Financial and risk management

    Step back and see the full picture: lessons learned in risk management   

  • Posted on March 1, 2022 by

    Confessions of a risk manager

    A few years ago, I decided to renovate my bathroom. It wasn’t a small feat and required all new electrics, plumbing, new boiler, the works. I was reliant on contracted experts to get the results I wanted. I decided to handle the project management myself; I was confident, I’m a risk manager after all! Once the project was underway, little things began to go wrong: delays, disruptions and scheduling conflicts cascaded, and I found myself in the middle, firefighting. I could manage some of the problems myself, but most of the uncertainty was coming from the people and expertise outside of my direct control. I’ve made a resolution this year to start the next renovation project and I know that to succeed, I will need to learn the lessons from the past.

    Enterprise thinking

    Uncertainty is at the heart of risk management, and without a doubt we have been living in very uncertain times over the last two years. The impact of the pandemic has been felt across all sectors and has redefined the risk landscape. Here at the NAO, the increased level of uncertainty has influenced our programme of value for money and insight work. It sharpened our focus on the arrangements in place for government to identify, evaluate, and respond to risks. In our latest preparedness report: The government’s preparedness for the COVID-19 pandemic: lessons for government on risk management we found the pandemic has exposed vulnerabilities in government’s approach to managing whole-systems risks and that lessons, that would have helped prepare for a pandemic like COVID-19, were not fully implemented.

    Enterprise thinking in risk management allows us to integrate the practice of risk management across the whole system, from strategic decision making to execution and delivery. However, looking at uncertainties inside the organisation won’t give us the full picture about what is happening outside and across other organisations. We need to step outside and look out into the extended enterprise. If we think of an organisation as a castle, the extended enterprise refers to anything outside of the castle walls. To go back to my project: I was on the inside and close to the project, and I wanted the project to succeed, clouded by optimism and missing the full picture. I’d forgotten to account for what might be happening outside of my “castle walls” and how uncertainty would impact what I was trying to achieve.

    I am of course not alone in having optimism bias. Being close to the detail is not a bad thing, in fact it’s often vital, but when we’re on the inside it’s much harder to cast our view out to the horizon and to see the uncertainties just out of focus. We need to see the whole system in order to anticipate, coordinate and prepare for what might happen, even if we’re really hoping it won’t.

    Connecting the dots

    By taking an enterprise approach to identify, evaluate, and respond to risks, we get a better understanding of the full picture. We can see the interdependencies and connections between the various risks facing the delivery of objectives. The NAO’s reports NHS backlogs and waiting times in England and Reducing the backlogs in criminal courts are both clear examples where identifying the complex interdependencies and taking a whole-systems approach will be needed to tackle and improve outcomes. For instance, understanding the inherent risks of harm to patients as a result of longer wait times, and the cascading impact this could have on local partnerships, community support and organisations outside of the NHS.

    Yet, applying this thinking to the extended enterprise of government will also be necessary to tackle and achieve some of the most complex risks of today and of the future. In our report Achieving net zero we concluded that the all-encompassing nature of net zero means that all government bodies, including departments, arm’s-length bodies, and executive agencies, have a role to play. This is perhaps the clearest example of the importance of whole-systems thinking and enterprise-wide risk management.


    We mustn’t forget that uncertainty can generate both threats and opportunities. We’re often taught to see risks only as threats. However, those threats can also present us with opportunities to improve, providing we have the desire, agility, and resilience to respond and act. I’ve already started planning for my next project and I know that by applying the lessons learned from last time I can increase my chances of success.

    As we continue to recover from what we hope is the worst of the pandemic, it’s important to look at the full picture, identify the lessons and apply improvements where we can. Our lessons learned programme of work at the NAO has highlighted opportunities to strengthen government’s approach to risk management, to ensure that it includes a clearer view of whole system risks. Applying this learning will require collaboration not only within and across government but also across sectors and the entire extended enterprise. The challenge question is: who is providing the enterprise view of risks across the whole of government and what other lessons are there to be learned?

    You can read more about our findings and insights on our website.  Links to the specific reports and topics explored in this blog are set out below:

    Please feel free to comment and share your thoughts, your views are very welcome.  

    About the author

    Russell Heppleston

    Russell Heppleston is a Risk Manager for the Financial and Risk Management hub at the NAO. He joined the NAO in 2021 as an experienced risk manager with over 15 years’ experience working in Local Government, specialising in internal assurance, risk and governance. He is a Chartered Internal Audit Leader (QIAL) and Certified Risk Manager (CMIRM).

  • A small leak will sink a great ship: the need to counter fraud and error in government

  • Posted on November 16, 2021 by

    My outdoor tap leaks. Not very much, just a small drip. And though I put a bucket underneath to catch the drips, I’ll admit that sometimes the bucket overflows before I can use the water in my garden. I know I should find out if it’s just a dodgy washer or I need a replacement tap but somehow it never makes it to the top of my to-do list.

    Out of interest, the other day I looked up how much a leaky tap costs the average household. Potentially hundreds of pounds each month, so safe to say it makes financial sense to get it fixed. Then I saw that leaky taps cost UK householders an estimated £3 million every year. Thousands of little drips adding up to a big chunk of money being washed away.

