Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Enterprise Risk Management (ERM) is becoming an important topic and activity worldwide. This is in part because of COVID 19. COVID 19 focused the public’s attention on health risks. As the world comes out of the pandemic crisis, the focus, particularly in government, will be on other risks. Already, in the United States, cities which defunded the police, are reallocating money back due to rising crime. However, because of the political atmosphere and retirement of senior officers, cities are having trouble recruiting enough people to fill the vacated ranks. Adding to this problem are the consequences of riots and work from home. In many urban areas, the result has been a hollowing out of the urban core.
Portland Oregon, where I live, is an example. Most of the city center and associated small businesses are boarded up. Foot traffic is down. Riots continue to wreak havoc on part of the core. All 50 members of the riot response unit have resigned. As a result, the city no longer has individuals specifically trained in riot response available to respond. In addition, north of the throughfare which cuts the city center in half, are homeless encampments. The homeless are now allowed, by city council resolution, to camp on any publicly owned property including sidewalks. This means walking downtown will require navigating through homeless encampments. Such action can be risky for an adult, let alone a family with young children.
Complicating the situation are two other factors. First, lock downs crushed small businesses. Second, work from home helped reduce foot traffic in the central core. Work from home also calls into question the need for so much office space downtown. Since many companies will continue to have a portion of their work force working from home, they will not need as much office space. Excess office space, a lack of foot traffic, occasional riots and homeless encampments all contribute to a hollowing out of the downtown core. This erodes property values and local government’s tax base. In addition, the lock downs threw millions out of work. Many became homeless.
Several of the now obvious problems were risks which could have been identified early. Moreover, if ERM had been a part of the administrative process at the outset, the resulting adverse impact may not have been as great.
Could Some of the Adverse Impacts Been Avoided?
ERM is an administrative process which helps an organization identify and prioritize the risks it faces. It also provides a vehicle for discussing mitigative actions and their possible consequences.
The dominate ERM model in government is the International Organization for Standardization (ISO) 31000. ISO 31000 provides a stepped sequence for identifying and managing risks on an enterprise-wide basis. (1) The culmination of the process is risk register. The risk register is a prioritized list of the risks identified by staff, management, and the governing body. It also indicates the rating of the risk and the mitigation efforts being used to reduce any adverse impact.
Even though the risk register is the end results, their publication, even in the public sector is limited. Also limited is any publication of risk registers over time. The rest of this piece looks at the risk registers of the Flintshire County Council in the United Kingdom for 2016 and 2020. Flintshire County Council provides an example of risk register use over time. The register shows the interrelationship among risks and rating change.
Flintshire County Council
Flintshire, like all local government in the United Kingdom, is under a requirement to publish a risk assessment annually. (2) This requirement is part of the core principles of a Good Governance in local government framework. One element of this framework is: “Managing risks and performance through robust internal control and strong finance management.”
In 2015, Flintshire updated its ERM process. The updates included: moving from a 3 x 3 matrix to a 6 X 4 matrix, providing clear guidance for escalating and reviewing risks and reporting risks more prominently in council reports. The four risk levels are color coded. Green is insignificant, Yellow is minor. Orange is moderate. Red is major.
Below is the Current Risk assessment by percentage for 2016 (3) and 2020 (4). Also for 2020 is the Risk Trend.
2016 Current Risk 2020 Current Risk 2020 Risk Trend
Insignificant 9% Insignificant 6% Decrease 30%
Minor 18% Minor 11% Maintained 62%
Moderate 67% Moderate 68% Increased 8%
Major 7% Major 15%
The data shows that the Shire Council has been effective in reducing identified risks. The largest reduction has occurred in the minor category. It saw a reduction of 7% points. Insignificant decreased by 3% points. On the other hand, Moderate risks increased by 1% points, while Major risks increased by 8% points.
