The risk management divide: public and private sector

Peter Young | 2007 and 2012

This article highlights the main differences between public and private risk management. In fact it are two essays written in two moments in time. It is about the increasing and growing insights in the differences between public and private risk. The science is young.

Professor Peter Young, 3M Chair in International Business, University of St. Thomas

Young, P. (2007) Public and Private Sector Risk Management: Is There a Difference?Brussels: PRIMO Europe.

Peter Young: “Are there differences between risk management in the public and private sectors? As a professor who has spent time in both public administration and business administration programs, I have had several opportunities to think about both sides of the debate. 

On one side, we have those who argue that management is management and that differences in the public and private sectors are modest (“if only government were run like a business”). Opponents of the “management is management” point of view argue that the public sector is so different from the private sector that it is a distinctly separate thing and, thus, requires different knowledge and management skills. 

For a very long time, I tended to believe that “management was management.” Politics exist in private and public organisations, and both have multiple stakeholders. Some large private organisations have dispersed authority, while some public institutions have fairly focused authority. Some private organisations are very process-oriented and some public entities emphasize outputs. Further, it is difficult to draw demarcation lines between public and private sectors. What would we call, for instance, an arrangement where a private transportation company is contracted to a nonprofit care facility for disabled individuals, which in turn is under contract with a local authority? 

Indeed, we might say that if a risk is able to be managed privately, there is a reasonable chance it is not – by definition – a public risk 

In recent years, however, I have begun to change my views on pub- lic vs. private risk management, and I now believe that while there are important similarities, the “public” aspect of public management does present some important distinctions. I would like to address those distinctions in this essay.  

Public sector risk management differs from its private sector counterpart because: 

  • Governmental entities, as social institutions, present an exposure to risk that is substantively different from a private entity. 
  • The characteristics of public risks present a set of risk management issues not fully present in the private sector, including:
  • Inability of government to avoid responsibility for risks within its purview.
  • Frequent absence of markets as a risk management tool.
  • Complexity of relationships between risks.
  • The interaction of risks with governmental purposes.
  • The breadth of the government’s exposure to risk 

Being in the public sector does present public risk managers with a set of distinct challenges. Notably, this means that government involvement in public affairs commonly arises when private behaviors (and markets) are somehow unable to deliver the good or service efficiently, if at all, or to manage a risk. Although we know there are degrees of government intervention, risks, goods, and services that meet the test of government intervention have done so because of characteristics that are not “market manageable.” 

They exhibit characteristics of high complexity and high uncertainty (often), they are market-failure inducing, and their effects on the public are diffuse. Also, the effects of these risks may call into question matters of fairness and social adequacy and thus may be impervious to tests of economic efficiency. 

So, one distinction between private and public risk management is that the risks are substantially different. Indeed, we might say that if a risk is able to managed privately, there is a reasonable chance it is not – by definition – a public risk. Additionally, the nature of government and its authority and responsibility is different. Whereas government might privatize garbage collection, or a health care de- livery, or prisons, government’s responsibility and authority for those activity areas remains. Operating in the public sector makes the risks different, and it makes exposure different too. 

…we need to be reminded that public organisations may have responsibility for organisational and social risks, and that traditional risk management skims the surface and fails to attack risk comprehensively

I think the preceding discussion suggests some other relevant les- sons for risk management. The typical risk manager has responsibilities for a set or risks that can be characterized generally as falling within the “organisational risk” domain — property loss exposures, legal liability-based risks, workers’ compensation exposures, and so on. While all these areas are important, we need to be reminded that public organisations may have responsibility for organisational and social risks, and that traditional risk management skims the surface and fails to attack risk comprehensively. A broader framework for thinking about risk management is necessary. We call this broader framework enterprise risk management (ERM). 

Second, by raising the possibility that the management of social risks is part of public risk management, we extend the accumulated knowledge of the risk management field into the public policy arena, where it has been woefully absent. For example, the systematic and critical analysis that risk managers apply to complex property and liability risks would be a breath of fresh air in the debate over public investment in alternative energy development. It is sad to say that today’s risk managers are rarely involved in public policy planning and execution, but this must change and there is evidence, if fact, that it is.”


Young, P. (2012) Reconsidering Public-Private. Brussels: PRIMO Europe

Peter Young: “Five years ago I wrote a short article entitled, “Public and Private Sector Risk Management: Is There a Difference?”  In that article I stated that while there is strength to the argument that ‘management is management’ and that leadership in any type of organisation calls on common knowledge, skills and abilities, there are distinctions and these distinctions make it difficult to conclude that improving public sector risk management is simply a matter adopting private sector practices. A lot of water has flowed under the ‘public sector bridge’ since 2007, and I would like to offer something of a restatement of my original thesis.

We need to be careful about specifying public-private distinctions because there is a set of widely-held beliefs about differences that do not hold up on closer inspection. For example, the idea that politics is an exclusive characteristic of the public sector is simply untrue.  Further, like private firms, public organisations also are driven by short- as well as long-term considerations. Additionally, some private organisations are very process-oriented and some public entities emphasize outputs. Finally, over thirty years of experimentation in outsourcing, privatization, and public/private partnerships has led to numerous situations where it is difficult to say whether we are looking at a public or private endeavor.

