Funding Risk Management
Hello and welcome once again.
One of the challenges that many organisations have in relation to risk management is the funding and the budgeting of risk management.
We have a whole range of elements of the risk management framework within the organisation that require funding. Things like:
– Allocating finances for treatment strategies;
– Allocating money to be set aside if an incident that we have identified occurs (or even if there is an unknown unknown; something that we haven’t forecast);
– The provision of training for our people; or
– Third party accreditation or third party maturity assessment of our organisation.
All of those things need resources. In my experience however, what organisations tend to do is to identify the activities they are going to do throughout the cycle, and allocate budgets to those. They don’t look at the risks and they certainly don’t maintain a contingency budget to spend if that risk becomes an issue and the event happens.
As a result of that, what we find is that the organisation has said “I’m going to do 100 things during this particular period” and then some of those incidents start to occur. Well, where do we get the money for that? We take away some of the lower priority activities and we fund the incident management out of that.
Of course, if we’ve said that we are going to do 100 things throughout the year and we only manage to do 85 of those things because we’ve spent part of our budget dealing with those incidents, then our stakeholder community is going to be dissatisfied because we haven’t met those expectations. But if we identify those activities that we are going to do, we identify the risks that could occur, we fund the treatments for those out of our budget (and they become funded activities as well), we identify what our residual risk is and we maintain some contingency then we could actually say to our stakeholder community “we’re going to manage risk and we’re going to keep some money if things go wrong, but we’ll be able to do 90 or 95 events.”
The chances are that at the end of that cycle you will have met those expectations of your stakeholder community and because you’ve managed risk so effectively then you might have been able to exceed those and transferred some money across and fund some of the lower priority tasks that you had left off.
Now of course in Government, this is really problematic because we place the manner in which we are effective with our budget and our financial management as “how close?” Plus or minus one percent or plus or minus two percent in terms of our budget expenditure. But of course what we’re not doing is we’re not assessing what have been the outcomes. We’re saying, “we have an output here. We’ve met our output. We’ve spent all our money.” But are out stakeholder satisfied? Have we met their expectations? You’ve met your budget expectation targets, but what have we done with that money?
That’s the real challenge that I know Government departments are going to have. Particularly when we go into the PGPA world where you’ve got accountability for the management of risk, but the budgeting cycle and the way you allocate budgets and spend your money does not support the proactive management of risk. That is going to be a real challenge for you.
I will be speaking on that at the IQPC Risk in Government Conference in the Master Class on the 28th April 2014. So if you wish to hear more about it then I’d encourage you to come along to that particular master class.
That’s all I’ve got for right now. As always, let’s be careful out there.