
and
OG
C s
houl
d re
view
the
dire
ctio
n fo
r q
ualit
y st
anda
rds
for
gove
rnm
ent,
dra
win
g on
bes
t p
ract
ice
inte
rnat
iona
lly a
nd d
raw
ing
on t
he f
indi
ngs
ofth
is r
epor
t, t
o en
sure
a c
omp
rehe
nsiv
e an
d us
eabl
e st
anda
rd f
or U
K go
vern
men
t.
The
gove
rnm
ent
shou
ld p
ublis
h a
stat
emen
t of
prin
cip
les
abou
t its
han
dlin
g of
ris
ks t
oth
e p
ublic
. Th
is s
houl
d in
clud
e p
rinci
ple
s of
evi
denc
e-ba
sed
deci
sion
mak
ing,
tran
spar
ency
and
com
mun
icat
ion
with
the
pub
lic a
nd s
take
hold
ers.
The
aim
of
the
prin
cip
les
wou
ld b
e to
pro
vide
a c
lear
ste
er t
o al
l dec
isio
n ta
kers
with
in g
over
nmen
tan
d a
clea
r be
nchm
ark
for
Parli
amen
t, t
he m
edia
and
NG
Os
agai
nst
whi
ch t
o as
sess
Dep
artm
ents
’ per
form
ance
.
The
Risk
Sup
por
t Te
am,
toge
ther
with
ris
k im
pro
vem
ent
man
ager
s w
ithin
Dep
artm
ents
, sh
ould
pro
mot
e an
d ch
amp
ion
the
valu
es n
eede
d to
sup
por
t ef
fect
ive
risk
taki
ng w
ithin
gov
ernm
ent.
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
Risk
Sup
por
t Te
am
OG
C
OG
CRi
sk im
pro
vem
ent
man
ager
s
PSBS
CD
G
GIC
S, C
CS,
HSE
Stra
tegy
Uni
t
OG
C
Risk
imp
rove
men
tm
anag
ers
HR
Dire
ctor
s
Mar
ch 2
003
Oct
ober
200
3
Net
wor
ks –
Oct
ober
2003
Benc
hmar
king
–O
ctob
er 2
004
Mar
ch 2
003
July
200
3
July
200
3
Oct
ober
200
2
July
200
3
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
119
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Cab
inet
Off
ice:
Civ
il C
on
tin
gen
cies
Sec
reta
riat
(C
CS)
Rec
.no
Ref
.
17 20 21 22 23 24 25 40a
4a 32 33
4.2.
52
4.2.
56
4.2.
57
4.2.
59
4.2.
61
4.2.
64
4.2.
65
5.53
4.1.
35
4.3.
41
4.4.
5
The
CC
S an
d St
rate
gy U
nit
shou
ld w
ork
with
Dep
artm
ents
to
help
the
m d
evel
op t
heir
horiz
on s
cann
ing
capa
bilit
ies,
see
king
to
spre
ad b
est
prac
tice,
incl
udin
g w
ays
of a
sses
sing
signi
fican
ce a
nd p
riorit
isatio
n; t
he C
CS
and
Stra
tegy
Uni
t sh
ould
dev
elop
a n
etw
ork
ofD
epar
tmen
tal h
oriz
on s
cann
ers
to s
hare
info
rmat
ion
and
prov
ide
mut
ual c
halle
nge.
The
Civ
il C
ontin
genc
y Se
cret
aria
t (C
CS)
sho
uld
cont
inue
to
deve
lop
its
role
inen
surin
g in
tegr
atio
n of
BC
Ps,
with
par
ticul
ar f
ocus
on
imp
rovi
ng r
esili
ence
at
the
stra
tegi
c le
vel.
The
CC
S sh
ould
wor
k w
ith D
epar
tmen
ts t
o sp
read
goo
d p
ract
ice
in B
CP
for
pro
gram
me
(as
opp
osed
to
adm
inis
trat
ive)
out
com
es.
The
CC
S sh
ould
up
date
Dea
ling
with
Disa
ster
, w
hich
set
s ou
t ru
les
for
hand
ling
cris
essu
ch a
s flo
odin
g. T
he C
CS
shou
ld u
pda
te t
his
to f
ully
ref
lect
the
rev
ised
str
uctu
re o
fW
hite
hall,
to
take
acc
ount
of
emer
ging
issu
es t
hat
pot
entia
lly p
ose
disr
uptiv
ech
alle
nges
, an
d to
set
in p
lace
cle
arer
def
initi
ons
of t
he r
ole
of t
he le
ad D
epar
tmen
t.
The
CC
S an
d C
DG
sho
uld
look
car
eful
ly a
t ar
rang
emen
ts f
or a
ugm
enta
tion
ofD
epar
tmen
ts’ r
esou
rces
dur
ing
times
of
cris
is.
The
CC
S sh
ould
con
tinue
to
deve
lop
its
wor
k on
res
ilien
ce,
linke
d cl
osel
y w
ithco
ntin
genc
y p
lann
ing
wor
k in
Dep
artm
ents
.
As
the
wor
k of
the
CC
S de
velo
ps,
it s
houl
d be
des
igne
d to
com
ple
men
t th
e w
ork
ofth
e Tr
easu
ry a
nd D
U in
iden
tifyi
ng a
nd m
onito
ring
risks
to
the
deliv
ery
of t
hego
vern
men
t’s b
usin
ess
pro
gram
me.
Gov
ernm
ent
shou
ld w
ork
with
the
med
ia a
nd r
egul
ator
s to
imp
rove
the
acc
urac
y of
rep
ortin
g cr
ises
.
Busi
ness
pla
nner
s sh
ould
mak
e fu
ll us
e of
the
Cab
inet
Offi
ce g
uide
, Yo
ur D
eliv
ery
Stra
tegy
: a P
ract
ical L
ook
at B
usin
ess
Plan
ning
and
Risk
.C
DG
to
pro
mot
e us
e of
the
guid
e th
roug
h th
e Bu
sine
ss P
lann
ers’
net
wor
k.
