Lessons for Government on Risk Management


Report by the Comptroller and Auditor General
Ordered by the House of Commons

National Audit Office, London, www.nao.org.uk
Published: November 19, 2021


Scope of Report:
“The report sets out central government’s risk analysis, planning, and mitigation strategies prior to the arrival of the COVID-19 pandemic, with the aim of drawing out wider learning for the government’s overall risk management approach. It does not cover local-level risk planning, wider aspects of resilience planning or top-level disaster response procedures. It also does not cover the government’s response to COVID-19 or how prepared it was for subsequent waves of the pandemic.”

Key findings:
(pages 6 – 10 )

  • “Since before the pandemic, stakeholders have identified areas for improvement in the government’s approach to risk assessment
  • reviewing aspects of the methodology that it uses to assess risks
  • not fully prepared for the wide-ranging impacts that this pandemic had on society, the economy and essential public services
  • A cross-government review of pandemic planning arrangements found that most plans were inadequate to meet the demands of any actual incident
  • Prior to the pandemic, the government did not act upon some warnings about the UK’s lack of preparedness from its past pandemic simulations”


“The pandemic has highlighted the need to strengthen the government’s end‑to‑end risk management process to ensure that it addresses all significant risks, including interdependent and systemic risks. This will require collaboration on risk identification and management not only across government departments and local authorities, but also with the private sector and internationally. For whole‑system risks the government needs to define its risk appetite to make informed decisions and prepare appropriately so that value for money can be protected. The pandemic has also highlighted the need to strengthen national resilience to prepare for any future events of this scale, and the challenges the government faces in balancing the need to prepare for future events while dealing with day-to-day issues and current events.”


  • “The Cabinet Office should work with government departments to ensure that their risk management, business continuity and emergency planning are more comprehensive, holistic and integrated
  • ensuring that all departments that are involved in the response to whole-system or catastrophic risks have coordinated plans that cover the whole range of societal and wider impacts
  • The Cabinet Office and HM Treasury should support departments to reduce variation in capacity, capability and maturity of risk management, emergency planning and business continuity across government departments. This should include providing advice on strengthening leadership of risk management, business continuity and disaster recovery; the basic level of capability needed in each department; and plans to address any gaps.”

Roles and Responsibilities:

“Individual departments and other public sector organisations are responsible for identifying and managing risks in line with their desired risk appetite, including relevant national risks allocated to them by the Cabinet Office and risks set out in the Register that are relevant to their operations. Ultimate responsibility for risk management lies with the board and accounting officer, who should ensure that organisations allocate appropriate resources (people, skills, experience and competence) to risk management. They are supported by audit and risk committees, functional leads, and risk and business continuity practitioners. HM Treasury sets the standards, requirements and guidance for risk management, with developments and engagement supported through the Government Finance Function”

Explicitly refering to HM Treasury, Managing Public Money, May 2021    https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1000670/MPM_Spring_21_with_annexes_080721.pdf


my Remarks:

  • This investigation in COVID Pandemic can be quite useful in other disaster situations of complex cross-organizational management (devastationg, large area / cross-border flood situations, climate risk and else)
  • Several other nations will find a lot of similarity in their own conception of the pandemy, flood, drought, hunger, etc.  situation management performance.
  • I see the special usefulness of the report in compiling situation, deficits and future action from a holistic viewpoint of complex cross-government responsibilities.
  • Especially also very useful for non-government stakeholders (NGOs, private sector, civil society, citizens (especially the most vulnerable groups, science & technology / R&D) to understand the key importance of law enforcement agencies involved in complex and massive risk situations / disasters.
  • It seems to me that currently in many cases there predominantly is still an attitude to have “intra-silo” management views, while on more general (holistic / strategic) level the misfunction of cross-organizational / cross-domain cooperation, resp. the poor cooperation of the different level organizational units, is deplored.
  • This report is mainly restricted to a governments organizations view, not covering the all-of-society approach defined in the UN SENDAI Framework text.
  • The report does not touch the complex need of reviewing existing laws and regulations together with with proposals for appropriate changes in support of innovation and structural reorganization.
  • Note the wording “Lessons  f o r  Government”   not  “Lessons learned” (in many cases, known lessons were not learned at all …  )

In case you have information about similar reports by your national Comptroller and Auditor General, then let us know!


Horst Kremers, Engineering Management and Information Sciences
Information Systems Strategy Advisor

P.O. Box 20 05 48, 13515 Berlin, Germany
mobile       +49 172 3211738   (also on WhatsApp)
FAX             +49 30 3728587
FON            +49 30 20878902