So Many Risks, So Little Time
Agencies aren’t waiting for a governmentwide risk management framework to take action.
“By some estimates, taking out just nine critical electrical substations could plunge the whole nation into darkness,” says Jason Black, a researcher at Battelle Institute. This scenario, of course, keeps the leaders of the Federal Energy Regulatory Commission awake at night. What is their risk management strategy?
Other federal agencies also face a wide range of risks. Some are external, others are internal. Some are financial (such as having to deal with managing under sequestration or the market impact on external investments in pension funds, which could affect federal pension guarantees). Some are operational, such as those faced by FERC, or cybersecurity threats, or even insider threats. And some are reputational, such as recent accusations of U.S. Patent and Trademark Office telework abuse and the scandal over lavish conferences at the General Services Administration.
In recent years, a number of federal agencies have put in place risk management strategies. Recent guidance from the Office of Management and Budget says “agencies are expected to manage risks and challenges related to delivering the organization’s mission.” Also, a professional association has evolved—the Association for Federal Enterprise Risk Management—so professionals can share insights and best practices. Yet there is no overarching U.S. federal framework.
The private sector faces many of the same kinds of risks, and some sectors—such as finance and insurance—have well-developed approaches. Increasingly, both public and private sector organizations have begun to systematically address their risks via initiatives such as enterprise risk management. Companies as diverse as Target and JP Morgan Chase have created their own risk management functions in response to increasing uncertainties in their operating environments.
The use of standards and policies as the foundation for an enterprise risk management function has evolved internationally in both the private and public sectors, with the creation of definitions, standards, principles and frameworks. The most prominent include the ISO 31000 and the COSO risk management standards (created in 2004 via the Committee of Sponsoring Organizations of the Treadway Commission).
What is Enterprise Risk Management?
Risk management expert Doug Webster writes: “Many of us think of risk only in terms of bad consequences . . . the word has evolved to refer to two different and conflicting concepts.”
He observes that the Government Accountability Office’s definition “treats risk as introducing only a negative impact . . . Risk management in this context is typically focused on managing the threats to objectives.” However, he continues: “Risk management professionals are more likely to subscribe to the definition offered by the international standard ISO 31000, which defines risk as ‘the effect of uncertainty on objectives.’ ”
John Fraser, senior vice president of a Canadian hydroelectric company, Hydro One Networks, says in a new book that effective enterprise risk management can be distilled down to two essential processes: having conversations and setting priorities. “By enlisting managers and employees in conversations, organizational leaders can facilitate people’s willingness and ability to surface major risks so that they can be addressed,” Fraser says. “Then by prioritizing these known risks the organization can allocate its energy to addressing the most important risks . . . in a systematic way.” This approach is being adopted by national governments as well.
Risk Frameworks: The British Example
In 2002, British prime minister Tony Blair launched a two-year risk program to develop a set of principles and concepts, culminating in the risk management “Orange Book” in 2004. Several years later, this was supplemented with an in-depth guide book. This program serves as an overarching framework for developing risk management strategies for British government agencies.
For example, one British agency—National Savings and Investments—identified 13 key risks and assigned responsibility for each to an executive director. Every six months, the board conducts a review. Individual projects have their own “risk registers,” and joint project teams have them as well. This allows the agency to keep abreast of changes in the external environment and develop contingency plans for various scenarios.
But there is a danger of risk management becoming a cumbersome, formulaic, unhelpful exercise. “Overdependence on process may limit departments’ ability to manage risk effectively,” notes the UK National Audit Office. “Effective risk management offers a means of anticipating issues and responding to them.”
Webster notes that the biggest danger in introducing an enterprise risk management requirement is creating a function that is seen as a compliance hoop, instead of a culture change. To be effective, it has to be leader-driven. But having an individual leader to serve as its champion does not span transitions in leadership very well—which is the strength of establishing standards and requirements. Nevertheless, creating standards and policies introduces the danger of enterprise risk management becoming a compliance-oriented administrative function.
Australia’s Nine Risk Management Elements
More recently, in July 2014, the national government of Australia issued a policy document that outlines a set of principles each government agency must incorporate into its programs (and it provides accompanying resources to help agencies develop effective programs).
The Australian government’s goal is to “embed risk management as part of the culture of commonwealth entities where the shared understanding of risk leads to well-informed decision making.” To do this, it set forth nine elements that all agencies must comply with:
- Establishing a risk management policy that defines the entity’s approach to risk and how this supports its strategic plan.
- Establishing a risk management framework that provides the foundations and organizational arrangements for designing, implementing, monitoring and continually improving.
- Defining responsibility for managing risk by defining roles and responsibilities for individual tasks.
- Embedding systematic risk management into business processes, including but not limited to strategic planning, policy development, program delivery and decision-making.
- Developing a positive risk culture that promotes an open and proactive approach that considers both threat and opportunity.
- Communicating and consulting about risk with relevant stakeholders and transparent, complete, and timely flows of information between decision-makers.
- Understanding and managing shared risks that extend beyond a single entity and require shared oversight and management.
- Maintaining risk management capability to maintain an appropriate level of capacity to manage an entity’s own risks commensurate with its risk profile.
- Reviewing and continuously improving the management of risk so it is not seen as a one-off event, but a process of continuous improvement based on internal reviews.
Should the U.S. government undertake a similar governmentwide effort to create a risk-responsive framework? At a recent forum, Tom Stanton, co-author of a new book on risk and performance in government, remarked that this may not be a good idea. He observes that mandating a governmentwide framework, such as requiring the use of the ISO standards, would likely result in a compliance-oriented system, not a change in how agency leaders manage. His advice is to develop risk management frameworks at the agency level in the context of each organization’s mission and environment.
In practice, agencies aren’t waiting for governmentwide policies to be put into place. They are doing it on their own, in their own context. As Stanton notes, this more organic evolution of risk-responsive frameworks may be a more appropriate approach for ensuring that these homegrown policies are actually used to manage risk and do not become another compliance requirement.
Note: GAO released an update of its “Green Book” on internal control standards on Sept. 10.