The Orange Book: The Easy Guide to Managing Risks in the Public Sector: Part 2
HMG's Orange Book provides a guide to managing risks in the delivery of public services and change activities.
In this mini-series we will look at The Orange Book, the guide to managing risks in the delivery of public services and change activities. Published by HM Treasury, it gives guidance on key roles and responsibilities, and a Framework on how to manage risks and deliver effective risk management practices.
- In the first part, we will provide an overview, background and highlight the key principles.
- In the second part, we will look in more detail into the Main Principles and the Supporting Principles, which can guide delivery activity and operating activity.
- In the final part, we explore the Orange Book's Risk Management Framework, the supporting 'Three Lines Model', and some key guidance on how to conduct assessments.
The complete article can be found here
Part 2: Principles
The Orange Book sets out 5 main (A-E) and 41 supporting principles (A1-E4) for risk management in government. The main principles are mandatory requirements and form the core of the document. They provide the "what" and the "why", not the "how", for the design, operation, and maintenance of an effective risk management framework.
Principle A: Governance and Leadership
Risk management is a crucial part of governance and leadership. It's the backbone of how an organisation is steered, managed, and controlled at all levels. In simpler terms, it's like the captain of a ship, guiding the organisation through calm and stormy waters alike.
"Governance and Leadership" is broken down into 10 supporting principles:
A1: Tailored Governance
- Every public sector organisation should set up governance structures that fit its unique needs, size, and culture. It's like choosing the right outfit - it has to fit well and reflect who you are. People's behaviour and culture greatly affect risk management at every level and stage. The accounting officer, like a good teacher, should make sure that the right values and behaviours are well understood and followed by everyone.
A2: Leadership Assessment
- The accounting officer, with the board's help, should regularly check if the leadership style, opportunities for discussion, and HR policies support the desired risk culture. They should encourage good behaviour and discourage the bad. If things aren't going as planned, they should make corrections and ensure that the desired risk culture and behaviours are promoted.
A3: Strategic Risk Management
- The board should decide on the style and quality of risk management. They should lead in assessing and managing opportunities and risks. They should understand the main risks the organisation faces and how much risk they're willing to take to achieve their goals. Good risk management should support informed decision-making, ensure confidence in responding to risks, and provide transparency about the main risks faced and how they're managed.
A4: Clear Roles and Responsibilities
- The board should make sure that everyone knows their role in risk management. This helps in making effective decisions and knowing when to escalate, combine, or delegate tasks. The accounting officer should make sure that roles and responsibilities are well understood and followed by everyone.
A5: Regular Risk Reviews
- The board should regularly review how management is responding to the main risks. Risk should be considered regularly as part of the normal flow of information about the organisation’s activities and in significant decisions on strategy, major new projects, and other prioritisation and resource allocation commitments.
A6: Balanced Risk Reports
- Regular reports to the board should provide a balanced assessment of the main risks and the effectiveness of risk management. The accounting officer, supported by the Audit and Risk Assurance Committee, should monitor the quality of the information they receive and ensure that it is sufficient to allow effective decision-making.
A7: Tailored Risk Management Approach
- The accounting officer, supported by the Audit and Risk Assurance Committee, should establish the organisation’s overall approach to risk management. The risk management framework should be periodically reviewed to ensure it remains effective and suitable for the organisation.
A8: Designated Risk Leader
- The accounting officer should appoint a senior individual to lead the organisation’s overall approach to risk management. This person should be involved in and influence governance and decision-making forums and establish effective communication with the accounting officer, senior management, the board, and the chair of the Audit and Risk Assurance Committee.
A9: Resource Allocation
- The accounting officer should ensure the allocation of appropriate resources for risk management. This can include people, skills, experience, and competence.
A10: Demonstrated Leadership Commitment
- The accounting officer, supported by senior management, must show leadership and articulate their ongoing commitment to risk management. They should develop and communicate a policy or statement to the organisation and other stakeholders, which should be periodically reviewed.
Principle B: Integration
Risk management should be a part of all organisational activities. It's like a secret ingredient in a recipe that makes everything work together to achieve the desired outcome.
