Jack Kruf | January 2018

This article examines the application of risk management within local authorities. The title refers to risk management as an ongoing process, but is that really the case? Yes, contrary to how it is often implemented in practice, risk management is a continuous process that supports the achievement of objectives, ranging from those formulated at the administrative level right down to the operational objectives on the shop floor of a department within the municipal organisation. Managing risks, therefore, requires the involvement of all functions and levels within the local authority. Risk management concerns both financial and non-financial risks. Risk management is indeed a systematic process, involving a number of fixed steps to achieve the desired outcome.

Key steps in this process include determining the level of risk the local authority is prepared to accept, assessing the likelihood and consequences of risks materialising, and identifying which control measures are useful and necessary.

Common practice in applied risk management

Risk management is a household term within the public sector. Every public sector organisation has a risk management system, as evidenced by the many framework documents, policy papers and the like bearing the name ‘Risk Management’ or a variation thereof. But is risk management being implemented correctly? In other words, are we not only doing things right but also doing the right things? Systematic consideration of risks only really came to the fore with the introduction of the compliance audit. The board was required to ensure that sufficient internal control measures were in place to manage non-financial risks. Risk management is now an established concept. In many organisations, however, risk management does not go beyond listing as many risks as possible, whether or not these can be translated into financial terms. Most organisations have now also reached the stage where, where possible, a gross and a net list of risks is drawn up. The organisation then links its own probability estimates to the risks, thereby expressing the likelihood of events. The sum of the product of probability and financial impact can then be used as a measure of resilience. And lo and behold, we have a risk management system. Or do we? No, we don’t. Because why or for what purpose is something a risk? And what actually is a risk?

Definition of risk

Risk management is the subject of countless articles and books, and there are many models for structuring it within an organisation. The key point is almost always the definition of a risk as ‘the occurrence, due to a cause, of an undesirable event with negative consequences for the achievement of (organisational) objectives’. Of course, there are all sorts of variations on this definition, and one could debate endlessly whether the term ‘undesirable’ is correct, or whether it should be ‘unexpected’, and so on. But as far as we are concerned, the definition given above covers the essentials for now

Risk culture

Only if the identification and management of risks are part of everyone’s work within the organisation can risk management truly contribute to achieving objectives. To this end, it is important that the organization’s senior management conveys the importance of risk management. And that means not only saying it is important, but also acting accordingly. The aforementioned risk management policy documents are already being channeled through the council by the local authorities. This enables the council to fulfill its role in setting the framework and exercising oversight. After all, under the financial regulations pursuant to Article 212 of the Local Government Act, the council sets the framework for risk management, and by assessing the policy document, the council can determine whether the framework has been met, at least in intent. But it goes further. Thinking about and acting on potential risks must be woven into all levels, processes, and procedures. For instance, it must be part of work meetings, both on the shop floor and at the management and board level.

When it comes to acting with integrity, for example, the board and senior civil servants will have to make it clear time and again what the ethical standards and desired behaviour within the organisation are, in order to foster the right risk culture. Legislation provides various tools for this, such as the whistleblower scheme, the oath of office, and the regulations concerning secondary activities and the acceptance of gifts. These instruments only work if the executive committee and senior civil servants also set a good example every day.

Formulating strategy and objectives

A risk is therefore an undesirable event that has negative consequences for achieving objectives. This definition in itself provides ample scope for discussion and confusion. What, for example, are the ‘organisational objectives’? Are we referring to the goals in the vision for the future? Or do we mean the council’s program? And what about the objectives in the current year’s budget? Should we take all these objectives into account, and are they all equally important? Put this to the test and ask a few colleagues to describe your local authority’s objectives.

Chances are you’ll hear very different objectives from what you had in mind. We’ll come back to how serious that is later. First, the objectives themselves. All local authorities have a long-term vision. This outlines, for various focus areas, what the local authority should look like in the longer term. What will the relationship between residents and the local authority look like? What appeal does the municipality have for various stakeholders, such as citizens, tourists, industry, nature conservation organisations, and the like? This document typically serves as the basis for the coalition program. In it, the coalition parties set out which interim results must be achieved during their term of office. Finally, the annual budgets provide an overview of the specific actions to be carried out in a given year and the objectives to be achieved through them. These objectives should, ideally, be derived from the coalition program and the long-term vision. The shorter the timeframe within which objectives must be realised, the more specific they must be. The call for a SMART budget is therefore justified. It is important to specify in the budget which steps are being taken towards realising the long-term vision and how the coalition and the executive committee intend to achieve them.

