Authors: Thomas H. Stanton & Douglas W. Webster
This book addresses the challenge of implementing enterprise risk management (ERM) in the Federal government of the USA.
It is largely a story of “the glass is half empty or the glass is half full”.
“The glass is half empty” looks at the reputational damage suffered by the General Services Administration and the Department of Veterans Affairs over extravagant spending on conferences, the inadequate federal oversight that led to the financial crisis, BP’s Deepwater Horizon oil spill, etc. “The glass is half full”, which is the perspective embraced in this book, is that risks can never be eliminated, but they can be much better managed by applying good practices… [Douglas Webster, CEO, Cambio Consulting Group]
According to this book, the goal of ERM in the Federal government of the USA is to optimize the operation of the US Government and its service to citizens. Several challenges and a plan of action can be distilled from the text:
Challenge 1: Sustained support from the top
Support must continue after top leaders are replaced during a change of power. Creating a CRO / Risk Management Officer position in each agency is therefore important, because it guarantees the continuity of risk management. Support from the top is also essential for creating a risk-aware culture in the organization. This requires institutional change: the necessary policy documents, supportive risk management processes, and the incorporation of required actions into the responsibility plans of senior officials. Leadership must visibly endorse risk management as a priority, embed its importance in policy, and make clear that day-to-day risk management can be delegated to the CRO. It is also important to involve RM in any form of cost-saving.
Challenge 2: Overcoming silo mentality
Many individuals have always worked in the same agency or performed the same tasks, which makes change difficult. Organizational objectives are often not measurable within the entity, so lower-level supporting objectives in the agencies can gain importance over entity-wide objectives.
Therefore, regarding RM, agencies must:
Focus on a limited number of the most relevant risks
Establish a Risk Management Committee with a limited number of members
Institutionalize RM
Connect the RM process to budget allocations
Create a culture of trust
Have the RM committee work closely with the agencies.
Challenge 3: Overcoming a culture of caution
Often it seems as if the government promotes risk-averse behavior, yet entrepreneurship involves taking risks. In the past, too much emphasis was placed on “staying out of trouble”. This is mainly because the government lacks the “profit versus loss” motive that is one of the drivers in the private sector, which makes it harder for a government to “optimize”. A culture of reporting risks up and down through the agencies is therefore necessary.
For this, support from the top is essential. Employees must feel safe when reporting a risk.
Challenge 4: Reconciling the risk function with that of audit
It is important to ensure that not only fraud and abuse are countered but that waste and inefficiencies are identified in a way that benefits the agencies, through improved decision-making. Here too, a sense of safety among employees is important. The collaboration of the disciplines of audit and RM can lead to stronger practices in meeting stakeholder expectations.
Challenge 5: Educating employees about Risk Management
RM takes time to understand. Rather than conducting meaningful discussions about risk, the federal government of the USA is too often focused on internal controls. This way of operating cannot guarantee that performance is balanced against cost and risk. It is therefore important to articulate a vision and value statement for RM and propagate it throughout the agency; such a statement can be crucial in winning the necessary support within the organization.
More attention should therefore go to awareness of threats and risks, rather than to compliance. The goal is to raise the maturity of internal RM and to integrate RM into decision-making processes throughout the agencies. Establishing a risk register, and prioritizing the threats and risks recorded in it, can help.
Also important are good culture change management and demonstrating the added value of RM to employees at all levels within the agencies.
Challenge 6: Demonstrating the (added) value of Risk Management
The difficulty here is proving that a costly incident that did not occur was prevented. A major issue is that there is often great pressure to undertake politically driven initiatives without understanding how those objectives can be achieved with manageable risk.
Therefore, the value of RM should be seen as an improved quality of the decision-making process, because threats, obstacles, etc., can provoke a positive dialogue. Without such dialogue, the decision too often is a simple mandate that says “we do it” or “we don’t do it”.
An improved decision-making process can be recognized by:
The identification and monitoring of risks and risk treatment occurring at all levels of the agency.
New possibilities for management to intervene in the allocation of people and resources when a change in the environment requires a change in the plans for risk treatment.
A significant reduction in the number of surprises negatively affecting the agency.
A broad understanding of risk tolerance within the agency and the sense of the need to take certain risks in decisions, consistent with risk tolerance.
Improvement of the agency’s ability to allocate resources and people to manage risks across functional and programmatic domains, thereby creating a greater entity-wide return on investment.
Improvement of entity-wide appreciation of the need to align functional and programmatic goals with strategic objectives.
The plan of action includes:
Step 1: Creating an RM framework
This involves defining key roles and responsibilities, both at the agency level and government-wide.
Government-wide, attention should be given to:
In the annual budget reviews, agencies should be asked to identify major risks and explain how they are being addressed.
In budgeting, risk management should take part as a collaborating function in the review of budget requests.
Regular review, by accountancy, of risk management best practices in agencies.
Independent analysis of risk practices, to assess how vulnerabilities change when risk management processes fail.
Assessing the quality of decisions in weighing performance, cost, and risk to maximize value for stakeholders.
At the agency level, attention should be given to:
CEOs should transform their board of directors into a management team that thinks in terms of the well-being of the agency as a whole rather than of its members' own organizational units.
CEOs should form a committee in their agency that identifies and prioritizes risks entity-wide and develops an approach for those of the highest priority.
Create an open culture in which all employees feel able to raise their concerns with management so that those concerns can be addressed.
The CEO must designate an individual to lead the risk initiative.
The CEO must fine-tune the budgeting process to consider resources, performance, and risk in an integrated way.
Audit and the risk function together determine how best to evaluate the effectiveness of the risk function without harming the necessary flow of risk-related information to organizational units and the board of directors.
Step 2: Conditioning to make RM effective
The goal is to let risk information flow up and down the agency to the places where it is most relevant, so that the right decision-makers can address it. Silo thinking must be overcome, and risks and benefits must be weighed for the agency rather than for individual organizational units. The risk function must be staffed with people who have the right skills; here interpersonal skills matter more than analytical skills, because the risk function must be experienced by everyone as reliable and trusted. Only then can it make executives comfortable revealing the risks in their organizational units rather than hiding them. The quality of the risk function and its access to information matter more than its size and budget.
Step 3: Integrating RM into the decision-making process
RM must be able to provide information to the decision-makers. Integrating RM into the budgeting process and performance management processes allows the agency to address major risks with scarce resources and people. Integrating RM into strategic planning gives decision-makers the opportunity to integrate information about major risks into the agency’s planning. In addition, the CEO must also ensure that the risk function is present at specialized committees deemed necessary by the agency for its mission and structure.
Step 4: Protecting the risk function
It is essential that the risk function is protected against major players/executives whose actions could endanger the agency.
Step 5: Creating a risk-aware culture
The CEO has the ability to set the “tone at the top” in favor of RM. This must also involve building an open culture in which feedback is heard and, if it sounds reasonable, followed up to validate or invalidate it.
In addition, collaboration is extremely important. Including collaboration in employee evaluations is one way to encourage it. The CEO must publicly involve the CRO in events, and whenever an executive comes to discuss vulnerabilities that have come to light.
Step 6: Managing the change process
This means moving from an RM process based on silo thinking to one based on collaboration.