CULTURE SHOCK: THE NEW WORLD OF MANAGING GOVERNMENT RISK
A culture clash of Titanic proportions between Governments and their public service is coming, which will disrupt and change the way bureaucracies operate and how risks are managed.
Governments (the Captain of the Ship of State) are increasingly expecting their public servants to be able to seamlessly implement policies and services for the greater good across multiple portfolios, minimise red tape, process and rules (for public servants and the wider community), flatten structures and provide a single access point for the public.
These expectations struggle to be met by public service cultures of iceberg proportions and inflexibility that remain tied to hierarchies, enclavism, the carrot & stick approach to incentives, which does not willingly share information and continues to proliferate rules instead of outcomes.
It will take a significant change of direction to get the public service to begin the journey towards its new destination. Here is why.
Let me start with some background..
Managing risks in Australian government jurisdictions usually involves referring/adhering to a jurisdictional risk management policy. Risk management policies are usually part of broader governance frameworks which oversight the general expenditure of public resources.
By way of example, the Commonwealth Risk Management Policy (CRMP) sits within the Public Governance, Performance and Accountability Act 2014, and the ACT Government’s (new) Risk Management Framework sits under the ACT’s Financial Management Act 1996 and the ACT Insurance Authority Act 2005.
Risk management policies exist because, as the Commonwealth Minister for Finance, Sen Mathias Cormann, said in the Foreword to the CRMP:
..A more productive, innovative and efficient public sector requires a focussed approach to managing risk in order to achieve the Commonwealth’s strategic objectives and to limit unnecessary red tape…This new approach to managing risk is crucial to facilitate innovation, and in turn, improved policy development and service delivery..
What is required under a risk management policy?
Risk management policies vary across jurisdictions, but most incorporate key elements of the relevant International Standard (currently ISO 31000:2018).
The CRMP has 9 elements: Establishing a risk management policy; Establishing a risk management framework; Defining responsibility for managing risk; Embedding systematic risk management into business processes; Developing a positive risk culture; Communicating and consulting about risk; Understanding and managing shared risk; Maintaining risk management capability; and Reviewing and continuously improving the management of risk.
The ACT risk management framework adopts similar language, although in a slightly different order: Cultivate a positive risk culture; Establishing a Risk Management Framework and Plan; Establishing a robust Risk Assessment process; Defining responsibility and accountability; Aligning risk management activities with strategic objectives; and Embedding risk management activities into all operations and processes.
Whichever policy path is taken, it needs to be an effective part of organisational decision making, which requires a reasonable (and ongoing) organisational resource investment relative to the size and scope of the organisation, its operating environment, activities, financial and human capacity etc.
Making risk management policies work
All organisations need some form of governance to provide a common understanding of their role, how they function, how they use resources, what behaviour is expected and to enable decisions to be made and accounted for. That inevitably involves developing rules and processes. While the abovementioned policies usefully adopt a principles-based philosophy, filling the middle of the risk framework sandwich to make it useful is a trickier proposition.
This is firstly because rules, of themselves, are not very effective behavioural guidelines. Rules are almost always reactive and passive, resulting from past misfeasance, therefore don’t deal well with the future or encourage innovation or creativity (despite the wishes of Ministers).
Dealing with rules also generates a productivity tax, as rules have to be found on the intranet (in random locations and in various degrees of completion) requiring further time and effort to piece the whole framework together.
Rules are neither efficient nor systematic, providing only a rough proxy for what needs to be done. So when gaps in rules emerge from not dealing with every situation, prospective rule followers comfortable with only black/white thinking struggle to fill the gaps, or then start ignoring the rules altogether (if it mattered, there would be a rule for it, right?). And sometimes, to fill the ‘gap’, the risk framework goes into verbiage overdrive, generating pages of largely ignored risk registers, matrices, frameworks, corporate and business plans etc.
And so, risk management policies, which are intended to lessen the red tape burden, often unfortunately add to it.
But culture remains the biggest challenge to implementing a risk management policy. Of course that is not surprising, as risk culture is an integral element of any risk management policy - the ACT risk management policy lists risk culture as the first element to consider, compared to the CRMP (element 5).
Current public service organisational cultures are not usually supportive of effective risk management. This is for a number of reasons.
Firstly, I will look at the Australian Public Service (APS) through the lens of a 2017 study of the APS between the 1940s and 1990s.[1] The study found that the APS (consistent with most large organisations) was subject to four cultures. While elements of each culture were present in each classification level, not surprisingly, the first two cultures were dominated by the Senior Executive Service and Executive Levels (SES and ELs). The four cultures are set out below, together with the types of behaviour found in each.
