Prelims

Half Title Page

Public Sector Leadership in Assessing and Addressing Risk

Series Page

EMERALD STUDIES IN FINANCE, INSURANCE, AND RISK MANAGEMENT

Series Editors: Ercan Özen and Simon Grima

Books in this series collect quantitative and qualitative studies in areas relating to finance, insurance, and risk management. Subjects of interest may include banking, accounting, auditing, compliance, sustainability, behaviour, management, and business economics.

In the disruption of political upheaval, new technologies, climate change, and new regulations, it is more important than ever to understand risk in the financial industry. Providing high quality academic research, this book series provides a platform for authors to explore, analyse and discuss current and new financial models and theories, and engage with innovative research on an international scale.

Previously published:

• Uncertainty and Challenges in Contemporary Economic Behaviour

  Ercan Özen and Simon Grima

• New Challenges for Future Sustainability and Wellbeing

  Ercan Özen, Simon Grima and Rebecca Dalli Gonzi

• Insurance and Risk Management for Disruptions in Social, Economic and Environmental Systems: Decision and Control Allocations within New Domains of Risk

  Simon Grima, Ercan Özen and Rebecca Dalli Gonzi

Title Page

Public Sector Leadership in Assessing and Addressing Risk

EDITED BY

PETER C. YOUNG

University of St. Thomas, USA

SIMON GRIMA

University of Malta, Malta

AND

REBECCA DALLI GONZI

University of Malta, Malta

United Kingdom – North America – Japan – India – Malaysia – China

Copyright Page

Emerald Publishing Limited

Howard House, Wagon Lane, Bingley BD16 1WA, UK

First edition 2022

Editorial matter and selection © 2022 Peter C. Young, Simon Grima, and Rebecca Dalli Gonzi. Individual chapters © 2022 The Authors.

Published under exclusive licence by Emerald Publishing Limited.

Reprints and permissions service

Contact: permissions@emeraldinsight.com

No part of this book may be reproduced, stored in a retrieval system, transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without either the prior written permission of the publisher or a licence permitting restricted copying issued in the UK by The Copyright Licensing Agency and in the USA by The Copyright Clearance Center. Any opinions expressed in the chapters are those of the authors. Whilst Emerald makes every effort to ensure the quality and accuracy of its content, Emerald makes no representation implied or otherwise, as to the chapters’ suitability and application and disclaims any warranties, express or implied, to their use.

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN: 978-1-80117-947-8 (Print)

ISBN: 978-1-80117-946-1 (Online)

ISBN: 978-1-80117-948-5 (Epub)

Contents

List of Figures

About the Editors

Peter C. Young holds the 3M Endowed Chair in International Business, and in that position is responsible for global business education initiatives at the University of St. Thomas’ Opus College of Business. From 1994 to 2011, he held the E. W. Blanch, Senior Chair in Risk Management in the Opus College of Business. In that capacity, he was (and remains) responsible for the MBA courses and non-degree programmes in risk management, which includes a leadership role in the actuarial science programme – now designated as a Center for Actuarial Excellence.

He has been a Visiting Professor to City University in London and Aoyama Gakuin University in Tokyo and has held a distinguished Honorary Professorship at Glasgow Caledonian University in Scotland. He was selected as a Distinguished Alumnus of the Year for the University of Nebraska-Omaha, was honoured with the ALARM-UK Lifetime Service award, and was selected as an Honorary Fellow of the Institute of Risk Management in London.

He holds a PhD in Risk Management from the University of Minnesota and a Master’s degree in Public Administration from the University of Nebraska-Omaha. He is considered a leading authority and educator on the subject of risk management. He has written extensively on the subject of risk management, including an influential risk management textbook, Risk Management and Insurance (McGraw-Hill, co-authored with Michael Smith), Managing Risks in Public Organisations (with Martin Fone), and Risk Management and Leadership. His latest book, co-authored with Torben Andersen, Strategic Risk Leadership: Engaging a World of Risk, Uncertainty, and the Unknown, published by Routledge, was released in February 2020. A second book with Torben Andersen was released in September 2021. That book provides a more detailed investigation of risk leadership through the lens of complex adaptive systems theory.

