Have Candid Conversations Before Bad Things Happen

New guidance from the Office of Management and Budget offers a fresh approach to managing risk.

A 2015 survey of federal employees found that 39 percent fear reprisals if they report violations of rules or laws. This has serious implications for their willingness to identify and report serious programmatic risks in their day-to-day jobs, and the tendency is to avoid or ignore risks.

New guidance from the Office of Management and Budget attempts to address this challenge and create an environment where candid conversations can take place. The goal of the guidance is to help managers and employees understand the spectrum of risks, develop strategies and tools to mitigate them and communicate risks to the appropriate people.

New Guidance for an Old Issue

Managing risk is not new. But the new guidance is a fresh approach. Traditional guidance on risk—OMB’s Circular A-123—focused on internal controls, largely in the financial arena. The new guidance, which significantly revises A-123, is the culmination of two years of extensive development and consultation across the government by OMB’s David Mader, the Controller for the federal government.

Interestingly, the development of this approach—called enterprise risk management, or ERM—has largely been a bottom-up movement by several pioneering agencies. Staff from the Education, Commerce and Treasury departments gathered in 2008 to create an informal interagency community of practice that has evolved into a more formal Federal Interagency ERM Council. This group caught the eye of OMB staff, triggering changes in 2014 to governmentwide performance management guidance issued annually by OMB, and ultimately led to the revision of A-123. Mader said: “It’s time now to institutionalize this across the Executive Branch.”

What Is Enterprise Risk Management? According to OMB: “ERM is a discipline which deals with identifying, assessing, and managing risks across an enterprise.”  In a 2015 report for the IBM Center, Doug Webster and Tom Stanton advocated a shift in the federal mindset: Accept risk as a condition of action and as a part of achieving mission results. Agencies needed to shift from risk avoidance to risk management, reflecting similar practices in the private sector.

According to Mader: “ERM places the focus on identifying, measuring, and assessing challenges related to mission delivery in advance—well before those challenges can become issues . . . it identifies the range of possible events, or the full spectrum of an organization’s significant risks.” Those could be financial, organizational, reporting, compliance, governance, strategic or reputational. ERM also allows leaders to “understand the combined risks as an interrelated portfolio, rather than addressing them within individual silos.”

Circular A-123 further notes: “Risk management practices must be forward-looking and designed to help leaders make better decisions, alleviate threats and to identify previously unknown opportunities to improve the efficiency and effectiveness of government operations.”

The revisions shift the focus of A-123 from being a set of prescriptive internal control standards, assurance statements and financial reporting, to a more flexible, dynamic focus on a broader range of risks. Mader says it doesn’t mandate “how” agencies should act, but rather focuses on a set of principles of “what” agencies should do. The Circular:

  • Requires engagement by all agency management, not just the chief financial officer (who had the lead role in implementing requirements under the earlier version of A-123). It requires leadership from an agency’s chief operating officer and performance improvement officer, as well as close collaboration with the agency’s mission delivery and mission support functions.
  • Recommends establishment of an interdisciplinary risk management council chaired by the chief operating officer or senior official with responsibility for the enterprise in each agency, which would also leverage existing offices or functions that currently monitor risk and internal controls.
  • Requires the development of a maturity model that would assess progress in an agency’s adoption of an ERM framework.
  • Requires the development of risk profiles, with plans for their approach due as soon as practicable, with initial risk profiles due to OMB by June 2, 2017. Agencies are expected to organize their risk profiles into portfolios, using the agency’s strategic objectives as the framework for the portfolio. The guidance includes a sample template for the components of the risk profile, which include identifying organizational objectives and associated risks in meeting them; the current risk response; and proposed risk responses.
  • Encourages candid conversations with top leaders, where agency leaders discuss their risk profiles and proposed responses annually as part of their strategic reviews.

Implementing the New Guidance 

It’s been a long time in gestation but Controller David Mader says that taking the time to actively engage stakeholders—internal and external—in the development process was seen as essential to the success of the implementation process.

The tough communication element will be having federal employees understand that “risk is part of the job,” he said. They need to factor into their work and identify ways to mitigate it, not just hope to hide or avoid it. The goal is to change the culture in government enough that employees would feel comfortable talking about and mitigating risks.

To pave the way, a Playbook 1.0 has recently been developed by a cross-agency interdisciplinary team to help agencies develop their own ERM approaches. This playbook is to be released at the end of July. In August, OMB will begin meeting with agencies individually to discuss specifics. Training will be provided over the next six to 12 months, culminating next spring, when agencies need to be able to show OMB what their risk management program looks like and share their initial risk profiles. In addition, the professional association for federal risk managers, the Association for Federal Enterprise Risk Management, is offering training as well.

The Role of Strategic Reviews 

A-123 says agencies should rely on existing agency functions and processes. As a result, the agency-level annual strategic review process is intended to be the forum for discussions about enterprise risks. These meetings are where top agency managers discuss and make decisions about performance issues, and the risks inherent in meeting mission objectives. Agencies conduct their own reviews and use their own analytic approaches. The reviews are an opportunity to use multiple sources of information and integrate analyses that look strategically at their portfolio of programs around a strategic objective (there are about 350 strategic objectives across the federal government). The reviews offer agency leaders opportunities to change strategic approaches and frame their coming year’s budget requests. Agencies are currently completing their third annual strategic review. Risk management was a big theme in the reviews. 

As for the fourth cycle of agency strategic reviews upcoming in mid-2017, OMB staff sees them as the preparation session for the development of agency four-year strategic plans, which are due to be revised in mid-2017 and submitted to Congress in February 2018 along with their FY 2019 budget requests. In preparation for this, A-123 sets a deadline of June 2, 2017, for when agencies’ initial risk profiles are to be completed, so they can be included in the conversations at their annual strategic reviews.

Completing the first set of ERM risk profiles by June 2017 is not the end. The goal is to connect dots with other existing administrative management processes and integrate the risk reviews into the fabric of how government works, such as the development of agency strategic plans. But, as noted earlier, the real challenge will be to incorporate it into agency cultures as a routine, ingrained practice, with expectations that managing risk is a team sport. A-123 notes: “Successful implementation . . . requires Agencies to establish and foster an open, transparent culture that encourages people to communicate information about potential risks and other concerns with their superiors without fear of retaliation or blame.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.