Managing Enterprise Risk
Federal agencies are hardly immune to the “slings and arrows of outrageous fortune” and uncertainty. Each day federal agency leaders face risks associated with fulfilling their respective program missions and yet today’s headlines present stories of cyber hacks, abuses of power, extravagant spending, and a host of other risk management failures. In some cases, if leaders had taken the time to foresee and mitigate potential risks, many of these failures could have been either avoided or at least had less of an impact. It is a leadership imperative for government executives to mitigate the potency of uncertainty by managing the realities of risk. Employing an enterprise risk management (ERM) process can assist leaders in doing just that.
The U.S. Internal Revenue Service (IRS) has sought to do just this and develop an effective enterprise approach to identifying, measuring, and assessing risks and developing effective policy responses—pursuing enterprise risk management as an approach. What are the benefits of pursuing enterprise risk management? How can risk management enhance agency decision making? What is the mission of the Association for Federal Enterprise Risk Management (AFERM)? Tom Brandt, chief risk officer (CRO) at IRS, joined me on The Business of Government Hour to share his insights on these topics and more. Here is an excerpt.
The chief risk officer position within IRS is relatively new. It was established in 2013 in the aftermath of a major crisis within the agency. The intent was to establish a CRO to help leadership get ahead of potential risks while providing capabilities across the agency to help identify other potential risks that may be on the horizon. The office oversees the ERM program, which provides an agencywide approach to risk management to foster a risk-aware culture through education, awareness, and mitigation approaches. It also helps IRS units incorporate risk management principles into strategies and daily operations. When the CRO position was established, my primary responsibility was to develop, establish, and then execute a common risk management framework for how we capture, report, and address risks within the IRS. I continue to mature this approach while also bringing to the fore emerging problems and issues and getting out in front of the potential negative impact of risk. In addition, I serve in a consulting capacity that supports the IRS leadership team and others who are perhaps facing risk issues. In this role, I need to continue to evolve and mature ERM within the agency in accordance with the IRS’s enterprise risk management vision. I participate in IRS’s strategy and objective setting discussions, including strategic planning and decision-making forums, and provide risk perspective. I also work to ensure proper risk management ownership by the business units and guide integration of ERM with other IRS planning and management activities. My office also works to promote risk awareness at the IRS. Integral to doing this, I partner with the business and functional units on their most important risks. I also represent the IRS in the Treasury ERM Council, the Federal Interagency ERM Council and other forums.
Risk is uncertainty: the reality that we never really know how something is going to turn out. On a personal level, we take risks every day. Many risks are related to how we make decisions. Our commute to work is fraught with many risks. Today, there are more tools and apps that can help us mitigate the risks associated with choosing the best or worst route to work. These tools help us to better understand our options and make more informed decisions. Organizationally, risk is the possibility that events will occur and affect the achievement of strategy and business objectives. Risk management provides the tools, techniques, and approaches to better understand risk issues, minimize their impact, and cultivate a proper risk awareness culture.
ERM is defined as the culture, capabilities, and practices, integrated with strategy-setting and its performance, that an organization relies on to manage risk in creating, preserving, and realizing value. We have a well-established ERM process. We’re six years into our program. We do conduct an annual enterprise risk assessment. We engage every part of the IRS to review risks across all the units and assess what is happening in our external environment. As part of this process, we review audit findings and take input from employees, managers, and the leadership team. We will certainly consider our existing risk and whether there are new risks that are emerging that we need to begin putting on our radar. We have an IRS Executive Risk Committee (ERC) that I chair. As an output of the risk assessments, the ERC develops the IRS’s risk profile. Leadership determines whether additional action needs to be taken for any of the risks and assigns accountability. The risk profile reflects the environment facing the IRS, including how over the past several years the IRS has operated with reduced funding and a declining workforce while workloads and responsibilities have increased. Some of the top risk areas highlighted in the IRS’s risk profile have included:
- Aging technology infrastructure
- Cyber and data security
- Critical staffing shortages
- Reduced service and enforcement levels
Every single unit at the IRS also has an ERM champion or liaison. Most of those positions are collateral duty. However, some of the larger units in IRS have a dedicated full-time ERM lead. Each unit gets together monthly to stay current on what is happening across the IRS and to understand our risk response strategies. We’ve incorporated this discipline into the IRS performance management process as well as our business performance reporting. We’re regularly monitoring and tracking our enterprise risk, but it is not enough to simply go through these exercises to create an enterprise risk list and be done. That isn’t going to get you very far. The key is putting in place risk response strategies and then monitoring those risks and our responses throughout the course of the year.
I have enjoyed being involved in AFERM. In addition to my day job, I set aside time to do this because it has been so helpful really to connect with other practitioners in the federal government and other organizations. Overall, the mission of AFERM is to promote the practice of ERM in the federal government. We meet this mission through training programs, various educational events, and thought leadership research. We host many workshops and networking events each year. A key AFERM resource that provides great value to our members is the sharing of best practices and lessons learned. AFERM provides a network of risk practitioners and access to information on how best to implement ERM in an agency. The association also provides informal mentoring opportunities for newcomers to ERM within the federal government. Last year, AFERM partnered with RIMS, the risk management society, to create the RIMS Certified Risk Management Professional-FED certification. This certification distinguishes the achievement of validated risk management competencies for an effective risk management professional in the federal government environment. Individuals who earn the RIMS-CRMP-FED have demonstrated their knowledge and competency in the area of risk management in the U.S. federal government. AFERM will continue to seek ways to advocate the further adoption and integration of ERM into and throughout the entire federal government.