The push for enterprise risk management

Executive branch agencies are awaiting new guidance on enterprise risk management from the Office of Management and Budget in the form of an update to Circular A-123. The circular will contain deadlines to motivate government leaders to develop their risk management programs within a short period of time.

The updated circular had been expected in the fall of 2015, but despite the delay, OMB is sticking to the deadline of requiring that the new administration receive agencies' ERM plans on its first day in office in January 2017.

In conjunction with the plan, agencies are preparing to communicate their appetite for risk and provide a list of the strategic risks they have already identified. Savvy leaders are integrating holistic ERM into their decision-making process now as they determine actions to strengthen their agencies against risks.

The circular's origins

An impetus behind the new ERM requirements was a string of high-profile failures of major government programs. In 2015, the updated OMB Circular A-11 included the statement that "agencies are encouraged to leverage any existing enterprise risk management efforts when conducting strategic reviews."

The move forward from that point was rapid, thanks to strong leadership from OMB officials and the support of a collection of federal agencies and industry leaders that stressed the need for enhanced risk communication in the government.

Mark Reger, deputy controller at OMB, has been a driving force behind the increasing momentum to release the updated Circular A-123 and companion guide this year. At a recent meeting of the Association for Federal Enterprise Risk Management, he encouraged agencies to take action immediately to move ERM forward, without waiting for the release of the A-123 guidelines.

The ultimate goal of the circular update is for agencies to proactively identify risks and establish lines of communication to enhance timely risk-informed decision-making and mitigation strategies. The new requirements are expected to help agencies manage risks effectively while achieving their strategic objectives.

Reger has emphasized the need for agencies to use the OMB requirement for ERM to support a shift in culture that identifies risks and swiftly communicates them.

Many agencies -- including the Overseas Private Investment Corp., Smithsonian, U.S. Patent and Trademark Office, and the Centers for Disease Control and Prevention -- are taking action. Others are waiting for the new OMB circular and its companion guide so they can use them as a playbook for best practices.

OMB is encouraging agencies not to wait, however, and is instead suggesting they move forward by adopting other agencies' best practices or hiring consultants.

Finding ways to comply

As a longtime risk management service provider, our firm has developed a robust understanding of the ongoing applications of ERM in industry, the nonprofit world and government. Judging from our experience, agencies will likely respond in one of three ways when OMB issues the update to Circular A-123.

Some agencies, particularly those with smaller budgets or specialized missions, might not perceive ERM as being especially applicable to them. Others might believe their existing management system is sufficient. And some large organizations with skillful internal control departments might conclude that a holistic ERM system is not necessary.

Those groups will fulfill the ERM mandate by adopting an approach that relies on compliance checklists and will probably incorporate ERM into the auditing function.

Other agencies will view ERM as a system that proves its value by producing a "golden nugget" on a frequent basis. That nugget might be identification of a risk that had not been recognized previously or one that emerges from a changing market condition. The value of that type of ERM system will be delivered by a stand-alone team that operates outside the main leadership group. Officials at organizations using that approach will respond to the valuable and timely information by taking action to mitigate risks.

Although that approach has merit, following it means that ERM is intermittent and valued mainly for the most recent risks it has identified.

Some agencies are taking a third and more advanced approach by using ERM as an integral element of operations. They incorporate it into all areas of management and do not view it as a stand-alone tool or annual exercise. Used that way, ERM becomes a vital tool for proactively identifying risks and informing leaders' understanding of risk management.

That holistic approach allows ERM to function as a key component of the organization that supports risk communication and strategic decision-making for leaders. Agencies that adopt this approach will gain a broader, enterprisewide view of the internal and external issues that could adversely affect agency performance or tarnish its reputation.

Factors that influence implementation

Embracing ERM is the logical next step in the development of a government that is determined to decrease its risk exposure while better serving the U.S. public. Even with the circular and playbook, ERM will mature with vastly different implementation styles driven by a number of key influential factors.

The first factor is the placement of the ERM team. Many early adopters in government have been experts in performance management and risk. Organizations led by individuals with those competencies will find it more natural for the ERM role to be handled by the project management office or the head of strategic planning.

OMB is expected to house the new ERM requirement under its management branch (instead of budget), an indication of the importance of ERM as a management function rather than a fiscal one. OMB has recommended that the ERM function be the responsibility of agencies' project management office, strategic planning office or chief operating officers.

However, some agencies might find it easier to expand the chief financial officer's responsibilities because the CFO is already familiar with one element of ERM -- financial risk. And agencies with fully staffed internal control offices might choose to expand that staff's responsibilities to include ERM. (ERM and internal control are naturally interrelated because they flow from the same Circular A-123 mandate.)

The second influencing factor is the tone from the top. The circular will mandate progress in implementing an ERM strategy with which agencies must comply, but agency leaders will set the tone for the level of ERM integration into their systems and processes. Even the most robust and informative ERM system might not deliver value if it is not regarded as a key management tool.

The third factor is whether a given agency has experienced a transforming risk event. Organizations that have recently undergone major distress or experienced a public risk event are typically more amenable to change and more likely to embrace innovative, forward-looking ideas like ERM that decrease the chance of another incident.

The circular update will set the tone for a new era of informed strategic decision-making within government that, when fully embraced, will be an integral part of those organizations. But implementing an ERM system is challenging.

Whether an agency moves forward on its own or looks outside for assistance, it is important to begin taking the first steps now.