25 February 2005
Risk registers are becoming ever more numerous and elaborate, but they are not worth the Word documents they are printed on if they fail to engage with the everyday business of their organisation.
There has been a trend in the past three years in the public sector to spend a great deal of money and management time in building superb risk registers encapsulating a wealth of information. So much so that it is thought that 90% of public sector organisations now have some form of register in place.
This trend has been encouraged by the recent Civil Contingencies Act, which requires local resilience forums to establish community risk registers. The forums include representatives from local, police and fire authorities as well as health bodies and the Environment Agency.
There is also pressure on councils and fire authorities through the Comprehensive Performance Assessment process. This requires 'arrangements for risk identification, assessment and management [to be] in place for all key financial and operational risks'.
Other public sector bodies that are not (yet) part of the CPA structure have their own guidance, which is more or less prescriptive, but often the only evidence for compliance is a risk register.
Registers have their uses. Their construction can improve relationships between 'the silos of silence' that still exist in the public sector, and they can improve transparency of goals, decision-making, role-taking and accountability. But in getting embroiled in any lengthy and expensive exercise, it is sometimes easy to lose track of the ultimate goal. So what is it?
Risk management is not about being risk averse – it's about recognising that risk exists in all aspects of the business and service provision, and wrapping a common and consistent approach around it that enables innovative decision-making. Is that goal met by having a risk register?
The register is supposed to show that risk is under control. But I have come across many public sector organisations that proudly point to their registers, binders and fancy spreadsheets and Word documents, but still cannot show that risk is really being managed.
An example I came across recently was of a 'direct' operation for a major city council where the service risk register contained high-impact risks such as fire, interruption of supply, skill shortages and flooding. During an audit it turned out that most of the real risks were about internal communication, feedback and lack of knowledge about the services. The management had identified many risks over which the service had no control, and failed to include the ones that were hitting the service on a daily basis, for which they had remedies.
The risk register is a useful tool for encouraging transparency, but only if it is a living process that supports risk management and is 'owned' by the risk-owners. It is a means to an end, not an end in itself.
A major public body in the last few months suffered a significant internal fraud. It was not one of the risks that had been identified on the beautifully constructed risk register.
Many of the people who were touched by that event had known it was a possibility, but 'didn't dare mention it' when the risk register exercise was undertaken. The hierarchy would not allow the mention of a lack of internal control.
Many risk-owners, inadequately involved in the process, become confused and relieved — confused because they didn't know why they were doing it or whether what they did was right, and relieved because the process is over and they can move on to the next initiative.
The best risk management programmes will be an integral part of the business planning and performance management process. They will inform and drive resource allocation, encourage behaviour change and be linked to the internal controls through key indicators. There will be a wide involvement with members, senior management and officers, as well as operational staff. This needs to be driven by an in-depth training, audit and review programme centred on ownership of decision-making.
In addition to the risk register as a measurable output, there should be performance indicators that measure the real benefits from the risk exercise, including improved accountability and clarity of action planning, improved internal and external communication, risk reduction that improves service delivery, and projects that come in on time and on budget.
Ultimately the risk management process will underpin the service continuity plans that support the duties under the Civil Contingencies Act.
These outcomes will not happen if the be-all and end-all of the risk process is a register. If you haven't used your risk register to improve service delivery, I encourage you to throw it out and start again.
Liz Taylor is the managing director of Public Risk Management Ltd