New boundaries

The public sector is changing, with organisational shifts creating new paradigms. Managing risk in this fast-paced environment demands major multi-tasking, says Martin Allen-Smith

As public sector risk experts prepare to gather for this year’s Alarm conference, it is hard to remember a time when there has been quite such large-scale change on the horizon. With time and focus spread across a range of priorities including budget, strategy, structure and services, the many and varied changes to existing processes inevitably bring fresh opportunities and new risks.

An across-the-board tightening of the purse strings has not made the task any easier. Bill Sulman, public sector director at Aon Risk Solutions, says public sector bodies need to demonstrate to insurers that reductions in budget and resources have not led to increased risk or that [it] has been assessed and mitigated.

“We suggest an audit of strategic and operational risks to give an independent view of the progress made,” he says. “It is sometimes inevitable that reduction in resources leads to a change in attitude to risks – a change in risk appetite.”

Where cost savings are concerned, sharing central services and outsourcing certain others have long been the modus operandi. JC Applications Development’s Phil Walden says many authorities are looking to save money by offering shared back office services and by outsourcing some traditional activities, but that it’s not as straightforward as it may seem.

“This raises some serious challenges for risk practitioners in that the threats remain but often they are further removed from management. Liability still rests with the local authority but it has less involvement and oversight in the management of these outsourced services.”

Information governance continues to be an area that public sector bodies struggle to get to grips with. “Changes and improvements to how data is supposed to be managed are becoming more rigorous and this will increase with the new EU data protection legislation. We are often asked for tools that can help better manage this area – for example ISO 27001 – and we are working with some third parties to develop appropriate templates that will make the process easier and quicker by giving a robust starting point for this work.”

Structural change

There are several major changes to the structure and culture of public sector authorities across the country, not least the issue of devolution, which experts say will mean fewer actual delivery bodies but no fewer risks. In fact, it is thought that it could increase them. Combined authorities will still have the same responsibilities, but most probably magnified across a larger delivery mechanism with fewer people to deliver the service.

Aon’s Sulman says he’s already seeing police and fire authorities merging and collaborating, and that the same is happening with local councils.

“The risk profile changes, the time available to properly manage risk decreases and this – combined with a possible loss of corporate knowledge – presents our clients with an increased risk in many areas of operation. Statutory services still need to be delivered but in a new organisation and under a more commercial regime,” he explains.

Sulman stresses the need to manage risk should increase at a time when staff and resources are reducing, or in some cases disappearing. As such, public sector bodies need to reassess their attitude to risk, become more risk-aware and probably more risk-taking. This results in a higher risk appetite and ability to retain risks but with possibly fewer proper assessments. “This affects areas such as highways, children and adult services and other statutory services. The establishment of alternative delivery vehicles can alleviate some risks and reduce costs but cannot avoid or transfer residual risks.”

With devolution now becoming a reality for an increasing number of councils across the country, existing leaders must ensure that they are fully prepared for the risks attached. This is especially true as the speed of change picks up pace. With councils taking over responsibility for an ever greater number of local services, council bosses will inevitably find themselves in charge of an increasingly large budget which will undoubtedly effect a number of changes across the existing systems.

Andrew Jepp, head of public sector at Zurich Municipal, says that for council chiefs, this could represent a significant adjustment in how they manage their finances, whilst greater decision-making powers will also leave most council chiefs faced with new and significant questions on the issues of risk sharing and governance.

“Devolution will also mean that councils are increasingly forced to rely on new partners and third parties for service provision. This, in turn, will bring its own set of risks,” he explains. “With the use of outsourcing destined to become increasingly prevalent as regional devolution gains strength, all parties must ensure that the allocation of responsibility and accountability is made clear from the start.”

Local government will have to develop strategies to deal with these risks, but Jepp warns that no single strategy will be appropriate for all authorities, and councils will need to work with their partners and learn from best practice to ensure they have a tailored risk management programme in place.

Another large-scale issue affecting some regions is the move towards the creation of combined authorities – or so-called ‘super councils’ – which sees local bodies working together on certain strategic areas of their operations. Supporters of the idea point to the economies of scale it can bring, the reduction of duplication, and giving authorities a greater voice within central government.

Combined authorities and regional devolution is perhaps the biggest development to affect local government in over 50 years. Whilst hugely exciting, it is also a massive experiment and one that continues to create a great number of risks.

In the most immediate term, council chiefs must ensure that they have proper risk management measures in place from the outset as their supply chain becomes more complex. This will bring about a variety of new risks. “Local authorities must therefore work with their insurance partner to ensure that they have very clear, well-defined contracts. [They] might already find it difficult to determine who is responsible when something goes wrong. Indeed, the courts are still finding that in some cases the responsibility still lies with the local authority, whether the third party was liable or not. For super-combined authorities, this risk is likely to become even more pronounced,” Jepp explains. “And even if the super combined authorities don’t pay the price financially, there can be little doubt that their reputation will be at risk – this will be vital to combat whilst super-combined authorities are in their infancy.”

A digital future

Looking ahead, there are plenty of new issues that have evolved from once potential future threats to the here and now, not least the ongoing march towards a digital future.

Whilst the continuing move towards digitalisation will increasingly act to assist local authorities as they take on ever greater responsibility, it is also likely to bring an ever-greater number of risks for public sector leaders in the coming years. “As with the organisational changes being made elsewhere, the move towards digitalisations brings with it a number of risks – cyber crime incidents in local authorities are becoming increasingly common, and reports of data fraud persist,” Jepp warns. Councils must therefore ensure that the appropriate data protection processes are put in place to keep online services secure and to avoid any substantial fines that may result.

This article was published in the May 2016 issue of CIR Magazine.

Download in PDF format

Click here for more interviews and analysis

Contact the editor

Follow us on Twitter

    Share Story:


Cyber risk in the transportation industry
The connected nature of the transport and logistics industries makes them an attractive target for hackers, with potentially disruptive and costly consequences. Between June 2020 and June 2021, the transportation industry saw an 186% increase in weekly ransomware attacks. At the same time, regulations and cyber security standards are lacking – creating weak postures across the board. This podcast explores the key risks. Published April 2022.

Political risk: A fresh perspective
CIR’s editor, Deborah Ritchie speaks with head of PCS at Verisk, Tom Johansmeyer about the confluence of political, nat cat and pandemic risks in a world that is becoming an increasingly risky place in which to do business. Published February 2022.