Towards a holistic approach
Finn Kjaer Jensen | February 2007
It certainly is true that governments have practiced risk management, in a general sense of the term, for thousands of years. Ancient cities that built walls to keep out invaders were practicing an elementary (but sound) form of risk management. Indeed, risk management is a fundamental purpose of government – government is, to a considerable degree, risk management. Further, there are numerous activities in the public sector that can be characterized as risk management (immunization programs, defense policy), but which are entwined with other functions of government.

The Categories of Public Sector Risk Management
To better appreciate the historical process that has led to the present risk management environment, it is useful to first understand the general framework of risk management in the public sector.
As an interesting point of reference, the UK central government (the Cabinet Office’s Strategy Unit) issued a statement in 2002 that characterized public sector risk management as possessing three facets: 1) managerial, 2) regulatory, and 3) stewardship. These facets reflected the fact that risk management sometimes was a direct part of the management of public institutions, but that often it involved less direct activities – for example, regulating the behavior of other private and public organisations, influencing other sectors, or taking a leadership role to address public concerns beyond the reach of an individual public entity. The main focus of this article is on the “managerial” domain. This facet of public risk management is known as ORM (Organisation Risk Management or, with increasing frequency, ERM or Enterprise Risk Management).
Organisation Risk Management is the formal process by which public organisations manage their risks. It has a history that does not extend back much before the 1960s. Broadly speaking, risk management – whether in the public or private sector – is a post-World War II development. By the 1950s, new developments in management theory and practice were emerging to explain the principles of effective management. Strategic management, operations research, operations management, and risk management can all trace their roots to this period of ferment, and their growth as fields of study and practice in the 1950s and 1960s reflects a world-wide interest in advancing the effectiveness of management practices.
Research on the general history of organisation risk management has shown that the term “risk management,” applied in the modern sense, began to appear in the mid-1950s. The 1950s and early 1960s still represent the high-tide era of scholarly research on the subject of organisation risk management, although practitioner interest and research has proliferated since that time.
The development of risk management in the public sector initially lagged behind the private sector. Certainly, readers may assume that public entities tend to adopt innovations more slowly than the private sector. This assumption is not entirely incorrect – but it is a bit misleading. The lag in adoption was more likely due to distinguishing characteristics of the public sector in the 1950s and 1960s – notably the limited exposure to liability enjoyed by public entities at that time.
Before 1960, most governments in Western democracies were the beneficiaries of a rather broad exemption from tort liability. Thus, most governments were able to confine risk management activities to property-based risks – fires, thefts, vandalism, and motor vehicle accidents. Conventional insurance coverage typically addressed these risks in a fairly straightforward fashion. Consequently, risk management (if it could be called that) mainly consisted of insurance buying with, perhaps, a little safety engineering thrown in for good measure.
Immunity from tort liability has been subjected to rather steady erosion since about 1961 – first, and most dramatically, in the US, but more recently in most other Western democracies. Perhaps it will not be surprising to learn that the growth of public sector risk management practices tracks quite closely with the increasing exposure to liability claims across Western nations. Certainly, one can empathize with the interest governments have shown since the 1960s. Public entities have become established as visible, seemingly deep-pocketed targets, and this fact has not diminished in any appreciable way over the subsequent 40+ years. During this time, and for various reasons, public entities also became more uniformly covered by workers’ compensation and employers’ liability laws, and this feature of public sector life added impetus to interest in matters of occupational health and workplace safety. The extension of responsibilities at the local entity level added further fuel to the growth of risk management. As local governments assumed new, sometimes risky, duties (often fueled by national government transfer or grant requirements and unfunded mandates), the emergence of previously unseen risks became an issue of growing concern.
Another contributing factor must be cited here. During the 1970s and 1980s, the commercial insurance industry began to change its approach to underwriting public entities. Understandably, part of this change was due to the growing riskiness of governmental entities and the uncertainty this brought to underwriters. Part of the change was due to strictly competitive pressures and the underwriting cycle, and part was due to the economic environment of the 1970s, 1980s, and on to the present day. Other reasons could also be mentioned, but it is sufficient here to observe that the effect of these factors was to produce a commercial insurance market that was wary of underwriting public entities. This wariness resulted in skeptical and cautious underwriting in the best of times, and outright abandonment of the public sector when times were bad. In any event, the difficulties in financing risks served to heighten an awareness of the value of managing risks.
What Do Traditional Risk Managers Do?
Previously, insurance buying was identified as a historic function of risk management, and undoubtedly the management of insurance and insurable risks is the core activity of the average traditional risk manager. In fact, “insurance buyer” is a title that still is widely used.
Responsibilities for buying insurance tend to push a risk manager’s duties into a number of related areas, what might be called “insurable risk management.” For example, responsibility for workers’ compensation insurance almost inevitably compels the risk manager to address workplace safety and health matters, integration issues with employee benefits, training, equipment maintenance, and so on. Similar extensions occur when risk managers deal with property and casualty insurance.
Summarizing typical risk manager responsibilities is subject to the ordinary caveats cited in any attempt to generalize a fairly diverse occupation. That said, the average scope of duties likely would include:
- Insurance buying.
- Insurable risk management.
- Occupational safety and health matters.
- Workers’ compensation/employers’ liability management.
- Compliance with regulatory and legal requirements.
- Catastrophe planning.
- Contract review.
- Advising on insurance issues related to employee benefits and pensions (where appropriate).
- Security.
- Risk assessment.
- Public policy research.
