Introduction
At their core, all organizations exist to create value for their stakeholders. While this maxim is an accepted truth when considering for-profit organizations, it is equally true for public sector organizations. Enterprise risk management (ERM) is a powerful management tool that informs decisions and helps focus leaders at the top of the organization as they work to manage uncertainty, pursue opportunities and respond to threats related to achieving goals and objectives. In fact, "every decision either increases, preserves, or erodes value" (Curtis & Carey, 2012). The Risk and Insurance Management Society (RIMS) defines ERM as "a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio" (RIMS, n.d.-a).
The coordinated, cross-silo risk management approach of ERM places emphasis on cooperation and information flow and acknowledges that key organizational risks cut across organization boundaries. Elevating the management of key risks from within individual lines of business and programs to the enterprise level results in ERM encompassing all risk types and brings to bear the vast knowledge, experience and resources of the entire organization to address these key risks. This reality requires information sharing vertically and horizontally within and across business silos.
It takes time and effort to achieve a mature ERM program. As the former leader of TD Ameritrade's internal audit activity commented when reflecting on the company's ERM implementation efforts, ERM "is a journey and not something they could implement and have up and running effectively in six months" (Egerdahl et al., 2012). Avoiding internal pressures for a quick-fix approach and exercising the patience required to design, develop, implement and mature an ERM program is necessary to realize the value potential of ERM. Using the five-level Risk Maturity Model (RMM) developed by RIMS as a yardstick (RIMS, n.d.-b), a research team from the United Kingdom determined that organizations can increase their organizational value by up to 25 percent by achieving a mature ERM program state (Farrell & Gallagher, 2015). Unlike previous studies on ERM that focused only on the financial sector, this study looked at "marginal value impact" from a mature ERM program across a variety of sectors, including agriculture, manufacturing, services, transportation, wholesale and retail, and finance. The research concluded that, with respect to maturity, "the most important aspects of ERM from a valuation perspective relate to the level of top-down executive engagement and the resultant cascade of ERM culture throughout the firm" (Farrell & Gallagher, 2015).
The federal government is finally beginning to catch up with the private sector, and ERM is now a specified responsibility of government managers. The concept of marginal value impact also applies to governance and decision making in government organizations. Federal organizations such as the Transportation Security Administration (TSA), the Office of Federal Student Aid (FSA), the Treasury Department and the Commerce Department have all seen the value of their programs and missions enhanced through formal and mature risk management approaches. However, other government organizations are encountering classic issues of cultural resistance, silos, bureaucratic inertia and changing leadership (who need to be re-educated all over again) as they move forward with ERM implementation.
This book provides examples of how federal agencies and a local government have created successful ERM programs. As identified in Farrell and Gallagher's research, one of the most critical components of long-term success and strategic value of any organization's ERM program is culture. Public sector risk managers can benefit from practical examples from leading enterprise risk management programs to help prevent and overcome common organizational and ERM program challenges. The Risk Management Association (RMA) defines risk culture as "the set of encouraged and acceptable behaviors, discussions, decisions and attitudes towards taking and managing risk within an institution" (RMA, 2013). This definition appropriately focuses on attitudes and behaviors as the driving force behind organizational culture, because ultimately people — and not processes and procedures — determine ERM program success. Focusing on culture in conjunction with implementing mature risk management processes and procedures is essential for ERM to become a keystone in an organization's decision-making process, and to enhance the value that government organizations deliver to the American people.
As the U.S. Chief Financial Officers Council (CFOC) and Performance Improvement Council (PIC) note in Playbook: Enterprise Risk Management for the U.S. Federal Government (hereafter referred to as the ERM Playbook), developed in support of agency efforts to comply with Circular A-123 of the Office of Management and Budget (OMB), "Effective risk management needs to give full consideration to the context in which the organization functions and to the risk aspects of partner organizations" (CFOC & PIC, 2016, p. 17). OMB's ERM requirement recognizes the need for federal agencies to better understand and manage risks for several reasons related to the increasing level of uncertainty and challenges confronting government organizations.
Enterprise risk management is the process of coordinated risk management that places a greater emphasis on cooperation among departments in order to understand and manage the organization's full range of risks as a portfolio rather than trying to deal with individual concerns within organizational silos. ERM offers a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise. Unlike other risk management practices, the concept of ERM embodies the notion that risk analysis cuts across the entire organization. The goal of ERM is to better understand the resilience of the enterprise with respect to its key risks and to better manage enterprise risk exposure to the level desired by senior management.
Moving beyond the Basics: Overview of the Book
This book is intended for heads of risk functions, risk managers and risk professionals in the public sector. Other government executives and managers also can benefit from the book's case studies. While most of the case studies and special topics focus on federal government agencies, the challenges of complexity, transparency, technology, political instability and constrained resources are at least equally important to all levels of government, and in some respects present even greater challenges. The need for effective strategies and approaches to overcoming cultural barriers is important, we believe, to all organizations working to implement ERM concepts. The approaches presented by the contributors to this book are applicable to public sector organizations at the state, county, tribal and local government levels as well as to federal agencies.
