CCAF ~ FCVI Inc.
291 Olmstead Street
Ottawa (Vanier), ON
K1L 7J9 Canada
|Embedding Risk Management Culture in Government by Shahid Minto|
|Thursday, 05 June 2008 19:00|
Mr. Shahid Minto is a chartered accountant with a master's degree in political science and a professional degree in law.
Shahid Minto is a highly experienced senior financial and program Public Sector executive who has specialized in examining and adding value to Canada's public policy and public administration by making fair and balanced recommendations arising from financial, regulatory and compliance reviews.
He has gained this expertise as a result of extensive experience with the Office of the Auditor General of Canada, which he joined in 1977. Mr. Minto was the Assistant Auditor General between 1989 and 2005. He has almost 30 years of experience in providing oversight and strengthening government operations including the management of civilian and military procurement, fixed and real property assets, financial management, privatization of government operations, foreign operations, transportation programs and the operation of Crown Corporations.
Prior to joining the Office of the Auditor General, Mr. Minto was employed in the private sector. He obtained his C.A. Designation while employed at Touche Ross & Co.
Immediately prior to his appointment as Procurement Ombudsman, Mr. Minto was the Chief Risk Officer at Public Works and Government Services Canada since September 2005. He established the first Chief Risk Officer function in the federal government and successfully implemented its mandate to strengthen the fairness, transparency and accountability of the department's operations. This Office is also responsible for the department's Ethics and Fairness Monitoring Programs. In his position as Chief Risk Officer, Mr. Minto operated independently from operational management and reported directly to Public Works and Government Services Canada's Deputy Minister.
Lessons from a Practitioner
While I was Chief Risk Officer of PWGSC, my office undertook in April 2007 a review of the experience of several countries in embedding the discipline and culture of risk management into government practices. Based on the results of the study, we learned that strengthening risk management requires governments to:
The machinery of risk management
The countries interviewed as part of the risk management practice review all described the same essential components to improving risk management:
We found there has been a marked shift from a risk assessment approach (that limits its scope to identification, quantification, and monitoring of risk without making a strong link to organizational performance) to a risk management approach (that focuses on anticipating threats and opportunities so that the organization is ready to respond and adapt to ensure the achievement of objectives and desired outcomes).
Modern risk management approaches involve defining objectives, strategies, and criteria for success; managing performance to achieve objectives; being ready for risk (opportunities and threats to objectives); and learning and adapting.
Defining key success factors and risks
Canada, Australia, New Zealand, the UK and the USA have incorporated a strong quality assurance discipline in their approaches. To produce high quality results, an organization needs to think quality:
Then and only then:
Performance measures and risk indicators
Lack of clarity regarding measures (past results) and indicators (expected future results) of performance can lead to misalignments between strategic and implementation levels within organizations as well as between policy and service arms of the bureaucracy.
Organizations need to translate organizational performance measures into key performance indicators for individual managers and employees. Australia Post, for example, uses key performance indicators to drive alignment with corporate objectives.
Integration of risk management into business processes
Recently, leading organizations have worked to weave risk management into other existing critical business management processes, such as:
On-going learning and re-alignment
A robust and embedded risk management process helps to navigate expected and unexpected events and circumstances, whether they are positive or negative.
To navigate these changing circumstances, organizations need to establish a learning atmosphere:
A safe learning environment is needed for innovation. A safe learning environment means focusing on what needs to be done to bring performance back into line with expectations or where things can be done better or more efficiently.
This requires a blame-free culture. Blame-free does not mean a lack of accountability or an excuse for negligence. It means being encouraged to, expected to and rewarded for raising risk issues.
The cultural challenges to embedding risk management
Improving the machinery of risk management is only half of the equation. Culture is the other half. To reap the full benefit of risk management, it needs to become ingrained in how people make decisions and do their jobs.
Our review identified a number of common challenges to embedding risk management into organizational culture:
Getting executives to engage in risk management
At a senior level, executives need to move beyond being briefed on risk to:
To address this challenge, New Zealand and UK have embedded risk management specialists in departments to support senior management in the development of risk methodology and to coordinate risk management improvements.
Organizations need to find a way to bring mistakes and barriers (unforeseen or not) forward in timely fashion and in a way that is safe. And they need to improve assurance and monitoring.
Finally, governments can raise the profile of risk management. For example, the most senior officials (e.g., Australia's Auditor General and the Secretary of the Department of the Prime Minister and Cabinet) give speeches regularly on risk management related topics.
Lack of buy-in from middle managers
Middle managers often believe that risk management is a process that “gets in the way”.
They may need to recover from years of consultants doing risk management reports that end up on a shelf. When approached about risk management, they may seek a pro-forma quick-fix solution.
To address this challenge, organizations need to market the benefits of risk management as a process that produces worthwhile results. They need to demonstrate the short-term and long-term value of risk management. Supportive senior managers can push risk management down through middle management by, for example, advising on the kinds of questions to ask that would force middle managers to think through their particular risk management circumstances and strategies.
Managing complexity and delivery partnerships
The growing complexity in service delivery chains that often involve multiple organizations from both the public and private sector can significantly increase both
Governments are addressing this challenge by:
Dealing with external factors
Many public sector managers struggle with how to incorporate external risks into their risk management framework.
Organizations must recognize that a different management stance is needed for external factors (events and conditions originating outside the organization, e.g., weather, actions of stakeholders and regulators, socio-economic trends, etc.) than for internal factors (over which the organization has control, i.e., people, processes and systems).
For effective management of external factors, the focus should be on:
Establishing appropriate accountability / resisting bureaucratic approach
Organizations often lack appropriate and effective lines of accountability and reporting about performance and risk management that align through all management levels and across organizational silos. Not every risk has an owner who has both accountability and authority to make decisions about what to do to manage risk.
To address this challenge, organizations should:
Collaborating to support whole-of-government approaches
At an institutional level, governments can establish working groups to deal with multi-jurisdictional issues. For example:
At a cultural level, governments can encourage collaboration between officials across departments.
Nurturing risk management practices until the culture reaches maturity
One technique for maintaining the interest of executive leadership is to align risk management practices with high profile management initiatives.
Governments can also facilitate the tracking of progress towards risk management maturity by developing self-assessment tools for departments.
Finally, governments can provide resources to central agencies for outreach and coordination of networks that support sharing across departments.