Public Sector Leadership in Assessing and Addressing Risk

Ours is a complex world. On these five words will be built a foundation for an alternative way of framing our thinking about risk management. Complexity means many things, but a key feature is that outcomes cannot be predicted with certainty. In the best cases, opportunities arise to analyse and develop some understanding of the uncertainty within a complex system, and in the most fortunate of such circumstances it is possible to anticipate specific outcomes with some degree of accuracy. The authors call such circumstances risks – that is, measurable uncertainties. Complexity, however, consists mainly of interconnected uncertainties and unknown/unknowable possible outcomes or effects. And, of course, complex systems can include humans whose (in)ability to perceive and interpret such environments makes things – well – more complex.

This book ultimately will focus on how the authors construct a way to lead and manage in this environment, but first it is critical that the terminology and description of this world be given some precision. Therefore, Chapter One begins with an introduction to the idea of complexity, including some mention of the principles and concepts that inform our understanding of it. In turn, this discussion introduces uncertainty. Risk, as a category of uncertainty is discussed and the implications of its measurability are presented, which leads to a discussion of human perception and behaviour under conditions of uncertainty. Attention is then drawn to the unknown and the unknowable, and to emergent phenomena. Since the focus of this book is on public sector risk management, the chapter concludes with a brief discussion of the idea of public risk.

This book is about risk management in the public sector, in general, and particularly risk management in public sector organisations. Risk management in the public sector is a much broader topic than risk management in public sector organisations because it touches on many issues of a public nature that are not the direct or sole responsibility of any specific public organisation. Sometimes a public organisation must deal directly with such risks, but often laws and regulations can adequately address broader public risk issues, governments can participate indirectly and behind the scenes, or participation can be in collaboration with private and non-profit organisations. In some cases, government organisations play no role at all.

This chapter focusses on an important contextual issue; the environment in which risk management is practised in the public sector and in which public risks arise. In much of this book, the unique or unusual attributes of the public sector are shown to profoundly affect risk and the forms and functions of risk management. This chapter introduces some of these attributes and highlights their likely impact on risk management. The public environment is one with movable boundaries, and it essentially encompasses any action or object that a society considers public. Over time, attitudes can change about publicness, but a key point is that while government entities occupy part of the public environment, they are not its only inhabitants.

Understanding the context of any subject is crucial and this is certainly true of risk management in the public sector. Undoubtedly, what we face today is the highly path-dependent result of what has happened in the past. And, what happens today in a local government, for example, is very much influenced by the wider current situation that surrounds it. Further, it must be said that even the future can be part of the present context (climate change would be a stark example of this).

Described in this way, it seems a daunting challenge to understand past, present, and future – and, indeed, it verges on the impossible. The remaining chapters of this book revisit the context through the lens of the various components of risk management (assessment, analysis, forecasting, and more) and by looking at the present and future through the concepts and principles used by risk managers. Here, in Chapter Three, the issue of context is first considered by examining the relationship between past and present with specific reference to risk management as a management practice. Thus, the chapter does not specifically address how uncertainty is assessed, or how insurance is used, or even how a risk management programme operates – these are topics for later chapters. Rather, the history of risk management is presented as a narrative that seeks to explain how risk management has evolved into what it is today.

Finally, the chapter leads into the present by providing an overview of the current public environment in Europe. This allows the book to develop both a history of how risk management became what it is today, and to understand the key risks and uncertainties that define the current context. Chapter Four presents the administrative nature of today’s practices and offers some speculation about alternative ways of thinking about risk management practices now and in the future.

Traditional or technical risk management practices have been observed in local governments since the early 1960s. These practices tended to focus on the management and control of insurable risks (fires, thefts, and liability suits), as well as responsibility for insurance purchasing, for occupational safety and health, security, and similar matters. Later, financial risk management became a rather distinct technical practice, among other technical additions.

Chapter Three focussed on developments since the late 1980s, notably a general trend of expansion and extension of risk management followed closely by a rapidly evolving view – both in academia and in practice – that risk management should take an organisation wide and integrated stance and that this integration would be demonstrably value adding. Recent legal, regulatory, and best practice initiatives have further accelerated the expansion of risk management. But while this expansive view, ultimately emerging as enterprise risk management (ERM), is well advanced in the private sector, it has not penetrated the public sector in any significant way. And, indeed when it has been applied, it has revealed several fundamental problems. As a result, the current state of risk management is somewhat less easily summarised than might be expected. Traditional (hereafter ‘technical’) practices remain uneven, though widespread; holistic ERM-like efforts are somewhat widely – but inconsistently – implemented in the private sector while in the public sector technical practices are seen, though to a lesser degree, and there have been very few ERM adoptions. Nevertheless, as sometimes happens, the presence of an idea (ERM) has been highly influential and sufficient to reorient thinking about risk management.

