Risk and Responsibility: Leading in a PGPA World


Australian Government Leadership Network Conference: Designing and Leading High Performing Organisations

Sydney – Friday 4 September 2015

“Risk and Responsibility: Leading in a PGPA World”


All public policy involves risk.

The corollary to this is that public policy professionals should, as part of their craft, think about risk when they design policies and manage their roll out.

Ministers expect us, as public policy practitioners, to identify where risks lie and to develop strategies for handling them.

So does the public.

So, if knowing risk is a core skill for people like us, then why is it that we still see the consequences of poor or no risk planning in government – from the failure of the Home Insulation Program to the loss of ballot papers in the 2013 election for Western Australian senators?

Why do things go so wrong, sometimes with catastrophic consequences?

Can we stop bad things happening, without blocking good things from emerging?

How can we engage with risk actively and intelligently, without becoming so risk averse that we invent process and exacerbate red tape requirements to constrain innovation, agility and the delivery of value for money outcomes?

Today I want to explore the theme of risk and responsibility in government.

Today I want to talk about risk management in general, with a focus on developments in the Commonwealth government under the Public Governance, Performance and Accountability Act – or PGPA Act – that commenced operation last year.

My proposition is that good risk management depends on the right risk frameworks being in place; with strong leadership driving a mature risk culture, giving clear expression of risk appetite and supporting sensible risk management practice.

Of key importance is the overarching culture within which this risk practice sits.

Risk aversion leads to poor risk practice, where process overshadows thinking and compliance behaviours displace the exercise of judgement.

The attitude to risk in the Commonwealth public sector is driven by a range of factors, both external and internal; and despite evidence that risk management practices are maturing, I think that all too often we focus on reputational risk above other types of risk.

This could be because we work in a political system.

But as risk management in the Commonwealth matures – and there is clear evidence that this is happening under the PGPA Act and the new Commonwealth Risk Management Policy that was released last year – we need to think how to improve the quality and cost of public sector outputs and outcomes by engaging more effectively with risk.

We need to talk openly about risk if we are to deal intelligently with risk.

The Commonwealth public service structure of the past was built around avoiding risk.

We need to move beyond this.

The government is seeking to build a modern public service – one that is more agile and better able to link up both internally and externally – and we need to think about how we engage with risk in this new environment.

I, for one, believe that when we do public policy, being transparent in the choices that you make helps with public accountability.

We should help our stakeholders understand what we are dealing with, how we are dealing with it, and why we have made particular choices in the design and implementation of public policy.

Our goal should be to minimise the consequences of failure, but not at the cost of innovation being hamstrung by risk-averse behaviour.

Notice that I said the consequences of failure, rather than the chance of failure.

This is an important distinction.

The risk management of everything

The British academic, Michael Power[1], talks about the myth of “perfect manageability”, where, caught between a public expectation that governments are all-knowing on the one hand, and a media expectation that they are wholly accountable on the other, public policy professionals are forced to organise in the face of the uncertain and the unknown, and “to act ‘as if’ they know the risks that they face”[2].

He calls this “the risk management of everything”.

Needless to say, the notion that you can risk manage everything is neither realistic nor sensible.

Not all risks can be avoided; nor can they all be foreseen.

You can be blind-sided by events or the way things unfold.

Failures and accidents happen in complex environments, no matter how vigilant and expert the oversight.

There is a wonderful story about British Rail in 1991 and how it managed a severe weather event that disrupted many of its services.

There was a cold snap, and the unusually soft and powdery snow that fell was not deep enough for snow ploughs or snow blowers to shift it from the tracks.

This soft, powdery snow found its way into electrical systems and caused short circuits.

It caused traction motor damage, because the integral cooling fans and air intakes on these motors pointed down and sucked up the loose snow.

It packed into sliding door mechanisms and into points, causing them to fail.

Electrical train services were disrupted for periods up to eight hours.

This was not a good day for commuters.

It was about to become worse for British Rail.

Its director of Operations was being interviewed by BBC radio’s James Naughtie.

The British Rail guy explained that "we are having particular problems with the type of snow, which is rare in the UK".

