Special Edition of The Business of Government Hour
Each week my goal is straightforward: to introduce you to key government executives and thought leaders, who are tackling significant management challenges and seizing opportunities to lead. To complement these examples of leadership in action, I also highlight the practical, actionable research done by some of the most recognized and respected thought leaders in public management.
Whether government leaders or thought leaders, our guests join us for an informative, insightful, and in-depth conversation. Over the last five years, I have interviewed more than 300 of them. It is from this rich library that I have culled together their insights on managing risk in government.
This world is fraught with uncertainty, and all activities entail a certain level of risk. The increasing complexity and interconnectedness of today’s society only ups the ante on the unknown. What makes a difference for individuals and organizations alike is how well they can handle an uncertain environment, with risks ranging from financial to reputational to operational. The way to manage this uncertainty is to build government’s capacity to anticipate and be resilient – to prepare for the future and its effects.
U.S. federal agencies are hardly immune to the slings and arrows of uncertainty, which include sequestration, budget cuts, or a government shutdown. Along with these threats, each day federal agency leaders face similar, as well as unique, risks associated with fulfilling their respective program missions. Today’s headlines are full of stories of failed website launches, cyber hacks, abuses of power, extravagant spending, and a host of other risk management failures. The federal government has taken a hit, with the public’s trust in government continuing to be low, as measured in numerous surveys. This view is shaped in part from some of these stories about how federal agencies could have improved their operational and mission performance, had leaders taken the time to foresee and mitigate potential risks.
The first step in tackling risk is defining it. The conventional view of risk is focusing on a potentially negative impact. Risk management in this context typically focuses on managing threats to objectives. Maximizing the opportunity for success requires that threats and opportunities are managed together. As government leaders allocate and invest resources and develop strategic plans for their agencies, it is apparent that not all risks are threats — some in fact bring opportunities. All future events and the achievement of future results—the heart of strategic planning—are uncertain because they have yet to happen. In identifying, analyzing, and mitigating risk, the methods of Enterprise Risk Management (ERM) can also be a powerful resource for strategic planning and effective decision making. To that end, government leaders should view risk as “uncertainty that matters.”
With uncertainties that face government widening and deepening, external and internal risks pose threats to achieving an organization’s goals and objectives. Such risks include strategic, cyber, legal, and reputational, as well as a broad range of operational risks such as information security, human capital, financial control, and business continuity. Risks come from both outside and inside an organization.
Technological advances have made federal agency systems, infrastructure, processes, and technologies interconnected and interdependent, such that a risk encountered by one area impacts other operations. This interconnected environment makes the managing of risk across the enterprise more necessary than ever. It also precipitates a change in how government leaders view risk, no longer thinking about risk management as largely a compliance exercise or perceiving risks in solely negative terms as something to be avoided. With that as the backdrop, five years ago OMB revised its risk management guidance, Circular A-123, setting forth for the first time a formal governmentwide policy for how government leaders should manage risk and internal control in their agencies.