Organisational Performance Management in a Government Context: A Literature Review

SECTION 4: ORGANISATIONAL PERFORMANCE MANAGEMENT AND RISK

Section introduction

4.1 This section considers the ways in which risk management systems can be used to enhance the effectiveness of organisational performance management in government. Risk management is complementary to systems of strategic planning, incorporating internal and external assessments of capabilities and constraints. Effective performance management requires continuous risk assessment to ensure that organisational members, leaders, the public and other stakeholders are kept informed of organisational risk, including risks to public safety. However, it should be noted that this review of literature has not generated examples of performance management frameworks which incorporate comprehensive risk assessment and management.

Risk assessment and management

4.2 Risk can be defined as the combination of the probability of an event and its consequences. In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk Management is increasingly recognized as being concerned with both positive and negative aspects of risk.

4.3 According to the Treasury (2006), in recent years all sectors of the economy have focused on management of risk as the key to making organisations successful in delivering their objectives whilst protecting the interests of their stakeholders. Risk is uncertainty of outcome, and good risk management allows an organisation to:

  • have increased confidence in achieving its desired outcomes;
  • effectively constrain threats to acceptable levels; and
  • take informed decisions about exploiting opportunities.

4.4 Good risk management also allows stakeholders to have increased confidence in the organisation's corporate governance and ability to deliver.

Current risk management

4.5 Audit Scotland (1999) identified a risk management process for the public sector:

Stage 1 - Risk identification

Identifying and understanding the hazards and risks facing the organisation is crucial if informed decisions are to be made about policies or service delivery methods. The risks associated with these decisions can then be effectively managed.

Stage 2 - Risk analysis

Once risks have been identified they need to be systematically and accurately assessed using proven techniques. Analysis should make full use of any available data on the potential frequency of events and their consequences. If a risk is seen to be unacceptable, then steps need to be taken to control it or respond to it.

Stage 3 - Risk control

Risk control is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur. Risk control usually requires managers to identify and implement projects or revised operating procedures.

Stage 4 - Risk monitoring

The risk management process does not finish with the risk control projects/procedures in place. Their effectiveness in controlling risk must be monitored and reviewed. It is also important to assess whether the nature of the risk has changed over time.

4.6 Audit Scotland (2008) has identified a local government Priorities and Risk Framework as a national tool used by auditors to plan the risk-based audits of local authorities in Scotland. It is updated annually and identifies the key national initiatives and priorities facing clients in the coming year as well as the main risks to their achievement. This helps to ensure that audit work is properly focused and takes account of sector specific national priorities and risks. It is also used to deliver an integrated audit across Scotland which addresses the priorities and risks of local government from a top down (national) and bottom up (local) perspective.

4.7 Audit Scotland (2007) has also published a Performance and Risk Framework (PRF) for the National Health Service (NHS) in Scotland. The PRF forms an agenda for discussion with senior client officers to help auditors assess their client's arrangements to address the issues and risks identified in the PRF. Auditors may need to meet with many, if not most, of a client's management team to discuss their organisation's risks. These discussions are supported by auditors' cumulative knowledge and experience of NHS bodies and a review of relevant evidence, including the reports of other scrutiny bodies. When combined with an assessment of local issues, audit activity can then be targeted to areas of greatest audit risk.

4.8 The National Audit Office Report 'Managing Risks to Improve Public Services' (NAO 2004) identified five key aspects of risk management and made recommendations for improving risk management practice in central government.

  • Sufficient time, resource and top level commitment needs to be devoted to handling risks.
  • Responsibility and accountability for risks need to be clear, backed up by scrutiny and robust challenge to provide assurance.
  • Departments need to base their judgements about risks on reliable, timely and up to date information.
  • Risk management needs to be applied throughout departments' delivery networks.
  • Departments need to continue to develop their understanding of the common risks they share and work together to manage them.

4.9 This Section has identified key features of contemporary risk management systems in a public sector context. There is no doubt that many organisational performance management systems should incorporate organisational risk assessment and management and such risk assessment and management elements must complement the elements of the organisational performance management system.

4.10 Risk exists in all organisations which are committed to continuous improvement. The objective is to be 'risk aware', with sound processes of risk management, rather than 'risk averse'. Indeed, according to Audit Scotland (2007:3), organisations which seek to avoid risk entirely are unlikely to achieve Best Value.

4.11 There is an evidence base for better integrating risk assessment and management into organisational performance management systems in a central government context drawing on the work of Audit Scotland on local government and the NHS.

Key points

  • There was a lack of evidence in the literature of performance management frameworks which incorporate comprehensive risk management.
  • Risk Management is increasingly important in the public sector and should be an integral part of any system of organisational performance management.
  • Such processes involve risk identification, risk analysis, risk control and risk monitoring.
  • External risks can be identified through comprehensive, continuous environmental scanning.
  • Audit Scotland has developed risk frameworks for local government and the National Health Service.

Page updated: Monday, August 25, 2008