The Office of Federal Student Aid put in place the first formalized risk management framework in the federal government, starting its efforts in 2004. What does it look like? How did they do it?
One former federal leader, Todd Grams, says agencies that ignore risk are actually creating risk. Not surprisingly, there has been increasing interest among agencies in developing a risk management function. So what does that look like? The Education Department’s Office of Federal Student Aid began a decade ago to create a risk management function, which may serve as inspiration for other agencies considering the same.
In a recent book and presentations around town, Cynthia Jasper Vitters and Fred Anderson, risk management executives at FSA, describe their efforts and the evolution of an enterprisewide risk management function. They observe: “ERM implementation at FSA is not viewed as a compliance function.”
FSA has made or guaranteed more than $1.2 trillion in student loans, with 40 million borrowers. The office has a budget of $1 billion and a staff of about 1,200, serving 6,200 universities around the country. In 1998, FSA was legislatively designated a performance-based organization, which allowed it a certain degree of autonomy. Its chief was appointed by the secretary of Education on a term contract and was not a political appointee or career executive. Anderson and Vitters felt that the designation as a performance-based organization “helped pave the way” for the creation of a risk management function at FSA.
Because of the volume of loans and a high default rate, the Government Accountability Office placed FSA on its high risk list of programs in 1990. GAO removed FSA the next year from its high risk list, in part because FSA began to systematically pursue risk management in 2004.
Creating a Framework
Stan Dore was hired as FSA’s first chief risk officer in 2004. He set out to create an enterprisewide risk management office, which was stood up in 2006 with a small staff reporting to the Enterprise Performance Management Office.
The new office started to create a framework and implementation plan, but FSA’s chief operating officer, Theresa Shaw, resigned in 2007. The office had several acting leaders until a full-time COO was named in 2009. During that period, the FSA worked to educate senior career executives and various business units about the role of risk management in their operations.
The new COO, Bill Taggart, was a former bank executive who was a strong supporter of risk management. He appointed a new chief risk officer, Fred Anderson, who raised the profile of the fledgling office, expanded the risk management framework and formalized the role of risk management in FSA’s five-year strategic plan.
Anderson became a direct report to Taggart and split the office into four groups:
- Risk analysis and reporting
- Internal review
- Portfolio performance management services
- Acquisition risk management
In addition, Taggart created FSA’s risk management committee, chaired by Anderson. Taggart attended all meetings, along with other executive members. FSA’s current COO, James Runcie, consistently attends meetings as well. The committee’s objectives are to: “identify, track and mitigate operational, portfolio, project and technology risks across the organization.”
Tips for Other Agencies
So what would it take to create a risk management function at your agency? Anderson and Vitters have six pieces of advice:
Use a phased approach to implementation. FSA developed a timebound, phased plan for its enterprise risk management approach. Each phase had defined risk criteria and an accountable owner, who is responsible for continuous review and updating based on changing conditions. An upfront investment in planning and engaging senior leaders made implementation easier.
Create a risk management committee. When Taggart established the nine-member committee, he had the risk management office define its scope and operations and ensure that its initiatives aligned with existing business functions. Executives on the committee had specific roles and portfolios of issues. Prior to each monthly meeting, issues on the agenda were vetted by the assigned member of the committee to ensure no surprises.
Ensure the right talent in the risk management office. Finding the right talent for the risk management office staff, according to the authors, is “vital to the group’s success.” They started with internal staff and supplemented with contract staff. As the function matured, they identified individuals with specific skill sets and subject matter expertise.
Integrate risk management into existing processes and functions. FSA, like other agencies, has pre-existing formal and informal oversight, compliance and internal control activities. One of the first tasks of the new chief risk officer was to inventory these activities and help align their activities with an overarching risk management strategy.
Extend risk management to contractors and other partners. FSA historically has outsourced many of its major operations—such as loan servicing and collection—to outside contractors. The office also has partnerships with universities and lending institutions. The risk management office developed approaches to extend its oversight of significant risks to these partners as well.
Prioritize key risk information. Initially, the risk management office identified a large number of potential risks and scenarios. It found, however, that having too many made them difficult to manage and prioritize. So, it became important to focus on the risks that might affect FSA’s goals.
By focusing attention on these elements, FSA’s risk management office was able to help ensure that risk management was viewed not as a compliance function, but rather a strategic leadership approach to managing the business of student loans. Vitters and Anderson believe this “puts FSA in a strong position to successfully manage its unique business structure.”