Nonpartisan, Nonprofit, Congressionally Chartered.

Implementing Enterprise Risk Management in Government

March 08, 2018


A recent Commentary in this series, Implementing Performance Management in Government, recommended that political appointees develop ways to track performance in their organization. In addition to tracking performance, political executives also need to track risks in their organizations.

There has been an increase in recent years in unanticipated events that have jeopardized the achievement of agency goals. Recent examples include the website’s failure to anticipate high levels of traffic, the Department of Veterans Affairs’ failure to anticipate rapid increases in workload, and the federal government’s failure to forecast accurately, as seen in the underestimation of the mortgage default rate.

These are very different situations, but what the three examples have in common is that the leaders were “surprised” to learn of these events. In retrospect, these management failures now seem predictable and preventable. But no one thought these situations were possible, no one planned to deal with them, and no one could imagine the negative consequences they would produce. In short, the agency didn’t identify these as risks.

For many reasons, including the embarrassment caused by these situations, agencies are now focusing on Enterprise Risk Management (ERM). Interest in ERM is growing fast among federal agencies, as seen in the establishment of a chief risk officer in an increasing number of federal agencies and in emerging guidance from the Office of Management and Budget.

What is ERM?

ERM is the management of risks across the organization to enable an agency to achieve its strategic objectives. Agencies need to inventory all risks that might have substantial impact on their performance and achievement of objectives. Agencies need the ability to identify and address key risk areas and the agility to quickly respond.

Identifying and managing risks must be part of setting goals and integrated into plans to achieve those goals. A successful manager in government must not only master previously developed performance management tools, but also must now formally and rigorously address an increased number of uncertainties.

A narrow approach to performance and risk management can pose challenges for an agency. It reduces the organization’s ability to monitor and mitigate critical risks on a timely basis, and it prevents key decision makers from having access to and leveraging risk information. It is possible for an agency to be fully compliant with laws and regulations, but suffer from inadequate risk management, resulting in unexpected events that prevent the agency from reaching its mission, strategic goals and objectives.

Line managers need to consider risk as they work on the following tactical opportunities:

  1. Strategic objectives reviews during which they discuss what project risks and uncertainties exist and whether they can address those to get to the level of performance they want.
  2. Cross-agency priority goals that agencies need to report on every quarter. Here, agencies conduct an assessment of the risk of not meeting the goals.
  3. Agency priority goals, which are a subset of all goals.

How to Get Started on ERM

Agencies need to change the role and objective of the risk function and structure in an agency. Strong and attentive agency managers are needed to integrate risk and performance management. At the same time, risk experts need to become trusted advisors for line managers. This often requires a change of management principles and governance structure. In addition, management processes at the strategic, tactical and operational levels need to receive sufficient risk support in goal setting, planning, performing and evaluating efforts.

To become a fully risk-enabled organization, an organization needs to clearly define and articulate the risk boundaries and appetite, and integrate this into all strategic considerations such as major investment decisions and portfolio risk-exposure levels. Moreover, the ambition and tolerance levels for both risk and results need to be communicated and implemented by senior leadership, establishing a tone at the top, guiding decisions on all levels in the organization.

On a tactical and operational level, agencies need to turn strategic plans and initiatives into objectives, performance prognosis, plans and projects, backed up by fact-based analysis of the most important risk and value drivers. Based on this, agencies can gain more control of uncertainties and opportunities going forward, ultimately improving performance and reducing unwanted risks. To secure alignment between ongoing activities and strategic plans, operational performance feedback should always be incorporated with risk trend and indicator analysis. These analyses should be closely monitored and reviewed to assess relevance and impact. Standard review processes provide agility going forward and enable managers to continuously revise plans, scenarios and focus areas, and escalate deviations if necessary.

To implement ERM, agencies need to take the following steps:

  • Enhance risk strategy within the agency so that risk management can drive accountability across the organization
  • Embed risk management into the organization, including identification, assessment, and analysis of risk across the entire organization
  • Optimize risk management functions, including:
    • Align mandate and scope
    • Coordinate infrastructure and people
    • Use consistent methods and practices
    • Implement common information and technology
  • Improve controls and processes
  • Enable risk management so that the organization manages key risks with processes and controls, embedding consistent risk activities

The success of a political executive’s tenure will depend in large part on the ability of the executive and his or her team to foresee and anticipate unseen problems on the horizon. An Enterprise Risk Management program can greatly assist in achieving an organization’s goals and objectives.

Linda M. Springer is an Executive Director in the Government and Public Sector Practice of Ernst & Young. Prior to joining Ernst & Young in 2008, she was Director of the Office of Personnel Management. She previously served as the Controller at the Office of Management and Budget and head of the Office of Federal Financial Management.

Paul Lawrence is a Principal at Ernst & Young's Government & Public Sector practice. He is co-author (with Mark Abramson) of What Government Does: How Political Executives Manage and Paths to Making a Difference: Leading in Government.