This section summarises sections on risk management in “Intelligent Monitoring: an Element of Financial Relationships with Third Sector Organisations” published by the National Audit Office in 2009.
What is risk management?
Any financial agreement carries some risk [Note 1]. Manage risk; do not seek to eliminate it. Eliminating it would be both impractical – since the cost of removing all risk may be far more than the cost of risk if it materialises – and undesirable – since well-managed risk taking also presents opportunities to innovate, experiment and develop new ideas where more traditional ways of working are not able to deliver real change.
Some programmes are inherently risky – for example, because they deal with an innovation that may not work as hoped. You and your governors (Ministers, councillors, Board members etc) need to be clear about the level of risk you are prepared to take [Note 2].
Depending on the nature and confidentiality of such risks, you may involve stakeholders, including potential providers, in this work. For some programmes, there is a risk committee, with external members, to help with this.
Risk management needs to be done throughout the period of a financial agreement [Note 3]. The first stage is to identify the risk before the financial agreement is put in place [Note 4]. This will help you make decisions further into the process. You should reassess risk on a regular basis to identify new risks that have arisen, changes in existing risks, or risks that have ceased to be relevant.
Types of risk
There are four types of risk [Note 5]:
- Financial – the risk that the budget you and the provider have agreed may be exceeded; and/or that there is poor value for money. You should also consider risks to regularity and propriety.
- Performance – the risk that the outcomes for the programme that you and the provider have agreed may not be met.
- Reputational – the risk that unwanted actions of the provider may bring it, the programme or the funder into disrepute.
- Opportunity – the risk that the funder or the provider, because they have not assessed risks accurately and are risk averse, decide not to take an opportunity that presents itself and so damage their effectiveness.
At the start of the financial agreement, you should agree a risk register with the provider. To save on duplication of work, you should draw on any risk register the provider already has.
Once the risk register has been drawn up, it provides a basis for monitoring [Note 4]. This can be done by periodically updating and circulating the register. If the assessment of risk remains the same, no further special action is needed. If risk is assessed as greater, defences against risk (identified in the risk register) will need to be deployed. These may require more focused monitoring but are likely to need closer management and action – possibly even termination of the financial agreement.
Note 1: Improving Financial Relationships with the Third Sector: Guidance to Funders and Purchasers, HM Treasury, National Audit Office, Office of Government Commerce, 2006.
Note 2: Known as ‘risk appetite’. See chapter 5: Risk Appetite, The Orange Book: Management of Risk – Principles and Concepts, HM Treasury, 2004.
Note 3: The Orange Book: Management of Risk – Principles and Concepts, HM Treasury, 2004.
Note 4: Managing Risk with Delivery Partners, HM Treasury.
Note 5: The first three are drawn, with small changes in terminology, from Good Practice Contract Management Framework, National Audit Office, 2008. The fourth type is identified in The Orange Book: Management of Risk – Principles and Concepts, HM Treasury, 2004.