A s
pec
ific
role
for
the
net
wor
k w
ould
be
to p
rovi
de p
eer
grou
p r
evie
ws
and
chal
leng
es.
A s
imila
r ap
pro
ach
shou
ld b
e es
tabl
ishe
d in
gov
ernm
ent
to t
hat
used
in B
P.. Th
ere
shou
ld b
e a
co-o
rdin
ated
and
sys
tem
atic
ap
pro
ach
to t
he p
rovi
sion
of
risk
man
agem
ent
skill
s an
d tr
aini
ng,
unde
r C
DG
lead
ersh
ip.
This
sho
uld
incl
ude:
•th
e de
velo
pm
ent
of a
com
mon
cor
e of
ris
k m
anag
emen
t m
ater
ial (
linke
d to
the
pro
pos
ed s
tand
ard)
on
whi
ch a
ll p
rogr
amm
es c
ould
be
base
d;•
a re
view
of
key
mai
nstr
eam
dev
elop
men
t p
rogr
amm
es t
hat
coul
d us
eful
ly c
over
ris
km
anag
emen
t an
d in
nova
tion,
incl
udin
g ce
ntra
lly-le
d p
rogr
amm
es.
The
revi
ew s
houl
d be
incl
uded
in t
he t
wo-
year
pro
gram
me
of w
ork
reco
mm
ende
d, t
oac
hiev
e a
step
cha
nge
in g
over
nmen
t’s c
apab
ility
to
hand
le r
isk.
Dep
artm
ents
’ hea
ds o
f hu
man
res
ourc
es s
houl
d co
nduc
t si
mila
r re
view
s of
the
ir ow
ntr
aini
ng a
nd d
evel
opm
ent
pro
gram
mes
, w
hich
in t
urn
mig
ht f
orm
par
t of
the
new
Dep
artm
enta
l Cha
nge
Prog
ram
mes
.
CC
SSt
rate
gy U
nit
CC
S
CC
S
CC
S
CC
S an
d C
DG
CC
S
CC
S
CC
S
CD
G
CD
G
CD
G
Trea
sury
Dep
artm
ents
Trea
sury
, D
U
Regu
lato
rs
Risk
Sup
por
t Te
am
Risk
imp
rove
men
tm
anag
ers
Risk
Sup
por
t Te
am,
Stra
tegy
Uni
t
Dec
embe
r 20
02
Dec
embe
r 20
02
Dec
embe
r 20
02
Dec
embe
r 20
02
Dec
embe
r 20
02
Ong
oing
Ong
oing
July
200
3
Dec
embe
r 20
02
July
200
3
Ong
oing
Cab
inet
Off
ice:
Co
rpo
rate
Dev
elo
pm
ent
Gro
up (
CD
G)
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
120
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Cab
inet
Off
ice:
Co
rpo
rate
Dev
elo
pm
ent
Gro
up (
CD
G)
Rec
.no
Ref
.
44 45
2a,
b,
c,d
,e
6.45
6.46
4.1.
22–2
9
Way
s sh
ould
als
o be
exp
lore
d to
pro
vide
a m
ore
bala
nced
foc
us o
n ov
eral
lD
epar
tmen
tal p
erfo
rman
ce, t
o av
oid
undu
e fo
cus
on f
ailu
re, f
or e
xam
ple
by t
he m
edia
and
the
PAC
. CSM
B sh
ould
look
at
this
, bea
ring
in m
ind
the
oppo
rtun
ity t
o pu
llto
geth
er t
he c
urre
nt d
eman
ds a
lread
y m
ade
on D
epar
tmen
ts f
or e
nd-o
f-ye
ar r
epor
ting.
The
Cab
inet
Offi
ce,
sup
por
ting
the
Cab
inet
Sec
reta
ry,
shou
ld e
nsur
e th
at t
he r
isk
man
agem
ent
pro
gram
me
is in
corp
orat
ed in
to t
he b
road
er p
ublic
ser
vice
ref
orm
agen
da,
reco
gnis
ing
the
need
for
wid
er c
ultu
re c
hang
e. In
par
ticul
ar,
this
sho
uld
cons
ider
the
abi
lity
of D
epar
tmen
ts t
o fo
ster
inno
vatio
n.
Polic
y m
akin
g sh
ould
incl
ude
a p
rop
ortio
nate
and
wid
er-r
angi
ng c
onsi
dera
tion
of r
isk
to p
rovi
de a
n ad
equa
te r
evie
w b
efor
e p
rop
osal
s m
ove
into
ful
l dev
elop
men
t. O
PSR’
sw
ork
on IP
PD w
ill m
ake
a si
gnifi
cant
ste
p in
thi
s di
rect
ion
by d
evel
opin
g an
ass
uran
cep
roce
ss t
o su
pp
ort
Dep
artm
ents
in u
nder
taki
ng a
deq
uate
del
iver
y p
lann
ing
befo
rep
olic
y an
noun
cem
ents
are
mad
e.
A m
ore
syst
emat
ic r
equi
rem
ent
to c
onsi
der
risks
shou
ld b
e im
ple
men
ted,
whi
ch s
houl
d be
sub
ject
to
furt
her
disc
ussi
on w
ith P
erm
anen
tSe
cret
arie
s (s
ee a
nnex
6).
This
sho
uld
incl
ude
a si
gn-o
ff th
at t
here
has
bee
n ad
equa
te id
entif
icat
ion
and
asse
ssm
ent
of r
isk
acro
ss t
he r
ange
of
pol
icy
optio
ns,
that
any
miti
gatio
n an
dco
ntin
genc
y p
lans
are
sou
nd,
and
any
assu
mp
tions
sho
uld
be r
evie
wed
and
for
mal
lyte
sted
aga
inst
fut
ure
scen
ario
s. T
his
coul
d be
inco
rpor
ated
in e
xist
ing
asse
ssm
ents
whe
re t
hese
exi
st,
such
as
the
RIA
and
Inve
stm
ent
Ap
pra
isal
s.Th
ese
deve
lop
men
ts s
houl
d be
sup
por
ted
by s
upp
lem
enta
ry g
uida
nce
on r
isk,
issu
edto
pol
icy
mak
ers
to f
ollo
w u
p t
he C
abin
et O
ffice
’s G
uide
to B
ette
r Pol
icy M
akin
gan
dac
cess
ible
thr
ough
the
CD
G w
eb-b
ased
Pol
icy
Hub
. Th
is g
uida
nce
shou
ld a
lso
refle
ctth
e RI
U’s
gui
danc
e on
RIA
s (w
hich
is c
urre
ntly
bei
ng r
evis
ed).