For discussion and clarity purposes, this chapter introduces the concept public organisation risk management (PORM). Clarity is important, but the concept PORM serves a second function here. It provides a label that allows actual technical practices to be linked to the ERM ideas that shape thinking about risk management in the public sector. Furthermore, this concept also allows for the inclusion of some even more recent developments (beyond ERM) that will lead to an alternative framing of risk management in the final chapters. PORM, therefore, ultimately involves an inclusion of past, present, and future thinking about risk management in public sector organisations.

The Public Organisation Risk Management concept challenges managers to develop a means of systematically identifying and managing key features of the organisation’s uncertainty field (its risks, uncertainties, the unknown and emergent, and the human perception/behaviour component). This presents an immense challenge, as it seems an organisation would need – in some sense – to identify all aspects of the environment before then isolating that subset of the most important risks and uncertainties. Clearly this is impossible, but a conscious awareness of this limitation might be valuable in its own right.

Assessment and analysis refers to the systematic and ongoing process by which a public organisation identifies, analyses, and measures the key components of its uncertainty field. A foundation concept that governs assessment and analysis is the view that public organisations are, in effect, collections of contracts, obligations, commitments, and agreements between the government and resource holders. Those arrangements serve as means by which the public organisation becomes exposed to the elements of the uncertainty field. Those elements, in turn, arise from the physical, social, political, economic, legal, operational, and cognitive environments.

A more detailed exposition of assessment and analysis appears in both Chapters Six and Seven. Here, in Chapter Five the goal is to set the foundation for such an exploration. Key terms and concepts are presented, and some core issues are introduced. As with all chapters, the discussion will address what have been identified as ‘traditional’ as well as enterprise risk management influenced perspectives. This in turn will lead to some coverage of alternative thinking about the assessment and analysis process.

There are several ways that risks and uncertainties might be discussed in the context of assessment and analysis – several of which could be inferred from previous chapters. Here, Chapters 6 and 7 are structured around what might be called strategic risks/uncertainties and operational risks/uncertainties.

This chapter presents the strategic risk/uncertainty assessment and analysis challenge. Most current thinking on risk management – enterprise risk management (ERM), but even including more traditional approaches – place expectations on leaders and top managers to provide guidance on risk policy, but also require those individuals to understand the challenges for which they are responsible. As implied previously, this domain mainly consists of uncertainties. Typically, top managers deal with aggregated operational data that – in itself – might be measurable but owing to the effects of consolidation tend to present leaders with a singular strategy/issue that is unique to the organisation and therefore not well-suited to statistical analysis. Furthermore, scanning for future threats and opportunities is decidedly a matter of considering the unknown, the emergent, and even the unimaginable. Within this assortment of challenges are the very large-scale features that – among many things – compel consideration of collaboration with other organisations. Here these special risks/uncertainties are labelled global risks.

The issue of complexity is here revisited, and this discussion serves two particular purposes. Complexity theory (and complex adaptive systems) offers some insights into methods of assessment and analysis, but they also provide some useful views on the nature of the uncertainty field in the context of complex environments. This discussion will offer some consideration of traditional, ERM, and alternative approaches and the appropriate ‘fit’ of assessment and analysis into these frameworks.

Chapter Seven turns to what will be characterised as operational risks/uncertainties. The associated concept of strategic risks/uncertainties introduced in Chapter Six, is somewhat arbitrary as many risks and uncertainties fit into both categories. Further, a precise demarcation is not practically possible. Nevertheless, for purposes of introduction it is a helpful distinction.

Although it might be an overstatement, here operational risks/uncertainties do seem to offer greater opportunities for quantifiable measurement. This is simply because many operational functions are repetitive, offer numerous contexts where data can be gathered, and observations can lead to useful predictions of future outcomes. Supplementing individual organisation observations with sector-wide data is more possible as well. This is not to say that human factors do not matter, they most certainly do. Subjectivity also matters; but it remains the case that operational activity does present the better chance for measurement.

As with Chapters Five and Six, alternative perspectives are presented, and the complex adaptive systems idea reappears in relation to the processes by which operational risks/uncertainties are assessed and analysed.

The evolution of risk management has placed some emphasis on the language of risk management practices. The classic categories risk control and risk financing, as umbrella terms for the range of risk management tools that may be employed, are still widely used – but as has been pointed out elsewhere in this book, the broadening of risk management has led to a reconsideration of the continuing accuracy and usefulness of the older terminology. For example, historically the term insurance-buying was expanded to include risk financing, which allowed recognition of newer, non-insurance tools. Similarly, loss prevention became risk control to include risk reduction, risk distribution, hedging, and more. More recently, risk treatment has emerged as a term that encompasses both the control and financing categories.

One of the significant changes in practice is the inclusion of opportunities that may arise from risks. Here the terminology has not quite kept pace with changes in the field. Additionally, while assessment and analysis has long captured the idea of evaluating risks and uncertainties, the more explicit inclusion of uncertainty, along with emergent phenomena, complexity, and the unknown/unknowable has led to questions about whether risk control meaningfully conveys the essence of these activities. The search for an alternative terminology is ongoing, but for the time being the term adaptive response (AR) is used here, which refers to a range of actions that could be taken to capture the full range of exposures.

