Wednesday, November 14, 2018

In the IBM Center’s new book, Government For The Future: Reflection and Vision for Tomorrow’s Leaders, we have identified six major trends that have driven government management reforms. This contribution highlights the evolution of risk management in the U.S. federal government. For more detail, see the chapter on Assessing Risk.

Government agencies are hardly immune to the effects of uncertainty, such as sequestration, budget cuts, or a government shutdown. Along with these threats, each day federal agency leaders face similar, as well as unique, risks associated with fulfilling their respective program missions.  Today’s headlines are full of stories about troubled website launches, cyber hacks, abuses of power, extravagant spending, and a host of other risk management failures. The U.S. federal government has taken a hit, with the public’s trust in government continuing to be low as measured in numerous surveys.  This view stems in part from stories about how federal agencies could have improved their operational and mission performance, had leaders taken the time to foresee and mitigate potential risks.

Defining Risk as “Uncertainty that Matters”

The first step in tackling risk is defining it. The conventional view of risk focuses on potentially negative effects. Risk management in this context typically addresses managing threats to objectives. As Thomas Stanton and Douglas Webster describe in their 2014 book, Managing Risks and Performance: A Guide for Government Decision Makers, defining risk as merely a threat that objectives will not be achieved leaves unanswered the question of how to actively balance risks that may pose opportunities as well as threats.  To that end, government leaders should view risk as “uncertainty that matters.”

With the uncertainties facing government widening and deepening, external and internal risks pose threats to achieving an organization’s goals and objectives. Such risks include strategic, cyber, legal, and reputational risks, as well as a broad range of operational risks such as information security, human capital, financial control, and business continuity. Risks come from both outside and inside an organization.

Ways of Managing Risks

This chapter explores three approaches to managing risks in government:

  • Use of internal control: The U.S. Government Accountability Office (GAO) has defined “internal control” as a set of activities that provides reasonable assurance that the objectives of an agency will be achieved—specifically, effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
  • Use of siloed approaches to risk management: The International Standards Organization (ISO) defines “risk management” as coordinated activities that direct and control an organization with regard to risk. In 2006, GAO defined this as a continuous process of assessing risks, reducing the potential that an adverse event will occur, and putting steps in place to deal with any event that does occur. Risk management involves a continuous process of managing—through a series of mitigating actions that permeate an entity’s activities—the likelihood of an adverse event and its negative impact. Typically, traditional risk management has been implemented in “silos”—that is, specific functions such as financial management, or specific programs such as flood management.
  • Use of Enterprise Risk Management (ERM): The international risk management society, RIMS™, defines ERM as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio,” rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically aligned portfolio view of organizational challenges that offers improved insight about how to more effectively prioritize and manage risks to mission delivery.

The first two approaches provide the necessary foundations for the effective use of the third. According to OMB: “ERM is viewed as a part of an overall governance process, and internal controls as an integral part of risk management and ERM.”

Evolution of Risk Management: 1998-2018

The evolution of risk management policies in U.S. federal agencies over a twenty-year period can be divided into three phases, as shown in the following chart:

Early action: Early efforts in the 1980s and 1990s to manage risk in government focused largely on internal and administrative controls, with some application of traditional risk management principles. Congress passed laws, OMB issued guidance, and the General Accounting Office (since renamed the Government Accountability Office) defined standards—all in an effort to prescribe how federal agencies should manage internal risks (i.e., financial, human resources, systems, compliance, and operations risks). This early emphasis on internal control was part of a burgeoning movement focused on improving accountability in federal programs and operations that addressed fraud, waste, and abuse (see, for example, the box about GAO’s High-Risk Government Programs later in this chapter). Federal agencies also began to employ, on an ad hoc and frequently siloed basis, risk management approaches to manage functional risks. Risk management practice also matured generally, with the issuance of a “first of its kind” standard risk management framework and process by the international Committee of Sponsoring Organizations of the Treadway Commission (COSO).


