The Government Accountability Office (GAO) has updated their risk management framework to more fully include recent experience and guidance, as well as specific enterprise-wide elements; in order to incorporate enterprise risk management (ERM) concepts that can help agency leaders better address uncertainties in the federal environment. As well, the updated guidance should help managers better navigate changing and more complex operating environments due to technology and other global factors, the passage of GPRAMA and its focus on overall performance improvement, and stakeholders seeking greater transparency and accountability. The GAO identified six essential elements to assist federal agencies:
- Align the ERM process to agency goals and objectives- Agency leaders examine strategic objectives by regularly considering how uncertainties, both risks and opportunities, could affect the agency’s ability to achieve its mission
- Identify Risks- Assemble a comprehensive list of risks, both threats and opportunities, that could affect the agency from achieving its goals and objectives
- Assess Risks- Agency leaders, risk owners, and subject matter experts assess each risk by assigning the likelihood of the risk’s occurrence and the potential impact if the risk occurs
- Select Risk Response- Agency leaders review the prioritized list of risks and select the most appropriate treatment strategy to manage the risk.
- Monitor Risks- After implementing the risk response, agencies must monitor the risk to help ensure that the entire risk management process remains current and relevant.
- Communicate and Report on Risks- Communicating and reporting risk information informs agency stakeholders about the status of identified risks and their associated treatments, and assures them that agency leaders are managing risk effectively.
Good ERM Practices being used by Selected Agencies
The GAO identified six best practices that nine agencies are implementing that illustrate ERM’s essential elements, representing steps that federal agencies can take to initiate and sustain an effective ERM process.
Guide and Sustain ERM strategy through Leadership Engagement
Implementing ERM requires the full engagement and commitment of senior leaders, which supports the role of leadership in the agency goal setting process, and demonstrates to agency staff the importance of ERM. Agencies should designate an ERM leader or leaders, commit organization resources to support ERM, and set organizational risk appetite.
To manage ERM activities, leadership may choose to designate a Chief Risk Officer (CRO) or other risk champion to demonstrate the importance of risk management to the agency and to implement and manage an effective ERM process across the agency. The CRO role includes leading the ERM process; involving those that need to participate and holding them accountable; ensuring that ERM reviews take place regularly; obtaining resources, such as data and staff support if needed; and ensuring that risks are communicated appropriately to internal and external stakeholders, among other things.
An example of an agency that incorporated this ERM best practice is the Transportation Security Administration (TSA). The TSA has a CRO who reports directly to agency leadership, leads the TSA in conducting regular enterprise risk assessments of TSA business processes or programs, and overseeing processes that identify, assess, prioritize, respond to, and monitor enterprise risks. An example of committing organizational resources to an ERM initiative is seen in the Office of Federal Student Aid (FSA). The CRO of the FSA dedicated resources to define the goal and purpose of the ERM program and met with key leaders across the agency to socialize the program. Agency leadership hired staff to establish the ERM program and provided risk management training to business unit senior leaders and their respective staff. Lastly, an example of when risk appetite was set is seen in the National Institute of Standards and Technology. The National Institute of Standards and Technology (NIST) ERM Office surveyed its 33-member senior leadership team to measure risk appetite among its senior leaders.
Develop a Risk-Informed Culture to Ensure All Employees Can Effectively Raise Risks
Developing an organizational culture to encourage employees to identify and discuss risks openly is critical to ERM success. Companies can develop a risk-informed culture by encouraging employees to discuss risks openly, training employees on ERM approaches, engaging employees in ERM efforts, and customizing ERM tools for organizational mission and culture.
Examples of agencies who utilize these practices follow. Department of Commerce (Commerce) officials sought to embed a culture of risk awareness across the department by defining cascading roles of leadership and responsibility for ERM across the department and for its 12 bureaus. The TSA’s Office of the Chief Risk Officer (OCRO) has sponsored a number of activities related to raising risk awareness. Lastly, NIST tailored certain elements of the Commerce ERM framework to better reflect the bureau’s risk thresholds. Commerce has developed a set of standard risk assessment criteria to help identify and rate risks, referred to as the Commerce ERM Reference Card.
