C: Creating a positive risk culture

Last updated: 05 Feb 2016

This page is: current

Problems exposed

The potential for failure goes with the territory of public administration. Risk cannot be avoided. Not all potential dangers can be foreseen. The important thing is to identify as many risks as possible and to develop a strategy by which they can be handled. In discussion with ministers and advisers, a flexible plan needs to be prepared to manage program risks, which can be revised as execution challenges become more apparent.

Government needs to weigh carefully the risks of a major project against its expected benefits. In the case of the HIP this did not take place in a considered manner. There was no clear understanding or agreement between the Government and the APS on risk appetite. While the Government exhibited a heightened willingness to countenance risk in response to the Global Financial Crisis,[125] the reservations of officials, particularly about the proposed speed of implementation, were not effectively conveyed. Nor were public servants upfront with ministers about the ramifications of changes to program design which materially increased risks.[126]

Hanger recognised that the "APS ought to brief ministers on the risks inherent in a recommended approach".[127] This did not occur. In fact, the identification and management of risks in the HIP "was seriously deficient".[128] It is imperative that risk assessments are hard-nosed and do not provide an overly optimistic view of what may eventuate. With the HIP this was not the case. A crucial step in risk management, understanding the operating environment, was skipped entirely in favour of identifying internal or procedural risk.[129] Responsible officials did not demonstrate capability in assessing, documenting and analysing risks within the broader context of the industry. Nor did they employ information from similar program roll-outs in order to assess emerging problems as they manifested. Effective risk management was hampered by poor understanding of industry dynamics, of regulatory frameworks, and of how government intervention would impact the existing industry and behaviour of individuals within it. Time pressures exacerbated the failures.[130]

A lack of responsibility and accountability for managing the risks also proved to be a major problem. Responsibility for risk was abrogated. Hanger found a governance structure in which no-one seemed to accept personal accountability for ensuring that risks were appropriately managed.[131] Teamwork became a convenient excuse to cloak individual responsibility. Internal management structures prevented effective review and oversight of risk management once things started to go wrong.[132] When a significant number of parties are involved in program delivery, it is critical to understand how risks are allocated between them. This did not happen. Hanger found that the APS failed to consider what would happen if its delivery partners (whether the States and Territories or the insulation installers themselves) did not understand or accept responsibility for risk management.[133]

Problems addressed

At one level, risk management can be perceived as just a term for 'what could go wrong'. That is only one aspect. Indeed, too often in the APS, 'managing risk' is reduced to 'managing issues' – seeking to address problems that have already emerged. Moving from a culture of issues management to one of risk management is difficult: it involves thinking systematically rather than reactively and identifying opportunities and not just threats.

The APS still places the weight of program and risk management on templates, tools and processes, rather than instilling a culture of judgement, initiative and capability. Risks often manifest because the desire to 'do something' results in 'solutioneering': governments announce a solution before properly scoping the problem, and then try to retrofit the appropriate risk, governance and oversight requirements. Whether because of policy arrogance or 'cookie-cutter' compliance, this is a lost opportunity.

Public servants have a reputation for risk-aversion when it comes to implementation design and for taking the path of least innovation. Often this is deserved, and it reflects in part at least the higher public expectations and levels of scrutiny that apply to government compared with the private sector. Yet when it comes to considering risk during the policy design phase the public service has too often been impetuous, designing policies without reference to those that best understand the risks.

