Monday, September 29, 2014
The Office of Federal Student Aid put in place the first formalized risk management framework in the federal government, starting its efforts in 2004. What does it look like? How did they do it?

One former federal leader, Todd Grams, observes that agencies that ignore risk are actually creating risk. Not surprisingly, there has been increasing interest in agencies in recent years in developing a risk management function. So what does it look like? The Office of Federal Student Aid (FSA) in the Department of Education undertook efforts a decade ago to create a risk management function, which may serve as inspiration for other agencies considering the same. In a recent book and presentations around town, Cynthia Jasper Vitters and Fred Anderson, key risk management executives at FSA, describe their efforts and the evolution of an enterprisewide risk management (ERM) function in their agency. They observe: “ERM implementation at FSA is not viewed as a compliance function.”

Background.

FSA has made or guaranteed more than $1.2 trillion in student loans, with 40 million borrowers. The Office has a budget of $1 billion and a staff of about 1,200, serving about 6,200 universities around the country. In 1998, FSA was legislatively designated as a “performance based organization,” which allowed it a certain degree of autonomy, and its head -- a chief operating officer (COO) -- was appointed by the Secretary of Education on a term contract instead of being a political appointee or career executive. Anderson and Vitters felt that the designation as a performance-based organization “helped pave the way” for the creation of a risk management function at FSA.

Because of the high level of loans and a high default rate, the Government Accountability Office placed FSA on its High Risk List of programs in 1990. In part because FSA began to systematically pursue risk management in 2004, GAO removed FSA from its high risk list the next year.

How Did FSA’s Risk Management Framework Evolve?

Stan Dore was hired as FSA’s first Chief Risk Officer in 2004.
He set out to create an enterprisewide risk management office, which was formally stood up in 2006 with a small staff, reporting to the Enterprise Performance Management Office within FSA. The new office started to create a framework and implementation plan, but FSA lost its top official, chief operating officer (and sponsor for the risk management office) Theresa Shaw, in 2007. FSA had several acting leaders until a full-time COO was named in 2009. During that period, the office worked to educate senior career executives and various FSA business units about the role of risk management in their operations.

The new COO, Bill Taggart, was a former bank executive who was a strong supporter of risk management. He appointed a new chief risk officer, Fred Anderson, who raised the profile of the fledgling office, expanded the risk management framework, and formalized the role of risk management in FSA’s five-year strategic plan. Anderson became a direct report to Taggart and split the office into four groups:

Risk analysis and reporting group.
Internal review group.
Portfolio performance management services group.
Acquisition risk management group.

In addition, Taggart created a cross-FSA Risk Management Committee, chaired by Anderson, of which Taggart and other operational and business leaders are members. The committee has met monthly and Taggart, the COO, attended all meetings. FSA’s current COO, James Runcie, consistently attends the Risk Management Committee meetings as well. The committee’s objectives are to: “identify, track, and mitigate operational, portfolio, project, and technology risks across the organization.”

Advice on Creating a Risk Management Function.

So what would it take to create a risk management function in your agency? Anderson and Vitters say there are six pieces of advice they give to those interested in doing so:

Use a phased approach to implementation.
FSA developed a time-bound, phased plan for implementing its enterprise risk management approach. Each phase had its own defined risk criteria and an accountable owner, who is also responsible for continuous review and updating based on changing conditions. An upfront investment in planning and engaging senior leaders made the eventual implementation easier to act upon.

Create a Risk Management Committee.
When Taggart established the nine-member Committee, he had the risk management office define its scope and operations and ensure that its risk management initiatives aligned with existing business functions. Executives on the Committee had specific roles and portfolios of issues. Prior to each monthly meeting, issues on the agenda were vetted by the assigned member of the committee to ensure no surprises.

Ensure the right talent in the risk management office.
Finding the right talent for the risk management office staff, according to the authors, is “vital to the group’s success.” They started with internal staff and supplemented with contract staff. As the function matured, they identified individuals with specific skill sets and subject matter expertise.

Integrate risk management into existing processes and functions.
FSA, like other agencies, has pre-existing formal and informal oversight, compliance, and internal control activities. One of the first tasks of the new chief risk officer was to inventory these activities and help align them with an overarching risk management strategy.

Extend risk management to contractors and other partners.
FSA historically has outsourced many of its major operations – such as loan servicing and collection – to outside contractors. It also has partnerships with universities and lending institutions. The risk management office developed approaches to ensure it extended its oversight of significant risks to these partners as well.

Prioritize key risk information.
Initially, the risk management office identified a large number of potential risks and scenarios. However, it found that with too many, it became unable to manage and prioritize them. So, it became important to focus on the risks that might affect FSA’s goals.

By focusing attention on these elements, FSA’s risk management office was able to help ensure that risk management was not viewed as a compliance function, but rather as a strategic leadership approach to managing the business of student loans. As a result, Vitters and Anderson believe this “puts FSA in a strong position to successfully manage its unique business structure.”