PLAYING NOT TO LOSE – THE LONG WAIT FOR RISK MANAGEMENT MATURITY…

Sometimes waiting for signs of improving risk management behaviour in the APS (and other organisations) is like Samuel Beckett’s Waiting for Godot – patiently waiting for something that never arrives but encountering other things in the meantime.

For the APS, those other things include the Independent Review into the operation of the Public Governance, Performance and Accountability Act 2013 and Rule by David Thodey AO and Elizabeth Alexander AM, which was released in September 2018, and the impending APS review by the same Mr Thodey.

To recap, the PGPA Act review examined whether the operation of the PGPA Act and Rule was achieving the objects of that Act and how the Act and Rule had been implemented. In relation to the Commonwealth's Risk Management Policy, the review found that it had improved government risk management practices, however:

  • the pace of reform was patchy across entities and too slow

  • more work was needed to embed effective risk management into policy development and program management

  • officials at all levels needed to be incentivised to better engage with risk

  • the APS overall remained too risk averse, and

  • APS leaders must actually ‘lead’ on these issues.


On 2 April 2019, the Government (briefly) responded to the review, accepting (in principle) 48 out of the 52 recommendations[1].

Given the lengthy gestation period before the proposed PGPA Act changes are drafted, agreed, passed and implemented, it is worth checking whether the APS has already taken note of the review and is improving the way it manages risk.

One possible indicator of progress is the 2018-19 State of the Service Report (SoSR 2019) recently released by the Australian Public Service Commission. So how does SoSR 2019 compare with last year’s report (SoSR 2018)?

Risk management in the APS

SoSR 2018 (p.39-40) had this to say about risk:

Effective risk management is essential for the APS to achieve its outcomes and to maintain public trust through strong governance…
...The 2018 APS employee census asked questions about employee perceptions of risk management and risk culture within their agency. Encouragingly, most respondents agreed that their agency supports escalating risk-related issues to managers. Almost two-thirds of respondents agreed that risk management concerns are discussed openly and honestly in their agency. However, only 28 per cent agreed that appropriate risk taking is rewarded. A large proportion of respondents neither agreed nor disagreed with the questions posed.
The results suggest that a significant cohort of employees may not understand their agency’s risk management framework, may not observe or experience risk management in action, or simply do not know how the statements apply in practice in their agency. This suggests there is some way to go in building an appropriate risk culture in the APS. Perceptions of risk culture are associated with workplace performance and satisfaction with senior leadership…

By comparison, SoSR 2019 had this to say:

Page 5: Attitudes and approaches to risk—and, by extension, to innovation—also speak volumes about the way the APS approaches its work. Complex public sector challenges require a willingness to experiment with new approaches. This year’s whole-of-APS innovation index continues to improve, but there remain a number of culturally ingrained attitudes to risk that stifle innovative practices. The APS needs to engage more positively with risk to build capacity to innovate.

At page 32:
One key element for promoting innovation is organisational culture—how organisations treat risk, and whether employees feel empowered to experiment and learn from their experiences. If staff are afraid to fail, they are unlikely to take calculated risks and be innovative. Similarly, if an organisation is unclear about its risk tolerance, it cannot expect innovation...

At page 37:
Appropriate behaviours and attitudes to risk are fundamental to driving effective engagement with risk and strengthening confidence and trust in the ability of the APS to deliver for government and the community. A positive risk culture exists when employees understand the risks facing their agency and consistently make appropriate risk-based decisions. Such a culture is likely to include these attributes:

  • leaders, managers and supervisors consistently and positively demonstrate and discuss the importance of managing risk appropriately

  • the agency’s risk management framework is integral to its operating model, where employees understand and agree on the need and value of effective risk management

  • employees are comfortable talking openly and honestly about risk, using commonly understood risk terms and language

  • employees own and manage complex shared risks with others and incentives reinforce appropriate risk-related behaviour

  • the agency has a supportive environment for escalating risk issues with the senior executive.


And at page 39:

Moves to increase collaboration across the APS demand a deeper understanding of shared risks—those risks that do not have a single owner—within the Commonwealth. Shared risk is a crucial element of program and policy delivery and failing to identify and manage these risks often impacts a broad range of stakeholders, including within the wider community…
…Comcover’s annual risk management benchmarking program involves public sector agencies completing an annual self-assessment survey that measures the maturity of their risk framework against the nine elements of the Commonwealth Risk Management Policy. It is encouraging that understanding and managing shared risk across the Commonwealth has seen the largest improvement in maturity out of the nine elements, with a 29 percentage point change over five years.

However, understanding and managing shared risk was still assessed as one of the least mature elements of the policy. Fifty-eight per cent of public sector entities participating in the 2019 benchmarking program indicated that the accountability for managing shared risk was not clearly understood. Less than half included details of shared risks in their risk management reports.

There is a clear need for APS agencies to work with stakeholders to better understand common threats, shared vulnerabilities and enhance their collective ability to mitigate and respond to emerging risk.

