OVUM Commentary: Risk management is core business

The Home Insulation Program began with high expectations. Its primary objective was to help stimulate the economy as part of the government’s response to the global financial crisis. At the same time, it was hoped the program would deliver real green savings to home owners and provide a showpiece for the government’s green credentials.

When it all began to go wrong, much of the public debate focused on program delivery failings and on the appropriateness of the program’s risk matrix. However, risk management is more than just managing the documentation tool. Risk management is all about managing the risks. The Home Insulation Program turned out to be a high-risk program. It was high-risk to citizens, to businesses, and ultimately to the government. The final outcome delivers some powerful messages about the way government agencies should manage risk.

The program’s risk matrix did indeed raise a number of startling concerns, and this later fuelled intense debate about the program. However, it is important to take care not to shoot the messenger. The authors of risk management plans should be encouraged to uncover all potential risks and to document them as plainly and as clearly as possible – this is an essential precursor to being able to manage the risks.

Risk management can sometimes be seen as an annoying distraction from real project delivery work. Optimistic managers can sometimes place too much hope on the heroic efforts of key individuals and their ability to deal with any potential problems. If there is to be a take-home message from the failed Home Insulation Program, it is that citizens rightly expect an appropriate level of risk management from their government officials. Indeed, it is a basic foundation for efficient, effective, and ethical government service delivery.

Government ICT learned many years ago that a manager can’t outsource public accountability. Government managers are responsible for ensuring risk management is applied even if the delivery is outsourced. For their part, outsourcers are contractually bound to deliver appropriate, risk-managed services. But the pressure to deliver government outcomes can sometimes be significant, and it can take a brave project manager to raise questions about risk. Sir Peter Gershon noted this very issue in his review of Australian federal government ICT in October 2008. He said, “There is too much variation in the degree and quality of interaction between policy formulation and implementation…There are real downstream implications and risks for policy implementation from poorly considered policy design.”

Existing standards provide valuable guidance

Australia has a long history of leadership in the development of government risk-management standards. Australia first released its national risk standard, AS/NZS 4360, 15 years ago. Over subsequent years, government tenders have mandated the application of this standard in IT contracts. In November last year, the Australian standard was replaced by a new international standard, ISO 31000, which is highly consistent with the earlier Australian standard.

Given Australia’s strong history in developing risk standards, it is probably time for it to take its own medicine. Managing risk is much more than developing a matrix. It requires a major cultural shift that impacts operations across an agency.

The new ISO standard outlines a simple approach for measuring whole-of-agency performance in dealing with risk. The criteria are:

* continual improvement
* full accountability for risks
* application of risk management in all decision making
* continual communications
* full integration in the organization’s governance structure.

These criteria would be a good foundation for a practical assessment of an agency’s risk-management approach.