Comcover conducts an annual benchmarking exercise of agencies' risk management maturity, where maturity ranges from 'fundamental' through 'developed', 'systematic', 'integrated' and 'advanced' to 'optimal' (the highest level of maturity). Benchmarking also enables participating agencies to identify areas for improvement and compare themselves to peers. While some significant progress has been made in recent years, most agencies' risk maturity remains well below the 'optimal' status.[134] It is true that agencies are encouraged to strive for risk maturity ratings that are fit for purpose for their organisation, and that not all agencies will need to achieve the optimal rating. Nevertheless, the link between risk practice, the day-to-day administration of agencies and their strategic objectives remains weak.[135]

The PGPA Act represents a significant and positive step towards developing better risk practice and culture. The risk management policy established under the PGPA Act is designed to assist Accountable Authorities (departmental Secretaries, agency heads and governing boards) to engage positively with risk, in order to embed risk practice into business processes.[136] If fully implemented, the notion of 'earned autonomy' enshrined in the Act has the potential to be a game changer, creating a strong incentive for agency heads to embrace the necessary cultural and organisational changes to achieve this status.[137] However, if the PGPA Act is to achieve its objectives, APS risk culture needs to evolve. Legislation will not change culture: people and their actions do. As recently noted by the Chair of the Australian Prudential Regulation Authority, good risk practice is about behaviour, not structure.[138]

Setting a risk appetite starts with a structured conversation between ministers and Secretaries. It is essential that ministers clearly articulate their risk appetite to departments, having regard not just to a particular project, but to the gamut of risks embodied in the range of programs already being delivered. Once agreed, Secretaries need to devolve this information throughout their agency to align departments' functions with their ministers' risk appetites. Everyone should understand their responsibility. More junior staff should have a clear line of sight to the minister's risk appetite, and the Secretary should have a strong understanding of risks taken at the front line.[139] Information needs to flow freely in both directions.

Risk appetite will vary between programs and sectors. Secretaries and ministers should meet regularly to consider the risk profile of new policy and program initiatives, assess progress to date and identify emerging risks to implementation.

Risk management is a skill that can be learned. A recent survey of Senior Executive Service participants in the APSC's risk management program found that, prior to attending, around half did not feel confident in talking to ministers and senior leaders about risk. Encouragingly, more than 90 per cent of attendees reported that training gave them the confidence, skills and understanding they felt they needed to pursue these conversations.[140]

Ian McPhee AO

"As for many organisations, in the public sector there is still more to be done to embed risk management in organisational behaviour in a way that means all employees contribute positively to stronger outcomes through more effective engagement… risk management and business planning need to be integrated so that the organisation's models and approach are readily understood, at least in a general way, by all employees." (October 2014) [141]

Ian McPhee was Australia's Auditor-General between 2005 and 2015

Cabinet scrutiny of risk is a fundamental part of the decision-making process. Since 2009 a number of steps have been taken to improve the consideration of risk information in the Cabinet process. Currently, all new policy proposals require completion of a Risk Potential Assessment Tool (RPAT), indicating strategic risk, implementation complexity, legal risk and an overall risk assessment. Compliance is checked by the Department of Finance before the proposal proceeds to Cabinet, but the information from the RPAT is not included in the submission itself.

For ministers to make informed decisions, they need to be provided with clear information about the risks they are accepting and the resources available to manage these risks. This must be contextual. Ministers need to understand the specific risks associated with individual projects and the cumulative impact of accepting further risk (financial, legislative, procurement and implementation) relative to the government's overarching risk appetite. Departments now complete a preliminary risk assessment when developing a new policy proposal. Some also formulate a risk plan. This is excellent. There would be value in making these plans mandatory for major projects and programs, and having them scrutinised by the Department of Finance and PM&C and endorsed by the responsible minister(s) before the proposal proceeds to Cabinet. This would provide all members of Cabinet with a degree of comfort that risks had been appropriately assessed, while still ensuring that responsibility for accepting, managing and treating risks sits squarely with the responsible minister and department. The risk plan should be made available to any minister who wants to see it prior to the Cabinet meeting. Critical information about risk that could alter the course of a decision should sit front and centre in the documents that are prepared for Cabinet.

Considering risk on a case-by-case basis at the time of decision does not provide adequate insight into the wider whole-of-government risk landscape within which the proposal sits. Just as Cabinet, or its Expenditure Review Committee, considers the aggregated out-year cost of individual proposals, so it should also be aware of the government's cumulative forward risk profile. Without this, it is difficult for Cabinet to appreciate the full suite of risks to which it has committed across government and make an informed decision about how a particular program may fit with, or be adapted to, the prevailing risk appetite.

