Policy paper

Managing risk: departmental case studies

Published 26 March 2015

This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government

The examples below provide details of how risk management processes have been applied in different scenarios.

1. Strategic risk: managing strategic risk in Her Majesty’s Revenue and Customs

The over-arching objective of the risk management framework within Her Majesty’s Revenue and Customs (HMRC) is to:

• ensure that risks are clearly visible to individuals accountable for them
• articulate and monitor risks in a way that makes them easy to understand and manage effectively
• be built into the way we work in order to drive appropriate behaviours

There are 4 components that have been implemented to help achieve these aims.

1.1 Structural

Within HMRC, the nature of the business means that risks operate both within and across lines of business, so the framework needs to reflect this. This means that in terms of accountabilities:

• at strategic level, the Accounting Officer and their executive committee members have risk sponsorship for risks that cut across HMRC as well as those wholly within their business areas
• reporting at individual members’ ‘hubs’ (see below) reflects those risks they sponsor as well as those from their teams
• this cascade continues down through the lines of business and change programmes
• the same principle applies for the corporate areas eg finance, estates, commercial, etc
• change risks are managed from a delivery perspective through a portfolio management structure and the corresponding business impact/readiness within the individual lines of business
• risk management is incorporated explicitly into the business planning process, meaning decision making around resources can be made as far as possible during the process rather than as a consideration after the objectives and finance have been agreed
• finance play a key part in the risk management framework by supporting the risk management application within each line of business; they are supported in this role by business risk partners who operate across lines as a community to develop and share best practice

1.2 Process

The main risk framework operates within the PaceSetter management practices in HMRC. Core to this are 3 main elements:

• visual management

These ‘hubs’ comprise a number of slides focused on performance against objectives. They also include the linkage to and monitoring of risks. Movements, tolerance, activities to mitigate and residual positions are all included in slides to focus management action. This includes escalation/de-escalation along with trend analysis of risks and are considered as a bare minimum on a monthly basis.

• line of sight

The cascade principle means that at the executive committee level, the risks to achieving the strategic objectives can be monitored from both a consolidated and individual perspective. Risks can be traced up and down through subordinate hubs to individual team performance hubs to understand where risks would manifest.

• problem solving

Within the PaceSetter methodology are a number of tools that support the behaviours around risk management so that when a team identifies a potential concern, they then work through the causes and countermeasures. If this cannot be wholly dealt with effectively by the team on its own, it is escalated.

Explicitly, what this has meant is that we have aligned how HMRC looks at and manages risks with the way it manages current issues. Once an issue has been addressed, it is reflected against what that tells us for our risk identification and management to continually improve our risk capability.

Roles are made clear around the difference between a risk sponsor who is responsible for managing a risk across one or more areas, and risk actionees who contribute individual elements to the risk management. This particularly applies when risks cover multiple disciplines and hence moves away from people only managing that risk in just their own area. It very much reinforces collaborative working and collective ownership.

1.3 Content

The risks methodology used is standard practice across all sectors in terms of identifying the risk, exposure, actions, timeline and tolerance. At the departmental risk register level, HMRC also operate a ‘bubbling under’ principle which is designed to provide early sight on risks and issues at the next level down in a dynamic way and provide validation around escalation early.

A risk is supported in being de-escalated both from a drop in relative exposure or conclusion, but also when it is being effectively managed with clear escalation criteria. This allows risk registers at whatever level to focus on those risks which are outside of tolerance, not on track to be mitigated or require additional action.

1.4 Assurance

Spanning all of the above is a series of specific mechanisms that, as well as providing assurance, look to continually develop the risk capability in HMRC:

• corporate risk management

A central team whose remit is to support the delivery of the department’s risk management policy and strategy by constantly working with the executive committee and the teams to review and enable improvements in the application of risk management in the department. The team also provides the thought leadership on good practice and a view of effectiveness of risk to the CEO via regular reporting to senior committees.

• HMRC board

Review the departmental risk register at least once a quarter to ensure that the risks to delivering to strategic objectives are being managed appropriately. They conduct a series of ‘content dives’ whereby individual high exposure risks have a thorough teach-in and challenge session with the risk owner. This looks to allow board members to use their experience and expertise to drill into the detail beyond a review of a register.

• Audit and Risk Committee (A&RC)

To support the board, the A&RC review the risk management framework including conducting ‘process dives’. These compliment the content dives of the board as they test the underlying processes are working so that the board can take reliance on the information they are seeing.

