Managing risk in the public sector has taken on new significance in light of the government and national response to COVID-19.
The safety and security of the nation faces threats from this as well as an array of longer-term hazards, including acts of terrorism, malicious activity in cyberspace, manmade accidents, natural disasters. The need for effective risk management in government—and the consequences of a failure to adequately address risk—have become increasingly evident.
While historically, the federal government had tended to focus on the managing of risk in silos, over the last five years the Office of Management and Budget (OMB) has emphasized the critical importance of managing risk from an enterprise perspective while also providing guidance to federal agencies on how best to build this discipline and enhance their risk-based decision making capabilities. Building an accepted culture and framework in which to properly understand, manage, and communicate risk is a leadership imperative. Recognizing the spectrum of risks and developing strategies and tools to incorporate risk into decision-making and action can help government leaders better plan for and respond when crises arise.
Over the decade, the IBM Center has invested substantial time and resources in researching the discipline, application, and use of risk management in government. We have published the work of leading academics as well as captured the expertise of front-line practitioners chronicling their insights and recommendations in a vast array of Center reports and interviews. It is from this rich library that we present a blog series dedicated to strengthening risk based decision-making capabilities within government.
This blog series will explore such topics as lessons learned from the evolution of risk management in government; enterprise risk management (ERM) and how it can help improve decision making; managing the risks associated with artificial intelligence; and managing specific financial, IT, cyber, and program risks.
Here’s a brief video introducing the Center’s Risk Management research portfolio and highlighting many of the reports we have published in this area. Immediately following this video is a kick off piece that highlight the evolution of risk management in U.S. federal government.
In the IBM Center book, Government For The Future: Reflection and Vision for Tomorrow’ Leaders, we have identified six major trends that have driven government management reforms. This contribution highlights the evolution of risk management in U.S. federal government. For more detail, see the chapter on Assessing Risk.
Government agencies are hardly immune to the effects of uncertainty. Stories abound about troubled website launches, cyber hacks, abuses of power, extravagant spending, and a host of other risk management failures. The public’s trust in government continuing to be low as measured in numerous surveys. This view stems in part from stories about how federal agencies could have improved their operational and mission performance, had leaders taken the time to foresee and mitigate potential risks.
Defining Risk as “Uncertainty that Matters”
The first step in tackling risk is defining it. The conventional view of risk focuses on potentially negative effects. Risk management in this context typically addresses managing threats to objectives. As Thomas Stanton and Douglas Webster describe in their 2014 book, Managing Risks and Performance: A Guide for Government Decision Makers (which was complementary to their IBM Center report, defining risk as merely a threat that objectives will not be achieved leaves unanswered the question of how to actively balance risks that may pose opportunities as well as threats. To that end, government leaders should view risk as “uncertainty that matters.”
With uncertainties that face government widening and deepening, external and internal risks pose threats to achieving an organization’s goals and objectives. Such risks include strategic, cyber, legal, and reputational, as well as a broad range of operational risks such as information security, human capital, financial control, and business continuity. Risks come from both outside and inside an organization
Ways of Managing Risks
Our research has identified three primary approaches to how agencies have managed risk in the past:
- Use of internal control: The U.S. Government Accountability Office (GAO) has defined “internal control” as a set of activities that provides reasonable assurance that the objectives of an agency will be achieved— specifically, effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
- Use of siloed approaches to risk management: The International Standards Organization (ISO) defines “risk management” as coordinated activities that direct and control an organization with regard to risk. In 2006, GAO defined this as a continuous process of assessing risks, reducing the potential that an adverse event will occur, and putting steps in place to deal with any event that does occur. Risk management involves a continuous process of managing—through a series of mitigating actions that permeate an entity’s activities—the likelihood of an adverse event and its negative impact. Typically, traditional risk management has been implemented in “silos”—that is, specific functions such as financial management, or specific programs such as flood management.
- Use of Enterprise Risk Management (ERM): The international risk management society, RIMS™, defines ERM as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio,” rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically aligned portfolio view of organizational challenges that offers improved insight about how to more effectively prioritize and manage risks to mission delivery.
The first two approaches provide the necessary foundations for the effective use of the third. According to OMB: “ERM is viewed as a part of an overall governance process, and internal controls as an integral part of risk management and ERM.”
