Local authorities and public sector bodies are grappling with a broad spectrum of increasingly complex risks. Years of reduced central government funding and rising demand for public services have been further exacerbated by rising inflation, the increasing costs of borrowing, and burgeoning energy costs.

These challenges are having a significant impact on service delivery. Adele Taylor, Director of Finance and Customer Services for Cheshire East, explains: “We face a constant balancing act between demand-led services, such as social care and housing, and universal services, such as leisure facilities and bin collections, which can have a real impact on the wider determinants of health.”

Ian Cosh, Chief Finance Officer and Senior Information Risk Owner at Greater Manchester Police (GMP), also outlines some of the financial risks faced by public sector bodies: “The annual funding cycle makes it very difficult for finance professionals to deliver any certainty over their organisation’s financial position. It also creates significant financial risks in terms of the sustainability of operational activity.”

“Police forces are very demand-led, reacting to operational necessity. While you can anticipate and budget for a number of major incidents each year, you can’t know the nature of those incidents or how much resource you will have to pour into them. Managing that uncertainty poses significant financial challenges,” he explains.

Like many private sector firms, public sector organisations are also having to navigate risks associated with their supply chains, regulation and compliance, cyber security, and the environment. Reputational risk is another critical issue. “There is national dissatisfaction with public service delivery and with politics more generally. We have to consider what that might mean for us as an organisation,” says Taylor.

It is important for finance professionals to bear in mind that these risks are often interlinked. “Financial challenges could mean that we are really stretched operationally. Is the impact of this on services ultimately going to result in a deterioration of the trust and confidence of the public?” cautions Cosh.

Risk management

Risk registers are often used to document potential risks, their likelihood, and impact. “All of our projects and management teams have risk registers, with an appropriate level of risk management and review,” explains Taylor. “These feed up into an overall strategic risk register.”

Cosh outlines a similar bottom-up approach to risk: “Risks that are more manageable at a local level are dealt with by local risk management boards, but ultimately they feed up to a quarterly corporate risk board, which ensures a central understanding of the risks we face and the steps being taken to manage and mitigate them.”

When it comes to assessing identified risks, risk-based budgeting and scenario planning are vital tools. “At a detailed, practical level, the Police Uplift Programme is a good example. Every force had target numbers to recruit, with funding dependent on hitting these targets. The financial risk of not meeting recruitment numbers required collaborating with HR on recruitment flows and associated risks, such as higher than expected attrition, long onboarding processes and vetting timeframes, and modelling different scenarios to ensure we understood and minimised the risk,” Cosh says.

Once risks have been identified and assessed, they can be managed through mitigation strategies. These might include building financial reserves, adjusting budgets, or introducing internal controls to reduce the likelihood or impact of risks.

Governance structure

Robust governance structures are essential for effective risk management, ensuring accountability and adherence to risk management practices.

“Our Audit and Governance Committee is an incredibly important part of our assurance framework,” explains Taylor. “We have three to four independent members on the Committee. Having these independent experts is a really helpful exercise in holding a mirror up to the organisation. The Committee reviews our Strategic Risk Register on a regular basis and asks key questions around how risks are being managed, what mitigations we have in place and anything we may have missed.”

Internal audit functions are also critical, regularly reviewing an organisation's risk management processes, testing controls and making recommendations for improvement. “Our internal audit function’s focus on understanding, advising and offering early warnings on whether financial controls are operating properly means they form a key link between performance, finance, and risk,” says Taylor.

Organisational culture

It is important that risk management is seen as a strategic priority across the organisation, not just within finance. “Risk needs to be embedded in everything we do,” says Taylor. “For that to happen, senior leadership must be actively involved. All of our committee and decision making reports have a risk section. It’s then about having those discussions, examining the what-if scenarios.”

Finance teams need to work closely with other departments, whether that’s to identify risks in different service areas, or working closely with internal auditors to ensure that financial and operational risks are thoroughly examined. “Silo thinking can lead to missed opportunities, with risks falling through the gaps,” adds Taylor. “We have to focus on ensuring better cross- and multi-functional working.”

Finance professionals should be engaging regularly with councillors, department heads, and staff to ensure that all stakeholders understand the risks and their potential impact. Training and awareness sessions can also help non-finance personnel to recognise potential risks, clarifying each stakeholder's role in the risk management process and ensuring informed decisions based on a solid understanding of risk.

“We bring in outside expertise for training, working closely with CIPFA and sectors such as insurance and risk management to advise us on how to anticipate risk and plan for it,” says Cosh. “We are focusing on getting people to think ahead to potential future risks and modelling worst case scenarios, which enables us to address these risks in the planning stage. Rather than reacting to events once they happen, we need to have proper plans in place for dealing with these risks if they were to crystallise.”