Risk Management Reports

The Australian/New Zealand Risk Management Standard started the movement in 1995 (see RMR March 1995), expanding in 1999 with specific provisions to fit the public sector. The Treasury Board of Canada Secretariat built on that base and created an integrated risk management framework for government in 2001 (see RMR September 2000). Now Her Majesty’s Government in the United Kingdom raises the ante with the latest, and, I think, the most complete, innovative approach to our discipline for government. Risk: Improving government’s capability to handle risk and uncertainty, published by the UK’s Strategy Unit in November 2002, is a direct result of recent crises that include BSE, rail safety, vaccines, environmental change, and, of course, the shock of September 11, 2001. It is a candid admission that government has lost public trust by failing to address many risks as well as it should. The Report, plus its six major and 66 specific recommendations, will be implemented within the next two years.

In his Foreword, Prime Minister Tony Blair confirms that “risk management—getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other—is now central to the business of good government.” This report, a summary of 16 months of study, incorporates a brief summary, a 133 page primary section and a 71 page Annex. It is the clearest description of the current development of the risk management discipline that I’ve read. It is thorough and logical, expressed in precise prose, avoiding jargon.

First, it acknowledges that “all states are at root guarantors of the security of their citizens” and that public expectations are creating new demands for that security. The nature of risk has changed because of the “rapid pace of development of new science and technology” and because of the “greater connectedness of the world.” Government, including the UK government, must take a new approach to risk and uncertainty.

Second, the Report recognizes that the language of risk management continues to be unclear, even messy, confusing both the public and government officials. It tries to redress the balance, defining both “risk” and “risk management” in sensible terms. Risk refers to “uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.” Bringing the idea of risk perception into this definition is significant. Risk management “covers all the processes involved in identifying, assessing and judging risks, taking actions to mitigate or anticipate them, and monitoring and reviewing process.” The Report carefully avoids the trap of measuring risks, response and results primarily in financial terms. 

Third, the basic Report proceeds in six chapters, following the introduction, to describe the changes that will be made in the next 24 months. 

Chapter 2 addresses the three roles of governments: as a regulator of others who
create risk, as a steward of risks not attributed to others, and as a manager of the
risks arising from its own services.

Chapter 3 defines the challenge at strategic, program and project/operational
levels, with special attention to a global decline of trust in institutions.

Chapter 4 develops a new approach to public sector management of risk:

1. Embedding risk handling in all decision processes
2. Establishing new risk management techniques
3. Creating the organizational structure and responsibilities
4. Developing new skills to embed risk management thinking
5. Creating a comprehensive quality standard

Chapter 5 focuses on the critically important area of communicating with the public: more transparency in decisions, more reflection of public values and concerns, more information about risks and responses, all to “win public trust.” It correctly emphasizes greater two-way communication.

Chapter 6 identifies the need for leadership from the top by Ministers and Permanent Secretaries, to overcome the current culture. It quotes the UK Comptroller and Auditor General: “The problem is not that the Whitehall culture is risk averse . . . Rather it is risk ignorant. It takes the most fantastic risks without knowing it is doing so.” 

Chapter 7 summarizes the conclusions and six major recommendations:

1. Firmly embed risk handling in government’s policy-making, planning and delivery.
2. Enhance Government’s capacity to handle strategic risks.
3. Support risk handling by good practice, guidance and skills development.
4. Make departments and agencies earn and maintain public trust, a priority when dealing with risks to the public.
5. Ministers and senior officials should take a clear lead in improving risk handling.
6. Improve the quality of government risk handling through a two-year program of change.

The Annexes to this Report include further material on definitions, public attitudes to risk, references and website, five case studies and referrals to governmental risk management in other jurisdictions.

A refreshing comment from the authors refers to the increasing and suspect dominance of quantitative approaches to risk management: "Important common issues are the imaginative use of experience (as opposed to mechanistic process application), and a more systematic approach to the softer areas of risk—including public perceptions, strategic fit, and reputational risk."

This Report is a major contribution to the development of the discipline in the public sector. Those in the private sector will also find rewards in reading it for a new perspective. A Summary Report and the full Report plus its Annexes are available electronically at The Strategy Unit website at www.strategy.gov.uk, or from The Strategy Unit, Admiralty Arch, The Mall, London SW1A 2WH, UK. Email: strategy@cabinetoffice. x.gsi.gov.uk