Creating Risk-Responsive Frameworks
Other federal agencies also face a wide range of risks. Some are external, others are internal. Some are financial (such as having to manage under Sequester, or the market impact on external investments in pension funds, which could affect federal pension guarantees). Some are operational, such as those faced by FERC, or cybersecurity threats, or even insider threats. And some are reputational, such as the recent accusations of Patent Office telework abuse, or the General Services Administration’s lavish conferences scandal. In recent years, a number of federal agencies have put in place risk management strategies. Recent guidance from the Office of Management and Budget declares: “Agencies are expected to manage risks and challenges related to delivering the organization’s mission.” And a professional association has evolved – the Association for Federal Enterprise Risk Management – where professionals can share insights and best practices. Yet there is no overarching U.S. federal framework.

The private sector faces many of the same kinds of risks, and some sectors – such as finance and insurance – have well-developed approaches. Increasingly, both public and private sector organizations have begun to systematically address their risks via initiatives such as “enterprise risk management.” Companies as diverse as Target and JP Morgan Chase have created their own risk management functions in response to increasing uncertainties in their operating environments. The use of standards and policies as the foundation for an “enterprise risk management” function has evolved internationally in both the private and public sectors, with the creation of definitions, standards, principles, and frameworks. The most prominent include the ISO 31000 and the COSO risk management standards (created in 2004 via the Committee of Sponsoring Organizations of the Treadway Commission).

What is “Enterprise Risk Management”?

Risk management expert Doug Webster writes “. . . many of us think of risk only in terms of bad consequences” and that “the word has evolved to refer to two different and conflicting concepts.” He observes that the Government Accountability Office’s definition “treats risk as introducing only a negative impact . . . Risk management in this context is typically focused on managing the threats to objectives.” However, he continues: “Risk management professionals are more likely to subscribe to the definition offered by the international standard ISO 31000, which defines risk as ‘the effect of uncertainty on objectives.’”

John Fraser, senior vice president of a Canadian hydro-electric company, Hydro One Networks, says in a new book that effective enterprise risk management can be distilled down to two essential processes: having conversations and setting priorities. He says: “By enlisting managers and employees in conversations, organizational leaders can facilitate people’s willingness and ability to surface major risks so that they can be addressed. Then, by prioritizing these known risks the organization can allocate its energy to addressing the most important risks . . . in a systematic way.” This approach is being adopted by national governments, as well.

Risk Frameworks: The British Example

In 2002, British prime minister Tony Blair launched a two-year “risk program” to develop a set of principles and concepts, culminating in the risk management “Orange Book” in 2004. Several years later, this was supplemented with an in-depth guide book. This program serves as an overarching framework for developing risk management strategies for British government agencies. For example, one British agency – National Savings and Investments – identified 13 key risks and assigned responsibility for each to an executive director. Every six months, the Board conducts a review. Individual projects have their own “risk registers,” as do joint project teams. This allowed the agency to keep abreast of changes in the external environment and develop contingency plans for various scenarios.

However, there is a danger of risk management becoming a cumbersome, formulaic, unhelpful exercise. “Over-dependence on process may limit departments’ ability to manage risk effectively,” notes the UK National Audit Office: “. . . effective risk management offers a means of anticipating issues and responding to them.” Webster notes that the biggest danger in introducing an enterprise risk management requirement is creating a function that is seen as a compliance hoop, instead of a culture change. To be effective, it has to be leader-driven. But having an individual leader serve as its champion does not span transitions in leadership very well – which is the strength of establishing standards and requirements. Nevertheless, creating standards and policies introduces the danger of enterprise risk management becoming a compliance-oriented administrative function.

Australia’s Nine Risk Management Elements

More recently, the national government of Australia issued a policy document in July 2014 that outlines a set of principles that each government agency must incorporate into how it runs its programs (and it provides accompanying resources to help agencies develop effective programs). The Australian government’s goal is to “embed risk management as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making.” To do this, it set forth nine elements that all agencies must comply with:

1. Establishing a risk management policy that defines an entity’s approach to risk and how this supports its strategic plan.
2. Establishing a risk management framework that provides the foundations and organizational arrangements for designing, implementing, monitoring, and continually improving risk management.
3. Defining responsibility for managing risk by defining roles and responsibilities for individual implementation tasks.
4. Embedding systematic risk management into business processes, including but not limited to strategic planning, policy development, program delivery, and decision making.
5. Developing a positive risk culture that promotes an open and proactive approach that considers both threat and opportunity.
6. Communicating and consulting about risk with relevant stakeholders, with transparent, complete, and timely flows of information between decision makers.
7. Understanding and managing shared risks that extend beyond a single entity and require shared oversight and management.
8. Maintaining risk management capability, keeping an appropriate level of capacity to manage an entity’s own risks, commensurate with its risk profile.
9. Reviewing and continuously improving the management of risk so it is not seen as a “one-off event” but as a process of continuous improvement based on internal reviews.

Should the U.S. government undertake a similar governmentwide effort to create a risk-responsive framework? At a recent forum, Tom Stanton, co-author of a new book on risk and performance in government, remarked that this may not be a good idea. He observes that mandating a governmentwide framework – such as requiring the use of the ISO standards – would likely result in a compliance-oriented system, not a change in how agency leaders manage. His advice is to develop risk management frameworks at the agency level, in the context of each agency’s mission and environment. In practice, federal agencies aren’t waiting for governmentwide policies to be put into place. They are doing it on their own, in their own context. As Stanton notes, this more organic evolution of risk-responsive frameworks may be a more appropriate approach for ensuring that these “home grown” policies are actually used to manage risks and do not become another compliance requirement.
NOTE: GAO released its update of its “Green Book” on internal control standards on September 10, 2014.