Post spoke to Bill Sulman, director for public sector at Aon Risk Solutions, about the common business continuity threats for the public sector and how insurers, brokers and risk managers can work together for mutual benefit.
What are the most common business continuity threats within the public sector?
There are a number of threats to business continuity and the level of these threats is changing.
In the past we could have said that a terrorist bomb might be top of the list, if directed at, for example, County Hall, a town hall or even a police headquarters. However, this threat is reduced mainly because the threat is more likely to be directed at individuals these days.
Schools are still at risk of major arson attacks despite increased risk management and vigilance.
My top three threats would be: a major flooding incident or sea intrusion affecting a critical building or service, including IT; a cyber-attack on the IT systems; and a judicial review or government intervention in, for example, social services, taking control of the service delivery.
A response is possible as part of a properly conceived business continuity plan.
How could insurers, brokers and risk managers work more closely together for mutual benefit?
We know that Alarm [The National Forum for Risk Management in the Public Sector] has been prominent in bringing together best practice models both in regard to operational risk and strategic management, and this has helped a closer working relationship. One example is the methodology put together by the Alarm Police Special Interest Group on operational policing by Tim Burton [formerly of Devon and Cornwall Police]. This has resulted in a much closer relationship and better practice.
Similar initiatives could be considered in other areas of risk such as flood and data security. Insurers and brokers working together with the public sector should be able to produce results and has been done in the past, despite some competitive differences.
How have public sector risk management practices been impacted by government expenditure cuts?
This area is of some concern to risk managers, brokers and insurers. We have seen budget reductions affect the availability of resources for risk control and undoubtedly some areas that were well managed in the past have suffered reductions. It is vital that the public sector risk managers identify these areas of concern and put in place systems to cope with this reduction. If it is not possible to provide a similar level of risk control or management perhaps it is time to consider a more proactive approach to risk such as identifying and retaining more risk or transferring through contracts or outsourcing.
However, outsourcing has its own problems and if the process is not properly managed it can lead to risks being inadvertently retained. A proper due diligence process is needed and the risk professionals need to be involved all the way.
Are there any changes coming up that risk managers ought to be aware of?
In Wales, mergers are being proposed between authorities, which will alter their risk profiles. Also, the joint working agenda - whether between local authorities or between health trusts and authorities - is producing new emerging risks around people and processes, IT and employment conditions. Local authorities are now considering risks such as medical malpractice, directors' and officers' and professional indemnity, which were not that high on the agenda a few years ago.
Alternative business structures are producing additional risks as well. Some local authorities are looking to extend their legal services into the private sector in areas such as conveyancing. This immediately produces an additional PI risk, as the Solicitors Regulation Authority insists on ‘compliant' PI policies with much higher limits of indemnity.
What are the biggest improvements to how public sector risk management operates in recent years?
There has been an enormous increase in risk awareness, primarily due to increased audit and regulation, for example the CPA/CAA inspection process, which has now been abolished. While it could be said that the inspections led to a ‘tick-box mentality' towards strategic risk, it did concentrate the mind.
Public sector bodies expressed a certain relief that the regime had ended and that risk could now be more appropriately managed. This initially led to a more proactive approach but the danger is that without inspection or audit the risk management process could move further down the agenda.
Enterprise risk management and the move towards opportunity risk is a definite improvement as recently demonstrated by Shropshire Council.
Are there any ways the public sector could learn from the private sector in terms of business continuity preparedness?
No. I am of the firm view that the public sector has overtaken the private sector in the management of risk and in the comprehensive nature of their business continuity and emergency planning process. There are a few notable exceptions in the private sector but the majority seem not to have moved on. Public sector bodies have suffered from floods, fires, data breaches and many other incidents that have encouraged them to produce BCPs with a much wider range of responses.
This is part of a Post In Focus on the Public sector - see yesterday's article on business continuity management in the public sector and look out for more tomorrow.
- Motor insurers paying out record £23m in claims every day
- Insurers warned a 'robust' system will be in place to monitor discount rate savings
- Relaunched insurer Folgate to write £35m in first year
- Polaris appoints Gallagher’s Vivek Banga as MD
- Staff at collapsed RIIG owed thousands in unpaid wages
- Blog: Who Monitors Wins
- FSCS mulls raising levies on brokers using unrated