Tools and Tactics to Manage Risks and Build Resiliency
With the IBM Center for The Business of Government’s next due date for new research report proposals approaching on September 6th, we are publishing additional perspectives on our research topics over the next week in the form of blog posts focused on each topic. The insights in these posts draw from dialogue that helped to frame the research agenda, as well as subsequent content relevant to each research topic area. We hope that these posts provide potential research applicants and authors of upcoming reports with additional context to help frame final proposals and draft reports that follow.
We lead today with our third topic, Fostering Resilient Institutions. ~
The safety, security, and resiliency of nations and their institutions face a vast array of risks and hazards, including pandemics, malicious cyber activity, terrorism, accidents, transnational crime, fraud, natural disasters, and climate change. High impact and hard to predict events like COVID-19 reveal vulnerabilities and weaknesses in systems and across sectors. The pandemic highlighted serious weaknesses in the global supply chain, hampering government responses to life-threatening situations. When governments do respond by creating assistance programs to offset financial hardship resulting from economic impacts, these programs can increase exposure to fraud, waste, and abuse.
Crises of the past few years have underscored the need for U.S. federal agencies to strengthen and mature robust and rigorous enterprise risk management programs. In an increasingly volatile and uncertain period, agency leaders must complement these risk management efforts by inculcating resilience management approaches that go beyond event-specific business continuity or crisis management plans. Pursuing these disciplines simultaneously better positions agencies to understand acceptable risks, enabling them to redirect resources and get ahead of new and emerging threats — building resilient organizations that can turn disruption into opportunity.
Understanding a Complex Risk Landscape
COVID-19 revealed the evolving and complex risks that government agencies confront. Yet as the pandemic recedes, this risk landscape will remain. Many risks – aging IT systems, cybersecurity threats, supply chain vulnerabilities, impacts of climate change, workforce skills gaps, or program integrity – have the potential to disrupt agency programs, mission support operations, and the ability of federal agencies to conduct the business of government. Government resilience follows from the resilience of its institutions.
The Biden-Harris administration has recognized the significance of these risks and has issued Executives Orders (Executive Order 14028: Improving the Nation’s Cybersecurity, Executive Order 14030: Climate-Related Financial Risk, and Executive Order 14008: Tackling the Climate Crisis at Home and Abroad) and guidance on how agencies should manage and mitigate them. For example, the use of technologies such as social media, the Internet of Things, mobility, artificial intelligence, and cloud computing by government agencies has great benefits, but has also increased potential cyber risks. Cyberattacks against government are becoming more common and more severe – a trend made more pronounced as agencies have increased reliance on digital networks for distance work in the response and recovery efforts around COVID-19.
Technological advances have made federal agency systems, infrastructure, processes, and technologies interconnected and interdependent, such that a risk encountered in one area has the potential to cascade. Given this interconnected operational environment, managing risk across enterprises becomes s more necessary than ever. As noted in the GAO report, Cybersecurity: Agencies Need to Fully Establish Risk Management (GAO-19-384), cybersecurity risks must be addressed and integrated into an enterprise-wide risk management program.
Today’s risk landscape requires a unified, coordinated, disciplined, and consistent approach, no longer focused on risk management as a compliance exercise or perceiving risks solely as problems to avoid. Research is needed on reconceiving risk management as a value-creating activity integral to strategic planning, decision making, and organizational resiliency. As former federal Chief Information Officer Suzette Kent so aptly notes:
“people and operational changes due to service delivery being significantly more digital, workforce in hybrid location mode and massive growth in automation and artificial intelligence…drive the need to reexamine workforce, risk practices, and operational resiliency”
The IBM Center recently launched an initiative to help governments grow more resilient in the face of increasing risks. This effort promotes research on preparing for and responding to shocks that increase in frequency and magnitude.
