Enterprise Risk Management: Why Federal Agencies Need It and What They Need to Know

  • By Jessica Congemi
  • 01 Feb, 2018

The Global Risk Landscape
Globalization, be it good or bad, reinforces the importance of comprehensive enterprise risk management. Information can now be broadcast around the world in mere seconds and shared with viewers in every single country. Polarized groups from around the world, whether they be politically, socially, or economically charged, can now leverage technology as never before, enabling research, sharing, and/or organizing to be done in real time.

The birth of globalization, technologies, and real-time communication platforms also brought about the opportunity to develop and disseminate misinformation masquerading as facts, often painting any opposing viewpoints in an overwhelmingly negative light. And since such groups are no longer bogged down by wait time, their targets (or opponents) are no longer afforded an opportunity to react.

With this worldwide shift in information sharing, according to the World Economic Forum’s (WEF) 2017 Risk Report, anti-establishment populism and increasingly divided societies both topped the list in the global risk landscape. However, organizations, specifically federal agencies, can proactively manage the risks impacting their strategy through effective Enterprise Risk Management (ERM) and realize key organizational benefits while side-stepping potential pitfalls.

Why should it matter to federal agencies?
Within the federal government space, agencies are not immune to the risks affecting organizations around the world. As noted by the Government Accountability Office (GAO), “federal managers often handle complex and risky missions, such as preparing for and responding to natural disasters, and building and managing safe transportation systems.*” And while risks may arise from a variety of external and internal environments, including economic, operational, and organizational change factors, all could negatively impact an agency’s ability to meet goals and objectives if not managed effectively.

Additionally, recent Office of Management and Budget (OMB) policy changes are setting the stage for federal agencies to implement appropriate risk management processes and systems to identify challenges early, bring them to the attention of leadership, and develop solutions. Specifically, policy changes to OMB Circular No. A-123 modernize existing requirements to improve accountability by requiring agencies to implement an Enterprise Risk Management (ERM) capability (requirements became effective in FY17). Risk management is not just a compliance department (anymore); it’s a driver of an agency’s enterprise and sustainable strategy.

ERM provides a better way to anticipate and manage risk across an agency. It is a principles-based approach to managing, not eliminating, risks and provides transparency at the enterprise level around the most significant risks to the organization. Through implementing ERM, risks are identified and assessed in strategy setting across the entire enterprise, geared towards the achievement of strategic objectives.

Requirements for Success
For an ERM program to be effective in directing and controlling risks, key elements must be integrated into the ERM program development process:
  • Standardized methodology
  • Integration into strategic planning and decision-making processes
  • Shift to a culture of risk management
  • Change management (how an organization transitions from current state to future state and how quickly)
  • Organizational maturity in 7 behavioral attributes:
      1. Adoption of an ERM-based approach
      2. ERM process management
      3. Risk appetite management
      4. Root cause discipline
      5. Uncovering risks
      6. Performance management
      7. Business resiliency and sustainability

Key Benefits and Challenges of ERM
Beyond implementing an ERM program to meet OMB requirements, federal agencies receive key benefits when adopting ERM. Through ERM, their organization can:
  • Gain a cultural understanding of the importance of sustaining high credibility as an agency
  • Afford the opportunity for leadership to make more educated decisions
  • Increase knowledge and understanding of risk across the organization
  • Improve risk culture
  • Align risks with agency/program goals and objectives
  • Provide a more efficient and effective means of managing risk
  • Foster agreement on core values and on the necessity for a broadly integrated risk management approach

However, agencies should be aware of and understand key challenges that may arise during program implementation, including:
  • Providing the appropriate foundation, assessment, and management platform
  • Insufficient sponsorship of ERM at the executive level
  • Positioning ERM as a strategic management practice and not as an additional task
  • Managing competing priorities (key ERM staff participate in initiatives that are risk-related but do not directly support the implementation of an ERM program)
  • Ensuring compliance with Federal government regulations and requirements
  • Lack of understanding of risk management and/or qualified risk management professionals and expertise
  • An internal culture prone to siloed operations

Recommendations for Getting Started
Implementing an effective ERM program may seem like a complex and costly endeavor, but there are actionable steps agencies and organizations can take to incrementally shift in the right direction of building a robust ERM capability. At a high level, there are underlying themes that provide a useful foundation for taking initial steps and navigating resistance to ERM adoption**:
Building off these themes, the initial action steps below are recognized as best practices for implementing ERM:
The world continues to shift rapidly, as do the risks facing organizations around the world. Federal agencies and organizations alike require a systematic approach to proactively identify, assess, respond to, and monitor risks that threaten the achievement of their strategic objectives. While it is not possible to eliminate all risks, Enterprise Risk Management provides actionable steps to better plan for and manage them. Take the first step – after all, “The worst thing you can do is nothing” – Theodore Roosevelt.

*GAO, Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk (December 2016), 2.
**COSO, Embracing Enterprise Risk Management (January 2011), 7-13.