Zern Liew/Shutterstock.com
What could possibly go wrong? Do self-confident, optimistic leaders ask this question often enough, at the right time?
Risk experts Doug Webster and Tom Stanton think not. In a new report for the IBM Center for the Business of Government, they observe: “The front pages of national newspapers constantly report on actions by private companies, federal leaders, or agencies that do not appear to have considered the risks associated with various decisions and actions. There appears to be a common thread running through these events: a failure to adequately consider risk up front and address it as part of an organization’s overall management.” Their report describes how enterprise risk management, or ERM, is a promising approach to assessing and addressing organizational, mission and reputational risks.
Webster and Stanton interviewed federal executives to find out why agencies typically do not strategically manage their risks effectively and use this knowledge to improve their routine decision-making processes. They identified six challenges:
Challenge 1: Getting sustained support from top leaders. Interviewees stressed this is key, and the biggest challenge is when there is a transition in leadership. Career staff have a responsibility to frame risk management as an element of due diligence for new leaders, and missteps could damage them personally and the mission or agency more broadly.
Challenge 2: Breaking down the power concentrated in organizational silos. While leadership might support risk management approaches, lower levels in the organization might not, especially in decentralized or siloed agencies. Focusing on a targeted set of risks, or creating an enterprise-wide executive risk management committee to regularly assess status are two strategies for addressing this challenge.
Challenge 3: Overcoming a culture of caution. Many organizations have cultures that focus on process compliance and risk avoidance. An overemphasis on “staying out of trouble” can itself become a mission risk. The tone set by agency leadership matters; employees must be able to trust that they can safely report potential risks, and see that this is an encouraged behavior.
Challenge 4: Reconciling the roles of risk managers vs. the inspectors general. The quality of working relationships between agency staff and their IG is “of paramount importance,” according to interviewees. An adversarial relationship will “chill the flow of risk-related information” within the agency, including to top leadership. A constructive dialogue is needed to develop a win-win relationship (Another recent IBM Center report addresses this dynamic).
Challenge 5: Educating agency staff on the usefulness of enterprise-wide risk management. Agency staff intuitively understand potential risks in specific programs or systems, but tend not to see how various trends might lead to broader risks in their agencies. Creating an enterprise-wide perspective is helpful, but requires a concerted communications effort to integrate such discussions into the flow of routine decision-making processes.
Challenge 6: Being able to demonstrate the value of an institutionalized risk management function. The value of an effective enterprise-wide risk management function is that nothing bad happens. So how do you demonstrate the value of avoiding a potentially costly event that never occurs? The authors say “the value of ERM can be seen in the increased quality of decision-making” in that better communication about risk-reward trade-offs can “maximize overall stakeholder value.”
The Office of Management and Budget has had a long interest in managing financial risks, but in 2013 it began to work with the Government Accountability Office to update the government’s guidance for internal controls. The initial draft of the update sought to expand beyond a compliance approach to a broader enterprise risk management approach. This was reflected in budget guidelines in 2014, in which OMB sought to highlight the need for consideration of risk into agency performance and strategic reviews.
A forum earlier this year with OMB addressed the development of an enterprise risk management approach that pairs conversations of risk and opportunity, to ensure the conversations are not dominated by backward-looking assessments of risk. There was also discussion of engaging in strategic planning and risk management activities jointly, not separately, to ensure the conversation doesn’t tend toward risk avoidance versus managing risks and opportunities. OMB hopes to complete its policy revisions by the end of 2015.
Webster and Stanton offer several recommendations to agency leaders. These actions, they say, can be taken in advance of any OMB guidance. They suggest, for example, that agency leaders create an organization-wide operating committee, with a small risk staff to support their efforts, to “regularly identify major risks that could impede achievement of the agency’s mission,” prioritize them and come up with plans to address the high-priority risks.
The authors say that agency leaders need to create the conditions for effective risk management by working to “ensure that information flows up and down the hierarchy so that risk-related information can flow to decision-makers.” In addition, agency leaders need to integrate risk management discussions into their regular decision-making processes, such as strategic reviews and budget discussions. After all, what could possibly go wrong if they didn’t?
(Image via Zern Liew/Shutterstock.com)