Implementing Effective Enterprise Risk Management in Federal Government

This blog post is an excerpt from GovLoop’s Industry Perspective, Implementing Effective Enterprise Risk Management in Federal Government.

Government faces increasing uncertainties as agencies pursue diverse and complex missions. A combination of budget cuts, an aging workforce, difficulties with hiring and retaining talent and the growing complexity of information security challenges are just a few of the factors to consider in an atmosphere where a relatively minor risk can quickly escalate into a serious issue.

That’s why more federal agencies are investing in Enterprise Risk Management (ERM), a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprisewide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals and objectives.

According to a 2015 survey by PricewaterhouseCoopers (PwC) and the Association for Federal Enterprise Risk Management, agency leaders are focused on risks. More than 50 percent of respondents identified strategic risk as a pressing, current concern for their organization’s mission. Operational risk was a close second with 48 percent of respondents agreeing it was a major concern.

That’s why GovLoop sat down with experts David Fisher, Managing Director and Public Sector Risk Leader, and Bill Hughes, Partner within the National Security Practice in the U.S. Public Sector Practice, from PwC – a leading firm in the ERM arena – to discuss how government agencies can derive real value from an ERM program and what they need to do to get there.

“Every agency encounters risks,” Hughes said. “The question is, what do they do about those risks? Do they just ignore them and hope they go away? Or do they get in front of the risks so they can systematically manage them?”

Why ERM?
The benefits of ERM are proactive risk management, integrated strategies for achieving mission objectives and better overall risk response, all of which enhance an organization’s ability to achieve its strategic objectives. Unfortunately, like many private sector organizations, federal agencies tend to adopt risk strategies that are surface-level and address only limited types of risk.
“Risks can manifest at the reputational and strategic levels all the way down to the compliance and tactical operational levels,” Fisher said. “But there are a lot of inconsistencies in how government manages these risks. A lot of government organizations don’t have good mechanisms in place to know what their risks are or assess how serious they are until they’re already in the midst of a crisis.”

The Value of Risk Management
ERM provides comprehensive risk management and strategy. It delivers real value to agencies in several ways, by giving them the ability to:

-Provide early warning indicators. ERM enables agency leaders to identify potential events and respond to them early on, when options and responses are still effective. Thus, they can avoid unwanted surprises, like a Distributed Denial of Service (DDoS) attack that can take multiple systems offline before it is even detected.

-Improve transparency with a portfolio view of risk. ERM gives leadership the ability to see how risks from across the organization interrelate, including how they potentially affect one another, and to respond accordingly.

-Enhance strategy and prioritization. ERM provides the timely risk information necessary for an agency to develop and pursue a well-informed strategy that supports effective prioritization of initiatives and activities.

-Align risk appetite. Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks. In some cases, this approach identifies scenarios where taking more risk, or trading off one kind of risk for another, enhances the organization’s ability to achieve its strategic objectives.

-Realize better opportunities. Effective ERM programs support not only identifying and managing risks, but also identifying and capitalizing on opportunities to meet the agency’s mission, goals and objectives more effectively.

Implementing ERM at Your Agency
In order to implement an effective ERM program, it’s important to address both culture and mechanisms. An organization’s culture incorporates the mindsets and behaviors that govern how much risk the organization is willing to take (risk appetite) and how open it is to bringing risks into the open (risk transparency). Mechanisms, including standards, templates, forums, governance, and operational roles and responsibilities, give employees the tools to act on those cultural decisions.

Some of the critical steps to implementing ERM include:

-Assess your agency’s risk appetite. An organization’s risk appetite is simply how much risk the agency is willing to assume. An agency can be risk-averse (low appetite), risk-tolerant (able to accept higher levels of risk) or moderate (somewhere in between).

-Identify ERM leadership. Effective leadership is necessary for organizations to properly adopt and implement ERM. For many organizations, that leadership comes from the appointment of a Chief Risk Officer (CRO). A CRO should be able to understand the business, harness organizational momentum around risk management to achieve a more risk-aware culture and build strong relationships within the organization to gain buy-in from key stakeholders and move the program forward.

There are a number of ways federal agencies can benefit from an ERM program. But it’s important that agencies go beyond checking the box and adopt holistic procedures and standards for their risk management. ERM not only has the potential to help further an agency’s mission and change its organizational culture for the better; it can also improve services to the most important people to consider: government’s citizens.


Harrol R. Alexander

You know that in World War II the enemy was breaking our codes left and right; then someone had the bright idea of a simple one, so the code talkers came about, and no one could break the code. So all I am saying is, sometimes when looking for answers the simplest may be the best. Is anyone inviting Lin X to participate in our cyberspace problem? It is my understanding that they are not having the same problem. I have talked with people who use their product who say it works, but it’s a little harder to use. I do good just to get a few sentences on any computer.