By Tony Collins
The Freedom of Information Commission reported comprehensively yesterday on the workings of the FOI Act. It raised the question of whether risk registers and Major Project Authority project assessment reviews should be published.
The Commission’s members, who included former Tory leader Michael Howard and Labour’s Jack Straw, received over 30,000 responses to their call for evidence. They met numerous stakeholders, heard ten hours of oral evidence and produced an impressive report that opposed the idea of charging for FOI requests.
Two of the seven Cabinet vetoes have been on FOI requests related to risk assessments. Indeed the Department for Work and Pensions is fighting a protracted legal battle (three years so far) to stop three reports on the Universal Credit IT programme being published, including a risk register and project assessment review.
Is there any good reason not to publish a risk register, or a project assessment review? Aren’t the public entitled to know the extent to which their money is at risk on a project or programme?
No, argue civil servants, whose views on confidentiality are almost always supported by their ministers. Civil servants contend that they need a “safe space” to be imaginatively negative, to think the unthinkable, without the media and opposition MPs seizing on a risk register as evidence that an innovative scheme should not get off the ground.
Civil servants and ministers argue that disclosing risk registers (and project assessment reviews) would mean that those who contribute to them would tone down or sanitise their comments. Civil servants would not be completely honest or candid when setting out the scale or magnitude of the risks.
This is what the FOI Commission concluded:
“In our call for evidence we described risk assessments as a particularly relevant example of the tension between the public’s right to know, and the need for public bodies to have an internal deliberative space.
Many documents will contain mention of risks, but here we are concerned principally with documents that are explicitly devoted to setting out a candid risk assessment. We drew particular attention to risk assessments because two of the seven Cabinet vetoes have been in respect of risk assessments.
The most obvious example of a candid risk assessment is the ‘risk register’. Project management processes typically utilise risk registers as part of their methodology. Risks are normally given a rating on a scale of 1 to 5 of the likelihood of the risk occurring (where 5 is the highest likelihood of the risk occurring) and the scale of the impact if that risk occurred. Using the scores for likelihood and impact, a “Red / Amber / Green” (RAG) rating is created denoting how serious a risk is.
Risk registers do not generally provide detailed explanations of the risks involved, but only the headline risk and potential mitigation.
The Office of Government Commerce (OGC) Gateway Review is another example of a risk assessment. Gateway Reviews examine programmes and projects at key decision points using a peer review process in which independent practitioners examine progress and likelihood of successful delivery. These reviews can apply to e.g. IT or procurement processes, but can also apply to policy development.
Policy impact assessments are formal evidence based procedures that assess the economic, social and environmental costs and risks and benefits of a policy. These are published for example: at the same time as a consultation, response to consultation or at introduction of a Bill or as part of any change during the passage of the Bill.
Major Project Authority Project Assessment Reviews (PARs) are detailed assessments of large projects. They are more tailored to specific projects than Gateway Reviews. Following frank interviews with staff they culminate in a report for the Senior Risk Owner for the project setting out recommendations and assessment of risks.
In its response to the call for evidence Kent County Council highlighted the difficulties that could arise if candid risk assessments were made routinely available:
‘…it could mean that people do not feel confident enough to put risks they have identified onto the registers, or that risk registers themselves are not compiled in the first place for fear of repercussions. This could lead to potential “nasty surprises” and poor decision-making if people choose to keep risks ‘in their heads’ (paragraph 3.3)
By contrast, in their evidence the Open Government Network said:
‘The public acknowledgement of the existence of certain risks will enhance the public debate about major projects and their implementation. It is when risks can be silently ignored that the consequences are dramatic, often then requiring the complete publication of a flawed risk register when it is too late to prevent the overlooked problems.’
The Commission agrees with the evidence of the IC [Information Commissioner] in which he says that the impact of disclosing candid risk assessments can vary depending on the sensitivity of the topic and what is already in the public domain.
There will be risk assessments where it is so keenly in the public interest that the risks identified be disclosed (for example, where these concern serious risks to public health or life) that, notwithstanding the need for these assessments to be part of an internal deliberative process, they should be disclosed.
In other cases the nature and candour of the risks may mean that they should not be published. The Commission has reached that the conclusion that the public interest test provides the best way to assess whether specific risk assessments should be published, and that no additional or specific protection is required for risk assessments.”
There are times when civil servants and ministers take themselves and what they do too seriously. The continuing confidentiality of risk registers is an example.
NHS trusts routinely publish risk registers in their board papers and nobody notices, not even the local press, because risk registers highlight things that haven’t happened, but may happen.
Even a high-risk score is an esoteric and speculative concept that is unlikely to interest the general public. So risk registers in the NHS go unreported.
Central government, on the other hand, generally protects risk registers as if they are new-born babies.
Civil servants fear the media would have a field day if risk registers were routinely disclosed.
In fact they would go largely unreported. Journalism tends to be about things that are happening, and have happened, rather than risks that may materialise if certain circumstances come together.
Few journalists will convince their news editor of a potential story about a project or programme that has a high risk assessment score.
Instinct will tell civil servants and bureaucracies to prefer confidentiality to openness. Secrecy reduces the pressure for accountability. It minimises the risk of dissent.
I have the impression that some civil servants – perhaps mainly in the Department for Work and Pensions – would lie down in front of a bulldozer rather than allow it to break down the barriers of confidentiality over risk assessments.
But there is no sound reason for keeping risk registers and project assessment reviews confidential. The public is entitled to know when tax money is at risk.
Civil servants and ministers often forget when are locking away risk assessment reports that they are locking out the public that pays their salaries, and is paying for the projects and programmes where the risks are being kept secret.
Government secrecy is an inevitable part of life in North Korea and China. Should it be inevitable in Whitehall?
Thank you to Government Computing for drawing my attention to the risk registers section of the FOI Commission’s report.
Thanks also to FOI campaigner Dave Orr who pointed out that the FOI Commission’s report quotes Maurice Frankel of the Campaign for Freedom of Information who says: “We now need to ensure that the Act is extended to contractors providing public services…”
Lord Burns, Chair, Lord Carlile, Dame Patricia Hodgson, Michael Howard (former Tory leader) and Jack Straw.