Unfortunately, however, the results of SoSR 2019 suggest that not only have the above attributes not exactly materialised, but there is also an overall decline in positive risk management responses since SoSR 2018, as follows[2]:

  • My agency supports employees to escalate risk-related issues with managers (0.7% less agree and 0.2% more disagree)

  • Risk management concerns are discussed openly and honestly in my agency (2.5% less agree and 1.4% more disagree)

  • My agency provides me with opportunities to develop and enhance my skills to manage risk effectively* (3.2% more agree and 0.4% disagree)

  • Employees in my agency are encouraged to consider opportunities when managing risk (1.1% less agree and 2% more disagree)

  • When things go wrong, my agency uses this as an opportunity to learn* (2% less agree and 2% more disagree)

  • When appropriate risk taking results in failure, my immediate supervisor does not reprimand employees (not asked in 2018 - 46% agree and 18.2% disagree)

  • SES in my agency demonstrate the importance of managing risk appropriately* (5% less agree)

  • In my agency, the benefits of risk management match the time required to complete risk management activities (2.4% less agree and 2.5% more disagree)

  • Appropriate risk taking is rewarded in my agency (2.7% less agree and 3.6% more disagree)


As SoSR 2019 noted at p.40:

The largest increase in negative responses (four percentage points) related to risk taking being rewarded by the agency. A large proportion of respondents also selected ‘neither agree nor disagree’ for risk culture items. This was particularly the case for items relating to the perceived benefits from time invested in risk management, agency-level attitudes towards risk taking, and the attitudes of supervisors when risk taking leads to failure.
General research suggests that risk culture is often hindered by a lack of communication from senior leaders, resulting in lack of staff awareness around expectations for risk management. Analysis of the APS employee census data tends to confirm this within the APS context: there were substantial differences in positive perceptions relating to risk culture between SES and non-SES respondents. This is no doubt partly due to SES employees having greater exposure to and engagement with risk, but it may also point to poor communication about appropriate risk taking and management.
The Independent Review of the PGPA Act found that risk practice across the Commonwealth was still relatively immature. The review suggested that significant work was required to embed an active engagement with risk and to have APS employees at all levels appreciate their role in identifying and managing risk. The 2019 APS employee census results suggest that agencies still have significant steps to take to instil a positive risk culture.

While cultural change, including risk culture, takes ongoing time and effort, it is unfortunate that the trend is going the wrong way in the context of the PGPA Act review and APS review and the elapse of five years since the Commonwealth Risk Management Policy was implemented.
The PGPA Act review noted the need for leaders to ‘lead’ in relation to risk culture, so it is perhaps useful to compare leadership data between 2018 and 2019.

APS leadership

Page 123 of SoSR 2018 noted that:

…Managers play a vital role in developing the leadership capability of their employees. One measure in the program evaluation data that consistently scores the lowest is ‘support’ from the workplace to implement program learning, including from managers. Between 20 and 40 per cent of participants indicate they do not have the support they need. This presents a risk that a significant proportion of those attending APS leadership programs will not build the required skills. There is also potential for some wastage in the investment.

This finding aligns with the 2018 APS employee census results. There are generally lower ratings for supervisors developing capability through coaching, providing development opportunities, and encouraging experimentation. It appears that a significant element in improving the leadership capability of the APS will be shifting the perceptions of managers about their role and equipping them with the skills to incorporate development and feedback into their daily engagement with employees.

While the SoSR 2019 results on SES leadership show a slightly upward trend, with most percentages of agreement around 60%, several areas remain problematic and consistently lower, in particular:[3]

  • My SES manager is sufficiently visible (14.8% disagree)

  • In my agency, the SES are sufficiently visible (55.2% agree and 21% disagree)

  • My SES manager gives their time to identify and develop talented people (47.7% agree and 16.4% disagree)

  • In my agency, communication between the SES and other employees is effective (48.9% agree and 21.6% disagree)

  • In my agency, the SES work as a team (45.9% agree and 15.7% disagree)


If the major leadership cohort have trouble communicating to their own staff, do not spend time developing staff, are not sufficiently visible and do not work effectively with other SES, it is perhaps not surprising that risk management, and particularly managing shared risk, show little sign of improvement.

Fear of failure

It is also likely that one element driving this behaviour is the fear of failure.
This point is noted in SoSR 2019 at page 32 with a quote (also from Samuel Beckett) imploring the APS to: Try again. Fail again. Fail better.
Getting leaders to encourage ‘failure’ is not easy for a number of reasons and requires a change of mindset. As Amy Edmondson notes in her book The Fearless Organisation[4]:

The basic asymmetry of the psychological and societal forces favouring silence over voice, or self-protection over self-expression, will always be with us...
…It’s the difference between playing not to lose and playing to win. Playing not to lose is a mindset that focuses, consciously or not, on protecting against the downside; playing to win, in contrast, is focused on the upside, seeks opportunity and necessarily takes risks.

As Edmondson points out, leaders need to destigmatise failure as a natural by-product of experimentation, learning and sharing as well as recognise and respond differently to three types of failure – preventable failure, complex failure and intelligent failure[5].

  • Preventable failure: Training; Retraining; Process improvement; System redesign; Sanctions if repeated or other blameworthy actions are found

  • Complex failure: Failure analysis from diverse perspectives; Identification of risk factors to address; and System improvement.

  • Intelligent failure: Thoughtful analysis of results to understand implications; Brainstorming new hypotheses; and Design of next steps or additional experiments.


Always treating failure the same way, via the default setting of the preventable failures playbook, dooms the learning experience and entrenches risk avoidance.

Still waiting…

The above results don’t indicate the arrival of risk maturity just yet – despite the PGPA Act review, the APS review and the suggestions in SoSR 2019.

For leaders to ‘lead’ on risk management requires not just the ‘structural’ activities like risk frameworks, risk policies and risk registers, but a parallel focus on behaviours such as how SES (and others) communicate about risk, how they navigate and ‘own’ risks in relation to other SES in their organisation and externally and how they frame and deal with decision making outcomes, especially ‘failure’.

Playing ‘not to lose’ just means more waiting…
