Feature
PRACTICE
Grasping the nettle Risk managers in the public sector are often underfunded and overworked. But new guidance and a push for greater clout could boost their effectiveness BY SARAH WINT
A
t the same time as the UK government has been cutting costs in central and local governments, the impact of risks that do crystallise seems to be intensifying. For example, major cyberattacks earlier this year brought to a standstill several high-profile NHS hospital trusts. Not only did the healthcare providers have to get their systems back online, but they simultaneously had to deal with the mainstream and social media storm that followed. Risk managers might believe they need to work harder to make sure all possible scenarios are covered. But they would be letting themselves in for an endless and futile task. “If you’re trying to do analysis of what can go wrong in government departments, you can get into thousands of risks,” says Trevor Llanwarne, a former government actuary turned consultant. Not only that, so-called black swan events are, by their definition, unpredictable with potentially catastrophic effects. Non-executives in the industry were asking Llanwarne how it was possible that risk management departments could produce 50-page risk registers yet fail to see some of the major catastrophes that hit their organisations.
If you’re trying to do analysis of what can go wrong in government departments, you can get into thousands of risks
Resilience An analysis of risk registers showed that they worked well for internal risks which could be managed through internal controls. But there were three other types of
14
Enterprise Risk