Risk Management: Creating Organizational Self-Defense
How to head off problems before they become a full-blown agency scandal.
Why don’t agency top leaders know about significant management problems in their organizations before it is too late?
Scandals seem to be more prevalent these days, ranging from seemingly dishonest reporting of telework hours at the Patent Office or veterans hospital access wait times, to the safety of CDC labs, to lavish conferences at the General Services Administration.
Wouldn’t it have been better if agency leaders had learned about brewing issues before they became problems? Tom Stanton and Doug Webster, in their new book, Managing Risk and Performance, say there are two key challenges to being able to head off problems in advance:
- First, important information in large agencies often is located at the front line and with middle managers, and bad news tends to not filter upward. So how does trustworthy information flow in an organization, and how do you get the right information to flow to decision-makers without flooding them with unimportant data?
- And second, sometimes leaders just make bad decisions. Effective leaders need to create an environment for “constructive dialogue,” in which the decision-making process brings important information to the fore before action is taken on a decision.
Given that these two challenges are endemic, how can a good leader put in place some form of organizational self-defense?
Stanton, Webster and others share insights on how public sector leaders can do this. They note that these self-defense mechanisms exist in the private sector, and are most mature in the finance and insurance industries. They say the 2008 financial crisis was largely triggered by companies that systematically ignored their risk management experts.
Largely since the 2008 financial crisis, there has been a recent flurry of articles, books and seminars around the importance of creating “enterprise risk management” initiatives, especially in areas beyond finance and insurance.
For example, a number of federal agencies have designated “chief risk officers” to advise agency leadership on the potential impact of risks across their portfolio of programs—instead of the traditional approach of examining risks within each individual program or function. The designation of chief risk officers has grown organically in agencies over the past few years at both the departmental and bureau levels. The pioneer was the Education Department’s Federal Student Aid Office.
The Office of Management and Budget recently charged agencies with being responsible for managing risks, stating that agencies “should identify, measure and assess challenges related to mission delivery, to the extent possible.” Its guidance describes the role of chief risk officers to “champion agencywide efforts to manage risk within the agency and advise senior leaders on the strategically aligned portfolio view of risks at the agency.” However, OMB notes that it is not requiring agencies to designate CROs.
In the next few weeks I’ll share insights from the Stanton and Webster book, along with other resources, addressing issues such as:
- Why does government place itself in risky situations in the first place?
- How agencies develop a risk-responsive strategy to deal with the uncertainty of external risks, such as financial crises, cyberattacks and natural disasters.
- How agencies address internal risks, such as scandals that affect their reputations.
- How does a pioneering agency institutionalize risk management functions into its culture?
Are there other enterprisewide risk management issues that should be addressed, as well?