Risky Business
Recovery Act guidance from OMB requires agencies to identify the risk associated with each program and develop a plan of action to reduce such risks. After all, if a program gets a 3,100% increase in funding, like the home weatherization program did, there must be some risk involved! Vice President Biden has said he would like to see the entire government adopt the new standards being developed under Recovery Act programs. Well, just in time, the IBM Center has published a new report, “Managing Risk in Government: An Introduction to Enterprise Risk Management,” by Karen Hardy.
Hardy observes that, typically, agencies tend to deal with new risk-reduction requirements on a discrete, program-by-program basis. They put in place compliance mechanisms to meet new IT security risk reduction requirements, or new financial management requirements, or new internal control requirements, or new erroneous payment reduction requirements, etc. She says all of these requirements are geared to one end – improved risk management. She says leading organizations in the private sector have undertaken enterprise-wide risk management efforts. Holistic efforts across an organization can reduce risk – and administrative burdens – at the same time.
Identifying and keeping track of possible events, and classifying them into opportunities or risks, requires a taxonomy or classification scheme and a common language for understanding these risks. Improved data management allows a large organization to take advantage of modern analytical methods to quantify and track current trends and potential risks.
While the concept of enterprise-wide risk management may be new, the federal government has been adopting this approach on an ad hoc basis. Hardy gives concrete examples of enterprise-wide efforts in government, noting that “for the first time in its 75-year history, the Federal Housing Administration (FHA) announced intentions to hire its first chief risk officer.” She also describes efforts underway to address health risks (Food and Drug Administration and Centers for Disease Control and Prevention), security risks (Defense and Homeland Security), financial risks (Ginnie Mae), transportation safety risks (National Transportation Safety Board), and operational risks (Internal Revenue Service and Student Aid).
Hardy notes that a group of government managers has self-organized into a Federal Executive Steering Group for Enterprise Risk Management, and they’ve created an unofficial website to foster and continue a conversation on the topic. You can join!