Graham Liddell: Mastering risk management and not box ticking

by Graham Liddell
in Blogs · Technical
— 30 Mar, 2017

Councils can find it difficult to grasp risk management. Graham Liddell argues its time for local authorities to undertake an honest appraisal of their management processes.

Why do local authorities so often get risk management wrong? They are exposed to a range of challenging and diverse risks: declining financial resources, keeping vulnerable adults and children safe, providing other essential services, keeping sensitive data secure and so on. But all too often risk management is treated as a yet another box ticking corporate process. How often do senior managers have meaningful conversations about how to manage their key risks?

The text book answer to assessing the effectiveness of risk management is to review the risk maturity of an organisation. And there are a range of diagnostic tools, full of worthy questions, to do this:

Is responsibility for risk management included in job descriptions?
Does the board regularly review its risks?
Has the organisation defined its risk appetite?

But assessing risk management in this way often gives false assurance. Does ticking all the “risk mature” boxes mean that we have identified all our risks and are managing them effectively? I doubt it.

Furthermore, I am not sure that a positive internal audit report on risk management is always that helpful. We auditors like systems and might well report that expected controls are in place and operating as they should. But how often does this consider the quality of the thinking, or the robustness of the risk register? I think it’s time for an honest appraisal of the effectiveness of our risk management arrangements.

Emotions

Pretty much all senior management teams spend some time reviewing their strategic risks, even if it is just once a quarter. So the simplest starting point is to reflect on your emotions following one of these meetings. Which of the following best represents how you feel?

Blissfully ignorant, we don’t really bother with the risk register.
Gnawing with doubt: we’ve ticked the box but not much more.
Cautiously optimistic: we’re beginning to understand some of this stuff.
Enthusiastic: some great discussion and now we need to translate these into robust actions.
Confident: we’ve identified our key risks and robust plans are in place to bring risks down to an acceptable level.

And just to show that this is a well thought out management tool and not something been dreamt up on a sunny Sussex afternoon, here is a picture to help you decide.

I suspect that most senior officers would assess themselves as cautiously optimistic. My job as an auditor is to instil some gnawing doubt. So, let’s revisit that self-assessment. Here are four challenge questions. If you want to skip the detail scroll down to another diagram.

1 Does your risk management system really identify all your key risks?

What has your risk register management system missed in previous years?
Are you fixing stuff that could have been prevented?
What are you spending money on that would not have been needed if only pre-emptive action had been taken 5 or 10 years ago?
What is your risk register missing now?
Does your risk register set out clearly the main things that keep you awake at night?

2 Do you have clear mitigating controls in place?

Are these summarised clearly?
Can you tell whether these bring the risk down to an acceptable level?

3 Are robust plans in place?

Have you set out what level of risk you need to get to?
Is there a robust, time bound, action plan in place to achieve this?
Does the action plan address both likelihood and impact?

4 Do you have robust assurance that controls are working and actions are on track?

How quickly would you find out if controls weren’t working or actions not addressed?
Does progress on the action plan form a key part of your one to one meetings with managers?
Is the risk register updated on a regular basis?
If you have adopted the three lines of defence model, how robust is the assurance you get from your second and third lines?

Still feeling confident? If not, perhaps it’s time to start taking risk management seriously. Don’t get me wrong, I’m all for a well-structured risk management process. But don’t be fooled, risk management is about managing risks. It’s not about ticking boxes.

Graham Liddell

Graham Liddell is head of Internal Audit at Brighton & Hove City Council.

Get the Room151 Newsletter

Leave a Reply Cancel reply

You must be logged in to post a comment.

