What exactly is enterprise risk management?
It's more than simply rolling up the traditional risk management efforts — and it's increasingly critical for agencies.
This article is adapted from the IBM Center for the Business of Government’s recent report, “Improving Government Decision Making through Enterprise Risk Management.”
Often, the risk that hits an organization hard might not be the one that the organization was anticipating. As they have become more experienced in the application of basic risk management, the shortcomings of the traditional approach to managing risks in functional and programmatic silos have become more obvious. This has led to slow but ongoing progress toward implementing the principles of enterprise risk management.
One of the earliest formal definitions of ERM was introduced by the Casualty Actuarial Society. In a 2001 report by its Advisory Committee on Enterprise Risk Management, CAS defined ERM as follows: “ERM is the process by which organizations in all industries assess, control, exploit, finance, and monitor risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”
More recently, the Association for Federal Enterprise Risk Management (AFERM) defined ERM as “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprisewide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals and objectives.”
Those definitions are instructive, in part because they point out that ERM is more than simply “good” risk management as traditionally practiced in silos. AFERM’s definition references “the full spectrum of an organization’s risks,” while the CAS definition cites risks “from all sources.” Both definitions inherently require a top-down, strategically driven approach to risk identification.
Some distinguishing characteristics of ERM
However, such a comprehensive view of risk will not emerge simply from a bottom-up aggregation of risks identified within functional and programmatic silos. The need to incorporate risk management into the strategic planning process is an inherent part of any meaningful ERM program, and again, it requires a comprehensive view of major risks to the agency and its programs.
Another shared aspect of those definitions is that they position ERM not as an end unto itself but rather as an element of a broader objective. Risk management is simply an element of effective organizational management, and the AFERM definition reflects the tie of ERM to improved decision-making and the achievement of the organization’s mission, goals and objectives. The CAS definition indicates that ERM leads to increased short- and long-term value.
Finally, the AFERM definition indicates that ERM enables a portfolio view of organizational risks. Just as a portfolio of personal financial investments is intended to maximize the risk-adjusted return on investment for retirement planning, so, too, treating an organization’s array of products and services — and balancing resources against performance objectives and risks across that portfolio of products and services — serves to maximize long-term organizational stakeholder value.
Evolution of ERM in the federal government
Although the concepts of ERM outlined above have been maturing in the private sector for the past two decades, their introduction into the public sector is more recent. What is believed to have been the first enterprisewide implementation of ERM in the federal government happened at the Office of Federal Student Aid (FSA) in the Education Department.
In 2004, FSA hired a chief risk officer (CRO), Stan Dore, who is believed to have been the first person in the federal government to fill such a position. FSA formally approved the creation of a dedicated ERM office early in 2006. Since those initial efforts, FSA has continued to mature its ERM processes and organization.
In 2008, Doug Webster, a co-author of this report, was serving as the chief financial officer at the Labor Department. With a strong belief in the value of ERM, he reached out to other federal executives who shared that interest. Early in 2008, this informal group established itself as the Federal ERM Steering Group and joined with George Mason University to convene the first Federal ERM Summit.
That annual event has been held every year since and has become the key event for bringing together those interested in ERM in the federal government. In 2011, the Federal ERM Steering Group was formally incorporated as the aforementioned AFERM.
Despite the impetus provided by AFERM and its annual summits, progress in the federal government was initially slow. In the Association of Government Accountants’ annual Federal CFO Survey in 2010, five federal executives were noted as having a formal risk management process at their agencies, including the designation of a CRO to facilitate ERM.
Although that certainly represented progress from FSA’s initial appointment of a CRO, the surveyed organizations represented a small portion of the federal government. Moreover, meaningful progress was impeded because conflicting messages were being sent about the true meaning of ERM.
For example, in the Association of Government Accountants’ 2011 Federal CFO Survey, 50 percent of respondents indicated that they believed that ERM was adequate at their organizations. However, one respondent said, “We have risk management committees of senior executives and subject-matter experts aligned with each portion of our financial balance sheet. They recommend actions to a national risk committee to evaluate the risks.”
That statement reflects a common misunderstanding of the differences between a functional risk (e.g., financial reporting) and meaningful ERM.
Although the principles of ERM may be applied within a functional area to manage risk (such as impacts to reliability in a balance sheet), that approach does not represent the principles of ERM applied across an agency. In that same study, only 29 percent of respondents said there was a designated risk management office or operation at their agencies.
Given the lack of a central coordinating risk management office, this begs the question of whether a meaningful ERM program was in place. As the authors of this report have sought to explain in describing ERM, there is a need for a central office or function generating centralized risk management policy, establishing cross-functional risk management processes, facilitating collaborative risk management discussions and prioritizing risks.
In 2011, the term ERM might have been more broadly recognized than the understanding of the underlying concepts, but organizations have since sought to improve on that understanding. The winter 2013 edition of the Armed Forces Comptroller, the journal of the American Society of Military Comptrollers, focused largely on ERM, thereby helping to spread the word about the principles of ERM in that community.
An additional effort aimed at helping inform the federal community about ERM principles and practices was the publication of the book “Managing Risk and Performance: A Guide for Government Decision Makers” (Wiley, 2014), co-edited by the authors of this report.
Despite the initially slow progress and misunderstanding of the term “ERM,” concrete progress is now demonstrably underway. In the book just referenced, the last of 10 recommendations offered for the federal government was to “incorporate ERM explicitly into Circular A-11 and [Office of Management and Budget] reviews of agencies.”
On July 25, 2014, OMB released an update to Circular A-11 (its annual guidance to agencies on the preparation of their budget submissions) that recognized ERM as an important practice for managing agency risk.
OMB’s efforts to encourage an ERM approach
OMB’s current interest in ERM has evolved over time but became more evident early in 2013. OMB began working with the Government Accountability Office to provide input on an update to Standards for Internal Control in the Federal Government (commonly known as the Green Book) and to consider how evolution of the Green Book might influence internal controls policy reflected in OMB Circular A-123, Management’s Responsibility for Internal Control.
With the release of the exposure draft on internal controls by GAO in fall 2013, OMB sought to encourage a more robust consideration of risk management than the check-the-box compliance attitude sometimes seen at federal agencies. The awareness of ERM was at least partly responsible for the effort to move beyond a focus on internal controls in A-123 to a broader view of risk management.
The next version of A-123 (at the time this report was published) is thus expected to broaden the role of A-123 beyond internal controls to include other aspects of risk management.
In parallel with those developments, in 2013, OMB asked the CFO Council for suggestions on what OMB and the CFO Council might focus on as initiatives in the coming year. The No. 1 suggestion from the CFO Council was ERM.
CFOs felt they were doing a good job of financial management and risk management within financial management but were struggling with other types of risk. OMB thus started a working group on ERM under the CFO Council. One result of this working group was to convene a CFO Council forum. The forum had most of the CFO Council in attendance and was both an educational discussion on the meaning and practices of ERM and a discussion of next steps in the council’s engagement with ERM.
In October 2014, OMB Controller David Mader said during a panel discussion that “we have begun talking about how do we think about risk more broadly than just financial risk? I think when you look at [circulars] A-11 and A-123, those were all born out of the CFO Act. So everyone is narrowly focused on ‘Well, it’s about financial risk and it’s about internal controls.’ What we are doing now is stepping back and thinking isn’t there really a way to take the lessons learned and what we’ve accomplished with A-11 and A-123 and broaden that perspective across the entire organization, particularly around mission programs?”
Mader went on to state that OMB believes there needs to be an enterprise risk protocol across government and that OMB would provide that guidance late in 2015.
NEXT STORY: Improving the skills of your IT staff