Risk Management: Achieving the Value Proposition

BY PAUL WALLIS


February 2012 | Government Finance Review 37

Risk management is more than preventing bad things from happening. Properly implemented, it can provide strategic and operational opportunities by focusing activities on what is important to an organization. Risk management creates value by providing opportunities for process improvement, controlling the risks that can hurt the organization most, breaking down silos, and helping the organization achieve its objectives. It empowers employees by better defining the risk framework management and staff work under, thus supporting more timely decision making and the potential for managing issues before they become problems.

Not all risk is bad. While we tend to focus on the negative when considering risk management, risk is in fact the chance of something happening that might have an impact on a jurisdiction’s objectives, and it can be bad or good. In fact, as the economic situation requires managers to be more creative in dealing with budget issues, risk can be an important tool — risk and innovation are inextricably linked.

In the public sector, there are great opportunities for streamlining processes and being more strategic in meeting citizen needs. Accountability, however, remains a major issue. Citizens expect top-quality service, quickly, yet they also want to be sure taxpayer money is well managed. These conflicting objectives can mean spending more on processes to manage certain risks that would have less of an impact in private-sector organizations — for instance, expense reporting, procurement, travel, and training. The public then perceives the enhanced oversight as increased bureaucracy and, to some extent, trusts government less because of it.

DEFINING RISK AND RISK MANAGEMENT

Risk can simply be defined as the effect of uncertainty on objectives or outcomes. Risk management refers to the coordinated activities used to direct and control an organization’s response to risk. Effective risk management, also referred to as enterprise risk management or integrated risk management, is holistic, addressing risk that affects the organization as a whole. Risk can arise from internal or external sources, including an organization’s inability to achieve its objectives, client dissatisfaction, unfavorable publicity, threats to physical safety, security breaches, mismanagement, equipment failure, and fraud.

An effective risk management initiative includes the following attributes:

• It is a coordinated activity.
• It supports business objectives.
• It is strategic.
• It is a process, part of the organization’s fabric.
• It supports informed decision making.
• It provides reasonable assurance (because risk is not eliminated but managed).

An organization that understands risk and risk management can take advantage of opportunities that present themselves; in this way, risk management can be a value proposition (see Exhibit 1). For example, processes and controls can be rationalized, and activities focused on the key risks. This enables a more holistic and informed view of programs, services, and processes.

Successful risk management is a combination of and careful balance between two key components: risk and cost. Assuming that the questions in the risk and cost columns can be answered positively, the potential value of risk management can begin to be realized.

KEY SUCCESS FACTORS

Many public-sector organizations realize the benefits and value of risk management, applying a variety of techniques. Good risk management frameworks are available to help guide implementation, including the global standard, The International Organization for Standardization’s ISO 31000 (at www.iso.org), and the framework developed in the United States by the Committee of Sponsoring Organizations, COSO ERM (at www.coso.org).

Unfortunately, organizations sometimes jump right in and try to implement risk management very quickly. This leads to corporate, top-down approaches that can result in failure. Organizations that are already stressed tend to view this approach as just another corporate project that requires additional processes and more work. Another common problem is identifying risks and finding quick solutions without considering the organization’s business or strategic objectives or culture.

To a large extent, effective risk management can shape an organization’s culture.

The following five activities are essential to a successful risk management initiative.

Understanding the Organization’s Culture. While it may seem daunting, this is probably the most important step. Public-sector organizations are generally risk averse. Processes and controls are developed to minimize risk as much as possible, sometimes to a degree that causes inefficiency. A hierarchical organization with strong central management, layers of approval processes, and multi-layered controls comprising long, detailed policies and procedures is not managing risk effectively. Instead, it is being managed by risk. Trust and innovation are stifled under this scenario, diminishing the value proposition.

Obtaining Commitment from the Board and Executive Management. High-level support is needed to gain traction. The objective is not to get the board or senior management to mandate a risk management initiative, but to champion the benefits and the value proposition while allocating resources.

Exhibit 1: Risk Management as a Value Proposition

Risk and Cost (questions to answer):

• Does the organization understand the risks it faces?
• Does the organization understand what the key risks are?
• Does the organization have an effective risk reporting mechanism?
• Has the organization defined its risk attitude or tolerance?
• Does the organization accept the right level of risk?
• Does the organization know if risks are being properly managed?
• Does the organization have a comprehensive risk management process or methodology in place?
• Is the organization focused on the risks that matter?
• Does the organization have duplicating or overlapping risk functions?
• Does the organization leverage automated controls versus manual controls?
• Does the organization optimize the use of technology to manage risk?
• Does the organization have an overall risk mitigation strategy that focuses on minimizing costs?

Value:

• Risks aligned to business, program, and process objectives.
• Alignment of risk to customer service.
• More informed decision making as risks both positive and negative are better understood.
• Service or program delivery that optimizes risk versus funding.
• The right mitigation strategies (controls) to manage the right risks.

Keeping the Process Simple. Existing frameworks provide good guidance, but overly strict adherence can be a problem. For example, COSO has been criticized as a complicated framework that is difficult to implement. An organization needs to tailor its risk management strategy based on the critical risks it has identified. The value proposition is to identify, assess, and mitigate key risks. The number of risks a jurisdiction’s executive management and governing body should address depends on individual differences, but organizations generally consider 10 to 30 critical risks. These risks will be at a high level and will drive more detailed risk management at the management and staff levels.

Linking Risks to Strategic/Business Objectives. According to a report from the Economist Intelligence Unit, “only 47 percent of respondents [to an EIU survey] believe that their organization is effective at linking risk with corporate strategy.”¹ Implementing an effective risk management strategy is difficult if it is not linked to the organization’s strategic, program, and project objectives. Risks related to achieving those objectives, both positive and negative, should be identified, assessed, and mitigated.

Recognizing that Risk Management is a Form of Change Management. Organizations that introduce risk management as an overall organizational initiative cannot succeed without paying attention to change management. An effective change management process builds organizational awareness, desire, knowledge, and ability. Risk management has to go through the same process. Organizational buy-in is vital to success. Risk management works well in a supportive, transparent, non-autocratic environment. The culture has to be open, willing to talk about risk, and able to have meaningful, constructive conversations. If the culture doesn’t support this openness, success is diminished.

Exhibit 2: The Enterprise Risk Management Process

Organizational Environment or Context (culture, risk attitude, governing body/senior management commitment, or strategic plan)

1. Define objectives/outcomes
   • Business program, process or project objectives/outcomes
   • Performance measures (KRI)
   • Risk tolerance (KRI)
2. Identify risks or events
   • Risk categories
   • Event list
   • Scenario analysis (what if?)
   • Assessment questions
3. Analyze drivers and effects
   • Risk source
   • Why does the risk exist? (root cause)
   • Potential harm (what might happen?)
   • Opportunity?
4. Determine significance and likelihood
   • The relative importance, within a given context (impact)
   • A probability or chance of a risk or event happening (likelihood)
5. Method for managing risk
   • Avoid risk (stay out of the program or business)
   • Accept the risk (take a chance)
   • Reduce to acceptable level
   • Transfer (insurance)
6. Design mitigation strategies (controls)
   • Controls mitigate risk
   • Controls are cost effective: detective, preventative, directive, corrective
   • Design to seize opportunity

Risk Reporting (key risks by category, by event, top five)

BUILDING THE VALUE PROPOSITION

For risk management to be viewed as a value proposition, it must be a key component of organizational governance. That means it is built into the normal business practices of the organization. Exhibit 2 illustrates a six-step process to help organizations build the value proposition, based on business processes already in place, including strategic and operational planning, performance reporting, and control design.

Jurisdictions need to assess the organizational environment or context to determine risk management readiness. Not all public-sector organizations are ready to embrace enterprise risk management. If there is uncertainty about the culture, commitment or expected value, it is best to stop here and address gaps.

Organizations can use the six-step model as a guide. Do all areas of the organization understand the key strategic objectives and how the organization’s functions and processes support those objectives? For example, a key strategic objective for a public-sector organization might be to “protect, enhance, and restore the environment,” and a number of specific business objectives and processes support this objective. They could include recruiting the right people with the right skills, purchasing the right goods and services at the right time, and providing adequate funding. Aligning objectives and defining outcomes sets the stage for risk management.

Given the organization’s understanding of its objectives and desired outcomes, how does it measure success — what are its performance measures? And, based on those measures, what is its tolerance for risk? For instance, a certain error rate on processing accounting transactions might be acceptable because eliminating the risk costs more than it saves. What is that rate, and when it is exceeded, can the organization proactively manage corrective action?

Can the organization identify the risks and opportunities that affect its objectives? Analyzing scenarios and asking the “what if” question provides the decision framework needed to identify key risks and balance negatives against opportunities. Potential risk events include natural disasters, economic downturn, funding cuts, workforce availability, privacy concerns, and increased legislation.

Exhibit 3: Risk Categories

• Strategic Risk: Political, Social, Economic, Environmental, Governance, Asset Planning, Strategic Planning
• Operational Risk: People, Technology/Information, Emergency/Business Recovery, Contractual/Procurement, Service Delivery/Process
• Financial Risk: Credit, Capital Adequacy, Market
• Compliance Risk: Law, Regulations, Policy
• Reputational Risk
• Integration (the categories are interrelated)

Managing each potential risk event or scenario can be complex and time consuming. Categorizing risks is often helpful, as it allows the jurisdiction to manage risks from an organization-wide level. For example, workforce availability might threaten a number of key business objectives. If it becomes an issue throughout the organization, it can be managed as a risk category across the jurisdiction, instead of in silos or at the specific business process or program level. When categorizing, keep in mind that risks do not operate in isolation; they are interrelated or integrated. An operational risk can lead to a reputational risk.

Exhibit 3 provides an example of five broad public risk categories and the types of risks that could be attributed to each category.

Once risks are identified, what is their likelihood and potential impact? The assessment process helps management focus on the key risks, enabling quicker implementation of risk management and thus providing value faster. This is a time when opportunity can be realized; the organization can be made more efficient by eliminating services or processes that do not meet business objectives or address any significant risks. Changes like these can reduce bureaucracy and open the door to innovation.

A popular tool for assessing risk is the heat map. Jurisdictions can use internal surveys, risk workshops, or interviews to collect information to populate the heat map, shown in Exhibit 4. Once risk information is collected and analyzed, the organization can develop its risk profile. In this example, reputational and business recovery risk represent key risks and would deserve more attention and mitigation (control strategies) than, say, policy risk, which is likely to happen but unlikely to have much of an impact. As a medium to low risk, it would require less attention.
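The heat map assessment described above can be reduced to a small scoring routine. The Python below is an added example, not code from the article or from the Region of Peel: the risk names follow Exhibit 4, but the likelihood and impact scores, the multiplicative score, and the band thresholds are constructed assumptions that a jurisdiction would replace with its own risk attitude.

```python
"""Risk heat map scoring (added example; scores and thresholds are assumed)."""
from __future__ import annotations

from dataclasses import dataclass

SCALE = (1, 2, 3, 4, 5)  # both axes run from 1 (low) to 5 (high)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # chance of the event happening, 1..5
    impact: int      # relative importance in context, 1..5

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot hide a key risk.
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.name}: scores must be in {SCALE}")

    @property
    def score(self) -> int:
        # Multiplicative score; an organization may weight impact more heavily.
        return self.likelihood * self.impact


def band(risk: Risk) -> str:
    """Map a risk to a tolerance band. Thresholds are an assumed policy."""
    if risk.score >= 15 or risk.impact == 5:
        return "key"      # high on both axes, or catastrophic impact regardless
    if risk.score >= 8:
        return "medium"
    return "low"


def rank(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact, then by name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def key_risks(risks: list[Risk], limit: int = 5) -> list[str]:
    """The 'top five' key risks that Exhibit 2 suggests reporting."""
    return [r.name for r in rank(risks) if band(r) == "key"][:limit]


def render(risks: list[Risk]) -> str:
    """ASCII heat map: rows are impact 5..1, columns likelihood 1..5.

    Each cell lists the 1-based index numbers of the risks plotted there.
    """
    cells = {(lk, im): [] for lk in SCALE for im in SCALE}
    for idx, r in enumerate(risks, start=1):
        cells[(r.likelihood, r.impact)].append(str(idx))
    lines = ["Impact"]
    for im in reversed(SCALE):
        row = "".join(",".join(cells[(lk, im)]).rjust(5) for lk in SCALE)
        lines.append(f"  {im} |{row}")
    lines.append("    +" + "-" * 25)
    lines.append("     " + "".join(str(lk).rjust(5) for lk in SCALE) + "  Likelihood")
    return "\n".join(lines)


# Constructed sample scores, numbered as in Exhibit 4 (not the article's data).
SAMPLE_RISKS = [
    Risk("Reputational", 5, 5),
    Risk("Technology", 3, 3),
    Risk("People", 3, 3),
    Risk("Economic", 2, 4),
    Risk("Business Recovery", 4, 5),
    Risk("Credit", 2, 2),
    Risk("Social", 1, 3),
    Risk("Policy", 5, 2),   # likely to happen, little impact
]

if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    for r in rank(SAMPLE_RISKS):
        print(f"{r.name:18} L={r.likelihood} I={r.impact} score={r.score:2}  {band(r)}")
```

The `band` rule deliberately treats any impact-5 risk as key even when it is unlikely: a rare catastrophic event (the "loss of human life" case mentioned later in the article) should never be averaged away by a low likelihood score.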

DECIDING WHAT TO DO

After key risks have been identified and assessed, four decision options are available:

• Avoid. Decide against providing a program or service because the cost or risk is greater than the opportunity or benefit the program or service provides.
• Accept. Consider options and recognize tradeoffs, if the opportunities presented might be greater than the cost or risk of loss or harm. There is always a level of uncertainty, which is the price of innovation.
• Reduce or Mitigate. Find a balance between opportunity and risk of loss or harm by evaluating cost versus likelihood and impact and then implement the appropriate mitigation strategies or controls.
• Transfer. Share the burden with a third party, combining acceptance and reduction of the risk. Examples include insurance, service-level contracts, and partnership agreements. An organization cannot insure against or transfer every risk, so it needs to make informed decisions about what risks to accept, avoid, and mitigate. Getting the right balance is the value proposition.

Exhibit 4: Example of a Risk Heat Map

[Figure: a grid plotting Impact (vertical axis, 1 to 5) against Likelihood (horizontal axis, 1 to 5), with each numbered risk plotted as a point.]

Risks plotted: 1. Reputational; 2. Technology; 3. People; 4. Economic; 5. Business Recovery; 6. Credit; 7. Social; 8. Policy

If the organization decides to reduce or mitigate risk, a variety of mitigation strategies are available. They include preventative, detective, directive, and corrective controls.

Preventative Controls. These are designed to limit the possibility of an undesirable outcome. The more important it is that an undesirable outcome not arise, the more important it becomes to implement appropriate preventative controls, which tend to be the most cost effective and proactive controls. Examples include authorizations and approvals, physical access controls, and automated controls that limit access or ability to initiate transactions.

Detective Controls. Designed to identify occasions when an undesirable outcome has been realized, these controls are appropriate only when it is possible to accept the loss or damage incurred and then attempt to correct after the event. Examples include reconciliations, post-implementation reviews, exception reports, and monitoring and oversight controls.

Directive Controls. Designed to ensure that a particular outcome is achieved, this type of control does not prevent or detect undesirable events. Instead, it encourages positive behavior. These are “soft” controls, embedded in the culture of an organization. Examples include value statements, ethics, codes of conduct, policies, performance guidelines, and education and training.

Corrective Controls. These are designed to correct undesirable outcomes that have already occurred. They provide a means of recourse for achieving some recovery against loss or damage. Examples include insurance and business recovery planning.

Organizations need to put the right control in place for a given risk. Apart from the most extreme undesirable outcome (such as loss of human life), it is normally sufficient for a mitigation strategy to give a reasonable assurance of confining likely loss within the risk attitude or tolerance of the organization. Every control action has an associated cost, so the control should provide value for the money spent, in relation to the risk being controlled. Again, generally speaking, the purpose of control is to constrain risk rather than to eliminate it.
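The difference between a preventative and a detective control, in working code. This Python is an added example, not code from the article; the payment ledger, the approval limit, the segregation-of-duties rule and the sample transactions are all constructed assumptions. The preventative control refuses to post a payment that lacks the required authorization, while the detective control reconciles what was posted against a bank statement afterwards and produces an exception report, catching an entry that bypassed the preventative check.

```python
"""Preventative vs. detective controls on a payment ledger (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

APPROVAL_LIMIT = 5_000  # assumed policy: larger payments need a second approver


class ControlViolation(Exception):
    """Raised by the preventative control when a payment is refused."""


@dataclass(frozen=True)
class Payment:
    payment_id: str
    requester: str
    amount: int
    approver: Optional[str] = None


@dataclass
class Ledger:
    authorised_requesters: frozenset
    approvers: frozenset
    posted: list = field(default_factory=list)

    def initiate(self, p: Payment) -> str:
        """Preventative control: the payment is checked before it is posted."""
        if p.requester not in self.authorised_requesters:
            raise ControlViolation(f"{p.payment_id}: {p.requester} may not initiate payments")
        if p.amount > APPROVAL_LIMIT:
            if p.approver not in self.approvers:
                raise ControlViolation(f"{p.payment_id}: amount above limit needs a valid approver")
            if p.approver == p.requester:
                raise ControlViolation(f"{p.payment_id}: requester cannot approve own payment")
        self.posted.append(p)
        return p.payment_id


def exception_report(ledger: Ledger, bank_statement: list) -> list:
    """Detective control: reconcile the ledger with the bank statement after the fact.

    Returns sorted (payment_id, finding) pairs. It catches entries that never
    passed through initiate(), such as a manual journal appended to the ledger.
    """
    findings = []
    by_id = {p.payment_id: p for p in ledger.posted}
    bank = {row["payment_id"]: row["amount"] for row in bank_statement}
    for pid, p in by_id.items():
        if pid not in bank:
            findings.append((pid, "posted but not paid"))
        elif bank[pid] != p.amount:
            findings.append((pid, "amount differs from bank statement"))
        if p.amount > APPROVAL_LIMIT and (
            p.approver not in ledger.approvers or p.approver == p.requester
        ):
            findings.append((pid, "above limit without valid approval"))
    for pid in bank:
        if pid not in by_id:
            findings.append((pid, "paid but not in ledger"))
    return sorted(findings)


def demo() -> tuple:
    """Run both controls over constructed sample data; returns (refused, findings)."""
    ledger = Ledger(frozenset({"alice", "bob", "carol"}), frozenset({"carol", "dave"}))
    refused = []
    for p in [
        Payment("P1", "alice", 1_200),                     # fine, below the limit
        Payment("P2", "bob", 9_000, approver="carol"),     # fine, valid approver
        Payment("P3", "mallory", 500),                     # refused: not authorised
        Payment("P4", "carol", 8_000, approver="carol"),   # refused: self-approval
        Payment("P5", "alice", 7_500),                     # refused: no approver
    ]:
        try:
            ledger.initiate(p)
        except ControlViolation:
            refused.append(p.payment_id)
    # A manual journal entry appended directly, bypassing the preventative control.
    ledger.posted.append(Payment("P6", "alice", 12_000))
    # Constructed bank statement: P2 paid for a different amount, P7 unknown to the ledger.
    statement = [
        {"payment_id": "P1", "amount": 1_200},
        {"payment_id": "P2", "amount": 9_500},
        {"payment_id": "P6", "amount": 12_000},
        {"payment_id": "P7", "amount": 300},
    ]
    return refused, exception_report(ledger, statement)


if __name__ == "__main__":
    refused, findings = demo()
    print("refused by preventative control:", refused)
    for pid, finding in findings:
        print(f"exception report: {pid}: {finding}")
```

Neither control is sufficient alone: the preventative check stops P3, P4 and P5 before any money moves, but it is silent about P6, which was posted around it, and about the bank paying a different amount for P2; the reconciliation surfaces both, at the price of discovering them only after the fact, which is exactly the trade-off the article describes.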

CONCLUSIONS

Risk management helps expose uncertainty and allows for full exploration of an issue, which helps provide all the information needed to make good decisions for the organization. Although risk management cannot guarantee the one “right” decision, it does help provide the best information possible.

Note

1. Beyond Box Ticking: A New Era for Risk Management, The Economist Intelligence Unit, 2009.

PAUL WALLIS is director, internal audit, for the Region of Peel, Ontario, Canada. He can be reached at [email protected]

The Role of the Finance Officer

The chief financial officer (CFO) plays a significant role in risk management and risk governance. According to a survey conducted by the Economist Intelligence Unit, the CFO was cited as second in ultimate responsibility for risk management content and process, after the head of an organization (chief executive officer or equivalent).*

A jurisdiction’s CFO and financial officers have a strategic view of the entire organization and can help advise other senior officials and governing bodies about the risks the organization faces. By further integrating the risk management tools available, financial officers can help the organization assess, manage, and report the organization’s key risks.

However, financial officers do not have exclusive responsibility for risk. That responsibility is organization-wide. Jurisdictions need to develop a risk management culture that builds awareness and organizational buy-in; CFOs and their staffs have an important role in building that awareness and shaping the culture.

* Beyond Box Ticking: A New Era for Risk Management, The Economist Intelligence Unit, 2009.
