The Northern Ireland Audit Office (NIAO) launched its report on Good practice in risk management which is available from The Stationery Office (price £5.00), or in the form of a downloadable PDF copy from the NIAO web site: Link. In essence the report is a good practice guide: a thinking man's reference; not a prescription.
With this thought in mind a number of key points arising from the presentation and discussion that followed at Clifton House are summarised as follows:
- Risk management has a vital role to play in promoting good governance, good management and good outcomes for the organisation.
- Well managed risk taking can produce benefits by highlighting opportunities and anticipating threats; but in public bodies that are traditionally risk averse more emphasis needs to be put on cultivating the right attitudes to risk -- creating an institutional mindset that recognises what its risks are and is geared towards developing adequate responses.
- Risk aversion is one thing; but knowing, understanding and appreciating what the risks are is something else. It is essential that public bodies adopt and embrace innovative approaches to managing risk to assist in the delivery of better outcomes and more cost-effective public services.
- And it's not all about process. Yes, it has to be about assuring the outcomes to be achieved. But arrangements need to be tailored and proportionate. Judgement is just as important as process.
- Risks are best avoided; but you can't be in business without them. Zero tolerance will inevitably mean nothing gets done. An organisation's risk appetite - the extent of exposure that is tolerable with respect to different things, in different circumstances and at different times - is crucial as are contingency plans to minimise negative impacts for those risks that really are unavoidable.
- All parts of the organisation and all activities carry their own risks. They need to be understood and managed at the appropriate level; and elevated to a higher level when any negative fallout is likely to be more extensive than localised. Realistically only around 6-8 risks can be successfully managed at any level; building a framework that ensures the many risks an organisation will be exposed to are identified and managed at the appropriate level is the key to developing a 'bottom to top' awareness of the risks being faced and of the extent of the threat they pose.
- Do you know what your organisation's capability and capacity to manage risk is? Good practice in risk management includes "a risk management checklist": a self assessment tool that public bodies can use to identify what they are doing well and what needs attention.
More information about this or other events organised by the Forum, is available from Kim McKnight, (T) 02890 347400 (DIAL) 58400 (E) mail@ceforum.org.