Balancing politics and performance (RMIA conference 2018)
Today I will be looking at public sector program risk, and the political and performance factors that impact on program delivery.
This will be based on my 20+ years in the Australian Public Service managing or delivering programs, policies and projects, and in particular managing Comcover, the Commonwealth’s general insurance fund, for three years.
In particular, I will look at some of the challenges in the Commonwealth public service operating environment, with a focus on:
the legislative and administrative framework
APS and risk management
political and public scrutiny.
I will also look at some recent case studies, identify some common themes for both the public and private sectors, and consider some strategies to try to keep things on track
The APS operating environment
All governments have operating controls on public expenditure through combinations of legislative and administrative frameworks – governance controls on how public monies are appropriated, provided to government agencies, expended and accounted for.
At the Commonwealth level, the key piece of governance & expenditure legislation is the Public Governance, Performance and Accountability Act 2013. This Act also requires government agencies are to establish risk frameworks and manage risks to Commonwealth activities (the Commonwealth Risk Management Policy).
The PGPA Act is supported by many other legislative and administrative rules and processes, including the Commonwealth Procurement Rules, and since 19 October, the Government Procurement (Judicial Review) Act 2018.
Oversight mechanisms of public expenditure include:
contract managers, senior managers and internal audit committees within agencies
external bodies such as the Australian National Audit Office and Parliamentary committees, primarily the Joint Committee of Public Accounts and Audit, and
the media.
So what effect does this have on project management? Let’s look at the PGPA Act and the Commonwealth Risk Management Policy first..
PGPA Act 2013
The Risk Management Policy came into effect on 1 July 2014 as part of sweeping governance reforms in the PGPA Act.
It is mandatory for non-corporate Commonwealth entities.
It aligns with the risk management frameworks reflected in the (then current) Australia/New Zealand standard: ISO 31000:2009 – Risk management – principles and guidelines.
The Policy aims to improve the accountability of public expenditure by increasing the focus on internal controls and the way the APS engages with, and manages, risk.
The Policy is principles based.
With any regulatory framework, there is always a tension between adopting a ‘principles based’ framework and delving into more detail – Commandments vs. the Bible – to provide people with a level of certainty they are comfortable with.
But increased content leads to increased complexity, an increased focus on divining the meaning of terms and hiding behind a ‘tick-a-box’ mentality.
So what has the APS learned about risk management since 1 July 2014?
As the Commonwealth Auditor-General mentioned yesterday, agencies are getting better at establishing a risk management policy, articulating it and promulgating it throughout the organisation.
However, in my view, a number of concerns remain:
The pace of cultural change remains slow and there are few incentives for the APS to become less risk averse
Risk maturity is highly variable across the APS
There remains an obsession with risk process at the expense of broadening understanding about risk and the need to engage with it. Examples include:
Professor Peter Shergold’s 2015 report into lessons learned from the Home Insulation Program – Learning from Failure (CROs, more Cabinet process)
The Ric Smith review of 300 missing Cabinet documents – 28 recommendations, 5-6 across the APS, report cards for agency readiness. (10 information related policies, 300+ page Cabinet Handbook)
Independent review into the operation of the Public Governance, Performance and Accountability Act 2013 and Rule by David Thodey AO and Elizabeth Alexander AM - publicly released mid-September 2018.
Linked to this, there remains a fundamental failure to allocate responsibility and accountability for risk management. It is notional and not actual. There is no real understanding of the different roles played by Risk Owners, Chief Risk Officers, Audit and Risk Committees and the Accountable Authority (Secretary/CEO)
Communicating and consulting about risk also remains introverted – people are unwilling to share data, experiences, near misses or even just talk about risks.
Shared risk: it is not well understood or managed effectively, particularly within and across governments. Shared risks are not usually fully identified, allocated owners nor effectively managed. MOUs between agencies are poorly conceived, badly drafted and implemented by organisations with no real skin in the game to manage or enforce them.
Shared risk = scared about risk
My observations are also supported to some extent by the Independent review into the PGPA Act. The review considered the Risk Management Policy but not the principles in depth – the review looked at what the APS could do to better implement the Policy (e.g. independent Audit/Risk committees), rather than seek to change/update the Policy.
The review emphasised the need for public sector leaders ‘to step up’ to drive and shape risk culture.
There certainly needs to be more leadership – recently Professor Peter Shergold undertook a survey of over 800 public servants across federal, state and territory governments. Only 41% of those surveyed believed that the public service made efficient use of taxpayers’ money
Next I will consider the forces outside the APS which also shape project management.
Political awareness
The scrutiny of government expenditure and the project management dynamic for public servants was usefully highlighted in a 2007 speech by Ken Henry, the then Secretary of the Cwth Treasury. In that speech, he used a case study of Treasury’s management over 16 years of the Australian Government’s debt and bond market. The policy was initiated under a Labor government, and to date had delivered net (unrealised) benefits of $800m.