There are also objectives at lower levels of the organisation. Consider the objectives related to the primary processes. After all, you want to levy taxes in a way that complies with the applicable laws and regulations, don’t you? And preferably in a way that allows you to actually achieve the budgeted tax revenue, as efficiently as possible? You also want all of this to be properly recorded, so that you and others can see that the objectives have been achieved. In short, there are objectives at both the strategic and process levels. These objectives are interrelated. After all, the policy objectives determine which targets must be achieved at the underlying levels in order to meet the policy objective. A policy tree emerges, as it were. Not every risk needs to be identified.

This primarily concerns risks relating to effectiveness and efficiency, as well as reliability and legitimacy. It is no coincidence that these four terms recur throughout, from the Local Government Act right down to your own policy.

Risk assessment

The previous section indicated that there are various types of objectives at different levels within the organisation. This section addresses the next component of risk management. The definition of risk indicates that one must consider undesirable events that have a negative impact on the achievement of the organisation’s objectives. Just as objectives can be categorised into different levels, so too can risks.

Levels of risk

Risks come in all shapes and sizes and from various perspectives, including financial, legal, operational, tax, welfare, social, and environmental. Risks also vary in scale. From the risk of an important letter ending up in the wrong postbox to the risk of campsites in a tourist town becoming known as a playground for drug criminals.

Is one category of risk more important than another? That depends on the level at which the risks are assessed. At the operational level, the risk of an important letter ending up in the wrong postbox will be perceived as far more urgent and significant than the risk posed by the campsites. After all, this could result in a planning application not being processed within the statutory deadline, thereby breaching the law.

At the strategic level, the assessment will be very different. A local authority that relies heavily on tourism for a significant part of its local economy and employment will want to prevent damage to its image or, at least, limit it as much as possible. This brings us back to an important element of risk management: there is no ‘one-size-fits-all’ approach. The way in which risks are viewed depends on the organisational level dealing with risk management. This means that for a comprehensive risk management system, everyone in an organisation must be involved in managing risks, or rather in reducing the likelihood of risks occurring. Put another way: everyone must be involved in achieving objectives. Organisations where the control or finance department visits all line and staff departments once or several times a year with a spreadsheet, spends an hour discussing risks with the manager, identifies a few control measures, and then racks its brains over the potential financial impact and the likelihood of occurrence, are not engaging in risk management. Organisations that, instead of a spreadsheet, fill a random application with the results of their discussions are also missing the point.

It is important that all levels within an organisation address the risks that stand in the way of achieving the objectives at their own level. Returning to the earlier question: is it a problem if different people cite different organisational objectives? The answer is no, provided that people at the same level within the organisation share a common understanding of the objectives.

Control measures

Before identifying control measures, it must first be determined what level of risk the local authority is prepared to accept. This is known as the risk appetite and is often ultimately expressed as a monetary amount. For each risk, an assessment must be made of the likelihood of its occurrence and the extent of the impact (consequences) it would have on the local authority. Simply identifying a risk is not enough. What measures are in place to prevent certain events from occurring or to limit the damage caused by them? At the tactical and operational levels, these are often measures embedded in processes, such as segregation of duties. Insurance also plays an important role as a control measure.

To take the burnt-down municipal office as an example again. That could well be a risk; after all, without a workplace, few activities will be carried out, and that will normally have a negative impact on achieving the objectives. The fact that the town hall could burn down is not the whole story. Various control measures can be implemented. For instance, you can install sprinklers, hang up fire hoses, and use a fire alarm. You can also insure your premises. This means there are sufficient control measures in place to limit the consequences of the event. Insurance also allows you to limit the impact should the town hall burn down after all. Should any risks remain after implementing the control measures, these can be included in the risk assessment.

Measurement

Of course, simply identifying risks and specifying control measures is not sufficient. It is at least as important to determine whether the control measures are actually effective. Municipalities also have various options and systems for this purpose. This begins with the structure of the organisation, the appointment of key personnel, and the design of management information systems.

Specific internal control is also a system for assessing the effectiveness of control measures. A large proportion of the control measures is incorporated into the processes. Specific internal control is designed to establish that the control measures within the processes have functioned throughout the year and is carried out by staff who are independent of the process or component being audited. If the specialised internal audit finds no deviations, the control measures have been effective for many risks. This means that, at a tactical and operational level, provided there is a well-functioning internal control system, it can be demonstrated that the risks are being managed. Let us take land development as an example. The risk that land will not be sold is frequently cited. With thorough market research into the demand for building land, combined with proper analysis of market-based prices, a large part of the risk will already be mitigated. The situation is different for strategic risks, as the municipality has less influence over them. At the same time, the impact is also greater.

