The Challenges of Implementing an ERM Framework Within the Public Sector: The Geneva Canton Example

Switzerland is a federal State and, as such, is structured via three layers: Confederation, cantons, and municipalities. The 26 cantons and the over 2000 municipalities, according to the subsidiarity principle, enjoy considerable autonomy from the central federal administration. In particular, each canton has its own government and parliament and can define local laws and regulations, which add to the federal ones.

In 2012, the Geneva canton created a Chief Risk Officer (CRO) function to coordinate the setup of risk management across the organization. In 2013, the cantonal government decided to equip itself with a complete Enterprise Risk Management (ERM) framework inspired by international standards such as ISO 31000 and COSO ERM. The framework, in place for over a decade now, encompasses all classic elements of a fully structured ERM system, including the establishment of a risk policy, involvement of top management, and risk appetite definition. Every year, each individual minister and the cantonal government receive comprehensive reports on key risks produced by departmental risk managers and the CRO, allowing them to have a synthetic view of the risk landscape and facilitating priority setting and decision-making.

Some recent audits have confirmed the correctness and overall satisfactory functioning of our ERM system.

Some opinions consider risk management as somehow useful in the private sector only. This superficial approach has proven wrong in time, and more and more public entities are now hiring professionals in this domain to reinforce their governance with risk analytics.

Practically speaking, what benefits can we seek from implementing a structured ERM within a public administration? What challenges can we expect when attempting to put it in place, and what are the success factors that can help the CRO achieve the objective? How do we avoid “alibi exercises” or over-complex approaches? Here is, in brief, Geneva's experience.

While in the end, the expected benefits might be relatively similar to those in any other sector – ensuring risks are properly managed, opportunities are seized, and decision-making is adequately supported – the way to get there is different. After the public administration’s ERM framework was established, many other cantonal public entities followed suit, establishing their own ERM systems and hiring professionals in this domain. The risk culture of our canton globally improved.

The main specificities related to public administration compared to the private sector are relatively easy to spot. The most intuitive one is possibly the need to manage a large variety of business areas – from tax collection to police, from detention to education, from construction to the organization of elections, and so on. Secondly, a public administration is a not-for-profit organization and is headed by politicians. Although being somehow obvious, these elements have more complex implications than one would think. The challenge, when setting up an ERM framework, is therefore to ensure the system can get and keep the interest of the government; numerous stakeholders need to be enabled to use it in such a way that all of them are sufficiently involved without feeling over-solicited. In other words, you need a balanced system and allow time for it to be understood. And naturally, you need to prove it is useful.

Defining a single methodology applicable to all business areas was definitely a key success factor: our risk evaluation criteria focus on elements that are of interest for the public sector (e.g., quality of services delivered to the population, staff and people safety, reputation of the institutions, impact on society and economy, making good use of public money, etc.). Keeping the system as simple as possible was perhaps even more important than the methodology itself; allowing all stakeholders and experts to contribute to its setup rather than imposing a tool from above ensured they all jumped on board. We completed the framework with a set of internal training modules that allow us to spread concepts within the organization and keep competences up to date.

However, getting the buy-in of top management is always the most important way to get things done. Specifically, the Geneva canton decided to enforce risk management practices by law. In 2013, the parliament approved the Law on the Administrative and Financial Management (LGAF), whose chapter VIII is dedicated to internal control and risk management. The CRO was involved in developing the text. The same year, the government adopted the Risk Management Regulation (RGR), which defines clear roles and responsibilities, key deliverables, and their timing. Establishing this legal basis represented a real tone at the top and immensely facilitated the subsequent work and system acceptance. This tone at the top is renewed at the beginning of each legislature when the newly elected cantonal government approves a new version of the risk management policy, declaring its ambition and priorities in this area and updating the canton’s risk appetite.

To conclude, Geneva canton’s ERM framework does not pretend to eliminate or prevent all risks. However, we believe our structured system minimizes the chance of missing huge risks and facilitates the treatment of those identified. It allows each hierarchy level to embrace risk and get out of their comfort zones constructively, thus fostering the development of public administration and supporting change.

Log in

X
×