Chapters Nine and Ten continue to use the term risk financing. This is more of a concession to practicality as, in any other setting, financial measures logically are ARs. Nevertheless, there are technical and substantive reasons to maintain some separation. But even here, the pressures of change are being felt. For example, while most risk financing arrangements focus on addressing the costs of risk (e.g. indemnifying an organisation for losses), the role of financial measures in encouraging or discouraging certain practices – including paying the risk manager’s salary, or incentivising certain desired practices – has historically not been considered in discussions

The second major area of the so-called risk treatment is risk financing. Risk financing includes measures to finance the costs of losses, risks, and uncertainties. Historically, risk financing has been virtually synonymous with buying insurance. However, over time alternatives to insurance have evolved – self-insurance, pools, captives, large deductible programmes, finite insurance programmes, banking arrangements, and capital market-based solutions. The concept of risk financing has expanded to include products that address a range of financial risks such as interest rate and credit risk. These products include derivatives and some new innovative securities.

Today, the rapid development of the risk financing market has created several practical problems. Notably, regulatory and legal structures have not always kept pace with change, leading to much confusion about risk financing alternatives. Many products look and function almost identically to others, and yet history and custom have dictated very different treatment by regulators, tax authorities, and others. There is growing pressure for significant legal and regulatory realignment.

For newcomers to the field, risk financing measures can be thought of as existing on a continuum, ranging from pure retention (all losses paid directly out of pocket) to pure transfer (where a third party accepts and bears the full costs of risk). An important recognition of the continuum of risk financing is that there are no products that are fully retention or transfer, but rather a varying blend of the two. Hedging of risk, for example, is arguably here a near perfect blending of a retention and a transfer of risk.

Insurance is a contract whereby one party (the policyholder) promises and makes a payment or series of payments in exchange for the second party’s (the insurance company’s) promise to indemnify the policyholder for losses covered under the terms of the policy. Perhaps it is easier to just think of insurance as a transaction where the policyholder trades small regular losses (the premium paid) for large and irregular gains (claims proceeds).

While it may seem somewhat disproportionate to devote an entire chapter to more detailed treatment of a single risk financing tool, insurance has a very large impact, not only in terms of its intrinsic value, but also in terms of the many ways in which insurance influences risk management thinking and practice. As will be shown, some of this influence is waning and in other cases it could be argued that insurance ‘thinking’ has hindered efforts to respond to facts on the ground and the ability to adapt the role of risk management in organisations.

To provide a useful discussion, this chapter will cover both the products that the insurance industry offers and the structure of the industry itself, along with addressing legal and regulatory matters that were touched upon in Chapter Nine. The chapter concludes with an overview of public sector insurance issues that provides a basis for understanding alternatives to insurance that have emerged in dramatic fashion in recent decades – which in turn provides a basis for considering some of the constraints that insurance imposes on risk management practice.

Risk management involves assessing and dealing with objective risks and therefore risk managers are expected to have reasonably advanced analytical knowledge and skills. However as noted earlier, many, if not most, of the elements within the uncertainty field do not provide much in the way of adequate data or information, and – even when they do – there can be significant problems with data quality. Thus, statistical or actuarial analysis tools are best used thoughtfully and mainly in the context of cases where an organisation has many similar exposures (a fleet of hundreds of vehicles, large numbers of employees) or when external data analysis fits convincingly with the more limited experience of the organisation itself. In any case, the overarching challenge for risk managers is to develop a consistent approach to thinking about all risks, uncertainties, emergent/unknown phenomena, even when they have very different characteristics.

Chapter Eleven adopts an approach that is somewhat different from Chapter One to Chapter Ten. Previously, a general, descriptive overview of the subject is given beforehand, and then a slightly different discussion is offered to provide an alternative commentary. Here, the alternative insights are woven into a discussion of decision-making. After presenting this different approach, the traditional decision-making tools are presented and discussed. Since Chapter Twelve also serves as a summary, a more integrated approach is used here.

sGiven the topics covered in the first 11 chapters, it seems a tall order to bring such a large number of topics into a cogent summary. Additionally, the book has introduced three distinct views of risk management – the traditional/technical view, enterprise risk management, and an alternative view that is yet-to-be-fully-articulated. The summary is further complicated by the challenges of managing in complex environments. Nevertheless, an effort should be expected.

Here, the framing of public organisation risk management in practice (which will be applicable to risk management in other public contexts), begins with setting sustainable resilience as the central organising idea. From this come several practical principles that will serve to contextualise a range of specific processes and actions that constitute risk management as understood in the book. This requires some consideration of operational issues – programme implementation tactics, defining particular roles, evaluating outcomes, embedding assessment and analysis, and implementing tools. However, it also discussed somewhat more philosophical issues like the development of ‘network schema’, leadership in complexity, and the twin ideas of innovation and adaptation. Recognising that effective risk management always depends on the particular organisation or situation, a general guide to practice is outlined here.