
Graham Liddell: Mastering risk management and not box ticking

Photo (cropped): Wokandapix/pixabay

Councils can find it difficult to grasp risk management. Graham Liddell argues it's time for local authorities to undertake an honest appraisal of their management processes.

Why do local authorities so often get risk management wrong? They are exposed to a range of challenging and diverse risks: declining financial resources, keeping vulnerable adults and children safe, providing other essential services, keeping sensitive data secure and so on. But all too often risk management is treated as yet another box-ticking corporate process. How often do senior managers have meaningful conversations about how to manage their key risks?

The textbook answer to assessing the effectiveness of risk management is to review the risk maturity of an organisation. And there is a range of diagnostic tools, full of worthy questions, to do this:

  • Is responsibility for risk management included in job descriptions?
  • Does the board regularly review its risks?
  • Has the organisation defined its risk appetite?

But assessing risk management in this way often gives false assurance. Does ticking all the “risk mature” boxes mean that we have identified all our risks and are managing them effectively? I doubt it.

Furthermore, I am not sure that a positive internal audit report on risk management is always that helpful. We auditors like systems and might well report that expected controls are in place and operating as they should. But how often does this consider the quality of the thinking, or the robustness of the risk register? I think it’s time for an honest appraisal of the effectiveness of our risk management arrangements.

Emotions

Pretty much all senior management teams spend some time reviewing their strategic risks, even if it is just once a quarter. So the simplest starting point is to reflect on your emotions following one of these meetings. Which of the following best represents how you feel?

  • Blissfully ignorant, we don’t really bother with the risk register.
  • Gnawing with doubt: we’ve ticked the box but not much more.
  • Cautiously optimistic: we’re beginning to understand some of this stuff.
  • Enthusiastic: some great discussion and now we need to translate these into robust actions.
  • Confident: we’ve identified our key risks and robust plans are in place to bring risks down to an acceptable level.

And just to show that this is a well thought out management tool and not something dreamt up on a sunny Sussex afternoon, here is a picture to help you decide.

I suspect that most senior officers would assess themselves as cautiously optimistic. My job as an auditor is to instil some gnawing doubt. So, let's revisit that self-assessment. Here are four challenge questions. If you want to skip the detail, scroll down to another diagram.

1 Does your risk management system really identify all your key risks?

  • What has your risk register management system missed in previous years?
  • Are you fixing stuff that could have been prevented?
  • What are you spending money on that would not have been needed if only pre-emptive action had been taken 5 or 10 years ago?
  • What is your risk register missing now?
  • Does your risk register set out clearly the main things that keep you awake at night?

2 Do you have clear mitigating controls in place?

  • Are these summarised clearly?
  • Can you tell whether these bring the risk down to an acceptable level?

3 Are robust plans in place?

  • Have you set out what level of risk you need to get to?
  • Is there a robust, time bound, action plan in place to achieve this?
  • Does the action plan address both likelihood and impact?

4 Do you have robust assurance that controls are working and actions are on track?

  • How quickly would you find out if controls weren’t working or actions not addressed?
  • Does progress on the action plan form a key part of your one to one meetings with managers?
  • Is the risk register updated on a regular basis?
  • If you have adopted the three lines of defence model, how robust is the assurance you get from your second and third lines?


Still feeling confident? If not, perhaps it’s time to start taking risk management seriously. Don’t get me wrong, I’m all for a well-structured risk management process. But don’t be fooled, risk management is about managing risks. It’s not about ticking boxes.

Graham Liddell

Graham Liddell is head of Internal Audit at Brighton & Hove City Council.
