Implementing Effective Enterprise Risk Management in Federal Government
INDUSTRY PERSPECTIVE
Government faces increasing uncertainties as agencies pursue diverse and complex missions. A combination of budget cuts, an aging workforce, difficulties with hiring and retaining talent and the growing complexity of information security challenges are just a few of the factors to consider in an atmosphere where a relatively minor risk can quickly escalate into a serious issue.
Executive Summary
That’s why more federal agencies are investing in Enterprise Risk Management (ERM), a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprisewide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals and objectives.

According to a 2015 survey by PricewaterhouseCoopers (PwC) and the Association for Federal Enterprise Risk Management, agency leaders are focused on risks. More than 50 percent of respondents identified strategic risk as a pressing, current concern for their organization’s mission. Operational risk was a close second, with 48 percent of respondents agreeing it was a major concern.

Identified gaps between current and future perceived risks for agency leaders (2015 survey by PwC and the Association for Federal Enterprise Risk Management):

                              Current perceived    Future perceived
                              level of risk        level of risk
  Strategic Risk                    56%                 26%
  Operational Risk                  48%                 74%
  Compliance Risk                   22%                 41%
  Financial/Reporting Risk          26%                 30%

The Office of Management and Budget (OMB) is making ERM a priority for federal agencies. On July 15, 2016, the White House released its update to Circular A-123, which was renamed “Management’s Responsibility for Enterprise Risk Management and Internal Control.” This update makes ERM a requirement for executive branch agencies for the first time. The revised A-123 encourages agencies to think more holistically about ERM as an important tool for managing various risks to their missions. This approach ensures that leaders do not fall into the trap of focusing only on one category of risk while ignoring the other categories in their agencies that are just as important.

The clear intent of the new mandate is for agencies to embrace ERM in a manner that will enhance their ability to make decisions that improve the likelihood of achieving their strategic objectives. While some agencies are tempted to respond to governmentwide mandates in a compliance-oriented “check-the-box” fashion, agencies are strongly encouraged to dismiss such thoughts and focus on the real value that a robust ERM program can generate.

GovLoop sat down with two experts from PwC, a leading firm in the ERM arena: David Fisher, Managing Director and Public Sector Risk Leader, and Bill Hughes, Partner within the National Security Practice in the U.S. Public Sector Practice. They discussed how government agencies can derive real value from an ERM program and what they need to do to get there. “Every agency encounters risks,” Hughes said. “The question is what do they do about those risks? Do they just ignore them and hope they go away? Or do they get in front of the risks so they can systematically manage them?”

By reading this industry perspective, your agency will be ready to do the latter. You’ll learn more about what ERM is, the value of an ERM program and how your agency can make the most of ERM.
The Core Tenets of ERM

ERM is not a new strategy. In fact, the first widely recognized framework for ERM was created over a decade ago by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization dedicated to providing thought leadership and guidance on risk management and ERM. In 2004, COSO engaged PwC to be the principal author of a framework that managers could use to evaluate and improve organizational ERM. That framework has helped organizations incorporate risk management into their policies, rules and regulations to better control their activities and achieve their established objectives. PwC is currently working with COSO to revise that framework to better address how the alignment of risk, strategy and performance could create opportunity for better business performance.

Agencies maximize value when they strike a healthy balance between their various risks and the pursuit of agency objectives. “The idea of an ERM program is to be holistic by addressing as many risk components as possible,” Fisher said. “That means I’m not only going to look at financial risk or only compliance risk. It’s much broader than that.”
Components of ERM

The latest framework identifies eight interrelated components of ERM:

1. Internal Environment: Set the basis for how risk is viewed and addressed by an agency’s employees. Your plan should include risk management philosophy, risk appetite, integrity and ethical values.
2. Objective Setting: Construct the objectives of your ERM implementation. ERM requires that management pursues a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification: Identify internal and external events affecting achievement of an entity’s objectives, distinguishing between risks and opportunities. Opportunities are areas of potential growth or development.
4. Risk Assessment: Analyze risks, considering likelihood and impact, as a basis for determining how they should be managed. Is it low-risk? High-risk?
5. Risk Response: Select risk responses, which could be avoiding, accepting, reducing or sharing risk. Then develop a set of actions to align that response with the agency’s risk tolerances and risk appetite.
6. Control Activities: Control activities are actions taken to minimize risk, such as scenario exercises in which organizations analyze potential outcomes and responses for potential risks. In performing control activities, establish and implement policies and procedures to help ensure the risk responses are effectively carried out.
7. Information and Communication: Identify, capture and communicate relevant risk information in a form and timeframe that enables people to carry out their responsibilities.
8. Monitoring: After your initial tactics are deployed, commit to ongoing risk management. Make modifications to your strategies and tools as necessary.

