What exactly is enterprise risk management?

It's more than simply rolling up the traditional risk management efforts — and it's increasingly critical for agencies.


This article is adapted from the IBM Center for the Business of Government’s recent report, “Improving Government Decision Making through Enterprise Risk Management.”

Often, the risk that hits an organization hard might not be the one that the organization was anticipating. As organizations have become more experienced in applying basic risk management, the shortcomings of the traditional approach to managing risks in functional and programmatic silos have become more obvious. This has led to slow but ongoing progress toward implementing the principles of enterprise risk management.

One of the earliest formal definitions of ERM was introduced by the Casualty Actuarial Society. In a 2001 report by its Advisory Committee on Enterprise Risk Management, CAS defined ERM as follows: “ERM is the process by which organizations in all industries assess, control, exploit, finance, and monitor risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”

More recently, the Association for Federal Enterprise Risk Management (AFERM) defined ERM as “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprisewide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals and objectives.”

Those definitions are instructive, in part because they point out that ERM is more than simply “good” risk management as traditionally practiced in silos. AFERM’s definition references “the full spectrum of an organization’s risks,” while the CAS definition cites risks “from all sources.” Both definitions inherently require a top-down, strategically driven approach to risk identification.

Some distinguishing characteristics of ERM

The Risk and Insurance Management Society has identified seven characteristics that yield insight into what constitutes enterprise risk management:

  • Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.).
  • Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual silos.
  • Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances and stakeholders.
  • Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks.
  • Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature.
  • Views the effective management of risk as a competitive advantage.
  • Seeks to embed risk management as a component in all critical decisions throughout the organization.

Those characteristics clearly distinguish ERM from practices that are sometimes incorrectly understood to be ERM.

However, such a comprehensive view of risk will not emerge simply from a bottom-up aggregation of risks identified within functional and programmatic silos. The need to incorporate risk management into the strategic planning process is an inherent part of any meaningful ERM program, and again, it requires a comprehensive view of major risks to the agency and its programs.

Another shared aspect of those definitions is that they position ERM not as an end unto itself but rather as an element of a broader objective. Risk management is simply an element of effective organizational management, and the AFERM definition reflects the tie of ERM to improved decision-making and the achievement of the organization’s mission, goals and objectives. The CAS definition indicates that ERM leads to increased short- and long-term value.

Finally, the AFERM definition indicates that ERM enables a portfolio view of organizational risks. Just as a portfolio of personal financial investments is intended to maximize the risk-adjusted return on investment for retirement planning, so, too, treating an organization’s array of products and services as a portfolio — and balancing resources against performance objectives and risks across that portfolio — serves to maximize long-term organizational stakeholder value.

Evolution of ERM in the federal government

Although the concepts of ERM outlined above have been maturing in the private sector for the past two decades, their introduction into the public sector is more recent. What is believed to have been the first enterprisewide implementation of ERM in the federal government happened at the Office of Federal Student Aid (FSA) in the Education Department.

In 2004, FSA hired a chief risk officer (CRO), Stan Dore, who is believed to have been the first person in the federal government to fill such a position. FSA formally approved the creation of a dedicated ERM office early in 2006. Since those initial efforts, FSA has continued to mature its ERM processes and organization.

In 2008, Doug Webster, a co-author of this report, was serving as the chief financial officer at the Labor Department. With a strong belief in the value of ERM, he reached out to other federal executives who shared that interest. Early in 2008, this informal group established itself as the Federal ERM Steering Group and joined with George Mason University to convene the first Federal ERM Summit.

That annual event has been held every year since and has become the key event for bringing together those interested in ERM in the federal government. In 2011, the Federal ERM Steering Group was formally incorporated as the aforementioned AFERM.

Despite the impetus provided by AFERM and its annual summits, progress in the federal government was initially slow. In the Association of Government Accountants’ annual Federal CFO Survey in 2010, five federal executives were noted as having a formal risk management process at their agencies, including the designation of a CRO to facilitate ERM.

Although that certainly represented progress from FSA’s initial appointment of a CRO, the surveyed organizations represented a small portion of the federal government. Moreover, meaningful progress was impeded because conflicting messages were being sent about the true meaning of ERM.