In other sectors, decision-makers now play an important role in setting risk appetite and instigating a positive risk culture. Governance boards in companies and not-for-profit enterprises receive robust and regular risk briefings, which enable them to align each decision or investment with an overarching organisational strategy. Indeed, such informed decision-making is a core part of the fiduciary duty of directors.[142] Decisions are based on historical experience, aggregation of risk and treatment options throughout the business and the balance of risk versus reward. Cabinet needs to be supported by APS executives to oversight risk in a similar manner. That discipline is as important to public good as it is to profit or social mission.

A periodic risk statement to Cabinet analysing operational, financial, strategic, legislative and procurement risks across government would strengthen its decision-making functions. This should not take the form of a portfolio-by-portfolio co-ordination exercise of detailing every single risk currently present in Commonwealth operations. That would be unnecessary red tape. Rather, it should be a smart, targeted and strategic exercise to identify and assess the status of the most significant risks facing government. The information could be presented in a concise, dashboard-style manner so as to clearly convey the manifestations of risk across government. This periodic Risk Assessment could be developed by the CROs oversighted by the Department of Finance. CROs are discussed below.

Glenys Beauchamp PSM

"I want people who take risks. I think we need to promote and encourage resilience, although we get criticised when we try to do this." (March 2015) [143]

Glenys Beauchamp is the Secretary of the Department of Industry and Science

Reliance on process at the expense of informed professional judgement destroys individual autonomy, diffuses responsibility and compromises the future success of new policies or programs from the start. With performance indicators for risk maturity appearing to have plateaued across the APS,[144] a catalyst is needed to drive cultural change and improve risk engagement and rigour. Despite the gains made through the PGPA Act, there is still significant work to be done to embed a positive risk culture in many government agencies. Legislation alone does not change culture—it is up to the people and the support and leadership they receive.

A positive risk culture allocates resources to monitoring of risk and puts in place efficient systems to escalate information to the person best placed to judge a plan of action. Too often in the APS, more effort is put into managing things that have already gone wrong. Risk management, by contrast, involves identifying and monitoring the potential for things to go wrong, and putting in place lines of defence to mitigate against these. The old adage that 'prevention is better than cure' remains appropriate. While risks cannot be prevented, it is easier and less expensive to manage them when they are considered early in the design phase. However good the planning, implementation risk needs to be considered at every stage of policy development. This is particularly so when delivery is outsourced to third-party organisations. Agency risks need to be addressed in the commissioning process—including the danger that a heavily prescriptive risk-averse process will undermine effective delivery of intended government outcomes.

There is no doubt that this approach is challenging. It requires foresight, judgement and commitment from individuals at all levels to be effective. In organisations that have achieved positive risk cultures, individuals are expected to identify and respond to risks in their own sphere of influence, rather than assuming that responsibility sits with senior managers or risk committees. They know who to approach in their agency if they need help, they receive support to identify and treat risk as early as possible, and they know that when they identify problems their concerns will be appropriately addressed by management. Knowledge of risk needs is widely shared.

There is much to learn from this approach. The APS too often places exclusive responsibility for risk management too high up the bureaucracy, away from the people who may be best placed to identify and act on it. This unwittingly creates two new problems: it overcrowds senior leaders' agendas; and it removes management of implementation risk from those who may be most informed about how to manage it.

Understandably, the APS focuses risk management on big risks to the government, but as a consequence it may underplay the smaller risks which, over time, can lead to significant program failures such as fraud, wastage, delay or poor service. The HIP has taught us that the accretion of multiple minor risks can lead to catastrophe. Devolving more responsibility for risk management to junior levels and paying more attention to 'near-miss' events, especially on the front line, will help build a positive risk culture and minimise the likelihood of large-scale failures in the future. Tasked with identifying and investigating the causes of risks, operational staff should be empowered to contribute their own perspective to the design of new programs and projects. This increases the likelihood that risk can be 'engineered out' at the design stage.