Register to become a Room151 user
Email Address
First Name
Last Name
Job Title
Latest tweets
Room151 1 day ago
Last call for Wednesday's COP & LGPS special. See the agenda and register: room151.co.uk/wp-content/upl… pic.twitter.com/iiSi1kxQ4A
Room151 1 day ago
An ethical charter for responsible investors: Sponsored article: Reflecting every investor’s values is impossible, writes Michelle Scrimgeour, but “everyone benefits from a more sustainable financial system.” “The largest asset managers must acknowledge… dlvr.it/S9p0hz pic.twitter.com/2fOWol70Z0
Room151 2 days ago
Spending review set to push up council tax: Westerminster may just allow increases in council much higher than current thresholds, writes Adrian Jenkins. There is much that we do not know about the spending review later this month[...] dlvr.it/S9nRCb pic.twitter.com/iZjSdBiN8K
Room151 5 days ago
Why doesn’t LGPS make more noise about diversity among asset managers?: Diverse teams of asset managers score better returns. Karen Shackleton explores what LGPS should do. A recent recent survey by Citywire on gender diversity in asset management shared… dlvr.it/S9Xxrf pic.twitter.com/jsfO3fBRz4
Room151 1 week ago
Skills in short supply for local government audit: As always when faced with the excitement of current local government I first turn to the greats of our municipal heritage to map out the journey we have been on.[...] dlvr.it/S9Mldr pic.twitter.com/nlx8Pa0WSG
Room151 1 week ago
Mult-year settlements, the funding picture, net zero, place, commercialsim and the prudential code will be just some of the topics we'll be discussing. Come and meet your fellow senior colleagues: lnkd.in/dWxpt5K3 pic.twitter.com/DlKOW9O1V5
Room151 2 weeks ago
No ‘fire sale’ of treasury assets under new Prudential code: The new Prudential code targets long-term investments in pooled funds. But a Room151 webcast hears it does not require authorities to become “forced sellers” of those assets. There has been[...] dlvr.it/S98PBk pic.twitter.com/6RgJQjoMbm
Room151 2 weeks ago
No ‘fire sale’ of treasury assets under new Prudential code room151.co.uk/treasury/no-fi… #localgov #s151 #treasury #riskmanagement
Room151 2 weeks ago
Avoiding the ‘flaw of averages’ in your LGPS actuarial valuation: Familiar numbers can sometimes obscure the underlying reality. Douglas Green unpacks the truth about figures in LGPS. Jeff Bezos walks into the room…and immediately we all become… dlvr.it/S8yLFM pic.twitter.com/EFjHJIOPRq
Room151 3 weeks ago
Course aims to aid move from private sector to council accounting: Training event: Tackling the political context and peculiarites of local government accounting. Negotiating the move from private sector to local government accounting can be daunting.… dlvr.it/S8b1VZ pic.twitter.com/K0S9CK8Mts
Room151 3 weeks ago
‘Unknowns’ linger in social care calculations: The clock is ticking on implementation of the social care reforms. Ewan Dewar writes that many uncertainties remain to be resolved. The much lauded social care reforms were announced in[...] dlvr.it/S8ZQx3 pic.twitter.com/F8cUl35GKH
Room151 3 weeks ago
Treasurers make ‘slow’ adjustment to asset allocation: Survey results tell a tale of treasurers slowly adjusting asset allocation, low levels of yield and the possibility of rising interest rates Are treasury officers adjusting their asset allocation… dlvr.it/S8S0M8 pic.twitter.com/wWwlNOEZ3b
Room151 3 weeks ago
Exploring the hydrogen spectrum: The future’s white: Sponsored article: Michael Hart writes how investors can balance returns and have a positive impact on the environment? “Yes, my friends, I believe that water will one day be employed[...] dlvr.it/S8Qn3g pic.twitter.com/OqiwYsyWrs
Room151 3 weeks ago
Room151 team up Arlingclose to explore Prudential and Treasury Codes in webcast special: CIPFA has issued a revised version of the Prudential Code prompting finance officers to pour over the details to find how the document will transform the treasury… dlvr.it/S8Qmwh pic.twitter.com/aUl6RcNH39
Room151 4 weeks ago
Understanding climate risks in short-dated bonds: Sponsored article: Ian Buckle and Rory Sandilands discuss why short-dated corporate bonds which are relatively close to maturity can help investors capture attractive yields with minimal interest-rate… dlvr.it/S8DSd7 pic.twitter.com/pW2KQsf0rm
Room151 4 weeks ago
Loans: The legal checklist for supporting enterprise: Loans from local authorities to big companies recently made national newspaper headlines. They don’t happen without plenty of checks. Neil Wallers offers a guide through the legalities. So, what… dlvr.it/S8CdkD pic.twitter.com/2wwXA5yvMB
Categories
Archives
- 2021
- 2020
- 2019
- 2018
- 2017
- 2016
- 2015
- 2014
- 2013
- 2012
- 2011

Councils can find it difficult to grasp risk management. Graham Liddell argues its time for local authorities to undertake an honest appraisal of their management processes.

Emotions

You may also like...

Leave a Reply Cancel reply

Register to become a Room151 user

Latest tweets

Categories

Archives