Don’t Risk It

Information technology can help agencies meet their most important mission-protecting the public.

Nearly 200 years ago, Thomas Jefferson said, "The care of human life and happiness and not their destruction is the first and only legitimate object of good government."

According to Jefferson's theory, government's first duty is to manage the public's risk, giving everyone the opportunity to pursue individual happiness-the second duty of good government.

Government manages people's risk in three fundamental ways: first, as a regulator when individuals or businesses impose risks on others; second, as a risk manager, when individuals or businesses cannot manage risk themselves; third, as a provider of services to the public, which often entails risks that the government itself needs to manage effectively.

Consider the Securities and Exchange Commission. Its duty is to protect investors; maintain fair, orderly and efficient markets; and facilitate capital formation. Without SEC's regulatory authority, how comfortable would people feel about investing?

Or take the Food and Drug Administration, whose duty is to protect and promote public health. Since May, FDA has tried to track down a salmonella outbreak that has sickened more than 1,100 people. No private organization could easily take on that role.

The risks agencies manage today are more varied and complex than Jefferson ever imagined. FDA, for instance, is responsible for monitoring potential dangers involving food, drugs, medical devices, cosmetics and radiation-emitting products, to name a few.

Consider food safety. Risks have changed as the food supply has expanded globally and the amount of imported food FDA regulates has more than tripled in the past decade, straining its ability to conduct adequate inspections. In addition, more foods are genetically engineered, increasing from just one in 1994 to more than 50 today. FDA must ensure they all are safe to eat.

With risks becoming more complex, the use of information technology is essential for managing the public's safety. For instance, to improve health care and reduce costs, the Bush administration set a goal to provide interoperable electronic health records for most Americans by 2014.

While technology can help agencies manage risk, the IT solutions themselves frequently are not managed well. The FBI's first attempt to develop a virtual case file system is one example. The bureau canceled the project in 2005 after repeated budget overruns, missed deadlines and performance issues. The snafu with developing handheld computers to support the Census Bureau's 2010 count is another example. The agency canceled its plan to use the devices when it became clear that it wouldn't be able to properly test them by census time and development costs began to increase.

When the agency announced in April that it would not use handheld computers in the next decennial count, top officials blamed poor communication between the government and its contractor, Harris Corp. But that explanation is merely a euphemism for enterprise risk mismanagement.

With so many IT project blunders, it's not surprising that federal agencies have been slow to embrace enterprise risk management. More businesses, however, are using ERM, a holistic approach to managing the full spectrum of risks. They are integrating strategic, operational, financial and insurance risk management practices to better understand the risks that confront them. That way, risks become transparent to everyone in the organization, and a coordinated and cost-effective approach to managing them is possible.

ERM also helps with managing the strategic and financial risks associated with major IT programs, which many agencies typically don't take into account. At Census, a strategic decision was made to use handheld computers for door-to-door census takers to capture and transmit data for the 2010 count. This was a reasonable decision. But the risks it created-operational, financial, contingency and, especially, how those factors interacted with one another-were not accounted for.

A robust ERM approach would have increased the chances that the bureau's handheld project would have been successful. Given all the types of risks the project faced, however, it is doubtful that even a robust IT risk management plan would have been sufficient to ensure success.

Adopting ERM at a federal agency is much harder than in business. While the fundamental business of government is the management of risk, its basic practice revolves around politics, which is about power and control. Also, identifying risk in government is viewed as a negative. Who wants to be on the Government Accountability Office's high-risk list? So, making myriad risks transparent isn't a priority for most agencies.

Still, launching ERM in government is possible. The best way is to take a middle-out approach that concentrates on managing operational risks-those posed by people, processes and technology. Chief information officers, in cooperation with chief financial officers, are well-placed to begin the process because IT touches on not only operational, but financial and strategic risks, too.

CIOs can help identify the different types of risk IT creates and mitigates. With help from CFOs, they can begin to create the underlying processes necessary to manage risk not only within IT, but throughout the agency.

Agencies will find it progressively difficult to create the complex solutions necessary to protect the public without an agencywide approach to managing risk. Without one, Jefferson's goal of good government-the public's happiness-will be at risk as well.

Robert Charette is founder of ITABHI Corp., a risk management consulting firm.