Integrate ERM Capability to Support Strategic Planning and Organizational Performance Management
Integrating the prioritized risk assessment into strategic planning and organizational performance management processes helps improve budgeting, operational, or resource allocation planning. Agencies can integrate ERM capabilities to support strategic planning and organization performance by incorporating ERM into strategic planning processes and using ERM to improve information for agency decisions.
Examples of agencies implementing this best practice follow. In the federal environment, agencies can leverage the GPRAMA performance planning and reporting framework to help better manage risks and improve decision making. For example, the Department of Treasury (Treasury) has integrated ERM into its existing strategic planning and management processes. Treasury officials stated they integrated ERM into their quarterly performance or data-driven reviews and strategic reviews, both of which already existed. Officials stated this action has helped elevate and focus risk discussions. The Office of Personnel Management (OPM) has a Risk Management Council (RMC) that builds risk-review reporting and management strategies into existing decision making and performance management structures.
Establish a Customized ERM Program Integrated into Existing Agency Processes
Customizing ERM helps agency leaders regularly consider risk and select the most appropriate risk response that fits the particular structure and culture of an agency. Agencies can implement this best practice by designing an ERM program that allows for customized agency fit, developing a consistent, routinized ERM program, and using a maturity model approach to build an ERM program.
Examples of agencies that utilize this best practice follow. The Department of Education’s (Education) Office of Federal Student Aid (FSA) began establishing a formal ERM program, based on the COSO ERM Framework, to help address longstanding risks using customized implementation plans. More specifically, FSA’s framework and materials were customized for it to ensure that they were specific to a government setting, and to capture the nuances of FSA's business model. To identify and review risks, the TSA Risk taxonomy organizes risks into categories so the agency can consistently identify, assess, measure, and monitor risks across the organization, as discussed in the TSA Policy Manual. To assist implementing a department-wide ERM process, Commerce developed an ERM Maturity Assessment Tool (EMAT), as well as a comprehensive guidebook and other tools, to share with its 12 bureaus. The EMAT consists of 83 questions to help bureaus determine their ERM maturity.
Continuously Manage Risks
Conducting the ERM review cycle on a regular basis and monitoring the selected risk response with performance indicators allows the agency to track results and impact on the mission, and whether the risk response is successful or requires additional actions. Agencies that implement this best practice can do so by tracking and monitoring current and emerging risks. An example of a selected agency that does this is when the Department of Housing and Urban Development (HUD) uses risk dashboards to monitor risks. The Office of Public and Indian Housing (PIH) has two risk management dashboards, which it uses to monitor and review risks. The dashboard provides a snapshot view for the current period, analysis of mitigation action to date, and trends for the projected risk. It tracks the highest-level risks to PIH as determined by the Risk Committee, along with the corresponding mitigation plans.
Share Information with Internal and External Stakeholders to Identify and Communicate Risks
Sharing risk information and incorporating feedback from internal and external stakeholders can help organizations identify and better manage risks, as well as increase transparency and accountability to Congress and taxpayers. Selected agencies can implement this best practice by incorporating feedback on risks from internal and external stakeholders to better manage risks, and sharing risk information across the enterprise.
- Examples of agencies that implement this best practice follow. The National Oceanic and Atmospheric Administration (NOAA) and the National Aeronautics and Space Administration (NASA) are creating and sharing inter-agency risk information as part of their joint management of the Joint Polar Satellite System (JPSS) program. These two agencies have a signed agreement of understanding, to share ownership for risk that details the responsibilities for delivering the satellite and overall cost and schedule performance. Sharing information helps promote trust within and outside of the organization, increases accountability for managing risks, and helps stakeholders understand the basis for identified risks and resulting treatment plans. The Internal Revenue Service (IRS) uses the Risk Acceptance Form and Tool (RAFT) to document business decisions within a consistent framework. As part of the RAFT development process, the IRS considers the views of internal and external stakeholders. According to agency officials, the RAFT assists IRS business units in making better risk-based decisions and elevating risks to the appropriate level.