Abstract
A feature of PFM/IC reforms has been the adoption of international standards, and the relevant international standards have been those developed by a US body called the Committee of Sponsoring Organisations (COSO). There are five standards. These standards are described in this chapter. However, in the opinion of the author the adoption by most countries has been flawed because the standards have largely been treated as financial and budgetary control standards with no regard to their managerial implications. Application has started from an internal audit perspective when it would have been much better to have started from a management perspective. Implicit in the writing of those standards is a set of managerial assumptions, and these assumptions have been ignored. Indeed, it would be better to describe these standards as ‘managerial disciplines’. Also, in applying international standards, regard should be had to local cultural and historic conditions, but this rarely seems to happen and almost by definition the adoption of international standards is regarded as ‘a good thing’. For example, applying the standards when the responsibility for operational management lies with a political official whose experience of operational management may be limited and who may only be in post for a short period is inappropriate. It does not reflect the operational circumstances applying in those organisations for which the standards have been developed, namely, large international trading companies.
Countries aiming to introduce PFM/IC, as well as other public financial management reforms, are usually encouraged to adopt internationally recognised standards as best practice. However, little or no thought is often given to the context in which such standards are to be applied. These international standards, and especially those relating to PFM/IC, reflect several assumptions about the organisations which are to adopt them. For PFM/IC those assumptions are about the application of the standards to a managerial-based organisation. Where the current context is that of traditional administrative-based government organisations, these standards cannot be applied without managerial reform. And this reform ought to come first. (The experience of this author is that those assumptions are not generally recognised by those seeking to apply them in developing and transition economies, nor recognised by those advising them.)
Therefore, as has been pointed out earlier in this guide, trying to apply such standards may not be appropriate for a particular country at the time the PFM/IC reform is proposed to be implemented. In adopting a managerial approach various factors need to be considered. These include local cultural traditions, the relationships between political and appointed officials, the organisation and quality of the civil service, the existing management arrangements (or lack of them), the authority that individual managers have with the current arrangements over operational activity, the experience and training of managers to enable them to apply the standards in a managerial context, the quality of the existing budgetary arrangements and the strength of the existing financial control arrangements. In Chap. 3 a distinction was drawn between PFA/IC and PFM/IC and this distinction illustrates when adopting international standards may not be appropriate.
This chapter accepts that it would be appropriate to adopt PFM/IC international standards, that is, the standards published by the Committee of Sponsoring Organizations of the Treadway Commission (‘COSO’) (Footnote 1). There are five standards and these cover the control environment, risk management, control activities, information and communication, and monitoring, although updating has resulted in some modifications to them.
These five standards of internal control exist to secure the achievement of the objectives of the organisation and to do so within the legal constraints and regulatory requirements, efficiently and effectively and with proper regard for accountability. They therefore have a clear purpose and are not simply bureaucratic requirements associated with the development of internal control. They are integral to management. They are not ‘stand-alone’. This is an appreciation that those responsible for the application of PFM/IC should achieve. The five standards are about managers having the authority and the information they require to make those judgements necessary to enable them to achieve their objectives. This would include meeting any regulatory requirements, including legal, financial and budgetary limitations, in the most efficient and effective manner. They provide an important improved procedural approach to the management of public organisations. However, most countries implementing PFM/IC have treated these standards simply as bureaucratic ‘stand-alone’ requirements, rather than as integral to the managerial process. They have therefore focussed their implementation upon the bureaucracy of the procedures to be adopted, rather than upon the effectiveness of management, that is, the manager as decision maker. (In most developing and transition economy countries a ‘nominal’ responsibility has been placed upon the political head of the organisation, the minister or mayor, to ensure that these standards are implemented. This cannot be a ‘substantive’ responsibility without other changes being made. The necessary changes have been described earlier in this guide. Given the wide range of responsibilities that fall in practice upon a minister or mayor, an expectation that they will exercise anything other than a ‘nominal’ responsibility is misplaced. In other words, countries have not taken account of the managerial context in which COSO is meant to apply and therefore of the assumptions that lie behind the COSO initiative.)
Each of the five standards of COSO as they were originally specified is discussed in this chapter. They may be more appropriately described as ‘managerial disciplines’. (Other examples of these standards exist such as the ISO 31000 standard which applies to risk management but again the responsibility is focussed upon the management.)
The COSO standards are normally treated as applying only to public organisations concerned with public expenditure, but they should apply equally (albeit with some adaptation) to those organisations concerned with the generation of income.
They are about ‘good quality’ management!
11.1 The Implicit Assumptions Contained Within the International Standards of Best Practice (COSO)
COSO is about how large international private companies should be managed and describes five standards of internal control that should be applied.
Internal control has been defined by COSO “as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide ‘reasonable assurance’ regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.”
These standards, of which there are five, that is, the control environment, risk management, control activities, information and communication, and monitoring, reflect the requirements of the private sector. The standards are periodically updated, with the latest comprehensive update being in 2017 (Footnote 2). In addition, COSO has also published guidance on specific features of enterprise risk management, such as on cloud computing and artificial intelligence.
The public sector provides services which are not subject to a market test and it also has the responsibility to levy and collect compulsory taxes. Citizens of a country cannot escape from this compulsory levy except by legislative permission: there is no option available, as there would be in the private sector by not utilising a service. Effective management of public expenditure and taxation policies is essential. These standards, which have been described previously as ‘managerial disciplines’, should be adapted to apply to organisations responsible for the development and management of both expenditure and tax policies.
In the public sector a critical feature of public financial management is the existence of the budget and that budget will have legislative approval. Governments and local governments are also required to ensure that public services are delivered consistently and evenly to those members of society that they are expected to serve. Reliability and sustainability ought also to be characteristics in the management of the delivery of public services, and governments generally (subject to political policy change) should be assumed to have a continuing existence. They are not subject to the vagaries of the marketplace.
In applying these standards to public organisations, a ministry of finance, the state secretary for that ministry and the head of the department responsible for the application of PFM/IC (the ‘driver’ department) should recognise that they contain implicit assumptions about the organisations to which they are being applied. Therefore, a simple ‘read across’ from the private to the public sector can be misleading. Unless public organisations recognise the significance of these assumptions, applying these standards will not achieve the objective of introducing effective internal control.
“Learning another language is not only about learning different words for the same things but learning another way to think about things” (Anon). This applies to these standards. The assumptions contained in the COSO model are about the management and objectives of organisations. The standards will only help top and senior management if those assumptions are replicated in the management and objectives of a public sector organisation. To regard these five standards as ‘stand-alone’ features which, if adopted, will deliver effective PFM/IC is mistaken. The key assumptions lying behind these five standards are that:
- There is a process for setting objectives and performance standards and ensuring that externally set regulatory requirements are met which are consistent with budgetary availability.
- A professional operational management and supporting staff exists, and if not, either staff will be replaced or added to as necessary.
- An effective operational managerial structure has been established or can be established, designed to deliver the objectives and performance standards of the organisation, including meeting externally set regulatory requirements, and that would include appropriate personnel management arrangements.
- The objectives and performance standards exist in a form such that operational managers can be held to account for any failure to deliver them.
- Operational managers have the delegated authority to undertake their responsibilities and are accountable for their performance.
- Financial information is available which allows operational managers to make decisions both about the volume of activity and about the most efficient and effective way of delivering their objectives.
- Performance information is available which enables an operational manager to make judgements about achieving the expected level of operational performance, including externally set regulatory requirements, against the available financial resources.
- Constant regard is had by all managers to the level of efficiency and effectiveness, which includes the impact upon the user/customer of the outputs of the organisation.
- Financial and performance reports are available which enable not only internal management at all levels but also external stakeholders (which for public sector organisations would include parliament or the local government council, external regulators and civil society) to make judgements about the performance of the organisation.
- Financial management is integral to the management of the organisation, and a feature of that is that the organisation is managed in a manner which is financially stable. Without that, reliability in service delivery cannot be achieved.
These assumptions, which are implicit in the COSO standards (and which, as has been indicated, might be better described as managerial disciplines), demonstrate very emphatically that introducing PFM/IC is as much a management reform as a financial reform. As a management reform, the requirements of PFM/IC need to sit within a managerially focussed organisation. Consequently, the COSO standards will not produce the potential benefits unless the public sector organisation has moved from a traditional administrative style (usually a firmly ‘top-down’ style) to a managerial style of organisational arrangements. This does mean that if these standards are to be effectively applied, a competent, managerially oriented civil service (or local government) organisation needs to exist. Managers then need information about objectives, performance and finance to enable them to meet their responsibilities. Countries should not assume, therefore, that a simple bureaucratic implementation of these standards can be achieved without ensuring that a public organisation exists which has a managerial capability. Civil servants (and local government officials) need to be trained managers and therefore be prepared to take decisions.
Treating these standards as managerial disciplines designed to help managers achieve their objectives efficiently and effectively and to improve accountability demonstrates that civil and local government service and other reforms, such as budgetary and accounting reforms, may be necessary prior to the introduction of these standards. The standards are not ‘ends in themselves’. The COSO executive summary points out that the five standards are integrated (Footnote 3) and therefore their impact should be considered as a whole. The COSO standards are about improving the quality or, to put it another way, the professionalisation of management.
In developing and transition economies aiming to apply the COSO standards, none of the assumptions summarised above is recognised. The usual practice, in the experience of this author, is to treat the COSO standards as only about financial and budgetary control, not management. This seems to be because the personnel involved in the reform process are usually only concerned with such issues and often start from an internal audit perspective. As this is a wrong approach, the minister of finance, that ministry’s state secretary and the head of the ‘driver’ department should ensure that in applying these standards there is a recognition of the assumptions implicit in them and that the managerial context is reflected in the reform processes. This means, as has been explained previously in this guide, that:
- Clarity exists over the different roles of the political level of management and that of the civil or local government service officials.
- An appropriate operational management structure exists.
- Objectives exist which have been set by the political level of management, but only following consultation with operational management, and those objectives should recognise the need to meet externally set obligations and should be consistent with available budgets.
- Performance standards and objectives exist which, again, should be consistent with available budgets.
- Operational managers have the necessary delegated authority to make decisions and to expend resources, coupled with an accountability process to senior civil service management and ultimately from it to the political level of management.
- Appropriate skilled staff are available.
- The performance information a manager requires is available.
- Constant regard is had to the effectiveness of operations and to user/customer reactions and attitudes.
- The financial information a manager needs to deliver objectives efficiently and effectively is available.
  - This means the development of cost and management accounting, and that the relevant reports are available to managers at all levels in the form that the manager needs.
- Financial and performance information is also available to external stakeholders, not least the parliament, who are then able to exercise influence over the operations of the organisation, that is, transparency and external accountability.
These are the characteristic features of a managed organisation: they are not those of a traditionally administered organisation.
The fact that COSO was primarily aimed at commercial companies makes no difference in principle to its use for non-market organisations, merely that it requires an appreciation of the differences between the private and public sector contexts and consequently an appropriate adaptation. (Management in the public sector, as has been pointed out earlier, for many services is much more complex with more confusing signals than in the private sector.)
The effectiveness of the application of these standards depends upon the quality of management, both political and operational. What is important is clarity about the policy, objectives and performance standards and objectives set by the political level of management including the strategy for delivering them. Clarity is also required about how a ministry or local government or other public organisation is managed, both operationally and financially, to secure the efficient and effective delivery of those objectives and performance standards. The introduction of these international internal control standards ought to be a signal that a managerial/performance culture is being established. Therefore, as has been explained earlier in this guide, accompanying the application of these standards a parallel managerial reform process should occur, and if this does not occur, then these standards will not be properly applied.
Previously in this guide, the person responsible for the application of PFM/IC within an organisation was identified as the chief civil service (or local government) official such as a state secretary within an organisation. That official should ensure that introducing these standards results in an organisation capable of delivering its objectives and performance standards and objectives, efficiently and effectively and within any legal, financial or other constraints and that due regard is had to the interests of the users of the service or activity. Merely introducing the bureaucracy associated with the application of the international standards will not, of itself, demonstrate that PFM/IC has been applied and that the ministry or local government is well managed. This is not correct at all.
In many countries a responsibility is placed upon the political head of the organisation, the minister or mayor, to ensure that these standards are implemented. This cannot mean that this official must make all implementation decisions. The substantive implementation responsibility should fall upon the head of operational management, that is, the most senior civil service or local government official with that official being accountable to the political head for the effective application of the standards.
11.2 Appreciating the Impact of COSO
11.2.1 The Standards of COSO
Countries which have implemented PFM/IC following the COSO standards have tended to address four of these standards, ‘the control environment’, ‘control activities’, ‘information and communication’ and ‘monitoring activities’, in general terms only. They have merely required the responsible official to pay attention to them, with the evidence of their application being the additional bureaucratic procedures that have been introduced. However, as has been pointed out, evidence of the existence of the bureaucratic procedures is not the same as the substantive application of those procedures. In most countries little specific indication is provided of what managerial and operational changes have resulted from their application.
The exception to this is the standard relating to risk management. A great deal of attention has been paid to risk management, but much of the emphasis has been upon risks to financial control systems, such as risks of losses through error, fraud or other misuse of resources, rather than upon the risks of not achieving objectives and performance standards, of not providing a consistently reliable service, or of not meeting externally set regulatory requirements. With risk management the bureaucratic procedures are easy to specify and their existence can be easily checked. However, this does not mean that risk management is being effectively deployed by managers. Risk management has been regarded as perhaps the most important element and much energy has been devoted to providing advice and training programmes. Unfortunately, much of this is misguided. The officials being trained have largely been finance officials and internal auditors, and this may be appropriate if risk were confined to financial control matters (i.e., not to broader financial management matters). But it is not so confined! COSO is fundamentally about those risks which will prevent managers (at all levels) achieving their objectives and performance standards and objectives, including any externally set standards, and doing so efficiently and effectively. This goes well beyond audit and accounting. Therefore, a priority before risk management is introduced is the existence of objectives and performance standards and objectives, and of a management structure with managers having an active concern to utilise risk management as a way of ensuring that their objectives and performance standards and objectives can be achieved.
For effective management an information and communications process should also exist that provides the information that managers need and which facilitates the establishment of a ‘corporate’ approach to the management of the organisation, so that in making decisions managers have regard not only to their individual objectives but to the broader objectives of the whole organisation. (A ‘corporate approach’ is ‘an approach to managing people that supports an organisation’s long-term goals with an overall planned and coherent framework. This helps ensure that the various aspects of people management work together to develop the behaviours and performance needed to create and distribute value. It focuses on longer term people issues, matching resources to future needs and large-scale concerns about structure, quality, culture, values and commitment’ (Footnote 4).)
The officials who should be trained in risk management should be the operational managers because risk management should be their responsibility. They will not be interested simply in financial systems risks unless they have a material impact upon their part of the organisation, upon its reputation and its ability to achieve its objectives. They will need to consider all risks, of whatever type, affecting their ability to deliver their objectives and performance standards. Some risks will also be of interest to the political level of management, such as a failure to meet political objectives or reputational risk (and reputational risk often can be adversely affected by a failure to meet externally set regulatory requirements) and the responsibility of a state secretary or equivalent is to ensure that information about such risks is available to that level of management.
The development of risk management has been regarded as a priority activity in introducing COSO but this is not how it should be. Other standards of the COSO framework, apart from monitoring, should come first. Again, this illustrates how risk management has been regarded as a ‘stand-alone’ activity rather than being integral to the managerial processes.
As with other international standards, the COSO standards are regularly updated and the head of the department responsible for the application of PFM/IC should familiarise him/herself with those and be aware of updates. In doing so the head should recognise that the updates tend to be written in the language of business enterprise and therefore need adapting to the operational environment of the public sector.
11.2.2 COSO and Management
As COSO is about management, the emphasis in introducing PFM/IC should be on a management structure with managers appointed and their responsibilities defined. Those managers, at all levels, need objectives and standards to work to, including performance objectives and standards. Those objectives and standards should be derived from the objectives for the organisation as a whole, which should be set by the political level and then cascaded down the organisation by the senior operational management. The performance standards should be, in general, related to user needs and any externally set regulatory requirements.
This is what is required before any of the standards of the COSO internal control framework can be made effective. Unfortunately, in most countries, none of this occurs. The experience of this author in the application of PFM/IC in most countries shows that the focus of application has been upon whether the bureaucratic procedures associated with the five COSO standards have been applied. Assessments of reform performance have been based around assessments of the extent to which the bureaucracy associated with these five standards has been introduced. They have not been regarded as managerial disciplines. This is a mistake and a mistake encouraged very often by aid organisations because the existence of the bureaucracy provides evidence of apparent action by the recipient country. Unless these five standards are linked to managerial reform, with the development of a managerial structure, the appointment of managers, the setting of objectives, the development of information and financial systems with the accompanying accountability arrangements, these standards will have little or no practical effect upon the achievement of the objectives of the organisation efficiently and effectively.
Another issue that should be addressed is how that management is to be made effective, with effectiveness being defined for this purpose as delivering the objectives and performance standards set for them to time, to standard, within budget, efficiently and effectively. Considerable emphasis is placed upon the issue of laws, decrees, rules and regulations and checking that the content of these has been obeyed. Whilst this can be important, management cannot easily be defined in such documents. Management at the top level in organisations is about setting the strategy, leadership, coordinating staff activity, making judgements between competing objectives, taking initiatives, applying the available budgetary and other resources, and ensuring that objectives are delivered efficiently and effectively. This also requires a willingness to take risks, because management involves making decisions and all decisions involve some element of risk. However, in most countries whether or not the requirements of the laws, decrees, rules and regulations introducing the five COSO standards have been obeyed has tended to be measured by how they have been incorporated into the internal rules of the organisation, not by the effect they have had upon the decision-making processes. This is the ‘check list’ approach. What is much more important is an assessment of managerial effectiveness. In other words, what matters is the impact that these five COSO standards have had upon the performance of the management and hence of the organisation. Therefore, this is what the department responsible for implementing PFM/IC should concentrate on in assessing the quality of their application.
A particular example of the difficulties of just looking at the literal application of laws, decrees, rules and regulations is the application of the first standard, the control environment. Injunctions incorporated into laws and regulations about setting the ‘right’ control environment (very difficult to define in any event) will not work unless accompanied by a commitment from the highest levels such as the prime minister and the cabinet of ministers to the need for all public organisations to ensure that appropriate ethical values and integrity (‘tone at the top’) are expressly stated and implemented. This requirement should cover both politically appointed officials and civil servants (including local government officials). This should also be accompanied by a further requirement that each organisation is committed to ‘good governance’ (see Chap. 1). However, none of this can be fulfilled in practice unless an appropriate managerial structure exists with the assignment of authority and responsibility, including accountability arrangements for the different levels of management.
An approach to an assessment based simply upon the application of the laws, decrees, rules and regulations would in practice tell the department responsible for the application of PFM/IC very little about the real success in implementing the five standards of COSO.
11.3 The Five Standards of COSO
In this section of this chapter each of the five standards is explained. They are discussed in the order in which they should be applied not in the order incorporated into the COSO or INTOSAI publications. This changed order reflects the reality of the operational/managerial arrangements that apply before the introduction of PFM/IC. For example, and as indicated previously, risk management relating to objectives cannot be applied until objectives exist and a management structure has been established with managers appointed to deliver those objectives.
11.3.1 An Overview
The extent to which each of the standards can be applied depends upon the extent to which a managerial approach has been established. For example, the application of the control environment standard, as has been said above, depends upon the extent to which a managerial structure has been developed, including the separation of policy and strategy development from operational management, managers appointed, and objectives and performance standards and objectives established with accountability arrangements defined. Those accountability arrangements should not just be the internal accountability arrangements but also external accountability, not least to parliament and civil society. Although the political top manager may nominally be responsible for setting the control environment, in practice the application of that environment depends heavily upon the approach adopted by the top operational manager, which in a ministry would be the state secretary (or equivalent). However, the behaviour and attitude of the political official(s) responsible for the ministry or other public organisation can affect how operational management is implemented and its success. The political head may also change relatively frequently compared to an appointed official, and it would be totally inappropriate to expect the control environment to change with each new political head. That way would lie instability. In practice none of these five standards could be introduced completely, certainly during the early stages in the development of PFM/IC: they will evolve over time. Also, as each of the five standards overlaps with others, it is difficult, if not impossible, to disentangle the extent to which a particular standard has been applied compared with another. For example, if objectives are not being achieved, is it because of inadequacies in the risk management processes, or is it because of weaknesses in the provision of information or communications with another part of the organisation or with third parties, or again a weakness in the controls designed to secure the delivery of the objectives, or just poor management?
Chapter 13 of this guide refers to the need for management to prepare a statement of internal control. This statement should explain how management has performed during the year in terms of meeting its objectives and performance standards. The statement should give the reader a clear understanding of the challenges facing the organisation and how those challenges have been responded to including remarks about what has gone wrong and the actions taken to make corrections. In other words, the statement should be an indicator of the quality of management. This statement would provide an important indicator of the quality of the internal control arrangements and would provide the best source of evidence.
11.3.2 The Individual Standards
11.3.2.1 The Control Environment Standard
Internal control (IC) encompasses more than financial and budgetary control and more than compliance checks. It is a set of management arrangements that enhances the efficient and effective delivery of the organisation’s objectives on time, in line with the performance standard and within the established budget. IC is based upon the COSO model. Both PIFC and IC should apply across the entire public sector and are applicable to the management and implementation of both national and EU funds. (Footnote 5)
The control environment determines the management attitude to the achievement of objectives; to the quality of performance standards, including externally set regulatory requirements; to the operational processes; and to how operational managers and staff relate to each other, to the political management, to parliament and to the stakeholders in the organisation, particularly the users of its services (i.e., its clients/customers) and its suppliers. It also determines attitudes to the utilisation of public resources and to developing efficiency and effectiveness. Overall, it provides the basis for internal control across an organisation. The control environment depends very much upon the personalities of the top and senior management (political and official) and the personnel policies that are applied. (See also Chap. 14, which includes a discussion of delegation and personnel policies.) In the public sector the control environment should also have regard to the principles of ‘good governance’ (see Chap. 1), although experience shows that this is rarely considered, and neither are the principles of public administration (see Chap. 14), including the circumstances in which delegation is or is not appropriate. Again, the appropriateness of the personnel policies and their relevance to the control environment is not considered. A characteristic of a control environment should be that it encourages a focus on the achievement of the objectives and performance standards of the organisation, so these need to be in place first. The control environment should define the standards of conduct that are expected to apply throughout the organisation. That includes the integrity and ethical values of the organisation, how they can be embedded in the organisation and how the organisation’s relations with third parties are to be conducted. It also requires the development of a ‘can do’ approach.
The control environment is also affected by the distinction made between the responsibility for policy and strategy development and operational management. As has been explained previously, this is because successful operational management depends upon the professional capabilities of the manager. To a large extent the control environment illustrates the ‘intangibles’ of management, that is, features that cannot be precisely described in a ‘job description’.
In practice this standard is very difficult to implement and to demonstrate with evidence that it exists. Civil servants and other public officials appointed to managerial posts ought to be appointed primarily on grounds of competence, although this does not always happen and staff may be appointed for political reasons. The expectations of the most senior civil service and local government officials (e.g., the state secretary and departmental heads) should include a capacity to set the control environment, even though it may not be defined in precise terms, and, through their leadership, to ensure that the requirements of the control environment are implemented throughout the organisation.
A feature of the control environment should be a well-developed and managed personnel policy with good and consistent leadership. As has been indicated, introducing PFM/IC represents a considerable change to the way in which public organisations are managed. Change can be very damaging to organisations unless it is well handled by the leadership of the organisation, that is, by the top and senior operational management. Staff must be motivated to work hard and to use their talents and abilities, including initiative, to make the best contribution they can to the work of the organisation. Change can cause morale to decline and be a cause of insecurity. Motivation is not simply a function of financial reward; in practice, different people are motivated by different things, in different ways and at different stages of their careers. A very important factor in staff motivation in the public sector is the quality of the work that is being undertaken. (Footnote 6) Other factors affecting motivation can include how far staff are allowed to ‘self manage’ aspects of their jobs, the extent of staff development through training, and the existence of development opportunities and feedback. (Footnote 7) Monetary rewards can work very well for tasks that are routine and measurable, but are less successful when creativity and imagination are required. Staff development policies designed to help staff develop their careers should be an important feature of motivation. Organisational culture also has a key role to play in the motivation of employees. If they are to be genuinely motivated to do a good job, rather than simply to comply with organisational rules and regulations, a sense of common purpose needs to be developed and employees need to understand how their individual contributions ‘fit’ within wider organisational objectives. Leadership and clarity are essential components of good personnel management.
Yet this author has not come across any linkages between the introduction of PFM/IC and the development of personnel policies.
Associated with the control environment should be the development of professionalism within the civil and local government service. Professionalism is not just about competence and technical skill but also about ethical behaviour. To reinforce behaviour, codes of conduct or integrity should exist for both politically appointed officials and civil servants. The content of the civil service or public official code should be determined by the organisation responsible for the public service within a country, and that for politically appointed officials should be determined, ideally, by the prime minister’s or president’s office. These should not be merely ‘token’ codes but should be rigorously enforced.
The reality is that an assessment of the quality of the control environment where there is no or very limited delegation, with operational decisions being made by politically appointed officials, would be very difficult (or even perhaps impossible) to make. In such circumstances, assuming that the assessment would be undertaken by the ‘driver’ department in the ministry of finance on behalf of the state secretary in that ministry, any remedial action probably could only be taken by the minister of finance, and his/her hands may be tied by political considerations, especially if it involved criticism of another minister. If that other minister is not interested in the control environment, or does not conform to the principles expected to underpin it (e.g., the principles of good governance), and does not respond to the minister of finance’s criticisms, the responsibility for action moves up to the prime minister, which in turn makes any decision even more political. If in these circumstances the offending minister is not really interested in or committed to applying the standards of internal control, then it is impossible to ensure that the rest of the organisation has that commitment. This is an important reason why the separation of operational management from policy and strategy development, with the application of PFM/IC, is so desirable.
A key factor in the establishment of the control environment is financial resilience. Without it the control environment will be subject to stresses that affect an organisation’s ability to achieve its objectives. The COSO commentary on the control environment does not specifically refer to the establishment of a stable or predictable financial environment. However, implicit in the whole of COSO is that effective financial management and internal control exist, and that means that the organisation’s management needs to be able to demonstrate that it is currently financially stable, that it has the financial resources to enable it to meet its objectives and that it will remain stable in the medium to longer term. Financial resilience means that expenditure and income will be matched, at least over time, and consequently that decisions made by the management, or the consequences of external factors, will not result in the financial destabilisation of the organisation. It also means that, even within a financial year, budgetary flows are predictable and stable. However, experience shows that in countries introducing PFM/IC financial resilience is not considered as a factor in the management and delivery of public services and activities. Whilst the maintenance of financial resilience is an important feature of public financial management, in many developing and transition economy countries it depends upon the quality of the budgetary process, including its links with government objectives, and upon the quality of the assessment of the economic position of the country.
The arrangements for assessing the quality of the internal control environment were described in the SIGMA (Support for Improvement in Governance and Management) paper referred to above (see note 6), issued by the OECD: Guidelines for assessing the quality of internal control systems. (Footnote 8) This paper described a set of principles that should be followed by managers. Five principles were described covering the quality of the internal control environment, namely that the public organisation:

- Principle 1: Demonstrates a commitment to integrity and ethical values.
- Principle 2: Exercises oversight responsibility.
- Principle 3: Establishes structures, reporting lines, authorities and responsibilities.
- Principle 4: Demonstrates commitment to competence.
- Principle 5: Enforces accountability.
IC quality assessment is a primary responsibility of the public organisation’s management. This should not only consist of the evaluation of overall conformity with the established regulatory framework, but rather focus on how the functioning of IC enhances the operational efficiency and effectiveness of the public organisation and the achievement of its objectives. (Footnote 9)
The characteristics that should be looked for in assessing the quality of the control environment were summarised in a European Commission paper based upon COSO as follows: (Footnote 10)

1. The organisation demonstrates a commitment to integrity and ethical values.
2. The oversight body demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with oversight by the oversight body, structures, reporting lines and appropriate authorities, responsibilities and empowerments in the pursuit of objectives.
4. The organisation demonstrates a commitment to attract, develop and retain competent individuals in alignment with its objectives.
5. The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
The oversight body referred to here is taken from the COSO principles and refers to the controlling board of a company. In the circumstances of developing and transition economy countries, the oversight body cannot be assumed to be the politically appointed top and senior management where that management has operational responsibilities and therefore has no role that is independent of day-to-day operational management. It is doubtful whether the politically appointed top and senior management could act as the oversight body even where that management is not responsible for operational activities, unless it included a significant and genuinely independent membership, which in a politically based organisation would be most unlikely. The question then is who could form this ‘oversight body’? There are four possibilities:

- The ministry of finance exercises this responsibility through the ‘driver’ department, acting on its behalf.
- It is made a specific responsibility of the external auditor.
- Each public organisation is required to appoint a body, such as an audit committee, which is independent of management and which has the capacity to report directly to the most senior level of management in the organisation (which could be the political level), with its reports also copied to the department of the ministry of finance responsible for the implementation of PFM/IC.
- The government or parliament establishes a new body with a specific responsibility for overseeing the development of internal control activity within public organisations.

Which solution should be adopted will depend upon local circumstances, but whichever is chosen, the organisation responsible for assessment should have a high degree of independent membership. This points towards the third or fourth solutions. In addition, the external auditor should always review the quality of the internal control arrangements and report on them to parliament.
What will be critical in assisting that organisation make a quality assessment of the internal control arrangements will be the statement of internal control referred to in Chap. 13.
11.3.2.2 The Information and Communication Standard
There is in practice potential overlap between this standard and the ‘control environment’ standard. For internal control to be effective, the managers and staff within the organisation need to know both what the organisation’s objectives are and what objectives are set for themselves. Ideally, they ought also to know the objectives of, and the services and activities provided by, other parts of their organisation. In other words, managers and staff need to know what is expected of them and how their responsibilities relate to those of others in the organisation. They also need to know the operational context for the whole organisation as well as for their particular part of it. That operational context includes: the resources available to them, that is, their budgets (total budgets including all elements of expenditure, not just some, such as only the sums available for procurement); how actual expenditure or income is developing during the year; performance information that relates directly to their areas of responsibility and how performance is developing during the year; whether the demands upon a particular service are rising or falling; the short- and longer term strategic objectives; the pressure to improve efficiency and effectiveness; the reaction of users of the service (whether internal or external to public organisations); and actual and potential legislative, environmental and other changes affecting the operational environment.
The exact information that will be required will depend upon the role and responsibilities of the manager and individual staff members. But, for example, if a manager has responsibility for the delivery of an objective, information about performance towards achieving that objective should be available to that manager, as well as information about the financial resources that have been consumed. This should be available on a systematic and regular basis. If that manager is also responsible for efficiency and effectiveness, as he/she should be, then that manager must know the total available budget, presented in a format that is relevant to the manager, and must receive financial accounting information showing progress against the budget in a similar format. In addition, the manager should have available information showing the allocation of budgets and accounting information over, for example, different cost centres, what drives costs, or whatever else the manager requires. The manager should also have costing information available so that judgements can be made about the most efficient methods of undertaking activities. Effectiveness can only be judged by the impact that the activity is having, and therefore the manager should be provided with user or customer information, whether the user or customer is internal to the government or external. The ‘driver’ department should ensure that managers and staff have available to them the information they need. Unless they have that information, managers cannot effectively be responsible for risk management, which is central to the successful delivery of objectives and performance standards.
Again, where a first-level organisation uses second-level organisations to undertake activities on its behalf, the managers of the first-level organisation must have the information necessary to enable them to exercise effective control and supervision of second-level organisation activity. The manager must also ensure that second-level organisation activity is coordinated with that of the first-level organisation and of other second-level organisations. This applies whether the second-level organisation is non-market based or market based (a state- or local government-owned enterprise). The question that should be asked is: are the communication arrangements between the controlling or supervising organisation and its second-level organisations adequate to enable it to properly exercise its responsibilities?
The responsibility of the political leadership of an organisation is to ensure that the top and senior operational management is kept informed of political developments that would affect the operational management. The responsibility of the top or senior operational management is to ensure that the information individual operational managers require is available to them. If this information is not available, managers can hardly be blamed for a failure to deliver objectives efficiently and effectively. On the other hand, managers themselves may need to specify the information they require, and if top and senior management refuse to make the information flow possible, then at least some part of the responsibility for any failure to achieve objectives is transferred to those top and senior managers.
No organisation operates within a static environment and the changes affecting the operational environment need to be communicated throughout the organisation. Changes may become apparent at any level in an organisation, not just at the top and senior management level. Managers at all levels need to be aware of their responsibility to communicate significant change upwards to more senior managers through the accountability process.
Information and communication are not simply about internal activity; they are also about the provision of information to external organisations and individuals, including the organisation’s clients and customers. Communications with each of these groups should be clear, purposeful, relevant and timely. Without that, the effectiveness of the organisation will be difficult to judge and its reputation could be adversely affected. Such external communications can include financial reports (designed in a manner that is relevant to the reader of the report), communications about the organisation’s policies and proposals, explanations of why the services that it delivers to its publics are designed in the way that they are, and explanations of why any charges that it levies are set at the level they are and why they have changed (if they have) from one period to the next. Clarity should also exist about arrangements for appeals against the actions of the organisation and how, where appropriate, compensation can be sought.
There are many factors that should be considered in assessing whether the information and communications strategy is being properly implemented. The analysis shown below illustrates the difficulty that exists for both management and the ministry of finance ‘driver’ department in trying to identify separate features of management within each of the control standards. Overall, the real issue is the quality of management (Table 11.1).
Where there is little or no delegation of operational management responsibility from the political level, there can be difficulties with communicating policies and strategies within an organisation. This is because politically appointed officials do not normally regard staff communications as falling within their remit, except for those with whom they directly work. Again, the appointment of different political officials responsible for different policies (e.g., several deputy ministers or mayors), without any recognition of the need for coordination to harness the resources of the whole organisation, itself encourages the development of a ‘silo’ mentality. (The existence of ‘silo mentalities’ is a classical feature of public administration organisations.) A ‘team meeting’ of top politically appointed officials does not automatically mean that coordination will exist at lower levels in the organisation. Where operational implementation of policy is a responsibility of the civil or local government service management, the development of a staff communications policy and associated activities should be easier to achieve, provided that the top and senior civil or local government service management perceive the necessity and are willing to implement such a policy. The organisational arrangements should accommodate this. But whatever the top management structure, emphasis should be put on developing an information and communications strategy for the organisation and an operational environment that encourages open and trusting relationships.
If an information and communications policy is to encourage open and trusting relationships, there must be adequate protection for ‘whistle blowers’. (Footnote 11) This means that public organisations must find a reliable method of identifying and correcting any unlawful or unethical conduct that occurs within their organisation. Consequently, public organisations should:

- Not obstruct officials from reporting misconduct potentially harmful to the organisation or to the public it is serving;
- Introduce procedures for ensuring reliable reporting without incurring any penalties.
Whatever the information and communication arrangements within an organisation, there can be a lack of understanding or a difference of interpretation between those making any statements (in whatever form) and those hearing or reading them. Merely issuing advice or an instruction does not mean that it will necessarily be interpreted in the way in which the author intended. How the recipient interprets that advice or instruction depends very much upon the position and perceptions of the recipient. Senior managers communicating with their staff must be aware of the risk of the recipient of the communication hearing what they want to hear, rather than what the senior manager wanted them to hear. This author has been told by officials from several different countries that all that is necessary is to issue an instruction or regulation and it will be followed. That is a mistake! The same problems exist with external communications. Care should be taken to avoid the use of ‘jargon’.
Effective communication in the workplace helps staff and managers form highly efficient teams. It builds trust, reduces competition and encourages cooperation within and between units and departments and helps staff work together harmoniously leading to higher productivity, integrity and responsibility. Staff must know their roles and should know that they are valued.
A manager who openly communicates with staff can foster a positive relationship that benefits the whole organisation. Good communications can also improve employee morale. Employees do appreciate good communication from more senior management.
The department responsible for the application of PFM/IC therefore should not rely solely on legislative requirements, set out in a public internal control or public financial management law or in other forms, to ensure that good communications are a feature of the internal control arrangements. This does, though, appear to be the usual approach in some countries adopting this reform. A deep understanding of effective communications is necessary, and in reviewing the application of this standard, evidence that this understanding exists should be looked for. In other words, the ‘driver’ department responsible for applying PFM/IC should look for the features of an information and communications strategy outlined here and for evidence of the effectiveness of that strategy. That responsibility also extends to external communications.
A European Commission paper based upon COSO defined a set of principles affecting information and communication. These were that the public organisation:

- Principle 13: Obtains, generates and uses relevant, quality information.
- Principle 14: Ensures proper internal communication.
- Principle 15: Ensures proper external communication. (Footnote 12)
11.3.2.3 The Control Activities Standard
The political management should have a responsibility to ensure that the objectives of the organisation are delivered, that they are delivered efficiently and effectively, that performance standards and objectives are observed, especially those set by external regulators, and that the resources of the organisation are properly safeguarded and used only for the purposes of the organisation and not, for example, for political or personal purposes. They also have an obligation to ensure that the objectives imposed upon the organisation by others, most notably by the ministry of finance, to maintain adequate budgetary and financial control are properly met. Top and senior operational and political management also have a responsibility to ensure that the financial reports to the ministry of finance, including the year-end financial statements and other statements, are reliable. Controls should also be concerned with the longer term financial viability of the organisation. In practice, as has been shown in earlier chapters, these responsibilities should normally be discharged by the operational management, and this should be made clear through the delegation and accountability arrangements. The accountability arrangements should be designed to ensure that the political management can be confident that the operational management is acting competently and responsibly. The aim of the control activities should be to ensure that all this is achieved: they should be designed to reduce the risk that the operational management fails to achieve objectives and performance standards efficiently and effectively, and to ensure that public resources are being properly utilised.
The operational management should also ensure that commitments are not entered into which would affect adversely the financial sustainability of the organisation and should advise the political management where such a risk appears to be occurring or would occur if particular decisions were made.
A key feature of control activity is ‘accountability’. Lower levels of management are accountable to more senior levels for the delivery of their objectives within the relevant constraints. It is the responsibility of top and senior operational management to test, through its own actions, whether the control activities are effective, and this should be demonstrated in the accountability arrangements. That is: are the reporting systems effective; do they address the key issues; are reports used as the basis for decisions; do follow-up processes exist and are they acted upon? Similarly, the accountability arrangements between the top operational management and the political level of management should be assessed by both sets of management to ensure that they provide the confidence that the political level of management requires.
The department responsible for the application of PFM/IC should assess, as one of its monitoring activities, both how well the control activities within an organisation are operating and the range of those control activities, most notably that they are not limited to traditional financial and budgetary controls. One indicator is how successful the organisation has been in achieving its objectives, within budget, to time, to standard, efficiently and effectively and meeting all regulatory requirements. Some of the detailed analyses to assess the quality of the individual internal control processes include:

- Is each level of management clear about the scope of its responsibilities and the extent of its discretion?
- Are the internal management reporting arrangements consistent with the delegation arrangements?
- Do senior managers respond effectively to reports?
- Is there onward reporting to higher levels of management in appropriate circumstances?
- Do clear guidelines exist which indicate how management at all levels should respond to accountability reports?
- Are such reports supplemented by ‘face to face’ meetings?
- Do opportunities exist for group discussions so that issues and the information associated with them may be more widely shared or challenged?
The control activities should focus on outputs as well as inputs and a responsibility of top and senior operational management is to ensure that the appropriate controls exist.
One area of internal control activity that is frequently overlooked is that concerned with the risks to the longer run financial resilience of the organisation. This is discussed in Chap. 8. Most internal controls are focussed upon current operations, yet the ability to continue current operations into the future is heavily influenced by longer run financial considerations. By undertaking strategic financial planning an organisation should be able to forecast its future demands for current funding from the national budget or for new capital investment. Only then will an organisation be able to either argue for additional resources or to assess the scale of the cuts to existing activities (if that is the situation) or consider adjustments to its strategic plans that it may need to make. Strategic plans should also exist and those strategic plans should include a financial dimension to demonstrate what the costs will be of achieving strategic objectives.
To assist top and senior operational management to determine the appropriateness of the internal control arrangements (and it is their responsibility to ensure that these controls are appropriate), they ought to ask themselves a series of questions covering output and input controls and the controls concerned with longer term financial sustainability. (These questions, which link with other internal control standards, should also enable the ‘driver’ department responsible for the application of PFM/IC to form a judgement about the effectiveness of the controls.) Examples of some of the questions, which refer to ministries but can be adapted to meet the needs of other types of public organisation such as local governments, are as follows:
Overall Questions:

(i) Can we (i.e., the top and senior operational management) be sure that managers at all levels have the right information, at the right time, in the right form to enable the organisation to deliver its objectives, to time, to standard, within budget, efficiently and effectively:
  - Is each manager within the organisation clear about the objectives and standards that the manager is expected to meet?
  - Are the relevant managers fully aware of externally set regulations, and do systems exist to demonstrate how they are being met?
  - Has each manager the information available so that not only can that manager monitor what is happening but also be fully and properly accountable?
  - What controls exist to ensure that objectives and standards are achieved efficiently and effectively?
  - Where the health and safety of clients and staff is a major concern (as in hospitals, high-rise housing or child care facilities), is there absolute clarity about the standards expected, and do management systems exist to secure observance of health and safety standards?

(ii) As each manager should be expected to deliver the objectives efficiently and effectively, has each manager the full budgetary and performance information available to enable the manager to do so? Has the manager also the appropriate management accounting information, does the necessary cost and management information system exist, and are the management and finance department staff sufficiently well trained to use that information?

(iii) Has each manager the appropriate technical guidance to enable the relevant operational standards to be delivered, and do monitoring arrangements exist to secure observance?

(iv) Where charges are levied for services provided or for the use of assets and other resources, do those charges fully reflect the costs of provision? Where a policy decision has been made to subsidise those costs or to provide a surplus, has the financial information been properly and fully calculated, so that the real level of subsidy, and to whom it is given, is apparent?
Questions About Input Controls:
(v) Do the appropriate controls over inputs exist to ensure that:
- Assets and other resources (including stocks and stores) are used only for the purposes of the organisation, that is, excluding use for political or private purposes?
- No significant liabilities, including all fiscal liabilities, are entered into without the specific approval of top management and, if necessary, with the specific approval of the ministry of finance?
- No contracting out of the delivery of public services exists without a thorough investigation into the financial and operational viability and quality of the private companies or other private institutions involved?
- No future contractual obligations to suppliers exist which will make the future financing of the service or activity difficult to achieve or which may lead to an imbalance in the provision of other services or activities?
- Procurement is only undertaken in accordance with the procurement regulations/legislation?
- All externally set technical regulations concerning the delivery of particular services are observed?
- All financial regulations issued by the ministry of finance are being adhered to (if such regulations do not exist, then either the ministry of finance should be asked to issue such regulations or the organisation itself should develop and issue its own financial regulations)?
- All income and payment arrangements adhere to the requirements set out in those financial regulations, including where appropriate the separation of duties?
(vi) Do controls over inputs inhibit or support management’s ability to deliver the objectives of the organisation? Where those controls, especially over the number of personnel or the allocation of personnel, require decisions to be made by someone other than the manager or even by another organisation, the responsibility of the manager is diluted. The question then is whether this is desirable and to what extent it reduces the accountability of the manager. The consequential question for top and senior management is how this, in turn, affects their responsibilities and whether any external controls should be challenged, for example, over staffing arrangements.
(vii) Do the ministry of finance budgetary and cash flow controls reflect the needs of the operational management or is change required? The question that then has to be addressed by top and senior operational managers is what are the most appropriate controls to meet the needs of operational management. This is likely to require significant new controls or an adaptation of those required by the ministry of finance, for example, to give managers greater ability to manage resources to achieve objectives.
(viii) Are the arrangements for the recruitment, allocation, retention and training of staff consistent with the needs of the organisation or do they inhibit the organisation in the delivery of its objectives? (Sometimes organisational managements have little control over the recruitment, promotion and training of staff. Staff may be appointed for political reasons rather than because of their competencies. Is that an appropriate arrangement given the need to achieve objectives and to secure managerial accountability?)
(ix) Are the controls that exist within the IT systems sufficient to protect against fraudulent misuse through inadequate security arrangements and against hacking and other forms of attack? What is the evidence that those controls have been fully tested? Are the controls only nominal or are they properly applied in practice, and what is the evidence for that?
(x) Have all operating system updates issued by software manufacturers been applied?
(xi) Is there confidence that the reporting to the ministry of finance (and where appropriate to other third parties) is accurate and timely and that the financial statements properly present the financial position of the organisation? (Internal and external audit have an important role but the primary responsibility is that of the management.)
(xii) As the organisation will have a responsibility to store information, both physically and electronically, are the archiving arrangements consistent with the centrally determined arrangements for archiving (if any) and are those arrangements adequate for the purpose, both physically to ensure that the records are not damaged, and in being held securely to prevent misuse of or changes to those records? Are the records properly maintained so that they are accessible to future enquirers? Are the systems sufficiently secure to prevent loss of data through breaches of security, mismanagement or IT breakdowns? Do ‘back-up’ systems exist? Archiving applies to all operational as well as financial records. Can these questions be answered positively for electronically held records as well as for physical records?
Questions About the Controls Concerned with Longer Term Financial Sustainability:
(xiii) Does a process of strategic financial planning exist which evaluates the impact of present and proposed policies upon the organisation’s future finances, considering all those factors that are likely to impact upon those finances?
(xiv) Is there a process which assesses the commitments of the organisation given its current policies, such as public/private partnership arrangements, and tests the financial viability of those policies over the longer term, considering likely trends in the availability of budgetary funds and other sources of income (which may be affected by the state of the economy)?
(xv) Does a long-term financial planning process exist which systematically informs the political level of management and the top and senior operational management of the forecast financial resilience of the organisation given the commitments that have been entered into with the development of current policies? Does that planning process inform the political level of management about the financial consequences of the introduction of new policies and other likely new commitments that may be or are emerging (e.g., through climate and legislative change) which are beyond the control of the management of the organisation, and which could affect policy making decisions?
(xvi) Do those processes consider the impact of any fiscal liabilities that have been entered into?
(xvii) Does a process of consultation exist with the ministry of finance about its judgement of the future government financial planning, based upon economic forecasts, and how this may impact upon the finances of individual ministries given government priorities?
These examples of control activities also demonstrate the interlocking of this standard with those for the control environment and information and communications. They also emphasise that control activities are not simply about financial and budgetary controls but that technical controls also are very important and a failure to observe technical controls is likely to result in major future costs as well as costs to reputation.
A European Commission paper based upon COSO summarised the requirements of control activities as the public organisation:
- Principle 10: Selects and develops control activities
- Principle 11: Selects and develops general control activities over technology
- Principle 12: Deploys control activities through policies and procedures.Footnote 13
The responsibility of the top and senior operational management should be to ensure that the control activities that are employed are effective and that the political management is satisfied with their quality. They also need to satisfy the external auditor and consequently parliament, and those to whom the organisation is accountable (e.g., the cabinet of ministers, parliament and civil society). The top operational manager should therefore ensure that appropriate control activities actually exist and operate effectively, and be confident that all staff are familiar with the controls that affect them and how they should operate. This would mean that staff job descriptions fully cover the responsibilities for the relevant controls and that staff appraisal arrangements also cover awareness of those internal control arrangements. Periodic assessments of the efficiency and effectiveness of these controls should occur, with internal audit and any relevant external organisation acting as assessors.
The exact form of the control activities will depend upon the services and operational activities that the organisation is engaged in.
11.3.2.4 The Risk Management Standard
11.3.2.4.1 An Overview
An important element of control activity is that the risk management processes operate effectively. The aim of risk management is not to eliminate risk because only by taking risks will change and improvements in the delivery of services and activities occur. The purpose is to identify and then manage the risks so that objectives and standards can be achieved and that adverse consequences can be avoided or minimised by careful assessment, planning and management. The ‘driver’ department of the ministry of finance should issue detailed guidance on how the reporting associated with risk management should be developed and applied taking into account the arrangements for delegation and managerial accountability that exist at the time.
The key to the effective management of risks is the ‘tone at the top’ of the organisation (the ‘control environment standard’). This affects the priority that the different levels of operational management and staff give to risk management and the comprehensiveness of the risk management arrangements. The behaviour and actions of the top and the senior management, and how they communicate with and challenge the different levels of management about risk, illustrate the degree of significance attached to risk management. If the leadership attitude is one of indifference and there is no real top-level ownership, especially by top operational management, or the messages from the political leadership and top-level operational management are inconsistent, this will be damaging to the risk management process.
The primary concern of the political level of management should be with the relevance and quality of the organisation’s risk management policy.
Whatever the managerial circumstances and the level of risk, there are various ways in which risks can be addressed: by building in additional controls, by changing the management arrangements, by some form of insurance, by sharing the risk with a third party, by changing designs, or even by not going ahead with a policy, project or activity because the perceived risks are too great.
The UK Treasury issued a publication on the Management of Risk—Principles and Concepts. This emphasised the significance of the role of management: “For the risk management framework to be considered effective, the following principles shall be applied: A. Risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed, and controlled at all levels. B. Risk management shall be an integral part of all organisational activities to support decision-making in achieving objectives. C. Risk management shall be collaborative and informed by the best available information and expertise. D. Risk management processes shall be structured to include: a. risk identification and assessment to determine and prioritise how the risks should be managed; b. the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level; c. the design and operation of integrated, insightful and informative risk monitoring; and d. timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities. E. Risk management shall be continually improved through learning and experience.”Footnote 14 (Although this publication has been issued by a country with a well-developed public sector management structure, it does contain very clear guidance which could be usefully applied in countries introducing PFM/IC.)
For risk management to be effective:
- The political head of the organisation and the person responsible for the quality of PFM/IC within the organisation, that is, the state secretary in a ministry, recognise the significance of risk management in the achievement of the objectives and performance standards of the organisation, including technical performance standards, and provide leadership in its development.Footnote 15
- Clear objectives and performance standards exist and a management structure is in place designed to deliver those objectives and standards.
- An appropriate control environment exists.
- Adequate information flows and communication arrangements exist.
- Internal controls are effective.
- Accountability arrangements exist, both internally and externally.
If the top political and operational management are not interested in the development of risk management throughout the organisation (i.e., genuinely interested as opposed to ‘going through the motions’), then there is something wrong not only with the risk management process but also with the management arrangements themselves. The risk management process must be of genuine interest to these top officials. They cannot though be expected to personally manage all risks. Their personal concerns should be that there is effective risk management throughout the organisation and that they are focussed on the significant risks to the organisation, perhaps no more than 15 to 20. However, this number does depend upon the nature of the service or activity. If the number rises above this level, then there is almost certainly something not right about the risk management assessment arrangements and the top management is being drawn into too much detail. This is likely to devalue the risk management as a process. Once a risk has been accepted, then what matters most, given systematic review, is change in the level of risk. Why is that change occurring?
The Orange Book referred to above also defines 13 different categories of risk, that is, Strategy risks—Governance risks—Operations risks—Legal risks—Property risks—Financial risks—Commercial risks—People risks—Technology risks—Information risks—Security risks—Project/Programme risks—Reputational risks.Footnote 16 For countries adopting PFM/IC to analyse risks over these 13 different categories at the initial stages of development may be too complex. The following may be an oversimplification but initially an important distinction should be made between managerial or strategic risk management and systems risk management.
Managerial or strategic risk management should be concerned with the key or strategic risks facing an organisation, which could fall into any of the categories identified above. A responsibility of the top operational management is to work with the political management to identify those risks with which the political management is concerned and how it wishes that they should be managed including being kept informed about them. Most risks will be managed by the operational management but others may have aspects which are of particular interest to the political management as well as to operational management. The top operational management should identify and focus upon those managerial or strategic risks that have a direct impact upon their effective management of the organisation.
Examples of high-level risks that political management may be concerned about include significant potential damage to the reputation of the organisation, significant legal action against the organisation, significant financial losses, risk of death or serious injury to users of the service or to employees, an attack on the IT security systems that results in the theft of private personal data or the corruption of a major IT system that prevents a service or activity being delivered, such as social security payments or the taking of decisions that could significantly affect the long-run financial resilience of the organisation.
Another example of high-level risk that organisations should take into account is risk to the continued operation of the organisation as a whole or significant parts of it. An important responsibility therefore of top and senior management (political and official) is business continuity planning in the event of some major external threat to the organisation. A recent example of this is the impact of a disease upon management and the clients/customers of the organisation and on the organisations that are major suppliers.
Systems risks may or may not be important to top and senior operational management, and sometimes political management may need to become involved. However, it all depends upon the circumstances. If the system is vital to the effective functioning of the organisation (such as a social security system or disease prevention in a hospital), then the top political management would inevitably become involved. Otherwise, most system risks could be managed by operational management.
As has been pointed out previously, all decisions involve some element of risk and in some countries the risks associated with usual day-to-day management activity have been incorporated into the formal risk management processes. This is a mistake. These normal operational responsibilities should not be included in the formal risk management processes and to include them, as some organisations do, is to devalue the impact of risk management.
Whatever decisions are made about risk management, whether by political or top operational management, risks should be subject to regular review because circumstances change. How frequently such reviews should occur should depend upon the particular risk being considered!
11.3.2.4.2 Managers and Risk
The introduction of risk management into the management process adds considerably to the responsibilities of managers. In some organisations, defining and managing risk will be a complex process requiring considerable skill, expert knowledge and the exercise of judgement. Hence there may be a need to appoint staff to support the managers who are expert in identifying and making judgements about risk in a particular area of activity, for example, in the provision of health services, in the development of infrastructure, in policing and prison services, in services with a high risk of fraud such as those providing benefits to individuals or in fraud and corrupt practice in purchasing and supply arrangements. Those risks that involve the health and safety of employees should always be discussed with the potentially affected employees, or their representatives, including the proposed mitigation measures.
The management approach to risk at lower managerial levels should be based upon the risk to the achievement of that manager’s objectives and the relevant performance standards (emphasising again that each manager should have objectives and standards). The process for addressing lower level risks should be, in principle, the same as that described above for high-level risks. Each lower level manager should report those that he/she regards as the more serious risks to the next higher level of management to determine whether in turn they should be referred further up the management structure until they reach top and senior management. They should also report to the next higher level of management on changes in the level of risk, especially where those changes indicate a worsening of the level of risk. Once risks have been identified, the individual manager’s responsibility is to analyse those risks to determine how those risks should be managed and which risks may need to be reported to and agreed with more senior management.
An example of a service that will require specialist risk management skills is that of the management of hospitals. Hospital management will be concerned with the management of clinical and non-clinical risks and these will be managed in different ways.
Through risk management there are significant opportunities for achieving improved quality of care, major cost savings, improved public perception and a reduction in clinical negligence claims by having the correct risk management strategy. The goals of the risk management strategy could include:
- enhanced quality of care;
- protection against criminal prosecution;
- financial savings from reduced risk, which includes reduction in claims against the trust [hospital] and optimisation of insurance premium expenditure;
- cost-efficient risk reduction;
- improved public image;
- improved staff morale and productivity.Footnote 17
Another example is the management of schools. A major immediate concern to the managers of a school will be the health and safety of pupils. Risk assessment involves considering the severity of consequences if a person or pupil is exposed to a potential risk, combined with the likelihood of it happening. The level of risk will increase as the likelihood of injury or illness or its severity increases. A risk assessment can help determine:
- How severe a risk is;
- Whether existing control measures are effective;
- What action should be taken to control the risk; and
- How urgently the action needs to be taken.Footnote 18
11.3.2.4.3 The Practicalities of Introducing Risk Management
A degree of bureaucracy is necessary to identify risk, indicate who is responsible for its management, demonstrate the actions that have been taken and identify the trends in the development of the risk. A formal risk register therefore should be established: a single register covering all risks can be unwieldy, and a more practical approach can be to establish one register that addresses managerial or strategic risks and a separate one for lower order risks.Footnote 19 Again, different risk registers can be developed for different parts of the organisation. Which approach is most appropriate depends upon the management arrangements within the organisation. Top and senior operational management, subject to any political management concerns, should determine the monitoring and reporting arrangements. The overall responsibility for the risk register process should lie with the head of operational management. However, the actual ‘process’ responsibility could be delegated to another official. That a specific official should have this bureaucratic responsibility in no way removes from the top operational manager, the state secretary or equivalent, their ultimate responsibility for managing risk and for ensuring that an appropriate risk management process applies throughout the organisation.
Decisions should also be made about the frequency for the reporting of risks. This could vary depending upon the type of risk and the personalities involved. This will mean that the risk register(s) will need to be updated (and coordinated) so that each higher level of management is aware of the development of risks and the effectiveness of the mitigation measures. How often updating or review of risks should occur will depend upon the nature of the risk and the bureaucracy should have the capacity to be flexible about the updating arrangements. Particular regard should be had to trends in the movement of individual risks—is the risk declining or increasing?
11.3.2.4.4 The Responsibilities of the Top and Senior Operational Management
The top and senior operational management have a substantial range of risk management responsibilities even though in practice some would be delegated to other officials. The main responsibilities of the head of operational management should include to:
a. Ensure that risk management is incorporated within the operational management processes, including job descriptions, and that all risks are fully identified and managed at an appropriate level.
b. Ensure that those management processes are actually undertaken and are regularly reviewed, with active steps being taken to mitigate risks.
c. Provide direction, guidance and advice on risk management best practice throughout the organisation.
d. Determine the risk appetite/tolerance for the organisation (see below for a discussion on ‘risk appetite’) and inform and agree the risk appetite parameters with the political head of the organisation, also after considering the views of any external advisers.Footnote 20
e. Receive regular reports on managerial and strategic risks and the trends which are emerging so that he/she can require corrective actions to be taken.
f. Prepare reports to the political head of the organisation on those managerial and strategic risks which directly affect the political head, paying particular attention to changes in the levels of risk.
g. Provide any feedback from the political level of management to other managers on the risk management process.
h. Ensure that appropriate training is provided to the different levels of official on risk management (whether politically appointed or civil or local government officials) and/or that specialist officials are appointed where fraud or corrupt practice is a high area of risk.
i. Ensure that a process exists which identifies the possible causes of risk appetite/tolerances being exceeded. Those causes can include mismanagement, natural events, unforeseen international price movements, failures in a supply chain such as bankruptcy (but this risk in some circumstances should have been foreseen and therefore the real cause is mismanagement), misjudgement of demand for a service or activity (again a potential cause is mismanagement) or, in construction, unstable ground conditions or unavailability of key workers such as engineers.
j. Ensure that systematic communication arrangements exist within the organisation to raise awareness about risk and the policies of the top management so that there is a wide understanding throughout all levels of management of the level of risk that is acceptable: this should inform all activities, that is, policies, programmes, projects and operational service delivery.
k. Ensure that second-level organisations establish risk management and that top and senior operational management of the first-level organisation are informed of the strategic risks and all fiscal risks that affect the second-level organisation, so that the top and senior operational management of the first-level organisation can decide whether they need to become involved in the management of those risks and whether they should inform the political level of management.
l. Where an external advisory committee, such as an audit committee, exists which has an interest in the quality of risk management, maintain a close liaison with that committee and ensure that its recommendations are fully considered.
m. Prepare an annual risk management/risk appetite statement.
How does top and senior operational management undertake these responsibilities towards risk management in practice? The United Kingdom National Audit Office addressed this in a publication by setting out a series of questions for top and senior operational management to consider.Footnote 21 These are:
1. “How do we ensure that our focus is on managing the things that matter? Are we content that management’s assessment of risk is not overly optimistic?
2. Are we clear about where we are prepared to tolerate differing levels of risk and, in turn, how these influence and drive the actions of management?
3. How confident are we that risks are being managed appropriately and that we will be informed of the most significant risks to our business?
4. What information do we need both to take decisions and to challenge the rigour with which risk is managed throughout the organisation?
5. How do we ensure that our decisions are based on a clear and balanced evaluation of the costs and impacts associated with risks and mitigations?
6. How do we learn from successes and failures both within our own and other organisations?”
11.3.2.4.5 Risk Appetite, Impact and Likelihood
‘Risk appetite’ has been defined as “the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives”. Even though the top operational management may define the policy on risk appetite, the political leadership should agree that policy because of its significance. “Organisations will have different risk appetites depending on their sector, culture, and objectives. A range of appetites exist for different risks and these may change over time.”Footnote 22 No risks should be acceptable which exceed the defined risk appetite. However, ‘risk appetite’ is not always quantifiable and may require managerial judgement. PFM/IC requires a managerial approach to the delivery of the objectives of an organisation, and as all managerial decisions involve a greater or lesser degree of risk, the existence of a risk appetite statement provides guidance to managers about the risks that can be taken to achieve an objective.Footnote 23
In making decisions about risk two features are important: the likelihood of the risk occurring and, if it does occur, its impact. The management should assess these in terms of how the risk will affect the achievement of the objectives and performance standards. The estimated costs can then be compared with the costs of taking mitigating actions and the extent to which those mitigating actions will reduce the risk. This type of analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information and the resources available. Risk analysis can also be influenced by opinions, biases, perceptions of risk and judgements, and by the quality of the information used. Often a scoring method is applied to provide a basis for assessing the significance of the risk. Both impact and likelihood should be scored (although some risks may be difficult to quantify and managers will need to make judgements).Footnote 24
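The scoring described above, together with the escalation of more serious risks up the management structure (Sect. 11.3.2.4.2), the trend tracking a risk register must support (Sect. 11.3.2.4.3) and the chapter's rule of thumb that top management should track no more than about 15 to 20 risks, can be made concrete in a small risk register. The following Python is an added illustration written for this edition; it is not code from the chapter, from COSO or from any government. Everything in it is an assumption: the 1-5 ordinal scales, the escalation thresholds, the mapping from likelihood rating to an annual probability (used only to compare mitigation cost against the expected loss it avoids) and the constructed sample risks.

```python
"""Toy risk register: impact x likelihood scoring, appetite-based escalation,
trend between reviews, and a mitigation cost/benefit check.
Constructed example with assumed scales and thresholds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_RATING, MAX_RATING = 1, 5          # assumed ordinal scale for impact and likelihood
SENIOR_THRESHOLD = 10                   # assumed: score >= 10 reported to senior management
POLITICAL_THRESHOLD = 16                # assumed: score >= 16 reported to the political head
MAX_TOP_LEVEL_RISKS = 20                # chapter's rule of thumb for top management's list
# Assumed mapping from likelihood rating to annual probability of occurrence.
LIKELIHOOD_PROBABILITY = {1: 0.05, 2: 0.20, 3: 0.50, 4: 0.75, 5: 0.95}


def risk_score(impact: int, likelihood: int) -> int:
    """Impact x likelihood (range 1..25); out-of-range ratings are rejected."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not MIN_RATING <= value <= MAX_RATING:
            raise ValueError(f"{name} must be {MIN_RATING}..{MAX_RATING}, got {value}")
    return impact * likelihood


def escalation_level(score: int) -> str:
    """Which level of management a risk with this score must be reported to."""
    if score >= POLITICAL_THRESHOLD:
        return "political"
    if score >= SENIOR_THRESHOLD:
        return "senior"
    return "manager"


@dataclass
class Review:
    date: str                           # ISO date of the periodic review
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)


@dataclass
class Risk:
    ident: str
    description: str
    owner: str                          # manager accountable for the risk
    loss_if_occurs: float               # estimated cost if the risk materialises
    mitigation_cost: float = 0.0        # cost of the proposed mitigating action
    mitigated_likelihood: Optional[int] = None   # likelihood rating after mitigation
    reviews: List[Review] = field(default_factory=list)

    @property
    def current(self) -> Review:
        if not self.reviews:
            raise ValueError(f"risk {self.ident} has never been reviewed")
        return self.reviews[-1]

    def trend(self) -> str:
        """Direction of the latest change in score; a rise is what the chapter says to question."""
        if len(self.reviews) < 2:
            return "new"
        latest, previous = self.reviews[-1].score, self.reviews[-2].score
        return "rising" if latest > previous else "falling" if latest < previous else "stable"

    def expected_loss(self, likelihood: Optional[int] = None) -> float:
        rating = self.current.likelihood if likelihood is None else likelihood
        return LIKELIHOOD_PROBABILITY[rating] * self.loss_if_occurs

    def mitigation_worthwhile(self) -> bool:
        """True when the expected loss avoided by mitigation exceeds its cost."""
        if self.mitigated_likelihood is None:
            return False
        avoided = self.expected_loss() - self.expected_loss(self.mitigated_likelihood)
        return avoided > self.mitigation_cost


def register_report(risks: List[Risk]) -> Dict[str, object]:
    """Rows sorted by score with reporting level, trend and mitigation verdict, plus a
    flag when more risks reach the political level than top management can usefully track."""
    rows = [{"id": r.ident, "owner": r.owner, "score": r.current.score,
             "level": escalation_level(r.current.score), "trend": r.trend(),
             "mitigate": r.mitigation_worthwhile()} for r in risks]
    rows.sort(key=lambda row: row["score"], reverse=True)
    top_level = sum(1 for row in rows if row["level"] == "political")
    return {"rows": rows, "top_level_count": top_level,
            "too_detailed": top_level > MAX_TOP_LEVEL_RISKS}


# Constructed sample register (hypothetical risks, owners and figures).
SAMPLE_REGISTER = [
    Risk("R1", "Benefits payment system unavailable", "Head of IT", loss_if_occurs=2_000_000,
         mitigation_cost=150_000, mitigated_likelihood=1,
         reviews=[Review("2024-01-15", 5, 2), Review("2024-04-15", 5, 4)]),
    Risk("R2", "Supplier insolvency delays road contract", "Director of Infrastructure",
         loss_if_occurs=400_000, mitigation_cost=90_000, mitigated_likelihood=2,
         reviews=[Review("2024-01-15", 3, 4), Review("2024-04-15", 3, 3)]),
    Risk("R3", "Archive records damaged by damp", "Records Manager", loss_if_occurs=50_000,
         mitigation_cost=40_000, mitigated_likelihood=1,
         reviews=[Review("2024-04-15", 2, 2)]),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER)["rows"]:
        print(row)
```

In the sample, R1 has risen from 10 to 20 between reviews and therefore moves from senior to political-level reporting; R3 shows a case where the mitigation costs more than the expected loss it avoids, which is the comparison the paragraph above calls for before committing to a mitigating action.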
The Institute of Risk Management has listed stages in the development of risk appetite statements.Footnote 25 These are:
1. “Identify stakeholders and their expectations, together with an analysis of the risks to strategy, tactics, operations, and compliance, as set out in the risk register.
2. Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements.
3. Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of acceptable risk tolerances.
4. Reconcile the risk appetite, risk tolerances with the current level of risk exposure and plan actions to bring current risk exposures into line with risk appetite.
5. Formalize and ratify a risk appetite statement(s), communicate the statement with stakeholders and implement accordingly.”
11.3.2.4.6 Publication
Risk management/appetite statements ideally should be published on the grounds of transparency and accountability and as one of the improvements emerging from the development of the quality of corporate governance. In countries which are in the process of adopting PFM/IC, there are basically two other significant reasons for the ministry of finance ‘driver’ department to require the development of annual risk management/appetite statements and for the completion of such a statement to be a specific responsibility of top and senior management. These are:
- To cause top and senior management to be aware of their risk management responsibilities and that risk management is not a lower level requirement which can easily be met by leaving it to lower level staff or internal audit and to be completed through the traditional bureaucratic procedures; and
- To require top and senior management to engage in the systematic and ongoing review of risks and to then make decisions about the range of risks that the organisation faces, the extent to which risk is acceptable in order to achieve objectives and the appropriate mitigating measures.
Examples of risk management statements are included in the annex to this chapter. They reflect different approaches to risk management. The common features are that the details are published and that the approaches to risk management, as well as who is responsible, are made clear. In other words, they meet the most desirable features of transparency and accountability. Unfortunately, countries currently adopting PFM/IC do not so far appear to publish such statements. Yet a requirement for top and senior management to publish such statements would encourage risk management to become embedded in managerial arrangements. In the examples, risk management is shown to be a fundamental feature of management processes, and the operational context therefore reflects this, as does the existence of objectives and performance information coupled with accountability pressures to achieve those objectives and levels of performance. Without a specific requirement falling upon top and senior management to specify the risk management arrangements they have established and the extent to which risk is considered and is acceptable, there is every possibility that considerations about risk will be superficial. This in turn means that there will be less likelihood of objectives and standards being achieved. What is published for external stakeholders such as other ministries and the ministry of finance, as well as parliament, pressure groups and service users (i.e., civil society), may be different from what is published for the benefit of internal stakeholders (i.e., primarily the managers within the organisation). Without such an internal statement, lower level managers within the organisation will be providing services and activities with no or insufficient guidance on the levels of risk that they are permitted to take.
They may also be deterred from developing new ideas and proposals to improve services and activities for fear of taking on additional risks, because they do not know what level of risk is acceptable to top and senior management. In an administrative culture that has traditionally been risk averse, which is the situation in most of the countries adopting PFM/IC, clarity about the attitude of top and senior management towards risk is very important.
Where publication of comprehensive information is deemed to be too difficult in a particular country, then all such reports should at least be available internally within a government. Similarly, equivalent reports for individual local governments and state-owned enterprises should also be published.
Where agencies and state-owned enterprises are subject to control or supervision by a ministry or local government, that ministry or local government should ensure, as part of its performance or service level agreement with the second-level organisation, whether market or non-market based (see Chap. 12), that risk management is introduced in those organisations. The risk management arrangements that have been put in place should be covered in the reporting arrangements between the second-level organisations and the controlling or supervising ministry or local government. (NB. A particular feature of the risk management control arrangements between first- and second-level organisations of whatever type should be that no fiscal risks are entered into without the specific agreement of the first-level organisation.)Footnote 26
11.3.2.4.7 A European Commission Overview About Risk Management and COSO
A European Commission paper based upon COSO summarised the requirements of risk assessment as the public organisation:
6. Specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. Identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
8. Considers the potential for fraud in assessing risks to the achievement of objectives.
9. Identifies and assesses changes that could significantly impact the system of internal control.Footnote 27
11.3.2.5 The Monitoring Activities Standard
The purpose of monitoring is to evaluate whether the arrangements for PFM/IC are making it possible for an organisation to achieve its objectives, doing so efficiently and effectively, to time, to standard and within budget, and also within the laws and regulations to which the organisation is subject. Monitoring is also concerned with ensuring that the organisation has adopted and is applying a commitment to integrity and ethical values. If these features are not occurring, the next question is: why not? The focus of monitoring in many countries that are introducing PFM/IC has been simply on whether the bureaucratic processes relating to the four other standards are in place, with observations about the deficiencies that exist (if any). However, the SIGMA Guidelines for assessing the quality of internal control (IC) systems state that “Monitoring of the IC system is essential to ensure that IC remains aligned with changing objectives, environment, laws, resources, and risks. IC monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Corrective actions are a necessary complement to control activities in order to achieve objectives.”Footnote 28
The monitoring processes that have been adopted in this author’s experience do not in general appear to address the main purpose of the reform. In most countries they also do not recognise that each standard is not a ‘stand-alone’ process which can be separately assessed. The procedural processes associated with each standard, as has been shown, are not easy to identify separately except at the most superficial level. Because the standards are interlocking, the monitoring process needs to reflect this. This will be best achieved by looking at the overall performance of the organisation in achieving its objectives and performance standards and objectives efficiently and effectively. Reliance is also often placed on ‘self-certification’. What this means in practice is difficult to understand. The monitoring process needs to establish how far the assumptions, referred to at the beginning of this chapter, that lie behind the COSO process have been recognised. Monitoring is therefore not a simple ‘tick-box’ end-of-year type of process checking that the required bureaucratic procedures have been implemented. To emphasise, introducing the COSO standards is not simply a bureaucratic exercise; it has a specific purpose. This purpose is to achieve the objectives of the organisation efficiently and effectively, to time, within budget and to standard, with proper regard for integrity and ethical values, transparency and accountability, and as part of this to ensure that the legal and regulatory requirements to which the organisation is subject are fully met. Monitoring should be aimed at this purpose, that is: is it being achieved, and if not, why not? Anything else can at best be regarded as an interim process. Each of the individual standards is ultimately aimed at this purpose. The most effective test of the application of PFM/IC is how successful the organisation’s management has been in meeting this purpose. That is the point from which monitoring should start.
Without such an evaluation, whether the COSO standards have been properly applied cannot be established. Therefore, whether the policy of PFM/IC is meeting expectations also cannot be established; the question cannot even be asked. Monitoring should start from whether the objectives and performance standards and objectives of the organisation have been achieved efficiently and effectively, within the law and budgetary constraints. The monitoring aim should then be to identify, if they have not, what weaknesses have allowed this to occur.
Monitoring responsibility within an organisation should be that of the top and senior operational management where the overall responsibility lies for the achievement of the objectives and performance standards. Monitoring should form part of the accountability arrangements flowing up the organisation, ultimately to the top and senior management, official and political. Monitoring should identify weaknesses in the quality of the management of the organisation itself (i.e., technical, operational and financial). A failure to properly carry out certain procedures is a management failure, not just a procedural failure which can simply be corrected by bureaucratic action.
Apart from the top and senior management, monitoring will be of concern to others. One is external regulators concerned with the observance of technical standards, another is the ‘driver’ department of the ministry of finance responsible for the application of PFM/IC, and a third is parliament. The role of the ministry of finance in monitoring should be to judge the quality of operational management. Lack of achievement of objectives and performance standards, a failure to meet external regulatory standards and the quality of financial control should all affect future budgetary allocations. Parliamentary monitoring (i.e., scrutiny) should have a central concern for the quality of management, the delivery of objectives efficiently and effectively and the meeting of technical regulations. Parliament may have its own scrutiny requirements and it may rely for advice on the external auditor, who should have a concern for the quality of public expenditure through its assessments of value for money. This may lead on to a further form of external scrutiny, that of civil society.
What should also stimulate monitoring is that it should result in each public organisation publishing an annual report covering all its activities and, unless consolidated into a whole of government statement, its financial statements, along with a ‘statement of internal control’ (see Chap. 13). The ‘statement of internal control’ should describe the effectiveness of internal controls applying within an organisation.
Monitoring should be an ongoing process and the PFM/IC driver department should provide advice on how that is to be undertaken, including the extent of the monitoring required. As PFM/IC is developed it may also wish to regularly review the outputs of those monitoring arrangements.
Internal audit has an important role in the monitoring process. But it can only undertake this role effectively if internal audit recognises that it is operating within the managerial context set by PFM/IC. This means that internal audit should have a thorough understanding of the PFM/IC reform and how it affects decision making by managers. Therefore, the training of internal audit should be aimed to ensure that internal audit capability extends beyond traditional internal control monitoring based simply upon systems controls with a focus upon financial and budgetary controls.
The aim of an internal audit evaluation is to provide a ‘lens’ to show to the top and senior operational management how effective the application of the COSO standards by management is.
A European Commission paper based upon COSO summarised the requirements of monitoring as the public organisation:
16. Selects, develops and performs ongoing and/or separate evaluations.
17. Evaluates and communicates deficiencies.Footnote 29
11.4 Summary
In this chapter the international standards of internal control have been described. These standards are essentially managerial disciplines. The context into which they are to be applied is an operational management context. These international standards cannot be isolated from this managerial context and treated as individual ‘stand-alone’ features of PFM/IC. The impact of each standard also cannot be clearly separated one from the other. Yet that is how they are treated in many developing and transition economy countries applying the standards. In considering the application of these standards regard should also be had to the assumptions that underpin these standards and these assumptions reflect the managerial context in which the standards are to be applied. Again, this is not usually something which is either recognised or considered.
The detailed analysis of the application of each of these standards demonstrates how they impact upon the managerial arrangements. Those managerial arrangements should be designed to deliver the objectives and performance standards and objectives of the organisation efficiently and effectively within the budgetary and legal framework. These standards apply principally to operational management. Therefore, an important precursor to their implementation is the separation of operational management from the political level. These standards also, though, provide an opportunity for the political level of management to have an informed insight into how well the operational level of management is working. From this point of view, therefore, the political level of management should support the full application of these standards, but again what is essential is managerial reform.
An indicator of how well the standards have been applied would be described in the statement of internal control which each organisation ought to prepare as part of the annual reporting arrangements (see Chap. 13). This statement should be available to the ministry of finance, to parliament and to the wider public (civil society) as part of the transparency and accountability arrangements. Either accompanying the statement of internal control or separately, a public organisation should publish a statement about its approach to risk, that is, its risk appetite.
Notes
1.
2.
3. Executive summary—page 4: https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf.
4. Strategic Human Resource Management/Factsheets: CIPD www.cipd.co.uk.
5. SIGMA paper 59 June 2019 ‘Guidelines for assessing the quality of internal control systems’ (https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=GOV/SIGMA(2019)1&docLanguage=En), page 21.
6. See footnote 10 of Chap. 14 for an example.
7. Debate: Motivating civil servants—insights from self-determination theory: Berend van der Kolk: Public Money and Management: published online 22 Jan 2020.
8. SIGMA paper 59 June 2019 (https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=GOV/SIGMA(2019)1&docLanguage=En), pages 22 to 32.
9. Guidelines for assessing the quality of internal control systems SIGMA Paper No. 59.
10. Principles of Public Internal Control: Position Paper no 1: Public Internal Control an EU approach Ref 2015–1.
11. A whistle blower is an employee who reveals information about activity within a private or public organisation that is deemed illegal, immoral, illicit, unsafe or fraudulent.
12. SIGMA paper 59 June 2019 ‘Guidelines for assessing the quality of internal control systems’ (https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=GOV/SIGMA(2019)1&docLanguage=En), pages 47 to 52.
13. SIGMA paper 59 June 2019 ‘Guidelines for assessing the quality of internal control systems’ (https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=GOV/SIGMA(2019)1&docLanguage=En), pages 41 to 47.
14. The Orange Book—Management of Risk-Principles and Concepts: P6: Published by UK Government, updated 2020. Orange Book—GOV.UK (www.gov.uk).
15. The official within an organisation responsible for the managing and effectiveness of the risk management process should be the official responsible for the application and quality of the PFM/IC reform within an organisation, that is, the state secretary or equivalent. If there is no delegation, in practice how a political official could actually take on the responsibility for risk management is difficult to see because of the detailed operational management knowledge that is required and the detailed bureaucracy that is likely to be involved. However, the top political manager must recognise and accept the importance of risk management in ensuring that the political objectives of the organisation can be achieved. Therefore, interaction between the political head and the top operational manager is essential.
16. Orange Book—p. 38.
17. Extract from ‘An exemplar operational risk management strategy’ UK NHS January 1997: file:///C:/Users/User/Dropbox/Reference%20sources/Risk%20Management/An_exemplar_operational_risk_management_strategy.pdf.
18.
19. A typical risk register contains:
    - A risk category to group similar risks
    - A brief description or name of the risk
    - The impact (or consequence) if an event actually occurs (usually identified by a numerical score)
    - The probability or likelihood of its occurrence (usually identified by a numerical score)
    - The risk score (or risk rating), which is the multiplication of the impact and probability scores, leading to an overall ranking of the risks
    - The mitigation steps
    - The name of the person responsible for monitoring that risk.
20. This should be regarded as a dynamic activity because determining risk appetite is not a single fixed concept and it will vary both for individual types of risk and over time, all depending upon circumstances.
21. Managing Risks in Government: National Audit Office 2011.
22. Institute of Risk Management UK 2017 (https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance/).
23. A risk appetite statement sets out the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. The appropriate level of risk will depend on the nature of the work undertaken and the objectives being pursued.
24. Scoring may be on a three- or five-point scale. With a three-point scale the scoring would be ‘high’ (3), ‘medium’ (2) or ‘low’ (1). The five-point scale elaborates on these three points. The overall risk assessment calculation is made by multiplying the two scores.
25.
26. Sources of fiscal risks include inadequacy of budgetary contingencies, guarantees given to third parties, public/private partnership arrangements, long-term contracts, environmental events, risks arising from the disposal or acquisition of assets and liabilities, and compensation or other payments arising from legal challenges.
27. SIGMA paper 59 June 2019 ‘Guidelines for assessing the quality of internal control systems’ (https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=GOV/SIGMA(2019)1&docLanguage=En), pages 70 to 79.
28. SIGMA Paper No. 59, para 2.5, p. 51: OECD iLibrary | Guidelines for assessing the quality of internal control systems (oecd-ilibrary.org).
29. SIGMA paper 59 June 2019 ‘Guidelines for assessing the quality of internal control systems’ (https://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=GOV/SIGMA(2019)1&docLanguage=En), pages 92 to 96.
30. These have been developed in conjunction with the Director of Finance.
31.
Annex 1
11.1.1 Examples of Risk Management Statements
Examples of risk management statements are set out below in a summarised form. Practical examples can be found by searching the web. Not all organisations are willing to publish such statements but with the introduction of PFM/IC and the emphasis upon transparency and accountability and an increased quality of governance, the managerial assumption should be in favour of publication unless there are very good reasons not to do so. These examples are for a hospital, a university and a state-owned industry and are based upon UK organisations. (These statements have been slightly edited by the author for publication within the context of this guide.)
Example 1.
A hospital (Hospitals provided as part of the UK National Health Service (NHS) are established as trusts and are governed by trust boards. An operational management with a chief executive has the delegated responsibility for the day-to-day management of the hospital and is accountable to the board.)
11.1.1.1 Risk Management Example Statement
11.1.1.1.1 Overview
The aim is to provide high-quality, effective and safe services which improve the health, wellbeing and independence of the population it serves. The Board [i.e., the governing board of the hospital] recognises that risk is inherent in the provision of healthcare and its services, and therefore a defined approach is necessary to identify the risk context, ensuring that the Organisation understands and is aware of the risks it is prepared to accept in the pursuit of the delivery of the Organisation’s aims and objectives. This Statement sets out the Board’s strategic approach to risk-taking by defining its boundaries and risk tolerance thresholds, and supports delivery of the Risk Management Strategy and Policy.
11.1.1.2 Risk Appetite Statement
11.1.1.2.1 Clinical Effectiveness
- We will provide high-quality services to our patients and not accept risks that could limit our ability to fulfil this objective. This key value is a driver that directly supports our core objective to improve our patients’ care outcomes, and that of their family and friends, by providing personalised and responsive services.
- We are strongly averse to risks that could result in poor quality care or unacceptable clinical risk, non-compliance with standards or poor clinical or professional practice.
Category | Board Committee/Sub-committee (12+) | Divisional Governance (9+) |
---|---|---|
Clinical & Care Outcomes | Risks relating to clinical & care outcomes scoring 12+ will be reported to the Quality & Safety Committee. | All clinical & care outcomes risks scoring 9+ will be reviewed at the appropriate monthly divisional governance meeting. |
11.1.1.2.2 Patient Safety
- We will hold patient safety in the highest regard and are strongly averse to any risk that may jeopardise it. This key value is a driver that directly supports our core objective to improve the safety of our services to patients.
- It can be in the best interests of patients to accept some risk in order to achieve the best outcomes from individual patient care, treatment and therapeutic goals. We accept this and support our staff to work in collaboration with people who use our services to develop appropriate and safe care plans based on assessment of need and clinical risk.
Category | Board Committee/Sub-committee (9+) | Divisional Governance (6+) |
---|---|---|
Patient safety | Risks relating to patient safety scoring 9+ will be reported to the Quality & Safety Committee. | All patient safety risks scoring 6+ will be reviewed at the appropriate monthly divisional governance meeting. |
11.1.1.2.3 Finance
- We will strive to deliver our services within the budgets modelled in our financial plans. However, budgetary constraints will be exceeded if required to mitigate risks to patient safety or quality of care. All such financial responses will ensure optimal value for money.
Category | Board Committee/Sub-committee (15+) | Divisional Governance (12+) |
---|---|---|
Finance | Risks relating to finance scoring 15+ will be reported to the Finance & Performance Committee | All finance risks scoring 12+ will be reviewed at the appropriate monthly divisional governance meeting. |
11.1.1.2.4 Patient and Service User Experience
- We will accept risks to patient and service user experience if they are consistent with the achievement of patient safety and quality improvements.
- We will only accept service redesign and divestment risks in the services we are commissioned to deliver if patient safety, quality care and service improvements are maintained.
Category | Board Committee/Sub-committee (12+) | Divisional Governance (9+) |
---|---|---|
Patient and service user experience | Risks relating to patient experience, engagement or stakeholder relationships scoring 12+ will be reported to the Quality & Safety Committee | All risks relating to patient experience, engagement or stakeholder relationships scoring 9+ will be reviewed at the appropriate monthly divisional governance meeting. |
11.1.1.2.5 Workforce
- We are committed to recruiting and retaining staff who meet the high-quality standards of the organisation and will provide ongoing training to ensure all staff reach their full potential. There are few circumstances where we would accept risks associated with the delivery of this aim.
- We will not accept risks associated with unprofessional conduct, bullying or an individual’s competence to perform roles or tasks safely, nor any incidents or circumstances which may compromise the safety of any staff members and patients or contradict our values.
- For patient safety, quality care, service delivery and financial sustainability reasons we are prepared to consider risks associated with the implementation of non-NHS [National Health Service] standard terms and conditions of employment, innovative resourcing and staff development models.
- We are strongly averse to any risk that could result in staff being in non-compliance with legislation or any frameworks provided by professional bodies.
Category | Board Committee/Sub-committee (12+) | Divisional Governance (9+) |
---|---|---|
Workforce | Risks relating to workforce scoring 12+ will be reported to the Workforce & Organisational Development Sub-Committee | All workforce risks scoring 9+ will be reviewed at the appropriate monthly divisional governance meeting. |
11.1.1.2.6 Infrastructure
- We are committed to providing patient care in a therapeutic environment.
- We will provide staff with appropriate space and supporting infrastructure in which to perform their duties.
Category | Board Committee/Sub-committee (12+) | Divisional Governance (9+) |
---|---|---|
Infrastructure | Risks relating to infrastructure scoring 12+ will be reported to the Quality & Safety Committee. | All Infrastructure risks scoring 9+ will be reviewed at the appropriate monthly divisional governance meeting. |
11.1.1.3 Risk Tolerance
Risk ‘tolerance’ is the minimum and maximum risk the organisation is willing to accept as reflected in the risk appetite themes above.
Detailed thresholds are articulated in the Risk Management Strategy & Policy statement and are dependent on the type of risk, against which all identified risks are assessed for their likelihood and impact using a risk scoring matrix.
The Executive Risk & Assurance Group will oversee all risks that score outside the risk appetite monthly and has established a rolling programme where each division (including Corporate Services) will present their full risk registers.
The Trust Board have agreed that all risks with total risk score of ‘12’ will require executive oversight by the Executive Risk & Assurance Group.
In addition, risks with an impact score of 5 (catastrophic) and likelihood of 2 (unlikely) will also be regularly reviewed at executive level.
Finally, themes and trends in reported risks will be identified and escalated as appropriate to ensure that multiple similar risks of a low impact and likelihood are not ignored.
The Board has a range of committees and groups all charged with the responsibility of reviewing risks related to their terms of reference and subject matter, ensuring those risks are controlled and, where necessary, escalated.
Note by author: This statement is complemented by an appendix showing a risk management governance map, guidance on risk management scoring and guidance on risk likelihood scoring.
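The scoring method described in Sect. 11.3.2.4 and note 24 (impact multiplied by likelihood) and the hospital's escalation thresholds above, put together as a small risk register. This is an added example, not the trust's or the author's own tooling; the five-point scale labels, the sample risks and the reading of "total risk score of '12'" as 12 or more are assumptions.

```python
"""Risk register scoring and escalation routing.

Added example modelled on the hospital risk appetite statement in Annex 1 and the
impact x likelihood scoring in Sect. 11.3.2.4 and note 24. Scale labels, sample rows
and the reading of "total risk score of '12'" as 12 or more are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Five-point scales (note 24); the labels are constructed for readability.
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}

# Per-category routes from the hospital's tables:
# category -> (board committee, committee threshold, divisional threshold).
CATEGORY_ROUTES = {
    "clinical & care outcomes": ("Quality & Safety Committee", 12, 9),
    "patient safety": ("Quality & Safety Committee", 9, 6),
    "finance": ("Finance & Performance Committee", 15, 12),
    "patient and service user experience": ("Quality & Safety Committee", 12, 9),
    "workforce": ("Workforce & Organisational Development Sub-Committee", 12, 9),
    "infrastructure": ("Quality & Safety Committee", 12, 9),
}
DIVISIONAL = "Divisional governance meeting"
EXECUTIVE = "Executive Risk & Assurance Group"
EXECUTIVE_SCORE = 12  # assumption: "score of '12'" read as 12 or more


@dataclass(frozen=True)
class Risk:
    """One risk register row (note 19): name, category, scores, owner, mitigation."""
    name: str
    category: str
    impact: int
    likelihood: int
    owner: str
    mitigation: str = ""

    def __post_init__(self) -> None:
        if self.category not in CATEGORY_ROUTES:
            raise ValueError(f"unknown risk category: {self.category!r}")
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError("impact and likelihood must be scored 1 to 5")

    @property
    def score(self) -> int:
        """Risk rating = impact x likelihood (note 24)."""
        return self.impact * self.likelihood


def escalation(risk: Risk) -> list[str]:
    """Return the forums that must see this risk, lowest level first."""
    committee, committee_at, divisional_at = CATEGORY_ROUTES[risk.category]
    routes = []
    if risk.score >= divisional_at:
        routes.append(DIVISIONAL)
    if risk.score >= committee_at:
        routes.append(committee)
    # Executive oversight: total score of 12 (or more), plus the explicit
    # catastrophic-but-unlikely case (impact 5, likelihood 2, score 10).
    if risk.score >= EXECUTIVE_SCORE or (risk.impact == 5 and risk.likelihood == 2):
        routes.append(EXECUTIVE)
    return routes


def rank_register(risks: list[Risk]) -> list[Risk]:
    """Overall ranking by score, highest first; ties broken by impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def low_risk_themes(risks: list[Risk], min_count: int = 3) -> list[str]:
    """Categories holding several risks below the divisional threshold, so that
    clusters of low-scoring risks are escalated as a theme rather than ignored."""
    low = Counter(r.category for r in risks
                  if r.score < CATEGORY_ROUTES[r.category][2])
    return sorted(c for c, n in low.items() if n >= min_count)


def sample_register() -> list[Risk]:
    """Constructed sample rows; not taken from any real register."""
    return [
        Risk("Ward staffing below safe levels", "patient safety", 3, 3,
             "Chief Nurse", "agency cover; daily safe-staffing review"),
        Risk("Overspend on agency staff", "finance", 4, 3,
             "Director of Finance", "monthly run-rate review"),
        Risk("Theatre ventilation plant failure", "infrastructure", 5, 2,
             "Estates Director", "planned maintenance; backup plant"),
        Risk("Mandatory training lapses", "workforce", 2, 2, "HR Director"),
        Risk("Delayed discharge letters", "clinical & care outcomes", 2, 1, "Medical Director"),
        Risk("Outdated clinical guideline", "clinical & care outcomes", 1, 2, "Medical Director"),
        Risk("Clinic slots overbooked", "clinical & care outcomes", 2, 2, "Medical Director"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for risk in rank_register(register):
        where = ", ".join(escalation(risk)) or "no escalation"
        print(f"{risk.score:>2}  {risk.name:<36} -> {where}")
    print("low-risk themes needing review:", low_risk_themes(register))
```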
Example 2.
A university (The governance arrangements for a university in the UK are determined by the university’s constitution which in turn depends upon how the university was originally established. There is therefore no standard model.)
The university in this example has published a Risk Policy and Risk Appetite Statement. This is set out below as an example of a different approach to the publication of information about risk management.
The university is governed by a ‘court’ which is the equivalent of a ‘board’ in other types of organisations. The chief official of the university who is the chairman of the university executive is the principal (other terms are used in other jurisdictions such as ‘vice-chancellor’), and the principal is responsible for the overall operation of the university including that risk is identified and effectively managed.
11.1.1.4 The Risk Management Objectives
The university’s risk management objectives are as follows:
1. Strategic-level decision making and planning are informed by accurate and congruent assessment of risk across the diverse colleges, groups and subsidiaries through a formal university-wide enterprise risk management (ERM) framework and processes.
2. Effective college, group and subsidiary operational decision making is guided by accurate and congruent assessment of risk within and across their diverse business areas. The risk management framework and process in place at this operational level supports and feeds back into the strategic-level ERM framework, while meeting the needs of each distinct organisation.
3. All risk management across the university adheres to the current risk management framework established by the court, while encouraging a culture of innovation and opportunity, informed risk-taking within the university’s risk appetite and an acknowledgement of risk as inherent in all activities of the university.
11.1.1.5 Framework
The management of risks in the university is undertaken within a framework comprising:
- a. the values, vision, culture, mission and goals of the university and its constituent organisations;
- b. the university’s governance and reporting structures;
- c. this Risk Policy and Appetite statement issued by the court;
- d. BS/ISO 31000:2018 Risk management—Guidance standard, which defines the risk management process adopted by the university;
- e. the University Risk Management Guidance Manual;
- f. supporting tools and documents, such as risk register templates, likelihood and consequence criteria, and partner policies such as insurance, procurement, emergency management and business continuity, security, IT and financial control policies; and
- g. the assurance and audit processes.
11.1.1.6 Roles and Responsibilities
An effective risk management programme should permeate existing management processes and provide assurance over the management of key risks. It requires interdependence between strategic and operational objectives, management processes, governance arrangements and other policies.
The court recognises that in order to pursue its objectives and to take advantage of opportunities, the university cannot avoid taking risks and that no risk management programme can aim to eliminate risk fully. Accordingly, the university’s approach to risk management is intended to increase institutional risk awareness and understanding and thus support taking risks where appropriate, in a conscious, structured and controlled manner. Risk management must be embedded throughout the university. It is not the sole responsibility of senior managers but should be exercised by all staff, particularly those with management or operational responsibilities.
11.1.1.6.1 Role of the Court
Court has a requirement under the legislation to ensure the establishment and monitoring of systems of control and accountability, including risk management. Accordingly, its role is to:
a. Set the tone and influence the culture of risk management within the institution.
b. Determine the nature and extent of the principal risks it is willing to take in pursuing the university’s strategic plan. This includes determining what types of risk are acceptable and which are not, and providing a risk appetite framework within which the appropriate level of exposure to risk can be determined in particular circumstances.
c. Approve major decisions affecting the university’s risk profile or exposure.
d. Ensure the establishment and maintenance of a risk register.
e. Provide an annual disclosure about risk management in audited financial statements and submit an annual corporate governance statement to the Funding Council [an external body responsible for providing funding to universities] following advice from the audit committee, risk management committee, senior management, external and internal audit.
11.1.1.6.2 Role of the University Executive (UE)
The UE is responsible for:
a. Implementing court’s risk management policy.
b. Ensuring that the major risks associated with significant proposals put to it have been properly considered and can be appropriately managed within the policy framework set by court.
c. Ensuring that corporate risks are properly managed, reviewing evidence to this effect and ensuring measurement of results as appropriate.
d. Communicating university policy and information about the risk management programme to all staff, subsidiary organisations and external partners.
11.1.1.6.3 Roles of Heads of Colleges, Schools and Professional Services
Responsibility for identifying and managing the risks in the university, as in any other organisation, lies with the management of the university. Heads of colleges, schools and professional services are responsible for:
a. Appointing a senior manager to coordinate risk management within their organisation.
b. Ensuring compliance with university and college policies. They have a responsibility to identify, evaluate and manage strategic and operational risks in accordance with the university’s risk management policy and process, ensure each risk is assigned a risk owner and bring emerging corporate risks to the UE’s attention.
c. Ensuring that everyone in their area of responsibility understands their risk management responsibilities and making clear the extent to which staff are empowered to take risks.
11.1.1.6.4 Role of the Risk Management Committee
The role of the risk management committee is to support and advise the management, and through it the court, on the implementation and monitoring of the risk management policy. Its remit is to:
a. Ensure that the identification and evaluation of key risks that threaten achievement of the university’s objectives is carried out and that a register of these risks is maintained.
b. Identify the strategy in place to manage such risks, including identification of appropriate risk owners and monitoring the satisfactory operation of the management strategy.
c. Satisfy itself that other risks are being actively managed, with the appropriate strategies in place and working effectively.
d. Report regularly to the court through the UE and the audit & risk committee on the achievement of the remit. Contribute to raising awareness of risk generally across the university and to maintaining the profile of risk management.
e. Address such other matters related to risk as may arise from time to time.
11.1.1.6.5 The University Risk Manager
The risk manager is part of the corporate services group. The risk manager is responsible to the risk management committee for:
- Facilitating the implementation of the standard risk management framework and process across the university.
- Assisting with the analysis of operational-level risk and the roll-up of significant risks to the strategic level.
- Providing risk management advice and assistance to all organisations within the university.
11.1.1.6.6 Role of Internal Audit
Internal audit is responsible for independently and regularly reviewing the operation of the overall risk management process in the university. In doing this, it has regard to best practice as recommended by professional institutes and other relevant organisations. Internal audit will:
a. Report its findings to the audit & risk committee.
b. Advise and make recommendations to the risk management committee and senior managers as appropriate.
11.1.1.6.7 Role of the Audit & Risk Committee
The audit & risk committee is responsible for monitoring the university’s general arrangements for risk management, and specifically for:
a. Advising the court on the effectiveness of policies and procedures for risk assessment and risk management.
b. Annually reviewing the university’s approach to risk management and, if appropriate, recommending changes or improvements to key elements of its processes and procedures. Providing a statement to the court annually indicating how the university has complied with good practice with regard to corporate governance and, in particular, in relation to effective risk management.
11.1.1.6.8 Role of All Faculty and Staff
All faculty and staff have a critical role to play in risk management. As a minimum, all members of the university have a responsibility to:
a. Effectively manage risk within their areas of responsibility in accordance with the university’s risk management policy and process.
b. Report risks beyond their scope of authority or resources to their superiors.
11.1.1.7 Risk Appetite
The risk policy and appetite establish the court’s commitment to the risk management framework and process, set the goals and objectives of the university’s risk management process, lay out risk management roles and responsibilities throughout the university and specify the amount of risk the university is willing to seek or accept in the pursuit of its long-term objectives. It indicates the parameters within which the university would want to conduct its activities.
In terms of priorities, the need to avoid reputational, compliance and overall financial risk will take priority over other factors; for example, it will be acceptable to undertake risks in research activities provided they do not expose the university to undue reputational, compliance or financial risk. Similarly, the university is open to innovation in education and student experience, if this supports and enhances its reputation and does not expose it to undue financial or compliance risks. A balanced assessment has to be taken of risks—in many cases there are risks attached to both doing something and doing nothing.
Given the devolved nature of the university, the statement is intended to act as a set of limitations within which academic and professional managers and committees should conduct their affairs, indicating:
a. the areas where colleagues should step out and be innovative;
b. the areas where colleagues should be conservative and compliant in their activities; and
c. the ‘lines’ which the university court and senior management do not wish to be crossed and where the university’s senior management and court would need to be notified.
Where appropriate, the implementation of the statement will be incorporated into processes and procedures of the university.
Responsibility for managing the activities of the university within the statement of risk policy and risk appetite lies with the management of the university, in particular heads of colleges, schools, professional services and subsidiary companies, as well as key university and college committees.
Statement of Risk Policy and Risk Appetite
The university’s approach is to minimise its exposure to reputational, compliance and financial risk, whilst accepting and encouraging an increased degree of risk in pursuit of its mission and objectives. It recognises that its appetite for risk varies according to the activity undertaken and that its acceptance of risk is subject always to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.
The university’s appetite for risk across its activities is provided in the following statements and is illustrated diagrammatically.
[Diagram: risk appetite scale from 1 (unacceptable to take risks) to 10 (higher willingness to take risks), shown for each area: Reputation; Compliance; Financial; Research; Education and student experience; Knowledge exchange; International development; Major change activities; Environment and social responsibility; People and culture.]
Risk Appetite Criteria:

| Score | Description |
|---|---|
| 1 | Court unwilling to accept risks with potential to impact this operational area, as extreme damage to the viability of the university could result. Sub-optimal performance is unacceptable. Failure is not an option. No margin for error. |
| 2 | Very reluctant to accept risks. Potential pay-off must substantially exceed costs, and robust controls must be in place to prevent or mitigate potential harm. Court must specifically approve taking these risks. Continual monitoring and regular reporting to court is expected if approval to proceed is granted. |
| 3 | Reluctant to accept risks in this operational area. Detailed business plan with formal risk assessment would be required demonstrating value of taking these risks. Existing risks above ‘medium’ in these categories must be reported to risk management committee. |
| 4 | Colleges and support groups can retain high risk in these areas, provided substantial potential benefits exist. Robust risk management and ongoing monitoring by heads of college is required. |
| 5 | Retaining these risks can be considered by colleges and groups provided resources exist internally to absorb potential losses and costs without impacting key operations and services, or other parts of the university. |
| 6 | Pursuit of opportunities is encouraged provided risks are considered and documented, and resources applied are commensurate with the potential benefit to the existing goals and objectives of the organisation. |
| 7 | Stretch targets are encouraged, even if failure is possible. Should not threaten the delivery of current key programmes, but project failure is possible and acceptable in pursuit of potential benefits. |
| 8 | Project teams and service groups can proceed in the face of significant risks provided reasonable mitigation strategies are in place. Heads of school should be aware of these activities’ risks. |
| 9 | Individuals are free to innovate and take intelligent risks provided some potential benefits exist. |
| 10 | Risk taking is encouraged, assuming it is legal and a degree of due diligence is applied. Chance of failure can be high and failure will be accepted in the pursuit of moderate rewards. |
Reputation—It is regarded as critical that the university preserves its high reputation. The university therefore has low appetite for risk in the conduct of any of its activities that puts its reputation in jeopardy, could lead to undue adverse publicity or could lead to loss of confidence by the Scottish and UK political establishment and funders of its activities.
Compliance—The university places great importance on compliance and has no appetite for any breaches in statute, regulation, professional standards, research or medical ethics, bribery or fraud. It wishes to maintain accreditations related to courses or standards of operation and has low appetite for risk relating to actions that may put accreditations in jeopardy.
Financial—The university aims to maintain its long-term financial viability and its overall financial strength. Whilst targets for financial achievement will be higher, the university will aim to manage its financial risk by not breaching the following minimum criteria [Footnote 30]:
Operational, Quantitative, Quarterly test
- We will ensure the basket of financial sustainability metrics is always at a weighted acceptable level.
Liquidity and gearing, Quantitative, Monthly test
- We will maintain at least one month’s equivalent average spend in cash or short-term deposits or negotiated bank facilities.
- We will ensure that the annual surplus before interest is at least two times the annual interest charge, except in exceptional circumstances as approved by court.
- We will limit borrowing over one year to 35% of net assets except in exceptional circumstances approved by court.
- We will ensure that all cash invested through the endowment fund portfolio can be liquidated with three months’ notice and that 30% can be liquidated with one month’s notice.
Qualitative
- We will maintain access to liquidity that will allow us to meet our obligations, even under stressed scenarios.
- We will limit volatility impact by securing fixed-rate long-term borrowing.
- We will maintain a portfolio of highly liquid assets to meet the liquidity outflows that may occur over the near term.
- We will maintain a contingency plan to address any unforeseen events.
Surplus, Quantitative, Annual test
- We will deliver a minimum annual operating surplus of at least 2% of turnover over any three-year period unless court approves a specific alternative.
- We will operate with a staff cost/total expenditure ratio of less than 60%.
The above statements take priority over the statements of areas of risk appetite below.
Research—The university wishes to be at the leading edge in the creation of knowledge and making a difference to society. It wishes to grow its research activities and improve its performance in each REF [research excellence framework] assessment compared to the previous assessment. It recognises that this will involve an increased degree of risk in developing research activities and is comfortable in accepting this risk subject to (a) limitations imposed by ethical considerations and (b) ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.
Education and Student Experience—The university wishes to stimulate students to develop a lifelong thirst for knowledge and learning and encourage a pioneering innovative and independent attitude and an aspiration to achieve success. It expects as a minimum to be in the top quartile of surveys related to student experience. It recognises that this should involve an increased degree of risk in developing education and the student experience and is comfortable in accepting this risk subject always to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.
Knowledge Exchange—The university wishes to be amongst the leaders in transforming knowledge, ideas, skills and expertise into advice, innovation, intellectual property and enterprise, thereby enriching society. It recognises that developing this may involve an increased degree of risk and is comfortable in accepting this risk subject always to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.
International Development—The university aims to achieve global impact in its activities and to promote research and other collaborations and staff/student exchanges with leading institutions across the world. It has a strong appetite for developing such networks to the extent that they support the mission and reputation of the university, a medium appetite for investing in research facilities overseas and a low appetite for investing in the development of student campuses outside of the UK.
Major Change Activities (e.g., projects, collaborations, mergers)—Major change activities are required periodically to develop the university and to adapt to changes in the regulatory and technological environment and in the nature and conduct of the university’s activities. The university expects such changes to be managed according to best practice in project and change management and has low appetite for deviating from such standards.
Environment and Social Responsibility—The university aims to make a significant, sustainable and socially responsible contribution to Scotland, the UK and the world through its research, education, knowledge exchange and operational activities. It recognises that this should involve an increased degree of risk and is comfortable in accepting this risk subject always to ensuring that potential benefits and risks are fully understood before developments are authorised and that sensible measures to mitigate risk are established.
People and Culture—The university aims to value, support, develop and utilise the full potential of our staff to make the university a stimulating and safe place to work. It places importance on a culture of academic freedom, equality and diversity, dignity and respect, collegiality, annual reviews, the development of staff, and the health and safety of staff, students and visitors. It has low appetite for any deviation from its standards in these areas.
Example 3.
A State-Owned Enterprise: (This is an extract from NETWORK RAIL LIMITED ANNUAL REPORT AND ACCOUNTS 2016 [Footnote 31])
Network Rail owns and operates most of Britain’s railway infrastructure, including 20,000 miles of track, 30,000 bridges and viaducts and thousands of signals, tunnels, level crossings and points. We also manage rail timetabling and operate 20 of the largest stations. Our role is to provide a safe, reliable and efficient railway while growing and upgrading the network to better serve passengers and freight.
Network Rail is a public sector company, answerable to the Department for Transport (DfT) and Transport Scotland. It is governed by a board.
OUR APPROACH TO RISK MANAGEMENT
Our assets across the country work 24 hours a day, seven days a week, to provide a safe, reliable rail network. We are committed to providing a railway infrastructure that meets the performance and safety expectations of the travelling public, operating companies, and the tax payer.
With many assets working with often extreme environmental pressures, occasionally things break down. We are committed to resolving issues quickly in order to maintain service. We are also committed to improving our assets through comprehensive enhancement and maintenance programmes. In scheduling this work we recognise the disruptive impact on both the public and our commercial customers and strive to minimise disruption to complete works as efficiently as possible.
The purpose of our Enterprise Risk Management (ERM) process is to identify and mitigate risks to the delivery of a safe, reliable, and efficient service to our customers. Our ERM framework supports all areas of the business to recognise both risk and opportunity early. Early recognition of risk allows us to work collaboratively and proactively with customers, stakeholders, and suppliers to manage our extensive portfolio of works better. Being better every day requires us to look at areas where we can improve our service. By careful consideration of risk, we can focus on those opportunities that have the highest potential to increase efficiency and provide a better experience for our customers.
Introduction:
- Across Network Rail our approach to risk management balances the risks associated with our operational environment with identifying opportunities to improve performance through careful acceptance of some risk. We recognise our status as a regulated rail network infrastructure provider and the importance of maintaining essential service provision.
- We have reviewed the original risk mitigations in place to manage the costs of our enhancement and maintenance works portfolio. The three major reviews … completed this year have also affected our risk landscape. Whilst the full extent of any future structural changes is yet to be understood, we will be proactive in looking at the opportunities available and how we can effectively manage the risks.
- Due to the nature of some of our principal risks and the level of uncertainty, we continually assess both the risk and the appropriateness of mitigations.
Embedded Risk Management Processes:
- We take an enterprise-wide approach to risk management and have in place an ERM framework for the identification, analysis, management and reporting of all risks to strategic objectives. The framework also takes account of operational risk and recognises the need for specialist approaches in areas such as safety, project management and information security. The use of a standard risk assessment matrix and defined risk appetite supports and enables the integration of the strategic and operational risk management approaches. Clear escalation criteria and the use of business assurance committees throughout the business provide structure, increasing visibility and challenge on the management of risks.
- Whilst the ultimate responsibility for risk management rests with the board, it delegates the more detailed oversight of risk management and internal control principally to the audit and risk committee, which reports the findings of its reviews to the board.
- The audit and risk committee receives regular reports from the internal auditors and independent auditor and reviews progress against agreed action plans to manage identified risks.
- Detailed oversight of safety-related risks is delegated to the safety, health and environment committee.
Approach to Risk Assessment:
- The ERM framework provides a standardised approach to the identification, assessment, recording and reporting of significant risks. We analyse the possible causes of a risk and assess what the impact could be if the risk were to occur. By using standard risk assessment criteria based on our performance targets we are able to have a visible link to the achievement of business objectives.
- For each risk we identify current controls and their effectiveness to manage underlying causes and minimise consequences. We identify risks from a strategic view (top down) and from the operational environment (bottom up) to give better visibility of risk exposure across the business.
- Monitoring risk exposure and the effectiveness of the controls in place is an ongoing part of risk assessment. The establishment of early warning indicators is one of the most recent areas of improvement activity within the framework. We have introduced visualisation boards to aid the monitoring of performance against operational targets. These boards, as part of the periodic reporting process, are also being used to track early warning indicators linked to risks.
- We have also introduced further clarity around linked risks through innovative use of visualisation technology. This allows us to see the relationships between risks and analyse potential aggregated impacts or weak controls.
- Through the use of defined risk appetite and our ability to see the relationships between our principal risks we can further analyse our capacity to manage risk outcomes. This also enhances our ability to make decisions on which risks require further mitigation or where we can pursue opportunity.
Categories of Risks (i.e., Safety, Performance, Value) and Who Manages Them:
- All principal risks are mapped to performance reporting and strategic objectives. The assessment of risk is informed by the performance targets and the company’s risk appetite statements. Each principal risk is assigned an executive committee owner.
Network Rail’s Defined Risk Appetite Is as Follows:
- ‘Network Rail has no appetite for safety risk exposure that could result in injury or loss of life to public, passengers, and workforce. Safety drives all major decisions in the organisation. All safety targets are met and improved year on year.’
- ‘In the pursuit of its objectives, Network Rail is willing to accept, in some circumstances, risks that may result in some financial loss or exposure including a small chance of breach of the loan limit. It will not pursue additional income generating or cost saving initiatives unless returns are probable (85 percent confidence interval (CI) for income; 60 percent CI for cost where potential for cost reductions are large).’
- ‘The company will only tolerate low to moderate gross exposure to delivery of operational performance targets including network reliability and capacity and asset condition, disaster recovery and succession planning, breakdown in information systems or information integrity.’
- ‘The company wants to be seen as best in class and respected across industry. It will not accept any negative impact on reputation with any of its key stakeholders, and will only tolerate minimum exposure i.e., minor negative media coverage, no impact on employees, and no political impacts.’
Risk Areas:
- Safety: Three strategic risks are identified. The responsible risk owners are the Group Director of Safety, Technical and Engineering and the Managing Director, England and Wales.
- Value: One strategic risk is identified. The responsible risk owner is the Chief Financial Officer.
- Performance: Six strategic risks are identified. The responsible risk owners are the Group Human Resources Director; the Managing Director, England and Wales; and the Managing Director, Infrastructure Projects.
- The annual report identifies in detail each area of strategic risk; these can be found on pages 38 to 42 of the annual report.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2024 The Author(s)
About this chapter
Cite this chapter
Hepworth, N. (2024). International Standards of Internal Control Relevant to the Application of PFM/IC. In: Public Financial Management and Internal Control. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-031-35066-5_11
DOI: https://doi.org/10.1007/978-3-031-35066-5_11
Publisher Name: Palgrave Macmillan, Cham
Print ISBN: 978-3-031-35065-8
Online ISBN: 978-3-031-35066-5