Simon Grima, PhD (Melit.), MSc (Lond), MSc (BCU), BCom (Hons) (Melit.), FFA, FAIA (Acad), is the Head of the Department of Insurance, in charge of the undergraduate and postgraduate degrees in Insurance and Risk Management, an Associate Professor and Deputy Dean of the Faculty of Economics, Management, and Accountancy at the University of Malta. He served as the President of the Malta Association of Risk Management and President of the Malta Association of Compliance Officers. Moreover, he is among the first Certified Risk Management Professional (FERMA), is the Chairman of the Scientific Education Committee of both FERMA and PRIMO and served as a member of the curriculum development team of PRIMIA. His research focus and consultancy is on internal controls (i.e. risk management, internal audit, and compliance) and has over 25 years of experience varied between financial services and with public entities in internal controls, investments, and IT. He acts as an Independent Director for financial services firms sits on risk, compliance, procurement, investment and audit committees and carries out duties as a Compliance Officer, Internal Auditor, and Risk Manager.

He has been a member of the scientific committees and Chair of international conferences and is a Reviewer and Chief Editor of some journals, books, and book series. Moreover, he has been awarded Outstanding Reviewer for Journal of Financial Regulation and Compliance in the 2017.

Rebecca Dalli Gonzi, PhD (Glasg), MSc (Edin), B (Melit) (Hons), A & C, A (Lond), is an Architect, Project Co-ordinator, and Lecturer. She is a registered and certified Civil Engineer by the Chamber of Architects Malta, and a registered chartered member of the Royal Institute for British Architects London. She has worked in the private and public sectors, both in Malta and in Scotland. She is a Resident Academic at the University of Malta and teaches Project Management, Geopolitics, and Environmental Risk, and Business Continuity Management. She founded the DALI model, an organisational risk assessment tool that can be used when organisations need recovery action due to a crisis. Her book titled Change and Continuity Management in the Public Sector presents a model for managing organisational risk to help companies and institutions achieve their goals with minimal setbacks and using limited resources. Her research emphasises the idea that good management requires the right decision-making methods if an organisation is to be successful. Her research interests include organisational management, strategic project management, and construction management. She is a member of the PRIMO European Risk Board, Chair of the Faculty for the Built Environment Student Well-being Committee at the University of Malta, and President of YWCA (Malta) which is a not-for-profit organisation working to support young and vulnerable women.

Preface

Early in this book we offer an observation that, once made, quickly recedes into the background. However, it remains present and – indeed – reappears in various forms and at various points throughout the 12 chapters. That observation is simply this – there is very little academic writing on risk management in public sector organisations. This is something of a mystery. In a complex world where risk, uncertainty, and the unexpected (even unknowable) are – perhaps – its most significant features, it seems that assessing and addressing risk and uncertainties would be first-order concerns for public organisations, and therefore for public sector scholars. Risk makes appearances throughout the literature … yes. So does Uncertainty … of course. Phenomena like crises and catastrophes are featured topics. Specific topics like governance, strategic planning, operational management, finance, and audit serve as subjects in which risk and uncertainty (and occasionally responses to them) appear. But very little effort has been expended investigating how to think about risk management in, say, a municipality, its objective purposes, and how it should function? Really, the limited treatment is nearly embarrassing.

Alongside this, the professional or practitioner literature has its own issues. There is an abundance of how-to reports, some ‘state of the profession’ studies, and some featured treatment of technical subjects (worker injuries, buying insurance, accident prevention, etc.). And there are, of course, a myriad of topics that, conceptually, are risk management topics but are not framed as such – policing, firefighting, road and street design, and water and sewage management. This is not a criticism of those specific fields, but it does lead to the question: why are these subjects almost never fitted into the larger consideration of an organisation’s overall effort to manage risks?

Well, as this book will attempt to set forward, there are reasons for this. While not wishing to ruin the ‘surprises’, the academic side of things has not produced anything approaching a unitary rationale (or dare we say it, theory), which essentially prevents critical testing of hypotheses and measurement of performance. Does risk management matter to public organisations? We cannot say definitively because there is no clear assertion of what risk management is and what it does. But why is that? This is what the book sets out, in part, to answer.

On the practitioner side, the issue is related to the aforementioned lack of a rationale, but our book will contend that part of the problem is a consequence of the transference of private sector risk management principles and practices into a public sector setting. Risk management was first formalised in the private sector, so understandably public authorities followed and adopted those practices. It turns out (well, we think so) that there are several reasons to believe risk management effectively becomes a different thing when applied to public organisations and – thus – requires a different way of thinking.