The data also indicates that the process of risk management is dynamic. Some risks are modified and some move from one level to another. The infrastructure risk is an example of modification. It moved from a general risk description to several more focused risks. Below are the risk descriptions for 2016 and 2020 and potential effect impacts.
2016 – Infrastructure does not keep pace with needs and business is lost to the economy.
Potential Effect: The potential impact would include businesses choosing not to locate in Flintshire, existing businesses finding it harder to justify remaining in the area and a worsening quality of like, where for example, traffic congesting increases.
2020 – Insufficient funding to ensure our highways infrastructure remains safe and capable of supporting economic growth.
Potential Effect: Deterioration of the condition of highways in Flintshire.
2020 – Failure to deliver Growth Deal projections within Flintshire.
Potential effect: Reputational risk to the Council. Infrastructure investment does not keep pace with needs and business is lost to the economy. Support for businesses in Flintshire does not match need and fails to encourage investment.
The above risks were rated as moderate in 2016 and 2020. However, in 2016 the infrastructure risk description was broad. By 2020 some aspects had been separated out for individual attention. The split is a recognition of the need to clearly identify risk and the fact that a number can be interrelated.
Affordable housing provides another example of the interrelated nature of some risks. Below is the risk description for both 2016 and 2020 and the 2020 Progress Comment for affordable housing.
The supply of affordable housing will continue to be insufficient to meet community need.
Potential effect: Increase in homelessness. Increase in people sleeping rough.
Flintshire clearly recognized that the availability of affordable housing is related to homelessness. Homelessness, in turn, provides an example of a risk level that changed.
2016/2020 Homelessness will remain a growing area of demand due to current economic conditions.
Progress Comment. “Homelessness remains a high area of risk as a result of a number of ongoing factors, but it is important to note the risk of an increase in homelessness post COVID-19 is significant. The service is at the moment receiving only approximately 50% of presentations compared to this time last year but this is in the main due to the measure put in place by the Government to protect people from homelessness during Covid-19. At the same time, it is unclear what will happen once existing measures are withdrawn post COVID-19 …” (5)
As with many governments around the world, homelessness has become an increasing problem. Flintshire has rated Homelessness a major risk. The lack of funding is one reason. But rent arrears accrued during the pandemic period and financial hardship through loss of employment are other contributors.
The lack of affordable housing, which is rated moderate, is another contributor to the homelessness problem. Its availability could mitigate some of the homelessness problem. However, the ability to provide affordable housing depends on the availability and prioritization of resources.
Flintshire County Council is an example of a local government which has tracked their risk mitigation overtime. The County Council has a sophisticated risk register. It recognizes the interrelationship among risks. It shows that mitigative actions taken in one area of risk can impact other risks. The historical data indicates improvement in risk management have occurred.
However, ERM should not be considered a cure all. As seen in the case of homelessness, the success of some mitigative efforts may depend on policies enacted by higher levels of government. In other cases, a lack of resources may limit the extent of mitigative action. Nevertheless, the ability to prioritize risks and identify interrelationships helps management and governing bodies make better decisions.
- Kline, James J, 2019, Enterprise Risk Management in Government: Implementing ISO
31000:2018, CERM Academy, Portland OR, available on Amazon.
- Kline, James J. and Greg Hutchins, 2019, Auditors, Accountants and ERM, Journal of Government Financial Management, Winter, pages 33-37
- Flintshire County Council, 2016, Strategic Risk Report, July 4, https://committeemeetings,flintshire.gov,uk/ngCovert2PDF.aspx?ID=4568
- Flintshire County Council, 2020, End of Year Council Plant Risk Report 2019/20, https://committeemeetings.flintshire.gov.uk?documents/s61519/Enc.%202%20-%20Council%20201920%Risk%20Registerpdf.
- Ibid page 4
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager. He has work for federal, state, and local government. He has over ten year’s supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He is the principle of JK Consulting. He can be contacted on LinkedIn. (My e-mail was hacked. For those who received a request for money, it was not from me. I apologize. I am working to resolve the issue.)