The IBM Center recently released Seven Drivers Transforming Government, a series of essays exploring key drivers of change in government. It is based on research and insights shared by current and former government officials. What follows is an edited excerpt from that report.
There are numerous threats to the safety, security and resilience of the nation, including acts of terrorism, malicious activity in cyberspace, pandemics, accidents, transnational crime, and natural disasters. It is the mission of many federal agencies to identify, address, and mitigate these very risks. Along with these complex external threats, government leaders must also take seriously the internal risks they face in meeting their critically important missions. They do this, as we all do, in a dynamic and uncertain world where the past does not serve as a complete guide to the future.
In addition, government leaders operate in an environment that is increasingly intricate and interconnected. As technology pervades our lives, once simple devices have become smarter and more connected to the world around us. Building the capability and capacity to identify, understand, and address risks and potential threats is essential. Assessing and responding to the inherent risks facing the public sector is a key driver in transforming government and promoting successful program and mission management.
Increased Risks and Threats
Risk involves the effect of uncertainty on objectives. With government facing widening and deepening uncertainty, external and internal risks threaten an organization’s ability to achieve goals and objectives.
External risks to federal agencies include environmental factors as diverse as an aging workforce, changing social norms, or increased cyber security threats. Agencies may have little to no direct control over these changes.
Internal risks are a different matter, and can be affected by organizational actions, such as internal processes and controls, training, values and culture. These are under the direct influence, if not outright control of the organization.
Addressing Risks and Threats
Over the last decade, agencies have begun to take the range of threats more seriously, and have pursued ways to manage and mitigate them. Risk management is such a strategy: it is a series of coordinated activities to direct and control challenges or threats to achieving an organization’s goals and objectives. Dr. Karen Hardy, in Managing Risk in Government: An Introduction to Enterprise Risk Management, identifies enterprise risk management as one tool that can assist federal leaders in anticipating and managing risks. ERM provides an enterprisewide, strategically-aligned portfolio view of organizational challenges that offers leaders insight about how to most effectively prioritize resources to successfully deliver on the mission.
The Office of Management and Budget recognizes ERM as an effective approach to addressing the full spectrum of an agency’s external and internal risks. In July 2016, OMB issued an update to Circular No. A-123 requiring federal agencies to implement ERM to better ensure managers are effectively managing risks that could affect an agency’s ability to achieve its strategic objectives. OMB also updated budget guidance for agencies, requiring them to implement ERM. The updated requirements help modernize management efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review processes established by the 2010 GPRA Modernization Act. This integrated governance structure can improve mission delivery, reduce costs, and focus corrective actions towards key risks.
Even before OMB required agencies to adopt ERM, some agencies implemented ERM to address risk-based issues and improve their ability to respond to future risks. The IBM Center has published reports highlighting case studies of federal agencies and their ERM efforts, such as the Education Department’s Office of Federal Student Aid, which adopted ERM in 2004, and the Centers for Disease Control and Prevention’s RiskSmart™ credibility risk management and issues management system.
Tackling the “Internet of Threats”
From the massive OPM breach in 2015 to the latest network penetration of a private corporation, one of the most pressing hazards facing government agencies and governments involves cyber threats. The growing complexity and danger of the current threat environment—“Internet of Threats”—describes risks faced in moving more physical applications online, a trend magnified by the web-enablement of a broad range of applications commonly referred to as the IoT . The interconnectedness of devices today introduces technologies that connect cyber systems to physical systems. This means that potential disruptions can have large and unanticipated cascading effects.
Indeed, these innovations are a double-edged sword. These new technologies can also help government and industry identify and address risks and threats; in the online world, cloud-based approaches can enable instantaneous transmission of patches across a network. And artificial intelligence can automatically detect malware and mitigate risk at scale, automating routine decisions and allowing leaders to focus on the highest priorities (such as open source vulnerabilities).
At the same time, government continues to rely on archaic, vulnerable systems. More fundamental modernization strategies can reduce risk significantly, such as using shared services for secure computing platforms, and adopting technologies that allow identity and access management and encryption.
With sound governance, agencies can adapt new technologies to ensure compliance while allowing overstretched security staff to address high-priority risk items even as constrained budgets remain the norm.
Given the continually evolving threats and compliance issues, addressing threat vectors in a risk management framework is critical.
Federal executives must understand the spectrum of risks, develop actions to mitigate risks in compliance with law and policy, and communicate risk response strategies to appropriate populations. More importantly, assessing the inherent risks facing the public sector, and responding accordingly, can drive change in government and promote successful management of government programs and missions. Risk management is not simply a compliance exercise but goes to the core of agency mission delivery.
Michael Keegan is the Leadership Fellow for the IBM Center for The Business of Government, and the host for its Business of Government Radio Hour.