To e
nsur
e th
at t
he q
ualit
y of
info
rmat
ion
used
for
ris
k as
sess
men
t is
goo
d, p
olic
ym
aker
s sh
ould
mak
e in
crea
sing
use
of
know
ledg
e p
ools
, lin
ked
to t
he P
olic
y H
ub(c
urre
ntly
cov
erin
g St
rate
gic
Futu
res,
Exc
elle
nce
in P
olic
y M
akin
g an
d A
rea
Base
dIn
itiat
ives
). T
he r
isk
cont
ent
of t
hese
poo
ls s
houl
d be
enh
ance
d, d
raw
ing
on e
xam
ple
sof
goo
d p
ract
ice
arou
nd g
over
nmen
t.
CD
G r
epor
ting
toC
SMB
Refo
rm S
trat
egy
Gro
up
Dep
artm
ents
Stra
tegy
Uni
t
Risk
Sup
por
t Te
am
OG
C
Risk
Sup
por
t Te
amC
DG
Dec
embe
r 20
02
July
200
3
July
200
3
Cab
inet
Off
ice:
Ref
orm
Str
ateg
y G
roup
Cab
inet
Off
ice:
Str
ateg
y U
nit
Cab
inet
Off
ice:
So
cial
Exc
lusi
on
Un
it (
SEU
)C
abin
et O
ffic
e: D
eliv
ery
Un
it (
DU
)
Conclusions, recommendations
and implementation
– towards
better decisions
and outcomes
121
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Rec
.no
Ref
.
4c 26 19 3a 3b 3c
4.1.
36
4.3.
14
4.2.
55
4.1.
32
4.1.
33
4.1.
34
The
form
at o
f D
U p
lans
sho
uld
be f
urth
er d
evel
oped
to
show
det
ail o
f ris
ks,
thei
rlik
elih
ood
and
imp
act,
and
miti
gatio
n an
d co
ntin
genc
y p
lans
. Th
is f
orm
at s
houl
d th
enbe
mad
e w
idel
y av
aila
ble
to D
epar
tmen
ts a
s a
mod
el.
The
rela
tivel
y ne
w a
rran
gem
ents
for
dea
ling
with
cris
es (
CC
S) a
nd o
ngoi
ng s
igni
fican
tris
ks t
o ke
y go
vern
men
t ob
ject
ives
(D
U)
need
to
be c
omp
lem
ente
d by
a c
apac
ity t
ore
view
long
er-t
erm
thr
eats
and
op
por
tuni
ties
whi
ch s
houl
d be
und
erta
ken
by S
trat
egy
Uni
t, b
uild
ing
on it
s cu
rren
t St
rate
gic
Futu
res
wor
k.
The
SEU
, w
orki
ng w
ith t
he N
eigh
bour
hood
Ren
ewal
Uni
t, t
he R
egio
nal C
o-or
dina
tion
Uni
t an
d re
leva
nt D
epar
tmen
ts,
coul
d co
nsid
er p
layi
ng a
larg
er r
ole
in t
rack
ing
pot
entia
l cro
ss-c
uttin
g ris
ks,
incl
udin
g th
e im
pac
t of
gov
ernm
ent
initi
ativ
es o
n th
ese
risks
. Th
ese
mig
ht in
clud
e: n
ew g
roup
s co
min
g on
to
bene
fits
or li
kely
to
beco
me
soci
ally
exc
lude
d; t
owns
and
citi
es f
ailin
g to
reg
ener
ate
or f
acin
g ec
onom
ic p
robl
ems
beca
use
of o
ver-
dep
ende
nce
on d
eclin
ing
indu
strie
s. In
som
e of
the
se c
ases
offi
cial
stat
istic
al d
ata
will
alw
ays
be t
oo la
te f
or a
deq
uate
act
ion.
Ane
cdot
al a
nd s
ubje
ctiv
ein
form
atio
n ne
eds
to b
e dr
awn
in f
rom
fro
nt-li
ne s
taff,
the
pub
lic,
insp
ecto
rate
s an
dot
hers
.
The
Trea
sury
sho
uld
furt
her
deve
lop
the
ap
pro
ach
to r
isk
in t
he S
pen
ding
Rev
iew
. Th
issh
ould
invo
lve
deve
lop
ing
the
guid
ance
for
Dep
artm
ents
bef
ore
the
2004
Sp
endi
ngRe
view
; an
d is
suin
g sp
ecifi
c gu
idan
ce o
n as
sess
ing
risk
to t
he T
reas
ury
Spen
ding
Tea
ms
(sim
ilar
to r
ecen
t gu
idan
ce o
n D
eliv
erab
ility
) fo
r us
e in
fin
alis
ing
deliv
ery
pla
ns f
rom
the
2002
Sp
endi
ng R
evie
w.
The
Trea
sury
, D
U a
nd C
CS
shou
ld w
ork
toge
ther
with
Dep
artm
ents
thi
s au
tum
n to
ensu
re t
hat
thei
r de
liver
y p
lans
ade
qua
tely
add
ress
ris
k, b
alan
cing
the
nee
d to
inve
st in
resi
lienc
e w
ith t
he p
ursu
it of
oth
er o
bjec
tives
; an
d th
at c
ross
cut
ting
risks
are
iden
tifie
dan
d ac
coun
tabi
lity
for
actio
n es
tabl
ishe
d. M
onito
ring
arra
ngem
ents
sho
uld
trac
k ris
kas
sess
men
ts a
nd p
rogr
ess
with
miti
gatio
n p
lans
, re
por
ting
to P
SX.