What’s most important to take away from ERM is that it is a multidirectional, iterative process in which each component influences the others.
Why ERM?

The benefits of ERM are proactive risk management, integrated strategies for achieving mission objectives and better overall risk response, all of which enhance an organization’s ability to achieve its strategic objectives. Unfortunately, like many private sector organizations, federal agencies tend to adopt risk strategies that are surface-level and address only limited types of risk.

“Risks can manifest at the reputational and strategic levels all the way down to the compliance and tactical operational levels,” Fisher said. “But there are a lot of inconsistencies in how government manages these risks. A lot of government organizations don’t have good mechanisms in place to know what their risks are or assess how serious they are until they’re already in the midst of a crisis.”

Without proper management and strategies in place, risks can escalate quickly into greater problems. All too often, government agencies don’t address risks until they’ve become a real problem. But when an agency is reacting in crisis mode, it’s difficult to counter issues, and that makes it that much more difficult to proactively tackle risks in the future. That’s why it’s especially important that agencies take their risk management seriously and go beyond the surface level of just “checking the box.”

“There is a strong value proposition for agencies that embrace the core tenets of ERM, which is not just making sure you’re in compliance with standards, but more importantly incorporating risk management as an important part of mission operations,” Fisher said.
The Value of Risk Management

ERM provides comprehensive risk management and strategies. With ERM, agencies derive real value in several ways with the ability to:
Provide early warning indicators. ERM enables agency leaders to identify potential events and respond to them early on, when options and responses are still effective. Thus, they can avoid unwanted surprises, like a Distributed Denial of Service (DDoS) attack that can compromise multiple systems before even being detected.
Improve transparency with a portfolio view of risk. ERM provides leadership with the ability to see how risks from across the organization interrelate – including how they potentially impact one another – and to respond accordingly.
Enhance strategy and prioritization. ERM provides the timely risk information necessary for an agency to develop and pursue a well-informed strategy that supports effective prioritization of initiatives and activities.
Align risk appetite. Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage related risks. In some cases, this approach identifies scenarios where taking more risk, or trading off one kind of risk for another, enhances the organization’s ability to achieve its strategic objectives.
Realize better opportunities. Effective ERM programs support not only risk identification and management, but also the identification and capitalization of opportunities to more effectively meet the agency’s mission, goals and objectives.
“Adding ERM to an overall governance framework for addressing an organization’s risks helps agencies better mitigate those risks and become more efficient, more effective and better at advancing their overall mission.” - Bill Hughes, Partner within the National Security Practice, in the U.S. Public Sector Practice from PwC
Implementing ERM at Your Agency

In order to implement an effective ERM program, it’s important to address both culture and mechanisms. An organization’s culture incorporates the mindsets and behaviors that govern how much risk the organization is willing to take (risk appetite) and how open it is to bringing risks out into the open (risk transparency). Mechanisms, including standards, templates, forums, governance and operational roles and responsibilities, equip employees with the tools to act on those cultural decisions.
Adhere to Leading Practices

Before delving deeper into culture and mechanisms, it’s important for agencies in the beginning stages of ERM to follow these leading practices. Jumping into an ERM strategy without forethought can lead to ineffective deployment or surface-level “check the box” compliance. Consider these tips from Fisher and Hughes before diving in:
1. Identify influential individuals who support ERM and engage them as advocates for organizational early adoption.
2. Determine opponents of ERM within the agency and engage them as early as possible as well by soliciting their input for designing an ERM program. This will promote a feeling of investment in ERM’s success.
3. Focus on tying ERM into the agency’s overall mission, strategy and goals.
4. Develop strategic communication and training plans that enable consistent messaging throughout the organization. This is important for top-down leadership engagement and bottom-up adoption, where leaders create an environment in which all employees are comfortable participating in risk management activities and where employees from the bottom up adopt best practices. The ERM Office would be the core facilitator of such communications.

