Select Committee on Public Accounts Minutes of Evidence

Examination of Witnesses (Questions 1 - 19)




  1. This afternoon we welcome Mrs Mavis McDonald, Permanent Secretary at the Cabinet Office on her first appearance before this Committee, although one or two of us are familiar with her from accounting days. Mrs McDonald is responsible for monitoring departments on the content of their risk frameworks and for offering departments guidance and advice, and training on risk management. We also welcome Mr Brian Glicksman as our Treasury witness. Mr Glicksman is responsible for providing departments with guidance on their statements of the internal controls they have in place relating to the risks that they face. I have said—and I think it is worthwhile saying today—on numerous occasions that I will applaud well thought through and well managed risk taking even where it goes wrong. This Committee is rightly tough on cases where risks are ignored, for example major IT projects that are poorly specified and badly managed. But in cases where risks are properly measured, evaluated and managed, we consider the outcome as a Committee with an open mind. The important thing right at the beginning is that your colleagues up and down Whitehall can understand. I usually give you a steer as to what paragraph I am referring to in each question. I am going to start with paragraph seven and paragraphs 2.2, 2.8 and 2.14. The Cabinet Office is encouraging departments to adopt well managed risk taking where it is likely to lead to sustainable improvements in service delivery for the benefit of citizens. In response to the NAO survey, 82 per cent of departments agreed that risk management is important to the achievement of their organisations' objectives, but only 25 per cent said that their risk management objectives have been set out. Why is this and what are you doing to remedy that situation?

  (Mrs McDonald) If I can start by saying, and I hope this is not out of order, that we actually found the NAO Report very useful in our joint work in thinking about modernising Government where improved risk management was set out in the White Paper as a key component part of improving performance. Since the report and the survey was published we have taken between us a number of steps which we hope are designed to lift risk management into a high profile within departments, largely in the way in which they carry out their basic business planning. There are two particular things which we referred to in the report which we have carried out since the report Survey took place. One is we have asked, the Cabinet Office have asked, departments to publish reports about external outward facing risks that affect the public. We asked 21 departments to do that. We have pretty well all the reports available and the last one will be published early next month. We, with the Inter-departmental Liaison Group on Risks Assessment, which I hope you will let me call ILGRA, are evaluating—

  2. Either way it is a mouthful.
  (Mrs McDonald) Yes, it is. That Group is evaluating in some detail what is in there with a view to deciding whether there are areas where we ought to either promote best practice guidance or actually there are areas where we need to fill any particular gaps. During the course of the summer[4] the Treasury also published a draft of its Orange Book, and I hope Members of the Committee have now received the final version which was put out very shortly before this meeting[5].

  3. I think we have it.
  (Mrs McDonald) The Treasury have asked departments to report progress on how they are going to handle risk within the new framework of statements of internal controls which will be introduced for real from the year 2002. I might ask Brian Glicksman to just say a little bit more about that. Another point I wanted to make is we see ourselves as involved in a process of continuous work within this whole area of risk management and improved performance and service delivery, so there are other things going on as well. For example, the Chief Scientist updated the guidance on handling scientific risk in the summer. ILGRA itself is doing more research on the precautionary principle. There are a variety of areas where we, within the Cabinet Office, with the Treasury are thinking about whether we need to do more work ourselves.

