"What Could Possibly Go Wrong?"
Risk experts Doug Webster and Tom Stanton think not. Writing in a new report for the IBM Center for The Business of Government, they observe: “The front pages of national newspapers constantly report on actions by private companies, federal leaders, or agencies that do not appear to have considered the risks associated with various decisions and actions. There appears to be a common thread running through these events: a failure to adequately consider risk “up front” and address it as part of an organization’s overall management.” Their report describes how “enterprise risk management, “ or ERM, is a promising approach to assessing and addressing organizational, mission, and reputational risks. The Six Challenges. Webster and Stanton interviewed federal executives to find out why agencies typically do not strategically manage their risks effectively and use this knowledge to improve their routine decision making processes. They identified six challenges: Challenge 1: Getting sustained support from top leaders. Interviewees stressed this was key, and the biggest challenge is when there is a transition in leadership. Career staff have a responsibility to frame risk management as an element of due diligence for new leaders, and that missteps could damage them personally, and the mission or agency more broadly. Challenge 2: Breaking down the power concentrated in organizational silos. While leadership might support risk management approaches, lower levels in the organization may not, especially in decentralized or siloed agencies. Focusing on a targeted set of risks, or creating an enterprise wide executive risk management committee to regularly assess status are two strategies for addressing this. Challenge 3: Overcoming a culture of caution. Many organizations have cultures that focus on process compliance and risk avoidance. An overemphasis on “staying out of trouble” can itself become a mission risk. The tone set by agency leadership matters; employees must be able to trust that they can safely report potential risks, and see that this is an encouraged behavior. Challenge 4: Reconciling the roles of risk managers vs. the inspectors general. The quality of working relationships between agency staff and their IG is “of paramount importance,” according to interviewees. An adversarial relationship will “chill the flow of risk-related information” within the agency, including to top leadership. A constructive dialogue is needed to develop a win-win relationship (Note: another recent IBM Center report addresses this dynamic). Challenge 5: Educating agency staff on the usefulness of enterprise-wide risk management. Agency staff intuitively understand potential risks in specific programs or systems, but tend not to see how various trends might lead to broader risks in their agencies. Creating an enterprise-wide perspective is helpful, but requires a concerted communications effort to integrate such discussions into the flow of routine decision-making processes. Challenge 6: Being able to demonstrate the value of an institutionalized risk management function. The value of an effective enterprise-wide risk management function is that nothing bad happens. So how do you demonstrate the value of avoiding a potentially costly event that never occurs? The authors state that “The value of ERM can be seen in the increased quality of decision making” in that better communication about risk-reward tradeoffs can “maximize overall stakeholder value.” OMB Efforts. The Office of Management and Budget (OMB} has had a long interest in managing financial risks but in 2013 it began to work with the Government Accountability Office (GAO) to update the government’s guidance for internal controls. The initial draft of the update sought to expand beyond a compliance approach to a broader “enterprise risk management” approach. This was reflected in OMB’s budget guidelines in 2014, where OMB sought to highlight the need for consideration of risk into agency performance and strategic reviews. A forum earlier this year with OMB discussed the development of an enterprise risk management approach that pairs conversations of risk and opportunity, to ensure the conversations are not dominated by backward-looking assessments of risk. There was also discussion of engaging in strategic planning and risk management activities jointly, not separately, to ensure the conversation does not tend toward risk avoidance vs. managing risks and opportunities. OMB hopes to complete its policy revisions by the end of 2015. Next Steps by Agencies. Webster and Stanton offer several recommendations to agency leaders. These actions, they say, can be taken in advance of any OMB guidance. For example, they suggest that agency leaders create an organization-wide operating committee, with a small risk staff to support their efforts, to “regularly identify major risks that could impede achievement of the agency’s mission” and that they should prioritize these risks and come up with plans for the high priority risks. The authors say that agency leaders need to create the conditions for risk management to be effective by working to “ensure that information flows up and down the hierarchy so that risk-related information can flow to decision makers.” In addition, agency leaders need to integrate risk management discussions into their regular decision making processes, such as strategic reviews and budget discussions. After all, what could possibly go wrong if they didn’t? * * * * * Postscript: An earlier series of IBM Center blog posts on risk management, based on a book edited by Webster and Stanton, is available here.