While these practices sound easy enough, Fisher and Hughes understand the difficulty that comes with rewiring an organization to embrace ERM. “We’re asking agencies to embrace something new and different, and even uncomfortable,” Fisher said. Once they adopt these leading practices, agencies can move on to the next critical steps of ERM.
Assess Your Agency’s Risk Appetite

An organization’s risk appetite is simply how much risk the agency is willing to assume. An agency can be low-risk (risk averse), high-risk (able to tolerate higher levels of risk) or moderate (somewhere in between). Federal agencies tend to be risk-averse. This is understandable, since they deal with highly sensitive missions that can have a direct and dramatic impact on the American people. Fisher and Hughes pointed out, however, that having a low-risk appetite can actually be counterproductive to achieving an organization’s strategic goals.
“We’re never going to prevent every risk in the first place,” Fisher said. “Having zero risk appetite can cause other risks to manifest in terms of overall mission objectives.” For example, trying to ensure 100% compliance with all rules and regulations may result in a cost that exceeds the benefit from that level of compliance. It’s true that mistakes in the public sector can have more repercussions because federal agencies operate in politically sensitive environments. Risks don’t just affect government, but can affect the average citizen as well. With a better assessment of risk appetite, however, agencies are better able to balance how they allocate resources to mitigate risks where appropriate, without adding controls to the point where they are no longer cost effective.
Identify ERM Leadership

As government embraces ERM, many agencies will have to rethink how they identify risks, how they talk about and assess risks, and how they formulate, prioritize and monitor their risk responses. Effective leadership is necessary for organizations to adopt the tenets of ERM. For many organizations, that leadership comes from the appointment of a Chief Risk Officer (CRO). The role of a CRO has gained renewed interest within the federal government, although the title is less important than the role itself. Contrary to popular belief, CROs should not be accountable for an agency’s risks. Instead, CROs and their teams are responsible for establishing the environment in which ERM can prosper. They also facilitate the ERM process, including coaching, training and the establishment of processes and tools, and they ensure that the desired risk activities are being performed consistently and effectively throughout the organization. The CRO position is a critical role; without it, non-standard, non-integrated solutions will be adopted and the flow of risk information will be limited. To reap the benefits of an ERM program, it’s important to properly establish and implement the CRO role.

“Historically, there hasn’t been a Chief Risk Officer at most federal agencies,” Hughes said. “The question is going to be: Where is this position going to reside within an organization to derive real value? Ideally, this executive should report as high as possible in the organization in order to advise senior leaders on the strategically aligned portfolio view of risks at the agency.”

Because many agencies don’t have this position, they find it useful to consult third-party advisors more familiar with the role and requirements of a CRO. PwC helps guide agencies through the process of hiring a CRO and/or assessing whether they need one at all.
PwC also outlines the core responsibilities of the CRO, including the ability to:

• Understand the business, combined with the ability to bring a fresh perspective to old issues;
• Harness organizational momentum around risk management to achieve a more risk-aware culture and improve decision-making;
• Build strong, trusting relationships within the organization to feel the pulse of the organization and to gain buy-in from key stakeholders to move the program forward.

Hughes and Fisher emphasized that ERM can’t just happen with senior-level leadership. In order for ERM to be effective, it takes a whole organization to be on board. That means frontline employees should be trained on proper risk management and encouraged to speak up when they see risks, without fear of retaliation or negative spotlight. Agencies that embrace these components of ERM have the opportunity to treat risks in a more sophisticated manner while allowing greater opportunities for every employee to contribute greater value to the overall organization.
Conclusion

There are a number of ways federal agencies can benefit from an ERM program. But it’s important that agencies go beyond checking the box and adopt holistic procedures and standards for their risk management. ERM not only has the potential to help further an agency’s mission and change its organizational culture for the better; it can also improve services to the most important people to consider: government’s citizens. “Ultimately, ERM is about optimizing the operations of an organization to be more efficient, effective, resilient and account for the taxpayer dollars as best as possible,” Hughes said.
About PwC

PwC’s Public Sector Practice helps federal agencies solve complex business issues, manage risk and add value through our comprehensive service offerings in financial management; program management; human capital; enterprise effectiveness; governance, risk and compliance; and technology, all of which are delivered seamlessly throughout the world. To find out more, visit www.pwc.com/publicsector.

To learn more about how PwC helps agencies with their enterprise risk management program, visit: www.pwc.com/federalerm.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop