Health and Social Care Bill

My Lords, I was not involved in the earlier exchanges in this House on this issue. Coming to it new, my view is that first, there is a very important issue of public policy here; and secondly, the FOI process, still less the procedural devices in the course of this Bill, are not an effective way of resolving the issue. The issue is this: in what way should public authorities report on risk ex ante and account for their management of it ex post? A ruling on a request for a specific document from a specific department is, in my view, incapable of addressing that issue adequately. Let me declare an interest: I am a director of Prudential plc. This, in the jargon, is a SIFI—a significant financial institution—and, as such, it is now required to have a separate risk committee. In the rest of the plc world, risk is still dealt with as the work of the audit committee. I am a member of that risk committee. Looking at its experience, one can identify three categories of material. First, there is a definition in the annual report of the risk universe and the organisation’s risk appetite: capital risk, liquidity risk, credit risk, operational risk, and so on. In addition there is a definition of the organisation’s appetite for risk. Secondly, the annual report has material on how risk is managed—the so-called three lines of defence: front-line managers, the risk function at the centre, and internal audit. There is then a third category of information. It might be about the risk of falling below a particular level of capital, or the danger of not finding enough liquidity at a crucial time, or the danger that the key supplier might fail or that IT systems might be interrupted. There are also watch lists: what banks or counterparties does one not want to increase one’s exposure to? This is often set out in the diagrams with which many Members of this House will be familiar, in red, amber and green, showing impact, likelihood, a combined score and then the mitigants. Very little of this category of information is disclosed, for a very good reason. Discussing it can risk making it more difficult to manage the case in question and in some circumstances might crystallise the very event one is trying to avoid. The same should apply to public bodies. Mention has been made of the chilling effect—that is, officials being reluctant to give candid advice more or less in real time. There is also something that has not really been covered by the Act, which I call the ““crystallisation effect””. Managers might be reluctant to be frank in public about operational difficulties if that would undermine their ability to make contingency plans or could trigger an event before their plans are ready. In my view this is the wrong way to resolve this issue. Where the line should be drawn, what is reported and what is withheld should not be decided on a case-by-case basis. The Information Commissioner—indeed, the whole of the FOI Act, in my opinion—is afflicted by the fallacy of composition. Because something is desirable in case A, it will also be desirable in all cases, if all cases alike are treated in the same way. However, if I stand up to get a better view of a football match, I will improve my view; if we all stand up, none of us will. The fact that one cannot take cases in isolation is perfectly illustrated in this case. The Information Commissioner issued a decision on 2 December on a request from the risk register on the NHS reform programme. Yet only the day before, he issued a decision on a different request, I think from a different complainant, on the strategic risk register. It is fanciful to think that those things could be decided independently or that they could be isolated from what happens in the rest of the public sector. How, therefore, should this issue be dealt with? Not, as I say, by requiring the release of a particular document originally written for a different audience. It would be better if the Information Commissioner had recommended that the Government should set in hand work involving the man known as HOTGAS—the head of the Government accountancy services—and the NAO, to create a framework of best practice on what should be provided in departmental reports, and what operationally should be withheld. It is normally the case that public accounting standards in the private sector have developed over time and the public sectors usually follow with a lag. The reporting of risk and of risk management is in my view the next area for improvement in the public sector accounts, and the role of the CAG should then be to police whether those principles are being followed. In the case of this Bill, I hope that the Minister can be as forthcoming as possible on what the risks are without creating any of the perils that I have indicated. The Information Commissioner has made a decision so it goes to the tribunal, and the Government’s case would be greatly improved if they were able to indicate that they supported the kind of initiative that I have suggested. Meanwhile, I hope that the noble Baroness, in the light of any assurances and further information from the Minister, will not press her amendment, but if she does I hope that the House will support the Government, on the understanding that the reporting of risk is the next issue to be advanced across public bodies as a whole.