Risk and Issue Management

In common with any responsible organisation, a public inquiry will wish to draw up a risk management policy and establish risk registers and issue logs that will form part of the inquiry’s system of internal control and governance. The policy should outline the public inquiry’s underlying approach to risk management and set out key aspects of the risk management process and identify the main reporting procedures.

It may be prudent to adopt HM Treasury’s definition of risk: ‘uncertainty of outcome, whether positive opportunity or negative threat, of actions and events’ (The Orange Book: Management of Risk – Principles and Concepts, October 2004, para.1.2, HM Treasury). The Office of Government Commerce define an issue as ‘a concern that cannot be avoided […] whereas a risk may not actually materialise’ (Management of Risk, OGC).

By managing threats effectively any public inquiry will be in a stronger position to deliver its objectives. By managing opportunities it will be better placed to improve service levels and provide value for money to the public purse.

Managing risk must not a one-time activity, but rather must be a continuing process. The goals of the public inquiry’s risk management strategy are likely to include: integrating risk management into the culture of the inquiry; managing risk in accordance with best practice; fully documenting major threats and opportunities; clearly identifying risk exposures; implementing cost effective actions to reduce risk and ensuring conscious and properly evaluated risk decisions.

Risk appetite

The Orange Book defines risk appetite as the ‘amount of risk which is judged to be tolerable and justifiable’ (para.1.3). As a publicly funded entity with no long term planning requirements a public inquiry may well feel that it is prudent and appropriate to adopt a cautious attitude to risk.

Every discrete risk identified must be individually assessed in order to ascertain the most effective means of addressing it.

A model risk assessment criteria and methodology

The Robert Hamill Inquiry adopted the following model for assessing risks. The extent of a risk was assessed by qualitatively evaluating its impact, the consequences of the risk arising and the likelihood of the risk occurring.

Impact was divided into three categories, assessing the potential of the risk to: i) cause delay to the oral hearings and/or the production of the report; ii) adversely affect the operational work of the inquiry and iii) cause reputational damage.

Each category was rated on a scale from 1 to 4:

  • minor: 1
  • moderate: 2
  • significant: 3
  • severe: 4

The likelihood of a risk occurring was similarly assessed:

  • remote: 1
  • possible: 2
  • probable: 3
  • more probable/likely: 4

The sum of the three categories of impact was multiplied by the likelihood to give an individual risk assessment score that could be graphically represented on a red/amber/green (RAG) basis:

(graph to go here...)

This allowed the inquiry to compare risks and concentrate efforts on addressing those that are most urgent, using established transfer, tolerate, treat or terminate methodology.

A commitment to effective risk management allows a public inquiry to ensure it achieves its desired outcomes; effectively constrains threats to acceptable levels and take informed decisions about exploiting opportunities.

Effective risk management allows stakeholders to have confidence in the public inquiry’s corporate governance and its ability to deliver its objectives.