How Mature is the Federal Government’s Practice of Enterprise Risk Management (ERM)?
Last week, while speaking at the 2021 AGA and AFERM ERM Workshop, I had an opportunity to obtain viewpoints from the ERM community on this very question.
As most already know, OMB Circular A-123, when it was updated in July 2016, defined management’s responsibilities for ERM and included requirements for agencies to identify and manage risks. Additionally, agencies were encouraged to establish a governance structure, including a Risk Management Council or Committee or similar body, to develop “Risk Profiles” to identify major risks arising from mission and mission-support operations, and to analyze those risks in relation to achievement of strategic objectives.
For ease of use with a couple of simple polling questions, I shared a straightforward 5-stage ERM Maturity Model, which is one of the examples included in the ERM Playbook. This model progresses from stages of Nascent to Advanced. At the Nascent level, organizations lack a formal ERM process, address risks as they arise, and fail to anticipate potential risks. At the Advanced level, the consideration of risk is fully integrated into the organization’s planning, budgeting and decision-making processes, and the organizations are well equipped to monitor and respond to risks.
I asked the nearly 200 participants to consider this model in providing answers to two questions:
- At what level would you rate the overall federal government’s ERM maturity level?
- At what level would you rate your agency’s ERM maturity level?
And here are the results, noting of course that this was not a scientific survey, but as a poll of ERM practitioners and others actively engaged with the federal ERM community, it should reflect well-informed viewpoints:
Overall, respondents tended to rate the maturity level of their own agency ERM program higher than where they believe the federal government is overall. Ratings at Level 1 (Nascent) were nearly identical for both questions at just over 14%. Level 2 (Emerging) was the most frequently selected response, which is largely in line with my own personal view of the level that most agencies and the government have attained. Two-thirds of respondents rated the federal government overall at this level, while just under 44% rated their own agency at this level.
The variation in ratings at Level 2 for agencies vs. government overall is accounted for by higher ratings of one’s own agency at the more advanced levels of the model: more than a quarter of respondents (26%) rated their own agency at Level 3 (Integrated), and another almost 13% felt their agency had reached Level 4 (Predictive), with a handful (3.4%) giving their agency the highest rating at Level 5 (Advanced). It wasn’t possible through polling questions to delve further into the responses from those who rated their agencies as having reached levels 3, 4 and 5, but it would be helpful, I believe, if there were a way to pressure test those responses a bit and learn more about the steps those agencies have taken.
Agencies that have implemented the minimum requirements set forth in OMB A-123 will most likely find themselves at Level 2, Emerging, while agencies that have taken further actions, such as those set out in Circular A-11, Part 6 (which thankfully is back in force after a brief, and surprising, hiatus) to use the risks identified through ERM to inform budgetary and strategic decision-making within the agency and also include enterprise risks as part of strategic review discussions with OMB, would most likely find themselves at the upper end of the maturity model. The next iteration of the ERM Playbook, release of which is imminent, encourages and promotes further development and integration of ERM in these areas.
In addition, as agencies are in the process of developing their new five-year strategic plans, per the requirements of the GPRA Modernization Act of 2010, it would be a terrible missed opportunity if ERM Programs were not leveraged and the consideration of top risks and opportunities facing mission delivery were not used to help inform the determination of new strategic goals and objectives. Lastly, while the informal polling information shared here is interesting, a more formal and rigorous assessment of the federal government’s progress in implementing ERM by either OMB or GAO is likely in order.
In closing, I am hopeful that most agencies are at least somewhere on the maturity model scale – I didn’t think to include an option of, “My agency hasn’t taken any steps at all to implement ERM” – perhaps because I was worried there might be some who would have selected that response! Let's hope not.
At any rate, to end on a bright note, congratulations to all my colleagues and peers who have helped with the introduction, implementation, and advancement of ERM in their own agencies, and Happy 5th Birthday (almost) to Federal ERM overall!
[This blog post is the first in a two-part series. Read the next blog, "The Tragic 2019 Fire at Notre Dame Cathedral."]