Naughtie replied "Oh, I see, it was the wrong kind of snow", to which the British Rail guy replied, "No, it was a different kind of snow".

By the end of the day, the London Evening Standard ran a headline saying “British Rail blames the wrong type of snow” and in the UK the phrase “wrong type of snow” has become a byword for pointless excuses.

The thing is that British Rail knew a cold snap was coming; they had systems in place to manage the impact and they were prepared for it.

But rather than focus on what was being done to fix the issue – replacing electrical services with diesel services, introducing emergency timetables, moving people – British Rail focussed on excusing why they were caught short.

Now the one thing that good risk management does not involve is making up excuses.

With apologies to Forrest Gump, “sometimes snow happens”.

By getting the messaging wrong, British Rail refocussed the public accountability interest from their quite professional response to an unexpected event to their lame excuse-making.

When events like this are managed poorly, that drives future behaviours.

The admonition, “make sure that it never happens again”, can have devastating consequences in terms of process controls, red tape and compliance costs if it is taken at literal face value as an expression of extreme risk aversion.

In terms of public policy-making, poor design starts when fear of failure gets elevated to a central organising principle, and things are done to exclude even the most remote of risks for the sake of avoiding the prospect of criticism.

Michael Power has observed that in the design of some public policies in the United Kingdom, the exercise of professional judgement is valued less than compliance with process.

Avoiding reputational risk gets more attention than intelligent risk management.

Another British academic, Christopher Hood[3], talks about the blame culture in government becoming so ingrained that it drives policy choice towards the least blame design, procedure or method of operation[4].

Now I happen to think that these academics have a pessimistic view of how governments behave.

It may be true that risk as an organising concept has entered management thinking as never before.

It is certainly true that the more aware you are of risk, the more you think about what you can do to minimise the adverse consequences of risks materialising.

Done rationally and in the right way, this is a good thing.

It is more than possible to strike a sensible balance between managing risk and achieving good, value-for-money outcomes.

The key thing for public policy practitioners, such as ourselves, is to be thorough in identifying potential risks; hard-nosed in developing strategies for managing them – including deciding which risks we are prepared to accept; and good at managing the consequences of a risk when it materialises.

Let’s talk a little about how we can get there.

Recent developments in Commonwealth risk management

Until recently, the Commonwealth managed risk without an overarching risk framework to provide guidance and clarity.

Unsurprisingly, risk management practice was mixed.

Risk was managed well in some entities and for some activities, but in other areas practice was either underdeveloped or poor.

Where risk management approaches were employed for significant projects, they were not always integrated into the operations of Commonwealth entities or the daily decision making of officials.

The introduction of the PGPA Act and the Commonwealth Risk Management Policy in 2014 has been a catalyst for cultural change.

Section 16 of the PGPA Act makes it clear that public sector leaders set the tone on risk oversight and management.

The Commonwealth Risk Management Policy is designed to support this.

My department has just conducted a benefits realisation survey to mark one year since the introduction of the PGPA Act.

Over a hundred Commonwealth entities provided input.

Almost half of the respondents said that the culture and practice of risk management had improved since the Act and Policy were introduced.

Just over half indicated that there had been no change, which is consistent with the mixed levels of maturity I mentioned earlier.

The PGPA Act and Risk

In a recent Senate Occasional lecture I gave at Parliament House in Canberra, I talked about the consultations undertaken by my department to develop the PGPA Act.

I noted that we found varied practice in defining and communicating risk appetite and tolerance across the Commonwealth.

Often officials were operating in a void, feeling that they were not empowered to take appropriate risks and to make decisions on risks.

As a result, officials distanced themselves from risk – they pushed it up the line for more senior people to manage, or put it into process requirements in a way that exacerbated administrative burden and red tape.

Sometimes, risk was pushed onto outsiders and partners who weren’t at all positioned to carry the risks, or into the design of programmes and services in ways that constrained flexibility and increased delivery costs.

Those who worked with the Commonwealth – commercial partners, the community sector and the states and territories – told us that partnering with us could be a really bad experience.

Broadly speaking, they said that while we had the money to get things done, we were risk averse and afraid to innovate.

