The Office of Management and Budget released in July a long-awaited update to their guidance to agencies on steps they should take to manage – not avoid — expected and unexpected risks to their operations. And the focus broadens from financial risks to all kinds of potential risks.
A 2015 survey of federal employees reports that 39 percent fear reprisals if they report violations of rules or laws. This potentially has serious implications for their willingness to identify and report serious programmatic risks in their day-to-day jobs, and the tendency is to avoid or ignore risks.
The new guidance from the Office of Management and Budget attempts to address this culture challenge, and make it okay to have candid conversations. The goal of the new guidance is to help managers and employees understand the spectrum of different kinds of risks, develop strategies and tools to mitigate them—as well as incorporate them into decisionmaking—and develop strategies to communicate risks to appropriate target populations.
The Background of the New Guidance. Managing risk is not a new issue in government. But the new guidance is a fresh approach. Traditional guidance on risk – OMB’s Circular A-123 – focused on internal controls, largely in the financial arena. The new guidance, which significantly revises A-123, is the culmination of two years of extensive development and consultation across the government by OMB’s David Mader, who is the Controller for the federal government.
Interestingly, the development of this approach – called “enterprise risk management” or “ERM”– has largely been a bottom-up movement by several pioneering agencies. Several agencies, including staff from Education, Commerce and Treasury, gathered in 2008 to create an informal interagency community of practice that has evolved into a more formal Federal Interagency ERM Council. This group caught the eye of OMB staff and this helped trigger changes in 2014 to governmentwide performance management guidance issued annually by OMB, and ultimately led to the revision of A-123. OMB’s Mader said: “It’s time now to institutionalize this across the Executive Branch.”
What Is Enterprise Risk Management? According to OMB: “ERM is a discipline which deals with identifying, assessing, and managing risks across an enterprise.” In a 2015 report for the IBM Center, Doug Webster and Tom Stanton advocated a shift in the federal mindset: Accept risk as a condition of action and as a part of achieving mission results. Agencies needed to shift from risk avoidance to risk management, reflecting similar practices in the private sector.
According to Mader: “ERM places the focus on identifying, measuring, and assessing challenges related to mission delivery in advance – well before those challenges can become issues . . . it identifies the range of possible events, or the full spectrum of an organization’s significant risks” – financial, organizational, reporting, compliance, governance, strategic, reputational. It also allows leaders to “understand the combined risks as an interrelated portfolio, rather than addressing the within individual silos.”
Circular A-123 further notes: “Risk management practices must be forward-looking and designed to help leaders make better decisions, alleviate threats and to identify previously unknown opportunities to improve the efficiency and effectiveness of government operations.”
Expectations in the New Guidance. The revisions shift the focus of A-123 from being a set of prescriptive internal control standards, assurance statements, and financial reporting, to a more flexible, dynamic focus on a broader range of risks. Mader says it doesn’t mandate “how” agencies should act, but rather focuses on a set of principles of “what” agencies should do. The Circular:
- Requires engagement by all agency management, not just the chief financial officer (who had the lead role in implementing requirements under the earlier version of A-123). It requires leadership from an agency’s chief operating officer and performance improvement officer, as well as close collaboration with the agency’s mission delivery and mission support functions.
- Recommends establishment of an interdisciplinary risk management council chaired by the chief operating officer or senior official with responsibility for the enterprise in each agency, which would also leverage existing offices or functions that currently monitor risk and internal controls.
- Requires the development of a maturity model that would assess progress in an agency’s adoption of an ERM framework.
- Requires the development of risk profiles, with plans for their approach due as soon as practicable, with initial risk profiles due to OMB by June 2, 2017. Agencies are expected to organize their risk profiles into portfolios, using the agency’s strategic objectives as the framework for the portfolio. The guidance includes a sample template for the components of the risk profile, which include identifying organizational objectives and associated risks in meeting them; the current risk response; and proposed risk responses.
- Encourages candid conversations with top leaders, where agency leaders discuss their risk profiles and proposed responses annually as part of their strategic reviews.
Approach to Implementing the New Guidance. It’s been a long time in gestation but Controller David Mader says that taking the time to actively engage stakeholders – both internal and external — in the development process was seen as an essential element in the success of the implementation process that follows.
He says the tough communication element will be having federal employees understand that “risk is part of the job” – that it always exists and that they need to factor into their work the need to identify ways to mitigate it, not just hope to hide or avoid it. The goal is to change the culture in government enough that employees would feel comfortable talking about and mitigating risks.
To pave the way, a Playbook 1.0 has recently been developed by a cross-agency interdisciplinary team to help agencies develop their own ERM approaches. This playbook is to be released at the end of July. In August, OMB will begin meeting one-on-one with agencies to discuss specifics. Training will be provided over the next 6-to-12 months, culminating next spring, when agencies need to be able to show OMB what their risk management program looks like, and share their initial risk profiles. In addition, the professional association for federal risk managers, the Association for Federal Enterprise Risk Management, is offering training as well.
Use of Agency Strategic Reviews for Candid Conversations. A-123 says agencies should rely on existing agency functions and processes. As a result, the agency-level annual strategic review process is intended to be the forum for discussions about enterprise risks. These meetings are where top agency managers discuss and make decisions about performance issues, and the risks inherent in meeting mission objectives. Agencies conduct their own reviews, and use their own analytic approaches. The reviews are an opportunity to use multiple sources of information, and integrate analyses that look strategically at their portfolio of programs around a strategic objective (there are about 350 strategic objectives across the federal government). The reviews offer agency leaders opportunities to change strategic approaches and frame their coming year’s budget requests. Agencies are currently completing their third annual strategic review. Risk management was a big theme in the reviews.
As for the fourth cycle of agency strategic reviews upcoming in mid-2017, OMB staff sees them as the preparation session for the development of agency four-year strategic plans, which are due to be revised in mid-2017 and submitted to Congress in February 2018 along with their FY 2019 budget requests. In preparation for this, A-123 sets a deadline of June 2, 2017 for when agencies’ initial risk profiles are to be completed, so they can be included in the conversations at their annual strategic reviews.
The Longer-Term Goal. Completing the first set of ERM risk profiles by June 2017 is not the end. The goal is to connect dots with other existing administrative management processes and integrate the risk reviews into the fabric of how government works, such as the development of agency strategic plans. But, as noted earlier, the real challenge will be to incorporate it into agency cultures as a routine, ingrained practice, with expectations that managing risk is a “team sport.” A-123 notes: “Successful implementation . . . requires Agencies to establish and foster an open, transparent culture that encourages people to communicate information about potential risks and other concerns with their superiors without fear of retaliation or blame.”
Graphic Credit: Courtesy of Stuart Miles via FreeDigitalPhotos.net