Strengthen and Mature Enterprise Risk Management
In 2016, OMB updated Circular No. A-123, requiring federal agencies to implement enterprise risk management (ERM) to ensure agencies effectively manage risks that can potentially derail mission delivery. These flexible requirements offered agencies considerable latitude in how they set up ERM programs. This approach tied ERM to the structure, culture, and needs of each agency, avoiding the treatment of ERM as a compliance exercise. IBM Center research has validated ERM as a strategy to address agency exposure to risks that impact mission, strategic goals, and operations, enabling agencies to manage risks and foster organizational resiliency.
In almost six years since the A-123 update, a growing number of agencies have implemented effective and integrated ERM programs, establishing governance, developing risk identification and assessment processes, preparing risk profiles, and improving their overall risk readiness and response–helping them better manage risks and improve decision-making. However, some agencies have not. “Progress across government has been very uneven,” admits Tom Brandt, former chief risk officer at IRS and past president of Association of Federal Enterprise Risk Management (AFERM), “and, in some cases, ERM programs that had gotten off to a good start, faded after leadership and organizational changes occurred.”
The pandemic underscored the need for continued, strengthening, maturing, and expanding of ERM across federal agencies. “Doing so”, according to Brandt, “can help ensure that we are thinking through the range of risks to agency mission, taking the steps necessary to prioritize those risks, and then acting to reduce the likelihood and impact should they occur.” But he, like many government risk professionals, sees challenges knows for programs that identify risks only to find limited support or resources to enable action.
What can research contribute to strengthen and mature ERM? First and foremost, this is a leadership imperative. The disruption of the current pandemic heightens this reality. The Partnership for Public Service in its report, Mastering Risk: Ways to Advance Enterprise Risk Management Across Government, outlines steps federal agencies should consider as a path to strengthen and mature ERM within agency operations:
- Push, don’t just pull, risk information. Rather than simply gathering risk information from core programs, add value by analyzing the information—such as for a risk appetite statement—and delivering it in a timely way to stakeholders who perform vital management and program functions.
- Increase the use of data and analytics. Use data to support an agency’s ability to identify and analyze risk, to aid stakeholder decision-making and to track the ERM program’s progress in responding to risks.
- Use technology to integrate a wider range of existing internal and external data (and move away from manual data calls in spreadsheets) to generate evidence-based risk analysis and targeted response activities that build senior leaders’ commitment to ERM
- Integrate ERM both at the enterprise and program levels. Increase integration between the ERM program and individual office risk management activities.
- Use ERM to strengthen response and future risk preparedness. ERM programs can help anticipate threats to effective crisis response—including identifying potential subsequent impacts. This could enable agencies to develop scenario-based contingency plans, test response plans and continually scan for the next emerging risk.
This last point illustrates how a complementary focus on resiliency management would benefit agencies and further embed the critical importance of strengthening and maturing risk management at the enterprise level – getting ahead of known risks offers an opportunity to build organizational resilience.
Pursuing Organizational Resiliency as a Strategic Imperative
Gartner recently identified organizational resilience as a strategic imperative, complementing the work of a fully functioning risk management program. By using ERM to provide visibility, leaders can monitor identified risks and mitigate them before they turn into disruptions or crises. DOD recognized this reality when it announced a supply chain resiliency working group to address systemic barriers limiting supply chain visibility, conduct resiliency assessments, and develop effective mitigation actions. The working group will look at ways to increase visibility into the supply chain, identify risks and issues early, and implement proactive remedies.
Organizational resiliency is “the ability of an organization to resist, absorb, recover and adapt to…disruption in an ever-changing and increasingly complex environment to enable it to deliver its objectives, and rebound and prosper.” Research into a strategic approach to resilience can enable agencies to go beyond simply developing business continuity and crisis management plans, which tend to be event specific. “Instead of perpetuating the illusion that we can anticipate the future, risk management should [also] try to reduce the impact of threats we don’t understand.” Focusing resources in this direction positions agencies to effectively handle risks and threats that may be unknown or unlikely, but have the potential to totally disable and disrupt their operations. These sorts of risks are typically characterized as low-probability and high impact. Getting a better handle on how best to prepare and respond to them rests on a solid enterprise view of managing risk, complemented by a disciplined focus on strategic resilience management. It is about continuing to manage risks we understand, but also placing greater emphasis on establishing processes and mechanisms that can help agencies absorb unexpected system shocks and not only bounce back but bounce forward. Bouncing forward means learning from these situations and using that knowledge to strengthen capacity to respond with agility and adaptiveness.
