Note: The IBM Center recently released Seven Drivers Transforming Government, a series of essays exploring key drivers of change in government. It is based on our research and numerous insights shared by current and former government officials. This blog is the fourth in a series of excerpts from each of the seven essays. (See the previous post on effectiveness.)
The safety, security, and resilience of the nation are threatened by an array of hazards, including acts of terrorism, malicious activity in cyberspace, pandemics, manmade accidents, transnational crime, and natural disasters. It is the mission of many federal agencies to identify, address, and mitigate these very risks. Along with these external mission-oriented threats, government leaders responsible for managing complex and risky missions, must also take seriously the internal risks they face in meeting their critically important missions. They do this, as we all do, in a dynamic and uncertain world where the past does not serve as a complete guide to the future.
In addition, government leaders operate within an environment where the systems that provide the functions essential for a thriving society are increasingly intricate and interconnected. As technology pervades our everyday lives, once simple devices have become smarter and more interconnected to the world around us. Give what’s at stake, government leaders more than ever must build the capability and capacity to identify, understand, and address risks and potential threats. Assessing the inherent risks facing the public sector, and acting accordingly, is a key driver in transforming government and promoting successful management of programs and missions.
Increased Risks and Threats Facing Government
Risk involves the effect of uncertainty on objectives. With uncertainty facing government widening and deepening, external and internal risks pose threats to achieving an organization’s goals and objectives.
- External Risks. Environmental factors as diverse as an aging workforce, changing social norms, or increased cyber security threats impact federal agencies in multiple ways. These changes occurring in the external environment produce numerous risks over which the organization has little to no direct control.
- Internal Risks. In addition to mission risks caused by events outside the organization’s control, other internal risks can be affected by organizational actions. These actions include internal processes, such as controls, training, values and culture, and are under the direct influence, if not outright control of the organization.
Addressing Risks and Threats
Over the last decade, agencies have begun to take the range of threats more seriously, and have pursued ways to manage and mitigate them. Risk management is such a strategy: it is a series of coordinated activities to direct and control challenges or threats to achieving an organization’s goals and objectives. Dr. Karen Hardy, in Managing Risk in Government: An Introduction to Enterprise Risk Management, identifies enterprise risk management (ERM) as one tool that can assist federal leaders in anticipating and managing risks. ERM provides an enterprise-wide, strategically-aligned portfolio view of organizational challenges that offers better insight about how to most effectively prioritize resource allocations to ensure successful mission delivery.
OMB recognizes ERM as an effective agency-wide approach to addressing the full spectrum of an agency’s external and internal risks. In July 2016, the OMB issued an update to OMB Circular No. A-123 requiring federal agencies to implement ERM to better ensure their managers are effectively managing risks that could affect the achievement of agency strategic objectives. OMB also updated Circular No. A-11, Preparation, Submission, and Execution of the Budget in 2016 and refers agencies to Circular No. A-123 for implementation requirements for ERM. The updated requirements in Circulars No. A-123 and A-11, respectively, help modernize existing management efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review process established by the GPRA Modernization Act of 2010 (GPRAMA). This integrated governance structure can improve mission delivery, reduce costs, and focus corrective actions towards key risks.
Even before OMB required agencies to adopt ERM, some agencies implemented ERM to address risk-based issues and improve their ability to respond to future risks. The IBM Center has published reports highlighting case studies of federal agencies and their ERM efforts, such as the Office of Federal Student Aid (FSA) in the Department of Education, which adopted ERM in 2004, and the Centers for Disease Control Prevention’s (CDC) RiskSmart™ credibility risk management and issues management system.
Tackling the “Internet of Threats”
From the OPM breach to the latest network penetration and hack of a private sector corporation, one of the most pressing hazards facing government agencies and governments involves cyber threats. The growing complexity and danger of the current threat environment—“Internet of Threats”—describes risks faced in moving more physical applications online, a trend magnified by the web-enablement of a broad range of applications commonly referred to as the IoT . The interconnectedness of devices today introduces technologies that connect cyber systems to physical systems. This means that potential disruptions to a system can have large and unanticipated cascading effects.
Indeed, these innovations are a double-edged sword. These new technologies can also help government and industry in identifying and addressing risks and threats; in the online world, cloud-based approaches can enable instantaneous transmission of patches across a network. And artificial intelligence can automate detection of malware and mitigate risk at scale, automating routine decisions and fostering a focus on highest priorities (such as open source vulnerabilities).
At the other end of the technology scale, government continues to rely on archaic systems that retain vulnerabilities—more fundamental modernization strategies, including shared services for secure computing platforms and new technology approaches ranging from identity and access management to encryption, can reduce risk significantly.
Accompanied by sound governance, agencies can adapt new technologies to support overstretched security staff who focus on results while still ensuring compliance. These experts can then address high-priority risk items even as constrained budgets remain the norm.
Given the constant threats and compliance issues that face government teams 24×7 and a world where adversaries only have to succeed once, addressing threat vectors in a risk management framework is critical.
Federal executives must understand the spectrum of risks, develop actions to mitigate risks in compliance with law and policy, and communicate risk response strategies to appropriate target populations. More importantly, assessing the inherent risks facing the public sector, and acting accordingly can drive change in government and promote successful management of government programs and missions. They need to understand and apply a set of tools and techniques and adapt them to their specific operating environment, based on best practices and lessons learned in addressing common as well as unusual risks. Risk management is not simply a compliance exercise but goes to the core of agency mission