Globally, governments have been forced to act quickly in response to COVID-19 and to find new ways of working.
In many instances this has been effective, but it has also come at the expense of some of the usual rigor and diligence that is expected and required of governments. To support people and economies, governments have had to relax spending rules, implement changes rapidly and take shortcuts that may expose them to risk.
The risk landscape in the post-pandemic new reality will likely be one that has accumulated through each phase of the crisis, for instance:
- Many of the actions taken in the initial crisis reaction phase will need to be safely wound down over time, such as support payments, or they will need to be strengthened and moved to a sustainable footing (e.g. remote and flexible working).
- Resilience measures, such as new supply chains, will need to be tested and amended to ensure alignment, and reduce risk, to government outcomes and mission.
The recovery phase is posing a new set of risks in balancing health and economic imperatives, embedding alternative delivery methods (e.g. virtual courtrooms and wider transformation programs to maintain the pace of change).
Short term urgent issues need to be identified and patched up. Services and systems need to be pen-tested for cyber weaknesses, processes need to be reviewed to give leaders assurance and the control environment needs to catch up with the new reality to help ensure that government processes are secure, robust and effective.
In managing risk, leaders should ensure that the control environment accelerates rather than forcing the business of government to slow down. Digital tools enable live reporting so government should become comfortable using that information to make decisions, rather than returning to reliance on lengthy, retrospective program reviews and academic evaluations before acting. In testing for payment integrity and compliance, governments can leverage analytics and rules engines to quickly identify suspect applications to focus the time and effort of their teams.
For instance, in the Netherlands when COVID-19 containment measures caused a significant drop in the revenues of small and medium-sized businesses, the country’s enterprise agency (RVO) was tasked with providing compensation. The organization quickly mobilized an online solution that could process applications in a timely and accurate fashion while identifying possible fraud scenarios.
Meanwhile in Australia, to support businesses, the Queensland State Government has adopted a dynamic risk framework for use by individual businesses in their return to operations. The framework includes COVID-19 safe checklists, and plans that businesses can adapt to their needs, while also providing a decision-tree of when it is possible to re-open and how, based on specific industry characteristics.
With organizational structures up in the air, leaders need tools that give a current and clear understanding of how risks affect the operation of their business. Across large and complex organizations, a cyberattack will have wide operational consequences and leaders need to understand potential weaknesses and impacts to be able to prepare for them. The same applies as large government programs adapt to the new reality. This work will likely come under significant scrutiny to achieve value for money, so leaders need a live view of progress, risks and confidence levels in program outcomes.
In addition to the internal control environment, COVID-19 has also fundamentally changed the external risk landscape and is expected to continue to do so. In taking direct roles in economic management by guiding how economies can open up, governments have taken an active role in safeguarding the health and livelihoods of their populations. Additionally, they will need to navigate complex policy factors arising from the crisis such as inequality, growth, sustainability and climate change.
In this dynamic risk landscape, the previous understanding of risk as a static multiple of likelihood and impact no longer works. A risk register approved the week before may well be out of date, leaving leaders vulnerable when making decisions. Leaders need a current picture of their whole risk landscape, which reflects the interrelationships between risks, the contagion factor between those risks and how those risks will develop over time. Risk analytics tools and capability that convert live data from changing risks can enable leaders to be informed but still act fast.
Clearly the risks that governments face have changed significantly, both in terms of their people, operations and service delivery. Leaders need to have a clear and current understanding of risk across the organization to be able to plug critical gaps, reform their appetite and build a new approach. Government has previously been risk averse and taken a necessarily conservative role behind the pace of society, but in the new reality the sector needs to become comfortable leading.
Throughout this website, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International.