The actions and decisions of public servants have consequences for the reputation of their department, and the confidence of Canadians in the government’s ability to deliver on its commitments. Not surprisingly, they are cautious and often take precautions to ensure that many risks are mitigated to a point as close as possible to zero.
This risk-averse culture often results in increased costs, less timely action or reduced output for government operations. This article identifies some of the underlying factors leading to this culture and offers some solutions. The authors interviewed six senior managers at the deputy minister and assistant deputy minister levels in the public service of Canada to discover what drives risk aversion in the public sector and how oversight bodies can help.
The first factor identified was policy. There is a common misconception among public service managers that all policies are designed to control risks, whereas some policies are driven by political needs. Decisions are often made, especially for internal operations, to ensure that policies are respected to the letter despite operational realities. Senior managers interviewed indicated that they are often faced with situations where the best course of action requires decisions that can sometimes go against established policy requirements. This is an important factor.
The need to increase controls and thus take less risk can also be driven by a reaction to an event. In cases where a department had just experienced a failure in their program delivery or received a negative audit, managers may overreact by implementing controls to directly address the symptoms identified instead of making efforts to identify and address the underlying risk drivers leading to these events.
Given all of the factors that managers must consider when making decisions, it can be a challenge for managers to understand what is expected in either accepting or mitigating identified risk. Two broad approaches were identified in our interviews.
The first was in using Risk management tools and processes. Although some departments have made significant progress in this area, there is still a lack of fundamental risk management tools and processes in place to identify, understand, assess and mitigate risks. There is also a lack of understanding that no two risks have the same level of tolerance, and that tolerance levels change over time. Risk tolerance discussions need to be held at key governance committees to develop a common understanding of the current context facing a department, including ministerial direction, public environment, or resource or operational constraints.
The second was in judging where operational risk outweighed compliance risk. Sometimes, non-compliance to certain administrative policies is acceptable. One of the most compelling examples in this regard would be the need to protect the health and safety of Canadians. It is our opinion that if timely actions were needed to address risks to Canadians in a crisis situation such as a natural disaster, most Canadians (including politicians, public servants and civilians) would accept a certain level of low risk non-compliance to certain administrative policies.
Oversight Bodies Can Help: Here’s how
The third was in seeking the advice of the many assurance providers in the Government of Canada that provide services in helping departments understand and manage risk and controls. This group includes Internal Audit, the Office of the Auditor General, the Privacy Commissioner, the Information Commissioner and others.
They have common approaches, though they have different stakeholders and mandates. When they conduct assurance engagements and look at compliance with policies, however, they need to understand the context and environment in which decisions are made. In most cases, oversight bodies will accept a valid reason for non-compliance, especially in a situation where there is a sufficient audit trail and evidence to support the decision that was made.
Their objective is also to provide advice on how to balance controls and risk. When making recommendations to management, oversight bodies must consider whether the corrective actions are appropriate to the circumstances. Oversight bodies should be just as concerned about an over-controlled, and consequently ineffective or inefficient environment, as they are about an under-controlled environment. Too many controls lead to unnecessary red tape that in turn creates inefficiencies and diverts resources away from higher risk areas.
We challenge all assurance providers to be aware of the environment in which decisions are made and be able to advise public service managers on the best controls to use in light of risks and risk tolerance. This begins by avoiding recommendations that address risks that are already well below their tolerance level. Assurance providers must also make efforts to identify areas that will improve efficiencies while still maintaining an effective risk management balance.
Louis Seabrooke is the Director of Internal Audit at the Canada Revenue Agency and Greg Nesbitt is the Director of Audit at the Public Service Commission of Canada.