For example, in the Association of Government Accountants’ 2011 Federal CFO Survey, 50 percent of respondents indicated that they believed that ERM was adequate at their organizations. However, one respondent said, “We have risk management committees of senior executives and subject-matter experts aligned with each portion of our financial balance sheet. They recommend actions to a national risk committee to evaluate the risks.”

That statement reflects a common misunderstanding of the differences between a functional risk (e.g., financial reporting) and meaningful ERM.

Although the principles of ERM may be applied within a functional area to manage risk (such as impacts to reliability in a balance sheet), that approach does not represent the principles of ERM applied across an agency. In that same study, only 29 percent of respondents said there was a designated risk management office or operation at their agencies.

The lack of a central coordinating risk management office raises the question of whether a meaningful ERM program was in place. As the authors of this report have sought to explain in describing ERM, there is a need for a central office or function generating centralized risk management policy, establishing cross-functional risk management processes, facilitating collaborative risk management discussions and prioritizing risks.

In 2011, the term ERM might have been more broadly recognized than the understanding of the underlying concepts, but organizations have since sought to improve on that understanding. The winter 2013 edition of the Armed Forces Comptroller, the journal of the American Society of Military Comptrollers, focused largely on ERM, thereby helping to spread the word about the principles of ERM in that community.

An additional effort aimed at helping inform the federal community about ERM principles and practices was the publication of the book “Managing Risk and Performance: A Guide for Government Decision Makers” (Wiley, 2014), co-edited by the authors of this report.

Despite the initially slow progress and misunderstanding of the term “ERM,” concrete progress is now demonstrably underway. In the book just referenced, the last of 10 recommendations offered for the federal government was to “incorporate ERM explicitly into Circular A-11 and [Office of Management and Budget] reviews of agencies.”

On July 25, 2014, OMB released an update to Circular A-11 (its annual guidance to agencies on the preparation of their budget submissions) that recognized ERM as an important practice for managing agency risk.

OMB’s efforts to encourage an ERM approach

OMB’s current interest in ERM has evolved over time but became more evident early in 2013. OMB began working with the Government Accountability Office to provide input on an update to Standards for Internal Control in the Federal Government (commonly known as the Green Book) and to consider how evolution of the Green Book might influence internal controls policy reflected in OMB Circular A-123, Management’s Responsibility for Internal Control.

With the release of the exposure draft on internal controls by GAO in fall 2013, OMB sought to encourage a more robust consideration of risk management than the check-the-box compliance attitude sometimes seen at federal agencies. The awareness of ERM was at least partly responsible for the effort to move beyond a focus on internal controls in A-123 to a broader view of risk management.

The next version of A-123 (at the time this report was published) is thus expected to broaden the role of A-123 beyond internal controls to include other aspects of risk management.

In parallel with those developments, in 2013, OMB asked the CFO Council for suggestions on what OMB and the CFO Council might focus on as initiatives in the coming year. The No. 1 suggestion from the CFO Council was ERM.


FCW Magazine (June 30, 2015)


CFOs felt they were doing a good job of financial management and risk management within financial management but were struggling with other types of risk. OMB thus started a working group on ERM under the CFO Council. One result of this working group was to convene a CFO Council forum. The forum had most of the CFO Council in attendance and was both an educational discussion on the meaning and practices of ERM and a discussion of next steps in the council’s engagement with ERM.

In October 2014, OMB Controller David Mader said during a panel discussion that “we have begun talking about how do we think about risk more broadly than just financial risk? I think when you look at [circulars] A-11 and A-123, those were all born out of the CFO Act. So everyone is narrowly focused on ‘Well, it’s about financial risk and it’s about internal controls.’ What we are doing now is stepping back and thinking isn’t there really a way to take the lessons learned and what we’ve accomplished with A-11 and A-123 and broaden that perspective across the entire organization, particularly around mission programs?”

Mader went on to state that OMB believes there needs to be an enterprise risk protocol across government and that OMB would provide that guidance late in 2015.
