Two government entities with separate but related responsibilities were to be amalgamated. One was constituted as a statutory authority, reporting to a Board and staffed by employees of the authority, while the other was a conventional government agency staffed by public service employees. The amalgamation entailed a physical move for all the staff, a shift to a new organisational structure, significant changes to infrastructure and support services such as IT and communications, and the adoption of a new role in government and the community.
This case illustrates how the context setting stage of a risk assessment delivered considerable value in its own right as well as laying a sound foundation for the analysis that followed and the value that it provided.
Two government entities operated in separate but related areas. One was a statutory authority reporting to a Board and staffed by employees of the authority, many of whom were engaged on long-term contracts. The other was a conventional government agency staffed by public service employees who enjoy, among other things, the right to apply for public service roles in other departments and to move between departments and agencies without affecting the terms of their employment.
The new organisation was to be a statutory authority reporting to a Board. All staff would have to move to new offices. A new organisational structure was to be developed and IT, communications and other services were to be reviewed and rationalised. At the time of this work, the government’s intention had been declared but Board appointments were not settled. The mission of the new entity had only been set out in broad terms in a ministerial speech and press release.
A risk assessment was required as input to the work of management teams responsible for various aspects of the transition. This was very deliberately framed as a tactical exercise to support the transition process. While it was to take account of strategic risk management in the two organisations, it was not intended to supplant the strategic work and, as it served a different purpose, it did not need to mirror those processes.
The approach followed the process described in ISO 31000 Risk management – Principles and guidelines (Figure 1).
There was a great deal of uncertainty about the future. In particular, strategic planning had not reached the point at which it could be used as a focus for the transition risk assessment. There was broad understanding of the principles that government expected would guide the new organisation, and both existing organisations had a substantial body of important work in hand that they knew they needed to sustain.
Two separate groups of people with different business cultures were coming together in a new organisation with a role that was, initially, only loosely defined. There was a danger that a risk assessment of the transition would raise more questions than it answered. To manage this, considerable attention was devoted to establishing the context with senior managers from both organisations.
Establishing the context
Drawing on senior personnel from both organisations, the context for the risk assessment was established by:
- Gathering information about the existing organisations’ responsibilities and the new organisation’s role
- Working with a small group of managers to draft a context statement for the risk assessment and refining this draft through several iterations
- Holding a workshop with the senior management team as a whole to explain the planned risk assessment process and review the draft context statement
- Updating the draft and circulating it among the management team for final comment
- Issuing the context statement with an agenda for a subsequent risk assessment workshop.
This ensured that the risk assessment workshop was underpinned by an agreed view on:
- Internal and external factors having a bearing on the transition
- Stakeholders and their objectives
- A scale to describe the effectiveness of existing controls associated with each risk
- Criteria to be used to rate the consequences of risks with scales describing various levels of consequence
- A scale to be used to describe the likelihood of experiencing a given level of consequence
- A risk rating matrix to combine consequence and likelihood ratings into an overall rating for each risk
- A set of key elements to be used to stimulate the identification of risks and to ensure that time spent in the workshop was well managed.
The risk assessment workshop was conducted in two parts. One dealt with legislation, business systems, personnel and facilities. The other looked at work in hand, fresh responsibilities being assigned to the new organisation, IT and communications, external stakeholders and then, to ensure that nothing important was overlooked, matters that might not sit easily under the other headings.
Risk identification and analysis proceeded key element by key element, with a bow-tie structure (Figure 2) using the following steps:
- Risks were identified and described with a summary label and a selection of causes and impacts
- The effectiveness of controls was assessed
- A consequence rating was assigned and then a rating for the likelihood of experiencing that level of consequence
- A risk rating was assigned based on the consequence and likelihood ratings
- A potential exposure rating was assigned describing the level of consequence that might be expected if the controls failed to operate in the intended manner.
At the end of each workshop, the initial risk analysis outcomes were reviewed to ensure they were consistent and reasonable.
The workshops proceeded smoothly with very little debate about the process being used as this had been established in the context setting workshop. They ran to time and achieved a comprehensive coverage of the risks to the transition.
Thirty-six risks were identified. None was rated Extreme, 13 were rated High, 21 Medium and 2 Low. The high risks were concentrated on matters that could prevent the two organisations from carrying out their existing responsibilities.
Due to the fluid situation in which the transition was taking place, many of the items raised in the workshop were considered as likely as not (50/50) or more than likely (>50% chance) to affect the transition process. Since these were expected to affect the transition, they were flagged for consideration as planning assumptions. They related to staff wellbeing and morale, misunderstandings on the part of other sections of government or external stakeholders, and difficulties with initial governance arrangements, all matters under consideration by the transition working groups at the time.
It is possible to carry out a useful risk assessment in a fluid environment, where it is difficult to make very firm statements about what constitutes success for an organisation, and with personnel from different business cultures and organisational backgrounds.
Establishing the context is crucial for any risk assessment. In situations such as this, not only is it crucial but the exercise of exploring and agreeing on the basic elements of the context delivers significant value in its own right. It is a process by which people with varying viewpoints, who are seeking to collaborate, can come to understand each other’s point of view and agree on a common framework for priority setting.
We have found that careful attention to establishing the context, and holding separate workshops to do this, have played a significant part in many of our assignments, particularly those associated with amalgamating disparate teams and organisational change.