Enterprise Risk Management. Hardy Karen
a degree of calculation would undermine the value of risk management in an organization. The more specific the descriptions of risk made available to managers, the better they will be able to articulate the impact it will have.
And finally, actions speak louder than words. Current and future risk practitioners must demonstrate to managers “how they can use risk management to help address governance challenges.” It will be necessary to engage managers early on in action-oriented activities that show how risk management can improve their operations or performance.
HOW THIS BOOK SHOULD BE USED
This book is an update to the research report “Managing Risk in Government: An Introduction to Enterprise Risk Management,” published by the IBM Center for the Business of Government in 2009 and 2010. The practice of and interest in ERM in government has expanded since the original publication of that report, and this book is a reflection of the growth in this area.
Overall, ERM continues to be a tall order for federal risk managers to fill. To ensure success, all federal executives, managers, and employees in general need a blueprint for defining and executing effective risk management in their organizations. Readers should consider this book as a road map for sorting through the key elements that make up ERM success. It is designed to guide risk managers and champions of ERM through a practical thought process using highlighted, real-world work examples. For those in the workforce who have not been designated a specific role in ERM practice in their organization, this book provides a basic educational foundation that will equip any employee with an understanding of risk management.
This book will not answer all the questions about enterprise risk management, nor is it possible to cover all aspects of the subject in one publication. However, the reader will gain a better understanding of the key topics commonly related to ERM design and implementation. This book was written as a resource that can be shared with all employees, no matter what their role in an organization, because a basic understanding of the subject matter is the beginning of an evolving process. Readers are encouraged to maximize use of the book, tools, and other related resources available to reinforce the principles shared and increase awareness and practice of ERM.
EMERGING RISKS TODAY
Nothing seems to define or capture the absolute essence of risk better than the events that emerge from some level of uncertainty. It is then that as a society we are wholly able to grasp and understand risk in its purest sense. Unfortunately, it is when risk has materialized that our greatest sense of awareness is heightened, affording us the opportunity to gain a better understanding of the origins of uncertainty. It allows us to reflect, for a moment, on all the variables that may have contributed to the act or occurrence and permits us to assess why it happened and whether it could have been prevented.
In our society we are surrounded, daily, by events and occurrences that give us the privilege of understanding and defining the “why” and “how” of these instances when they take place. Ideally, we walk away with a better understanding of the root causes and then move forward to fortify ourselves against future challenges. We live in a society in which risks are all too real – that is, when the dangers for which we feel at risk materialize, we see and hear about them. Repeated exposure to such events socializes us to feel uncertain, though we are not always aware that this is happening. In this societal framework, we begin to understand that risks managed in our organizations are often similar to the risks we see playing out in our external environment.
In 2010, the United States witnessed what became the costliest oil spill in the country to date. On April 20, 2010, an explosion from a well site at which the mobile offshore drilling unit (MODU) Deepwater Horizon had been drilling resulted in a spill of national significance in the Gulf of Mexico. As a result of the explosion, oil flowed into the Gulf of Mexico at an estimated rate of between 12,000 and 19,000 barrels per day, according to the National Incident Command’s Flow Rate Technical Group, making it one of the largest, if not the largest spill in U.S. waters. BP, which leased the Deepwater Horizon at the time of the explosion, made efforts to contain the leak. During the later congressional testimonies, it was reported that the total cost of cleaning up this massive and potentially unprecedented spill, repairing the untold damage to the environment, as well as the potential impact to the livelihood and the economic status of the region, will be undetermined for some time. However, it was estimated that the spill cleanup and related damage claims would be in the tens of billions of dollars – well beyond the costs of the Exxon Valdez spill. Federal officials have predicted that this spill and future spills all have the potential to result in considerable costs to the private sector, as well as to federal, state, and local governments.
This was a disaster on a national scale. Of course, we as individuals are not exempt from exposure to risk, accidents, or chance. Thus, the management of risk in an organization naturally evolves from knowledge common to everyone.
In society, we experience direct and indirect exposures to risk. Regardless of the type of exposure experienced, we can learn from it and better prepare for future challenges and occurrences. What have recent events taught us about uncertainty and the management of risk, and how can we apply that knowledge in the quest to incorporate effective risk management in our organizations? “Recent Risk Events,” later in the chapter, provides a comprehensive list of the wide variety of risk events that have taken place, to help us answer these questions. Through these examples, we can conclude that failures in the systemic process of identifying and managing risks led to consequential impacts on reputation, financial investments, public trust, health, safety and security, and the environment.
Through these events, we have learned that risk impact can be far reaching and felt across borders. To take some specific examples described in “Recent Risk Events,” the international incident involving horse meat discovered in the United Kingdom underscored major safety issues and highlighted the extensive reach of the global food supply chain. We also learn that risk must be identified and mechanisms must be put in place to manage the unexpected. For instance, the Mine Safety and Health Administration’s (MSHA) extended authority to issue additional violation notices will help mitigate risks associated with the monitoring of safety problems by mine operators. The U.S. Department of Labor rule will serve as a red flag for mines that repeatedly fail to meet safety requirements and will force them to correct problems before workers are allowed to return to the work site. And finally, we learn that contingency plans for continuity of operations must be sufficient to reasonably ensure the safety of the general public. After a fire in the engine room disabled the Carnival Triumph cruise ship, more than 4,200 passengers and crew were left adrift without power in the Gulf of Mexico. Passengers were forced to sleep in hallways, and food supplies ran low before the ship was finally towed to port in Mobile, Alabama.
But we also learn to recognize how the proactive management of risk can have a positive impact. GAO’s audit of the National Archives and Records Administration (NARA) identified several opportunities for the agency to improve its management of key risks through electronic records archiving. As a result, the nation will be positioned to have a stellar records management system in place, saving billions of dollars in management systems over time. Likewise, the National Institutes of Health, through a GAO audit of its Risk Management Program, is better positioned to support science administratively, as risk is managed through a process that meets specific framework criteria.
The approval of the American Recovery and Reinvestment Act (ARRA) was intended to infuse the U.S. economy with desperately needed funds. The risks associated with issuing multimillion-dollar grants and contracts as required by ARRA in such a short period of time were great; however, the opportunity to stimulate the economy and make economic gains was projected to outweigh the risks. State and local governments were able to use stimulus funds to repair major transportation systems and boost local economies as well. This in turn created grants that were extended to small businesses to help support these initiatives, boosting economic development at the micro level.
These are just a few examples of the activities the federal government has proactively launched to manage the positive aspects of risk. Others include creation of the GAO High Risk List.
TOP GOVERNMENT RISKS
In 1990, GAO began a program to report on government operations