During the pandemic, many federal agencies continued to deliver on their missions amidst uncertainty. The Internal Revenue Service distributed billions of dollars in stimulus payments to millions of individuals in only two months, and the Department of Veterans Affairs handled an almost fifteenfold increase in telehealth appointments for veterans’ physical and mental health services. These and many other agencies experimented and adapted to unprecedented demand for government services. Even DOD proved nimble enough to support large-scale telework in response to the pandemic, taking only a handful of weeks to move millions of workers into a viable and secure “work from anywhere” environment. Similarly, FEMA turned crisis into opportunity by using desktop validation instead of on-site inspection to issue public assistance (PA) disaster grants; this protected workers from COVID-19 exposure and expedited the disaster grant process. The Transportation Security Administration (TSA) used feedback from agents to identify the best way to protects workers; input from employees in the field now help shape future requirements for personal protective equipment (PPE), shielding and technology, to keep both passengers and officers safe. These are just a handful of examples of organizational resiliency across federal agencies in the wake of the pandemic.
Planning for Future Disruptions
Agencies would benefit from research on how best to engage in early warning activities to foster resiliency. Leveraging strategic foresight — a planning tool to develop the critical thinking, planning, and management competencies for considering the impact of long-term uncertainties on near-term decision making – can help. It is a necessary frame for making strategically important decisions in an increasingly complex world to reduce the risks of unanticipated consequences. It is both a mindset that keeps future impacts in mind in all decision-making, and a set of activities that aid and improve the planning processes. It is important to note that foresight is not about predicting the future so much as it is identifying plausible alternative futures. Engaging in foresight works best when informed by the agency’s ERM efforts. Better understanding an agency’s risk profile, risk appetite, and risk registry allows leaders to identify and prepare for low-probability, high impact risks that most often test organizational resiliency.
A range of tools and techniques can help agency leadership think outside the box in exercising foresight. For example, scenario planning and simulation are key tools in envisioning the future. These involve crafting multiple future scenarios to explore and learn from in terms of implications for present. actions. When engaging in these exercises key questions include:
- what programs and operations are mission critical?
- what level of disruption could be absorbed from a major event?
- At what level of disruption, would activities be temporarily or permanently impaired?
- Where is redundancy or additional support required and how can it be put in place and readied for the time when needed?
Complementing this type of planning is horizon scanning, a formal examination of information flows to identify potential threats, risks, emerging issues, and opportunities. Research here can help leaders plan for disruption, but also assist them to anticipate and prepare organizations to survive and thrive. Engaging in scenario planning and horizon scanning exercises can result in the development of playbooks that outline response programs for potential events, which support the development of resilience capabilities and justify funding such efforts.
The COVID-19 pandemic has demonstrated that federal agencies must continue to strengthen and mature ERM programs while also pursuing organizational resilience as a strategic imperative. It is about dedicating time and resources to create mechanisms and capacity with the goal of being better prepared for future disruptive events. As observed in the IBM Center report, Managing The Next Crisis: Twelve Principles For Dealing With Viral Uncertainty, governments confront a cascade of “unknown unknowns” (the category of unknowable events that tend to be the difficult ones), for which anticipatory measures can take years or decades to develop. Indeed, the nation will likely face far more uncertainty in the future, making effective responses more important. This new operating reality affords government leaders an opportunity to reflect, learn, and build organizations that are more agile, adaptive, innovative, and able to mobilize swiftly and operate in new ways. Now more than ever, government leaders can take a holistic view of the managing of risk and building resiliency, prioritizing what they do know and preparing for what they don’t.