Risk assurance and risk management:

Corporate/institutional scandals are nothing new, but the prevalence and scope of recent public inquiries such as those relating to the Post Office and the government’s handling of the Covid-19 pandemic have brought issues of Board-level governance and risk management ‘out of the shadows’ and exposed them to public and quasi-judicial scrutiny. Underlying themes of Paula Venells’ evidence to the Post Office inquiry were claims that she was not made aware of key information and that matters pertaining to risk were not brought to her attention. 

Whether that claim is accepted will be matter for the Inquiry to determine, having regard to all the evidence before it. One of the objectives of an effective risk assurance/management framework is to ensure that the identification and handling of material risks by an organisation are not left to ad-hoc communication lines between individuals but are embedded in a structured process that enables threats and opportunities to be identified, planned for and managed. 

Management of risk is a challenge for any organisation, but especially so in healthcare. Bodies such as NHS Trusts are large, complex and multi-faceted organisations that face a variety of internal and external challenges, including varying and in some respects unpredictable demands from patients and pressures relating to workforce, premises and resources. Those challenges must be seen in the context of government targets for innovation and the digital agenda. For all organisations, increasing geopolitical risks including the use of AI, supply chain instability, stock market volatility and political uncertainty mean that effective risk management has become more important than ever. 

Every organisation will have its own risk appetite – the amount of risk it is prepared to take or accept in pursuing its objectives or, to put it a different way, the boundaries or levels of risk within which it wishes to operate. Proper evaluation and application of risk appetite supports decision making in times of uncertainty. It can provide a top-down direction as to how much risk the leaders of the organisation are prepared to accept, and in what fields of activity, in pursuit of the strategic objectives of the organisation and what are seen as the key risks and opportunities facing the organisation. It can then inform policy creation and key decision making including in relation to capital investment and the strategic direction of the organisation. 

Risk appetite applies to opportunities as well as threats. In relation to threats, risk appetite is about identifying the level of exposure which can be tolerated should the risk materialise. This involves balancing the cost/impact of minimising the risk with the cost/impact of exposure and finding the place that can be tolerated. By contrast, setting risk appetite in relation to opportunities requires consideration of how much the organisation is prepared to actively put at risk in order to realise the benefits of the opportunity. It requires balancing the potential value/gain of the benefit against the potential loss/impact involved in pursuing it. 

Securing engagement with risk management at Board/senior decision-making level is needed to enable the setting of risk appetite, the use of an effective risk register and risk assurance processes to provide protection and drive growth. Risk appetite should be seen and used as a live tool, owned and promulgated by senior leaders to manage the organisation and pursue strategic objectives and drive growth.  

The effectiveness of a risk management framework is not just dependent on engagement with it. That effectiveness is also dependent on the quality of the information on which decisions are made, including information from an operational level, and on the operation of effective escalation processes that ensure that the right groups are sighted on the right risks. The Board or equivalent cannot be sighted on every risk but the escalation process should operate to ensure that risks that are strategically, financially or reputationally significant are brought to the attention of the right people at the right time.  

Coroners are increasingly issuing ‘Prevention of Future Death’ (PFD) reports to a wide range of organisations, highlighting systemic or other failings that they consider caused or contributed to a death and requiring action to be taken to eliminate or reduce the risk of death. There has been a recent focus on systemic failings, such as failures to ensure staff were properly trained, to have in place effective systems to ensure lessons from adverse incidents were properly identified and disseminated and cultural failings. These are all matters on which the Board/senior decision-makers should be sighted before they become the subject of a PFD report and are all matters that can be encompassed within the risk management framework.  

In changing times, it is important to ensure that senior decision-makers are sighted on risk and that assurance/management procedures are in place that provide for risk appetite/ratings to be kept under regular review and calibrated as necessary as circumstances change. The adoption of a positive risk culture, achieved through engagement with the risk register and risk management procedures at the top of the organisation, has benefits in providing protection while driving growth.