Ther
e sh
ould
be
an in
crea
sed,
man
dato
ry r
equi
rem
ent
for
risk
asse
ssm
ent
(per
hap
slin
ked
to O
GC
Gat
e Z
ero)
to
be f
ulfil
led
befo
re P
SAs
are
pub
lishe
d an
d fu
ndin
g is
rele
ased
. Tr
easu
ry s
houl
d al
so c
onsi
der
whe
ther
a m
ore
exp
licit
por
tfol
io a
pp
roac
h to
risk
mig
ht b
e ta
ken
in t
he 2
004
Spen
ding
Rev
iew
– w
ith t
he o
utco
me
bein
g a
mix
of
high
ris
k/hi
gh r
etur
n ob
ject
ives
and
low
er r
isk
area
s w
ith le
ss c
halle
ngin
g se
rvic
ede
liver
y ta
rget
s.
DU
Stra
tegy
Uni
t
SEU
Trea
sury
Dep
artm
ents
Trea
sury
, D
U
Trea
sury
Risk
Sup
por
t Te
am
DU
, Tr
easu
ry,
CC
S
Dec
embe
r 20
02
Oct
ober
200
3
Aut
umn
2002
Oct
ober
200
2
Dec
embe
r 20
02
July
200
4
Cab
inet
Off
ice:
Ref
orm
Str
ateg
y G
roup
Cab
inet
Off
ice:
Str
ateg
y U
nit
Cab
inet
Off
ice:
So
cial
Exc
lusi
on
Un
it (
SEU
)C
abin
et O
ffic
e: D
eliv
ery
Un
it (
DU
)
Trea
sury
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
122
Rec
om
men
dat
ion
Lead
res
po
nsi
bili
tySu
pp
ort
ed b
yTi
met
able
Trea
sury
Rec
.no
Ref
.
6b 6c 7 11 27 40
4.1.
39
4.1.
39
4.1.
41
4.2.
24
4.3.
24
5.51
–5.
52
Cos
t be
nefit
ana
lysi
s sh
ould
be
deve
lop
ed t
o in
clud
e ex
plic
it ris
k as
sess
men
t as
asi
gnifi
cant
ele
men
t of
op
tion
app
rais
al.
The
Trea
sury
’s g
uide
to
inve
stm
ent
app
rais
al (
know
n as
the
“G
reen
Boo
k”)
shou
ld b
ede
velo
ped
to
deal
with
the
se is
sues
.
The
Trea
sury
sho
uld
cons
ider
run
ning
a p
ilot
of t
he u
se o
f ca
ptiv
e in
sura
nce
arra
ngem
ents
in g
over
nmen
t.
The
esta
blis
hmen
t of
a b
road
com
mon
cat
egor
isat
ion
of r
isk
typ
es c
ould
sig
nific
antly
help
com
mun
icat
ion
acro
ss g
over
nmen
t –
the
Trea
sury
sho
uld
lead
effo
rts
to e
stab
lish
this
.
The
qua
lity
of g
over
nmen
t ris
k m
anag
emen
t sh
ould
be
imp
rove
d th
roug
h a
two-
year
pro
gram
me
of c
hang
e. T
he t
imet
able
sho
uld
be in
tegr
ated
with
tha
t of
the
Sp
endi
ngRe
view
and
the
pro
duct
ion
of S
tate
men
ts o
f In
tern
al C
ontr
ol.
The
pro
gram
me
shou
ldin
clud
e th
e fo
llow
ing
stra
nds
(inte
grat
ing
the
Stra
tegy
Uni
t re
com
men
datio
ns w
ithex
istin
g in
itiat
ives
): c
omm
unic
atio
ns w
ith t
he p
ublic
; em
bedd
ing
risk
(in t
he S
pen
ding
revi
ew,
pol
icy
mak
ing,
bus
ines
s p
lann
ing,
pro
ject
and
pro
gram
me
man
agem
ent)
;le
ader
ship
and
cul
ture
cha
nge;
ski
lls;
guid
ance
, st
anda
rds
and
benc
hmar
king
;C
orp
orat
e G
over
nanc
e.
Act
ion
by D
epar
tmen
ts s
houl
d be
und
erp
inne
d by
cle
ar c
orp
orat
e gu
idel
ines
on
risk
com
mun
icat
ion,
initi
ativ
es t
o im
pro
ve le
vels
of
pub
lic u
nder
stan
ding
abo
ut r
isk
conc
epts
, an
d w
ork
with
the
med
ia a
nd r
egul
ator
s to
imp
rove
the
acc
urac
y of
rep
ortin
g of
cris
es.
Trea
sury
Trea
sury
Trea
sury
Trea
sury
Trea
sury
Chi
ef S
cien
tific
Adv
iser
and
HSE
OG
C
Risk
Sup
por
t Te
am,
DfE
S
Janu
ary
2003
Mar
ch 2
003
Janu
ary
2003
Janu
ary
2003
Star
t-up
: Se
pte
mbe
r20
02
Fully
est
ablis
hed
Dec
embe
r 20
02
July
200
3
Ch
ief
Scie
nti
st (
CSO
)
PROJECT TEAM AND SPONSOR MINISTER
The report was prepared by a multidisciplinary team, guided by aMinisterial Sponsor, and advised by a number of Expert Groups withgovernment and non-government representation (see annex 1).
The project team comprised:• Tracey Burke – on secondment from the Welsh Development Agency
• Jeremy Hotchkiss – on secondment from the Office of the DeputyPrime Minister
• Chris Howard – on secondment from PricewaterhouseCoopers
• Sarah Graham – deputy director, Strategy Unit
• Sue Jenkins – independent consultant
• Hugh Pullinger – project leader, on secondment from the Departmentfor Work and Pensions
• Tracy Rubenstein – on secondment from the BBC
• John Saltford – on secondment from the Public Record Office
The project team was supported by: • Bernadette Makena-Wanjiku – Strategy Unit
• Meirion Winmill – Strategy Unit
Additional input was provided by: • Ruth Ingamells – Strategy Unit
• Paul Harris – on secondment from Rolls Royce
• Caroline Haynes – on secondment from PricewaterhouseCoopers
• Rob Lloyd-Jones – Strategy Unit
• Keith Palmer – NM Rothschild and Sons
Sponsor Minister:The work of all Strategy Unit teams is overseen by a Sponsor Minister.Barbara Roche MP, Minister of State at the Cabinet Office and Minister for Women, was Sponsor Minister until June 2002, followed by LordMacdonald, Minister for the Cabinet Office and Chancellor of the Duchyof Lancaster.
