Meeting the public sector risk management challenge | KPMG | CA
Share with your friends

Meeting the public sector risk management challenge

Meeting the public sector risk management challenge

Monitoring policy and clarifying responsibilities are critical factors



Related content

Risk management, public sector, board of directors

Risk identification and management is a critical function of audit committees (ACs) across Canada for virtually all types of organizations. When it comes to the public sector, however, risk must be understood and framed differently than in public or larger private companies, as should the way ACs approach and manage it.

AC members are often first appointed to a public sector audit committee as a result of their governance or management experience in the private sector. Translating that skill set to the public sector, however, typically requires a very different way of looking at risk—one that may not be immediately intuitive.

For those without public sector management or board/AC experience, the shift from private sector priorities and risk concepts can be confusing. The focus is no longer primarily on selling goods and services for maximum revenue at the least cost (i.e., maximizing shareholder value), but rather on delivering service to the public and fulfilling the entity’s mandate in the most effective and efficient way possible (maximizing stakeholder value using scarce resources). It’s a very different way of looking at an organization’s operations, and it changes the way AC members must consider risks as well.


How is risk different in the public and private sectors?

There are a number of areas where risk factors and focus diverge between the private and public sectors, including:

  • Focus of the risk register—Private sector risk registers often focus primarily on threats to revenue generation and cost containment. While there may be some commonality, a public sector organization’s risk register will typically focus on threats that, if not addressed, will impact the organization’s ability to deliver on its mandate in a cost-effective manner. It will also likely be focused on risks arising from government policy changes. A public or private company might monitor those risks, but would be unlikely to significantly alter corporate strategy as a result, while public sector activities can be significantly altered or even halted when policy changes.
  • Cyber security—Private sector corporations are primarily concerned with the potential impact on competitive edge through loss of corporate assets, trade secrets and other proprietary information to cybercrime, while the public sector must consider reputational risk and protecting stakeholders (students, patients, citizens, taxpayers) from unauthorized access to information. While such loss is important to the private sector as well, for the public sector—where often one can’t simply switch providers when trust wanes—the political fallout of cyber breaches can be devastating.
  • Fraud—While misappropriation in any organization is a consideration in addressing risk, public company audit committees are equally, if not primarily, focused on fraudulent financial reporting, which is less of a focus in the public sector. Because of the stewardship function they serve, public sector organizations are primarily focused on risk of misappropriation of cash and other assets. Corporate theft in the private sector may, to some extent, be accepted as a cost of business—even factored into the organization’s risk tolerance—and typically does not garner the publicity it does in the public sector, where misappropriation of any amount is considered an unacceptable risk. Avoiding the public exposure and fallout associated with theft of public funds and other assets, irrespective of the dollar amounts involved, should be a critical component of a public sector audit committee’s risk management process.

How can public sector ACs enhance their risk posture?

Public sector ACs should first consider their risk framework at the enterprise level before focusing on controls at the process level. What internal or external factors could prevent the organization from achieving its mandate? Which risks are most potentially damaging to organizational goals? These questions should be addressed before implementing or restructuring process/transactional controls to be certain fundamental barriers to success are not overlooked.

Risk management workshops—where management, audit committee and other board members challenge the organization’s conceptual understanding of its risk profile—can be an extremely effective and valuable means of refocusing the approach to risk management. In addition, significant cost savings can be realized through identification of organizational redundancies and encouragement of a more lean approach to processes. While the public sector is often hesitant to spend scarce funds and further tax the time demands of management and board members, the benefits of an enterprise risk management exercise can be substantial.

The stakeholder conundrum

In the end, one of the most challenging aspects for public sector AC members can be getting clarity around the stakeholder relationship and the resulting risk responsibility involved. In the private sector, stakeholders are typically an identifiable group, with whom relationships and responsibilities can be fairly easily defined. In the public sector, stakeholders can include an enormous range of clients, customers and vendors, as well as those who simply rely on public services every day. It is virtually impossible to truly know who all potential stakeholders are for public sector organizations. Nevertheless, the approach to risk management must consider who all those stakeholders might be, as the ultimate responsibility of the public sector audit committee is to the public.

Connect with us


Request for proposal