Navigating today’s risk landscape is no small feat. From economic shocks and supply chain disruptions to geopolitical conflicts and extreme weather, the challenges are vast and varied. Add in the ever-present threats of cyber-attacks and data breaches, and it’s clear that the risk landscape is increasingly more volatile, uncertain, complex, and ambiguous than ever before.
We are living in what some call a “permacrisis,” where crises seem to be a constant, rather than an exception. As civil servants your job isn’t an easy one! But it’s crucial in responding to, managing, and overcoming these relentless challenges.
So, where does the National Audit Office come in?
Our vantage point is unique and our value for money work across the whole of government enables us to take a whole system approach in recognising interdependencies and consequences across departmental boundaries and take a long-term view towards achieving sustainable goals. Resilience and risk management is not only central to our work across government, but given the scale and variety of the risks that government has to deal with, it’s central to securing long-term value for money and delivering resilient public services.
Over the last year, we’ve focused attention on some of the largest and most challenging cross-cutting risks facing the nation, including auditing risks on the National Risk Register. Our resilience programme of work started with value for money reports on resilience to flooding and government resilience to extreme weather. Alongside our value for money reports, we publish good practice and share our insights across government to make it easier for others to understand and apply the lessons from our work.
Last year, recognising the importance of risk management, we published Overcoming the challenges to managing risks in government to assist government departments and public bodies to strengthen their risk management approaches and improve the effectiveness of how risks are managed.
Over the coming year, we’ll continue our focus on resilience, including publishing reports on cyber resilience and resilience to animal diseases.
If you’ve not read our guide on how to overcome the challenges of managing risks in government, I encourage you to take a look. The guide aims to help leaders and practitioners in government to overcome the pervasive and deep-rooted challenges that make it difficult to improve risk maturity and effectiveness. Not just in how government identifies and manages threats, but also, how it can identify opportunities and take well managed risks when considering improvements, transformation and innovation.
To help leaders and practitioners we’ve set out 10 approaches to take:
- Establish strong leadership and risk culture: that recognises and values risk management as a strategic enabler and a tone at the top that promotes a positive risk culture;
- Build capability and risk expertise: that increases the impact and value of risk management activities and strengthens credibility, drawing on external specialists where appropriate;
- Define and embed risk appetite and tolerance: as clear parameters and guardrails by which to make risk-informed decisions and take well-managed risks and opportunities;
- Take a forward-looking view: to anticipate emerging risks and use futures techniques to identify risks over the horizon, increasing the ability and effectiveness to prepare and respond;
- Make risk-informed decisions: that places risk at the heart of strategic decisions and outcome delivery, and that takes account of risk as both threats and opportunities;
- Adopt a whole-systems approach: to understand the interconnections and interactions of risks from end-to-end, including third parties and the extended enterprise;
- Assess risk impact: in a way that utilises quantitative and qualitative methods and that leverages good quality and robust data to understand the individual and aggregate impact of risks;
- Take action to address risks: by ensuring accountability and responsibilities are clear, and by gaining assurance over the effectiveness of the actions taken to address and mitigate risks;
- Monitor and report on the risks that really matter: by setting meaningful performance metrics to enable attention to be focussed on the risks that matter most to strategic objectives and outcomes; and
- Drive continuous improvement: by learning lessons and implementing good practice from within and outside of the organisation and where possible benchmarking against others.
Alongside the guide we published an assessment template to assist organisations to assess the strength of their risk-management practices. This handy checklist can be used by leaders, practitioners and audit committees to inform and influence risk maturity improvement plans and risk culture.
In this current state of permacrisis, significant risks will continue to play out. The role of civil servants is crucial to navigating and overcoming the challenges that lie ahead.
The NAO will continue to influence change and challenge government. By drawing out key learnings, we can help you to navigate the largest and most complex risks now and in the future.
Russell Heppleston is a risk manager for the NAO