Executive summary

1.  Introduction

These Guidelines to implement Risk management in statistical organisations were drafted under the coordination of the UNECE High Level Group for the Modernisation of Official Statistics, by the Modernisation Committee on Organisational Framework and Evaluation (MCOFE), chaired by Jackey Mayda (Statistics Canada).

The project has been mainly carried out by a workgroup from the Italian statistical office (Istat), led by Fabrizio Rotundi in cooperation with a team coordinated by Prof. Alessandro Hinna from the University of Rome “Tor Vergata”.

The Guidelines contain a dedicated section on Agile in Risk management prepared by the “Task team on Risk Management in the context of Agile development”, led by Ben Whitestone and Rich Williams (UK Office for National Statistics). This was added at the request of participants in the Workshop on Risk Management in Geneva on 24-25 April 2016.

2.  The value of Guidelines for statistical organisations

Risk management comes under the initiatives aimed at modernising the national statistical organisations (NSOs), in that it concerns both organisation and production processes. Actually, Risk management, on the one hand, points at strengthening organisation governance on the whole by supporting the decision-making process when selecting priorities; on the other hand, it points at identifying, analysing and removing the uncertainties that can put obstacles in the way of quality.

The Guidelines intend to give NSOs, interested in internally implementing a risk management system, a reference based on the practices developed within the UNECE organisations and containing some key features: effective development, sustainability (in terms of resources and complexity), alignment with change management processes.

The task is therefore to find a risk management practice that can be arranged according to the needs of the NSOs without necessarily being “the very best” in an either theoretical or methodological sense, but rather being a really feasible method.

Having started from the practices already used by those NSOs currently involved in modernisation processes should facilitate discussion in order to capitalise on good experience while readjusting it to domestic contexts – so that it is possible to either avoid or easily fix the most recurring mistakes in decision-making processes.

This could also result in standardisation of the management processes, consistently with what is happening to the production ones (see GSBPM and GAMSO). Although not compulsory, such an approach could also lead to create a varied common risk register (organisational, statistical, IT, etc.) that would allow the NSOs to set up proper treatment actions in advance.

3.  The three surveys to get information and in-depth analysis

Three surveys were conducted as follows.

1^st survey on Risk management practice

This survey collected information on the level of development of risk management systems and practices in NSOs. It was addressed to all UNECE NSOs, with a response rate of more than 50%. It collected information on:

• Use of risk management;
• Features of the adopted risk management process;
• Features of the risk management implementation process;
• Final remarks on the risk management process and system.

2^nd Survey – In-depth and short survey

Among the NSOs that answered to the 1^st survey, some Countries were selected to provide specific information about the Risk Management practices that seemed particularly relevant for NSOs. The 2^nd survey was addressed to 14 organisations, 7 for an in-depth survey and 7 for a shorter one. The total response rate was almost 80%. The following information was collected:

    1.       In-depth survey

• Qualitative and context-analysis in-depth questions, made up according to a limited set of items considered basic as well as strategic to find the practice of reference.
• Inquiry into either methodological or operative documents that can be accessed or shared (i.e. formalised organisational procedures);
• Quantitative questions intended to assess, through ad hoc indicators, the adaptability/replication of practices in contexts other than the Countries which developed or adopted them.

    2.       Short survey

The short questionnaire was addressed to NSOs which, in the first survey, reported Risk management practices showing some specific features that have been implemented by other NSOs too. It collected qualitative and quantitative information, including number of risks, dedicated staff, trained staff, etc.

3^rd Survey – In-depth and short survey

To validate as well as underpin the Guidelines, a closing survey was designed to get a full picture of the implementation routes for Risk management systems among statistical organisations. It included six different questionnaires covering Risk management; Statistical quality analysis; Statistical production process management; Organisational process management; Internal control and/or internal auditing; Services supporting statistical production. The sample consisted of organisations presenting different levels of Risk maturity; therefore, the approach was comprehensive enough to catch diverse perspectives and bring out elements that are as far as possible representative of the different contexts analysed. Each questionnaire focused on four main subject areas:

1.  Risk management framework
2.  Risk management process
3.  Overarching processes
4.  Organisation risk maturity

For each subject area, respondents were asked:

• WHAT WAS MOST SUCCESSFUL”: Which have been the best effects on the organisation coming from introducing Risk management;
• “WHAT WAS MOST DIFFICULT”: Which have been the main stumbling blocks in developing Risk management;
• “WHAT NOT TO DO”: According to the experience gained by NSOs participating in the Survey, which errors are best not to be repeated in implementing Risk management. 

The results were analysed to trace every item back to the three categories that inspired the whole path: Rationalities, Uncertainty experts and Technologies. Starting from such a distinction, the main features that can contribute to either success or failure when implementing risk management systems in NSOs, have been mapped.

 back to top

4.  Brief summary of the Guidelines’ contents

The Guidelines are structured consistently with the ISO 31000:2009 standard architecture; this standard is widely accepted internationally as well as used by most public organisations when implementing Risk management systems.

The structure underpinning the Guidelines starts from experience, standards and/or other methodological references. It matches this information to analysis of the practices gathered through three surveys. Then directions about risk management system implementation that can be reproduced among statistical organisations are given. In some cases, the Guidelines quote excerpts from the questionnaires, together with the related answers, in order to put contents into context.  

In more detail, the two main sections of the Guidelines are arranged as follows:

1. Building a Risk management system design. This section starts by observing the strategic components: from common definitions of risk and risk management to description of mandate and risk management policy. This includes the selected decision-making pattern as well as the selected approach to integrate technology and management processes. Then, the section deals with assets and HR management, in particular with training, competence mapping, role and responsibility assignment as well as with the opportunity to establish a dedicated office/unit. This part of the Guidelines just hints to the risk management process (the topic is developed in the second section), while particular attention is devoted to the building of information flows as well as to the monitoring of RM system itself, also through a reporting system on different levels.
2. Developing the Risk management process. By balancing information sources and practices as in the first part of the Guidelines, this section outlines all the stages of a risk management process: from cross-cutting consultation and communication with stakeholders to context analysis, including process mapping, identification, prioritisation, risk treatment and (treatment action) monitoring. In addition, there are directions related to control systems and Internal Auditing as well as to indicators measuring both performance and state of risks. This part of the Guidelines also contains a description of some context features related to risk management system implementation, i.e., requirements for the supporting information systems, models to assess the maturity level of Risk Management systems and the “lessons learned” when developing such systems. The “lessons” are referred to, in particular, what was most successful, what was most difficult and what not to do. The second section ends with the paragraph on the Agile approach to Risk management, drafted by a UNECE Task Team on this topic.

Finally, the Guidelines include three further elements:

• Annexes, which show a more practical approach to the different domains of risk management, describing two categories of examples:

             - Focus points on the risk management core topics developed in the Guidelines;

             - Case-studies, describing significant experiences of some NSOs on particular features of the risk management systems;

• References, related to the main sources of the Guidelines: standards and international guidelines, specialist literature, in-depth analysis and specific experience;
• Glossary, containing the main relevant terms and phrases of the Guidelines.