However, in any given year, there were substantial fluctuations, and the 2001-02 period was particularly difficult, with losses (unrealised) of nearly $2bn.
Notwithstanding that the policy had support from both parties when they were in government, and that the net benefit was strongly positive, Labor in Opposition and the media mounted a very public and damaging attack on the policy and Treasury’s handling of it. As Ken Henry observed, the lessons he learned from this were:
1. People who manage projects on behalf of taxpayers operate in an adversarial, combative, political environment – everything they do has the potential to embarrass the government of the day, and the Opposition will take every opportunity to do so
2. While public sector project managers could do things to save money, the operating environment may not value this. In other words, savings are not valued as highly as losses – the $2bn loss in one year was given far more value than the $800m saving over time.
3. Public sector performance is often judged not on actual performance but on perception, in particular, media perception.
4. Short term timelines are overvalued relative to medium to long term
5. “…ministers usually appear to have a tolerance for risk that is close to zero”.
Similar comments were made in the PGPA Review report at page 21:
To effectively instill a more positive risk culture within entities, [agency heads] need support from their ministers, and the Parliament. Put another way, they need to be given some leeway to fail. However, there is no evidence the risk appetite of ministers, or the Parliament, has shifted in recent years.
Case studies
The first one is the Royal Commission report (by Ian Hanger QC) into the Home Insulation Program. Most of you would be broadly familiar with this Royal Commission and its findings. To recap:
In response to the GFC, the Rudd Government in 2009 implemented the HIP as part of its Energy Efficient Home Package (part of the $42bn Nation building & Jobs Plan).
The key driver was fiscal stimulus, with energy efficiency being a secondary consideration. The HIP was put together over a few weeks in early January 2009 and announced on 3 February. The plan was to install insulation into 2.2million homes over the next 2 and a half years – a 15 fold increase in industry capacity.
The HIP was rolled out on 1 July 2009, but after four deaths, three of them by electrocution, the HIP was shut down in April 2010.
Key risk management findings:
The relevant government department did not have the skills, resources or capacity to implement the HIP, particularly in the hopelessly short timeframe of 2-4 months
The risk processes were process heavy, promoted document creation and did not understand the major risks, particularly electrocution – NZ experience was ignored.
OHS and related regulation were ignored/left to the states to manage, without adequate consultation or any funding to manage the significantly increased workload
Risk consultants were ineffective and misunderstood their role
There was a strong emphasis on ‘team players’ and not being critical or ‘obstructive’: despite concerns about the changed rollout model, the relevant department omitted these concerns from briefings to their minister.
Despite a plethora of committees and ‘governance’ the accountability and ownership of the program, its rollout and the consequences was very unclear.
The next case study suggests that these type of risks are not confined to the public sector..
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has highlighted some similar attitudes to risk management, particularly the prevailing inappropriate culture and incentives, as well as the subsequent failure to identify or effectively deal with the illegal behaviour of their organisations.
At pages 308-9 Commissioner Hayne noted the following:
When it is the most senior levels of the organisation that applaud and encourage behaviour that yields sales or revenue and profit, but do not adequately applaud and encourage consideration of compliance and conduct risks, the lesson from APRA’s Prudential Inquiry into CBA is that the entity’s culture is compromised.
As the panel said in its report, CBA was ‘vulnerable to missteps’ because the ‘voice of risk’ particularly for ‘non financial risks’ and the ‘customer voice’ were muted and were not heard. And this, the panel found, was brought about by deficiencies in governance and risk management, especially management of conduct risk.
(APRA, Prudential Inquiry into the Commonwealth Bank of Australia, April 2018, 4.)
And at page 320:
Good culture and proper governance cannot be implemented by passing a law. Culture and governance are affected by rules, systems and practices but in the end they depend upon people applying the right standards and doing their jobs properly.
Some suggested strategies
First, we need to acknowledge that while processes are important, they have to be designed to account for inconsistent and aberrant human behaviour. The former (US) National Transportation Safety Board Chairman, Robert L Sumwalt, said this about the hierarchy of controls and human error:
If you don’t account for human error, you yourself have made a basic human error…don’t design for a human who follows every step every time. Design for a human who might miss a step...
Secondly, build a ‘user friendly’ risk framework that acknowledges and tries to deal with the issues I have identified today.
Thirdly, choose and use the right people.
And don’t forget, the theatre of politics is never far away. Engage ministers early to set expectations about the project, the risks, the challenges, how they are to be updated or informed of issues. Try to move their tolerance meter up from zero. Again, get as much as can in writing – briefs, memoranda, file notes, emails etc.
Prepare for and try to condition media reporting and public perceptions – mere facts will not win against hyperbole.
That concludes my presentation today.
Thank you.