Examination of Witnesses (Questions 1
WEDNESDAY 24 JANUARY 2001
CB AND MR
1. This afternoon we welcome Mrs Mavis McDonald,
Permanent Secretary at the Cabinet Office on her first appearance
before this Committee, although one or two of us are familiar
with her from accounting days. Mrs McDonald is responsible for
monitoring departments on the content of their risk frameworks
and for offering departments guidance and advice, and training
on risk management. We also welcome Mr Brian Glicksman as our
Treasury witness. Mr Glicksman is responsible for providing departments
with guidance on their statements of the internal controls they
have in place relating to the risks that they face. I have saidand
I think it is worthwhile saying todayon numerous occasions
that I will applaud well thought through and well managed risk
taking even where it goes wrong. This Committee is rightly tough
on cases where risks are ignored, for example major IT projects
that are poorly specified and badly managed. But in cases where
risks are properly measured, evaluated and managed, we consider
the outcome as a Committee with an open mind. The important thing
right at the beginning is that your colleagues up and down Whitehall
can understand. I usually give you a steer as to what paragraph
I am referring to in each question. I am going to start with paragraph
seven and paragraphs 2.2, 2.8 and 2.14. The Cabinet Office is
encouraging departments to adopt well managed risk taking where
it is likely to lead to sustainable improvements in service delivery
for the benefit of citizens. In response to the NAO survey, 82
per cent of departments agreed that risk management is important
to the achievement of their organisations' objectives, but only
25 per cent said that their risk management objectives have been
set out. Why is this and what are you doing to remedy that situation?
(Mrs McDonald) If I can start by saying,
and I hope this is not out of order, that we actually found the
NAO Report very useful in our joint work in thinking about modernising
Government where improved risk management was set out in the White
Paper as a key component part of improving performance. Since
the report and the survey was published we have taken between
us a number of steps which we hope are designed to lift risk management
into a high profile within departments, largely in the way in
which they carry out their basic business planning. There are
two particular things which we referred to in the report which
we have carried out since the report Survey took place. One is
we have asked, the Cabinet Office have asked, departments to publish
reports about external outward facing risks that affect the public.
We asked 21 departments to do that. We have pretty well all the
reports available and the last one will be published early next
month. We, with the Inter-departmental Liaison Group on Risks
Assessment, which I hope you will let me call ILGRA, are evaluating
2. Either way it is a mouthful.
(Mrs McDonald) Yes, it is. That Group is evaluating
in some detail what is in there with a view to deciding whether
there are areas where we ought to either promote best practice
guidance or actually there are areas where we need to fill any
particular gaps. During the course of the summer
the Treasury also published a draft of its Orange Book, and I
hope Members of the Committee have now received the final version
which was put out very shortly before this meeting.
3. I think we have it.
(Mrs McDonald) The Treasury have asked departments
to report progress on how they are going to handle risk within
the new framework of statements of internal controls which will
be introduced for real from the year 2002. I might ask Brian Glicksman
to just say a little bit more about that. Another point I wanted
to make is we see ourselves as involved in a process of continuous
work within this whole area of risk management and improved performance
and service delivery, so there are other things going on as well.
For example, the Chief Scientist updated the guidance on handling
scientific risk in the summer. ILGRA itself is doing more research
on the precautionary principle. There are a variety of areas where
we, within the Cabinet Office, with the Treasury are thinking
about whether we need to do more work ourselves.
4. Unless Mr Glicksman has a pressing need to
tell me something we will move on because you have given me a
fairly rounded view of that question. My next question relates
to paragraph 2.4. Here all Government activity involves some risk
which, if not well managed, can result in public services not
being delivered on time, being of poor quality or not cost effective.
Yet that paragraph tells us the NAO survey found that departments'
approach to risk management was very much focused on minimising
financial loss or preventing impropriety. That is clearly very
important. There is less recognition by departments that risk
management is about ensuring the achievement of outputs and outcomes,
and having reliable contingency arrangements to deal with the
unexpected which might put service delivery at risk. In front
of this Committee in the last year passports leap to mind as an
example where service delivery was at risk. What are you doing
to make departments understand that these are also essential requirements
of effective risk management?
