Enterprise risk management remains elusive for many agencies, but now there’s help

This post first appeared on Federal News Network. Read the original article.

It’s been almost six years since agencies were told by the Office of Management and Budget to develop an enterprise approach to risk management.

Like with many of these unfunded mandates, some agencies are more successful than others.

This is why the Association for Federal Enterprise Risk Management (AFERM) saw an opportunity to provide the first of several helpful guides as ERM is becoming more important to all parts of an agency.

Daniella Datskovska, the president of the Association for Federal Enterprise Risk Management, said the new practice guide will advance and accelerate enterprise risk management.

Daniella Datskovska is the president of the Association for Federal Enterprise Risk Management.

“Why the practice guide is important is because it provides us ammunition to know when something is not right, and what are the mechanisms for escalating and elevating, and that most importantly, the element of risk culture. If I read through this document, and I know that my organization is inline with the main principles of this guidance, I feel empowered to speak up if I see that a risk is about to materialize, and I know that we pay attention as an organization,” Datskovska said in an interview with Federal News Network. “In addition to just being a well-rounded person and understanding that this is a discipline that exists and here are the examples of how you can implement some of the areas of practice related to ERM, it also empowers and gives you tools on how you need to manage risk and what are the important elements of doing that with very specific examples.”

AFERM broke down the 21-page practice guide into four areas:

  • Enterprise risk governance
  • ERM maturity model and maturity assessment,
  • Risk appetite statement
  • Establishing the context

“There is a very structured way of how we approached the practice guide. We defined what an area is. For example, if we talk about enterprise risk governance, our first area of focus, we describe what it is and we intentionally used the description as it applies to federal government,” Datskovska said. “We also define what we believe as AFERM the main principles and attributes of ERM governance or any of the other areas. We try to give very practical examples of what it means and what it looks like. So if, for example, we talk about enterprise risk governance, one of the attributes is understanding what constitutes organizational value. We would describe what an organization organizational value is; we would explain why it is important, and then we would give examples of how agency might achieve that attribute of organizational value.”

Special attention to smaller agencies

The guide also helps agencies further establish processes and models that can be used in mission and back-office areas just the same.

Datskovska said agencies need to align risk decisions horizontally and vertically as well as among internal and external stakeholders.

“The structure that we followed the description, the principal, the attributes, the examples, it’s really, we felt, a natural way of presenting the information,” she said. “All of the people who participated in building this first release document are all practitioners. They’ve designed, implemented and sustained ERM programs.”

And because AFERM members are practitioners, they also gave special attention to smaller agencies, understanding that not every agency has the personnel and resources to develop and implement at agencywide ERM program.

For example under the risk appetite section, AFERM wrote, “For small agencies and agencies with a board of governors, commissioners or directors, the RAS can be approved by the chief operating officer (COO), chief financial officer (CFO) or another designated agency executive. It is a good practice to discuss the RAS with the board for concurrence and to modify as necessary to incorporate board input.”

ERM needs to be consistent, integrated

Datskovska said AFERM consciously wrote the guide in a way that anyone from an ERM expert to someone just learning about the practice could understand and find useful.

“I think that the guide is a great source of receiving confirmation that you’re on the right track. When you look at the area of examples, the definitions of how we describe what the governance is or how we describe what the maturity model is or how you assess maturity, risk, appetite, etc., but when you go beyond definitions, and you go into the example areas, it not only provides you a confirmation that you’re on the right track, but also if you look at that list of examples of activities  and you haven’t considered it and there are no objective reasons for it, then it’s a wonderful, practical guide on what could be done in any given area,” she said. “In one of the attributes that were discussed within the governance, for example, as risk information informs agency decision making, and that’s a good one, I think, because the ultimate goal of ERM is to help senior leaders and leaders across the organization to make better risk based decisions.”

Another common theme throughout the guide is to make sure ERM is consistent and integrated across the entire agency.

Datskovska said the guide should help agencies find gaps in their ERM program as well as understand how to fill those gaps. This is where the ERM maturity model and assessment methodology comes in.

“The beauty of the maturity model that we are referencing, and many of the agencies are using, is that it’s very flexible. Every agency may decide they are at a certain level of maturity in one pillar, like governance, but a different one around risk reporting,” she said. “One of the key factors that influences maturity is the tone at the top. How much support you get from your leadership? So if somebody is just beginning, they could use the module within the areas of practice to give them guidance. This document gives further practical recommendations on where to start on the maturity model.”

For many agencies, getting to level three is when they will start seeing real value and evidence from ERM.

“One particular point that I think is important and more and more being mentioned among practitioners is you have to be patient. The point is the bottom line is that you need to be patient to be able to see the value in the benefits becoming real,” she said.

Datskovska said AFERM will offer new practice guides over the next year to focus on other aspects of ERM.

This entry was posted in Uncategorized. Bookmark the permalink.
 

Leave a Reply

Your email address will not be published.