On The Look Out

If government’s job is to protect the people, it must be able to manage risk—before disaster strikes.

If government's job is to protect the people, it must be able to manage risk-before disaster strikes.

A Continental Airlines turboprop plane crashes outside Buffalo, killing 50 people. Salmonella-tainted peanut butter kills nine and sickens more than 500. Bernard Madoff is arrested for bilking investors out of $50 billion. The financial industry melts down as subprime mortgages go into default, starting a financial contagion that threatens to tip the nation toward Great Depression II. These are events Americans faced just within a four-month span. While the frequency and severity of the tragedies may seem atypical, this nation is no stranger to unfortunate events. Now Americans are looking to their government, unlike at any other time in modern history, to reduce the chances that catastrophes like these will happen again.

And they do so with trepidation. Citizens believe many of the risks they face have been unevenly managed at best and horrendously botched at worst. No wonder a September 2008 Gallup poll found that only 42 percent of people said they had at least a fair amount of trust in the executive branch-the lowest since the Watergate era, when the poll was first taken.

Americans want life to be less risky. But the problem is government isn't being managed to reduce risks. Without realizing it, federal officials are risk managers at their core. That means they should weave risk management strategies and tactics into their everyday operations and strategic decisions at the highest level. Agencies need to weigh the probabilities of what could go wrong, the price of reducing the chance that it will and the costs if it does. All that should be discussed, evaluated and fed into an agency's strategic plan and budget, whether it's defending the nation against terrorists, keeping food safe, fighting disease, avoiding economic meltdowns or reducing crime. It even plays a role in managing national parks.

"Government has always been involved in managing risks, even as risk management has not generally been recognized as being a fundamental function of government," says David Moss, a professor of business administration at the Harvard Business School and author of When All Else Fails: Government as Ultimate Risk Manager (Harvard University Press, 2002).

But government executives don't manage that way. Agencies don't mention the word risk, and if they do it's in a mish-mash of incoherent policies and misplaced budgets. Take the Food and Drug Administration. It estimates that one in four Americans are sickened by food-borne diseases each year at a cost of $44 billion in hospitalization and lost productivity. Yet FDA inspections have fallen by nearly 15 percent during the past five years. "Citizens are increasingly calling on government to prevent bad things from happening and to ride in to help when they do," says Donald F. Kettl, a political science professor at the University of Pennsylvania and author of The Next Government of the United States: Why Our Institutions Fail Us and How to Fix Them (W.W. Norton & Co., 2008). "That increasingly has led to calls for quick action from Washington."

A response calls for a dramatic shift in how agencies manage themselves and how they decide to meet their missions, both of which require using risk management techniques.

What Is Risk?

Politicians and government managers typically don't think of managing agencies with a focus on reducing the public's risk. But it is impossible to find a time in American history when politicians weren't wrestling with some "nettlesome risks," as Moss calls them, and crafting policies aimed at either reducing or reallocating the risks.

Government first got into managing risk in a big way in the late 18th century when it began to develop policies to deal with risks thought to undermine trade and investment. A second wave occurred at the beginning of the 20th century and lasted until the 1960s, when government began passing laws to protect workers from unfair or unsafe workplaces. A third phase, which continues today, focuses on averting consumer and personal risk.

The consequences of not managing risk have hit Americans squarely in the jaw. It started with the recession brought on when the dot-com bubble burst, and then quickly led to the Sept. 11 attacks, Hurricane Katrina, the wars in Iraq and Afghanistan, and the current financial crisis that is testing the limits of government response. Throw in volatility in oil prices, airline overcrowding and delays, drug recalls, lead in children's toys, salmonella and E. coli outbreaks, and it is understandable why the public feels risks are out of control and wants government to offer relief. "The problem now is the rapid pace of the challenges-that whatever it is that happens punishes and punishes instantly," Kettl says. "Problems are coming from a lot of different directions at once."

The public not only demands that government manage the consequences of risk, but that it deals with problems before they turn into catastrophes. Merely reacting to risk is eroding the people's trust in government.

Time for Change

President Obama has promised to hold government accountable for its performance. In his inaugural address, he broke away from how past presidents defined the role of government, steering clear of the big-versus-small debate. He chose to focus on what works and what doesn't. "Those of us who manage the public's dollars will be held to account-to spend wisely, reform bad habits and do our business in the light of day-because only then can we restore the vital trust between a people and their government," he said.