The "Integration" Principle is broken down into 5 supporting principles:
B1: Embedded Risk Management
- Risk management should be a part of everything an organisation does. It should be involved in setting strategies and plans, evaluating options, prioritising resources, managing performance, managing assets, and improving outcomes. The accounting officer, with the help of senior management, should make sure that risks are transparent and considered in every decision-making process.
B2: Effective Appraisal
- Effective appraisal helps to assess the costs, benefits, and risks of different ways to achieve objectives. When conducting an appraisal, risks should be identified and analysed in the design and implementation of options. This analysis should provide the foundation to understand the risks arising through chosen options and how these will be managed.
B3: Delivery Confidence
- Confidence in delivery should be supported by clearly identifying the main risks faced and how those risks will be managed within business and financial plans. It's like having a clear roadmap for a journey, knowing the potential obstacles and how to navigate them.
B4: Horizon Scanning and Scenario Planning
- The board and those setting strategy and policy should use horizon scanning and scenario planning to identify and consider emerging risks, threats, and trends. It's like using a telescope to look into the future, anticipating what might come and preparing for it. The Government Office for Science ensures that government policies and decisions are informed by the best scientific evidence and strategic long-term thinking.
B5: Public Protection and Assurance
- The government has a role in protecting and assuring the public. This includes taking cost-effective action to reduce risk to a tolerable level and providing accurate and timely information about risks to the public. Policy leads should involve the public, understand their concerns, and communicate good information about risk. The government will be open and transparent about its understanding of risks to the public and about the process it is following in handling them. Decisions for intervention will be based on relevant evidence, including expert risk assessment. Responsibility for managing risks will be placed on those best able to control them.
Principle C: Collaboration and Best Information
Risk management should be a team effort, informed by the best available information and expertise. It's like a group project where everyone brings their best knowledge and skills to the table.
"Collaboration and Best Information" is broken down into 6 supporting principles:
C1: Comprehensive Risk Management
- The accounting officer, with the help of the Audit and Risk Assurance Committee, should establish risk management activities that cover all types of risks. This requires collaboration and cross-organisational working through a range of public sector, private sector, and third-sector partnerships. The risk management framework should provide a comprehensive view of the risk profile to support governance and decision-making.
C2: Partnership with Arm's Length Bodies
- Government departments often sponsor arm’s length bodies, which they are ultimately responsible for, while allowing a degree of independence. Effective relationships and partnership working between departments and arm’s length bodies are critical. The principal accounting officer should consider the organisation’s overall risk profile, including the risk management within arm’s length bodies.
C3: Systematic Risk Management
- Risk management processes should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of experts and stakeholders. Information and perspectives should be supplemented by further enquiry as necessary and should reflect changes over time.
C4: Stakeholder Consultation
- Those assessing and managing risks should consult with appropriate external and internal stakeholders. Communication should be continual and iterative, supporting dialogue, providing and sharing information, and promoting awareness and understanding of risks.
C5: Communication and Consultation
- Communication and consultation should help stakeholders understand the risks faced, the basis on which decisions are made, and the reasons why particular actions are required and taken. It should bring together different functions and areas of professional expertise in the management of risks and build a sense of inclusiveness and ownership among those affected by risk.
C6: Functional Integration
- Functions within and across organisations should play an integral part in identifying, assessing, and managing the range of risks that can arise and threaten successful delivery against objectives. Function leads should provide expert judgement to advise the accounting officer on various aspects, including setting strategies and plans, evaluating programmes, projects and policy initiatives, prioritising resources, identifying and assessing risks, determining the risk appetite, designing and operating internal controls, and driving innovation and improvements.
Principle D: Risk Management Processes
Risk management processes should be structured and include risk identification and assessment, risk treatment, risk monitoring, and risk reporting. It's like a well-organised toolbox, where each tool has a specific purpose and place.
Principle D "Risk Management Processes" is broken down into 16 supporting principles:
D1: Systematic Risk Management
- The accounting officer, supported by their nominated individual responsible for leading the organisation’s overall approach to risk management, should ensure the adequate design and systematic implementation of policies, procedures and practices for risk identification and assessment, treatment, monitoring and reporting.
D2: Risk Identification
- Risk identification activities should produce an integrated and holistic view of risks. The aim is to understand the organisation’s overall risk profile. Risks should be identified whether or not their sources are under the organisation’s direct control.