Project team
and sponsor
minister
123
GLOSSARY
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
124
ALARP As low as reasonably practicableBBC British Broadcasting CorporationBCP Business continuity planningBRTF Better Regulation Task ForceBSE Bovine Spongiform
EncephalopathyBSI British Standards InstitutionCAM Charity Awareness MonitorCCS Civil Contingencies Secretariat(v)CJD Creutzfeldt-Jakob DiseaseCDG Corporate Development Group
(Cabinet Office)CMPS Centre for Management and
Policy Studies (Cabinet Office)COBR Cabinet Office Briefing RoomCSMB Civil Service Management BoardDCP Departmental Change ProgrammeDEFRA Department for Environment,
Food and Rural AffairsDfES Department for Education and
SkillsDfT Department for TransportDTI Department of Trade and IndustryDTLR Department for Transport, Local
Government and the RegionsDU (Prime Minister’s) Delivery Unit
(Cabinet Office)DWP Department for Work and
PensionsEIU Economist Intelligence UnitERM Enterprise Risk ManagementFMD Foot and Mouth DiseaseFSA Food Standards AgencyGICS Government Information and
Communication Service
GLS Government Legal ServiceGM Genetically ModifiedHMT Her Majesty’s TreasuryHSE Health and Safety ExecutiveILA Individual Learning AccountsILGRA Inter-departmental Liaison Group
on Risk AssessmentIPPD Improving Programme/Project
DeliveryIPPR Institute for Public Policy ResearchISO International Organisation for
StandardisationMEF Media Emergency ForumMMR Measles, Mumps, Rubella (vaccine)MOD Ministry of DefenceNAO National Audit OfficeNDPB Non-Departmental Public BodyNFU National Farmers’ UnionNGO Non Governmental OrganisationNICE National Institute for Clinical
ExcellenceODPM Office of the Deputy Prime
MinisterOECD Organization for Economic
Cooperation and DevelopmentOFCOM Office of CommunicationsOFT Office of Fair TradingOGC Office of Government CommerceOPOCE Office des Publications Officielles
des Communautés EuropéennesOPSR Office of Public Services Reform
(Cabinet Office)OST Office of Science and TechnologyPAC Public Accounts CommitteePFI Private Finance Initiative
PPE Post Project EvaluationPPP Public Private PartnershipPRINCE Projects in Controlled
EnvironmentsPSA Public Service AgreementPSX Ministerial Committee on Public
Services and Public ExpenditureRMSG Risk Management Steering GroupSCS Senior Civil ServiceSDA Service Delivery AgreementSEU Social Exclusion Unit (Cabinet
Office)SIC Statement of Internal ControlSPRITE Successful Projects in an IT
EnvironmentSRA Strategic Rail AuthoritySU Strategy Unit (Cabinet Office)
Glossary
125
INDEX
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
126
AAdams, John 20Agriculture and Environmental Biotechnology
Commission 24, 86ALARP (As low as reasonably possible) 50amplification of concern 22, 81anthrax 21, 82arm’s-length bodies 56, 63, 74, 83, 84, 88,108Asian economic crisis 53AS/NZS 4360: 1999 see Australiaassessment, risk see riskasylum 105audit 39, 40, 41, 62, 66,
annual, of Departmental accounts 102Committee 32, 68functions 17, 102internal 34, 102trail 28, 101, 102, 108
Audit and Accountability report see Sharmanaugmentation, of Departments’ resources 54,106Australia 23, 36, 52, 72, 95, 107
Auditor-General 95, 106Comcover 36, 52, 95, 107risk management, national standard for(AS/NZ 4360: 1999) 72, 95
BBBC 82, 90BCP (Business continuity planning) 46, 53,55, 106Beck, Ulrich 20beef on the bone, banning of 76 Belgium 77benchmarking 27, 44, 51, 52, 62, 72, 73,106, 107, 109, 110, 112
Benefit Payment Card 25, 112Better Regulation Task Force (BRTF) 10, 61, 79biodiversity, threats to 22 biological attack 4, 76, 82biotechnology 22, 24blame (culture), avoiding 94, 96, 97, 101Board members see Departmental Board
membersBourn, Sir John (Comptroller and Auditor
General) 99Bovine Spongiform Encephalopathy (BSE)
4, 5, 16, 19, 21, 24, 25, 75, 77, 79, 83,85 see also Phillips, Lord public trust on 78
BP (British Petroleum) 45, 54, 66, 96Broadcasting Act 1990 77BSI (British Standards Institution) 72business:
continuity 16, 29, 46, 51Planners’ network 36, 103planning 29, 30, 32, 36, 37, 49, 61, 62,95, 110
CCabinet Office 17, 18, 38, 56, 57, 60, 61, 62,69, 102, 103, 107, 108, 109, 112, 113,119–122
guidance from 107Guide to Better Policy Making 34, 79guide, Your Delivery Strategy 36survey by 21web-based tools 66Your Delivery Strategy – a Practical Lookat Business Planning and Risk 36
California: power generation crisis in 13Canada:
Index
127
Head of Civil Service 95Integrated Risk Framework 23, 31-32, 72
CAN/CSA-Q850:1997 (Canadian nationalstandard for risk management) 72
CCS (Civil Contingencies Secretariat) 24, 35,45, 51, 52, 53, 54–55, 58, 59–60, 61, 82,88, 105, 106, 110, 113, 119
Crisis Co-ordination Centre 54, 59, 88Media Emergency Forum, working with see media
CDG (Corporate Development Group) 34,36, 54, 60, 61, 71, 107, 112, 113, 119–120
risk management skills and training 67, 68–69web-based Policy Hub 34
Channel Tunnel Rail Link 65charities 78 Chief Medical Officer 88Chief Scientific Adviser 81, 88, 89, 90Chief Veterinary Officer 88Civil Contingencies Committee 87civil defence legislation 55Civil Service 21, 68, 94, 95 see also public