One of the more significant recent trends in risk management is the emergence of financial risk management. Financial risk management refers to those measures employed to manage exposure to financial risks like interest rate risk, currency exchange risk, and credit risk. The emergence of tools that enable financial managers to address such risks – tools like forwards, futures, options, and other derivatives – has propelled forward significant advances in this area. Interestingly, most of the developments in financial risk management have occurred independently of traditional risk management (described above). Thus, a number of public entities now have an individual titled “risk manager” who is responsible for managing financial risks, and who may or may not deal with more traditional risk management concerns.
In rare instances, entities may have two risk managers – one dealing with traditional risk issues and one dealing with financial risks. As a result, one might say that the modern field of risk management is experiencing something of a competition between traditionalists and financial risk managers. Who is the organisation’s true risk manager?
Whether or not either group prevails, broader forces are afoot that are expanding the concept of risk management, and so today both camps – as well as other observers and participants – at least agree that risk management is a function that should have organisation-wide application. This observation is explained in the following section, and this explanation will serve to introduce an important organizing framework for understanding both the current practices and the future possibilities of risk management in public entities.
Current Developments
In the private sector, there are significant changes occurring in the practice of risk management, changes which, taken as a whole, are tending to redefine risk management as the management of all organisation risks on an integrated basis. While the number of organisations practicing this “holistic” form of risk management is limited, most observers predict that this new definition eventually will prevail. Why?
The explanation varies a bit from industry to industry, but in general, the trend seems to be driven by the following factors:
- The restructuring of organisations has tended to broaden the responsibilities of all managers.
- Increasing competition has forced organisations to scrutinize cost structures, leading to insights into the reduction of the cost of risk.
- Just-in-time processes, total quality improvement practices, and other modern developments all stress the need to control risk and to do so in an integrated fashion.
- Consolidation in financial services has resulted in an increasing integration of insurance, banking, and other financial services – which in turn has led to broader thinking about risk financing.
- The absence of coordinated risk management practices (or, occasionally, the demonstrated effectiveness of the same) has been a feature of many sensational and highly publicized stories, disasters, and events (e.g., the World Trade Center attack, the Madrid train bombing, the tsunami disaster, the Enron scandal). These issues, in turn, have introduced risk management into higher level discussions.
- Perhaps most notably, legislation (Sarbanes-Oxley, specifically), regulations (especially those arising from the Securities and Exchange Commission), and accounting standards (the Committee of Sponsoring Organizations of the Treadway Commission’s new guidance on Enterprise Risk Management) are all leading to a climate in which organisation-wide risk management is required or nearly required.
This final bullet point warrants some further discussion. Although the underlying factors are common to all of these situations, numerous Western nations have each been moving toward a broader view of risk management. And, importantly, whereas in the recent past the case for a broader, more holistic approach to risk management rested mainly on an intellectual argument, the recent developments rest on legal, regulatory, legislative, and industry best-practice platforms.
For example, the desire to provide greater audit consistency in the evaluation of risk management practices has led to the development of standards within the audit community. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the US has established a framework for organisation-wide risk management – called Enterprise Risk Management, or ERM – and the expectation is that external auditors will evaluate client firms based upon this framework. Similar standards or “best practice” developments have occurred in Australia and New Zealand, the UK, Canada, Denmark, Germany, and in the global financial services sector (through Basel II). Auditors expect to find wide-ranging risk management practices in their clients – be they public or private sector organisations.
Additionally, governments and market regulators (self-regulators or governmental agencies) in North America and Europe have responded to the recent spate of corporate fraud scandals (Enron, Parmalat, Barings Bank, and so on) by establishing new legal expectations for corporate governance. Sarbanes-Oxley in the US is the most visible example, but the Turnbull guidance in the UK, KonTraG in Germany, and the Nørby Committee in Denmark illustrate further initiatives (both public and quasi-public) to place formal expectations on risk management practices. Although this is a phenomenon very much in its incipient stages, new expectations have appeared in the form of regulations, strict statutory rules, and even civil court decisions.
The Emerging Framework: Enterprise Risk Management (ERM)
As a consequence of the factors cited previously, there has been a dramatic move toward a more organisation-wide approach to risk management. Admittedly, at present, the activity is more dynamic on the private sector side. However, a significant “spillover” effect is occurring and knowledgeable observers are convinced that the ORM/ERM movement will accelerate in the public sector over the next 3-5 years.
Emblematically, perhaps, recent years have seen the emergence of the chief risk officer (CRO) concept, which can be said to underscore the growing interest in the subject. In the private sector, this organisation-wide approach is known as Organisation/Enterprise Risk Management (ORM or ERM) and, indeed, the term is applied increasingly in the public sector as well.
The two dominant global documents that establish the ERM framework are the Australian/New Zealand Risk Management Standard (AS/NZS 4360) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework. They differ in key aspects, though in principle both argue for an integrated approach to managing all risks within an organisation’s ambit.
Concluding Comment
Although there will continue to be a role for the historical forms of risk management, they are likely to become technical aspects of the broader form of risk management – ORM or ERM. As Public Risk Forum has laid out (and will lay out) in other articles, the ORM/ERM approach requires executive-level engagement in the setting of risk management policy and in assuring stakeholders that risk management is undertaken in a manner consistent with that policy. Risk management may have technical features, but it has become a general management function and therefore part of every manager’s job.
Bibliography
This essay is a republication of A Brief History of Public Sector Risk Management, published in the magazine Public Risk Forum, February 2007 by PRIMO/EIRM.
