Federal Enterprise Risk Management 2018 Survey Results

Chief Risk Officers are having a positive impact on their agencies.  That’s one of the newest findings from the fourth annual survey of Enterprise Risk Management in the Federal government, conducted by Guidehouse and AFERM (the Association of Federal Enterprise Risk Management).

When the Office of Management and Budget updated Circular A-123 in July 2016 with the new title “Management’s Responsibility for Enterprise Risk Management and Internal Control,” a surge in new ERM programs was kicked off across the Federal government.  The Guidehouse/AFERM annual survey of ERM in the Federal government continues to track the progress of those programs and the impact they are having on their agencies.  This year’s responses confirm previous results, while also identifying emerging trends.

While Federal ERM on the whole continues to demonstrate limited capability maturity in many areas, two trends are evident in this year’s survey results that are generating improved outcomes for government agencies.  Consistent with previous years, Federal organizations that have had their ERM program established for three or more years continue to achieve improved outcomes.  A core conclusion is that ERM is a journey, and persistence helps drive capability maturity that leads to enhanced results. Moreover, a new theme emerged this year, providing evidence regarding the positive impact that Chief Risk Officers (CROs) are having on their organizations.  More pronounced than ever before, organizations with ERM programs led by a CRO exceed the performance levels of those programs that do not have a formal CRO.  This result is evident in the degree to which ERM programs are integrated with other management processes, in embracing the cultural aspects of ERM, and in overall program effectiveness and benefits to the organization.

The following is a summary of some of the additional overarching themes from this year’s survey:

  • Cyber Security/Privacy Risk is identified as the top risk area (both current and anticipated in the near future), followed by Human Capital Risk and Operational/Programmatic Risk. In contrast, a number of risk areas were identified as receiving significant management focus and resources despite low perception of actual current and anticipated risk.
  • Training & Awareness is highlighted as the top area of focus over the next 12 months. This is consistent with the results that less than a third of organizations are currently providing sufficient risk management training.
  • With its highest result in the history of the survey, OMB Circular A-123 represents the primary motivator for the establishment of a Federal organization’s ERM program, particularly for larger organizations and those with newer ERM programs.
  • Enhanced management decision-making is broadly realized as a benefit from Federal ERM programs, but none of the other benefits in the survey are being realized by more than a quarter of respondents.
  • Integration of ERM programs with other management processes such as strategic planning, performance and execution processes, and budgetary processes remains low, with the latter representing the least integration.
  • The results from the culture-related ERM questions all score, on average, at the midpoint rating or below. There was, however, a notable increase in providing a risk transparent environment that promotes open risk discussions between managers and staff.
  • The results from the performance evaluation section on ERM capabilities also score below the midpoint rating on each question, with the best result related to how well organizations view the effective management of risk as a value add/organizational advantage.
  • The top three barriers to establishing a formal ERM program remain unchanged from a year ago: (1) Bridging silos across the organization, (2) Executive-level buy-in and support, and (3) Rigid culture and resistance to change.
  • The top three impactful improvements organizations can make to better position themselves for effective risk management are: (1) Tone-at-the-top, Executive support for risk management, (2) Culture change to accept risk management as part of day-to-day business, and (3) More clear linkage, alignment, or integration of risk with strategy and performance.
  • Fewer than 10% of organizations across any of our demographic groups indicate having a well-understood risk appetite statement that is integrated into strategy and decision-making.

The survey highlights a number of these areas in which results vary based on the size of the organization, the duration of the ERM program, and the position in charge of the program (such as a CRO).

The Federal ERM survey was conducted by Guidehouse and AFERM between July 20 and August 13, 2018.  Links to the online survey were sent to government members of AFERM, as well as to select leaders in the Federal ERM community who were not AFERM members at the time of the survey.  The survey was only distributed to government personnel.  While all respondents received the same set of initial questions, subsequent questions followed one of two prescribed paths based on whether the respondent’s organization had already implemented an ERM program.

Given that a random sample was not used to select the survey population, this approach represents a nonprobability sample which may not be generalizable to the entire Federal population.  However, the survey respondents did span the breadth of the Federal government and across a number of demographic categories.  In terms of organizational representation, responses were received from a total of 21 Federal organizations (all but one from the Executive Branch), including 12 of the 15 Cabinet agencies.  In many of these cases, additional variety was represented across multiple components or bureaus of these broad departments or agencies.

Copies of the survey, including this year’s question-by-question results, comparisons to last year’s results, demographic breakdowns, and analysis can be obtained on the Guidehouse website at www.guidehouse.com/federalerm and at the bottom of this page.

About Guidehouse

Guidehouse provides management, technology, and risk consulting to clients around the world through more than 1,600 professionals in over 20 locations.  At our core, we focus on building trust in society, solving important problems, and having a seat at the table for our clients’ most pressing matters.  Formerly part of PwC, Guidehouse provides the exceptional quality our clients demand with the agility and innovation to go beyond the expected.

About AFERM

AFERM is the only professional association solely dedicated to the advancement of Enterprise Risk Management (ERM) in the Federal government through thought leadership, education and collaboration.  AFERM provides programs and education about benefits, tools and leading practices of Federal ERM and collaborates with other organizations and stakeholders to encourage the establishment of ERM in Federal departments and agencies.  For more information about AFERM, please visit AFERM.org.

For more information, please contact:

David Fisher
Managing Director
Public Sector Risk Consulting Leader
dfisher@Guidehouse.com
571-251-2260

Tom Brandt
President
Association for Federal Enterprise Risk Management
president@aferm.org