(Mrs McDonald) Again, if I may, there are a number
of things that we are doing jointly. Firstly, the promotion of
better business planning is a plank of Sir Richard Wilson's Civil
Service Reform Programme. We are working with a man called Clive
Elphick who has come into the Cabinet Office from the private
sector, from United Utilities, to take an overview of how departments
do their business planning process and see where there are areas
or gaps where we can promote best practice. Since the Spending
Review last summer, we have been working with the Treasury on
improving the formal system of monitoring on a quarterly basis
the way in which departments are meeting their Public Service
Agreement targets and their Service Delivery Agreement targets.
A much more intensive process of monitoring is designed for the
new targets that start to bite from 1 April next year on which
we will be working jointly at both ministerial and official level.
Then we have been promoting better understanding of the basic
agenda which is to try to ensure that risk management is about
all aspects of business from policy development through to managing
particular projects but also through to service delivery on the
ground. We have had several seminars ourselves. The Centre for
Management and Policy Studies, which is part of the Cabinet Office,
has had some joint seminars with ministers and officials on the
subject. Both the College, the Treasury and ourselves have arranged
conferences. We have had several occasions where we have joined
with the NAO in trying to promote the message to a wider audience
and, indeed, I think our next one is on 20 March where I believe
you are going to come and take part.
5. I believe so. Let us move on. Paragraph 2.20
is the substance of my next question. More joint working between
departments, agencies and other public and private sector organisations
is important to improve service delivery for citizens, and I suspect
it is going to get rather more important in the coming years,
both under joined-up government but also through the PFI. If it
is to be successful, departments need to be alert to the risks
associated with working with others which might adversely affect
service delivery. But only one in eight departments said that
they knew about the strengths and weaknesses of the risk management
systems of other organisations they work with. How can that be
(Mrs McDonald) This is an area where we think we ought
to be doing more work, but there are a number of things in train,
or things that have happened previously, which might help people
to think in a more cross cutting manner. We have got a number
of cross cutting programmes which are being promoted as part of
the modernising agenda, not based in the Cabinet Office, but in
departments, like Sure Start. We have also got in the Cabinet
Office itself a number of cross cutting units which while working
on their own specific area, such as the Social Exclusion Unit,
have developed ways of working in the cross cutting manner across
departments, particularly on the Neighbourhood Renewal Strategy
which we are evaluating in a formal kind of sense in order to
promote best practice there. Also we have one or two examples
of long-term strategies. The Drugs Unit within the Cabinet Office
has a ten year strategy. To deliver that strategy it requires
a number of other departments to be co-operating against meeting
a communally agreed set of targets, particularly the Health and
the Home Office. It is the responsibility of the Unit to see that
performance against those targets, which have milestones across
the ten years, has worked, so they have both a co-ordinating and
a driving role there. We also have, ourselves, since we asked
for material in the summer, set up a Cross Cutting Risk Management
Steering Group which, in fact, the Treasury chair, Brian chairs,
which is designed to engage a number of departments, plus ILGRA,
to talk about the issues that are emerging both from the risk
management frameworks and from the returns and the statements
of internal control. Our real feeling is the issue is not so much
understanding about each other's risk management systems, it is
really understanding how people perceive the priorities in their
particular area and ensuring that there is not a mismatch of priorities,
so you are heading off. We think we will probably want to do some
more work about vertical risk transfer and horizontal risk transfer
within the various units of the Cabinet Office to unpick that
a little bit further.
6. Let us move on to paragraph 2.24. Early warning
indicatorssuch as sudden increases in claims for damages,
increases in customer complaints, IT or other quality failuresare
all useful for alerting managers that risk is increasing or that
circumstances have changed to the extent that new risks may exist.
Fifty-three per cent of departments responding to the NAO survey
said that such early warning reporting mechanisms are not in place
or they do not work, in other words are ineffective. What is being
done to remedy that?
(Mrs McDonald) I think we will use the risk frameworks
that are published and the evaluation I have already mentioned
to look hard at what early warning systems are in place. Some
people do have quite well established early warning systems or
methods of approach which are basically early warning systems,
like the HSE or the Environment Agency; others do not have such
clear cut early warning systems. We think in terms of the general
embodiment in achieving business objectives then the PSA/SDA approach
to setting clearer targets with outcome requirements and milestones,
monitoring of that will help as well. We have also got some work
going on where a number of departments have set up futures units
and the Cabinet Office will take an overview and try to get almost
a corporate overview of the sum total of what are thought as priorities
across those. We have examples of departments taking a lead in
trying to engage their colleagues across Whitehall in areas that
are of particular concern. So DETR, for example, has done a lot
of research work on climate change and is looking at the impacts
of that ahead on their own immediate programmes and asking other
departments to do the same kind of thing.