    The Government Counter Fraud Function (GCFF) faces a similar challenge when trying to tackle fraud against the public purse. Government estimates that £26.8 billion a year is lost to fraud and error in the tax and welfare system, but for me, the most surprising thing is that GCFF estimate that up to £25 billion a year more is lost through fraud and error in other areas of government spending. The measurement data available suggests that most departments are losing a relatively small amount to fraud and error every year, but these hundreds of small leaks add up to an eye watering cost to the taxpayer.

    Part of the problem government faces is this sheer diversity of risk – fraud and error impacts everything from grants and procurement to income collection. Fraud and error has also traditionally been the sole responsibility of each department to manage leading to considerable variations in approach to similar risks. Although this has clear benefits for accountability, focusing on risks by organisation rather than type and across multiple organisations leads to missed opportunities. Most government grant programmes are likely to face similar challenges when it comes to managing fraud and error risks, even if their exact nature varies.

    The GCFF was established in 2018 as a means to bridge these gaps and bring together the 16,000 or so people working in public sector counter-fraud to share knowledge and best practice. Though progress has been made, in June 2021 the Committee of Public Accounts reported that the “Cabinet Office and HM Treasury’s central mechanisms for managing fraud and error are still in their infancy”.

    There are also less than 7,000 recognised counter-fraud professionals working across central and local government and policing, with more than 75% of these working in tax and welfare. That doesn’t leave many qualified specialists to tackle all the other fraud risks across government.

    The GCFF recognises that the information it holds on fraud and error losses outside the tax and welfare system needs improvement – its fraud loss estimate of 0.5% to 5% of expenditure is a massive potential range. In our Good Practice Guide on Fraud & Error, we set out how departments need to ensure they have a cost effective control environment. This means doing everything they reasonably can to minimise fraud and error, to the point where doing anything more would have a detrimental impact on wider objectives. In a world of limited resources is it enough to replace a washer or do they need a brand new tap?

    The Good Practice Guide also includes our Fraud and Error Audit Framework, developed over several years based on best practice in government and the private sector. Fraud and error risk is continuously evolving, and the Framework provides a structure for assessing how management uses an iterative approach to measure the effectiveness of its counter-fraud and error activities and to continuously improve its controls.

    Ultimately, without more precise information on the scale and causes of fraud and error outside the tax and welfare system, government risks large amounts of fraud and error remaining unidentified or untackled. Ensuring that more effort goes into improving government’s understanding of exactly where money is leaking from the system is a key focus of our ongoing work on fraud and error. Now, more than ever, it’s important to make sure that vital taxpayers’ money isn’t being washed down the drain.

    About the author

    Katie Dixon manages our work on fraud and error within the Financial and Risk Management Hub. She joined us as a trainee in 2011 and, after qualifying as an accountant, completed a master’s degree in counter fraud and counter corruption studies. She has experience auditing fraud and error risks across financial, investigative and value for money audits and represents the NAO on several public sector fraud expert panels.

    Follow Katie on LinkedIn

  • Climate Change risk: Are We Doing Enough, Fast Enough?

  • Posted on September 13, 2021 by

    “The world is now living through climate change, not watching it draw near” is the stark warning delivered by the IPCC (Intergovernmental Panel on Climate Change), in its sixth assessment report (AR6).

    In risk speak, high-impact, low-likelihood events will become more likely with higher temperatures.

    With COP 26 fast approaching and extreme weather events becoming an uncomfortable ‘new normal’ across the world, not a week goes by without media coverage of the physical risks of climate change, whether it be the scorching heat in Canada, wildfires in the Americas, or devastating floods in Germany, India and China.

    So, are we acting fast enough?

    The verdict from the Climate Change Committee’s June progress report is “with every month of inaction, it is harder for the UK to get on track” with its climate ambitions.

    To gauge the level of climate change risk maturity in government we surveyed Chairs of Audit and Risk Assurance Committees (ARACs). While four out of five ARAC Chairs considered climate risks to be relevant to their organisation, over half noted that their organisation did not have a climate or sustainability risk policy or a dedicated employee accountable for either. Additionally, seven in ten Chairs said that climate change risks had either never been discussed at an ARAC meeting or had been discussed less than annually.

    Against this backdrop, we intend to help government organisations start the conversation around climate change risk.

    What is climate change risk?

    As risk professionals we tend to think in terms of “what could go wrong?” and “how can we manage these risks?”.

    Government organisations have a huge challenge in trying to balance short, medium and long-term risks. The UK, and indeed the rest of the world, are still recovering from the COVID-19 pandemic, which showed how crucial it is for organisations to have the resilience to respond to high-impact, low-likelihood events. It is important that a true assessment of long-term risks is considered.

    Our good practice guide intends to help with this. In setting out the wide variety of potential risks that climate change can bring about, it will help all organisations across government – not just those responsible for leading on climate policy – identify and effectively manage a variety of climate change risks. These risks stretch beyond the physical risks, such as the impact of rising temperatures. They also include the risks posed by the transition to net zero and risks specifically posed to government organisations.