sectorCivil Service College 68management systems 67reform 61, 94–95, 102–103Senior (SCS) 61, 68, 69, 70, 71
Civil Service Management Board (CSMB) 62,94, 102, 104, 108, 109, 111
consideration of strategic risks by 32, 105role in implementation of Risk Report
CJD or vCJD (Creutzfeldt-Jakob Disease) 75,82climate change 4, 49, 75Clinical Services Directorate see Department
of Healthcloning 6, 22CO2 emissions 20 COBR (Cabinet Office Briefing Room) 54Coca Cola 77Code of Practice on Access to Government
Information 80Comcover see Australia
Commercial Radio Companies Association seeradio
communication 6–7, 16, 26, 47, 54, 60, 80,83
risk see riskstrategies 26
Communications bill 77computer:
fraud 22viruses 22
consequence management 54consultation fatigue 84, 87Consumer Champions’ network 103contingency
build 50, 68planning see planningresource 60
Control Risk Self-Assessment 45corporate governance 14, 17, 22, 41, 42, 57,61, 62, 68, 72, 95, 102, 104, 109, 112
Combined Code on see Turnbull ReportCreutzfeldt-Jakob disease see CJDcrime 8, 24, 35, 36, 105crisis:
communications 60, 88conditions 76, 107Co-ordination Centre see CCSmanagement 19, 51, 52, 57, 58, 65, 106reporting of 90
Cullen Report (Ladbroke Grove rail crash) 16
DDanish Food Standards Agency 83Danone 57Dealing with Disaster see Home Officedecision making 18, 28–29, 47, 52, 70, 76,79, 83, 89, 91, 104
evidence based 79, 81frameworks 50processes 8, 38well-judged 69, 93, 101, 108
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
128
defence:arrangements 52capability 11Select Committee Report on Defence and Security in the UK see SelectCommitteesMinistry of see MoD
deference: declining 21Delivery Unit (DU) 24, 35, 36, 55, 58, 59, 61,69, 105, 106, 110 Delphi survey 45Department for Education and Skills (DfES)15, 46, 49, 89Department for Environment, Food and Rural
Affairs (DEFRA) 24, 45, 46, 70, 79consultation on handling radioactivewaste 86GM crops, public debate on 89Guidelines for Environmental RiskAssessment and Management 34list of top twelve threats 46new plan for dealing with F&M outbreak54radioactive waste, consultation on 86Risk Forum, establishment of 66Risk Management Strategy 43–44, 85,110risk tolerance, use of by Board 49stakeholder engagement 47, 81, 85, 86,88
Department of Health (DoH) 73, 81, 87, 88,89
Commission for Patient and Public Involvement in Health 81Public Health and Clinical Services Directorate 81
Department of Trade and Industry (DTI) 45Department for Transport (DfT):
Integrated Policy Assessment framework33, 72, 110
Department for Work and Pensions (DWP) 45,46Departmental Accounting Officer 41, 109Departmental Board members 32, 41
survey of by the Strategy Unit 15, 18–19, 30, 38, 42, 58, 100
Departmental Publication Scheme 85Diageo 96directive and preventative controls 50disease 5, 8, 11, 12, 29, 49, 53, 59, 79Domestic Horizon Scanning Committee see
horizon scanning drivers of change 39
Ee-business: risks of 23e-government strategies 98e-mail updates 88education 25, 35, 36, 93, 105Education and Skills Select Committee see
Select CommitteesEIU (Economist Intelligence Unit) 23, 40, 41,47, 57
Enterprise Risk Management report 23, 42electronic tagging scheme see Home Officeembedding risk management see riskEmergency Planning Division see Home
Officeenergy business 13Enron 23Environmental Agency 75Europe 23, 41,Exchange Rate Mechanism 15Exxon oil spill 79
Ffinancial services 13Financial Services Authority 75, 83Firestone 77Fischoff, Baruch 20Fitzgerald, Niall (Chairman of Unilever) 96“flesh-eating bug” 76, 77flooding 4, 8, 10, 11, 12, 54, 82focus groups 86Food Standards Agency 24, 63, 64, 75, 82,83, 86, 89, 99Foot and Mouth Disease 19, 52, 66
cost of 25, 112DEFRA’s new plans for dealing with 54,85, 88
Index
129
MORI poll on government’s handling of21NAO report into 79reports into 53
Ford 77France, health care provision in 93Freedom of Information Act 2000 80, 85, 89fuel blockade/crisis 52, 54, 75, 77 Furedi, Frank 20futures, strategic 29, 35, 45, 59
GGate Zero see OGCGateway Review see OGC Gateway Reviewgenetic engineering 24 GICS (Government Information and
Communication Service) 62, 88, 109GM (Genetically Modified):
crops 22, 76, 86DEFRA facilitating a public debate on seeDEFRAdrugs 5food 5, 82
Government:News Network 82stewardship role 9, 10, 11, 12
Green Alliance 80Green Book see TreasuryGuide to Better Policy Making see Cabinet
OfficeGuidelines for Environmental Risk Assessment
and Management see DEFRA
HHatfield see rail crasheshealth care see public healthHome Office:
electronic tagging scheme 25, 36Emergency Planning Divisionpublication, Dealing with disaster 54
Hood, Chris 20horizon scanning 3, 29, 39, 45, 52, 53, 55,59, 76, 87, 106
Domestic, committee 59
HR Directors 69network 103
HSC (Health and Safety Commission) 40HSE (Health and Safety Executive) 40, 61, 62,75, 81, 82, 89, 96, 109Human Fertilisation and Embryology
Authority 75Human Genetics Commission (HGC) 56, 75,82
