Risk and the public sector
28 January 2002
The services provided by the public sector - healthcare, education and regulatory approvals - require the need to ration resources in a highly charged and political environment.
Public authorities have tended to reduce their insurance spend by self-insuring. Any entity that is exposed to the full extent of a liability will want to manage that liability to reduce its severity and the probability of its manifestation. There is also an understanding that many regulatory and legal pressures apply with even more force to the public sector than they do to the private. In areas such as environmental protection, health and safety and data protection it can be difficult even to identify the true nature of the obligation, let alone ensure compliance with it.
Public bodies should be aware of some of the hazards in implementing a risk management approach. First are the documenting problems. Risk management can look like a paper chase, encouraging a belief that systems, procedures, check lists and audits are an effective way of identifying and managing risk. This attitude is one of the leading heresies. Risk management is, in the main, a state of mind.
The second difficulty is the embedding problem. Any public body or corporation wishing to start from scratch may think about employing a risk management expert. The body may also employ external consultants. No doubt these external consultants will be at the cutting edge of developments in risk management, but if care is not taken, this isolated clique will be nothing more than a bolt on managing problems only when they hear about them. They will be resented by others, who will view the risk management function as the body of individuals who tell them what they cannot do. For risk management to work effectively, it needs to be embedded into the culture of the organisation.
Risk management tends to be an effective tool for ensuring legal compliance. Here, the aims of the organisation are simple - it must ensure that it complies with all relevant laws and regulations. The ambitions of the small start-up company can be no different to those of the city council or FTSE 100 plc, although obviously all three of these will have a different view of the damage to their reputation that might be caused by non-compliance. It is more difficult to extend the principles of risk management into the higher echelons of the business. While it is often remarked that risk management should not dampen innovation, the reality is that a risk management approach is far from a natural way of thinking for most senior business people.
At the level of corporate governance, risk management is not necessarily about reducing risk, it is about ensuring that the level of risk endured is commensurate with the risk appetite of the stakeholders. This would include employees, customers and suppliers, but most especially its shareholders. But how does any company know what the risk appetite of its investors is? In theory, it might question them, but in practice those investors will vote with their feet. Many public bodies do not have direct competitors and while comparative competition and benchmarking is often used as a measure of performance, they cannot shape behaviour in the same way. Similarly, public bodies do not have shareholders who can express their dissatisfaction by putting their money somewhere else.
How is a hospital trust to determine whether it should shut down an accident and emergency unit? Can risk management really help a planning authority faced with determining an application by a supermarket chain? How should public authorities deal with the competing considerations between the business and the community that arise from the laying of underground services? Perhaps there will always be an aspect of public body decision-making which must be driven by political considerations where it might be dangerous to invoke too literally the language of risk management without bearing in mind its limitations.