  4. Unless Mr Glicksman has a pressing need to tell me something we will move on because you have given me a fairly rounded view of that question. My next question relates to paragraph 2.4. Here all Government activity involves some risk which, if not well managed, can result in public services not being delivered on time, being of poor quality or not cost effective. Yet that paragraph tells us the NAO survey found that departments' approach to risk management was very much focused on minimising financial loss or preventing impropriety. That is clearly very important. There is less recognition by departments that risk management is about ensuring the achievement of outputs and outcomes, and having reliable contingency arrangements to deal with the unexpected which might put service delivery at risk. In front of this Committee in the last year passports leap to mind as an example where service delivery was at risk. What are you doing to make departments understand that these are also essential requirements of effective risk management?
  (Mrs McDonald) Again, if I may, there are a number of things that we are doing jointly. Firstly, the promotion of better business planning is a plank of Sir Richard Wilson's Civil Service Reform Programme. We are working with a man called Clive Elphick who has come into the Cabinet Office from the private sector, from United Utilities, to take an overview of how departments do their business planning process and see where there are areas or gaps where we can promote best practice. Since the Spending Review last summer, we have been working with the Treasury on improving the formal system of monitoring on a quarterly basis the way in which departments are meeting their Public Service Agreement targets and their Service Delivery Agreement targets. A much more intensive process of monitoring is designed for the new targets that start to bite from 1 April next year on which we will be working jointly at both ministerial and official level. Then we have been promoting better understanding of the basic agenda which is to try to ensure that risk management is about all aspects of business from policy development through to managing particular projects but also through to service delivery on the ground. We have had several seminars ourselves. The Centre for Management and Policy Studies, which is part of the Cabinet Office, has had some joint seminars with ministers and officials on the subject. Both the College, the Treasury and ourselves have arranged conferences. We have had several occasions where we have joined with the NAO in trying to promote the message to a wider audience and, indeed, I think our next one is on 20 March where I believe you are going to come and take part.

  5. I believe so. Let us move on. Paragraph 2.20 is the substance of my next question. More joint working between departments, agencies and other public and private sector organisations is important to improve service delivery for citizens, and I suspect it is going to get rather more important in the coming years, both under joined-up government but also through the PFI. If it is to be successful, departments need to be alert to the risks associated with working with others which might adversely affect service delivery. But only one in eight departments said that they knew about the strengths and weaknesses of the risk management systems of other organisations they work with. How can that be improved?
  (Mrs McDonald) This is an area where we think we ought to be doing more work, but there are a number of things in train, or things that have happened previously, which might help people to think in a more cross cutting manner. We have got a number of cross cutting programmes which are being promoted as part of the modernising agenda, not based in the Cabinet Office, but in departments, like Sure Start. We have also got in the Cabinet Office itself a number of cross cutting units which while working on their own specific area, such as the Social Exclusion Unit, have developed ways of working in the cross cutting manner across departments, particularly on the Neighbourhood Renewal Strategy which we are evaluating in a formal kind of sense in order to promote best practice there. Also we have one or two examples of long-term strategies. The Drugs Unit within the Cabinet Office has a ten year strategy. To deliver that strategy it requires a number of other departments to be co-operating against meeting a communally agreed set of targets, particularly the Health and the Home Office. It is the responsibility of the Unit to see that performance against those targets, which have milestones across the ten years, has worked, so they have both a co-ordinating and a driving role there. We also have, ourselves, since we asked for material in the summer, set up a Cross Cutting Risk Management Steering Group which, in fact, the Treasury chair, Brian chairs, which is designed to engage a number of departments, plus ILGRA, to talk about the issues that are emerging both from the risk management frameworks and from the returns and the statements of internal control. Our real feeling is the issue is not so much understanding about each other's risk management systems, it is really understanding how people perceive the priorities in their particular area and ensuring that there is not a mismatch of priorities, so you are heading off. We think we will probably want to do some more work about vertical risk transfer and horizontal risk transfer within the various units of the Cabinet Office to unpick that a little bit further.

  6. Let us move on to paragraph 2.24. Early warning indicators—such as sudden increases in claims for damages, increases in customer complaints, IT or other quality failures—are all useful for alerting managers that risk is increasing or that circumstances have changed to the extent that new risks may exist. Fifty-three per cent of departments responding to the NAO survey said that such early warning reporting mechanisms are not in place or they do not work, in other words are ineffective. What is being done to remedy that?
  (Mrs McDonald) I think we will use the risk frameworks that are published and the evaluation I have already mentioned to look hard at what early warning systems are in place. Some people do have quite well established early warning systems or methods of approach which are basically early warning systems, like the HSE or the Environment Agency; others do not have such clear cut early warning systems. We think in terms of the general embodiment in achieving business objectives then the PSA/SDA approach to setting clearer targets with outcome requirements and milestones, monitoring of that will help as well. We have also got some work going on where a number of departments have set up futures units and the Cabinet Office will take an overview and try to get almost a corporate overview of the sum total of what are thought as priorities across those. We have examples of departments taking a lead in trying to engage their colleagues across Whitehall in areas that are of particular concern. So DETR, for example, has done a lot of research work on climate change and is looking at the impacts of that ahead on their own immediate programmes and asking other departments to do the same kind of thing.