To be sure, much of traditional risk management is worth doing. Public organisations want to prevent fires to public buildings, avoid injuries to employees and citizens, and prevent decisions that could lead to law suits. They should buy insurance, establish policies, procedures, and practices; they should monitor their work; and they should even pursue opportunities when appropriate (risk management is not only about threat management). However, the missing ingredient is a clearer understanding of why this should be done and how.

This preceding paragraph gets to the substance of our book, and here it is necessary to briefly explain a critical aspect of risk management that comes in for discussion in the first four chapters of the book. The evolution of risk management features a moment where recent developments lead to a somewhat unintentional swerve in the actual meaning and purpose of risk management. Enterprise risk management (ERM) is the emblematic cause of that swerve, which – it is fair to say – was not its intention. Rather, ERM argued for a kind of aggregation and integration of all that had transpired from the 1940s to the early 2000s. Risk management began as a technical managerial function (insurance buying) but over time became a collection of largely independent functions (financial risk management, health and safety, business continuity, IT security, supply chain risk management, etc.). The ERM initiative sought to integrate and consolidate these efforts into a holistic, organisation-wide, strategy-driven, function. If some risk management was good, wouldn’t more comprehensive and coordinated risk management be better?

To be clear, the motive for ERM was not simply the response to the preceding question. There was a recognition that organisational risks were related and highly interconnected. It made more sense to look at the exposure to risk comprehensively. But here comes the swerve. If an organisation decides to take a comprehensive approach, the practical question is ‘how does this happen?’ Much ink has been spilled on this, and – in fact – this book sets out the how and why in some detail. The more impactful question, however, is this … if the intention is to comprehensively assess the potential effects of an uncertain world on an organisation, then the task really is not limited to assessing and addressing risks, is it? Risks (as we will explain) are measurable uncertainties so it becomes quickly apparent that risks are only a part of an organisation’s exposure. Unmeasurable uncertainty (well, just uncertainty), complexity, the unknown and unknowable, and emergent phenomena are much more prominent. Furthermore, human perceptions of these things are front and centre in any effort to comprehensively understand what we will call the uncertainty field of an organisation. Suddenly the job is not just about mathematical measurement of risks – which nevertheless will be shown to continue to shape the identity of the field. Rather it is more of a social science function, leading to very different ways of thinking about and practicing risk management. It turns out that this insight is applicable to private sector organisations too, but the book will make the case that it is particularly critical to the development of both the rationale and practice of public sector risk management.

Moving on, our book was conceived as a textbook, an introductory textbook on public organisation risk management – particularly focussing on European public organisations. That term, introductory textbook, is suggestive of several things. First, it signals the intended audience; university-level students and individuals entering careers where a basic understanding of risk management is seen as useful. Second, it implies that something else will follow – that is, further and advanced treatments of the subject matter with possible forays into specialised topics – additional books, for example. In other words, it suggests that there might be an entire programme of study around the subject – an undergraduate degree or an MSc in Public Risk Management, for example (we shall have to see about that!). Third, as a textbook, it should present evidence of the linkage between academic thinking professional practice. And here we remind ourselves that one of the problems with public organisation risk management is the limited research. This last point presents a challenge, so perhaps the most ambitious view we can take here is that we will attempt to provide a baseline or starting point for future research efforts.

One final point on our intentions. For reasons already mentioned, risk management finds itself at an interesting point in time. Thinking and practices are changing or adapting, and there are obstacles and issues that need to be better understood and addressed. Furthermore – let’s face it – the world of risk, uncertainty, the unexpected, and the complex is certainly not going away. If 2020–2021 taught us anything, it is that the public sector has a huge role to play in assessing and addressing risk and uncertainty – and there are severe consequences to failure. Considering this assertion, our book needs to both describe the history and context of risk management, its present state, but also to offer a view of its future. Do textbooks attempt to address what was, what is, and what might/should be? Ours does.

The book is divided into four sections. The first section is focussed on establishing a context for understanding risk management (in all settings) but ultimately drawing a sharper view on risk management in European public organisations. The second section looks at what might be called the ‘spine’ of organisational risk management – structured approaches to assessing and analysing complexity, risk, uncertainty, the unknown, and the emergent. The third section examines the array of responses that an organisation might employ to address complexity, risk, uncertainty, etc. The final section steps back to look more holistically at how risk managers and leaders decide what to do and then how they do it.

