Getting to Ten Will Require More Government-wide Support and Action
On July 16, 2016, the U.S. Office of Management and Budget (OMB) issued a revision to Circular A-123 setting forth expectations for federal agencies to implement and practice Enterprise Risk Management (ERM). The requirements were intentionally flexible, providing substantial leeway in how agencies chose to go about setting up their ERM program. That approach by design was to help get ERM off the ground in a manner that could be tailored to the structure, culture, and needs of each agency, and to avoid the enactment of ERM purely as a compliance exercise.
In the half-decade since the Circular update was issued, several agencies have established effective and integrated ERM programs that are helping them better manage risks and improve decision-making. Those agencies should be acknowledged for the work they have done to establish governance, develop risk identification and assessment processes, prepare risk profiles, and improve their overall risk readiness and response. However, progress across government has been very uneven and, in some cases, ERM programs that had gotten off to a good start faded after leadership and organizational changes occurred.
The COVID-19 pandemic and other risks we currently face in government demonstrate the critical need to have sound risk management practices in place. Doing so can help ensure that we are thinking through the range of risks to agency mission, taking the steps necessary to prioritize those risks, and then acting to reduce the likelihood and impact should they occur. But as those in the risk business know, it does little good to put in place programs that identify risks only to find there is limited support or resources to then do something about them.
We face a challenge at the five-year mark for federal ERM: if agencies are putting forth the effort to identify the most significant risks to agency mission, but then nobody is asking them what those risks are, or engaging in a dialogue about what is needed to manage those risks to an acceptable level, which could entail additional resources, policy changes, new legislative authorities, etc., then the energy and discipline around ERM are at risk of fading. Acting on risks isn’t something agencies alone can accomplish. They need help from a variety of stakeholders, including OMB, the administration, and Congress.
This isn’t a new challenge. The Government Accountability Office (GAO) for decades has published its High Risk List every two years – calling attention to some of the most intractable risks facing government – cybersecurity, human capital management, defense financial management, tax enforcement, the nation’s transportation system, food safety, improper payments, etc. Many of these risks have been on the list as long as it has been in existence. The approach to addressing and managing these risks, though, has largely been left up to each agency – there hasn’t been much of an administration-led or driven priority focus on these – and even the extent to which Congress expects to see agencies addressing High Risks in budget submissions or strategic plans, for example, is spotty at best.
Perhaps the fact that the High Risk List represents GAO’s view of critical risks, and not necessarily the administration’s or the agencies’ views of top risks, has hindered action. To get greater traction and ownership of risk across the federal government, it may be necessary for each Administration to produce its own High Risk List, using the risk profiles that each agency is supposed to be producing per Circular A-123.
While I suspect the top risks on both GAO’s list and the administration’s list might be similar, having an administration-developed and owned list could help avoid the “not invented here” syndrome that might be a factor that has limited action on these risks. But creating yet another list of risks won’t add value if we just end up with another list and no action – that gives you Enterprise LIST Management, it doesn’t give you Enterprise RISK Management. Plus, OMB did try once in the distant past to create and use its own list of top government risks, without much success.
To get past risk list admiration, agency leadership, along with OMB, the administration, and Congress, needs to be using the information that is compiled to inform budget and strategy decisions. To make that happen, however, in an environment with so many competing priorities, we need someone who can commit the time and energy necessary to champion the cause, serve as point person, and take the lead in a formal capacity to promote the adoption and effective practice of ERM across government. To that end, I think the appointment of a federal Chief Risk Officer (CRO) could help.
A federal CRO could raise the profile of federal ERM efforts, help marshal and drive some of the needed enhancements, help facilitate cross-agency collaboration on shared risks, and help strengthen the expectations and requirements over time in terms of what agencies need to be doing around ERM; not the HOW of ERM, but definitely the WHAT – for example, by articulating a set of minimum standards that should be met by each agency.
The idea of naming a federal CRO, of course, may be met with resistance in some areas. It would shine the spotlight on federal ERM and increase expectations and accountability that could be unwelcome to those agencies that haven’t made as much progress in implementing Circular A-123 requirements as was intended, or to those who are fearful of what could result from a more transparent sharing of risks. It also won’t help if we draw more oversight attention to risks but don’t do anything to provide agencies with the support or resources they need to do something about them.
One way to help allay those fears would be to place the federal CRO in OMB – and in conjunction with the naming of a federal CRO – OMB should also strengthen Circular A-11 and other guidance to more fully integrate ERM into planning, budgeting, performance and investment activities. Additionally, every budget examiner in OMB should know what ERM is and should be asking for risk profiles from the agencies they have in their portfolio. Congress should then – in their annual budget hearings and reviews – start asking about those risk profiles and looking at how budget requests align with and are aimed at addressing the most critical agency risks.
We need to realize we are all in this together – if the energy grid goes down, if the water or food supply is tainted, if the tax system fails, etc. – there are consequences for everyone. If we can learn any lesson from COVID, it’s that we need to do more to improve our risk readiness – and not just to better identify risks, but to also better equip government to manage, prepare for, and build the level of resiliency and robustness of our risk response strategies.
Through the 2016 update to A-123, and the early efforts of many federal agencies and risk practitioners, the foundation for meeting this goal has been laid. But building ERM to the next level in the federal government requires a more concerted and collective effort, with more definitive guidance and requirements, and with a designated point person. Naming a federal CRO and equipping her or him with an appropriate and sufficient set of authorities, responsibilities, and resources to lead the way, could help ERM grow and mature so that, on this day in 2026, we’re able to join in celebrating ERM’s tenth birthday!
About the Author. Tom Brandt is Chief Risk Officer for the Internal Revenue Service, a position he has held since 2014. He leads the agency’s enterprise risk and audit management programs, enabling the identification, prioritization, evaluation, and treatment of key risks to achieving the IRS mission as well as coordinating the agency’s handling of oversight audits. Tom is also chair of the Organization for Economic Cooperation and Development’s Enterprise Risk Management Community of Interest for the Forum on Tax Administration. In 2020, Tom completed a three-year term on the Board of Directors for the Association for Federal Enterprise Risk Management, serving as President in 2019.