Expansion: Recognizing the benefits of managing risk from an organization-wide enterprise perspective, federal agencies incrementally expanded their use and adoption of formal ERM disciplines and principles beginning in the early 2000s. Lacking a formal federal risk management policy, agencies acted independently to leverage practices with proven track records in the private sector, and had access to an increasing number of ERM frameworks and processes. Chief risk officers began to emerge in federal agencies. Informal networks of risk management practitioners and thought leaders coalesced and championed the benefits of ERM as a critical management tool. Revised OMB policy guidance on agency strategic planning and reviews suggested the use of ERM in agency strategic planning, signaling ERM as the way forward for managing risk in federal agencies.

Institutionalization: Technological advances have made federal agency systems, infrastructure, processes, and technologies interconnected and interdependent, such that a risk encountered by one area impacts other operations. This interconnected environment makes the managing of risk across the enterprise more necessary than ever. It also precipitates a change in how government leaders view risk, no longer thinking about risk management as largely a compliance exercise or perceiving risks in solely negative terms as something to be avoided. With that as the backdrop, OMB revised its risk management guidance, Circular A-123, setting forth for the first time a formal governmentwide policy for how government leaders should manage risk and internal control in their agencies. Federal agencies must now implement an ERM framework that also integrates their existing internal control process.

Looking Forward

The risks facing government agencies are hardly static. They morph and transform in ways never seen before. It is a leadership imperative for government executives to mitigate the potency of uncertainty by managing the realities of risk. In an increasingly uncertain, complex, and interconnected world, the need for determined and adept risk leaders will be greater than ever.

Many current transformations (e.g., blockchain, artificial intelligence, robotics, and smart technologies) have the potential to make government function more effectively. Each of these advances brings unique risks, as well as potential applications in managing current risks. It is a positive change that OMB has mandated the use of ERM, that an increasing number of federal agencies have recognized the value of ERM, and that they are taking actions to make ERM an important part of their operational model to address emerging transformations, beyond simply meeting external requirements.

However, today’s digitally disruptive environment continues to usher in new and evolving threats. The immediate future is already taking shape:

  • Increased technological risk. Technological advances—as represented by artificial intelligence, big data, robotics, the Internet of Things, blockchain technology, and the implications of the sharing economy—are transforming the risk environment and ushering in new benefits and new risks for government. Though the immediate effects of these changes may appear over time, some if not all will permeate the operations of agencies into the future. As one observer notes, “Technological risk is expected to become increasingly complex with the growth of new technologies beyond those currently recognized.” Given this reality, agency risk architecture and ERM governance will need to identify suitable ways to prioritize, respond to, and ultimately manage new and potentially unknown and unknowable risks. Technological risk leads to greater uncertainty, compelling government leaders to look ahead with strategic foresight. Making strategic foresight an integral discipline within ERM can help agencies anticipate risks and prioritize resources accordingly.
  • Increased interconnectedness of different kinds of risks. Many federal agencies now collaborate with external parties to achieve mission outcomes. This interconnectedness means these entities share data, systems, and thus a level of risk. Agency leaders must identify innovative ways to manage risk collectively in an increasingly networked and collaborative world. Couple the changing nature of how work is done with the proliferation of new technologies described above, and agency leaders must proactively address the risks that arise within an increasingly complex organizational ecosystem.
  • Cultivating agile and adaptive risk leaders. The perception of risk has evolved over time. Risk is no longer viewed as inherently negative, something to avoid, but as a potential way to create value and enhance performance. Managing risk must become an integral part of an agency’s strategic mission. ERM elevates the role of the risk professional from an operational to a strategic level. As a result, risk professionals will need to expand their knowledge and experience while honing essential risk management skills. For example, today’s risk leader may have a basic, albeit insufficient, understanding of the components of technological risks. Being ready for the future will require them to become cognizant of technological advances and their implications for how an agency operates. Successful risk leaders in the future must be adaptive, informed, and ready for the impact of inevitable change.

As government operates in a world of increasing speed and complexity, and as citizens expect better, faster, and more cost-effective results, managing risk becomes ever more critical. Government executives need to understand and apply tools and techniques like ERM to their specific operating environment, addressing the inherent risks facing the public sector. The promise of ERM, now and into the future, goes to the core of program delivery and mission success.