Search
Close this search box.

Risk Management Lessons from the Home Insulation Program

There is a saying that “a smart man learns from his own mistake, a wise man learns from the mistakes of others, and a fool never learns”. Tony Harb, risk management specialist from InConsult looks at what organisations can learn from the Home Insulation Program mayhem.

Background

The $2.45 billion Home Insulation Program (HIP) was announced in February 2009 and came into effect on 1 July 2009 as part of the Federal Government’s $42 billion economic stimulus package in response to the global financial crisis. The HIP was unprecedented in its scale and speed of implementation.

Remember, there was little economic optimism at the time and the program had a number of important economic and environmental objectives including creating jobs and improving energy efficiency to reduce cost and carbon emissions.

The insulation industry is principally self-regulated…even though working in ceiling spaces is inherently risky.

The HIP was managed in a Division of the Department of the Environment, Water, Heritage and the Arts (DEWHA). Like all other public departments, DEWHA had specific objectives to achieve, external and political pressures, reporting obligations, compliance obligations, formal processes and procedures, limited resources, a budget and a risk management policy and framework in place…just like your typical organisation.

In theory, the HIP was an excellent initiative. But a post-mortem of the series of unfortunate events arising from the now scrapped program is filled with many examples of frail risk management and governance that have had catastrophic moral and financial consequences.

The moral consequences include the loss of life, loss of jobs and loss of confidence in our political leaders. The financial consequences include potential compensation claims, additional inspection costs, remediation of works and additional safety controls.

So what went wrong? Where were the cracks? What can we learn?

Don’t be obsessed with your objectives at the expense of good process.

The government was keen to roll out the program very quickly to reap economic environmental benefits. The former federal government prided itself on its economic management and the current government needed to demonstrate that it was just as good. In addition, the Copenhagen Climate Change Conference was just months away and the government wanted to play a leading role in the climate change debate. So, it was full steam ahead to meet program objectives and a risk attitude of “she’ll be right mate”. Hey, we’ve ticked the boxes…what could go wrong?

Risk management must be practiced at all levels.

DEWHA was and still is committed to managing its risk well. In fact, according to its Strategic Plan produced in July 2009, DEWHA stated that it had a Risk Management Policy and a Fraud Control Plan to help reduce the risk of fraud against the department. In addition, there are undertakings that “Project management and risk management are embedded in day-to-day operations and governance” and a catch all statement that “We manage risks”.

The risk assessment prepared for the HIP demonstrated that DEWHA puts this theory in practice, but how effective were the controls? A risk assessment without an evaluation of control effectiveness is not worth the paper it’s written on.

Use the result of the risk assessment to support decision making.

DEWHA had established working groups and developed processes to manage and monitor the HIP. At the time of conducting the risk assessment (3 months before start date), there were still around 100 outstanding recommended actions/risk treatments and it was recommended the scheme be delayed until September 30 2009. However, instructions from the Department of the Prime Minister and Cabinet were given to the states to reduce as much red tape as possible and to commence work on projects as soon as possible.

The risk register is an important output of a risk assessment process. It should be a key factor in the decision making process when evaluating a strategy, process, program or project. Looking at it 10 months later is not good practice.

Know you risk appetite.

The good news is that a risk assessment/plan was completed and a risk register developed. Whilst it was high level, the process identified gaps in the existing processes and “recommended management plans” developed. Whoever made the final decision to continue the roll out of the program must be a risk taker with a high amount of risk appetite or needs to attend a risk management course. By continuing to roll out the program without completing the risk treatments, the Government was essentially saying we are prepared to live with the risks in order to keep the economy going and reduce carbon emissions. Risk appetite did not appear to be well defined…perhaps hundreds of thousands of fraudulent claims and 100 fires were tolerable and within risk the Governments risk appetite.

It is critical that organisations define their risk appetite, capacity and tolerance on all major programs and strategies.

Know your inherent risk, residual risk and control effectiveness.

Whilst the risk assessment demonstrated good risk management thinking, the risks were very high level statement. The risk assessment published by the department did not identify the risk of installer death. For the risks that were identified, there was no likelihood and consequence ratings, no inherent risk rating, no evaluation of the effectiveness of current internal controls and no residual risk rating. There was no allocation of treatments to specific risk owners or specific time frames.

Know your environmental factors.

The Insulation Council of Australia and New Zealand (ICANZ) states that the insulation market employs 5,000 people; but 10,000 installers were registered for HIP and many workers employed were low skilled. DEWHA estimated 90,000 installations per month but in November 2009, around 180,000 installations were recorded. Throwing money into a program for quick results in a slowing economy where there are more registered installers than industry data suggests and insufficient internal controls is like walking across the Sydney Harbour Bridge in peak hour traffic blind folded…someone is going to get hurt!

The bottom line.

An organisations risk management framework will only be as strong as its weakest link. Having risk management polices and procedure is a good start, but risk management must be in the hearts and minds of every person in your organisations…it must part of your organisations DNA.

Tony Harb can be contacted on 02 9241 1344 or tonyh@inconsult.com.au