Presentation on theme: "Embedding risk management in the public sector – a rain check"— Presentation transcript:
1 Embedding risk management in the public sector – a rain check
Colette Kane
Northern Ireland Audit Office
Promoting better use of public money
2 Overview
- Good practice in Risk management
- Key messages we wanted to promote
- How public sector bodies are doing
- Where additional focus is needed

This is what I hope to focus on today. Firstly, many of you will know we produced our Good Practice in Risk Management publication in June. I will highlight to you the background to this publication, our purpose in producing it and what we did to bring it together. Secondly, I will highlight the key messages we wished to promote when we produced the guide. Then I will talk a little about where we have seen changes in risk management from our perspective as public sector auditors, and finally I will highlight where, in our view, additional focus is needed. I will also briefly discuss the Governance Statement and its role in risk management and how it is developing.
3 As I said, we published this Good Practice guide in June. It is on our website to download and still continues to hold the record for the most downloaded publication there. We considered we were ideally placed to produce the guide as we currently audit in excess of 200 public bodies covering all areas including health and local government. This is in addition to our value for money work.

When we produced the publication we were fairly up front that the content presented nothing radical or new – rather it was a bringing together of good practice from a number of sources including Treasury and other sources. We did however aim to use local examples of good practice to illustrate issues. We produced a checklist which is replicated in the publication and used this to survey 16 bodies – the central government departments and a number of other bodies. We also used our knowledge of our audited bodies to include good examples where required – we did struggle to get organisations to highlight good practice!

So what was our aim:
- To revive risk management processes – at that time we were seeing a jaded process where, on many occasions, risk management was dusted down for quarterly board and audit committee meetings and even then was so far down agendas little time was left for discussion.
- To illustrate good practice examples – we knew there were good examples of risk management out there and we wanted these highlighted so others could use them.
- Due to the economic climate – we saw, and I am sure you all agree, good risk management is key in a recession when there is pressure to produce more for less.
- To dispel the myth that risk is bad – over and over again we had heard the mantra – the public sector is risk averse – indeed NIAO and the PAC don’t expect risks to be taken and therefore risk should be avoided. But we all know business could never be done without risk taking!
4 Good Practice in Risk Management – key messages
- Process should be specific to each body.
- Managed risk taking can present opportunities.
- A clear understanding of roles and responsibilities in the process is key.
- Contingency planning is important for every organisation.
- Not all risks need to be accepted/treated.
- Good communication is key.
- Horizon scanning is recommended.
- Identify and communicate risk appetite.
- Consider fraud risk.
- Be clear on assurances.

- Process should be specific to each body – there is no one size fits all.
- Managed risk taking can present opportunities.
- A clear understanding of roles and responsibilities in the process is key – there is a diagram outlining the roles and responsibilities clearly – one issue we had with this was that boards were very often delegating responsibility for risk management to audit committees.
- Contingency planning is important for every organisation – not only for internal emergencies but for emergencies which impact delivery, thus we highlighted the need for a good tested communication strategy.
- Not all risks need to be accepted/treated – a reminder that risks can be terminated or transferred too.
- Good communication is key – so that everyone understands their specific role and responsibility in risk management.
- Horizon scanning is recommended – the benefits of looking around the corner.
- Identify and communicate risk appetite – this is one I will come back to – we encouraged bodies to start thinking about risk appetite.
- Consider fraud risk – we saw this as particularly important in the current economic climate where fraud is more common.
- Be clear on assurances – we were concerned that risk registers detailed lots of untested controls which did not seem to mitigate against the risk.
5 A rain check!
We have observed:
- An increased emphasis on risk management.
- As finances get tighter risk management is seen as more important.
- More conversations on risk around the board and audit committee table.
- Risk discussed at all levels within the organisation.
- Risk appetites being explored.
- More emphasis on the high risks.
- More movement on risks than before.

So where are we now in 2014?
6 Could do better?
Areas of risk management requiring more focus:
- Braver managed risk taking.
- Too many risks being recorded and monitored.
- Risk assessment very cautious and without regard to appetite.
- The controls being relied upon are sometimes non existent.
- Horizon scanning not widely used.
- Fraud risk assessments not being prepared.
- Contingency planning still relatively weak and rarely tested.
- Disclosure in Governance Statements still being developed.

- Braver managed risk taking – some public sector organisations need to take significant risks to achieve their goals – organisations like InvestNI, NITB where pressure on the economy is their focus, but it's important this is managed risk taking, seeing the risks at the outset and including adequate controls as far as possible.
- Too many risks being recorded and monitored – we still see risk registers with 20+ risks, many considered low – organisations need to focus on the real risks and threats to them.
- Risk assessment very cautious and without regard to appetite – often there are lots of high/high risks and this is because there is little regard to appetite. The conversations amongst senior management, around the board and audit committee table about appetite are extremely useful to determine the levels of acceptable risk. We strongly encourage bodies to determine risk appetite and communicate it widely.
- The controls being relied upon are sometimes non existent – I mentioned this before and we have been advocating the use of assurance frameworks so the key controls are examined and assurances are evidenced.
- Horizon scanning not widely used – where it is used it is useful for ensuring controls are in place to counteract an unexpected or maybe even expected
- Fraud risk assessments not being prepared.
- Contingency planning still relatively weak and rarely tested.
- Disclosure in Governance Statements still being developed – I will look at this in a little more detail.
7 Governance Statements
The governance statement should reflect the organisation’s governance, risk management and internal control arrangements and how they operate in practice. The Governance Statement should provide a sense of the organisation’s vulnerabilities and resilience to challenges.

Then an overall higher level aim – much more than was required in the SIC. We recently produced a factsheet (available on our website) which came from a review of governance statements produced in the first year of implementation. The next slide details a couple of key recommendations from the fact sheet specifically relating to risk management disclosures which I thought it might be useful to share with you.
8 Key Recommendations
- Focus more on the assessment of risk and particularly where risks have materialised and how these were addressed.
- New risks identified should be disclosed.
9 Once again a reminder of where you can find our good practice guide. Also if you work in a public sector body we audit we are always happy to advise on risk management processes. Thank you for your attention.