Evolution of Risk Management: 1998-2018
The evolution of risk management policies in U.S. federal agencies over a twenty-year period can be divided into three phases, as shown in the following chart:
Early action: Early efforts in the 1980s and 1990s to manage risk in government focused largely on internal and administrative controls, with some application of traditional risk management principles. Congress passed laws, OMB issued guidance, and the General Accounting Office (since renamed the Government Accountability Office) defined standards—all in an effort to prescribe how federal agencies should manage internal risks (i.e., financial, human resources, systems, compliance, and operations risks). This early emphasis on internal control was part of a burgeoning movement focused on improving accountability in federal programs and operations that addressed fraud, waste, and abuse (see, for example, the box about GAO’s High-Risk Government Programs later in this chapter). Federal agencies also began to employ, on an ad hoc and frequently siloed basis, risk management approaches to manage functional risks. Risk management practice also matured generally, with the issuance of a “first of its kind” standard risk management framework and process by the international Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Expansion: Recognizing the benefits of managing risk from an organiza- tion-wide enterprise perspective, federal agencies incrementally expanded their use and adoption of formal ERM disciplines and principles beginning in the early 2000s. Lacking a formal federal risk management policy, agencies acted independently to leverage practices with proven track records in the private sector and had access to an increasing number of ERM frameworks and processes. The emergence of chief risk officers began in federal agencies. The coalescing of informal networks of risk management practitioners and thought leaders championed the benefits of ERM as a critical management tool. Revised OMB policy guidance on agency strategic planning and reviews suggested the use of ERM in agency strategic planning, signaling ERM as the way forward for managing risk in federal agencies.
Institutionalization: Technological advances have made federal agency systems, infrastructure, processes, and technologies interconnected and interdependent, such that a risk encountered by one area impacts other operations. This interconnected environment makes the managing of risk across the enterprise more necessary than ever. It also precipitates a change in how government leaders view risk, no longer thinking about risk management as largely a compliance exercise or perceiving risks in solely negative terms as something to be avoided. With that as the backdrop, OMB revised its risk management guidance, Circular A-123, setting forth for the first time a formal governmentwide policy for how government leaders should manage risk and internal control in their agencies. Federal agencies must now implement an ERM framework that also integrates their existing internal control process.
The risks facing government agencies are hardly static. They morph and transform in ways never seen before. It is a leadership imperative for government executives to mitigate the potency of uncertainty by managing the realities of risk. In an increasingly uncertain, complex, and interconnected world, the need for determined and adept risk leaders will be greater than ever.
Many current transformations (i.e., blockchain, artificial intelligence, robotics, and smart technologies) have the potential to make government function more effectively. Each of these advances bring unique risks, as well as their potential application in managing current risks. OMB has mandated the use of ERM, an increasing number of federal agencies have recognized the value of ERM, and they are starting to take actions to make ERM an important part of their operational model to address emerging transformations beyond simply meeting external requirements.
However, today’s digitally disruptive environment continues to usher in new and evolving threats. The immediate future is already taking shape:
Increased technological risk. Technological advances—as represented by artificial intelligence (AI), big data, robotics, the Internet of Things, blockchain technology, and the implications of the share economy—are transforming the risk environment and ushering in new benefits and new risk for government. Though the immediate effects of these changes may appear over time, some if not all will permeate the operations of agencies into the future. As one observer notes, “Technological risk is expected to become increasingly complex with the growth of new technologies beyond those currently recognized.” The Center’s reports on managing risks in the use of AI provide a insights on how agencies can address technology risks.
Given this reality, agency risk architecture and ERM governance will need to identify suitable ways to prioritize, respond, and ultimately manage new and potentially unknown and unknowable risks. Technological risk leads to greater uncertainty, compelling government leaders to look ahead with “strategic foresight.” Making strategic foresight an integral discipline within ERM can help agencies anticipate risks and prioritize resources accordingly.
Increased interconnectedness of different kinds of risks. Many federal agencies now collaborate with external parties to achieve mission outcomes. This interconnectedness means these entities share data, systems, and thus a level of risk. Agency leaders must identify innovative ways to manage risk collectively in an increasingly networked and collaborative world. Couple the changing nature of how work is done with the proliferation of new technologies described above, and agency leaders must proactively address the risks associated within an increasingly complex organizational ecosystem.
Cultivating agile and adaptive risk leaders. The perception of risk has evolved over time. Risk should not be viewed as inherently negative and something to avoid, but rather as a potential way to create value and enhance performance. Managing risk must become an integral part of an agency’s strategic mission. Agency leaders will need to expand their knowledge and experience while honing essential risk management skills. For example, today’s risk leader may have a basic, albeit insufficient, understanding of the components of technological risks. To be ready for the future will require them to become cognizant of technological advances and their implications on how an agency operates. Successful risk leaders in the future must be adaptive, informed, and ready for the impact of inevitable change.
As government operates in a world of increasing speed and complexity, and as citizens expect better, faster, and more cost-effective results, managing risk becomes ever more critical. Government executives need to understand and apply tools and techniques like ERM to their specific operating environment to understand and make decisions about inherent risks – understanding risk management in addressing from today’s public health and economic needs, and building risk awareness into government’s long-term decisionmaking capacity.
Next up: Improving Government Decision Making through Enterprise Risk Management