Our thinking was dominated by fear of failure, rather than the prospect of breakthrough success; we pushed risk onto other parties and micromanaged how they filled their side of the bargain.

Given, as I said earlier, that innovation in public policy involves engaging with risk – finding new ways of doing things, backing good ideas and putting faith in others – this was criticism that went to the core of our aspiration to create a more agile and responsive Commonwealth public sector.

A combination of Sections 17 and 18 of the PGPA Act says: please join up with others to achieve common objectives, think about the risks involved and how you are managing those risks, but don’t load your partner with red tape just because you want to cover your bases if something goes wrong.

Section 15 of the Act, which talks about the proper use – that is, the efficient, effective, economical and ethical use – of public resources, makes it clear that officials need to think about the cost dimension of imposing red tape.

The proposition is that risk management should be done but done sensibly; or in PGPA Act language “an accountable authority should establish and maintain an appropriate system of risk oversight and management ... to promote the achievement of the purposes of the entity”[5].

A key part of the PGPA Act scheme is the notion that all officials have a responsibility to actively manage risk as part of their day to day work, no matter what their role or position.

Of course, how officials interact with risk and the role that they play in managing risk will vary, depending on the nature of their responsibilities.

But good risk management happens when it involves all levels of an entity.

And good risk management happens when we get the basics right:

  • a clarity of purpose,
  • a strong focus on the proper use of resources, and
  • a commitment to being agile, responsive and accountable to the needs of the public that we deal with and the government we serve.

The Commonwealth Risk Management Policy

To help support better risk practice in the Commonwealth, we now have the Commonwealth Risk Management Policy, which I mentioned earlier.

It sets out principles to underpin better risk management in the day-to-day operations and decision-making of Commonwealth entities.

It is designed to support intelligent risk management; to allow entities to make their own decisions about the level of complexity required in their risk management practices and the appropriate strategies for mitigating risk.

It is not prescriptive.

It does not establish compliance-focussed processes that displace the exercise of professional judgement about risk.

The Commonwealth Risk Management Policy sets out the nine elements that come together to build an effective risk framework.

And while I won’t run through all of them, I will mention some of the key elements to reinforce the points that I have made through this presentation:

  • Embedding systematic risk management into business processes
  • Developing a positive risk culture
  • Communicating and consulting about risk, and
  • Understanding and managing shared risk.

Risk management is not about creating artefacts and putting them on the shelf.

Risk management is about knowing your environment and your capabilities, planning how you achieve your goals, and knowing how to get there.

People who manage their risks well establish the context or reasons for risks eventuating.

They assess the likelihood of a risk occurring, determine its possible impact and the consequences of that impact, and then consider the controls and treatment strategies that they might employ to manage those consequences.

People who manage risks well also review them regularly, scan the horizon for new risks and talk to stakeholders on a continuing basis, to establish stakeholder expectations in a shifting risk environment.

My department, through Comcover, which manages the insurable risk exposure for the general government sector, has been working to help entities improve their risk management practice.

This includes:

  • providing risk advisory services
  • running a targeted professional development program
  • conducting an annual risk management benchmarking program
  • running an awards for excellence program, which profiles entities that have implemented effective risk frameworks and systems, or have been innovative, and
  • soon to be released better practice guides, tools and templates.

Let me focus on two of these initiatives.

First, the professional development program, which aims to develop risk management capabilities at every level of government.

It provides e-learning, peer-to-peer learning and on the job learning opportunities.

It also organises workshops, seminars and networking events.

The program targets four levels of capability that we call “pathways”, and these are being rolled out progressively.

We’ve designed the pathways so that you can self-assess the most suitable route for developing your personal risk management skills.

The “foundation” pathway targets beginners; the “generalist” pathway targets risk assessment; “specialist” targets enterprise risk and “executive” targets strategy and culture.

Last month we released our senior executive pathway, which provides a strategic perspective to managing risk.

We also released our foundation level e‑learning course, Introduction to Risk in the Commonwealth.

You can register for the professional development programs that you are interested in, and use the website as a central access point to Comcover’s education program.

