These days, risk management has become pivotal for the senior management of many public sector entities, as well as local and international entities. With this increasing focus on transparency in the public sector, and on the need to ensure quality and efficient service delivery to the general public – we see a gradual and even natural transformation from a ‘firefighting’ and risk identification culture within superficial, divisional, or individual level frameworks, to a culture devoted to strategic planning and continuous improvement. This shift to a strategic-planning oriented culture aims to improve work progress, and enhance staff cooperation as one team with a consistent and effective vision.
One of the most prevalent concepts about the public sector, in contrast with the private sector, is that it is fully supported by the government and is strictly controlled by laws and regulations. This leads many to conclude that the need for risk management in the public sector is nonessential. However, a number of factors must be kept in perspective:
- Globalization: In terms of service quality, efficiency, public outreach, etc., the public sector is comparable to other sectors.
- Lack of Resources: Even with government support; human resources, fixed assets, and budgets are limited, and therefore must be properly used, maintained, and conserved.
- Responsibility and Accountability: Even if the public sector is not primarily driven by profit, management must still be held accountable due to their responsibility towards the general public. The government’s commitment to the protection of public interests and the improvement of the quality of life remains a fundamental responsibility to which these entities can never turn their backs on, and for which managements must be held accountable.
Enterprise Risk Management
Enterprise Risk Management (ERM) is a process involving the organization’s management board, managers, and other staff. It is carried out by developing an organization-wide strategy. This strategy identifies potential incidents that may affect it, and controls associated risks to keep them within acceptable levels. This in turn provides reasonable assurance with respect to the organization’s ability to attain goals set by the senior management.
Why Manage Risks?
In order to understand the importance of risk management, we need to examine corporate governance.
Corporate Governance Corporate Governance refers to the system by which corporations are directed and controlled. It affects the way corporations identify and achieve their goals, and how risks are monitored and evaluated to ensure maximum performance improvement. If this system is effectively implemented, it brings about a major transformation on all levels: beginning with instilling a deeply – rooted professional culture within individuals to raising their awareness about individual accountability and the organization’s goals, operations, and general strategic and holistic approach. Corporate governance is typically viewed as a simple concept that is difficult to achieve in practice. As a theoretical notion, corporate governance is not complicated and comprises a number of clearly defined elements. However, when it comes to implementation, which involves building a whole system with closely connected constituents, corporate governance is anything but simple. As illustrated in the figure below, all elements need to be active and linked with one another. For example, the Risk Management element cannot add value to the corporation unless adequately supported and monitored by the Management Committees and the Management Board to ensure maximum benefit is secured.
Importance of Risk Management
First, we will provide a standard definition of ‘Risk’: Risk is the potential of losing something of value or of diminishing the opportunities for gain as a result of a given action or inaction, which may negatively affect an entity’s achievement of goals. Thus, according to this definition, risk is not only about the likelihood of a future loss, it also addresses the potential of future failure in making use of and/or missing an opportunity for improvement. From this perspective, the entities with the highest risk management efficiency are those most capable of maintaining their course in regards to success, growth, and goal achievement. Consequently, Risk Management has a number of benefits that include:
- Ensuring a stronger link between goals and operations on one side and the organization’s overall strategic vision on the other.
- Efficient communication between various functions to monitor and implement risk control plans and assess their impact.
- Increased awareness about the relationship between set goals, operations, and results.
- Improved capabilities of decision-makers based on more holistic and transparent information.
Further, in order to understand the significant role of risk management, kindly look at the Risk Status (indicated in Red) of any major corporation as illustrated in the model below:
We note the wide range of risks and the difficulty of assessing their seriousness. We also note the absence of an efficient system for linking elements with risks.
This model highlights the importance of management and management committees and their central position within any organization, regardless of whether it is in the public sector or the private sector. Moreover, the model also shows that in the absence of an effective and transparent system for risk assessment and identification, risk and risk control will be a dark area for the management and management committees. This is where the role of Risk Management comes in, as it brings risk assessment closer to the role of other elements in risk control as follows:
Consequently, risks are being anticipated, assessed, and controlled beforehand and in a holistic fashion that supports coordination between the organization’s various divisions to achieve its strategic goals. Indeed, this is where the importance of risk management lies, as it is a tool that allows the management to focus on root causes and obstacles that impede goal achievement. If we take the First Risk as an example; it is true that, if such risk is properly assessed and its causes efficiently investigated – according to the methodology which we will be tackling later – this would allow the management to develop an in-depth understanding of the issue and enable other concerned functions, such as the Human Resources, Finance, and IT departments, to work in coordination as one team to find and implement an appropriate solution. Furthermore, despite the availability of multiple international approaches to risk management, the ISO 31000 guidelines are the most applicable for the government entities of the public sector, as they adopt a simple model of the risk management cycle that directly addresses risks and links them with the relevant entities. We shall discuss this methodology in the next issue, along with a practical example which illustrates the various measures for implementing this methodology.
In summary, risk management is an essential and integral concept that comes under the umbrella of corporate governance. It is a vital process for any government entity seeking to achieve its goals and continually improve and develop in the service of its clients and in the protection of public interests, particularly within a world of rapid technological and economic changes.
GHALEB AL MASRI, CPA, CIA, CFE is a finance & risk professional at a government department in Abu Dhabi.