• internal audit (IA)

As well as an annual programme work and opinion on the effectiveness of the risk management in the department, IA now report explicitly on a review by review basis, against elements of risk management. This includes:

• how clearly managed the risks are in the area
• the control alignment/effectiveness to these risks
• the visibility and operation within defined risk tolerances

Contact ian.haldenby@hmrc.gsi.gov.uk to find out more about HMRC’s practices.

2. Project risk: Department of Energy and Climate Change’s management of programme risk

The UK faces very rapid closure of existing electricity generating capacity and needs to replace this with a generation mix that meets our climate change obligations and legally binding targets, as well as maintaining security of supply, and at the least cost to consumers. The Department of Energy and Climate Change’s (DECC) electricity market reform (EMR) programme was established to address these challenges.

The scale of the changes being delivered by the programme is considerable, such as the development of new mechanisms to incentivise the significant level of investment required. This entails considerable stakeholder engagement, new legislation, approval from the European Commission and the establishment of new delivery organisations and partnerships. The programme was also working to a challenging timetable in order to mitigate any potential investment hiatus while the market reform was being implemented. Given these challenges there was a real risk that the ‘go live’ date would not be met, impacting on the critical path and investor confidence.

The risk of delay was included in the departmental risk register and quality assured by the corporate risk advisor to ensure that each underlying cause was addressed by mitigating actions with defined timescales. When one of the causes, the availability of programme resources, began to worsen this was escalated to DECC’s executive committee (ExCo) and board and resolved. This enabled the programme to remain on track. Each of the other causal factors, such as the tight timelines for legislation and need for stronger programme management, was also robustly managed and regularly reviewed at the programme board with any changes reported to ExCo.

Effective risk management enabled the programme to secure the approvals needed, complete legislation and meet the ‘go live’ date, but did not stop there. As the programme moved into the next phase a new high level risk was developed to reflect the ongoing challenges of implementation and delivery. This risk was quality assured by the corporate risk advisor and then reviewed by DECC’s Finance and Business Committee (an ExCo committee) who invited the risk owner to present at their meeting. In line with the department’s improving risk maturity, the committee focused on the mitigating actions and achievability of the risk reduction date. The committee were satisfied with the assurances provided and the chair fed this back to ExCo. The programme remains on track.

Contact Kathryn.Newell@decc.gsi.gov.uk to find out more about how DECC managed risk in this project.

3. Project risk: Department for Business, Innovation and Skills’ management of project risk when working with partners

The Francis Crick Institute is a £750 million research capital project in central London and, upon completion in 2015, will contain a range of imaging equipment which is highly sensitive to sound, vibration and electromagnetic radiation. Transport for London’s plans for the new Crossrail 2 tunnel and station are to go very near the Crick in a particularly sensitive area for the building. This could mean significant disruption to the Crick through the construction phase of Crossrail 2 (estimated 2019 to 2024+) and then potential for continuous train disruption from completion of the Crossrail 2 project. Trains running in an underground tunnel in close proximity would produce significant vibration and electromagnetic effects which would jeopardise the use of the equipment in the absence of substantial mitigation.

This risk resulting from this decision is that the TfL preferred route for Crossrail 2 (as published in the consultation) could cause extreme disruption to the operation and function of the Francis Crick Institute within 4-6 years of opening. If Crossrail 2 continues as planned, this could result in risks for the future of the Crick Institute such as: the Crick building becomes unfit for purpose; wasting public money; concerns from the public scientist community and reputational damage for the Department for Business, Innovation and Skills (BIS), the Medical Research Council (MRC), the Francis Crick Institute, the Department for Transport (DfT) and HM Government.

The MRC raised the risk to the BIS sponsor team, major projects assurance team (MPA) and the performance and risk team, seeking BIS help in navigating the landscape around planning law, cabinet clearance/agreements and inter-departmental negotiations.

The sponsor team and MPA brought the risk to the BIS monthly performance and risk challenge panel (made up of directors and deputy directors from across the department) to discuss the risk, issues and opportunities. The discussion resulted in further actions being identified to aid the sponsor team to mitigate the risk in due course and if required. These included:

• providing contacts within the Lord Mayor’s office, the Greater London Authority and the London London Enterprise Partnership with whom they were able to raise awareness of the risk and potential economic impact materialising
• providing advice on exploring how the cross-government memorandum of understanding on the Olympics was constructed and seeking to replicate
• proposing that the team explore, with the Permanent Secretary, options to write to counterparts in DfT and the Department of Health (DH) to secure their agreement (agreement had been reached at ministerial level only)

The risk was then escalated to the Performance, Finance and Risk Committee and executive board. They endorsed the approach set out by the challenge panel and continued to provide further oversight and management of the risk.

