“Dedicated leadership” is required to build a more positive risk culture in the Australian Public Service, and appointing chief risk officers could help this happen, argue the reviewers of the APS’s financial management legislation.
Commonwealth government departments remain “highly risk averse” despite reforms meant to encourage a more constructive approach to risk management, argues the final report on the Public Governance, Performance and Accountability Act.
Over-reaction to things going wrong by politicians and auditors, particularly where consequences are limited, “reinforces risk aversion and stifles innovation”, argue independent PGPA Act reviewers Elizabeth Alexander and David Thodey.
Instead of rushing to punish failure, leaders should focus on rewarding public servants for effective risk engagement and encourage learning from failure.
“Put another way, they need to be given some leeway to fail.”
Avoiding risk altogether will mean government failing to meet changing citizen expectations, especially around technology.
“Risk aversion in the face of new opportunities to use technology to improve service delivery will mean that new opportunities are not taken, or taken later than they could have been. Rather than leading, the government sector will lag behind other sectors of the economy and behind community expectations in terms of how it engages with citizens, and provides services to them,” the reviewers believe.
Chief risk officers
Appointing chef risk officers — an idea first raised in Professor Peter Shergold’s 2015 Learning from Failure report — could help reform the risk aversion “deeply embedded in the psyche of Commonwealth officials”, they argue.
As with performance reporting, Alexander and Thodey argue tone is set at the top, but add that leaders need “dedicated support” to drive change.
“To be successful, chief risk officers should be sufficiently senior and have a good understanding of the operations of their entity and the government’s objectives in relation to the entity’s purposes,” Alexander and Thodey explain, noting that some agencies, including the Department of the Prime Minister and Cabinet, already have such a role.
“Chief risk officers should have the authority to effectively challenge decisions that may affect the entity’s risk profile, and lead discussions across the entity on what risks can be accepted and managed and when management engagement is required.
“They should be tasked with developing a control framework for the implementation of major projects, and overseeing the development, monitoring and maintenance of risk management plans, within their entity.”
A chief risk officer might not be needed in every entity, but in many places they could help “build more positive, engaged and active behaviours around risk”.
But chief risk officers should not themselves take on the take on responsibility for managing risk across the entity, “or be a convenient person to blame for any negative risk event or organisational failure”, the reviewers add.
“It is essential that the individual responsibilities of officials for risk management are reinforced.”
Agencies should also consider setting up standalone risk committees, a practice increasingly common in the private sector. This would not only allow for a greater focus on risk than under current audit committee arrangements, but over time could help build the capability of the agency to manage and engage with risk.
“Risk committees should be chaired by an independent chair, preferably sourced from the audit committee or the board (an option for corporate Commonwealth entities), and include other independent members with skills and expertise in managing risks in both the corporate and government sectors,” the report argues.
Commonwealth ‘relatively immature’ on risk
“Overall, we suggest that risk practice across the Commonwealth is still relatively immature,” say Alexander and Thodey.
“In many entities, there is an almost exclusive focus on downside risk, identifying and managing what could go wrong (or has gone wrong),” they believe.
Corporate public sector entities tend to do better than the departments, however.
The public sector can learn from the private sector in this area, as private sector “is more advanced in balancing downside risk (the likelihood and consequences of things going wrong) with upside risk (potential for, and gains from, things going well),” the reviewers say.
“Non-corporate Commonwealth entities in particular are highly risk averse and there is little evidence this risk appetite has changed. There is still significant work to be done to embed an active engagement with risk into policy development processes and program management practice, and to have officials at all levels appreciate their role to identify and manage risk.”
One submission to the review noted there are strong indications that the APS is more prone to risk and over-regulation than civil services in other Anglophone countries.