This article provides an overview of modern risk management as practiced in the public sector.
Risk is a fact of life and a fact of government. To accomplish any major public policy goal and any financial goal-building a new municipal stadium or funding a retirement plan, for instance-requires taking on risk. Moreover, the government's Chief Financial Officer (CFO) often is called upon to understand, manage, and mitigate the risks associated with government projects.
Understanding Risk Management
Finance directors and other staff in the finance department must have an awareness of the evolving field of risk management, if for no other reason than to understand the "shocks" that can occur to the government's budget when unforeseen events threaten to disrupt the plans envisioned in the annual budget. Moreover, three factors make an understanding of risk management vital to the exercise of the OFO role.
First, finance departments are often the locus of the risk management function. In fact, the most common place to house risk management activities is within the finance department--it is more common than legal, human resource, or stand-alone risk management departments.
Second, risk management in some ways is bucking the trend of privarization. Risk management is being brought back in-house through the hiring of full-time risk management specialists. Ironically, the traditional model of risk management was to outsource nearly all risk management activities to an insurance company. Nowadays, many governments (particularly larger governments) believe it is more cost effective to take on the financial cost of risk directly. This is often referred to as self insurance or risk retention, in which, for example, a government would pay out-of pocket the cost of an incident under a certain dollar threshold (larger catastrophic losses would still be shifted to either an insurance company or "risk pool").
Third, and most familiarly, governments have gone through a litigation revolution that has seen the erosion of long-standing tort immunity. The notion of sovereign immunity has clearly been scaled back in the last 20 years or so as governments have been successfully sued for damages in a number of areas. A number of these areas are prominent in the news media, such as incidents where policing techniques have been challenged. For example, high-speed police chases, racial profiling, and the use of excessive force have all been areas of legal dispute.
Of course, policing is not the only area of risk to state and local governments. Technology has created a new source of risk for local governments. As noted in GFOA's An Elected Official's Guide to Risk Management, information technology (IT) has altered the risk profile of a government. IT liabilities that risk professionals must attend to include:
* e-mail--It is necessary for managers to emphasize the importance of maintaining communication standards. The same standards that apply to other official correspondence (e.g., letters and faxes) should apply to e-mail. Because of "open records" laws, employees should be reminded not to write in e-mails anything that they would not want posted on a bulletin board.
* privacy--Public-sector use of technology to maintain citizen and employee records has the potential to improve efficiency and streamline operations. However, a failure to maintain sufficient levels of privacy and data integrity may inadvertently create perils such as "identity theft" or harassment of persons targeted in a database, by perpetrators who gain access to the personal records of their victims. At the same time, open records laws hamper the ability to keep information confidential.
Risk Management Program
* e-Commerce--e-commerce and other types of on-line transactions are threatened by "hacker" attacks and viruses that might interrupt government operations or result in the denial of service to citizens seeking information from a government's Web site. …