D3: Risk Assessment
- Risk assessment, which incorporates risk analysis and risk evaluation, is necessary to evaluate the significance of identified risks to support decision-making.
D4: Risk Analysis
- Risk analysis is to support a detailed consideration of the nature and level of risk. The risk analysis process should use a common set of risk criteria to foster consistent interpretation and application in defining the level of risk.
D5: Analysis Techniques
- Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of evidence and the resources available. Limitations and influences associated with the information and evidence bases used should be explicitly considered.
D6: Risk Evaluation
- Risk evaluation should involve comparing the results of the risk analysis with the organisation's risk appetite to determine where and what additional action is required.
D7: Risk Treatment
- Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in enhancing the achievement of objectives against the costs, efforts or disadvantages of proposed actions.
D8: Treatment Implementation
- As part of the selection and development of risk treatments, the organisation should specify how the chosen option(s) will be implemented, so that arrangements are understood by those involved and effectiveness can be monitored.
D9: Contingency Planning
- Where appropriate, contingency, containment, crisis, incident and continuity management arrangements should be developed and communicated to support resilience and recovery if risks crystallise.
D10: Risk Monitoring
- Monitoring should play a role before, during and after implementation of risk treatment. Ongoing and continuous monitoring should support understanding of whether and how the risk profile is changing and the extent to which internal controls are operating as intended.
D11: Monitoring and Review
- The results of monitoring and review should be incorporated throughout the organisation’s wider performance management, measurement and reporting activities.
D12: Integrated Risk Management
- The “three lines model” sets out how these aspects should operate in an integrated way to manage risks, design and implement internal control and provide assurance through ongoing, regular, periodic and ad-hoc monitoring and review.
D13: Risk Reporting
- The board, supported by the Audit and Risk Assurance Committee, should specify the nature, source, format and frequency of the information that it requires. Factors to consider for reporting include differing stakeholders and their specific information needs and requirements, cost, frequency and timeliness of reporting, method of reporting, and relevance of information to organisational objectives and decision-making.
D14: Information for Decision-Making
- The information should support the board to assess whether decisions are being made within its risk appetite to successfully achieve objectives, to review the adequacy and effectiveness of internal controls, and to decide whether any changes are required.
D15: Informative Reports
- Clear, informative and useful reports or dashboards should promote key information for each principal risk to provide visibility over the risk, compare results against key performance/risk indicators, indicate whether these are within risk appetite, assess the effectiveness of key management actions and summarise the assurance information available.
D16: Deep Dive Reviews
- Principal risks should be subject to “deep dive” reviews by the board and/or Audit and Risk Assurance Committee, with those responsible for the management of risks and with appropriate expertise present at an appropriate frequency depending on the nature of the risk and the performance reported.
Principle E: Continual Improvement
Risk management should be continually improved through learning and experience. It's like a cycle of learning, where we learn from our past, apply it to our present, and improve our future.
"Continual Improvement" is broken down into 4 supporting principles:
E1: Adapt and Improve
- The organisation should continually monitor and adapt the risk management framework to address external and internal changes. The organisation should also continually improve the suitability, adequacy and effectiveness of the risk management framework. This should be supported by the consideration of lessons based on experience and, at least annually, review of the risk management framework and the performance outcomes achieved.
E2: Learn from Experience
- All strategies, policies, programmes and projects should be subject to comprehensive but proportionate evaluation, where practicable to do so. Learning from experience helps to avoid repeating the same mistakes and helps spread improved practices to benefit current and future work, outputs and outcomes. Lessons should be continually captured, evaluated and action should be taken to manage delivery risk and facilitate continual improvement of the outputs and outcomes.
E3: Use Maturity Models
- Process/capability maturity models or a maturity continuum may be used to support a structured assessment of how well the behaviours, practices and processes of an organisation can reliably and sustainably produce required outcomes. These models may be used as a benchmark for comparison and to inform improvement opportunities and priorities.
E4: Develop Improvement Plans
- As relevant gaps or improvement opportunities are identified, the organisation should develop plans and tasks and assign them to those accountable for implementation. This is like creating a to-do list for improvement, where each task is assigned to the person best suited to complete it.
Summary: The Orange Book Principles
