An experiment is about to begin in the government sector: federal agencies are going to try embedding enterprise risk management into their operations. Risk and internal control professionals in the private sector might want to watch this effort and see how it goes.
Final word on the ERM initiative came down last week, when the Office of Management and Budget published updated guidance for Circular A-123—essentially, the federal government’s equivalent to the Sarbanes-Oxley Act, with requirements for internal control over financial reporting. The guidance requires agencies to begin implementing ERM and tie those efforts to existing internal controls. It even renames the guidance to “Management’s Responsibility for Enterprise Risk Management and Internal Control.”
The guidance is a 51-page memo with a few specific directives and deadlines: all federal agencies must either establish a Risk Management Council, with the agency’s chief operating officer as chairman, or name a chief risk officer who will lead the ERM program. Agencies should develop their implementation approach as soon as possible, finish their first risk profile by June 2017, and integrate their ERM program into management’s annual evaluation of internal control by Sept. 15, 2017—that is, by the end of fiscal 2017. ERM and internal control should be reviewed annually after that.
More interesting for compliance and risk professionals is how the guidance describes what your ERM program should do. Plenty of private sector companies struggle with that goal themselves, so let’s take a look.
First, the structure that OMB wants to see, of risk management councils or a chief risk officer who advises the agency’s COO, is not much news in itself. Large corporations have had compliance risk committees for years, and those who are trying to embrace ERM understand they should adopt a similar approach for enterprise risks.
I suspect that if agencies try to take ERM seriously, they will adopt a committee approach rather than naming a chief risk officer. CROs make sense for financial companies and perhaps a few other organizations that face specific, quantifiable risks. For the more strategic risks that most companies face—well, they call it “enterprise” risk management for a reason. You’re supposed to get the whole enterprise involved.
The bigger question is how government agencies can take ERM seriously, when they have so many outside influences pulling them in multiple directions. Circular A-123 lists seven elements of a successful ERM program; three of them are:
- Establish the context: understand and articulate the internal and external environments of the organization;
- Initial risk identification: use a structured and systematic approach to recognize where the potential for undesired outcomes or opportunities can arise;
- Develop alternatives: systematically identify and assess a range of risk response options guided by risk appetite.
The principal difference between government agencies and the private sector is that agencies are mission-focused. Now imagine trying to identify the risks to your mission when you get so many conflicting messages—from Congress, senior members of the administration, and the public—about what your mission is and how you should achieve it. That is the prime fact facing government agencies today.
For example, if your agency helps to manage Obamacare, you have a CEO (President Obama) sending one message while the board of directors (Congress) sends the opposite. What’s more, your shareholders (voters) are preparing for the organization’s next shareholder meeting on Nov. 8, and you may end up with a new set of managers by next year whose objectives are fundamentally different from what you’re trying to accomplish today.
Good luck identifying and managing your strategic risks in that environment.
Thankfully, as we watch our government agency brethren navigate that mess, they will also be trying to apply ERM to more prosaic risks that drive private sector professionals just as crazy. We’ll want to watch those, too.
IT projects. IT projects fail to meet expectations all the time, in public and private sector alike. Most notable in government was the collapse of Healthcare.gov in 2013, but we’ve seen many more examples of antiquated or malfunctioning IT, from the Securities and Exchange Commission to the IRS to the Federal Aviation Administration. In the private sector, the airline industry has botched IT integration for almost every merger in the last 15 years.
Successful IT projects will be all the more important in coming years as privacy and data security reach the heart of every business process we have. (A point Circular A-123 makes strongly toward the end of the publication.) So let’s see what common or best practices in IT project management emerge, if any, as a result of the feds’ work here.
Fraud. Many government agencies give away money through grants, so fraud risk is always high. Circular A-123 reminds agencies to think about “disaster fraud risk”—that is, at times when people often need emergency assistance the most (Hurricane Katrina or Hurricane Sandy, for example), fraud risk runs higher. At the same time, you can’t slow the pace of disbursing funds; a disaster has happened, after all.
Agencies therefore need hugely robust anti-fraud systems that can scale up to those events. Preventive controls sound nice, but a preventive control is only a policy and an IT system; making it work at that scale takes imagination and attention.
Beyond fraud, however, are its companions waste and mismanagement. Consider the case of FEGS, a New York City social services agency that went bankrupt in 2015 after mismanaging its way into a gigantic budget deficit. FEGS required closer government oversight and sharper assessment of its leadership risks (which were enormous), more than it needed anti-fraud controls. How can an agency meld ERM and internal controls to police against threats like that? I’ll be eager to see.