7. You mentioned HSE as a good example of advance
warning systems, but might it also be an example where advance
warning systems are not taken seriously? Railtrack, broken rails,
known about for years but nothing done.
(Mrs McDonald) I do not know any details about Railtrack
and so on. I know HSE said yesterday that part of what their current
examination is that they will look back at their system as well
as forward about what should happen. If you want me to get a further
note from colleagues, I can.
8. I only raised it because you cited it as
an example of good practice. I can tell you that because this
Committee looked at the Railtrack issue and looked at things like
the HSE warning of broken rails which were there for years before
the Hatfield accident and it was quite clear that for one reason
or another action was not taken by the relevant operator, Railtrack.
It is quite important if you look at risk warning systems that
you make sure that the control loops are completed. Perhaps you
could have a look at that.
(Mrs McDonald) I certainly agree that just having
an early warning system on its own does not actually resolve the
problems of how you manage the risks subsequently and what judgments
9. I was thinking it might be a good case study
for one of your colleagues. I will move fairly quickly on because
I am using more than my time. Paragraph 3.19 is my next point.
I see from the memorandum which you and the Treasury have submitted
to the Committee that at the end of December 2000 17 departments
had published frameworks covering their approach to risks directly
affecting the public. What is your assessment of the adequacy
of these frameworks and how will you monitor departments to ensure
that they are assessing the risks identified?
(Mrs McDonald) Our first very broad level sighting
shot is that they are mixed and those who have had them for some
time and are much more closely involved in areas that have a high
impact in terms of risk have got better frameworks in place. Some
other departments are beginning to think harder, we think, about
the totality of the risk management statement. We will look at
these in much more detail and we will get the risk experts on
ILGRA who work with us to take an independent view, as it were,
apart from our taking a view. We will, as I said earlier, look
for areas which we think are generally weakest and applaud those
which look generally good and try to promote best practice and
move the base position forward, if I can put it like that.
10. My next question will relate to 3.15, 3.13
and some things not in the report. My experience of Whitehall
is there is a growing tendency for process to take over. One of
the problems here is probably partially a problem of culture of
incentive, both in terms of reward and penalty and in terms of
management grip. I think I told you at one of our other meetings
we had the Ministry of Defence in front of us, asked them about
a billion pound overhaul and when asked how that came about they
said "we did not forecast it properly", missing the
point entirely that it is a question of grip and control of the
management, not about just forecasting how big the numbers will
be. There is a danger, is there not, that all of this will end
up in a blizzard of initiatives and will end up as a series of
forms to be filled in and actually we will not change the culture,
the approach, the method that the private sector uses of breaking
the risk down into small bits so that you can control each one.
All of those things will not happen if you allow it to go down
the bureaucratised route. How do you respond to that and how would
you deal with that?
(Mrs McDonald) I hope that the fact that most departments
are now trying to embed risk as part of their main business planning
process, associating responsibility to those who lead in particular
areas of responsibility within departments, will actually help
avoid too much over-bureaucratization. I think as part of the
Civil Service Reform Programme, which Sir Richard Wilson leads,
there is a real attempt to shift the culture. There is going to
be a new performance management system, a new pay system, which
consultations have just started on. It is attached to a new definition
of what are the skills and competencies that are required at senior
levels which positively promote supporting and being innovative
and taking measured risk and knowing what you are doing, as positive
skills. The way the format is set out is these are effective behaviours
and these are ineffective behaviours, and ineffective behaviours
are sticking with old ways of working and not doing things because
it is the safe route and so on. I think that approach, combined
with a much tighter definition of responsibility attached to particular
PSA targets or other key objectives within that performance framework,
actually can serve to tighten the definition of things that matter.