IIBM 97ICI 97ILAs (Individual Learning Accounts) 15, 16,46ILGRA (Inter-departmental Liaison Group on
Risk Assessment) 51, 60, 61, 62, 65, 66,80, 81, 109
Implementation Steering Group 62, 66, 73,86, 104, 109, 110, 113, 117Indonesia 53industrial action 29, 59Inglehart, Ronald 21Inland Revenue 45insurance 12, 95integrated:
Policy Assessment Framework 72Policy Assessment Tool 33, 110risk (management) framework seeCanadarisk management see risk management
Integrated Policy Assessment framework seeDepartment for Transport and ODPM
Internal Control: Guidance for Directors on theCombined Code see Turnbull Report
internal controls 51International Standards Organisation 72Internet 82, 86IPPD (Improving Programme/Project
Delivery – OPSR) 33, 45, 60, 61, 71, 110IT 4, 5, 13, 15, 17, 19, 25, 36, 45, 53, 65,100, 103
Directors 21, 69Directors’ Group see SPRITE
JJapan: risk management, national standard
for (JIS Q 2001:2001) 72Johnson and Johnson 79Joint Intelligence Committee (JIC) 60, 111
KKasperson, Roger 20knowledge networks see networksknowledge pool see policy hubKPI (Key Performance Indicators) 51–52
LLadbroke Grove rail crash see Cullen ReportLandfill Directive targets 49Lyme Bay tragedy 76
MMalaysia 53Managing Risk in Government Departments
see PACMarks and Spencer 97McCartney Report 103media 14, 22, 60, 75, 77, 89, 90, 92, 100,102, 108
broadcast 84Emergency Forum 82, 90mis-reporting by 88Monitoring Unit 60 news 82, 84, 88, 90scanning of 87
Medicines Control Agency 75Millennium bug 68, 78mitigation, risk see riskMMR (Measles, Mumps, Rubella) 4, 21, 76,77, 82, 112mobile phones 20, 22 MoD (Ministry of Defence) 40, 45, 46, 57
Strike Command 32war games 68
Modernising Government White Paper(Cabinet Office) 97
Monetary Policy Committee (MPC) 63, 64,83MORI 19, 20, 21, 78
NNAO (National Audit Office) 5, 14, 15, 16,22, 31, 34, 36, 51, 79, 92, 97, 99–100
Supporting Innovation report 2000 17,30, 112
National Assembly for Wales 89National Consumer Council 80National Curriculum, teaching of risk
concepts 89National Health Service 36, 81, 87National Institute for Clinical Excellence
(NICE) 63, 64, 81national security 85NDPBs (non-departmental public bodies) 56,63, 68Neighbourhood Renewal Unit 53, 106networks 22, 51, 65–66, 107
critical 12cross government 109 knowledge management 66, 69risk 60, 62
New Zealand:risk management, national standard for(AS/NZS 4360: 1999) 23, 31, 72, 95State Services Commission 32
News see mediaNews Co-ordination Centre 88, 89–90NGOs 22, 83, 84, 86
OODPM (Office of the Deputy Prime Minister)33, 72, 110OECD (Organization for Economic
Cooperation and Development) 21, 98Office of Communications (OFCOM) 77, 90OGC (Office for Government Commerce) 7,36, 37, 43–44, 46, 49, 60, 61, 62, 65, 68,69, 70, 72, 73, 101, 102, 103, 106, 107,108, 109, 111
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
130
Gate Zero 33, 35 Gateway Review 25, 28, 33, 37, 50, 99,101, 102, 112Practitioner Guide (on risk) 73Programme/project managementframework 44website 44
oil supply 29O’Neill, Baroness see Reith Lecturesopenness/transparency 19, 23 , 74, 76, 78,79–80, 81–84, 89, 91, 93OPSR (Office for Public Sector Reform) 32,44, 60, 61, 69, 106, 110Orange Book see Treasury
PPAC 5, 14, 18, 31, 36, 38, 65, 92, 99–100,102, 105, 108
Managing Risk in GovernmentDepartments report 2001 17, 30
Paddington see rail crashesPartnerships UK 96Passport Service (Agency), UK 16, 25, 36, 51,112peer review 65–66, 69, 90, 110 People Management Systems 70–71People’s Panel surveys 21PFI 50, 56, 61, 64–65, 106Phillips, Lord Inquiry into BSE 5, 16, 41, 79
see also Bovine SpongiformEncephalopathy
planning:business see businesscontingency 6, 15, 18, 33, 34, 36, 37,51, 52, 53–54, 59, 69, 79, 110delivery 33, 109
plans 16, 31, 35, 38, 81, 88, 90, 91strategic and operational 32
policy:Effects Framework see Regulatory ImpactUnithub 28, 29, 30, 35, 66making/makers 28, 29, 30, 32–35, 50,63–64, 69, 109
polluter pays principle 11Post Implementation Reviews 51post project evaluation 37postal delivery 93Potter’s Bar see rail crashesPPP 56precautionary principle 80, 91Prime Minister’s Delivery Unit see Delivery
Unit“Prince 2” 36, 41Principal Finance Officers 69
Group 103prisons, privately run 13private sector 4, 18, 22, 23, 25, 39, 40,
41–42, 51, 65, 72, 79, 93, 96, 97, 98,106models 54risk management professionals in 95
programme/project management frameworksee OGC website
PSA (Public Service Agreements) 28, 35, 60,66, 69, 95, 102, 105, 110PSBS (Public Sector Benchmarking Service)51, 66, 73PSX Cabinet Committee 35, 60, 62, 104,109, 111 public:
engagement 18, 82–83government information to, about risk75rising expectations 5, 8, 92trust see trustvalues see values
public attitudes 76, 78, 81care 12, 74, 87health 7, 12, 24, 35, 36, 49, 87, 93, 105see also Department of Healthresearch 78, 87risk to 41
Public Health and Clinical ServicesDirectorate see Department of Health
public sector 5, 13, 18, 22, 41, 42, 51, 72,93, 97, 98, 99 see also Civil Service
Australian 36, 52core provision 93
Index
131
improving innovation andentrepreneurship with 93reform 5, 109