Finally, note that we are certain public organisation risk management is an important function and that the need for competent risk managers and leaders has never been more important. There is an old adage in our field: ‘Nothing promotes risk management like a disaster’. If this is true (it is) 2022 will provide a huge demonstration case and we predict a period of keen interest. How long will that interest last – well, we say something about that in the book too. Among several key points will be the Sisyphean challenge of getting people interested in disasters before they occur! Nevertheless, we are willing to bet that there will be an elevated interest in risk management competence for the foreseeable future and are therefore hopeful our book will ignite interest in the field among – at least – some readers.

Acknowledgements

Luck. The topic never quite surfaces in this book, but if we look closely it lurks beneath the words on nearly every page. Risk management might be (nearly) fully recast as luck management and in doing so I don’t think we would be missing much in terms of description. Whatever the terminology we employ, the essential message in this book is that we control much less of our lives than we would care to admit. Yes, we take measures to prevent bad luck from befalling us and we aspire to enhance the prospects of good fortune. But this only takes us so far and somehow we have to come to terms with the idea that striving to be resilient is the best overall policy we can follow.

So it is with the subject matter of this book. We buy insurance, we make plans, we learn how to be safe, and how to take calculated gambles, and – so do risk managers. There are many concrete things that can be done in the service of managing risks, but in the face of a complex environment, with uncertainty, emergent phenomena, the unknown and even the unknowable, our overall strategy is to focus on being able to bounce back, minimise impacts of sudden events, anticipate, seek to remain agile, responsive, and resilient. Indeed, it would be hard to find a more central point in this book than sustainable resilience, the achievement of which (while never fully attainable) becomes the overarching purpose of risk management.

So it is with risk management, but so it is with me. That is, I have sought to be resilient in my life, but as with all of us, I have only had partial success. Nevertheless, resilience in the pursuit of resilience must be the way we proceed through life.

But back to ‘luck’, which is what I really want to talk about here.

Philosophers and scholars contemplate the role of luck and fortune, and one rather clear observation is the fact that we are often more lucky (or unlucky which, by the way, is a different matter) than we care to admit. Provocatively, it is sometimes said that the hallmark of successful individuals is their lack of appreciation for the role luck played in their success. Good parents, genetic endowments, thoughtful mentors, happy marriage, being at the right place at the right time all play a role in success. Yes, being good at what you do and working hard can position you for success, but still … I will go on the record and say that I have been very, very lucky. I would like to think that I work hard and have a modicum of intelligence, but as I look back on life, it is luck that features prominently. And for me, it is people that have mattered the most and brought me the most luck. This Acknowledgement would run to 10 pages or more if I was thorough in recognising them all, so let me provide a light organising structure to capture those that really need thanking.

My parents, now both long gone, were so powerfully influential in promoting my love of learning that I could in many senses just stop the acknowledgements here. However, my extreme good fortune in meeting and marrying my wife, Sian, has to be at the top as well … and then my lovely, smart, funny, and talented daughters, Hannah and Mallory, feature prominently as well.

Turning to matters more pertinent to this book, I had the benefit of two great mentors in my academic life, C. Arthur Williams, Jr at the University of Minnesota, and Don Norris at the University of Nebraska-Omaha. Such is my indebtedness to them that I always mention them when opportunities roll around to recognise my influences. My research colleague, Torben Juul Andersen of Copenhagen Business School deserves mention here as well. He has been a good colleague and an inspirational thinker. I am very lucky we met nearly 15 years ago, and I am happy to say we continue to have research ambitions well into the future.

Let me finish with what is a very unusual string of events that – over 25 years ago – led me down a road into the world of public sector risk management in Europe. Luck had to be present as I did not initially have any specialised knowledge of the European public sector scene. I was invited to the UK in 1995 to discuss my US work on risk pools, which eventually allowed me to work with local authorities in the UK. Along the way I became friends with Martin Fone (a risk financing and underwriting expert), Professors Lynn Drennan and John Hood of Glasgow Caledonian University, Alan Connolly and Rosemary Ryan of Irish Public Bodies, and many other experts on public sector risk management. Because of my time in the UK, I was invited to Denmark by Peter Sylow (CEO of the public body insurer KF) who, I am happy to report, has remained one of my best friends. This in turn introduced me to a constellation of public sector leaders throughout Scandinavia (first) and then the rest of Europe. This very long and winding journey of good fortune finally came to rest – for the moment – with Professors Simon Grima and Rebecca Dalli Gonzi at the University of Malta, who have been major partners in developing this book.

There is only one way to characterise this journey. Lucky. My sincerest thanks to all these friends and colleagues.

Peter C. Young, PhD

17 September 2021