Second, let me mention the most recent annual benchmarking conducted by Comcover.

This year’s survey involved 156 entities.

Ninety percent of participating entities demonstrated a level of risk maturity that is characterised as “systematic” or greater.

To achieve this rating, an entity must have a consistent approach to managing risk that is integrated with its strategic and business planning processes.

It must use risk information to inform key decisions and support the allocation and prioritisation of resources, and have a culture for managing risk that is set and determined by its executive.

This is a good result for the Commonwealth.

Now these various Comcover initiatives and tools are great, but the real work needs to be done at each level of the entity.

A key to success is leadership.

Early this year, the Australian Prudential Regulation Authority released a Prudential Practice Guide to help financial institutions comply with the Prudential Standard 220 – Risk management.

[Ask if anyone from APRA is present and say that it is a good piece of work if they are]

In this guide, APRA recognises that “sound culture is a core element of an effective risk management framework and that it is the Board’s responsibility to form a view of the risk culture of an institution”[6].

I totally agree with this, with one addition – it is also the role of the leadership of an institution to set the risk culture of that institution. 

The articulation of an organisation’s risk appetite, tolerance and capacity for risk taking starts with setting its objectives and strategies. 

By way of example, objectives and strategies that involve innovation should be couched in terms that set the boundaries for intelligent risk taking.  

Explicit in the design of any innovative program should be a statement about the level of risk that the leaders of the entity consider to be acceptable under given circumstances.

These boundaries should be set in consultation with ministers and key stakeholders, and should reflect the operating environment, capabilities and constraints that the entity works within.

Within these boundaries, officials can frame and focus on the risks which are relevant to the articulated objectives, and can establish strategies for managing them and their consequences if they materialise.

The new PGPA Act requirements for corporate planning allow for the public articulation of these issues, which helps to make transparent the choices that are made, and which, in turn, supports public accountability.

As I said earlier, I see transparency and public accountability as a key to making and doing good public policy.

Where the scope of authority is articulated clearly and in a way that allows people a degree of freedom to exercise their own professional judgement, then you will see a more mature engagement with risk.

In areas where there is repeat activity or process, a compliance based risk management approach makes sense, but where a program is flexible in design or involves innovation, then the overarching risk culture becomes more important.

As I said, we need to build an environment where people engage with risk intelligently; where process does not overshadow thinking and where compliance behaviours do not displace the exercise of judgement. 

Setting these boundaries is not a “set and forget” type of process. 

As the strategy of the entity changes, its appetite and tolerance for risk must be reviewed and adjusted to ensure that it continues to support the achievement of its objectives.

Finance’s approach

Let me make this a little more concrete by describing what I do — as a leader — to enable success within my own organisation.

I articulate the priorities of my department and the level of risk we are willing to accept in delivering on our purpose statement in the Finance corporate plan. 

My senior leadership team is responsible for ensuring that proper processes for managing these risks are in place and are communicated to those who need to know.  

The risk management practices of the department take place within an enterprise risk management framework.

At a high level, the Executive Board of Finance has a Risk sub-committee that reports on a regular basis on the overall risk environment and risk practices within the department.

All business groups are represented on the Board and the risk sub-committee.

The Finance Audit Committee also has a role under the PGPA Act in reviewing the appropriateness of our system of risk oversight and management and system of internal control, and provides me with regular reports.

Every Monday morning I have a meeting with my most senior executives where we review the key activities of the department for the coming week.

Our discussions include the risks that relate to these activities and what is being done to mitigate them.

This allows us, as a senior leadership group, to respond to risks as they arise; to identify new risks, and to discuss what we can do at a strategic level to tackle risk related issues, no matter whether they go to output delivery, outcomes or reputational risk.

So I have a level of comfort that the risks which keep me awake at night have been allocated to those with the expertise, skills and knowledge to manage them, and that things are brought to my attention as required. 

As an organisation, we can roll with the punches if we know that we have been attentive to the risks that we engage with, and have managed them intelligently.

However – and some of you may have walked this skinny plank yourselves – at the end of the day, I am the person who is accountable for the outcomes and actions of my department. 