Hierarchy: multiple levels, specialised, rules based, defined status, privileged, self righteous
Individualism: primarily pursuing self-interest & material rewards (promotion & political power)
Egalitarianism: enclavism, insular, suspicious, adversarial (virtuous insiders vs. demonic outsiders)
Fatalism: lack of control, mobility or discretion; socially isolated; apathetic, cynical, pessimistic.
Another way of looking at these cultures and how they impact risk management is set out in Dov Seidman’s book: How: why how we do anything means everything (2007).
Seidman considers that organisations have been evolving over time from anarchy (loose and lawless groups), to blind obedience (early industrial age, plentiful/cheap labour, use of coercion, information hoarded) to the current twentieth century capitalist model of informed acquiescence (efficient/scalable, rules based, top down hierarchy). This third model also has elements familiar to the public service: bureaucracy based on function/expertise, information based on need to know, controls for fairness, carrot/stick motivators for rational professionals, rules for black/white decisions only.
My 20+ years of personal experience in the APS until 2017 (and my work with agencies since as a consultant) also suggests that the cultures identified by Matheson and Seidman remain dominant – and all of them have a deleterious impact on the way decisions are made and risks are managed.
Seidman suggests that successful organisations are those that move beyond informed acquiescence to self-governance, a values based (rather than rules obsessed) model of individual leadership, high trust, high personal accountability, organisational wide transparency and access to information, with a particularly strong emphasis on lateral engagement and relationships rather than vertical.
Seidman is not the only one who thinks this is where public service organisational culture should go.
On 19 September this year, the Prime Minister, the Hon Scott Morrison MP, in a speech to the APS, said:
…Departmental Secretaries will need to be proactive in identifying ways to bust congestion in the Commonwealth bureaucracy…I also want congestion busted in the public service hierarchy... You don’t have to be in the SES to have a good idea. Did anyone know that’s true?...
… I recently learned that in a survey, just over a quarter of the APS does not really feel they can impact what’s going on…I think that result is a failure of public service management to enable real engagement...This is one of the things I expect to see our public service leaders change in the future…
[The APS]… needs to evolve and adapt amidst constant change. Old ways of doing things need to be challenged …disruption and cultural change are needed in breaking down the bureaucratic silos and hierarchies that constrain our capacity to fix problems. We’ve only had this problem in the public service for 118 years… We need an APS that’s more joined-up internally and flexible in responding to challenges and opportunities…
And earlier this year, the New Zealand Government, in delivering its 2019-20 Wellbeing Budget, noted at p.5:
..We now know that we cannot meaningfully address complex problems like child poverty, inequality and climate change through traditional ways of working. Making the best choices for current and future generations requires looking beyond economic growth on its own and considering social, environmental and economic implications together. The Wellbeing Budget does this in three ways:
Breaking down agency silos and working across government to assess, develop and implement policies that improve wellbeing
Focusing on outcomes that meet the needs of present generations at the same time as thinking about the long-term impacts for future generations
Tracking our progress with broader measures of success, including the health of our finances, natural resources, people and communities..
On 4 September 2019, the New Zealand Minister of State Services (the Hon Chris Hipkins) issued a media release proposing changes to the NZ Public Service, stating that:
…On a system wide level, the changes would see the Public Service operate as one joined up system to tackle the big, complex challenges facing New Zealand…Under the current model individual departments deliver services that they have sole accountability for. This doesn’t work as well when agencies need to be working collectively where citizens often must deal with a number of different agencies on a single issue…
The Minister also noted that organisational options to deliver better services and outcomes may include: Chief Executives being jointly responsible for achieving complex government priorities; joint ventures of people and resources from different agencies to work on common issues; and one stop shops to bring related services together.
Managing risk in the new world
From the above, it seems to me that a cultural clash (crash?) is inevitable. To survive the impact and manage risk in this new world, start using the following cultural safety gear:
simplify and harmonise your risk management framework so that it is simple to find, read and adopt
build individual trust, autonomy & accountability instead of defaulting to
hierarchies, micro-management & self interest
increase transparency of and access to information instead of defaulting to hoarding and need to know
build internal and external lateral relationships instead of only vertical ones, and
focus more on long term outcomes (legacy, significance) instead of short/medium term payoffs.
Good luck!