What would we call, for instance, an arrangement where a state government creates a public corporation that then establishes a joint venture with public and private institutions—as well as a host of private sector technical vendors and consultants–to support complex scientific research, partly on behalf of a national governmental agency but also for private business?  Therefore, let us recognize that there are many similarities between management in the public and private sectors, and many situations where it really is not helpful to even attempt to draw distinctions.

I would like to argue that the essential distinction between public and private risk management rests on the idea of ‘public risk.’ 

So much for similarities; to consider the distinctions let us refocus on risk management. There are several things that might serve as distinguishing differences, but I would like to argue that the essential distinction between public and private risk management rests on the idea of ‘public risk.’  I should first stipulate that public risk (as opposed to private risk) is not a rigid concept.

Irrespective of the actual substance of any risk, societies can confer the status of public risk on nearly any risk—and indeed—once conferred that status may remain, change, or even disappear over time.  But, to the extent we can describe public risks, they tend to be characterized as risks producing widespread (some might say indiscriminate) potential effects; or that cannot be handled privately, or that have an impact on broad political/legal concepts like rights or obligations, and/or that tend toward high levels of both complexity and potential impact. Climate change, threats to global economic systems, terrorism, and natural disasters have all variously been described as public risks.

The characteristics of these public risks present a set of risk management issues not fully present in the private sector, including:

  1. Inability of a government body to avoid responsibility for risks within its purview.
  2. Frequent inability to use markets as a risk management tool.
  3. Complexity of the scope and substance of risks, which limit the ability of single bodies to fully address such risks.
  4. The interaction of risks with governmental purposes such as assurance of constitutionally guaranteed rights.
  5. A government’s constitutional, legislated, and legal basis for existence, leading to distinct risk exposure issues (such as—Who ‘owns’ a governmental entity and therefore is legally responsible for its actions?).

Let me briefly elaborate on these points. A government’s involvement in public risks very commonly arises when individuals (and private markets) are deemed unable to deliver a good or service efficiently, if at all, or to manage the associated risks. Indeed, although we know there are degrees of government intervention in response to public risk (ranging from monitoring a risk to government-controlled management of that risk), governments tend to intervene precisely because of “market failure.” That is, almost by definition, public risks cannot be managed privately without some degree of public sector involvement. Also, the effects of these risks may call into question matters of fairness and social adequacy and thus tests of economic efficiency may not be politically and legally relevant.

We also need to establish that public risks not only have different properties, the nature of government and its authority and responsibility is different. As a result, a government might privatize refuse collection, or a health care delivery, or prisons, a government’s, but responsibility and authority for those activity areas remains with the government. Put slightly differently, if a risk is deemed to be public, government avoidance of the responsibility for that risk is not possible.

Efforts to privatize and outsource public activities have produced varying results, but two consistent findings are: 1) the outsourcing entity loosens its controls on the management of risks, but because it still retains responsibility 2) the government incurs unexpected costs in monitoring the privatized management of risk (interestingly, research shows that feasibility studies for privatization or outsourcing consistently ignore ongoing risk management monitoring costs).

We also need to establish that public risks not only have different properties, the nature of government and its authority and responsibility is different.

Stepping back from the previous comments, we could make a broader claim, which is that governments exist to manage risks—primarily what we might call social risks such as public safety, access to health care, equal protection under the law, maintenance of safe infrastructure, and regulation of markets.

In order to address those risks, governments are authorized to create structures, processes and systems that—in turn—generate what we would call organisational or operational risks; risks of fires, accidents, employee harm, law suits, equipment malfunctions, and so on.  

These risks are similar to private organisation/operation risks, but owing to the distinct legal nature of public entities, their impacts and implications are different. In any event, any description of risk management within public entities must be organised around a wide-ranging understanding of the full scope of public risks the organisation encounters—some of which are organisational/operational, some of which are social. This more comprehensive approach to interpreting the public risk manager’s scope of responsibility—by the way—fits quite neatly with modern risk management thinking, which emphasizes holistic, integrated and approaches to assessing and addressing risks.

And here, we come to an interesting conundrum arising from the difference between public and private risk management. The ‘thing’ (responsibility for the management of public risks) that distinguishes public from private risk management is something that we actually don’t do very well.  As we have witnessed over the past five years, there is very little evidence the public sector has done a good job in adopting a more consistent and strategic approach to managing organisational and social risks (pick your example; the global economy, the natural environment, multilateral relationships, public health and safety).

I am not naïve about the institutional, even philosophical, barriers to creating comprehensive approaches to managing public risks.  In modern democratic systems, efficiency is sometimes a threat as well as a solution—this is why we have separation of powers written into constitutions. And politics plays a role too, which explains why responding to, say, natural disasters is always more fully supported after an event than before. So, I do think there are difficulties—indeed, limits—to the public sector’s ability to fully integrate and expand risk management.

Still, I have described in a nutshell the essential problem/challenge/opportunity for public risk managers—and, indeed, the essential distinction between public and private risk management. Improving the quality of public risk management requires a wider-ranging, more integrated approach to assessing and addressing all public risks. Can we possibly move our current practices in that direction? And if so, how can we imagine that happening?”

This publication is part of the web-book Public Risk Canon