Original (Dutch) by Jos Moerkamp | 2006 (translation by Jack Kruf | 2023) 

Interview with Dr. Lynn Drennan, CEO of ALARM, about risk management

The European example of well-developed risk management in the public sector is Great Britain. In the country where you can insure yourself against almost anything, governments and other public organisations appear to do a lot to eliminate and limit risks. ALARM (Association of Local Authority Risk Managers) has grown into a national forum for public sector risk management, with over 1,800 participating organisations. A conversation with Dr. Lynn Drennan, ALARM chief executive.

She has only been in office since August this year, but Lynn Drennan has been active in the field of risk management for many years. She was affiliated with Glasgow Caledonian University, ’the only university in Europe that offers a university degree in risk management,’ says Drennan. “And that since 1982. Many of our graduates now work as risk managers in the corporate world, for consultants such as Marsh and Aon and for public organisations.”

Great Britain is seen as a pioneer in risk management in the public sector. Do you share that view?

Drennan: “Sure. Risk management has a history of about three decades here. Initially it was a matter for the private sector. But when business concepts spilled over from the business community to the government in the 1980s, the concept of risk management also took hold there. That eventually led to the foundation of ALARM. Some members were therefore already involved in the only risk management organisation that existed at the time. Due to common issues, different from issues in the business world, the need arose for an own organisation. That’s how ALARM started.”

Why is risk management in the British public sector more developed than elsewhere in Europe? In the 1980s, business concepts were also transferred to the government in the Netherlands.

Drennan: “I think a number of factors play a role. First of all, Great Britain has a long history of corporate governance. The 1992 Cadbury Report is the starting point. Although that report was primarily intended for listed companies, the ideas were soon adopted by public organisations. Faster than in other European countries (The Dutch corporate governance code dates from 2004, ed.).

The message of corporate governance is that the chief executive officers of organisations bear responsibility for all risks that their organisations face or will face. This responsibility obliges the effective identification, evaluation, removal or reduction and weighing of risks. The ideas of corporate governance have contributed significantly to putting risk management on the agenda, including in the public sector.

In addition, we had a national government that emphasized the efficient and effective use of public resources. I know that message is being preached everywhere now, but our government was early on. That heavy emphasis on effectiveness and efficiency is the second key that focuses on risk management. Because how can you provide the best services at the best prices if you don’t consider the potential dangers or bottlenecks that hold you back from that performance? This cause for the development of risk management has been particularly influential in the public sector.

I would also like to mention the growing claims culture as a reason. In this respect, too, Great Britain differs from other European countries. Many municipalities suffered from fraudulent claims. Individuals who made false or exaggerated damage claims because they fell over loose paving stones, for example. Initially, such claims were generally honoured.

After all, if you looked at the individual amounts, it didn’t differ that much and it was such a hassle to make it a case. But as the number and height increased, congregations became more resolute. They actually went to investigate cases and defend themselves against allegations. On the other hand, municipalities also started to pay more attention to possible risks, for both the public and their own employees.

This development also contributed to the maturing of risk management. I know that municipalities have managed many tons in compensation payments save. Finally, there may be a cultural-historical component. In Great Britain we traditionally approach risks from two angles. The first is insurance: where can I buy the cheapest policy to cover my risk? The second is the realisation that it may be more convenient to reduce or eliminate risks, that insurance is not always the only possible answer.”

United Kingdom: well-developed risk management in the public sector

Can you explain how to ensure that risk management is about more than controlling financial resources? Because that is already a highly developed discipline in the Netherlands.

Drennan: ‘Risk management in public organisations is – perhaps in the first place – about the reputation of organisations. After all, it determines the quality of democracy. For municipal organisations, the relationship with the local community is of decisive importance.

Themes that can cause fear or anxiety must be dealt with with the utmost care. Think of topics such as the closure of a hospital or a school. Or the construction of a new road. Or a wind farm, which, according to part of the community, affects the landscape. These are political choices, with supporters and opponents and with advantages and disadvantages.

In order to be able to do the decision-making process properly, you must properly manage the associated risks. For example, it is important to communicate very well with the community. In fact, you are already involved in risk management: managing the risks of political decision-making. “If we make this decision, what are the likely consequences? The likely reactions from sections of the public? What will our own employees think of it? ” Then you look for strategies to manage those risks as well as possible. You know you never please everyone, that’s inherent to political decision-making. But by thinking through how different stakeholders will respond, you can think in advance how to deal with those reactions, instead of being surprised by them.

I admit, this is a considerably more difficult aspect of risk management than calculating financial risks. In Great Britain, too, we still have to make considerable progress in these areas. It’s not just about managing physical risks, but also strategic decision-making and the resulting risks.”

Is risk management not at odds with change? Don’t public organisations become extremely cautious when they estimate all potential risks in advance?

Drennan: “That is definitely a danger. Some people already feel that the public sector tends to avoid risks as much as possible. That is of course not the intention. To make progress, to bring about change and improvement, we simply have to take risks. Also very difficult decisions, of which you know in advance that you will encounter a lot of resistance. Then you cannot become indecisive because of risk management.

The starting point must be that you cannot please everyone. So we must not hide behind arguments such as “we don’t know enough about it yet”, and then do nothing. Public organisations have a responsibility to society to provide good services and to continuously improve those services. Such an initiative to improve – for example, take electronic services – by definition means that you also bring in new potential risks. 

Nevertheless, such innovation must of course continue. Including estimating risks. In this case, you will have to consider, for example, what electronic services mean for the elderly or for people who do not have access to the internet. To then devise strategies that eliminate or significantly reduce such risks. But estimating risks should never lead to the conclusion that you should never start on something new, because new things are risky.”