Monitoring policy and clarifying responsibilities are critical factors
Risk identification and management is a critical function of audit committees (ACs) across Canada for virtually all types of organizations. When it comes to the public sector, however, risk must be understood and framed differently than in public or larger private companies, as should the way ACs approach and manage it.
AC members are often first appointed to a public sector audit committee as a result of their governance or management experience in the private sector. Translating that skill set to the public sector, however, typically requires a very different way of looking at risk—one that may not be immediately intuitive.
For those without public sector management or board/AC experience, the shift from private sector priorities and risk concepts can be confusing. The focus is no longer primarily on selling goods and services for maximum revenue at the least cost (i.e., maximizing shareholder value), but rather on delivering service to the public and fulfilling the entity’s mandate in the most effective and efficient way possible (maximizing stakeholder value using scarce resources). It’s a very different way of looking at an organization’s operations, and it changes the way AC members must consider risks as well.
How is risk different in the public and private sectors?
There are a number of areas where risk factors and focus diverge between the private and public sectors, including:
How can public sector ACs enhance their risk posture?
Public sector ACs should first consider their risk framework at the enterprise level before focusing on controls at the process level. What internal or external factors could prevent the organization from achieving its mandate? Which risks are most potentially damaging to organizational goals? These questions should be addressed before implementing or restructuring process/transactional controls to be certain fundamental barriers to success are not overlooked.
Risk management workshops—where management, audit committee and other board members challenge the organization’s conceptual understanding of its risk profile—can be an extremely effective and valuable means of refocusing the approach to risk management. In addition, significant cost savings can be realized through identification of organizational redundancies and encouragement of a more lean approach to processes. While the public sector is often hesitant to spend scarce funds and further tax the time demands of management and board members, the benefits of an enterprise risk management exercise can be substantial.
The stakeholder conundrum
In the end, one of the most challenging aspects for public sector AC members can be getting clarity around the stakeholder relationship and the resulting risk responsibility involved. In the private sector, stakeholders are typically an identifiable group, with whom relationships and responsibilities can be fairly easily defined. In the public sector, stakeholders can include an enormous range of clients, customers and vendors, as well as those who simply rely on public services every day. It is virtually impossible to truly know who all potential stakeholders are for public sector organizations. Nevertheless, the approach to risk management must consider who all those stakeholders might be, as the ultimate responsibility of the public sector audit committee is to the public.