What does the risk professional of 2030 look like?

What constitutes good risk management and how can risk professionals in the public sector be trained and supported as they strive to tackle the many challenges that face them? Jane O’Leary, chair of Alarm, discusses

What does good risk management look like? What constitutes a good risk professional? Both are topics frequently debated amongst Alarm members. There are the obvious to list with respect to a risk professional - a confident communicator, a technical expert, a good negotiator, being persuasive, have an inherent curiosity, possess commercial acumen, and have the ability to adapt and respond to our ever-changing environment. What constitutes good risk management – a framework that aligns to the organisation, processes understood and accessible by all, risk management embedded through the organisation, leadership buy in and drive and risk based decision-making and planning? As a risk professional I can attest that what good looks like is constantly challenged, debated and aspired to by those working in this field.

It is certainly true that however good or mature our organisations have been at managing risk within the public sector, over the last few years we have seen a significant change to the risk profile and to the skills needed as a risk professional in response to this. Long gone are the days of what we know as the staple of public services, social care, highways, leisure, cemeteries, housing and waste management to name but a few. All delivered by our local council. The stakes do feel higher and are a long way from our traditional core business of property and casualty risk.

We know that over the last 10 years public services have changed, some beyond recognition, forced by years of austerity and changes to funding from central government. The ever increasing need to commercialise, to ‘earn’ money from commercial ventures, making cuts to public services, moving to a commissioning body, sharing services and joint ventures with the community and third sector. Changes that have required the risk professionals within these organisation to rise to the challenge. To understand the changing risk profile and provide the expertise to support the leadership and senior management teams in understand the risks these create, understanding how to manage those risks and having the best chance to maximise successful delivery of our business objectives.

Technology progressions
The question now in our minds - is our traditional role sustainable in the 2020 and beyond? What does the risk professional of 2030 look like?

Technology advances must be the number one consideration for the future risk professional as are the risks this brings. Upskilling to keep abreast of cyber risk and threats to our organisation is a role  not just for IT, leadership and risk managers but for the every employee. We have heard many times over, relative to a cyber attack, that it is not a matter of if but a matter of when. One cannot envisage these risks and threats decreasing and with advances in technology it is vital that risk professionals keep pace. Of course understanding technology is not just about risk and threats but about understanding new technologies that brings opportunities to how we deliver public services. Driverless vehicles, carebots specifically designed to assist in the care of the elderly, artificial intelligence, and a machine based workforce. With the major role technology and information systems play in delivering our core business the risk professional must be upskilled to understand as much as possible about information technology risk.

The use of big data and ability to analyse and forecast in numerous ways using the interconnected information we collect can be an asset. Its use should not just be reactive, such as analyses of losses or claims to prevent future losses but used proactively as a risk management tool. For example, it allows the measurement, integration and management of financial risk across all areas of the business; allows for better fraud management with faster identification and control; enhanced scenario analysis such as flood profiling and in emergency planning; developing new business models and project risk management and better understanding of our community and its needs, allowing for more accurate future planning of services.

With our need to boast depleted funds and get positive returns on investment, in order to sustain our public services, the risk professional of now and the future needs to understand not just the core business risks, but those of the commercial projects we are involved in. Running energy companies, building commercial property portfolios, managing airports and hotels, and selling support services are a few examples. Skills in project risk management must be a requirement for the risk professional in our new world. Understanding the business objectives and potential threats and opportunities; worst case scenario assessments (how much will this cost if it goes wrong); the use of qualitative techniques to identify the relative significance of identified risks and quantitative analysis to determine the effects of cumulative risk on objectives. How do all these risks interface with the organisation as a whole?

There needs to be a re-evaluation of the organisations risk appetite relative to the commercial agenda, which may vastly differ from the appetite applied to the core statutory business. The risk appetite applied to setting up and growing an energy company cannot be aligned to the risk appetite applied to children’s safeguarding, such are the complexities of the services offered by the public sector. Maybe the way to address this is for a specialist project risk professional within each organisation allowing for a dedicated resource. In my view, well worth the money if they are effectively supporting the identification of risk in commercial projects, thereby increasing the likelihood of meeting the commercial objectives, which are vital in underwriting the continuation of statutory services to our citizens.

Recent tragedies
Closer to the present day the risk professional of today and undoubtedly the near future has a role to play in public safety and continuation of services in the event of a major incident. Sadly over the last year we have experienced a number of terrorist atrocities in the UK and witnessed the destruction of Grenfell Tower, all of which have called upon public services to respond in the immediate and in the aftermath. Risk management is the overarching term for Emergency Planning, Crisis Management, Business Continuity and Disaster Recovery. All of which have a different role but all are part of properly managing a risk. What we have learnt to date from these terrible events and, what we will learn in the future is that building and embedding a robust business continuity and crisis management plan and ensuring a close and aligned working relationship with leadership and the risk professional is critical.

Establishing an effective education and awareness programme is vital for ensuring all staff are aware of the implications of business continuity as well as their roles and responsibilities in a recovery situation. The success of the business continuity programme depends on this.  It can greatly enhance the ability of the organisation to anticipate, identify and respond effectively to an incident. It should also consider both internal and external stakeholders, including third parties such as utilities companies and other partners. This links directly to the Civil Contingencies Act 2004 duty to promote BCM among the business community.

The impact of a disruption to services in the public sector is a risk that many have identified at a strategic level and it figures largely in corporate and strategic risk registers. The wide range of threats, the increasing reliance on technology and public expectations, often voiced through social media, all mean that the need for plans and alignment to risk management, to deal with disruptions is more important than ever before.

Commercialism, technological advances, climate change, Brexit, changing demographics and terrorism are all here to stay and the future risk professional must develop knowledge and skills in these areas complimentary to the knowledge and skills we have already in risk management attributable to our core statutory services.
   
On a final note, the risk professional of the future is only as successful as the leadership of the organisation they work in. Risk management only works with ‘leadership buy in’. However competent and experienced the risk manager, the success of managing risk can only be properly realised when leaders of an organisation drive the risk agenda and lead the embedding of good risk management from the top, giving risk and opportunity the time, resource and attention it deserves.