Workshop on Enterprise Risk Management: Southern Africa Development Community, Gaborone, Botswana
Presentation to the 2017 CPA Public Sector Conference, Ottawa, October, 2017
I have recently completed some work with the Southern Africa Development Community to help them put their Enterprise Risk Management in place. As part of the work, I will be delivering workshops on risk and the business case for integrated or enterprise risk management. Here are the presentations I will be giving:
Either in government or teaching, I have continually been interested in risk, how we see and understand it and what we do about it. A talk I gave to a group of federal Associate Deputy Ministers in 2011 pretty well sums up my take on risk management in government. I have edited it and provide it for a tableau here. I also list some valuable risk resources below.
Ten years out of the day-to-day of government, but very much engaged in in-depth teaching, research and thinking about the public sector confirms my admiration for public sector leaders and their capacity to manage multiple risks, multiple timeframes, a level of inter-connectedness that boggles the mind. I do not believe that risk and risk management are flavour of the month terms. I believe that there have been intellectual and organizational developments that have increased our sophistication in managing risk and our understanding of its role in the public discourse.
We are awash in risks in the public sector. We manage, address, mitigate them, for the most part, with amazing skills. Contrary to media-driven iconography (which is pretty wrong), we are highly adaptable and manage most of the risks we face very well. As a paper from the UK’s Strategy Unit notes: ‘Governments have always had a critical role in protecting their citizens from risks. But handling risk has become more central to the working of government in recent years. The key factors include: addressing difficulties in handling risks to the public; recognition of the importance of early risk identification in policy development; risk management in programs and projects; and complex issues of risk transfer to and from the private sector’.
Zero risk or risk aversion are the enemy of effective risk management. Ministers expect us to manage a myriad of risks without even telling them about them. They expect us to inform them of relevant risks and what is to be done about them. Yes, they also expect us to make sure that the moose in the room kind of risks are something we acknowledge and keep an eye on. Read Dan Gardner’s The Science and Politics of Fear. I am sure that there have been plenty of risk discussions around town in the process of the strategic and operational review. In fact, I fully expect that those discussions are at the heart of the decision process.
I am doing a lot of work in my teaching and as IPAC’s Editor of the Case Study Program on how organizations address risk. I feel privileged to have these windows on projects and activities in the public sector that have made changes, large and small and have found ways to identify, mitigate and manage risk in the face of great challenges. I think of LAC and how it brought in a private sector partner to digitalize and commercialize the census and immigration data. Small matter? Watch and learn. I think of the federal government’s incredible collaborative efforts at the Vancouver Olympics and how that was organized. Risk management at its best. Pandemic responses have almost gotten ahead of the curve on risk management. Again and again we see better approaches and better tools. Collaborative government also means collaborative risk. To make that effective it cannot rely on the old skills-based notion of risk (we can handle anything) but on more systematic and formal full risk management systems.
It pays to have a good understanding of risk management as pervasive and, to borrow a cliché, a whole meal deal. It is not just what is going to happen in Question Period. It has operational, environmental and strategic elements. It strikes me that organizations are effective when they have their operational risks firmly scanned, tracked and systematically mitigated through ERM, that they have plenty of tentacles out and feedback loops on environmental risks and, most importantly for today, that their executives are constantly assessing strategic risk – risks to the business not risks in the business.
Arnold Howitt and Herman Leonard—both in their book Managing Crises, and in their executive-education program, Leadership in Crises—distinguish between common, routine crises and emergency crises, which are novel. An emergency crisis is one that we have never experienced before. Thus, the challenge for leaders at the top of organizations is to build systems to accommodate the former and to be constantly on the lookout for the latter. This is how I see the way CEOs and near CEOs deal with risk as well. Build the systems to manage those risks we know and can mitigate and constantly be scanning the environment for the knowable unknowns and building resiliency for the unknown unknowns.
I don’t buy the so-called dichotomy between risk and innovation. Read Steven Johnson’s Where Good Ideas Come From. His most important contribution in thinking is that innovation seldom springs out of the blue: it is generally both derivative of its current environment and incremental. I see plenty of innovation in government; it is just dull, lacking the sense of pizzazz that some think of as the only way to innovate.
So what does risk savvy look like from the central office:
· Systematic risk management has to take place and be seen to take place
· Leaders define risk tolerance by their actions not their words
· Risk is a whole meal deal: you do not start unless you are actually going to mitigate and control
· Risk management needs to be actively applied – this is not something that happens somewhere with senior management not involved
· Senior managers need to track and be seen to track critical risks - what gets watched gets done.
· Risk language is risky and can scare people; it is also easily misinterpreted.
· Risk is not seen as a science – there is a head and a gut element that have to coexist: statistics do not relieve anxiety, experts are only as good as the empathy they convey, ranges of probability do not address the “me” question.
· Risk needs increasingly to be tied to resilience: that means a focus on weaknesses, response capacity and the opportunities it creates.
Above all, senior officials serve their masters well when they think hard, avoid clichés like risk aversion, ensure they have a robust understanding of their risk environment and, above all, treat issues on their merits, never dismissing them as “too risky”. For their staff that means just risky. Cycling down the streets of Ottawa is risky.
As Robert Behn of Harvard says, “Public executives never have time to think. Yet, whenever they say to themselves, ‘that’s funny,’ they ought to recognize this as a signal that they need to stop and think.” That’s part of the risk sense that CEOs develop when they perform well.
I will end my comments with a reflection by Ian McPhee, Auditor General for Australia in a talk he gave in 2005:
“We in the public sector have traditionally been seen to adopt a more risk-averse approach to management generally. Some of this no doubt arises due to the importance of the legal framework which guides public administration, and the fact that public moneys need to be managed with due care. Parliamentary Committees, in my experience, have generally been open to the explicit application of risk management by public sector entities – it is when entities are not able to adequately explain their approach to risk management that issues arise from time to time. In its report on Contract Management in the APS, the Joint Committee of Public Accounts and Audit makes the point that risk management is an integral part of good management practice and where risks are managed poorly there can be significant costs for agencies. However the Committee also noted that a key benefit of risk management is the optimization of opportunities and must be managed proactively rather than reactively.”
Risk going forward:
· Emergence of business analytics in the public sector (meta and spatial data) increases precision of risk,
· Increasingly resilience or capacity to absorb shocks is an issue in risk management: the circle is widening – infrastructure protection as an example,
· Major cultural challenges still exist where it is clear that many public sector organizations do not use risk in a systematic way and, therefore, the default approach is seen as error avoidance not risk management.