    How to support and challenge management

    Our guide further allows audit and risk assurance committees to constructively challenge management’s approach to climate change risk.

    This can be done across the whole risk management cycle: from initial identification and assessment, to treatment and monitoring, through to risk reporting and continual improvement.

    For many organisations effectively managing climate change risk will be a long journey. Our challenge questions are a great tool to help you do this.

    [Figure: Example questions for the risk management principle ‘Governance and leadership’]

    Key takeaways of the Good Practice Guide can be found here. We hope you find it helpful.

    Authors: Mfon Akpan, Chris Coyne, Courtnay Ip Tat Kuen


    About the authors           

    Mfon Akpan

    Mfon leads our Financial and Risk Management Hub. She is a Big Four trained multi-disciplinary Risk, Assurance and Governance professional with over two decades of cross-border leadership experience across the financial services industry and beyond.

    Mfon has held roles at a number of blue-chip institutions, including the World Bank Group as a Risk Management Specialist, Standard Bank Group where she was the Chief Risk Officer and Regional Head of Risk for its operations in Nigeria and across West Africa, respectively, and Barclays Group Plc where she was an Audit Director.

    Follow Mfon on LinkedIn

    Chris Coyne

    Chris manages our work on financial and risk management. He has been with the NAO since he joined as a graduate trainee in 2008, and has significant experience managing financial audits across a variety of government organisations.   

    Follow Chris on LinkedIn 

    Courtnay joined the NAO in 2013 as a graduate trainee. She has experience leading and managing audits in the public, commercial and charity sectors, as well as acting as an Ambassador for the International Technical Cooperation team.

  • Achieving excellence in Public Sector reporting

  • Posted on May 20, 2021 by

    Good reporting in the public sector should allow the public and Parliament to easily understand an organisation’s strategy and the risks it faces, how much taxpayers’ money has been spent and on what, and what has been achieved as a result. Following the challenges of the last year, most notably COVID-19, clear and transparent reporting is hugely important.

    Transparency and accountability are central to strong financial and risk management in government, and this is supported by clear and understandable reporting. With that in mind, we’re delighted to share a recent National Audit Office report which cuts to the heart of this: the Good Practice in Annual Reporting Guide. Our guide sets out good-practice principles around a number of key areas to help public sector organisations to compile their Annual Reports. Those principles are:

    • Accountability  
    • Transparency 
    • Accessibility 
    • Understandability  

    Building on these principles, our guide provides some excellent examples from public sector organisations that we think are leading the way. Below we have picked out a few key takeaways for organisations to consider as part of their preparations for 2020-21 Annual Reports.  

    Risk and Governance: There should be an increased focus on the risks and challenges of recent events and how these are managed, including: 

    • Frank and honest analysis of how COVID-19 (and other risks) have impacted operations and how the taxpayer’s money has been spent and managed.  
    • Clear depiction of the governance and risk management framework to demonstrate an organisation’s processes to identify, monitor and mitigate risk. 
    • Transparent reporting of complex technical judgements and decisions. We anticipate, given the challenges brought about by the pandemic, spending reviews and EU Exit, that organisations may enter complex transactions or arrangements. These transactions should be disclosed transparently and in a way that is understandable to the users. 

    Strategy and Operations: There should be a clear articulation of purpose and objectives, and how an organisation’s operations support their objectives. In particular:  

    • Clarity around an organisation’s purpose, strategic objectives and values and how these feed into the performance of the organisation and any related risks, with reference to its external environment. 
    • Celebration of Diversity and Inclusion within annual reports. Employee costs make up most of the central government expenditure and people are undoubtedly an organisation’s most precious asset.  Organisations should consider what their employee data says about them and whether reporting could be improved in this area. 

    Measures of Success and Financial Performance: There should be a balanced assessment of goals achieved and performance against targets, and financial performance should be understandable and consistent with the underlying financial statements. For instance:  

    • Better trend reporting. Trend analysis over time is a strong indicator of performance and achievements and a good way for the reader to hold organisations to account. Organisations should consider what trend data is being published and what story they are trying to tell.  
    • Better, more accessible information on non-financial metrics affecting organisations, such as sustainability reporting. Organisations should seek to portray non-financial data in simple terms to help tell a story and show clearly how it is linked to their operations.  

    Lastly, the NAO co-sponsor the annual Building Public Trust Awards, Public Sector reporting category with PwC, to give credit to organisations who are demonstrating excellence in government financial reporting. If you believe your organisation’s 2020-21 annual report and accounts is an example of excellent reporting, you can nominate it for the Building Public Trust Awards – Public Sector Reporting Award by emailing Building.Public.Trust@nao.org.uk by 30 June 2021.  

    Authors: Chris Coyne, Rachel Nugent, Catriona Sheil and Courtnay Ip Tat Kuen.

    Chris Coyne

    Chris manages our work on financial and risk management. He has been with the NAO since he joined as a graduate trainee in 2008, and has significant experience managing financial audits across a variety of government organisations.   

    Follow Chris on LinkedIn

    This article was first published on OneFinance (login required) 