Because ERM is still new to the public sector, many different definitions, models and approaches exist. As can be seen in the chapters of this book, these are variations around a common understanding of the nature of ERM and the importance of encouraging information flow across the organization, including the reporting of bad news without the informant suffering any form of reprisal. This does not mean that all informants and information are correct or useful; rather, "feedback is a gift," to be accepted with a simple "thank you" if the risk officer determines that further investigation is not needed. The first time that someone "shoots the messenger" bringing unwelcome information is the last time that such information will be reported. Question 17 of the Federal Employee Viewpoint Survey, which the Office of Personnel Management (OPM) produces annually for each federal agency (OPM, n.d.), is a useful rough measure of the openness of an organization to hearing negative information.1
The case studies and special topics included in this book represent either leading practices to address culture from across government ERM programs or unique challenges confronting government risk leaders that, when addressed, contribute to a positive risk culture. The chapters have been written by ERM professionals and other senior federal managers, with each chapter contributing to the overarching theme. This book is organized into four parts.
Part I: Introduction and Background
Chapter 1 (this chapter), by Kenneth Fletcher and Thomas Stanton, introduces the reader to the overarching theme of the book.
Part II: Overcoming ERM Implementation Challenges: Selected Case Studies
The second part of this book provides a series of case studies of leading practice to address the organizational culture aspect of ERM implementation. They show how federal agencies and one county government overcame institutional barriers so that ERM could add value to their operations.
Chapter 2, by Kenneth Fletcher, provides a case study of the Transportation Security Administration's ERM development and implementation efforts. Mr. Fletcher emphasizes the importance of change management to overcome bureaucratic resistance to ERM implementation. He provides a brief historic perspective on how TSA came to the decision to implement an ERM program following the successful introduction of risk-based security principles to the agency's core aviation passenger-screening mission. The chapter offers a rich variety of practical examples for agency leaders and risk managers who seek to make ERM a working reality in their organizations.
Chapter 3, by Frank Vetrano and Jason Stayanovich, explores how a new risk office can get the traction required to add value to its agency and earn the credibility required to do its job. With many areas in need of attention, a risk office has considerable flexibility in prioritizing projects to tackle. Using their experience at the Federal Housing Administration (FHA), a part of the U.S. Department of Housing and Urban Development, the authors present four case studies to show how the FHA risk office initially focused on key risks that were of particular concern to individual program leaders. This approach, and the effective use of agency-wide data, helped overcome internal resistance and positioned the risk office staff to be a valuable resource and extension of their own program resources. Rather than regarding the risk office with apprehension, program managers came to view it as an ally.
Chapter 4, by Ken Phelan and Karen Weber, explores lessons learned in implementing ERM across the federal government, with special emphasis on the U.S. Treasury. The authors reflect on different approaches taken in laying the groundwork for a new ERM effort and show how they overcame the internal bureaucratic and cultural resistance that new initiatives frequently encounter. The chapter provides practical advice for identifying and building partnerships with key players across the organization. The chapter concludes with examples of how the U.S. Treasury successfully integrated ERM into its management practices.
Chapter 5, by Jennifer Hills and Sean Catanese, presents a case study on how King County, Washington, successfully implemented ERM following a series of costly liability claims. This example from outside federal agencies provides a broader perspective that extends the usefulness of the book beyond federal risk managers. The authors reflect on their efforts to embed ERM within the culture of King County government and present a risk–value curve model they adopted to help county leaders optimize the county's risk posture to enhance the value provided to their residents.
Part III: Selected Special Topics
This part of the book presents information and insights about selected special topics of concern to ERM leaders across the federal government. Federal ERM programs may need to address ways to harmonize ERM with internal control (IC) processes, to establish a cooperative relationship between the risk function and the agency's inspector general and to assess the quality of their risk culture. The contributing authors to these special topics provide concrete examples and recommendations to help address these questions.
Chapter 6, by Sean Vineyard and Quimby Kaizer, focuses on providing practical applications to more effectively harmonize enterprise risk management and internal control. It provides insight into how agency culture may be enhanced through the coordination of ERM and IC, especially as it relates to increasing program performance. The goal of this chapter is to help readers to simplify a seemingly complex undertaking in order to improve capabilities and culture by providing a better understanding of both ERM and IC; showing the evolution of guidance for both programs; discussing comparisons and distinctions; offering techniques for effective coordination; discussing the implications for organizational culture; and offering precautions to improve the success of coordination.
Chapter 7, by Robert Westbrooks, addresses a key public sector ERM challenge: reconciling the roles of the risk function and those of the Government Accountability Office (GAO) and the agency's inspector general (IG). Both the GAO and the agency IG report directly to the Congress and thus have oversight responsibilities independent of the agencies they review. This chapter discusses the roles and perspectives of IGs and the GAO, basic truths about the nature of their relationship with an agency and essential ingredients for success in creating a win-win relationship between the ERM function and the IG or GAO. Auditors play an important role in risk management, as champions, evaluators and risk advisors. The chapter provides promising practices that can be adapted and replicated to fit agencies of all types and sizes. If it can be achieved, a win-win relationship can strengthen the agency's risk culture and support the common goal of a better-prepared and more resilient government.
Chapter 8, by Cynthia Vitters, Carey Oven, and Dr. Michael Gelles, explo...