The management of uncertainty should sit at the core of public policy design. Major programs, if they are to be fit for purpose, need to be able to achieve intended outcomes even in adverse circumstances, rather than only delivering effectively in benign conditions.[145] That will be more likely if management experience gained from policy implementation is incorporated into design. Agencies with positive risk cultures conduct risk workshops at the beginning of policy design and involve their risk experts at every step of the journey. Risk-based policy design creates a clear relationship between individuals implementing a major new program, the leadership of their organisation, and a minister's risk appetite. Importantly, it can reduce the overall impact and number of material risks associated with the program, allowing active risk management to be more focused and easier to execute. Crucial to this approach is close collaboration between ministers, the public service, service delivery agents (public, private or community organisations) and industry stakeholders. This enables risk to become part of day-to-day business, rather than treated as a 'one off' activity.

Dedicated leadership is needed to grow and nurture a culture of positive risk management. The appointment of a Chief Risk Officer (CRO) can put in place a change agent to drive organisational innovation. CROs can play a major role in assisting organisations to build more positive, engaged and active behaviours around risk. They can play the role of a 'critical friend'—not simply saying "no" to proposals, or "have you thought of all the things that could go possibly wrong", but asking "on what basis can we say yes?" and "what needs to go right for this to succeed?". Their strategic importance to an organisation should be reflected in their seniority and by their position as a member of the senior executive team. In the public sector they need to have detailed knowledge of the government's objectives, their operating environment, organisational capability and available resources. It is best if they are directly accountable to the agency head, and have the authority to effectively challenge activities and decisions that may materially affect the department's risk profile.[146] Ideally CROs should look beyond individual risks to appreciate broader trends.[147] No government department should initiate a major new program or large project without the active participation of a CRO.

The position demands full authority from the top to go everywhere and explore everything, ensuring that risk considerations influence work practices, funding decisions, program design and delivery and organisational strategies. The CRO should be tasked with developing a control framework for effective implementation of major projects. More generally, they need to instigate discussions across the agency on what risks can be accepted and managed, and what level of management engagement will be required. Of course, there is a danger that the CRO will be perceived as the 'fall guy' for organisational failure.[148] Even worse, the creation of such a position might allow others to abrogate risk management without exercising their own judgement or shouldering their own responsibilities. This must not be the role of a CRO.

The PGPA Act establishes duties for departmental Secretaries and agency heads to establish and maintain appropriate systems of risk oversight and management.[149] But Secretaries and agency heads have limited time. Appointing suitably experienced and empowered members of the Senior Executive Service as public sector CROs to support them will provide a catalyst to drive best practice risk management and behaviour. In agencies with large project responsibilities, the position should be a full time job. They should have the ability to motivate others and work across organisational boundaries. They should add value, not add new lines of reporting. The CRO must support the agency head to lead the longer term shift to a positive risk culture, creating an organisation in which consciousness of potential failure is part of everyday practice for every employee. A CRO's success should be judged not by the number of systems and structures that they set up, or by the number of guidelines they issue, but by the positive behavioural change they bring about. For this, they will need access to the 'top table', so that risk consideration is brought into the strategic and operational decisions of the agency. They will need to be visible. They also need to be properly resourced. A rule of thumb in the private sector is that around 1 per cent of resources should be devoted to risk management activities. Perhaps that is a good guide to organisational expenditure. However, as will be apparent from any course on Risk Management 101, the key is to recognise the potential returns on investment achieved by reducing future costs.

It is appropriate for the CRO to oversee and co-ordinate the development, monitoring and maintenance of risk management plans by Senior Responsible Officers (SROs). The plans need to be 'living documents' as implementation progresses. Risk planning cannot be a one-off exercise, with a 'set and forget' template mentality. Risks must be continually reassessed to prevent unintended accumulation of risk beyond the agency's and government's risk tolerance. CROs should also be responsible for working with the Department of Finance to prepare the proposed bi-annual Risk Assessment for Cabinet.

Supporting the CRO and the agency head, effective risk and audit processes provide an important means of assurance to the agency head and minister. Audit committees play a critical role in public accountability, reducing the risk of fraud and improving financial processes.[150] It is good practice that they incorporate the experience of independent experts from outside the public sector. Many already do so.[151] However, audit committees, by their nature, tend to look backwards at what has already transpired, rather than forwards at what risks might be approaching.

In some large agencies—particularly those with complex program initiatives to deliver—separation of risk and audit functions would better serve the move towards a positive risk culture.[152] Membership of a risk committee should be sufficiently broad to fully consider the strategic risk posed by the delivery of services to the public, rather than focus only on internal corporate and financial risks. Specialist external appointments may be needed to support this function. A separate risk committee would also provide a forum to proactively address the major risks that may impede the organisation successfully implementing the goals of government. Just as importantly, a risk committee would also consider the potential for activities to adversely impact the community and environment in which the organisation operates. Over time, this will build organisational capability, helping departments and agencies to achieve earned autonomy status as envisaged in the PGPA Act.[153] In addition, SROs for large or complex projects or programs should regularly provide updates to the risk committee on the challenges facing their business and how they propose that implementation obstacles will be overcome.

Risk is one of the most important considerations in the design and delivery of large projects and programs. Unfortunately, as the former Auditor-General Ian McPhee told the Department of Parliamentary Services, good risk management is invisible because, "only risk management failures attract attention and headlines".[154] The challenge is to stop bad things happening. That requires ministers and Secretaries to show by example that engaging with risk is what governments do, and that it is the job of every public servant to play their part in managing it. Risk management lies at the heart of getting the best value from public funds.

CONCLUSIONS | Creating a Positive Risk Culture

C.9 To inform and improve policy design, departments and major agencies should gauge their ministers' appetites for risk on individual programs and across their portfolio, and reach agreement on how implementation challenges will be identified, accepted and managed within agreed resources.

C.10 Departments and major agencies should appoint a Chief Risk Officer, at a senior executive level, who will be responsible for embedding a strong risk culture and behaviours across all levels of the organisation.

C.11 All major Cabinet proposals should be supported by a minister's endorsed Risk Management Plan, submitted to PM&C and the Department of Finance, and available for perusal by other Cabinet ministers.

C.12 In order that governments remain aware of the cumulative impact of their decisions, the Department of Finance should facilitate a bi-annual whole-of-government Risk Assessment for the Cabinet, analysing the system-wide impact of operational, financial, strategic, legislative and procurement risks faced by government.


[125] Hanger, I 2014, p. 22.

[126] Hanger, I 2014, p. 303.

[127] Hanger, I 2014, p. 307.

[128] Hanger, I 2014, p. 308.

[129] International Organization for Standardization, ISO31000—Risk management, <http://www.iso.org/iso/home/standards/iso31000.htm>

[130] Hanger, I 2014, pp. 157, 179-180, 209, 309-310.

[131] Hanger, I 2014, p. 310.

[132] Hawke, A 2010, p. 43.

[133] Hanger, I 2014, pp. 157, 238–239, 309.

[134] Deloitte Touche Tohmatsu 2015, Comcover Risk Management Benchmarking programme 2015: key findings report, Department of Finance, Canberra.

[135] Of the 156 entities surveyed by self-assessment, two thirds of respondents reported not measuring whether their risk management procedures have supported the achievement of agency objectives, around half of respondents do not define responsibility for managing risk with staff performance agreements, and over two thirds of respondents do not provide risk management training to SES officers.

