We all face uncertainty in our everyday lives. It's how we manage uncertainty that matters. We all accept risks. What matters is how we decide how much risk to accept and when.

Government is no different. Movement to enterprise risk management (ERM) by the Office of Management and Budget (OMB) through its overhaul of Circular A-123,

Management's Responsibility for Enterprise Risk Management and Internal Control, signals a new day in risk management.

Agencies are being challenged to identify and focus on the most important risks through the aperture of an enterprise lens across management stovepipes and organizational boundaries. The changes in Circular A-123 are transformative, but only if ERM is viewed as value-added and not a backroom paperwork exercise. Changing the status quo is never easy given deeply-rooted cultures that protect current ways of doing business.

Leading organizations add value through ERM by:

  1. Establishing ownership of the ERM program at the top management level and cascading a culture of risk management throughout the organization. Top management faces many pressing priorities, especially with presidential transition. It will be challenging, but imperative, to gain top leadership support to change the risk culture. Otherwise, ERM can quickly become simply “checking the boxes.”
  2. Appointing a chief risk officer (CRO), sending a strong signal of top management commitment. CROs have to be empowered to add value as a facilitator, while making clear responsibility for risk management lies with program and operations management.
  3. Establishing the risk appetite, making it part of day-to-day management. Otherwise, there’s simply no way to gauge whether organizations are taking too much or too little risk. There can be an upside to taking strategic risk and a heavy price for risk aversion. Unnecessary and ineffective controls waste resources and may introduce risk. Are organizations spending dollars to save pennies, or do they even know?
  4. Considering ERM in strategic planning, such as weighing risk impacts on mission achievement to support resource planning and programming.
  5. Embedding ERM in governance processes, which drive day-to-day management and decision-making. Included are clear roles and responsibilities; well-designed policies and procedures; fact-based tradeoffs; oversight and monitoring; open communications; stakeholder involvement, and maturity models to assess continuous improvement.
  6. Incorporating fraud risk management. Criminals go where there’s money and opportunity. Government offers both, driving enactment of the Fraud Reduction and Data Analytics Act in June 2016.
  7. Identifying risks and assessing what’s currently in place to mitigate them. Circular A-123 addresses mitigation elements, such as understanding internal and external risk environments and risk objectives; using structured, systematic approaches to identify the potential for an undesired outcome, which represent inherent risks; assessing adequacy of responses to inherent risks, with shortfalls representing residual risks; analyzing residual risks to identify causes, likelihood of occurrence and impact and developing alternatives.
  8. Understanding the nature and potential impact of long-tail risks (very low likelihood of occurrence but potentially devastating impacts, such as the housing meltdown) and emerging risks, sitting in the shadows ready to pounce.
  9. Making risk mitigation a critical component of management expectations. This involves risk acceptance, avoidance, reduction and/or sharing, premised on identified “root” causes and not just “a” cause. Defining expectations, so people own mitigation, and set responsive and realistic deadlines. Today, risks too often simmer on the back burner until boiling over. Consider that six of 32 items on GAO’s high-risk list have been there for over 25 years and another 14 for at least 10 years.
  10. Getting started! Often attributed to Mark Twain: “The secret of getting ahead is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first one.”

Risk is inevitable, so make it your friend, while respecting its downside. Use ERM to your advantage in calibrating control systems. Establish a proactive risk culture and imbed risk consideration in the management fiber. Done smartly, ERM drives down costs in tough budget times, while increasing public confidence in government.

Laura A. Price, KPMG Partner and Federal Risk Consulting Leader, and Jeffrey C. Steinhoff, Managing Director KPMG Government Institute, and former assistant comptroller general of the United States for Accounting and Information Management at the Government Accountability Office.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. This article represents the views of the authors only, and not necessarily the views or professional advice of KPMG LLP.

Share:
More In Cyber