Equally, there is another part of this programme which is about
leadership which does mean the people at the top of Civil Service
departments both showing that they mean to follow through on that
approach and that they themselves behave in that kind of manner
in areas that they are particularly taking a lead on. There is
an attempt to shift to that culture. I think part of your question
was related to more specifically how we manage things, projects,
contracts, different kinds of procurement. We have, in the Office
of Government Commerce, been working on a much tighter approach
to project management and in the area for which I have particular
responsibility, the E-Envoy area, we have worked across the boundaries
to tie that approach into managing IT projects, for example. So
basically we are going for independent reviewthe term being
used is "gateways"early on which says why are
you doing this, do you know why you are doing it, and promoting
the approach that says it may be better to break a big project
down into small bites and take it a step at a time, which is the
way in which we are developing the knowledge network. Sorry, the
terminology is confusing. The bit of infrastructure we are building
on which you can do, say, interactive transactions is also called
the "Gateway". We are doing it a step at a time in all
departments. The E-Envoy's office announced that the Envoy would
lead a programme of oversight of the major IT projects going on
across Whitehall to ensure that they are pursuing the principles
and approach adopted in those guidelines.
11. Good afternoon. You asked the departments
to report to you last October on the development of their risk
assessment process as it related to the statements of internal
control. What was the result of that in October?
(Mrs McDonald) Perhaps I could ask Brian to reply
to that because, in fact, those went back to the Treasury rather
than the Cabinet Office.
(Mr Glicksman) This was a request that we asked departments
for to give us an indication of what progress they were making
with preparations we had asked them to carry out for statements
of internal control. We addressed our request to the Government
departments rather than all the agencies and NDPBs.
12. What was your success rate?
(Mr Glicksman) We have had reports from all the main
Government departments that we wrote to and we have also had a
selection of responses from small Government departments and,
in addition, some agencies and NDPBs that we did not specifically
write to but who volunteered information.
13. So did 100 per cent of Government departments
meet that deadline?
(Mr Glicksman) I do not think they all met the deadline.
It was not a deadline, it was just a request for information by
a date. We were not being rigid about the date by which they had
to reply. We have now had responses from all the main Government
14. You have to assess, of course, a number
of important factors, some of which you are commended for in here.
How important is it to set clear management objectives for departments
on risk assessment?
(Mr Glicksman) I think that one of the problems departments
may have had with answering the survey on this point is we have
tended up to now to emphasise that objectives should be related
to outcomes rather than objectives related to processes. So when
they were asked about objectives for risk management, which is
essentially about a process, a lot of departments felt this was
not the way in which they had constructed their objectives in
the past and that was why the NAO tended to get a lowish response
in relation to that question.
15. That lowish response was 75 per cent saying
that they did not set these clear management objectives?
(Mr Glicksman) That is right.
16. Are you saying that they did not have clear
processes or they did not have clear outcomes?
(Mr Glicksman) I think I am saying that they did not,
at the time that the NAO did its survey, define objectives in
that way. They tended to define objectives in terms of the outcomes
they were trying to achieve rather than processes like risk management
which contribute to those outcomes. Therefore, when the survey
asked them "have you got objectives for risk management",
it is perhaps not surprising that a lot of them said, no, they
17. Why is it not surprising? When did it become
a Cabinet Office priority to have such objectives?
(Mrs McDonald) Our priority is to ensure that the
people have systems in place to show that they are identifying
and thinking about the risk that attaches to various parts of
their business, so if they are developing policy and they are
thinking about how it is implemented, they are thinking about
the risks associated with that process. There are different varieties
18. When did you start that?
(Mrs McDonald) I think we have over the last ten years,
between us, put out quite a lot of advice about handling different
aspects of risk. I think what we were looking for in both asking
for the published risk management frameworks and for the development
of the risk element of the statement of internal control was to
get a much more comprehensive lifting of risk within the agenda
recognising that it was relevant to the totality of the business
and not just the bits that we thought were risky because they
were a safety hazard or there was a scientific uncertainty but
there were just as big risks about other elements.
19. Your awareness of this as an issue of however
important a priority has gone back for ten years?
(Mrs McDonald) Certainly it is about ten years ago
since the Treasury put out a guidance on doing the investment
4 Note by Witness: 1st draft published February
2000; revised draft published August 2000. Back
Note: See Evidence, page 000 (PAC 00-01/130). Back