CIPFA/SOLACE CORPORATE GOVERNANCE

Part of the document: Simple tools and techniques for enterprise risk management, second edition, by Robert J. Chapman, PhD (pages 146 - 149)

In 2001 the Chartered Institute of Public Finance and Accountancy (CIPFA),5 in conjunction with the Society of Local Authority Chief Executives and Senior Managers (SOLACE),6 produced a framework for use by local authorities to review their existing corporate governance arrangements and to prepare and adopt an up-to-date local code of corporate governance. This guidance, called Corporate Governance in Local Government – A Keystone for Community Governance: The Framework, is intended to be followed as best practice for establishing a locally adopted code of corporate governance and for making adopted practice open and explicit (CIPFA/SOLACE 2001). The framework uses the terms “principles”, “dimensions”, “local codes” and “elements” within the text, and it would have been helpful if these had been explained at the outset, together with guidance on how they relate to each other. The framework states that authorities must be able to demonstrate that they are complying with the underlying principles of good governance (openness and inclusivity, integrity and accountability) by translating them into a framework which seeks to ensure that they are fully integrated into the conduct of the authority’s business. The framework is subdivided into four sections:

1. Introduction to corporate governance in local government

2. Framework for a code of corporate governance for local authorities

3. The elements of corporate governance

4. Annual review and reporting.

The guidance argues in section 2 that the fundamental principles of corporate governance need to be reflected in the five different dimensions of a local authority’s business (which I interpret as the aims or goals). These dimensions are described as community focus, service delivery arrangements, structures and processes, risk management and internal control and standards of conduct.

Of interest here is dimension 4, “risk management and internal control”, which states that an authority needs to establish and maintain a systematic strategy, framework and process for managing risk (again without spelling out what these terms are intended to mean). Together, the framework says, these arrangements should:

• include making public statements to stakeholders on the authority’s risk management strategy, framework and process to demonstrate accountability;

• include mechanisms for monitoring and reviewing effectiveness against agreed standards and targets and the operation of controls in practice;

• demonstrate integrity by being based on robust systems for identifying, profiling, controlling and monitoring all significant strategic and operational risks;

• display openness and inclusivity by all those associated with planning and delivering services, including partners; and

• include mechanisms to ensure that the risk management and the control process is monitored by continuing compliance to ensure that changes in circumstance are accommodated and that it remains up to date.

5 CIPFA is one of the leading professional accountancy bodies in the UK and the only one that specialises in the public services. It is responsible for the education and training of professional accountants and for their regulation through the setting and monitoring of professional standards. Additionally CIPFA provides courses, conferences and publications and a range of advice, information, training and consultancy services. It is a membership organisation with more than 15 000 members and is part of the accountancy profession within the UK and internationally. It is a key stakeholder in the public services where governments across the world are seeking to engineer major reforms.

6 SOLACE is the representative body for senior strategic managers working in local government. Like other vocational organisations, its members are drawn from a variety of professional backgrounds.

Developments in Risk Management in the UK Public Sector 121

Section 3 of the framework calls for local authorities to develop local codes of corporate governance, which comprise the following elements (which I interpret to be the activities).

This section uses the same headings as section 2, commencing with community focus again.

The element entitled “risk management and internal control” lists what I call the activities to be undertaken to satisfy this framework:

• develop and maintain robust systems for identifying and evaluating all significant risks which involve the proactive participation of all of those associated with planning and delivering services;

• put in place effective risk management systems, including systems of internal control and an internal audit function – these arrangements need to ensure compliance with all applicable statutes, regulations and relevant statements of best practice and need to ensure that public funds are properly safeguarded and used economically, efficiently and effectively and in accordance with the statutory and other authorities that govern their use;

• ensure that services are delivered by trained and experienced people;

• put in place effective arrangements for an objective review of the effectiveness of risk management and internal control, including internal audit;

• maintain an objective and professional relationship with external auditors and statutory inspectors; and

• publish on a timely basis, within the annual report, an objective, balanced and understandable statement and assessment of the authority’s risk management and internal control mechanisms and their effectiveness in practice.

In the final section of the framework, section 4, it states that every local authority should publish a statement annually in its financial statements on how it is complying with the principles set out in the framework and how it is complying with its own local code of corporate governance.

In section 1 of the framework it repeats this same statement, but also adds that arrangements should be made by authorities for their local code of governance to be in place by 31 March 2002.

7.8 M_o_R 2002

The full title of this publication is Management of Risk: Guidance for Practitioners, though it was branded by the authors, the OGC IT Directorate, as M_o_R (Office of Government Commerce 2002). The guide declares that its purpose is to help organisations to put in place effective frameworks for taking informed decisions. It is subdivided into eight chapters. Following an introduction, chapter 2 describes the key principles underpinning risk management and chapter 3 the management of risk. Chapters 4–7 describe managing risk at the strategic, programme, project and operational levels respectively. Each of these four chapters includes the common headings of: types of risk, where to apply risk management, when to do it, who is involved and policy for risk management. The final chapter, chapter 8, discusses the range of techniques available to support the risk management process. A series of annexes provide supporting information.

Chapter 2 examines where risk occurs in an organisation in terms of decision making and splits decision making into four types or levels: strategic or corporate, programme, project and operational (Figure 7.2). The guide correctly makes the point that a risk may materialise initially in one level but subsequently have a major impact at a different level.

Figure 7.2 Decision making within the management hierarchy of an organisation (levels: corporate level, portfolio or programme level, project level, operational level; decision types: decisions on corporate strategy, decisions transforming strategy into specific actions, decisions required for implementing actions)

Chapter 8 describes a series of techniques that can be used to support the management of risk, which are reproduced in Box 7.4. The guide makes the observation that experience in managing risk is a more critical factor for success than the choice of tools and techniques.

Box 7.4 Consequence categories

| Strategic/corporate level | Programme level | Project level | Operational level |
| --- | --- | --- | --- |
| NPV (net present level) | Decision trees | Simulations | Simulations |
| IRR (internal rate of return) | CPA (critical path analysis) | LCC | LCC |
| ROI (return on investment) | Cost/benefit analysis | Decision trees | Performance analysis |
| Cash flow analysis | Sensitivity analysis | Risk tables | Reliability analysis |
| Currency analysis | Stakeholder risk analysis | PERT (Programme Evaluation and Review Technique) | Queuing analysis |
| SWOT analysis | Simulations | Performance analysis | Algorithm analysis |
| Scenarios | Scenarios | Reliability analysis | Capability analysis |
| Cost/benefit analysis | LCC (life cycle analysis) | Capability analysis | Top-down analysis |


Decision trees Monte Carlo simulation HAZOP (HAZard OPerability, analysis, risk registers and databases) CRAMM7 for business impact security requirements Influence diagrams CRAMM CRAMM
