What is good risk management?

2015 represents somewhat of a watershed for public services in the UK. With public finances continuing to be constricted and the need to transform pubic service delivery to fit new fiscal norms, there’s never been a greater need to ensure that risks are well managed. As the pace of change accelerates, so does the level of uncertainty; risks become more complex, more interdependent and their impact more critical.
    
Alarm is a vibrant community of over 1,100 risk professionals from over 500 organisations, including local authorities, housing associations, fire, police and government agencies. In 2009 Alarm launched its National Performance Model that answered the question ‘What does good risk management look like in a public service organisation?’
    
When it introduced the National Performance Model and the associated Benchmarking annual assessment, Alarm’s aim was to increase the overall level of performance across the public sector in risk management and to raise the levels of consistency in the practice and performance of organisations. Alarm’s recently published report ‘The risk success story: improving performance in risk management’ shows that Alarm has succeeded in this.
    
Alarm has been running an annual benchmarking exercise in conjunction with CIPFA Information Services for five years. This has provided Alarm with a unique set of data that depicts how risk management has developed during a period of unprecedented change for public services.

The National Performance Model
The idea that we could create a tool that could be used to measure the progress of our risk management arrangements in our employing organisations and then share those results with colleagues across the country had been in the minds of a number of Alarm members for a good many years. We wanted to define, in detail, what really good risk management in a public sector organisation actually looked like and what it would look like during the journey to achieving embedded risk management.     
    
Most importantly we wanted those definitions to be driven, and controlled, by practitioners in the field - people who make risk management work, rather than theorists. Using the HM Treasury Self Assessment Framework as a basis, Alarm risk managers developed clear definitions of what they would expect to see at differing levels of maturity in a public service organisation when it came to formal risk management arrangements.
    
The Assessment Framework of the Alarm National Performance Model breaks down risk management activity into seven strands. The Model then tests the extent to which risk management is making a positive effect on the organisation. Risk management maturity is assessed in five levels from risk management is engaging with the organisation to risk management is driving the organisation.
    
In the best organisations senior management uses consideration of risk to drive excellence through the business, with strong support and reward for well-managed risk-taking. Additionally, risk management capability in policy and strategy making helps to drive organisational excellence, allowing all staff to be empowered as responsible for risk management. There is clear evidence of improved partnership delivery through risk management.
    
Management of risk and uncertainty is well-integrated with all key business processes and shown to be a driver in business success and there is clear evidence that risks are being effectively managed throughout the organisation, ensuring that risk management arrangements are clearly acting as a driver for change.
    
Sharing information
A number of public service organisations have been sharing the results of a performance assessment of their risk management arrangements in the safe environment of a benchmarking exercise organised by Alarm and CIPFA. These are mostly local authorities, but the benchmarking exercise is open to any public service organisation.
    
The performance assessment takes place annually, in the form of a questionnaire. Around 40 questions focus on what resources are available for risk management, levels of compliance and, most importantly, the results that risk management efforts deliver for the organisation. In that sense, it’s a balanced scorecard approach. It’s a self assessment process that focuses on what conclusions can be drawn for future improvement, rather than counting what’s happened in the past. It is evidence based and so can be tested by the organisations audit service, in fact, a number of Club Members use their questionnaire submissions as the basis for their internal audit on risk management.
    
Other Club Members use the findings from the Club as the basis for their Annual Governance Statement, reporting to their Audit committee, as well as obtaining advice from fellow Club Members. After five years of the Benchmarking Club there are some real successes, with a number of risk managers using the annual findings to identify the strengths and weaknesses to management, build their risk management plans, drive improvement, and above all, gain credibility within their employing organisations.
    
As one member put it: “Benchmarking has been invaluable in proving my/my team’s worth over the past five years as each year we have steadily improved as our risk strategy became better embedded. My Audit and Risk Committee love this and the data it provides. They present it to full Council each year to prove the effectiveness of risk management.”

Key Conclusions for 2015
Having run an annual benchmarking exercise for the last five years, this has provided Alarm with a unique set of data that outlines the changing face of risk management across the public sector. However, with most members of the Benchmarking exercise representing local authorities, we have limited our conclusions to this sector, but the results will resonate with managers across other public service organisations.
    
The story the data tells is a remarkable one. Although risk managers often feel like an endangered species in a hostile and uncertain environment, the overall story is of success. The data shows that, in general, public service organisations have more mature arrangements in place to manage risk now than in 2010. The picture is not the same everywhere, but overall performance standards are higher. This is despite reduced resources, combined with ever more complex risks.
    
However, Alarm is also sounding a warning. Having more mature risk management arrangements in place will be vital if organisations are to deliver the transformation that will be needed to public services over the next five years. The number of specialist risk management resources has dramatically reduced across the public sector according to Alarm. The danger is that public service organisations are being tempted to reduce their expertise just as the risk environment becomes more complex.
    
The message from the report is clear, those organisations that invest in competency and capacity in risk management are those that manage uncertainty the most successfully.

Further information
www.alarm-uk.org