The push for enterprise risk management

Savvy agency leaders are already integrating holistic ERM into decision-making processes as they wait for new guidance from OMB.

Executive branch agencies are awaiting new guidance on enterprise risk management from the Office of Management and Budget in the form of an update to Circular A-123. The circular will contain deadlines to motivate government leaders to develop their risk management programs within a short period of time.

The updated circular had been expected in the fall of 2015, but despite the delay, OMB is sticking to the deadline of requiring that the new administration receive agencies' ERM plans on its first day in office in January 2017.

In conjunction with the plan, agencies are preparing to communicate their appetite for risk and provide a list of the strategic risks they have already identified. Savvy leaders are integrating holistic ERM into their decision-making process now as they determine actions to strengthen their agencies against risks.

The circular's origins

An impetus behind the new ERM requirements was a string of high-profile failures of major government programs. In 2015, the updated OMB Circular A-11 included the statement that "agencies are encouraged to leverage any existing enterprise risk management efforts when conducting strategic reviews."

The move forward from that point was rapid, thanks to strong leadership from OMB officials and the support of a collection of federal agencies and industry leaders that stressed the need for enhanced risk communication in the government.

Mark Reger, deputy controller at OMB, has been a driving force behind the increasing momentum to release the updated Circular A-123 and companion guide this year. At a recent meeting of the Association for Federal Enterprise Risk Management, he encouraged agencies to take action immediately to move ERM forward, without waiting for the release of the A-123 guidelines.

The ultimate goal of the circular update is for agencies to proactively identify risks and establish lines of communication to enhance timely risk-informed decision-making and mitigation strategies. The new requirements are expected to help agencies manage risks effectively while achieving their strategic objectives.

Reger has emphasized the need for agencies to use the OMB requirement for ERM to support a shift in culture that identifies risks and swiftly communicates them.

Many agencies -- including the Overseas Private Investment Corp., Smithsonian, U.S. Patent and Trademark Office, and the Centers for Disease Control and Prevention -- are taking action. Others are waiting for the new OMB circular and its companion guide so they can use them as a playbook for best practices.

OMB is encouraging agencies not to wait, however, and is instead suggesting they move forward by adopting other agencies' best practices or hiring consultants.

Finding ways to comply

As a longtime risk management service provider, our firm has developed a robust understanding of the ongoing applications of ERM in industry, the nonprofit world and government. Judging from our experience, agencies will likely respond in one of three ways when OMB issues the update to Circular A-123.

Some agencies, particularly those with smaller budgets or specialized missions, might not perceive ERM as being especially applicable to them. Others might believe their existing management system is sufficient. And some large organizations with skillful internal control departments might conclude that a holistic ERM system is not necessary.

Those groups will fulfill the ERM mandate by adopting an approach that relies on compliance checklists and will probably incorporate ERM into the auditing function.

Other agencies will view ERM as a system that proves its value by producing a "golden nugget" on a frequent basis. That nugget might be identification of a risk that had not been recognized previously or one that emerges from a changing market condition. The value of that type of ERM system will be delivered by a stand-alone team that operates outside the main leadership group. Officials at organizations using that approach will respond to the valuable and timely information by taking action to mitigate risks.

Although that approach has merit, following it means that ERM is intermittent and valued mainly for the most recent risks it has identified.

Some agencies are taking a third and more advanced approach by using ERM as an integral element of operations. They incorporate it into all areas of management and do not view it as a stand-alone tool or annual exercise. Used that way, ERM becomes a vital tool for proactively identifying risks and informing leaders' understanding of risk management.

That holistic approach allows ERM to function as a key component of the organization that supports risk communication and strategic decision-making for leaders. Agencies that adopt this approach will gain a broader, enterprisewide view of the internal and external issues that could adversely affect agency performance or tarnish its reputation.

Factors that influence implementation

Embracing ERM is the logical next step in the development of a government that is determined to decrease its risk exposure while better serving the U.S. public. Even with the circular and playbook, ERM will mature with vastly different implementation styles driven by a number of key influential factors.

The first factor is the placement of the ERM team. Many early adopters in government have been experts in performance management and risk. Organizations led by individuals with those competencies will find it more natural for the ERM role to be handled by the project management office or the head of strategic planning.

OMB is expected to house the new ERM requirement under its management branch (instead of budget), an indication of the importance of ERM as a management function rather than a fiscal one. OMB has recommended that the ERM function be the responsibility of agencies' project management office, strategic planning office or chief operating officers.

However, some agencies might find it easier to expand the chief financial officer's responsibilities because the CFO is already familiar with one element of ERM -- financial risk. And agencies with fully staffed internal control offices might choose to expand that staff's responsibilities to include ERM. (ERM and internal control are naturally interrelated because they flow from the same Circular A-123 mandate.)

The second influencing factor is the tone from the top. The circular will mandate progress in implementing an ERM strategy with which agencies must comply, but agency leaders will set the tone for the level of ERM integration into their systems and processes. Even the most robust and informative ERM system might not deliver value if it is not regarded as a key management tool.

The third factor is whether a given agency has experienced a transforming risk event. Organizations that have recently undergone major distress or experienced a public risk event are typically more amenable to change and more likely to embrace innovative, forward-looking ideas like ERM that decrease the chance of another incident.

The circular update will set the tone for a new era of informed strategic decision-making within government that, when fully embraced, will be an integral part of those organizations. But implementing an ERM system is challenging.

Whether an agency moves forward on its own or looks outside for assistance, it is important to begin taking the first steps now.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.