Enhancing Decision Making with ERM
If today's pandemic has taught us anything, it is that managing risk in the public sector has taken on new significance. It has also underscored that organizations across all sectors must tackle risk and uncertainty in a more systematic and enterprise manner.
“Risk is uncertainty: the reality that we never really know how something is going to turn out,” explains Tom Brandt, chief risk officer at the Internal Revenue Service (IRS). “We take risks every day. Many risks are related to how we make decisions. Organizationally, risk is the possibility that events will occur and affect the achievement of strategy and business objectives.” Risk can take many forms. Recognizing the range of risks and developing strategies and tools to incorporate risk into decision-making and action can help government executives more effectively manage programs and achieve mission objectives.
It is a leadership imperative for government executives to mitigate the potency of uncertainty by managing the realities of risk. Employing an enterprise risk management (ERM) process can assist leaders in doing just that. In her IBM Center report, Managing Risk in Government: An Introduction to Enterprise Risk Management, Dr. Karen Hardy describes it as a coordinated approach to addressing the full spectrum of an organization's significant risks. ERM provides a strategically-aligned portfolio view of organizational challenges and opportunities that provides improved insight about how to more effectively prioritize and manage risks. When employed on a strategic level, this risk management approach can help decision makers evaluate the likelihood and impact of major events and formulate the best way to either prevent them or manage their effects, if they do occur. ERM starts with a focus on the potential events and their classification into opportunities and risks. It is about balancing risk and opportunities; that requires an organization to go beyond simple regulatory compliance and embed this discipline into its organizational strategy, governance, and culture.ERM is different than the functional stovepipe approach to risk management, which has value but on some level is also lacking. For instance, the chief financial officer (CFO) manages internal control risks and focuses on getting a clean audit while the chief information officer (CIO) works to mitigate cyber risks and threats to the technology infrastructure. However, “when you manage risks within these functional silos,” explains Dr. Doug Webster in an interview on The Business of Government Hour, “leaders aren’t able to prioritize at the enterprise level across functions. Moreover, you do not have the ability to identify cross functional impacts. For example, a CIO may mitigate one risk, but unknowingly create risks in other parts of the organization. You also lack the ability to prioritize resources and develop that portfolio view of risk across the enterprise to ensure it’s consistent with the risk appetite of your entire organization.”
In July 2016, the Office of Management and Budget (OMB) issued an update to OMB Circular No. A-123 requiring federal agencies to implement ERM. It is a positive change that federal agencies are pursing ERM and are taking actions to make it an important part of their operational model. Even before OMB required agencies to adopt ERM, some agencies implemented it to address risk-based issues and improve their ability to respond to future risks. The IBM Center has published reports highlighting case studies of federal agencies and their ERM efforts, such as the Office of Federal Student Aid (FSA) in the Department of Education, which adopted ERM in 2004, and the Centers for Disease Control Prevention’s (CDC) RiskSmart™ credibility risk management and issues management systems. Similarly, the head of the U.S. Troubled Asset Relief Program (TARP) included risk management as a key element in ensuring performance and accountability, and at the time a new agency head at the Defense Logistics Agency began an ERM program as a key driver for change.
More recently, I spoke with IRS Chief Risk Officer Tom Brandt on The Business of Government Hour. He provides a brief overview of how his agency does ERM. "We have a well-established ERM process”, says Brandt, “We are six years into our program. We do conduct an annual enterprise risk assessment.