  7. You mentioned HSE as a good example of advance warning systems, but might it also be an example where advance warning systems are not taken seriously? Railtrack, broken rails, known about for years but nothing done.
  (Mrs McDonald) I do not know any details about Railtrack and so on. I know HSE said yesterday that part of what their current examination is that they will look back at their system as well as forward about what should happen. If you want me to get a further note from colleagues, I can.

  8. I only raised it because you cited it as an example of good practice. I can tell you that because this Committee looked at the Railtrack issue and looked at things like the HSE warning of broken rails which were there for years before the Hatfield accident and it was quite clear that for one reason or another action was not taken by the relevant operator, Railtrack. It is quite important if you look at risk warning systems that you make sure that the control loops are completed. Perhaps you could have a look at that.
  (Mrs McDonald) I certainly agree that just having an early warning system on its own does not actually resolve the problems of how you manage the risks subsequently and what judgments are taken.

  9. I was thinking it might be a good case study for one of your colleagues. I will move fairly quickly on because I am using more than my time. Paragraph 3.19 is my next point. I see from the memorandum which you and the Treasury have submitted to the Committee that at the end of December 2000 17 departments had published frameworks covering their approach to risks directly affecting the public. What is your assessment of the adequacy of these frameworks and how will you monitor departments to ensure that they are assessing the risks identified?
  (Mrs McDonald) Our first very broad level sighting shot is that they are mixed and those who have had them for some time and are much more closely involved in areas that have a high impact in terms of risk have got better frameworks in place. Some other departments are beginning to think harder, we think, about the totality of the risk management statement. We will look at these in much more detail and we will get the risk experts on ILGRA who work with us to take an independent view, as it were, apart from our taking a view. We will, as I said earlier, look for areas which we think are generally weakest and applaud those which look generally good and try to promote best practice and move the base position forward, if I can put it like that.

  10. My next question will relate to 3.15, 3.13 and some things not in the report. My experience of Whitehall is there is a growing tendency for process to take over. One of the problems here is probably partially a problem of culture of incentive, both in terms of reward and penalty and in terms of management grip. I think I told you at one of our other meetings we had the Ministry of Defence in front of us, asked them about a billion pound overhaul and when asked how that came about they said "we did not forecast it properly", missing the point entirely that it is a question of grip and control of the management, not about just forecasting how big the numbers will be. There is a danger, is there not, that all of this will end up in a blizzard of initiatives and will end up as a series of forms to be filled in and actually we will not change the culture, the approach, the method that the private sector uses of breaking the risk down into small bits so that you can control each one. All of those things will not happen if you allow it to go down the bureaucratised route. How do you respond to that and how would you deal with that?
  (Mrs McDonald) I hope that the fact that most departments are now trying to embed risk as part of their main business planning process, associating responsibility to those who lead in particular areas of responsibility within departments, will actually help avoid too much over-bureaucratization. I think as part of the Civil Service Reform Programme, which Sir Richard Wilson leads, there is a real attempt to shift the culture. There is going to be a new performance management system, a new pay system, which consultations have just started on. It is attached to a new definition of what are the skills and competencies that are required at senior levels which positively promote supporting and being innovative and taking measured risk and knowing what you are doing, as positive skills. The way the format is set out is these are effective behaviours and these are ineffective behaviours, and ineffective behaviours are sticking with old ways of working and not doing things because it is the safe route and so on. I think that approach, combined with a much tighter definition of responsibility attached to particular PSA targets or other key objectives within that performance framework, actually can serve to tighten the definition of things that matter. Equally, there is another part of this programme which is about leadership which does mean the people at the top of Civil Service departments both showing that they mean to follow through on that approach and that they themselves behave in that kind of manner in areas that they are particularly taking a lead on. There is an attempt to shift to that culture. I think part of your question was related to more specifically how we manage things, projects, contracts, different kinds of procurement. We have, in the Office of Government Commerce, been working on a much tighter approach to project management and in the area for which I have particular responsibility, the E-Envoy area, we have worked across the boundaries to tie that approach into managing IT projects, for example. So basically we are going for independent review—the term being used is "gateways"—early on which says why are you doing this, do you know why you are doing it, and promoting the approach that says it may be better to break a big project down into small bites and take it a step at a time, which is the way in which we are developing the knowledge network. Sorry, the terminology is confusing. The bit of infrastructure we are building on which you can do, say, interactive transactions is also called the "Gateway". We are doing it a step at a time in all departments. The E-Envoy's office announced that the Envoy would lead a programme of oversight of the major IT projects going on across Whitehall to ensure that they are pursuing the principles and approach adopted in those guidelines.

