In July of 2010, the Center for Strategic & International Studies (CSIS), a Washington based non-partisan organization focused on research and analysis related to policy initiatives, conducted a workshop where they gathered risk practitioners from various US government agencies to discuss the results of a risk management practices survey conducted by CSIS. Once this was completed, 14 case studies were done in different agencies to see the different types of risk management practices that were standard operating procedure.
In all, the paper, which is authored by Matt Squeri, Christ Jones, and Becca S. Smith, gave several similarities between many of the agencies were found in the risk assessment and risk implementation phases of a risk management process in a typical agency in the United States government.
Within the Risk Assessment phase, the following similarities were found:
- Setting the context – Every agency looks internally and externally at the risk environment to understand what they are dealing with. Government agencies also take a careful look at the global strategic environment, something that does not always need to be done in a business setting.
- Considering non-risk factors – The non-risk factors in this context include the attitude toward risk. Specifically, an example of this would be Americans’ low tolerance for nuclear industry accidents.
- Assessing consequence and likelihood – The UN Office of Internal Oversight Services defines this as the “potential of an event to influence the achievement of the organization’s objectives and goals.”
- Acknowledging uncertainty and variance – Many agencies admit during their risk assessment process there will be surprises during the process of doing business.
Identifying crosscutting risks – Risks often cut across functions and geographies, and this is something that is acknowledged and understood by many agencies.
The Risk Implementation phase had the following similarities between American government agencies:
- Decentralizing implementation – Leadership roles in risk management are divided up, on the average, according to individual threats and missions.
- Comparing alternatives – Government agencies often take the time to deliberately identify alternatives and analyze the risks associated with each alternative.
- Emphasizing transparency – Public access to risk factors is becoming much more of a priority to American agencies.
There are also many differences between agencies. For example, many agencies assign similar tasks to people that play different roles within a single organization. There are also very different levels of documentation of the risk management process. The US Nuclear Agency documents everything and has the documents available for public consumption, while other government agencies are not so transparent. This was a main criticism of the CSIS regarding US government risk management – the Nuclear Agency is the exception, not the rule.
As a result of the study, the CSIS came up with some best practices in seven categories, strategic environment and objectives, risk lexicon, identifying/assessing risk, implementing risk management systems, communicating risk, organizational culture, and leadership. The practices they suggest are the following
1. Strategic Environment and Objectives
• The risk management process should begin by understanding the environment by appreciating and thinking about objectives, stakeholders, constraints, influences, and risk criteria.
2. Risk Lexicon
• Consistent definitions need to be across the organization so everyone fully understands and coherent in risk discussion.
3. Identifying and Assessing Risk
• Should be done within the organization’s strategy and goals.
• Risk assessment should consider items like enterprise-level risks, crosscutting risks, residual risks, secondary risks, cascade risks, and cumulative risks.
• Assumptions should be limited, but transparent in the risk management process.
• Risks should be prioritized in a rational fashion.
4. Implementing Risk Management Systems
• Standards should be flexible enough to be able to tackle diverse missions and risks.
• Cost/benefit analyses should be done when assessing the effectiveness of a risk management process.
• The risk information derived from the process should “tee up” discussions about risk.
5. Communicating Risk
• Stakeholders need to be communicated to transparently in regards to the risk management process.
6. Organizational Culture
• Risk management should be embedded in the day-to-day process of the agency, not something that is “someone else’s job.”
• Materially relevant accountability procedures should be present within an organization when risk management processes are ignored.” There should be a strong tone at the top in regards to risk management.