Obama's plans include appointing a chief performance officer to scour the federal budget line by line, eliminating what doesn't work and improving the things that do. Approached properly, that is risk management. The CPO's job will be to find those programs that manage the people's risks the best. That calls for agencies to follow proven risk management techniques. But exactly what are those?

A good place to start is with Moss' three approaches to managing risk: reduce it, spread it or shift it. One notable example is how the government has mitigated the risks of driving a car. It has tried to remove the risks of defective automobile parts by shifting the responsibility to auto manufacturers to make safer products. It has spread accountability for and the cost of car crashes by requiring drivers to buy insurance. And risks are reduced by enacting laws such as speed limits, requiring drivers to pass tests for licenses and manufacturers to install airbags, and so on.

Therefore, one success indicator for government programs could be how well they spread, shift and or reduce a public risk as defined by the agency's mission statement. Another measure could include whether the benefits of mitigating the risk outweigh the program's cost. In addition, if a program is to be closed down because it doesn't work, the CPO could reason that the government was mismanaging the public's risk or that the agency wasn't equipped to oversee the risk in the first place.

Few agencies think of their mission as reducing the people's risk. But the National Transportation Safety Board has begun to view its job that way. "We've done a pretty good job of mitigating the results of accidents; why can't we start to look at the philosophy of accident prevention?" says Mark Rosenker, the agency's acting chairman.

While NTSB comes in after a transportation accident (when the risk already has become reality) it has put more management time into prevention. The board has developed guidelines to reducing travel-related risks, which in the case of car crashes, take the lives of 40,000 people and injure 3 million others every year.

In its 40-year history, NTSB has investigated 124,000 aviation accidents and 10,000 crashes involving trains, ships, trucks and cars. Because the board investigates accidents after they occur, it might not seem to be in position to decrease any risk. But NTSB issues safety recommendations after its investigations, totaling more than 12,000, and uses these reports as a way to reduce the public's risk when flying, driving, boating and traveling by rail. In 1990, NTSB created its annual Most Wanted List, which includes dozens of suggestions on how to make travel safer for agencies ranging from the Federal Aviation Administration to the Transportation Department's Pipeline and Hazardous Materials Safety Administration to the National Highway Traffic Safety Administration.

The list has reduced risks. In 2002, NTSB investigated a car accident on the Washington area Beltway in which a Ford Ex-plorer veered across the median into oncoming traffic and crashed into another SUV and a minivan, killing five people. The board concluded the crash could have been avoided if the Explorer had been equipped with electronic stability control, which relies on computer-assisted brakes to allow drivers to maintain control of their cars on slippery roads and to avoid rolling over when turning quickly. Automobile safety researchers say electronic stability control is the most important safety innovation since seat belts, estimating that if all cars were equipped with the technology, as much as 25 percent of auto fatalities could be prevented. NTSB put electronic stability control on its Most Wanted list of safety improvements in 2003. Four years later, the highway safety administration issued a rule that all cars built by 2012 must be equipped with the technology.

Rethinking Risk at FDA

If any federal agency is squarely in the business of managing risk, it's the Food and Drug Administration. But its focus hasn't always aligned with that mission.

A case in point is how the agency managed the adverse effects of the arthritis pain reliever Vioxx, which FDA approved in 1999. By 2004, the widely prescribed drug was withdrawn after cases showed that there was an increased risk of heart attack, stroke and death associated with the drug. FDA so poorly managed these risks that one of its former scientists, David Graham, told a Senate committee in 2005 that the agency was "incapable of protecting America against another Vioxx."

FDA admits it has had problems with many drugs after approving them and that it needs to better track the side effects of pharmaceuticals once they hit the market. But during the agency's 100-year history, officials didn't view their mission as managing the public's risk once drugs came on the market. "Talking about the risks was not a priority," says Julie Zawisza, director of communications for FDA's Center for Drug Evaluation and Research. "Second, there wasn't the infrastructure to support it, and third, there wasn't the cultural shift needed internally to say this is important, we need to do it."

Now the public demands it, she acknowledges. But it's a trade-off. Communicating drugs' risks quickly could undermine research into the causes, which might be incomplete or inconclusive. "When we come out sooner about risks, we know less," Zawisza says. "The science isn't as good. If it turns out to be wrong, we lose our credibility. Then, if we come out late, we may also lose our credibility, because we look like we are hiding something, when all we may be doing is trying to get the science correct."

Last year's salmonella outbreak involving jalapeño and serrano peppers illustrates FDA's juggling act. First, the agency suspected tomatoes were the culprit, and issued warnings in June 2008 to New Mexico and Texas consumers to avoid eating certain types of raw tomatoes. A few days later, FDA expanded its warning nationwide. Just one month later, however, the agency announced the cause for the outbreak was more likely peppers, not tomatoes. Growers complained that FDA's early warnings cost them millions of dollars.

