
What is a risk manager and what do they do?



In this article, Dr Andrew Walker and Dr Greg Stride from the LGIU’s Local Democracy Research Centre outline the role of risk and risk management within local government. They also introduce their new joint research project with Browne Jacobson, seeking the opinions of local authority risk managers on the future of their roles.

Risks are everywhere in the work local authorities do. From external risks like a global pandemic or climate change to budget pressures, the reliance on external contractors for service provision, the navigation of uncertain political waters, and more novel threats like cyber attacks, risk permeates the work of local government. Local authorities are large, complicated organisations with important responsibilities, so these risks can have complex permutations with implications for vulnerable people and communities.

Councils have a statutory responsibility to maintain their management of risk to ensure the continuation of services and functions. The Local Government (Accounts and Audit) Regulations state that:

“A local authority is responsible for ensuring that the financial management of the authority is adequate and effective and that the authority has a sound system of internal control which facilitates the effective exercise of the authority’s functions; and includes arrangements for the management of risk.”

Responsibility for managing risk also has a democratic imperative. Local authorities need to be accountable and demonstrate good governance to local electorates but also to other public bodies and government departments. They have a mandate to provide services, fulfil statutory obligations and to ensure the smooth running of the democratic process itself. Preventing misuse of public money or fraud and ensuring business continuity are all important elements of good governance that thread together risk management and democratic procedure.

The regulations mention a key outcome that local authorities have to consider when thinking about risk: the “effective exercise of the authority’s functions.” But in reality, this is only one of a vast number of different outcomes that must be considered by local authorities: the safety of employees and residents, the reputation of the authority, environmental outcomes, legal risk, workforce retention, the list goes on and on. The variety of different outcomes that might be affected by one risk or another and the importance of these within the authority’s strategic aims make risk management in a local authority all the more complex.

How local authorities manage these risks is challenging, especially as they are often dispersed across the organisation, held at various levels and across different portfolios. At the very top end, there are statutory officers who take on overall responsibility for areas where risks are likely to develop: legal compliance, financial management, governance and service delivery.

However, while responsibility for these risks can involve multiple officers and elected councillors with varying portfolios, it is the risk manager’s role to identify potential risks, determine their likelihood and the severity of their impact, and communicate risks to the relevant stakeholders inside and outside the council.

Who are the risk managers?

Unlike our previous deep dive into a local authority role (the Monitoring Officer), there is no statutory role for risk managers. They are not defined in legislation, and as a consequence, it is likely that their roles will be significantly different across local authorities. There is no specific “risk management” role that applies in each authority, though there are elements, such as the Public Sector Internal Audit Standards, which are mandated to government departments and other public institutions including local authorities. In many councils, it is a shared responsibility across departments and statutory officers, including the chief executive and section 151 (finance) officer, while in others there are designated risk managers or risk management teams.

As a result, a crucial factor in managing risk is designating clearly who is responsible for it, once the risk has been identified and there is a shared understanding within the council. This should include an agreed terminology; a coherent process and structure for managing risks; and a shared set of objectives.

As with our research on the monitoring officer role, there is often a huge breadth and range of responsibilities that can be tied up within a risk manager’s remit, from audit and health and safety to cyber security and flooding. ALARM (the professional membership association that supports risk managers) has a news page that makes this clear immediately. Risk managers have to think about a huge variety of different topics, from terrorism and civil emergencies to legal claims made against the council. Each of these will be more or less of a priority based on the local authority in question.

We want to know if this variety of different risks has an effect on the routes into risk management. As one example, auditing is crucial for managing risk in local government and many risk managers arrive in their role via a career in audit. This is because of the detailed assessment of risks and issues, chiefly relating to finance, that audit involves, and because many of the risks that councils face over various time scales manifest in threats to their financial sustainability. However, we are equally interested in risk managers who have found their way into the role through different routes, and our research will cover risk managers from a variety of professional backgrounds.

How do risk managers assess risk?

As in many types of organisation, local authority risk managers often use a risk matrix in their work to assess, understand and prioritise risks, as well as the actions to address them. A risk matrix is a tool that can help with decision making, not substitute for it. It needs to be used well in order to make good decisions about risk, which requires a set of skills around using evidence, strategic and political thinking and communication. Subjective judgements need to be incorporated, along with factual evidence, to make effective assessments of risk.

According to the Centre for Governance and Scrutiny, a risk matrix should:

  • Accurately describe the risk;
  • Assess the likelihood of the risk materialising, and assign a numbered rating between one and five that describes this likelihood;
  • Assess the impact of the risk, should it materialise, and assign a numbered rating between one and five that describes this impact;
  • Set out a “score” for the risk that is these two numbered ratings multiplied together;
  • Set out the mitigation being planned and undertaken to reduce impact and likelihood;
  • Set out a revised “score” based on this mitigation being in place.

Councils will also develop risk registers, which they use to keep track of and prioritise risk factors, as well as to ensure responsibility for managing risks is clearly identified. The LGA has highlighted a lack of clarity around the ownership of risks such as financial stress as a factor in high profile governance failures.

The CFGS goes on to advise:

“Risk should be identified at sufficient granularity to be meaningful to the organisation, and to maximise the opportunity for that risk to be managed. This may involve certain major risks with a national or global scale – such as a future pandemic – being broken down into risks that a council can do something about, and that reflect how that wider risk will play out at the local level.”

While this is one widespread approach, councils will vary in how they approach risk in general and in more particular scenarios. We want to understand how this plays out and so we are working with Browne Jacobson and ALARM to find out more.

Where does our research come in?

Risk management is a well-researched field of inquiry, with particular emphasis on the drivers and processes used for managing risk in the corporate world and public institutions. We know much less about risk managers themselves. What skills are needed to be an effective risk manager? What challenges do risk managers face? Where do risk managers sit in local authorities, and what support do they need to do their role effectively?

Risk management in local authorities, although based on sophisticated procedures and mechanisms, is just as dependent on real human beings as any other role. It is these people we are interested in. We want to understand their role, the challenges and pressures they face, how they fit within local authority structures, what approaches to risk management are more and less effective, and how they are helping councils to navigate risk over different timescales.

With that in mind, we will be interviewing local authority risk managers over the summer to understand more about this crucial role and will publish a report in the autumn.

As well as understanding the mechanics of this crucial role, we want to find out, in greater detail, what councils perceive as the big risks they face in the short, medium and long term, what evidence they use in their assessments, and how they communicate these within the council, with elected members and with the public.

Global risks have important local impacts and local authority risk managers have a role in interpreting and communicating how these manifest across places, as well as the actions that a council can take to mitigate the effects.

Climate change is a global challenge that entails crises at an enormous scale. But the impacts will be felt in communities and organisations at local, human scale as well. Other important trends, such as financial pressure, cybersecurity and the development of AI, demographic change, increasing demand and service redesign all present important risks, as well as potential opportunities for local government. We want to better understand how councils perceive these and other issues.

If you would like to be involved in this research, please contact [email protected]