Public Services Directorate see Treasury
Rradiation 22radio:
commercial 90independent news 90local 77, 82
radioactive waste, handling of see DEFRArail industry:
crashes 16, 76incidents 65risk assessment in 16safety 4travel 37
Railtrack 14Reform Strategy Group 70Regional Co-ordination Unit 53, 61, 106regulatory impact assessments (RIAs)11, 30,31, 33, 34, 37, 61, 72, 110Regulatory Impact Unit (RIU) 33, 61, 72, 110
Policy Effects Framework 33Reith Lectures 79Renn, Ortwin 20Research Councils 24resilience 24, 35, 39, 52, 53, 54–55, 57, 59,101, 105, 106Reuters, Business Risk Management Process96risk:
Advisory Group/decision making body61, 62, 109appetite 18, 94assessment 7, 12, 16, 22, 25, 28, 29, 30,31, 33, 34, 35, 36, 37, 38, 39, 41, 46,47–48, 49, 57, 79, 85, 86, 91, 97, 100,105, 110, 112attitudes towards by public 19–20aversion 92, 95, 97, 98, 100communication 16, 24, 44, 62, 66, 80,81, 82–93, 94, 110
cross-cutting 19, 35, 36, 46, 53, 57, 106embedding 18, 27, 28, 30, 31, 48, 51,57, 62, 69, 105, 109experts, survey of by the Strategy Unit18–19, 41 Forum see DEFRAframework 18, 38, 42, 61, 73, 80, 85 identification 6, 7, 19, 29, 30, 33, 39,45–46, 57, 86–87, 91, 100, 107Improvement Managers 66, 67, 70, 84,85, 86, 89, 90, 94, 103, 109, 113,115–117mitigation 6, 7,12, 16, 35, 37, 48, 50,69, 105, 111networks see networkspooling 12, 37register 32, 87reporting 32, 59–60reputational 13, 39review 18, 45, 57, 105strategic 13, 32, 39, 42, 52–53, 68, 105strategic handling of 15, 40Support Team 62, 69, 72, 73, 84, 85,88, 89, 94, 103, 108, 109, 110, 111,112, 118taking, well-judged 31, 92, 94–95, 98,101Task Forces 45tolerance 49 see also DEFRAtransfer 4, 65types 7–8
risk management 7, 25, 26, 27, 36, 38,39–55, 60–62, 83
benchmarking 51, 112embedding 31, 68, 93Enterprise 41–42Framework 24, 31language 6–7standard 65, 72, 107Steering Group 51, 60, 61, 62, 65, 109Three Pillars of see Unilevertraining in 68–69
Royal Armouries Museum 65
Risk
: Im
prov
ing
gove
rnme
nt’s
ca
pabi
lity
to
ha
ndle
ri
sk an
d un
cert
aint
y
132
SScandinavian countries 23scenarios 45, 47, 53, 106
planning 40, 45, 87Science and Technology Select Committee
see Select Committeesscientific advisory committees 89Scottish Executive 89Security and intelligence coordinator 60Select Committees (House of Commons and
House of Lords):Defence 79Education and Skills 15Science and Technology 21, 79
September 11th 4, 5, 12, 23, 76, 82 Sharman report 2001(on audit andaccountability) 100
government response to 102SIC (Statements of Internal Control) 22, 24,31, 32, 41, 51, 61, 62, 102, 109Singapore 53Slovic, Paul 20smallpox vaccine, purchase of 76smoking, risks of 75Social Exclusion Unit (SEU) 53, 106Soham murders 76Spending Reviews 28, 30, 32, 35–36, 38, 49,60, 61, 62, 104, 105, 108, 110SPRITE (Successful Projects in an IT
Environment) 103stakeholders 5, 23, 30, 47, 54, 74, 79, 81–86Stock Exchange: Combined Code on Corporate
Governance see Turnbull ReportStrategic Rail Authority (SRA) 45, 46Strategy Unit 19, 45, 52, 53, 59, 69, 70, 82,104, 106, 110, 111, 112
study on risk 5, 14, 82, 110Supporting Innovation report see NAOSwedish Food Standards Agency 83
Ttelecommunications business 13, 53terrorism 13, 54, 59, 76, 82Thailand 53training see risk managementtransparency see openness
Treasury (HMT) 17, 22, 31, 35–38, 44, 46,55, 56, 57, 59, 60, 65, 68, 69, 72, 73, 105,106, 107, 111, 112, 121–122
Green Book 37, 61, 110Orange Book 36, 42, 50, 61, 72, 73Public Services Directorate 61Risk Support Team see Risk Support Team
Troika scheme (for airline industry) 12trust 20–21, 41, 76, 78, 84
and Transparency see Reith Lectures Turnbull Report 22Tylenol see Johnson and Johnson
UUK Resilience (set up by CCS) 52, 82, 88UK risk management, national standard of
(BS-6079-3:2000) 72Unilever 45, 57
“Path to Growth” business strategy 96“Three Pillars of Risk management” 45
United States 23, 81unrest, social 59
VVaccination, MMR see MMR
Policy 88values
from risk assessment 47–48public 74, 76, 77, 81, 91World Values Survey see World ValuesSurvey
Wwater business 13Welsh Development Agency 49, 64Wilson, Sir Richard 95World Values Survey 21
YY2K see Millennium bugYour Delivery Strategy – a Practical Look at
Business Planning and Risksee Cabinet Office
Index
133
Strategy UnitCabinet OfficeFourth FloorAdmiralty ArchThe MallLondon SW1A 2WHTelephone 020 7276 1416Fax 020 7276 1407E-mail strategy@cabinet-office.x.gsi.gov.ukWeb www.strategy.gov.uk
© Crown copyright 2002
Publication date November 2002
The text in this document may be reproduced free of charge in any format or media without requiring specific permission. This is subject to the material not being used in a derogatory manner or in a misleading context. The source of the material must be acknowledged as Crown copyright and the title of the document must be included when being reproduced as part of another publication or service.
Ref: 254205/1102/D16
This report is printed on Revive Silk material. It is made from 100% recycledpost-consumer waste, is totally chlorine free and fully recyclable.