The PGPA Act Review - Is too much process never enough?

In my earlier article about the PGPA Act review draft report (on 4 June) I suggested that good governance is not sufficiently valued by public sector employees and is also part of a mindset that governance is something someone else does.
In this article, I will look at recommendations 10 to 14 of the draft report, which focus on risk management. I will leave Recommendation 39 (the Comcover Risk Management Benchmarking Survey Tool) for another time.
The draft report correctly identifies the need for strong leadership, and for all APS employees to improve their governance and risk management behaviours. It also identifies that the Commonwealth Risk Management Policy has improved the APS’ approach to risk, but that, of itself, this will not be enough to significantly improve engagement with risk.
Recommendations 11-14 then suggest that Accountable Authorities should:
· do more to embed risk management into policies and programs, and incentivise officials to manage risk
· engage with ministers and other key stakeholders on risk appetite and risk management
· consider appointing a Chief Risk Officer, and
· consider establishing a separate risk committee or improving the risk review of existing audit committees.
The ‘other’ PGPA – Process Gets Priority Always
While a greater focus on risk management is welcomed, I am not so sure that the real answer lies in enhancing existing risk processes or building new ones. Doing so could in fact be counterproductive and may maintain risk management inertia.
Almost inevitably, any review of government activity overemphasises the value of process. If there is one thing the public sector does not need more of, it is process. While the PGPA Act has been a valuable and important public sector governance reform, more process is not necessarily going to ‘embed’ improved risk management behaviour.
It also seems to me that the types of processes suggested in Recommendation 10 of the draft report already exist – they are just not always adhered to. For example, Cabinet processes (including past templates for New Policy Proposals) have tried a variety of different and potentially worthy approaches to identify project/risk management in policy and program proposals. However, this process is often derailed by extraordinarily short timeframes, by policy outcomes pushed through to meet external deadlines (i.e. Budget deadlines), or for a variety of other reasons.
The Royal Commission into the Home Insulation Program (HIP) is but one example of this. Reasons for the program going the way it tragically did included the ridiculously short timeframes to implement the final version of the scheme, which led to poor program design which incentivised market rorting and shoddy practices.
The policy/program process for developing the HIP did not lack for committees, departments, Deputy Secretaries, Senior Ministers, Junior Ministers, briefings, minutes, private sector risk managers, lawyers and other hangers-on. Many of the process boxes were ticked, but in the end, no-one wanted to own responsibility for the decisions taken (or not taken). For example, early on during this process, the risk of electrocution during installation was raised, based on similar risks eventualising in New Zealand. However, this risk was dismissed as the New Zealand program involved floor installation and not ceiling installation. Other risks, such as how to apply WHS regulations effectively to the flood of newly established insulation fitting businesses, were simply considered a state regulation problem and ignored.
In relation to Recommendations 12, 13 and 14, there is nothing intrinsically wrong with setting up specific committees to deal with risk issues or identifying a risk guru called the Chief Risk Officer (CRO). Such initiatives are useful signals of cultural change and identify risk as something that must be addressed. As the draft report noted, Professor Peter Shergold in his 2015 report arising from the HIP (Learning from failure) also suggested that CROs should be seriously considered.[1]
Around the time of the Shergold report, some Commonwealth agencies began to employ CROs. In my discussions with some of them at the time, they observed that businesses in line areas thought the role of the CRO was to own the risks of the line areas, and not to ‘pass them on’ to those undertaking the activity.
A by-product of elevating consideration of risk to CROs and/or committees is that it moves risk further away from those who are actively dealing with the risk, stretching lines of communication and accountability.
Committees are often attended by busy senior people who do not have the time or capacity to dig down into the issues before them. Unless the governance arrangements for committees (and CROs) are very clear about what their roles and responsibilities are, no-one will step up and own the risk.
This was also a concern raised in the Shergold report (page 40):
In organisations that have achieved positive risk cultures, individuals are expected to identify and respond to risks in their own sphere of influence, rather than assuming that responsibility sits with senior managers or risk committees (my emphasis). They know who to approach in their agency if they need help, they receive support to identify and treat risks as early as possible, and they know that when they identify problems their concerns will be appropriately addressed by management. Knowledge of risk needs is widely shared.
… The APS too often places exclusive responsibility for risk management too high up the bureaucracy, away from the people who may be best placed to identify and act on it. This unwittingly creates two problems: it overcrowds senior leaders’ agendas; and it removes management of implementation risk from those who may be most informed about how to manage it.
Conversations and incentives
As mentioned above, the draft report also recommends that Accountable Authorities find ways to incentivise officials to become better risk managers and that they hold conversations with key stakeholders about risk appetite.
Both suggestions are valuable and useful, and would be even more useful if these activities were embraced right throughout the organisation and the chain of command: that is, if not only ministers but all officials understood the organisation’s risk appetite, and ministers also understood the need for risk management processes to be hardwired into policy development and program management.
In terms of how risk management could be improved at organisational level, key elements include the need to:
1. Explain, in the simplest terms possible, what the aim of the behaviour is, what is expected, why it is important and how people can achieve it
2. Set up a relatively simple and useable framework, preferably focused on principles, with supporting information and training to aid understanding for users
3. Live it – at every level of the organisation. Set an appetite for risk. Talk about it, disagree about it, challenge it, review it. Deal with the good and bad of it – reward/incentivise good behaviours and take very transparent steps about not so good ones. Become comfortable with the idea of risk and the reality it is always there.
4. Make decisions.
5. Own those decisions.
Risk is about making decisions. The legal concept of negligence includes the act of not making a decision, yet too often public servants somehow think that not making a decision is safer than making one. Risk is always there, whether you do something or not.
Making risk ‘special’ does little to break down the cultural silos around risk. Risk is a part of daily business and should be treated as such: discussed at branch meetings, division meetings etc., and forming part of the agenda like everything else. Don’t hide risk behind an endless cycle of process through Minutes/Briefs/Submissions/emails to avoid responsibility for policy development or program delivery. You do need a paper trail – but you don’t need a paper super-highway with endless ‘accountability’ toll booths.
Give people real authority to make decisions, and real accountability for the consequences of those decisions. This enables ‘buy-in’, builds trust and incentivises staff to manage risk.
Risk discussions should also become more general to encourage a wider and more mature perspective on risk, not just for policies and programs, but for all phases of enterprise planning (corporate plans, business plans, annual reports, performance reports). The more risk is ‘specialised’ the more it becomes ‘too difficult’ to do.
Whatever approach is taken, risk maturity will not occur without an increased organisational investment to assist business areas to become risk owners. This requires time, effort and resources (i.e. ASL, training budgets, networking with other CROs, senior management support). The Shergold report (at page 42) suggested that the APS should adopt the private sector approach of spending around 1 per cent of resources on risk management activities. Whatever method you use to determine the 1%, it is unlikely this much is being spent by entities now.
So, for the reasons above, I consider that improving risk management maturity involves less emphasis on process, committees and CROs, and more emphasis on capacity building within organisations to better understand how risk is everyone’s job.
Rob Antich