In many cases, the success of the control measures will be most evident from the amount of publicity the issue generates. In the example of the tourist municipality with campsites, for instance, enforcing a ban on permanent residence will be an important control measure. This will undoubtedly generate publicity, but publicity comparable to that of a case such as Fort Oranje could significantly damage the image of a tourist municipality and lead to a corresponding loss of appeal to tourists. In short, for tactical and operational risks, measuring the effectiveness of control measures will be based primarily on internal sources, whilst for strategic risks, external sources play a more significant role.

Reporting and adjustment

The final stage – and, in fact, the starting point once again – of risk management is reporting and adjustment. Municipalities still have some way to go in this regard. In (very) many cases, risk reporting consists of an overview of mainly tactical and operational risks. Admittedly, this is neatly accompanied by an estimate of the financial impact and the probability of the risk materialising. And, of course, through a number of attractive graphs and calculations, this is translated into the required resilience and compared against the existing resilience. Budgets and annual accounts are full of them. But is that sufficient?

At the level of the civil service and the executive committee, such reporting will suffice, given the management responsibilities there. Based on these overviews, the executive committee can assess whether there are risks for which control measures still need to be introduced. After all, not all risks need to be covered by control measures; in some cases, the costs of such measures outweigh the risk’s financial impact. In such cases, a sound cost-benefit analysis may lead to a decision to accept the risk and act only when it materialises.

But where, then, does the problem lie? With the strategic risks! The risks that, if they ever materialise, could cause major problems for the municipality’s image or its financial situation, not to mention the political problems they might entail. The risks that are addressed at a tactical and operational level, even though they do not belong there at all. Let’s look at an example.

Social sector

There is a perfect example right at our fingertips: the social sector. The 2015 decentralisation process shook local government to its very foundations. Not only local authorities, but also care institutions, welfare organisations, social work companies and many other organisations have been (and continue to be) busy ensuring everything runs smoothly. Fortunately, no major mishaps have occurred and everyone has received the care they need. We are now in the transformation phase, which offers an opportunity to look at the process with a little more perspective. What stands out in this context? It is, in particular, the role of the local authorities.

In the new set-up, the local authority is the linchpin and the party with the funds, but not necessarily with the expertise across all areas of the social sector. The question is whether that is a problem, whether the transformation is really a matter of substance, or whether it should be addressed at a different level. In recent years, local authorities have been busy gathering operational expertise. Extensive procurement documents have been drawn up, and costly tendering procedures have been completed. The risk of excessively expensive care and the delivery of the wrong products had to be mitigated.

Yet the real risk at the strategic level lay in the governance of the entire system. Substantive knowledge of care provision, labour participation, prevention, and early detection is already amply available among all partners in the social domain, so why do local authorities need to bring all that knowledge in-house as well? The greatest risk facing local authorities in the social domain is not that people receive the wrong bespoke services. Nor is it that it takes too long to identify problems, resulting in the need for more expensive bespoke services.

The greatest risk is that local authorities fail to specify sufficiently WHAT needs to be arranged and within what frameworks this must take place. They would do better to leave the HOW to the professionals, who are trained for this purpose. Of course, there may be local authorities that employ professionals in certain areas, and use should be made of this. But the greatest challenge lies in governance. What do we want to achieve? What are we willing to invest in this? What frameworks do we want to provide for this? How do we ensure that the parties we select to shape the implementation do so within the frameworks set by law and by the local authority? Once these questions have been answered at a strategic level, the remaining risks can be managed at a tactical and operational level.

Conclusion

Risk management has long existed within local government, yet in many places it is still in its infancy. Risk management generally consists of a risk assessment translated into resilience. Significant progress can be made, particularly in strategic risk management. Periodically review the long-term vision for your municipality’s development and identify its strengths. Then assess which threats could undermine these strengths and jeopardise the achievement of long-term goals. Discuss this with all levels of your municipality, including the executive committee and the council.

Formulate policies to mitigate the risks, and consider how the success of the measures can be measured. Report back periodically on developments regarding strategic risks. Can any risks be removed? Have any new risks emerged? These sessions can be very interesting for everyone and help to understand where your municipality’s risks truly lie. But do not forget the tactical and operational risks.

For local authorities that dare to state in their Risk Management Policy that they take a pragmatic approach to risk management and therefore only consider financial risks, risk management is not a control tool, but a major risk in itself.

Bibliography

Kruf, J. (2018). Risicomanagement als een doorlopend proces In Adlasz. Adlasz voor de slimme gemeente, International Publishing & Sales, 2018, pp. 91-97.