FDA also is working on the Sentinel initiative, a network to improve monitoring of adverse drug side effects. When fully launched in 2015, the nationwide computer network will track the safety of all medical products FDA approves.

But the agency can do just so much. FDA is bound by laws, regulations and policies that limit the disclosure of confidential or proprietary information. The agency's enforcement powers also restrict the information it can reveal. FDA can sue a manufacturer to prevent it from shipping its products, or even seek criminal charges against companies, as it is doing in the peanut salmonella case.

Even Parks Have Risks

Do all agencies need to manage risk? Why do agencies like, say, the National Park Service have to worry about it? After all, what risks do parks have? Plenty, it turns out.

The obvious ones are the health and safety of visitors, a metric the agency tracks by tallying injuries and lives lost or saved when hikers, skiers and other park visitors find themselves in trouble. But there are less obvious risks that drive strategic planning. The most significant ones, park officials say, include losing segments of the nation's heritage.

"You have this great conflict in public policy," says John Hennessy, chief historian of the Fredericksburg and Spotsylvania National Battlefield Park in Virginia. "You have national parks that are supposed to be here for as long as there is an America, remain largely unchanged, being preserved and protected during that time. But they are sitting within a local community that wants . . . development, employment and economic growth, which are also all good. So how do you reconcile that?"

Balancing the public's risk of ruining historical landmarks with economic development includes analyzing the worth of preserving land versus the value of new jobs. And the risk of making the wrong decision is increasing.

"What we're finding now is that while acquisition is hugely important, it is not the end of the story, because what goes on outside a park can ultimately destroy what has been preserved inside, by virtue of traffic, roads, noise and all those things," Hennessey says. For example, Wal-Mart wants to build a 141,000-square-foot superstore at the edge of the Wilderness Battlefield in Orange County, Va., about 65 miles southwest of Washington. It was on this battlefield, the second-largest military park in the world, where Ulysses S. Grant and Robert E. Lee first faced one another during the Civil War. The store promises to bring badly needed jobs and tax revenue during the depths of a recession. But also it poses a risk of development that could threaten the character of the park.

The park service, Civil War historians and preservationists would like to see the Wal-Mart built farther from the battlefield, but the county council, developers and property rights advocates argue that landowners have a right to develop their property as they see fit-even if it threatens the park. To manage the risk, Hennessey and other park officials are working with many groups, including both preservationists and developers, to ensure the best possible outcome for everyone. "We are trying to move away from a stovepipe approach to a more comprehensive plan to allow for development to occur without the incremental destruction of the park," Hennessey says.

The Risk of Risk

There are risks to risk management. Or at least too much of it. The public might indeed call for the government to manage more of its risk, but "it is unclear where the endpoint is," Kettl says. "We obviously don't want to get to a state where the government is running everything." But with no clear definition of the limit, the number of public risks the government should manage appears endless. "During normal times, many believe that it is better for the government to stay out," Moss says. "But during bad times, the public demands that the government comes in. This may not be an entirely viable combination."

The United Kingdom may offer an example of a government trying to manage too much risk, contends Michael Power, professor of economics at the London School of Economics and the author of Risk Management of Everything (Demos, 2004). The U.K. began to employ risk management as part of decision- making after several mismanaged governmental crises in the 1990s, such as an outbreak of mad cow disease, failure rates on school exams, and an expensive botched attempt to develop a passport applications system, to name a few.

Compliance with risk management, however, has become the ends for many agencies, rather than actually reducing the public's risk, Powers argues. U.K. government workers have been admonished for not performing risk assessments, and in more than one documented case, police have been chastised for not conducting a "dynamic risk assessment" before saving a person from drowning, to make sure they would not drown themselves.

Finding the proper balance of what risks government should manage is a debate that has been waged since the nation's founding. Abraham Lincoln wrote in 1854:

"The legitimate object of government is to do for a community of people what they need to have done, but cannot do at all, or cannot so well do, for themselves- in their separate and individual capacities. In all that the people can individually do as well for themselves, government ought not to interfere."

The first step is to realize government is in the risk management business and to manage accordingly. And then define how far to go.

Robert Charette is president of the consulting firm Itabhi Corp. and has advised federal agencies, written and lectured extensively on risk management strategies in the United States and internationally.

NEXT STORY: Gathering Good