Five years ago I wrote a short article entitled, “Public and Private Sector Risk Management: Is There a Difference?” In that article I stated that while there is strength to the argument that ‘management is management’ and that leadership in any type of organization calls on common knowledge, skills and abilities, there are distinctions and these distinctions make it difficult to conclude that improving public sector risk management is simply a matter adopting private sector practices. A lot of water has flowed under the ‘public sector bridge’ since 2007, and I would like to offer something of a restatement of my original thesis.
We need to be careful about specifying public-private distinctions because there is a set of widely-held beliefs about differences that do not hold up on closer inspection. For example, the idea that politics is an exclusive characteristic of the public sector is simply untrue. Further, like private firms, public organizations also are driven by short- as well as long-term considerations. Additionally, some private organizations are very process-oriented and some public entities emphasize outputs. Finally, over thirty years of experimentation in outsourcing, privatization, and public/private partnerships has led to numerous situations where it is difficult to say whether we are looking at a public or private endeavor. What would we call, for instance, an arrangement where a state government creates a public corporation that then establishes a joint venture with public and private institutions—as well as a host of private sector technical vendors and consultants–to support complex scientific research, partly on behalf of a national governmental agency but also for private business? Therefore, let us recognize that there are many similarities between management in the public and private sectors, and many situations where it really is not helpful to even attempt to draw distinctions.
So much for similarities; to consider the distinctions let us refocus on risk management. There are several things that might serve as distinguishing differences, but I would like to argue that the essential distinction between public and private risk management rests on the idea of ‘public risk.’ I should first stipulate that public risk (as opposed to private risk) is not a rigid concept. Irrespective of the actual substance of any risk, societies can confer the status of public risk on nearly any risk—and indeed—once conferred that status may remain, change, or even disappear over time. But, to the extent we can describe public risks, they tend to be characterized as risks producing widespread (some might say indiscriminate) potential effects; or that cannot be handled privately, or that have an impact on broad political/legal concepts like rights or obligations, and/or that tend toward high levels of both complexity and potential impact. Climate change, threats to global economic systems, terrorism, and natural disasters have all variously been described as public risks.
The characteristics of these public risks present a set of risk management issues not fully present in the private sector, including:
a. Inability of a government body to avoid responsibility for risks within its purview.
b. Frequent inability to use markets as a risk management tool.
c. Complexity of the scope and substance of risks, which limit the ability of single bodies to fully address such risks.
d. The interaction of risks with governmental purposes such as assurance of constitutionally guaranteed rights.
e. A government’s constitutional, legislated, and legal basis for existence, leading to distinct risk exposure issues (such as—Who ‘owns’ a governmental entity and therefore is legally responsible for its actions?).
Let me briefly elaborate on these points. A government’s involvement in public risks very commonly arises when individuals (and private markets) are deemed unable to deliver a good or service efficiently, if at all, or to manage the associated risks. Indeed, although we know there are degrees of government intervention in response to public risk (ranging from monitoring a risk to government-controlled management of that risk), governments tend to intervene precisely because of “market failure.” That is, almost by definition, public risks cannot be managed privately without some degree of public sector involvement. Also, the effects of these risks may call into question matters of fairness and social adequacy and thus tests of economic efficiency may not be politically and legally relevant.
We also need to establish that public risks not only have different properties, the nature of government and its authority and responsibility is different. As a result, a government might privatize refuse collection, or a health care delivery, or prisons, a government’s, but responsibility and authority for those activity areas remains with the government. Put slightly differently, if a risk is deemed to be public, government avoidance of the responsibility for that risk is not possible. Efforts to privatize and outsource public activities have produced varying results, but two consistent findings are: 1) the outsourcing entity loosens its controls on the management of risks, but because it still retains responsibility 2) the government incurs unexpected costs in monitoring the privatized management of risk (interestingly, research shows that feasibility studies for privatization or outsourcing consistently ignore ongoing risk management monitoring costs).
Stepping back from the previous comments, we could make a broader claim, which is that governments exist to manage risks—primarily what we might call social risks such as public safety, access to health care, equal protection under the law, maintenance of safe infrastructure, and regulation of markets. In order to address those risks, governments are authorized to create structures, processes and systems that—in turn—generate what we would call organizational or operational risks; risks of fires, accidents, employee harm, law suits, equipment malfunctions, and so on. These risks are similar to private organization/operation risks, but owing to the distinct legal nature of public entities, their impacts and implications are different. In any event, any description of risk management within public entities must be organized around a wide-ranging understanding of the full scope of public risks the organization encounters—some of which are organizational/operational, some of which are social. This more comprehensive approach to interpreting the public risk manager’s scope of responsibility—by the way—fits quite neatly with modern risk management thinking, which emphasizes holistic, integrated and approaches to assessing and addressing risks.
And here, we come to an interesting conundrum arising from the difference between public and private risk management. The ‘thing’ (responsibility for the management of public risks) that distinguishes public from private risk management is something that we actually don’t do very well. As we have witnessed over the past five years, there is very little evidence the public sector has done a good job in adopting a more consistent and strategic approach to managing organizational and social risks (pick your example; the global economy, the natural environment, multilateral relationships, public health and safety).
I am not naïve about the institutional, even philosophical, barriers to creating comprehensive approaches to managing public risks. In modern democratic systems, efficiency is sometimes a threat as well as a solution—this is why we have separation of powers written into constitutions. And politics plays a role too, which explains why responding to, say, natural disasters is always more fully supported after an event than before. So, I do think there are difficulties—indeed, limits—to the public sector’s ability to fully integrate and expand risk management.
Still, I have described in a nutshell the essential problem/challenge/opportunity for public risk managers—and, indeed, the essential distinction between public and private risk management. Improving the quality of public risk management requires a wider-ranging, more integrated approach to assessing and addressing all public risks. Can we possibly move our current practices in that direction? And if so, how can we imagine that happening?