AUTHOR: MARK HARRISON

In a recent Insights publication, the Australian Government Auditor-General has recently reported that since 1 July 2021, only 31% of audit findings relating to risk management were positive.

This forced us at Sententia Consulting to think about whether risk management in the Australian Government really is that bad.

We have concluded that the answer is yes… and no.

The fact is that the Australian Government (and government generally) is responsible for some of the most complex and risky ventures and activities in the country.  Defence of the nation, operating healthcare systems that must cater for every citizen, delivering environmental outcomes in the face of massive environmental headwinds, all are ventures that can just as easily be unsuccessful as be successful … as well as being just plain difficult. Yet there are plenty of (often unheralded) successes by Government in all of its responsibilities.

It’s easy to look at some of the more challenging episodes in the Australian Public Service and attribute those to poor risk management – Robodebt, the “pink batts” scheme, any number of Defence materiel design and construction projects, and the 2013 lost ballot papers in the Federal Election, amongst others.  Further, most agencies and public servants have experienced their own challenged procurements, failed programs, poor grant decisions, and policy implementations which in hindsight could have gone better.

While there is almost inevitably some truth to the comment that all of these are a result of poor risk management, that is simplistic and only part of the circumstances.  (Note here, we are not seeking to misinterpret the Auditor-General’s comments, which were not that simplistic.)

Risk management represents just one part of good governance, or good project management, or good procurement management, or good program management, or good contract management, or frankly any model or framework for effective execution of aspects of public administration.  Each of these have frameworks with multiple components that all need to work together to create good outcomes.  Typically, those frameworks involve having good people doing the right jobs, good planning, effective process design, strong stakeholder engagement, tight legislative compliance, and clear accountability mechanisms.

While risk management definitely is important in contributing to all of these components of effective management, it is not the only discipline that needs to be in place and operating to support good outcomes.  Put another way, good risk management does not guarantee a good outcome, but poor risk management does expose agencies to poor outcomes, and reduces defensibility when those poor outcomes occur.

In my 20-something years of working with the Australian Government, I have seen plenty of examples of really good risk management, and I have seen just as many examples of poor (or non-existent) risk management.

That 20 years of experience has taught us that the key ingredients to good risk management are:

• Deep experience and relevant expertise in what you are doing. Too often the Australian Government embarks on projects or processes without the right skills and experience to truly understand how to execute it effectively.  Further, without that experience and expertise, it is impossible to really know what the risks are that need to be managed and how best to manage them.
• Strong situational awareness and good information. Risks emerge through projects and processes from a range of sources and vectors.  If managers do not have effective monitoring of their operating environment and good data on the metrics that matter, they will likely not see risks emerging or unfavourable operating circumstances approaching.  These are sure conditions for unmanaged risks to have a negative impact on your project or function.
• Discipline in following through on risk mitigations and controls. In our view, this is the key to effective risk management, and the most common gap.  Risks typically require active management – the taking of steps or the creating of conditions that reduce risk.  While managers may think about this while planning, it is not uncommon for the execution of those controls or mitigations to waver over time or as pressure increases.  Risks that are not effectively controlled almost inevitably result in poor outcomes.
• Honesty in assessing risk and interpreting what it means. We have seen countless examples of agencies assessing risk at a level that is “perceived” as acceptable, or that reduces the effort required to develop risk management plans.  While this may reduce effort at the early stages of a project or process, it increases the likelihood that risks become issues – and that’s where the effort really begins.
• A team that is on the same page about how risk should be considered and managed, including what risks should be taken and what risks should not. In the public service, we operate in teams and the secret to effective teamwork is having a team aligned behind a purpose who are well-informed, well-coordinated, well-directed and well-aligned.  This should equally apply to the approach and attitude to risk, as any other aspect of teamwork.

Note here that I have not mentioned risk registers once.  I have not referenced the Commonwealth Risk Management Framework once.

Each of these are important tools – tools that support good process and each of the ingredients I have referred to above. For all projects I lead or contribute to, I ensure I do follow the Framework, and I do maintain a focussed risk register.

But, where agencies miss the point with risk management is that they focus all of their energy in connection with risk management on the register and having a register that is “complete”, and a process for risk management that follows all of the steps in the manual or the policy or the Framework.  And insufficient energy on some of the ingredients outlined above – and therefore on actually preventing or responding to risk.

To close this article I am reminded of two quotes that are influential in my approach to risk management:

• The first is a quote from an enormously successful leader of a “top 10” Australian company, who said to me “we have been successful in our field, not because of risk registers and risk management reports, but because we have good people who know what we are trying to achieve and make good decisions to support that achievement”. What resonates for me from this quote is the importance of having the people with the right skills, experience, authority and information to support the management of risks and opportunities in any project, organisation, function or business.
• The second is a slightly modified famous quote as follows: “culture eats strategy [and process] for breakfast”. This classic quote from Peter Drucker (and I apologise for my adlibbed addition) reflects something that I believe is the difference in good risk management – everyone on the team understands the desired outcomes and what can impede them, is empowered to work together to achieve them, and they naturally respond to risk accordingly.  This does not suggest that either risk strategy or risk management processes are unimportant to good risk management.  But rather, that a powerful, informed and empowering culture around risk is more influential to effective risk management.