[136] Department of Finance 2014, Commonwealth Risk Management Policy, p. 3, Australian Government, Canberra, <http://www.finance.gov.au/sites/default/files/commonwealth-risk-management-policy.pdf.>

[137] Earned autonomy in the PGPA Act means taking a targeted and risk-based approach to financial framework regulation. The nature and extent of oversight and regulatory intervention exercised will depend on an entity's risk profile and performance. See the Explanatory Memorandum at <http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r5058>

[138] Laker, J F 2013, 'The importance of good governance', Speech presented to the Australian British Chamber of Commerce, Melbourne, 27 February, <http://www.apra.gov.au/Speeches/Pages/The-importance-of-good-governance.aspx>

[139] The Public Governance, Performance and Accountability Act 2013 (sections 15-19) outlines the duties and responsibilities of the accountable authority under the Act, including the requirement to keep the responsible Minister and Finance Minister informed of decisions relating to the entity. Supporting this, the Commonwealth Risk Management Policy outlines nine elements underpinning the Commonwealth's risk management policy, including the requirement to develop a positive risk culture (Element Five), communicate and consult on risk in a timely manner with internal and external stakeholders (Element Six).

[140] Survey of attendees at the APSC's SES Risk Management Program between November 2014 and February 2015. Attendees were asked prior to and after attendance at the course whether "I am confident I am able to effectively advise senior APS decision-makers and relevant portfolio ministers on a coordinated response to whole-of-government and shared risks". Prior to the course, only 57 per cent agreed or strongly agreed with this statement, this number rose to 91 per cent after attending the course.

[141] McPhee, I 2014, 'Public Sector Risk Management—not walking too early to the winner's circle', Speech presented to the Risk Management Institutions of Australasia, 2 October, <http://www.anao.gov.au/~/media/Files/Speeches/2014/Public%20Sector%20Risk%20Management.pdf>

[142] The general duties of company directors are prescribed in the Corporations Act 2001, sections 180-190B. This includes the requirement to make judgements in good faith for a proper purpose, informed about the subject matter of the judgement to the extent that a reasonable person would believe to be appropriate.

[143] Thomson, P 2015, 'Public Service boss' pep talk: Industry Department Secretary Glenys Beauchamp', The Canberra Times, 29 March.

[144] Deloitte Touche Tohmatsu, 2015.

[145] Dunn, J 2015, 'Risk remains much the same in the public sector', Australian Financial Review, 13 April, online <http://www.afr.com/news/special-reports/evolving-business-risk/risk-remains-much-the-same-in-the-pblic-sector-20150412-1mi15u/.>

[146] Australian Prudential Regulation Authority 2015, Prudential Standard CPS 220, para. 39.

[147] Kaplan R S, Mikes A, Simmons R, Tufano P & Hofman M 2009, 'Managing risk in the new world', Harvard Business Review, October 2009, <https://hbr.org/2009/10/managing-risk-in-the-new-world.>

[148] Jackall, R 1983, 'Moral mazes: bureaucracy and managerial work', Harvard Business Review, September – October 1983, p. 120.

[149] Public Governance, Performance and Accountability Act 2013, section 16.

[150] Australian National Audit Office 2015, Public Sector Audit Committees: independent assurance and advice for Accountable Authorities, Australian Government, Canberra.

[151] Since 1 July 2015, the Public Governance, Performance and Accountability Rule 2014, section 17(4), has required that for a non-corporate Commonwealth entity the majority of members on an audit committee must be persons who are not officials of the entity; and that for a corporate Commonwealth entity the majority of members must be persons who are not employees of the entity.

[152] PricewaterhouseCoopers 2012, 'Forward thinking for the audit and risk committee', Audit and Risk Committee Matters, March, p. 3, <http://www.pwc.com.au/assurance/assets/audit-committee/Audit-and-Risk-Committee-Matters-Mar12.pdf.> pWC suggests that the decision to separate the risk committee from the audit committee may be influenced by the complexity of the operating environment (especially if it has recently changed), the segregation (or not) of risk and audit in the rest of the organisation, and whether dealing with risk matters distracts the audit committee from dealing with audit matters.

[153] Explanatory Memorandum, Public Governance and Performance Accountability Bill 2013, [54-60], Public Governance and Performance Accountability Act 2013, section 101(2).

[154] McPhee I, 2014.