BIS has developed a ‘5 lines of defence’ assurance model. Within this the risk is assured at level 2 (programme) and level 3 (corporate/portfolios). However, within the 3 lines of defence as set out in Lord Browne’s Annual Report 2013-14, the assurance of this risk sits between levels 1 and 2.

Currently, BIS has obtained assurance from transport ministers that the new Crossrail 2 route should not impact upon the operation of the Crick. The agreement has been confirmed through HAC write-round, with DfT ministerial agreement that, as a condition for safeguarding, work for full mitigation should continue.

Commitment has been obtained from DfT and TfL to continue work over the next 18 months to 2 years to agree mitigation measures, overseen by BIS and DfT.

Technical meetings are on-going between TfL and the Crick to better define the technical issues (sound, vibration and electromagnetic impacts and minimum distance the underground line can be to the Crick – currently 70 metres).

The Department for Culture, Media and Sport (DCMS) have now requested the same conditions with respect to the British Library. As this relates to the same area, we have obtained agreement for coordination between the 3 departments (DfT, BIS and DCMS) to oversee the work.

Given the longer timescales of this risk, there are further mitigations to enact in order to reach conclusion. Further actions for mitigation include:

• ensuring strategic coordination of these 2 major infrastructure projects through Infrastructure UK and the Major Projects Authority
• ensuring senior officials in the departments involved are aware of the issues and seeking legal agreement on a solution towards long-term sustained agreement between parties/organisations once agreement on mitigation has been reached.

Contact amanda.davies@bis.gsi.gov.uk to find out more about BIS’s 5 lines of defence or how they manage risk.

4. Business/operational risk: developing a risk management framework in the Ministry of Justice

In 2013 there were 2 well-publicised cases of the Ministry of Justice (MoJ) being overcharged for services, with significant impact on the department’s reputation regarding contract management.

The MoJ quickly responded by conducting a review of contract management to reduce the likelihood of this risk re-occurring which resulted in the following plans.

4.1 Risk classification

Uniform criteria are applied to place each contract into one of 3 categories of risk and complexity which then drives the future management processes for each contract. Approval of the risk profile is approved as part of the award decision.

4.2 Governance and a change programme

Governance was immediately reorganised for better scrutiny of post-award activities and decisions.

A Commercial and Contract Governance Committee (CCGC) has been established and has proved to be a successful mechanism for enhanced scrutiny of operational commercial practices and supplier management. This mechanism, which involves a formal attestation, signed and presented in person by a contract owner, ensures that accountability and ownership are enforced across all major contracts that the MoJ holds.

The contract management improvement programme was established to lead on 3 major changes:

• assurance of contract management regimes (interviews, workplace inspections, desk-based reviews of contract management plans, risk registers, team skills, commercial logs and change management) on all major contracts - results are measured against the National Audit Office’s contract management good practice guide’s ‘5 point scale’ and resultant actions reported to the Contract Management Improvement Board, the Director General of Finance, Analytical Services and Internal Audit
• resources, toolkits and policy - support for staff comes in the form of a new internal website, development of standardised tool templates, resources, exemplar documentation and work samples to assist the learning and improvement process
• capability - the contract management improvement programme established a pan-organisation training programme sponsored by the Director General’s Finance, Assurance and Commercial Group described below

4.3 People

The MoJ was quick to recognise that benefits of assurance activities and other improvements would be undermined without skilled commercial staff. The outcome was a training programme to ensure all people connected to the management of suppliers have the opportunity to develop a thorough understanding of commercial processes and the contract lifecycle. The IACCM Certification training is now part of the Civil Service Learning curriculum, but the MoJ is the first department to embrace this en masse. An ambitious target of 400 staff undertaking this certification by the end of September 2015 has been set. Some staff have already graduated with positive feedback about the usefulness and practical application of the qualification.

All commercial job descriptions have been re-defined to capture skills associated with excellent contract management so essential attributes are measured in future recruitment.

Staff capability is enhanced further by sharing ideas and lessons learned with other government departments which can provide new solutions and a form of peer review, providing further assurance on our progress. The result of networking with the Home Office is that the MoJ now includes Home Office representation on our Contract Management Improvement Board and also strategic supplier relationship processes are aligned with best practice in the Home Office. Together, these changes have led to far better risk management regarding the management of suppliers to the MoJ.

Contact Richard.Pearson@justice.gsi.gov.uk to find out more from MoJ.