We engage every part of the IRS to review risks across all the units and assess what is happening in our external environment.” As part of this process, the agency reviews audit findings and takes input from employees, managers, and the leadership team. “We will certainly consider our existing risk and whether there are new risks that are emerging. We have an IRS Executive Risk Committee (ERC) that I chair,” explains Brandt. “As an output of the risk assessments, the ERC develops the IRS’s risk profile. Leadership determines whether additional action needs to be taken for any of the risks and assigns accountability. The risk profile reflects the environment facing the IRS, including how over the past several years the IRS has operated with reduced funding and a declining workforce while workloads and responsibilities have increased. Every single unit at the IRS also has an ERM champion or liaison. Each unit gets together monthly to stay current on what is happening across the IRS and to understand our risk response strategies. We have incorporated this discipline into the IRS performance management process as well as our business performance reporting. We are regularly monitoring and tracking our enterprise risk,” notes Brandt. However, he admits it is not enough to simply go through these exercises to create an enterprise risk list and be done. “That isn’t going to get you very far,” Brandt says. “The key is putting in place risk response strategies, monitoring the risks, and our responses throughout the year.”
ERM done well can create value as well as protect it for organizations. Carol Fox, VP, Strategic Initiatives at RIMS underscores that mitigating risk also offers an opportunity to add value to an organization. It does this by providing organizations with a path to strengthen decision making processes while also improving the flow of information. As noted in the IBM Center report, Improving Government Decision Making through Enterprise Risk Management, by Tom Stanton and Dr. Doug Webster, ERM can improve senior leadership decision making by strengthening both the quantity and quality of the information available for decision making and offering the opportunity for fact-based information flow that can challenge a leadership team’s assumptions. ERM provides them with more complete information about the potential effects of a decision, including the downsides and upsides:
- Strengthen decision making. Decisions, whether to undertake a new initiative or to continue ongoing activities, involve risks and rewards. News about rewards seems to travel quickly to decision makers: proponents of a course of action can usually point to indications, often backed by data of varying quality, suggesting the benefits. By contrast, bearers of news about downside risks are often seen as naysayers and people who “don’t want to play,” or at least “cheer,” for the team. In the federal government, one of the most important questions to ask about a promising new initiative is: “Does our agency have the ability to carry this out?” That also can be one of the most difficult questions for a decision maker to answer. ERM plays an important role in such a decision-making process. By institutionalizing the presentation of information about “downside risks” associated with a decision, an executive, such as a risk officer, can facilitate the presentation of important information to help inform the decision-making process. If the agency head or other decision maker can structure a respectful dialogue between individuals responsible for assessing risk and proponents of a new program initiative or other decision, then the agency may be able to find an approach that optimizes the risk-reward tradeoff by borrowing insights from each perspective.
- Improving information flow. Webster and Stanton also note that the quality of organizational decision making improves because effective ERM creates an institutionalized process for encouraging the flow of information across the organization and up the hierarchy to the relevant decision makers. An institutionalized process serves as a buffer against the unpopularity that sometimes plagues an individual who warns about possibilities of failure when agency leadership is charging ahead. Moreover, an institutionalized and well managed risk-management process may help to encourage dialogue, which can provide an opportunity to integrate leaders’ goals with the realities of what the agency is capable of implementing. Once information is available, a leader needs to exercise judgment and make decisions about whether and how to proceed.
Federal executives must understand the continuum of risks, develop actions to mitigate risks, monitor the success of their risk response strategies, and adjust accordingly: embracing risk as a component of every decision. More importantly, assessing the inherent risks facing the public sector and embracing risk as a component of each decision can promote successful management of government programs and missions. There is no "one size fits all" approach to ERM and it is a complex effort. It is best for agency leaders and chief risk officers to pursue what Carol Fox from RIMS calls a "fit for purpose" approach to ERM. Government executives need to understand and apply a set of tools and techniques and adapt them to their specific operating environment, based on best practices and lessons learned in addressing common as well as unusual risks. The IBM Center can help government leaders do just that with its library of thought leadership resources and the continued recognition that risk management is not a compliance exercise but goes to the core of effective decision-making and mission delivery.
Managing Risk in Government: An Introduction to Enterprise Risk Management by Dr. Karen Hardy
Improving Government Decision Making through Enterprise Risk Management Thomas H. Stanton and Dr. Douglas W. Webster
Pursuing Risk Management in Government—A Leadership Imperative by Michael J. Keegan
Analytics and Risk Management: Tools for Making Better Decisions by Michael J. Keegan