And sometimes snow happens.

Now let’s talk about what you can do as leaders in your entities.

And when I talk about leadership, I mean leaders at all levels, from APS right through to the most senior leaders in an organisation.

No matter what your role, you can demonstrate to others through your own leadership and actions how to engage with risk intelligently.

I asked my colleagues in Comcover if they had any observations from their own experience and from the better practice discussions they have had with other sectors about what makes for good risk leadership.

They suggested five actions that leaders can take.

First, walk the talk.

  • Make explicit the risk behaviours you want to foster in your organisations by talking clearly and openly about the risks that concern you. Establish the risk appetite and tolerances of stakeholders and talk about how their key risk concerns are being managed. Do this regularly. If people talk openly about risk, then the chances are that they will be open to dealing intelligently with risk.

Second, recognise and reward those who manage risk well.

  • Highlight better practice and informed risk taking within your organisation and elsewhere. Give more responsibility to people who engage with risk effectively, not to those who are process-bound on the one extreme, or reckless at the other.

Third, identify ‘risk champions’, who can encourage positive risk behaviours through their role, personal experience and reputation. 

  • Organisational titles do not create role models. The best role models are people in the business who do the right things and succeed. Point to those who have engaged actively with risk and who have succeeded in delivering complex and fraught programs by innovating and pushing existing boundaries while meeting the high standards of public accountability. Again, red tape champions and those who are reckless are not good role models.

Fourth, focus on the important things. Be a role model in your own agency.

  • You cannot risk manage everything. You should not try. You can stifle thinking and innovation in an organisation by promoting compliance as good practice in areas where it is not needed. Red tape is nobody’s model of best practice. Work on the key risks – the ones that matter to stakeholders. Deal with the risks that can enable or impede you achieving results. Leave space for people to exercise their professional judgement.

And finally, focus on changing attitudes and behaviours.

  • Show that you do not expect “perfect manageability”, but rather, that you want people to be smart about risk. Where snow does happen, deal with it without blame or making up lame excuses. People learn a lot from how their leaders square up when things don’t go to plan. Show that you are fair dinkum about engaging with risk.

And British Rail?

Well, they are still dealing with British weather, but so are others in that country’s rail industry.

In December 2009, more than 55,000 people were stranded following a three day cessation of operations through the tunnel between Britain and France, when six trains operated by Eurostar got stuck because melted snow shorted vital electrical circuits.

Eurostar’s commercial director explained:

“It seems to be a strange combination of factors. It was the amount of snow, which was higher than we experienced before, it was lighter than normal; fluffier, and the temperature inside the tunnel and the humidity was higher than normal”.

The poor bloke studiously avoided blaming the wrong type of snow, but The Independent newspaper, in reporting the story, helpfully included a footnote entitled “What kind of snow is the wrong snow?” and rehashed the 1991 British Rail story.

An independent review, published on 12 February 2010, was critical of Eurostar’s contingency plans for assisting passengers stranded by the delays, calling them “insufficient”[7].

And in this case, the snow had happened before.

Here endeth the lesson – yet another example of someone failing to learn from the mistakes of others, not thinking about their risks and not developing strategies for handling these risks.



[1] Michael Power is the P.D. Leake Professor of Accounting at the London School of Economics and a Director of the Economic and Social Research Council’s (ESRC) Centre for the Analysis of Risk and Regulation, amongst other appointments. He writes on financial accounting, auditing and risk management issues.

[2] Michael Power: The Risk Management of Everything. Rethinking the politics of uncertainty. Demos, London, 2004 p.59.

[3] Christopher Hood is Gladstone Professor of Government at All Souls College, Oxford University. From 2004–2010 he was director of the ESRC Research Programme Public Services: Quality, Performance and Delivery. He has a number of publications to his name.

[4] Christopher Hood: The Blame Game. Spin, Bureaucracy and Self-Preservation in Government. Princeton University Press, 2011.

[5] This language is a combination of sections 16(a) and 15(1)(b) of the PGPA Act.

[6] Prudential Practice Guide CPG 220 – Risk Management

Last updated: 09 September 2015