Enterprise Risk Management. Hardy Karen
agencies. The AFERM mission is to advance the practice of ERM in the federal government through thought leadership, education, and collaboration.20 AFERM provides specific programs and opportunities to educate members and stakeholders on the benefits, tools, and leading practices of federal ERM. AFERM also fosters collaboration with organizations and stakeholders to promote laws, regulations, and policies to establish federal ERM in the various agencies and departments. In addition, an International Risk Management Standard (ISO 31000) was adopted by the American National Standards Institute (ANSI), and the FederalERM.org website saw its membership exceed seven hundred government online subscribers. Government Executive magazine recognized the FederalERM.org website as “an informal network to help employees learn new skills.”21
There has also been a modest increase in the frequency with which job postings for chief risk officers (CROs) and risk management officers (RMOs) have been advertised on USAJOBS.gov (see Table I.1). Job titles such as risk management specialist have been identified as a new emerging occupation with a bright outlook. According to the Department of Labor, “bright outlook” occupations are those that are expected to grow rapidly in the next several years, will have large numbers of job openings, or are new and emerging occupations.22 According to the U.S. Department of Labor’s O*NET OnLine, the risk management specialist occupation is projected to
• Grow much faster than average (employment increase of 29 percent or more) over the period 2010–2020
• Offer one hundred thousand or more job openings over the period 2010–2020
Table I.1 Agency Hiring Activities
Source: The listing of CROs hired in government agencies is taken from a random selection of USAJOBS.gov job announcement postings and organizational charts. “The Chief Risk Officer” is from http://erm.ncsu.edu/library/article/cro-emerging-trends/#.UwV-iMKYbVI.
The speed with which these developments have transpired in the federal environment makes this book especially timely for several reasons:
1. There is a growing demand for knowledge and understanding of ERM and its application to public sector organizations.
2. There is a lack of available information focused on the practice of ERM and how it benefits public sector organizations.
3. A solid blueprint for utilizing ERM in public sector organizations, namely federal agencies, is sorely needed to guide those who champion risk management practice.
4. There is no single resource guide available that summarizes information about ERM and risk management in general for the government workforce.
Finally, the Obama administration’s focus on accountability and transparency has also prompted a renewed focus on risk and controls. This publication aims to satisfy these needs.
In recent years, the federal government has been on the receiving end of new legislation and regulations that require it to better manage risk and improve controls in discrete areas. Generally, to meet the requirements of each of these new mandates, agencies have engaged in many compliance-driven activities. This stove-piped approach to compliance is costly and does not optimize value. This book explores how federal C-suite executives, as well as financial and operational managers, can help guide their agencies to take a more holistic approach to risk management by implementing an ERM system. This approach can help reduce the total cost of compliance by proactively mitigating risk, while helping agencies achieve greater value from their risk management activities.
Although the current focus on risk management for most federal CFOs and financial managers stems from the revised OMB Circular A-123, these are only two requirements among the many that federal agencies must address. Agencies are also required to report their results in implementing the Federal Managers’ Financial Integrity Act (FMFIA) of 1982, the Improper Payments Information Act (IPIA) of 2002, and the Federal Information Security Management Act (FISMA) of 2002, among others. Virtually all of these requirements are ultimately geared toward one objective – improved risk management – so an agency’s response to risk provides reasonable assurance that the organization will achieve its strategic objectives.
This dramatic increase in compliance requirements, coupled with the realization that compliance cannot be effectively achieved just by having discrete compliance programs in various business units, now makes it critical for organizations to move toward an enterprise-wide risk management approach. Holistic ERM starts with a focus on possible events and their classification into opportunities and risks.
Keeping track of these possible events requires good data and data governance managed at the enterprise level. It also requires a taxonomy or classification scheme of the most important risks to the entity and a common language for understanding those risks. Improved data management allows the enterprise to take advantage of modern analytical methods to quantify the impact of risk. Data analysis also enables the enterprise to gain an overall view of current risk as well as trends and potential future risks.
It’s clear that implementing an ERM approach makes sense and yields benefits to an organization. It is my hope that federal executives will find this book useful to them as an introduction and guide to enterprise risk management.
STATE OF RISK MANAGEMENT IN GOVERNMENT
At a September 2011 annual summit on Federal Enterprise Risk Management, J. Christopher Mihm, managing director for strategic issues at the U.S. Government Accountability Office (GAO), summarized the state of risk management in the federal government and a path for moving forward (note: “Recent Risk Events” is reproduced at the end of this introduction):
In a relatively short amount of time, enormous progress has been made in the area of risk management in government. Due to major efforts by many risk managers in the public and private sectors, risk management both as a discipline and a way of thinking has deepened and expanded significantly. Risk management has moved from its traditional domains into areas such as IT, financial management, contracting, health and safety programs, and homeland security. In concept and language, risk management is moving more into the routines of other federal program and functional management areas.
The nature of risk is evolving as well and its dynamics originate from a variety of sources [see “Recent Risk Events”]. Characteristics of this evolution include the following:
• Risks can emerge more quickly;
• Greater transparency about risk is needed;
• Public knowledge of risk occurs more quickly; and
• There are higher expectations that risk will be addressed more quickly.
With this newfound awareness, can risk management play a vital role in helping line managers understand and address the performance and accountability challenges associated with government issues?23
To help answer that question and to realize the true potential of risk management in government, Chris Mihm cited several additional actions that must be taken.24
First, there must be ongoing momentum and commitment to “continue to expand the discipline across programs” and at an enterprise level. Too often, “Federal managers take massive risks every day but too often do not consider and manage them as such.” Without the proper level of awareness, managers will not properly identify and manage risk effectively.
Second, there must be internal and external commitment to “help managers understand and calculate the risk inherent in the status quo.” Anecdotal observations
20. Association of Federal Enterprise Risk Management. http://www.AFERM.org.
24. Ibid.