Mr Griffiths

  11. Good afternoon. You asked the departments to report to you last October on the development of their risk assessment process as it related to the statements of internal control. What was the result of that in October?
  (Mrs McDonald) Perhaps I could ask Brian to reply to that because, in fact, those went back to the Treasury rather than the Cabinet Office.
  (Mr Glicksman) This was a request that we asked departments for to give us an indication of what progress they were making with preparations we had asked them to carry out for statements of internal control. We addressed our request to the Government departments rather than all the agencies and NDPBs.

  12. What was your success rate?
  (Mr Glicksman) We have had reports from all the main Government departments that we wrote to and we have also had a selection of responses from small Government departments and, in addition, some agencies and NDPBs that we did not specifically write to but who volunteered information.

  13. So did 100 per cent of Government departments meet that deadline?
  (Mr Glicksman) I do not think they all met the deadline. It was not a deadline, it was just a request for information by a date. We were not being rigid about the date by which they had to reply. We have now had responses from all the main Government departments.

  14. You have to assess, of course, a number of important factors, some of which you are commended for in here. How important is it to set clear management objectives for departments on risk assessment?
  (Mr Glicksman) I think that one of the problems departments may have had with answering the survey on this point is we have tended up to now to emphasise that objectives should be related to outcomes rather than objectives related to processes. So when they were asked about objectives for risk management, which is essentially about a process, a lot of departments felt this was not the way in which they had constructed their objectives in the past and that was why the NAO tended to get a lowish response in relation to that question.

  15. That lowish response was 75 per cent saying that they did not set these clear management objectives?
  (Mr Glicksman) That is right.

  16. Are you saying that they did not have clear processes or they did not have clear outcomes?
  (Mr Glicksman) I think I am saying that they did not, at the time that the NAO did its survey, define objectives in that way. They tended to define objectives in terms of the outcomes they were trying to achieve rather than processes like risk management which contribute to those outcomes. Therefore, when the survey asked them "have you got objectives for risk management", it is perhaps not surprising that a lot of them said, no, they had not.

  17. Why is it not surprising? When did it become a Cabinet Office priority to have such objectives?
  (Mrs McDonald) Our priority is to ensure that the people have systems in place to show that they are identifying and thinking about the risk that attaches to various parts of their business, so if they are developing policy and they are thinking about how it is implemented, they are thinking about the risks associated with that process. There are different varieties of risk.

  18. When did you start that?
  (Mrs McDonald) I think we have over the last ten years, between us, put out quite a lot of advice about handling different aspects of risk. I think what we were looking for in both asking for the published risk management frameworks and for the development of the risk element of the statement of internal control was to get a much more comprehensive lifting of risk within the agenda recognising that it was relevant to the totality of the business and not just the bits that we thought were risky because they were a safety hazard or there was a scientific uncertainty but there were just as big risks about other elements.

  19. Your awareness of this as an issue of however important a priority has gone back for ten years?
  (Mrs McDonald) Certainly it is about ten years ago since the Treasury put out a guidance on doing the investment appraisal process.

4   Note by Witness: 1st draft published February 2000; revised draft published August 2000. Back

5   Note: See Evidence, page 000 (PAC 00-01/130). Back

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2001
Prepared 31 July 2001