
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Ask the Experts</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;rss=33xrNIhm</link>
<description></description>
<lastBuildDate>Thu, 7 May 2026 00:49:54 GMT</lastBuildDate>
<pubDate>Mon, 25 Nov 2024 19:21:05 GMT</pubDate>
<copyright>Copyright &#xA9; 2024 Association for Federal Enterprise Risk Management</copyright>
<atom:link href="https://www.aferm.org/members/blog_rss.asp?id=2142464&amp;rss=33xrNIhm" rel="self" type="application/rss+xml"></atom:link>
<item>
<title>How can the Agency ERM process and Risk Appetite Principles be used to assist in mitigating strategic (long-term) risks resulting from COVID-19?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505321</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505321</guid>
<description><![CDATA[<p><strong>Question asked by Frank Clark</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>COVID-19 is a classic black swan event.&nbsp; Black swan events, as defined by Nassim Taleb, cannot be prevented and can be prepared for only by emphasizing agency antifragility. The COVID-19 pandemic is a realized issue with the emphasis on solving the immediate problems. However, an agency’s objectives and strategies may be influenced in the medium-to-long-term.</p>
<p>ERM processes should include recurring opportunities to survey current conditions and future assumptions and adjust objectives and strategies as appropriate.&nbsp; The COVID-19 pandemic is certainly one of those opportunities.&nbsp; Once adjustments are put into place, an agency can examine known uncertainties and their treatment plans.&nbsp; They can also explore new uncertainties that could impact the revised objectives and strategies.&nbsp;&nbsp; Risk appetite statements and thresholds should also be reviewed, as what was once considered to be important may not be as important now.&nbsp; Agencies should examine existing uncertainties in the light of new understanding.&nbsp; Impact assessments may change and may no longer meet the adjusted appetite thresholds.&nbsp; New uncertainties that emerge from the altered future landscape must be examined against the updated risk appetite.</p>]]></description>
<pubDate>Sat, 2 Nov 2024 12:18:19 GMT</pubDate>
</item>
<item>
<title>What are some of the top challenges facing agencies in integrating the OMB A-123 ERM framework with strategic objectives and decision-making processes?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505322</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505322</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>The greatest challenge to most organizations is overcoming cultural inertia, or reactions to cultural change.  Organizations don’t change quickly or easily, and the practices prescribed by OMB A-123 introduce fundamental changes to organizations’ processes for decision-making and setting strategic objectives.  Cultural change is often difficult, regardless of the need or reasons.  Success takes time, leadership and management commitment and buy-in at all levels, clear and relevant objectives, and continuous and consistent communication.<br />
<br />
We’d love to hear more of the specific challenges you may be facing within your organization.  Please join the discussion by posting a comment below.</p>]]></description>
<pubDate>Sat, 2 Nov 2024 12:21:22 GMT</pubDate>
</item>
<item>
<title>What methods can agencies use to identify risks that are not already realized problems?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505323</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505323</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Realized problems are by definition issues, also known as deviations from expectations.  The events and conditions that caused the concern have already occurred and are usually referred to in the past tense.  By comparison, unrealized problems, also known as risks, are usually referred to in the future tense or as “what if” questions.  The key to distinguishing unrealized risks from realized risks is to look at where they are in time and how they are described.  In summary, when an issue is identified in past tense it is typically a realized problem while an issue identified in future tense, or as a “what if” statement, represents a potential threat or opportunity.</p>]]></description>
<pubDate>Sat, 2 Nov 2024 12:24:27 GMT</pubDate>
</item>
<item>
<title>How does the application of ERM differ in making risk mitigation decisions vs. routine decision making?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505324</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505324</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Decision making is seldom routine.  At its core ERM is the same as risk management activities conducted at lower levels within an organization.  The differences lie in the objectives and the uncertainties that impact them.  The objectives at an ERM level are different in that the plans are more strategic than tactical, so it follows that the uncertainties are typically broader in nature requiring the need for varied responses.  The decision making process itself involves similar steps but will apply different decision criteria and engage varied levels of stakeholders within an organization.</p>]]></description>
<pubDate>Sat, 2 Nov 2024 12:26:34 GMT</pubDate>
</item>
<item>
<title>Private businesses often balance between company profit and insolvency risk. Is it necessary to perform similar analysis as part of a public sector ERM program, and how would that analysis differ?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505864</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505864</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>In the government there is no profit metric or insolvency risk.&nbsp; However, there are costs associated with responding to uncertainties and benefits resulting from those efforts.&nbsp; For government entities the balancing act occurs between response costs and the benefits received from the results.</p>
<p>When an uncertainty has the potential for positive or direct impact, measuring the benefit received is straightforward and can occur after the fact.&nbsp; However, when uncertainty has potential for negative impact measuring the benefits received becomes more challenging.&nbsp; This results from measuring an outcome that, if the response effort is successful, does not occur.</p>
<p>In both situations the business case for responding to a particular uncertainty hinges on the organization’s ability to estimate response costs against the benefits received.&nbsp; As such, an organization’s confidence in those estimates becomes vital to the decision making process.</p>]]></description>
<pubDate>Sun, 24 Nov 2024 17:25:15 GMT</pubDate>
</item>
<item>
<title>The benefits of ERM are often difficult to quantify. Are there measures or common practices to convey the value of ERM in more quantifiable terms?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505865</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505865</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Quantifying value of any kind is dependent upon what is being measured.  For example, risk management measures the impact of uncertainty against an organization’s objectives, so the unit of measurement depends upon those objectives.  For cost or price-related objectives a common metric is money.  For schedule-related objectives it is typically a unit of time.  Metrics will vary for performance-related objectives based on key performance parameters or requirements.  Like all useful measures, those parameters should be SMART – that is, Specific, Measurable, Attainable, Realistic and Time-bound.  The Project Management Institute article “Quantifying Risk: Measuring the Invisible” describes several methods aligned with cost, schedule, and technical objectives.</p>
<p>Beyond that traditional risk management triad, the ability to quantify ERM value depends on whether the objectives can be quantified.  For example, objectives related to staffing in an enterprise can be quantified by head counts or staff hours.  Government compliance-related objectives can be quantified by number or severity of audit findings.</p>
<p>Other objective categories can be a little more difficult.  For example, measuring reputation or safety.  Fortunately, even when an objective defies static quantification its change can still be measurable.  Survey results, while not so meaningful taken individually, can provide a measure of an enterprise’s reputation over time.  A count of incident reports on any given day may not be a meaningful measure of safety, but when tracked over time can support objectives to improve such a critical factor of business success.</p>
<p>In short, quantifying objectives is a critical step in defining the terms needed to convey the value of an organization’s risk management efforts.  In closing, Albert Einstein reportedly once wrote on a blackboard: “Not everything that counts can be counted, and not everything that can be counted counts.”</p>]]></description>
<pubDate>Sun, 24 Nov 2024 17:28:49 GMT</pubDate>
</item>
<item>
<title>What information would be helpful for a young adult with a finance degree and specialization in insurance/risk management?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505866</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505866</guid>
<description><![CDATA[<p><strong>Full question</strong>: <em>I am a recent college graduate and am trying to gain more information on the world of risk management. What information would be helpful for a young adult with a finance degree and specialization in insurance/risk management? I have been reading up on ERM frameworks and am currently working in a claims role. There is extensive information out there and I have no idea where to look.</em></p>
<p><strong>Question asked by Chris Harley</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>At the most fundamental level risk is defined by the International Organization for Standardization (ISO), which says risk is the impact of uncertainty on objectives.  There are three important pieces to that definition in order of need: objectives, uncertainties, and impacts.</p>
<p>Understanding risk begins with objectives and the plans put in place to attain them. Stemming from those plans are the uncertainties in executing those plans.  Uncertainties have the potential to impact the plans and subsequently the ability to achieve your objectives.</p>
<p>It is important to note that you can’t manage uncertainties themselves, but you can manage how you respond to them.  That is where risk management comes in.  Risk management is a collection of practices that can help you identify uncertainties, prioritize objectives and plans to identify which uncertainties to address, and determine the appropriate response or non-response.</p>
<p>The particular practices used will vary depending on the enterprise and its objectives.  For example, the homeowner’s ‘enterprise’ objectives may include minimizing catastrophic loss from a wide range of uncertainties.   As such, taking out homeowner’s insurance is a contingency response to those risks.  Conversely, an insurance company’s objectives would include profitability and growth.  Risk Management practices may include demographic analysis, damage assessment techniques, and probability simulations.  Responses may include insurance for the insurance company, also called reinsurance.</p>
<p>My advice is to begin with a fundamental understanding of risk management as the principles are the same for the individual and the enterprise.  The <a href="https://www.pmi.org/" target="_blank">Project Management Institute</a>, the <a href="https://www.rims.org/" target="_blank">Risk Management Society</a>, the <a href="https://www.rmahq.org/" target="_blank">Risk Management Association</a>, the <a href="https://theirm.org/" target="_blank">Institute of Risk Management</a>, and of course, AFERM are all excellent sources for getting started.  The AFERM Summit held each year (October 29th and 30th in downtown D.C.) is a great opportunity to network with other risk management professionals.</p>
<p>Thank you for your question Chris, and good luck in your career!</p>]]></description>
<pubDate>Sun, 24 Nov 2024 17:31:59 GMT</pubDate>
</item>
<item>
<title>How can ERM help bring value and insight during the strategic planning process?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505898</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505898</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Broadly, ERM brings value to the strategic planning process in several different ways.  First, establishing the context stage of the ERM process provides understanding of major internal and external considerations that can enable the success of the strategic plan or present significant obstacles to achieving strategic goals and objectives.  Armed with this understanding, the outcome of the strategic planning process can emphasize enablers and work to minimize potential barriers.  A second value contribution stems from how OMB defines risk: “The <em>effect of uncertainty</em> on achievement of objectives.  An effect is a deviation from the desired outcome – which <em>may present positive or negative results</em>” (emphasis added).  Thinking about risk as “uncertainty” vice only as a potential threat, helps ERM provide input in strategic planning on potential new opportunities to pursue and increase the value the organization delivers through its programs and activities.  The final value contribution ERM provides to strategic planning is providing the strategic planning team with a detailed understanding of potential impacts to the organization if a key risk event occurs, along with information on the approved risk response plans.  Both of these elements can be used during strategic planning to help structure goals and objectives with a higher probability of success.  This link is to a paper produced by the ERM Initiative at North Carolina State University that provides a couple of case studies on integrating ERM with strategy.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:37:11 GMT</pubDate>
</item>
<item>
<title>How can Chief Risk Officers (CRO) and ERM practitioners support Cyber Risk professionals to integrate existing cyber risk management models into the overall framework?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505899</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505899</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Version 1.1 of the National Institute of Standards and Technology (NIST) <em>Framework for Improving Critical Infrastructure Cybersecurity</em>, released in July 2018, makes it much easier for CROs and Chief Information Officers (CIO) to align the cybersecurity framework with the agency’s ERM program.  Revised definitions and the introduction of various terms (e.g., risk tolerance) makes the NIST framework align more closely with existing ERM terminology and approaches.  Additionally, Version 1.1 explicitly acknowledges that the NIST framework is not intended to be rigidly applied, but instead, tailored to the needs and environment of the organization.  As stated on page vi, “The decision about how to apply it is left to the implementing organization.”  The greater compatibility with ERM and the flexibility and encouragement to tailor both risk management efforts to the organization provide the basis for integrating cybersecurity within the broader ERM framework.  Figure 2 on page 12 shows an example of how the NIST framework integrates with overall agency risk management efforts.  The revised framework can be found <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf" target="_blank">here</a>.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:38:52 GMT</pubDate>
</item>
<item>
<title>What is the difference between a challenge and a risk?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505900</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505900</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>The main difference is that a risk is an event that could possibly occur in the future, while a challenge (often referred to as an issue) is an event that has already occurred.  Thinking about this question as the Office of Management and Budget (OMB) defines risk (uncertainty), there is really no distinction other than the level of confidence you have in assessing the event likelihood (see likelihood scale examples on page 97 in the Playbook) and events that fall under either term can be present on the Enterprise Risk Management (ERM) risk register.  There is a higher level of confidence in assigning a very high likelihood if the event has already occurred than for events with some level of probability of occurring in the future.  It is often easier to assess and evaluate challenges because you can identify the actual causal chains that led to the event which facilitates identifying root cause(s).  Similarly, with events that have already occurred, it is much easier to identify the actual impact on the organization rather than having to predict what the impact might be.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:40:03 GMT</pubDate>
</item>
<item>
<title>What are some proven methods to generate more active involvement of stakeholders in ERM efforts?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505901</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505901</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>One way to generate more active involvement in Enterprise Risk Management (ERM) is to make sure your stakeholders truly have “skin in the game.”  As in any human activity, people get involved and stay involved with ERM efforts and practices when they can see personal benefit from the involvement.</p>
<p>People generally perceive benefit in two ways.  Some will only see benefit in saving their skins, and such individuals tend to concentrate on threats.  Others will see benefit in improving their game and will tend to focus on opportunities.  It has been my experience that people with an opportunistic mindset tend to be more engaged than people focused on self-preservation; however, either set of individuals will have personal reasons for being involved and active.</p>
<p>Now, it turns out the amount of skin anyone in the enterprise may have depends on their role in the game.  The enterprise defines those roles, either directly and specifically or not, by how enterprise goals and objectives translate to individual strategies and plans.  The enterprise also defines how the individuals play the game by the culture it creates and nurtures.  A culture that promotes continual improvement, encourages taking appropriate risks, and exercises appropriate accountability and rewards innovation will foster opportunistic thinking.  A culture that focuses on maintaining the status quo, on punishing failure, on protection rather than promotion, and does not have clearly defined goals and objectives will foster risk intolerance.</p>
<p>Where does the risk management come in?  Remember, the reason for risk management, whether practiced at the enterprise or individual level, is to improve the likelihood of successfully meeting or exceeding our goals and objectives.  When an enterprise’s goals, objectives, strategies, and plans are translated to individual stakeholders and they accept their role, they will have something to lose and will embrace risk management practices.</p>
<p>To build a more effective ERM community, consider the following:</p>
<ul>
    <li>At the top, clearly define enterprise goals and objectives with strategies and plans to achieve those goals</li>
    <li>Actively and regularly scrutinize the enterprise’s goals, objectives, strategies, and plans for the purpose of making them better</li>
    <li>Delegate the strategies and plans to the stakeholders and make it clear that the enterprise expects them to adapt their delegated strategies and plans into supporting plans of their own</li>
    <li>Promote a culture that encourages people to identify and spend more resources on opportunities and fewer resources on threats.</li>
</ul>]]></description>
<pubDate>Mon, 25 Nov 2024 11:41:32 GMT</pubDate>
</item>
<item>
<title>What are some common strategies to identify and assess emerging risks or risks with a longer horizon?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505902</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505902</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>This is really two different questions.  Emerging risks, by definition, represent uncertainties caused by evolving current or near-term events and conditions.  Because they are near-term, we can easily recognize changes in current events and conditions that have the potential to impact objectives and plans.</p>
<p>To use one of the four dimensions of risk impact, emerging risks have high urgency.  The changes and their potential impacts are either happening now or will happen soon.  For example, consider the stock market.  Stock prices change continuously, driven in large part by investors’ perceptions of the impacts of immediate changes in market conditions.  Changing conditions can have an almost immediate impact on stock prices.  By comparison, risks with a long horizon have low urgency, so they are not likely to impact objectives until well into the future.  Objectives with far horizons involve events and conditions far away from present day, and they generally have lower likelihoods.</p>
<p>International Electrotechnical Commission (IEC)/International Organization for Standardization (ISO) 31010 “Risk management–Risk assessment techniques” (2009) includes several risk identification techniques applicable to forecasting near-term or emerging risks.  These include Checklists, Business Impact Analysis, and Cause and Effect Analysis.  These and several others are particularly useful for identifying near-term or emerging risks because they can take advantage of our knowledge of current events and conditions.</p>
<p>Other ISO 31010 risk identification techniques are useful for longer-range objectives and uncertainties.  These include Brainstorming, Delphi, Structured What-If (SWIFT), and Scenario Analysis, among others.  They depend less on current knowledge than on our ability to imagine the future and assess its impacts.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:42:40 GMT</pubDate>
</item>
<item>
<title>What are some methods/strategies for promoting a healthy risk culture across the agency?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505903</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505903</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>It is important to establish a common definition of risk culture.  The Risk Management Society (RMA) defines risk culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes towards taking and managing risk within an institution.”  In my opinion, this definition appropriately focuses on attitudes and behaviors as the driving force behind organizational culture because it is ultimately the people, and not the processes and procedures, that determine ERM program success.  A useful model to think about with respect to promoting culture is the Attitude-Behavior-Culture (A-B-C) model where culture derives from repeated behaviors, behavior is influenced by attitude, and attitude is influenced by culture.  (Hillson, 2013) <a href="https://www.pmi.org/learning/library/understanding-risk-culture-management-5922" target="_blank">https://www.pmi.org/learning/library/understanding-risk-culture-management-5922</a></p>
<p>Culture change efforts can focus on shaping attitudes and reinforcing the desired behaviors associated with the desired risk culture.  Considering strategies in relation to the A-B-C model, knowledge and understanding are key to shaping attitude.  There are several approaches that an agency can consider, including frequent communications, specific training on the ERM program, using ERM as a common thread woven throughout agency-provided training, and providing other learning forums.  Strategies to address the behavior component could include setting expectations and reinforcing the desired risk management behaviors.  Creating clearly defined risk appetite statements for employees allows them to apply the statements to the decisions they make within their assigned responsibilities.  Adding a risk management core competency or performance goal to performance appraisals can be useful.  Additionally, having clearly defined and enforced risk management policies and processes that guide behavioral expectations, along with recognizing and rewarding the desired behaviors, are significant ways to establish and reinforce how the agency expects its employees to behave, individually and collectively.  The final culture component of the A-B-C model can be addressed through periodically assessing the risk culture of the organization and by setting the right tone at the top, and through an effective and transparent risk governance process.  These aspects are the most important according to Hillson, and the results of a 2013 study conducted by RMA.  <a href="https://www.rmahq.org/WorkArea/DownloadAsset.aspx?id=5452" target="_blank">www.rmahq.org/WorkArea/DownloadAsset.aspx?id=5452</a></p>
<p>It is important to remember that changing culture is very much an evolutionary endeavor and not a revolutionary one.  It is one of the most difficult leadership challenges, takes considerable effort and time and is difficult to measure progress.</p>
<p>Hillson, D. (2013). The A-B-C of risk culture: how to be risk-mature. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:44:28 GMT</pubDate>
</item>
<item>
<title>What are some techniques to leverage ERM information for the Strategic Objective Review (SOR) process?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505904</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505904</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>One of the benefits of aligning ERM with agency strategy is developing information that strengthens the agency’s strategic review process.  Recognizing a root cause and identifying outcomes or impacts of the key risk events that can inhibit or enable realizing the strategic goals and objectives of the agency provide greater insights into what actions, resources, and our authorities may be needed.  Explicitly discussing the risks to strategic objectives and the consequences of the risks, if they manifest, presents an objective argument that supports the actions taken to achieve results and demonstrates that the agency has a thorough understanding of the issues and key challenges to accomplishing its goals.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:45:27 GMT</pubDate>
</item>
<item>
<title>Should agencies automatically focus resources on risks with the highest levels of residual risk, or should more energy be placed on those that may exceed established risk tolerances?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505905</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505905</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>As with most questions of discretion and management choice, the appropriate course of action is dependent upon considerations beyond residual risk rating or exceeding the agency’s established risk tolerance boundaries or risk appetite level.  ERM informs the resource allocation and internal decision-making processes and should not necessarily trigger the focus of resources in any one direction.  There may be a range of other factors that agency leaders must consider when deciding where and how to address key risks.  For example, the risk may stem from entirely external factors beyond the control of the agency and may require extensive deliberation and negotiation before an acceptable course of action to influence these factors is set and resources focused to respond.  There may be broader political considerations that motivate leaders to elect to apply resources to one risk over another.  The decision of where to focus may also be influenced by the resources at hand.  It may be the better decision to apply existing resources to one risk over another because the agency has those resources available but needs to attain the resources needed to address another risk.  Finally, the actions available to the agency may have already been exhausted, and nothing else can be done to reduce the likelihood or minimize the impact if the event materializes, but the residual risk still exceeds the established risk appetite level.  Simply monitoring leading key risk indicators may be the only option.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:46:44 GMT</pubDate>
</item>
<item>
<title>Of those ERM programs that have a formal communications program, what does it look like?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505907</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505907</guid>
<description><![CDATA[<p><strong>Question asked by Gary Fouts</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>I'm creating a communications plan for the agency I support as a contractor (FEMA-FIMA). I wanted to hear the depth and breadth of other comms plans supporting ERM. Thanks.</em></p>
<p>AFERM EXPERTS SAY...</p>
<p>Formal communication programs are crucial for organizations striving to achieve their objectives.  One way to approach communications strategies for an Enterprise Risk Management (ERM) program is through discussion of vertical and horizontal communications.  Although a very simplistic model in principle, the discussion can prove beneficial.  A communication plan facilitates information transfer between the bottom and top levels, as well as every level within the organization and across stakeholder pools on horizontal platforms.  Simply put, a communication program can support communication up and down (support to leadership) and side to side (stakeholder to stakeholder or office to office), as evidenced by the examples provided below.</p>
<p>The first example addresses not just information direction, but also information flow.  This can be compared to a water spring, where information flows point to point from the bottom level of an organization through the layers to the top for decision-making, and then it is dispersed throughout the organization.  In this model, each organization at the bottom primarily transmits its information to update the top levels of the organization where decisions are made, and then risk responses and their corollary effect spread across the organization.  The primary purpose of this communication program is to provide necessary information to “leadership” for quick and conclusive decision-making.</p>
<p>Other organizations, however, require a more complex model that is multi-directional simultaneously.  Unlike a water spring, which is more unidirectional and cyclical, the information flow effect for this example resembles airport terminal traffic.  In this model, each terminal or department within the organization is responsible for transmitting and receiving risk information from every other node.  This can be compared to airport terminal traffic, where individuals use escalators, elevators, moving platforms, and stairs to move to and from any terminal in the airport.  The primary purpose of this type of communication model is to provide transparency and information symmetry across the organization.</p>
<p>The key to an effective communication program is choosing the right communication model for a particular agency, depending on where the organization is in its ERM maturity curve.  In addition, it is important to remember that as an agency matures and changes, the communication program will most likely need to evolve as well.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:49:20 GMT</pubDate>
</item>
<item>
<title>How do you consider existing controls in establishing the likelihood of the risk? Are risk responses by default internal controls?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505906</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505906</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>To answer the second question first, risk responses are not internal controls.  Industry professionals know that agencies identify risks, develop risk responses, and then implement internal controls.  If risk responses are not internal controls, then what is the relationship between the two?</p>
<p>Internal controls ensure that the objective of a risk response is carried out effectively.  When comparing risk responses and internal controls to the construction of a building, one could say that the risk response is more of the “blueprint” or “architectural diagram” and the internal control is the “engineered solution.”  Internal controls ensure the execution of the risk response.  In addition, the relationship between risk responses and internal controls can be one to one, or one to many, and in some rarer circumstances, many to one.  One risk response could be affected by one internal control or by several.  Multiple risk responses could be affected by one internal control if the risk responses are very similar or if the internal control is complex and multi-faceted.</p>
<p>Now, what happens if an organization already has internal controls, and how is that considered when establishing the likelihood of risk?  There are three parts to this process.  In part one, “inherent risks” are identified based on risk impact (calculated using probabilities of incidence and severity), assuming a world without controls.  In part two, the agency develops a risk response, applies an internal control, and re-measures, which leads to “controlled risk.”  In part three, agencies measure the risk impact and/or output over time given the implementation of the control to determine if there is any “residual risk.”  As such, internal controls become very important in parts two and three when establishing the likelihood of risk.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:48:01 GMT</pubDate>
</item>
<item>
<title>What are some effective methods to report the status and/or results of ERM activities to management?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505909</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505909</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Reporting will vary depending on leadership and how the audience best receives information.  However, reporting will likely focus on the accomplishments of the ERM program, particularly as it relates to enabling an agency to effectively manage risk tolerances at the goal and objective levels and risk appetite at the agency level.  To accomplish this, agency leadership should view the risk tolerance of each objective and goal as a target measure of performance.</p>
<p>For example, an agency may leverage a risk tolerance scale of 1-10, with an objective risk tolerance determined to be a 4.  The goal of the ERM program is to ensure that there is the least amount of deviation of risk associated with that goal from the established threshold.  Further, consider a target with 10 rings, where the agency’s targeted risk tolerance is the fourth ring.  The agency’s actual results can then be overlaid on the target to view any potential deviation.  If the results are actually ranked at 5.5, the agency took on too much risk compared to its threshold; the risk response will need to be adjusted.  If the ranking is actually at a 3, the agency expended too much energy reducing the risk and can shift resource use to another focus area.  Ultimately, this representation allows for management to understand how well the ERM program is helping the organization in accomplishing its mission, goals, and objectives.</p>
<p>Additional methods used by agencies include storyboard or dashboard-style presentations capturing key risk metrics for a portfolio of risks, or at a more granular level by program or individual risk.  This can be facilitated through user-developed applications based on Microsoft Office Suite tools, or through more advanced governance, risk and compliance (GRC) automated solutions that have built-in analytics and reporting capabilities.  We have also seen other informative communication strategies where agencies use a newsletter campaign to broadly distribute important updates, useful tips, and planned implementation details to risk stakeholders on a frequent, recurring basis.  The goal is to help stakeholders make informed decisions and keep ERM at the forefront through proactive engagement.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:51:40 GMT</pubDate>
</item>
<item>
<title>How long does it take to implement a fully compliant ERM program?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505908</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505908</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>This question touches on an important distinction within ERM program implementation.  There is a significant difference between a fully <strong><em>compliant</em></strong> ERM program and a fully <strong><em>capable</em></strong> ERM program.  Compliance focuses on the contents of an ERM program, while capability focuses on what an ERM program can achieve.</p>
<p>A fully compliant ERM program can be established in 1-2 years, seeking to institute an Enterprise Risk Board, a governance structure, risk appetite statement, updated Statement of Assurance, risk profile, etc.  It is not as easy to build an ERM program that is mature, fully functioning, integrated, and outcome-oriented.  In a smaller, less complex agency with leadership buy-in, this could range from 5-7 years.  However, in a larger, complex, decentralized agency, it could take 5-10+ years.  It is important that agencies not be discouraged by those projections.  Effective ERM is meant to be a long-term, evolving endeavor.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:50:47 GMT</pubDate>
</item>
<item>
<title>If agency executives view ERM as an administrative burden, what’s the best way to approach ERM at that agency?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505910</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505910</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Agency buy-in, especially from senior leadership/executives, is often difficult to achieve, and resistance to new initiatives is common across all levels of the organization.  Successfully implementing ERM requires the ERM team to focus on change management in conjunction with developing the program processes, policies, and procedures.  It is helpful if there is a positive tone and commitment to ERM from the head of the agency and/or deputy.  Key change management elements that should be addressed include focusing ERM efforts on strategic goals and objectives; recognizing and celebrating wins; building internal risk management capabilities with ERM champions at various levels; clearly stating the rationale and benefit case for ERM; tailoring the program to fit existing organizational culture and processes, where possible; and encouraging continuous engagement and collaboration.  Several specific actions that agencies might consider include incorporating ERM into executive performance plans; explicitly integrating key risks into resource allocation decisions; applying the ERM framework to an issue widely recognized as a problem by most agency executives; and incorporating risk management principles throughout agency training programs, both as a stand-alone effort and integrated into other courses.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:52:25 GMT</pubDate>
</item>
<item>
<title>Where should the ERM process/program reside within the agency to include who should oversee the program?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505911</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505911</guid>
<description><![CDATA[<p><strong>Question asked by Anonymous</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Within the Federal Government, there is no right answer to this question.  Some agencies have designated a Chief Risk Officer (CRO) to report to the Chief Operating Officer or Chief of Operations (COO).  In other agencies, the ERM program is led by a Risk Manager who reports to the Chief Financial Officer (CFO).  Several agencies have decided to incubate their ERM program within the CFO organization with plans to elevate the position and program when they reach a certain level of maturity.  Office of Management and Budget (OMB) Circular A-123 provides agencies with a great deal of latitude in this area in recognition that the same approach may not work across all agencies.  However, agencies are best served by a strong and independent risk management function positioned as high in the organizational structure as possible.  An executive leading ERM program efforts, who is also formally recognized as part of the agency’s senior leadership team, helps facilitate acceptance across the organization’s lines of business.  Designating a CRO at the executive level, with the program reporting to the COO, also sends a message about how agency leadership views the importance of ERM, and this message can be an effective element of an agency’s tone-at-the-top.</p>
<p>How are your agencies addressing the governance issue?  Share your thoughts – join the conversation!</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:53:47 GMT</pubDate>
</item>
<item>
<title>How will auditors audit ERM, since this is different than regulation and procedure compliance? What conversations are happening with IGs to ensure they understand how ERM works?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505912</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505912</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Past experiences with ERM program audits by the Government Accountability Office (GAO) and Inspector General (IG) lead to similar areas of focus.  Their initial reviews concentrated on ensuring that basic program elements were present and documented.  These elements included the maturity model and program development map; ERM governance structure; ERM framework, including standardized processes and procedures; ERM function staffing, including Chief Risk Officer (CRO) duties and responsibilities, as well as placement within the agency’s organizational structure; and the agency’s Risk Appetite Statement.  After the audit teams understood the basic design and foundation elements supporting the ERM program, they investigated methods used to identify key risks, as well as conducted interviews with agency executives, ERM program staff, and ERM points of contact within each line of business.  While auditors from both teams were interested in the enterprise risk register and responses to key risks, the GAO team did not raise questions regarding whether the risk appetite and risk response actions were appropriate.  On the other hand, the IG audit team questioned various aspects of risk appetite and risk tolerance adopted by the agency.  Each audit team will likely have a different focus, but starting with foundational ERM program elements with a clear direction for program development and maturity will compel the audit team to consider how the agency is approaching its ERM program and may help steer auditors away from judgements about whether agency leadership has set suitable risk appetites and tolerances and if risk response actions are appropriate.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:54:40 GMT</pubDate>
</item>
<item>
<title>How can the OIG’s risk assessment process for audit planning purposes coexist with the ERM program’s assessment for risk management purposes? Where is the line drawn for collaboration?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505913</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505913</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>When it comes to discussing matters of risk management within an organization, there will always be some overlap.  However, the Risk Manager should remain focused on the primary business/mission objective, the risk created from executing toward that objective, and what responses the organization would have for the risk created.</p>
<p>When discussing the OIG and an Agency’s programs, it is very interesting indeed.  The OIG and Agency Programs have very different objectives (i.e., the Agency executes the mission and the OIG provides assurance that the mission was executed appropriately and in compliance with laws and regulations).</p>
<p>“Drawing the line” is a good way to think about this by using the “who goes first” paradigm.  Essentially, this is a paradigm that helps illustrate the cause and effect relationship within the Agency’s risk universe.</p>
<p>First, we have the Agency, which must execute its mission.  An Agency is a collection of Programs, separated into Offices and Departments for administrative control.  These Programs, once funded, initiate execution and create risks, specifically located within each Program’s execution toward its programmatic objectives.</p>
<p>Next, we have the Highest Level of Administrative Control within the Agency managing the Enterprise-Wide risk to the Program portfolio in its entirety by maintaining an ERM program.</p>
<p>Then, we have the OIG.  The OIG was formed in response to the risk created by Program execution, performing its own risk assessment.  The expectation is that the OIG may leverage the Agency’s ERM program for risk, risk response, and resource application information, but the OIG may also add risk factors that the Agency may not have included, or may increase or decrease the prioritization of risk ranking for its own purposes, the achievement of a risk-adjusted audit plan, or investigation schedule.</p>
<p>So where should we draw the line?  It is more like a Venn Diagram, but we must remember that 1) the Agency goes first, 2) the OIG comes after, 3) the Agency’s ERM process is focused on managing the enterprise-wide risk of acquiring programmatic objectives within given resource constraints, and 4) the OIG’s risk management process is focused on managing the risk of providing inspection and investigation assurance on the compliance, as well as ultimate effectiveness and efficiency of that execution.</p>
<p>In mature agencies and programs, OIG input into the Agency’s ERM process will be very helpful as long as it does not blur the lines of independence, and as long as Agency executives seek to have that conversation.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:55:45 GMT</pubDate>
</item>
<item>
<title>The COSO ERM – Integrated Framework identifies three approaches to communicating an organization’s risk appetite. What organizational characteristics would benefit from each of these methods?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505914</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505914</guid>
<description><![CDATA[<p><strong>Question asked by Sharon White</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>COSO ERM Understanding and communicating risk appetite identifies 1) general statement, 2) by org objectives, or 3) by risk types identified by the org. What organizational characteristics would benefit from each of these methods? (e.g. education level of employees, complexity of org, variety of programs administered)</em></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Risk appetite denotes the level and nature of risk that is acceptable.  <strong>Risk tolerance</strong> refers to the degree of variability in Return on Investment (ROI) in programmatic execution or administration that an Agency is willing to withstand.  Risk appetites and tolerances should be set at the Governance level, Executive level, and Operational level and should flow downward from the top of the organization to the various lower levels of management, with actual risk information flowing from the lower levels of the organization, upward.</p>
<p>Should risk appetite and risk tolerance statements be documented by organizational objective or by risk classes?</p>
<p>Depending on the agency, risk appetite and risk tolerance statements can be documented by organizational objective or by risk classes, and in some agencies, risk appetite and risk tolerance statements can both be documented at the same time.  Some agencies manage complexity large enough to have to deal with differentiated risk classes within each organizational objective, and some agencies manage programs where a single set of risk classes can apply across the enterprise.</p>
<p>The most important thing to remember is that <strong>risk appetite and risk tolerance statements enable the ERM program and officers to respond to risk in a dynamic and direct way</strong>.  In other words, an Agency should make sure it does not create risk appetite and risk tolerance statements that constrain behavior (unless by design) and delay risk response actions.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:57:44 GMT</pubDate>
</item>
<item>
<title>How do you maintain precise risk trigger descriptions when you aggregate risk profiles from low organizational levels to higher level summary risks?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505915</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505915</guid>
<description><![CDATA[<p><em>It becomes difficult to know which trigger event is monitored to determine when a risk response should be executed.</em></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>A <strong>risk trigger</strong> is an event or series of events that activate the execution of a particular action, usually associated with mitigation strategy or execution of contingency plans.  <strong>Risk thresholds</strong> define the boundaries of fluctuation for those triggers.</p>
<p>This is a difficult challenge.  It is almost impossible without first defining an actual risk event scenario, because risk triggers exist to respond to risk events within a threshold of an actual scenario.  It is especially difficult where risk action is defined at a very detailed level across large portfolios of disaggregated risks.  This is where we rely on the expertise of our Risk Management professionals to prioritize risk actions, and by doing so, prioritize risk triggers and thresholds.</p>
<p>For example, not all risks are created equal, and although we have defined impact and severity probabilities (if quantitative), not all risks contribute similarly to the overall risk of a risk pool.  Overall, risks assessed at “high” matter more.  The Risk Management professional can then either 1) provide anecdotally the risk triggers that control risk actions for “a majority” of the risk or 2) leverage risk management software to determine which risk triggers are specifically associated with risk actions in that scenario.  This provides an opportunity to then aggregate the profiles from the bottom up and give meaningful risk trigger information.</p>
<p>Without specific scenarios to discuss, a Risk Management professional could have the challenging task of either discussing an endless list of “if/then” scenarios or providing an inert dictionary of all the risk triggers in the portfolio.  Risk management software can be very helpful in the case of the latter.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 11:59:33 GMT</pubDate>
</item>
<item>
<title>I have yet to hear of anyone’s risk profile, including my own, that includes opportunities, even though A123 requires risk profiles to include opportunities. Why is that?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505916</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505916</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>While OMB Circular A-123 requires agencies to present instances of uncertainty (i.e., opportunities and threats), where applicable, it does not necessarily mean that both will be presented in the risk profile. However, there are likely two reasons why opportunities are not readily identified in Federal risk profiles to the extent that threats are identified:</p>
<ul>
    <li>The Federal government is inherently risk averse; and</li>
    <li>Most agencies are still in the early stages of ERM program maturation.</li>
</ul>
<p>Because of the Federal government’s unique position, in comparison to perhaps a commercial entity, the Federal government tends to lean towards stability instead of volatility.  This places more emphasis on managing downside risks, or threats, and seeking to monitor or minimize the accompanying risk exposure.  Identifying and seeking to exploit opportunities involves numerous constraints in the Federal space, including potential alignment with the President’s agenda and the agency’s mission and priorities, not to mention sufficient funding to pursue the opportunity.  However, trends in information technology modernization, business intelligence, data analytics, and shared services, may support near-term reporting of opportunities in agencies’ risk profiles.</p>
<p>Secondly, it is taking time to shape agency risk culture and awareness to understand that risk essentially translates to uncertainty, and that uncertainty is not always negative. Focusing early ERM adoption and implementation strategies on enterprise risks helps build the foundation of an effective ERM program that may eventually seek to identify, exploit, and report on opportunities.  Additionally, ERM may be leveraged to review and understand existing risk exposures when evaluating new strategic objectives and opportunities.  Due to many Federal ERM programs still being in their early stages of implementation, adopting a risk profile and a risk awareness that promotes the identification of opportunities will take time to complete.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 12:00:47 GMT</pubDate>
</item>
<item>
<title>Considering the current market for Federal ERM Professionals, would it be highly unlikely to find a 10yr professional within a salary range of $95K – $105K?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505917</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505917</guid>
<description><![CDATA[<p><strong>Question asked by Michael Charles</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>Federal GOV contractor supporting a Law Enforcement Agency, seeking guidance in regards to salary budget and current market for professionals with this skill set.</em></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Like any professional, the salary range for an ERM professional with 10 years of working experience will depend on many factors.  Formal education, relevant peripheral experience (e.g., strategic planning, performance management, internal controls, audit, etc.),  closely aligned experience (i.e., risk management and ERM), and specific familiarity with the organization and/or similar projects all play into an individual’s marketability.  However, let’s assume you have a candidate with 10 years of experience closely aligned with ERM and the individual can be a major contributor to analyzing the current risk environment and mapping out an ERM approach.  Several senior leaders in federal consulting organizations have confirmed for me that it is highly unlikely you will be able to find such an individual in the specified compensation range.</p>
<p>This does not mean there are not individuals claiming expertise in ERM that will accept such compensation.  However, in all such cases, I would highly suggest you ensure they: (1) truly understand ERM (versus internal controls or some informal approach to risk management), and (2) have significant verifiable experience specifically related to ERM.</p>
<p>If anyone has experience to the contrary, we would certainly welcome the feedback.  Best wishes with your ERM efforts.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 12:02:14 GMT</pubDate>
</item>
<item>
<title>After compiling the risk register, how do you score the risk? How do you score the claimed effectiveness of mitigation?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505921</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505921</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Risk is typically considered a function of the probability/likelihood of an event occurring, and the impact/consequence of that event if it does occur.  The scoring of the risk is thus a function of the combination of those two factors.  This is often graphically displayed on a “heat map”, in which one axis is likelihood/probability and the other impact/consequence. The axes may be numbered (e.g., 1-5) or have descriptions (e.g., rare, remote, moderate, likely, very likely for probability and insignificant, minor, significant, major, critical for impact).  The intersection of a specific risk’s likelihood and impact is its risk rating.  These ratings can be quantitative (often the product of the numbers associated with the impact and probability ratings) or qualitative (e.g., low, medium, high, critical).  There is no single accepted approach to how many levels are designated for probability, impact or risk rating.</p>
<p>Keep in mind that risk treatment is not always mitigation.  Mitigation literally means to reduce, and that term is generally used in risk management to mean reduction in the likelihood or impact of a risk, and thus the overall level of risk after treatment. However, other treatment options include accepting the risk as it is, avoiding the risk, or transferring the risk to another party.  In any event, the risk after treatment is scored in the same fashion as evaluation of the risk before treatment.  Depending on the nature of the risk, this may be very quantifiable with significant precision.  In other cases, the estimation of a risk before and after treatment may be very subjective.  In the latter case, it is often advisable to gather a number of subject matter experts to discuss the risk and seek to achieve consensus on the level of risk before and after treatment.  In all cases, the level of claimed reduction in a risk after treatment should be justified as well as practical.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:04:37 GMT</pubDate>
</item>
<item>
<title>How many small and large Federal agencies have Enterprise Risk Management Programs?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505922</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505922</guid>
<description><![CDATA[<p><strong>Question asked by Latreece Wade</strong></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Wade,</p>
<p>OMB A-123 update of July 15, 2016 required ERM to be implemented at all executive agencies, regardless of size. How robustly those agencies are implementing ERM is another question, and one that has not been authoritatively addressed to the best of my knowledge. There is an A-123 requirement, however, that ERM and internal controls be integrated by September 15, 2017. This is arguably the deadline for implementation of some meaningful level of ERM.</p>
<p>Regards,<br />
Doug</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:05:43 GMT</pubDate>
</item>
<item>
<title>Do you know of a repository for risk management specialist position descriptions?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505924</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505924</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Doug,</p>
<p>I wish I knew of such a repository.  We face many challenges in our risk management community.  One challenge is that risk management is too seldom recognized as an actual discipline of knowledge.  The recognition of Enterprise Risk Management is rising rapidly in the Federal government. This suggests that risk management will become more broadly recognized as a career field. However, this growing recognition has not yet reached the level of the Office of Personnel Management establishing risk management as a job series.  I strongly suggest it is time for OPM to take such action.  However, until that occurs, we will be faced with sharing amongst our peers.  AFERM has an online resource library for members (<a href="https://www.aferm.org/resources/">www.aferm.org/resources/</a>), so you might want to check that out. Those organizations that have drafted position descriptions focused on risk management could provide value to the community by offering those documents for posting on the AFERM website (<a href="https://www.aferm.org">www.aferm.org</a>).</p>
<p>Doug</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:07:08 GMT</pubDate>
</item>
<item>
<title>In drafting a risk assessment report, am I just identifying issues or also giving credit for planned or in process work?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505925</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505925</guid>
<description><![CDATA[<p><em>I am drafting a risk assessment report and want to understand whether current risk reports should be excluded. Am I just identifying issues, or also giving credit for planned or in process work?</em></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>There is no standard form for developing a risk assessment report.  While various sources indicate elements that may find a home in such a report, one might expect no standard exists because assessment reports can be written for different audiences with different information needs.</p>
<p>Understanding what might go into a risk assessment report should thus begin with an understanding of the needs of those for whom the report is intended.  ISO 31000 defines risk assessment as the combination of risk identification, analysis, and evaluation, but does not include risk treatment.  Are we looking only to report information on the assessment of risks (as suggested by the wording of your question), or are we also seeking to report on the implementation status of selected risk treatments, and the resulting risk after treatment?  The more inclusive reporting of risk treatment status is required if the report is to be used by management to monitor risk treatment activities, and ensure that the targeted levels of risk resulting from risk treatments are actually achieved.  If your report is to share newly identified risks, then there would be no need to include risks previously identified.  However, if the intent is to communicate the organization’s ongoing level of risk and corresponding risk treatments, then understanding the full set of key risks is critical.</p>
<p>I would propose the following elements for any risk assessment report:</p>
<ul>
    <li>Objective to be achieved (remember that risks by definition do not exist in isolation, but are linked to a specific objective).</li>
    <li>Name of risk</li>
    <li>Classification category of risk</li>
    <li>Risk appetite for the risk classification</li>
    <li>Likelihood/probability (of current risk)</li>
    <li>Consequence/impact (of current risk)</li>
    <li>Risk rating (prioritization based upon consideration of consequence and likelihood)</li>
    <li>Selected treatment (Accept, Avoid, Transfer/Share, or Mitigate/Reduce, and also Enhance if intentionally increasing risk to seek opportunities).</li>
    <li>Likelihood/probability (projected after completion of selected treatment)</li>
    <li>Consequence/impact (projected after completion of selected treatment)</li>
    <li>The basis for selected risk treatment (considerations of consistency with desired risk appetite, and cost-benefit analysis of various responses for treating any particular risk).</li>
    <li>Risk owner (the person responsible for determining the acceptability of the risk, selecting the appropriate risk treatment, and ensuring completion of the risk treatment).</li>
</ul>
<p>If this report will also be used to monitor the actual implementation of the selected risk treatment, I would propose also including the following:</p>
<ul>
    <li>Date risk treatment projected to be completed.</li>
    <li>Current status of treatment (or indication of completion)</li>
</ul>
<p>Too often organizations consider risk in a very informal, ad hoc manner.  Effective risk management requires meaningful reporting and monitoring.  Formal risk reporting will be important to any organization seeking to truly manage risks in an effective manner.  A full understanding of an organization’s risks will require inclusion of newly identified risks as well as ongoing risk treatment activities previously assessed.</p>]]></description>
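Two of the answers above, the heat-map scoring of likelihood against impact (with the risk after treatment scored the same way as the risk before it) and the list of elements a risk assessment report should carry, can be tied together in working code. What follows is an added example, not code from AFERM or from the authors of the answers. The five-level scales reuse the labels quoted in the heat-map answer; the band cut-offs, the appetite comparison, the consistency checks and the sample register are assumptions chosen for illustration.

```python
"""Heat-map risk scoring plus a minimal risk-register row.

Added example, not code from the AFERM answers. The scales, the band
cut-offs, the checks and the sample register are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed 5-level descriptive scales, using the labels quoted in the
# heat-map answer; any other number of levels is equally valid.
LIKELIHOOD: Dict[str, int] = {
    "rare": 1, "remote": 2, "moderate": 3, "likely": 4, "very likely": 5,
}
IMPACT: Dict[str, int] = {
    "insignificant": 1, "minor": 2, "significant": 3, "major": 4, "critical": 5,
}
BANDS = ["low", "medium", "high", "critical"]   # qualitative rating, ascending
TREATMENTS = {"accept", "avoid", "transfer", "mitigate", "enhance"}


def score(likelihood: str, impact: str) -> int:
    """Quantitative rating: product of the two scale positions (1..25)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def band(value: int) -> str:
    """Qualitative rating for a product score; the cut-offs are an assumption."""
    if value >= 15:
        return "critical"
    if value >= 8:
        return "high"
    if value >= 4:
        return "medium"
    return "low"


def heat_map() -> List[List[str]]:
    """Rows are likelihood 1..5, columns impact 1..5, each cell the band."""
    return [[band(l * i) for i in range(1, 6)] for l in range(1, 6)]


@dataclass
class RiskRecord:
    """One row of a risk assessment report, using the elements listed above."""
    objective: str
    name: str
    category: str
    appetite: str                 # highest band acceptable for this category
    likelihood: str               # current risk, given existing controls
    impact: str
    treatment: str                # accept / avoid / transfer / mitigate / enhance
    basis: str                    # why this treatment (appetite fit, cost-benefit)
    owner: str
    residual_likelihood: Optional[str] = None   # projected after treatment
    residual_impact: Optional[str] = None
    due: Optional[str] = None                   # monitoring fields
    status: Optional[str] = None

    def current_score(self) -> int:
        return score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        # Scored exactly like the current risk; with no projection the
        # risk is taken as unchanged, which is what "accept" means.
        return score(self.residual_likelihood or self.likelihood,
                     self.residual_impact or self.impact)

    def within_appetite(self) -> bool:
        return not BANDS.index(band(self.residual_score())) > BANDS.index(self.appetite)

    def findings(self) -> List[str]:
        """Consistency checks to apply before the row goes into the report."""
        out: List[str] = []
        t = self.treatment.lower()
        cur, res = self.current_score(), self.residual_score()
        if t not in TREATMENTS:
            out.append(f"{self.name}: unknown treatment {self.treatment!r}")
        if t == "accept" and res != cur:
            out.append(f"{self.name}: 'accept' cannot change the rating ({cur} to {res})")
        if t in {"mitigate", "avoid", "transfer"} and not cur > res:
            out.append(f"{self.name}: {t} claims no reduction ({cur} to {res})")
        if cur > res and not self.basis.strip():
            out.append(f"{self.name}: reduction {cur} to {res} has no stated basis")
        if not self.within_appetite():
            out.append(f"{self.name}: residual {band(res)!r} exceeds appetite {self.appetite!r}")
        return out


def review(register: List[RiskRecord]) -> List[str]:
    """All findings across a register, in report order."""
    return [f for r in register for f in r.findings()]


# Constructed sample register (illustrative, not real agency data).
SAMPLE = [
    RiskRecord("Pay benefits on schedule", "Payment platform outage", "operational",
               "high", "likely", "major", "mitigate",
               "Warm failover site cuts outage length; cost within budget", "CIO",
               residual_likelihood="remote", residual_impact="major"),
    RiskRecord("Pay benefits on schedule", "Vendor price increase", "financial",
               "medium", "moderate", "minor", "accept", "Already below appetite", "CFO"),
    RiskRecord("Modernize case management", "Key staff attrition", "people",
               "medium", "likely", "significant", "mitigate", "", "COO",
               residual_likelihood="likely", residual_impact="significant"),
]
```

Calling review(SAMPLE) returns two findings, both on the third record: its mitigation projects no reduction at all, and its residual rating still exceeds the appetite set for its category. Those are the two points the answers say a reviewer should challenge, a claimed reduction that is not justified and a targeted level of risk that is not actually reached. The same row carries the due date and status fields needed when the report is also used to monitor treatment implementation.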
<pubDate>Mon, 25 Nov 2024 20:13:37 GMT</pubDate>
</item>
<item>
<title>What thoughts do you have on rationalizing and aligning the concepts and terminology of the internal control community with the risk management community?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505926</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505926</guid>
<description><![CDATA[<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>Rationalizing and aligning the concepts and terminology of the internal control community with the risk management community is an ongoing challenge for many in the public sector and beyond. This is in part because these two communities come from a history relying on similar terms to mean different things.</p>
<p>Take for example the concepts of inherent risk and residual risk. The GAO Green Book—the “rulebook” for internal control in the US Federal government—defines inherent risk and residual risk as follows:</p>
<p>• Inherent risk is the risk to an entity in the absence of management’s response to the risk.<br />
• Residual risk is the risk that remains after management’s response to inherent risk.</p>
<p>In the internal control community, these definitions are typically thought of as the risk prior to implementing internal control (inherent risk) and the risk after implementation of internal control (residual risk). However, from a risk management perspective, there are multiple problems with these definitions. First, what exactly is “the absence of management’s response to the risk”? Good process design should inherently consider what might not operate as planned in a process, and then design the process in a way that considers the possibility of not achieving the desired result.</p>
<p>For example, on a semi-automated factory assembly line, the assembly process considers how parts are to be moved along the line toward final assembly, how to reduce random variation in the process to gain stability over a quality output, when to have human intervention to minimize variation or to even temporarily stop the assembly process, etc. At what point are controls being “added”? Even more to the point, after the assembly process has been fully designed and implemented, how much of the designed-in process controls do you remove to be able to assess the inherent risk? In the assembly line example, internal controls are not added to a process that first has no controls, but are instead designed into the process from the very start. There is no meaningful basis to assess an inherent risk as might be practiced by auditors in looking at, for example, the risk of inaccurate financial reporting.</p>
<p>While this assembly process was chosen to highlight the problems in meaningfully defining inherent risk, that problem remains with any process, whether it be something as straightforward as the employee pay process, or something never attempted before, such as a NASA interplanetary mission.</p>
<p>What may be an even more important question from a risk management perspective is asking what the value is of such an exercise? From a risk management perspective, there are two points of risk measurement that are important. The first is our current level of risk given existing controls, and while operating within the current external and internal environment. The second is what is our targeted level of risk?</p>
<p>Our current level of risk should be compared to our risk appetite—that level of risk we are willing to accept in order to appropriately balance considerations of opportunities and threats. That comparison will tell us whether or not the risks we are in reality accepting are within that level we have agreed are appropriate to accept. Artificially removing from consideration existing internal controls to evaluate inherent risk is not a useful exercise in understanding our current level of risk with our current controls.</p>
<p>However, in addition to our current level of risk, another consideration is the level of risk we are targeting to be at in the future. We may seek to move from where we are today in order to reduce threats or go after greater opportunities. In either case, we need to understand current risks, targeted future levels of risks, and actions we plan to take to move from where we are today to where we wish to be in the future.</p>
<p>The new A-123 moves a step in the right direction by defining inherent risk as “…the exposure arising from a specific risk before any action has been taken to manage it beyond normal operations.” (emphasis added). This modification of the GAO definition would suggest that OMB requires agencies to understand their current risk (i.e., that which is reflected in “normal” operations), and then to address how that level of risk might be further acted upon by the agency to reach a new level of risk (i.e., future residual risk). This minor tweaking of the inherent risk definition by OMB may help facilitate the needed discussion between the internal control and risk management community to provide an effective and value-added risk assessment and monitoring process.</p>
<p>While these comments have focused on inherent risk and residual risk, they are but a reflection of a need for a broader discussion of concepts and terminology between practitioners of internal control and the broader risk management community.  The two communities need to develop a common understanding of how the two concepts fit together in achieving organizational success.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:14:55 GMT</pubDate>
</item>
<item>
<title>Is ERM only applicable at the Departmental level?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505927</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505927</guid>
<description><![CDATA[<p><strong>Question asked by David Wooten</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>Some say that ERM will only occur at the Departmental level and above and that the bureaus (within Departments) will continue to only use the internal controls program. Are they correct?</em><br />
<br />
<strong>AFERM EXPERTS SAY...</strong></p>
<p>David, thank you for your question.  In my view, ERM is intended to be forward thinking/scanning the horizon, while the existing internal controls only measure how well we are executing measurable components towards our strategic goals.  ERM looks at what could keep us from accomplishing our goals, so it would seem that ERM would have to reach into the bureaus.  I am not in the camp that views ERM as only a Departmental-level initiative.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:16:03 GMT</pubDate>
</item>
<item>
<title>Office, Bureau or Agency-wide ERM implementation. Which is best (part 2 of 2)?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505928</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505928</guid>
<description><![CDATA[<p><strong>Additional Details</strong></p>
<p><em>(part 2 of 2) We are a bureau within a much larger agency.  Some are calling for us to implement ERM, but there appears to be no meaningful action to do so at the higher agency level.  How can we implement ERM without doing so at the agency level?  Will doing so even be helpful?</em></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>As I hopefully conveyed in my prior thoughts on the distinction between ERM and internal controls, it would be a serious mistake for any organization to presume their internal control program will suffice for addressing the risk to their organizational objectives.  Hopefully that message will filter down throughout the Department, because all levels of the Department will need to be engaged if true ERM is to ultimately result.</p>
<p>Moving to ERM requires a change in organizational culture for most of the Federal government. It may be that bureaus may in some cases actually have leaders who more quickly understand and see the value of ERM.  In those cases, we may see bureaus or other subordinate parts of larger organizations being the primary advocates for ERM.  In DoD, for example, early explorers of ERM included DFAS (in 2007) and DLA (in 2009), well before DoD as a whole had expressed any interest in ERM.  While these early initiatives eventually stalled due to changes in leadership, my expectation is that the new focus by OMB on risk management and ERM as reflected in A-123 and A-11 will encourage proactive leaders to initiate ERM programs regardless of their organizational level.</p>
<pubDate>Mon, 25 Nov 2024 20:17:11 GMT</pubDate>
</item>
<item>
<title>Office, Bureau or Agency-wide ERM implementation. Which is best (part 1 of 2)?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505929</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505929</guid>
<description><![CDATA[<p><strong>Question asked by Web User</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>(part 1 of 2) We are a bureau within a much larger agency.  Some are calling for us to implement ERM, but there appears to be no meaningful action to do so at the higher agency level.  How can we implement ERM without doing so at the agency level?  Will doing so even be helpful?</em></p>
<p><strong>AFERM EXPERTS SAY...</strong></p>
<p>One way of answering this question is to first ask: (1) what is the purpose of ERM? and (2) what is the key mechanism of ERM in accomplishing this goal? ERM seeks to develop an organization-wide, portfolio view of risk that allows balancing results, resources and risks in a manner that maximizes stakeholder value. The key mechanism is two-fold. In the words of John Fraser, former Chief Risk Officer of Canada’s Hydro One, ERM is about “conversation” and “prioritization”. By conversation, John is referring to an open conversation of risk across the organization. This in turn leads to meaningful prioritization of risk treatments at an enterprise level contributing to maximizing stakeholder value.</p>
<p>Implementing a formal ERM program may indeed have little value if those conversations and prioritizations are already occurring. This can easily be the case in small organizations that are already well interconnected and have not grown to the size and complexity where functional and programmatic silos have evolved as a result of organizational structures. A basketball team, as a very simple example, understands the risks to each of the other players at any point in the game and reacts to those risks in a manner designed to win the game. However, as any organization grows to require larger numbers of participants and more complex organizational structures to coordinate efforts, this group interaction in understanding risks begins to fall apart. Instead, many business decisions and associated risks are managed within organizational silos. Concrete efforts are needed if this conversation and prioritization is to take place across the enterprise.</p>
<p>With the preceding as background, it is clear that where an organization sits in the overall organizational hierarchy is not the critical factor. The key considerations are: (1) will the organization considering implementing ERM potentially benefit from that implementation, and (2) does it have the capabilities to be successful in that implementation.</p>
<p>The answer to point one is “yes” if the organization is large enough and complex enough to benefit from a conscious and organized approach to identifying, sharing, and managing risk across the organization in an integrated fashion. For a group of a dozen individuals, this level of sharing and integration is likely already present. However, when organizations grow to hundreds and thousands of individuals, then the resulting organizational silos make the benefits of ERM almost inevitable. If so, then the second question must be answered: does the organization have the capabilities to implement ERM? Internal organizational capabilities can be developed, but the starting point is to know that the organization has sufficient autonomy within the larger organizational structure to pull together the necessary governance structures, make the necessary risk-informed resource allocations, and develop the necessary cultural changes. The leader of a bureau typically has the needed level of autonomy and resource allocation discretion. If those necessary prerequisites are present, then the implementation of ERM within the bureau is possible even when the higher level organization (agency or department) has not yet sought to implement ERM.</p>
<pubDate>Mon, 25 Nov 2024 20:18:30 GMT</pubDate>
</item>
<item>
<title>Is ERM just a more mature way to implement Internal Controls (part 2 of 2)?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505930</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505930</guid>
<description><![CDATA[<p><strong>Question asked by Web User</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>(part 2 of 2) I have worked with A-123 and Internal Controls for years, but now I am hearing a lot about ERM.  Isn’t this just a more mature way to implement internal controls? After all, the GAO Green Book states that internal control is a process “…that provides reasonable assurance that the objectives of an entity will be achieved.” Is this the same as saying risk is well managed?</em><br />
<br />
<strong>AFERM EXPERTS SAY...</strong></p>
<p>Previously, I shared thoughts on the relationship between internal control and risk management. These two terms are not synonyms, and to understand their relationship is important to achieving any organization’s full set of objectives. However, how does Enterprise Risk Management (ERM) factor into this discussion? Is ERM simply a new term for discussing risk management, or is there more to the story?</p>
<p>COSO released their first Internal Control—Integrated Framework in 1992, which was revised in 2013. In 2004, COSO released their Enterprise Risk Management—Integrated Framework, and a 2016 update was recently published. However, there has never been a “Risk Management Framework” by COSO. Does this imply that ERM is simply a new name for what was previously known as risk management? While this might be a fair question looking only at the title of their existing frameworks, a quick review of the COSO Enterprise Risk Management–Integrated Framework Executive Summary would show that there are aspects of ERM that go beyond traditional risk management.</p>
<p>Given an understanding that risk is the uncertainty of achieving an objective, risk management can be employed anytime we have established an objective. This might be completing a major project, or it might be as simple as getting to an appointment on time. The traditional approach to managing risk prior to ERM would be to look at each of the identified risks independently, and then seek to manage that risk without consideration of the other objectives and risks also being managed in the organization. In this traditional approach, the CIO manages information technology risks on his or her own, the CFO manages financial and reporting risks independent of others, program managers focus on their specific program risks, etc.</p>
<p>In contrast to this traditional approach to risk management, the current update to the COSO ERM Framework indicates that ERM seeks to:</p>
<p>• Establish risk governance and appropriate culture<br />
• Align risk management with strategy and performance<br />
• Develop a portfolio view of risk across the enterprise<br />
• Flow risk information up, down and across the enterprise</p>
<p>This goal of fully integrating risk management across the enterprise in a manner that allows for the balancing of results sought, resources to be consumed, and risks to be accepted, directly contributes to the ultimate goal of generating maximum value for the organization’s key stakeholders. This is the goal of ERM, something that clearly cannot be accomplished when risks are managed only within functional, programmatic, or organizational silos.</p>
<p>One important aspect of ERM is that it “…facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.” While giving a nod to integrated risks, the 2004 COSO ERM framework is relatively silent on this critical distinction between ERM and traditional risk management. However, the revised ERM framework clearly goes farther in recognizing this important aspect of ERM by establishing one of the 23 principles as “Develops Portfolio View”. An integrated, portfolio view of risk across an organization is unique to ERM, and is a key differentiator between ERM and traditional risk management. This concept underlies the definition of ERM offered by OMB A-11, when it defines ERM as “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos”.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:19:49 GMT</pubDate>
</item>
<item>
<title>Is ERM just a more mature way to implement Internal Controls (part 1 of 2)?</title>
<link>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505931</link>
<guid>https://www.aferm.org/members/blog_view.asp?id=2142464&amp;post=505931</guid>
<description><![CDATA[<p><strong>Question asked by Web User</strong></p>
<p><strong>Additional Details</strong></p>
<p><em>(part 1 of 2) I have worked with A-123 and Internal Controls for years, but now I am hearing a lot about ERM.  Isn’t this just a more mature way to implement internal controls? After all, the GAO Green Book states that internal control is a process “…that provides reasonable assurance that the objectives of an entity will be achieved.” Is this the same as saying risk is well managed?</em><br />
<br />
<strong>AFERM EXPERTS SAY...</strong></p>
<p>The distinction between internal control, risk management, and ERM is often a point of confusion. In translating a definition into a working concept, it is often important to understand the application of the concept, and what words in a definition might be lacking to further explain the concept. To start, the full GAO Green Book definition of internal control is:</p>
<p>“…a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks can be broadly classified into one or more of the following three categories:</p>
<p>• Operations – Effectiveness and efficiency of operations<br />
• Reporting – Reliability of reporting for internal and external use<br />
• Compliance – Compliance with applicable laws and regulations”</p>
<p>In each of these cases, processes and procedures can and should be set in place to achieve operational results, allow for appropriate reporting, and do so while ensuring compliance with applicable laws and regulations. Internal control is indeed important to developing reasonable assurance that the applicable processes will operate as designed and achieve the desired objectives.</p>
<p>However, what is unstated in the Green Book definition is that organizations can have objectives outside of these three categories. Any choice of a future action typically entails risk. Those choices extend far beyond the execution of currently implemented business processes, and include any decision for future action not dependent on an existing process.</p>
<p>Let us agree for purposes of this explanation that risk is the uncertainty of achieving objectives, and risk management is that set of activities used to assess and control risks to acceptable levels that contribute to maximizing stakeholder value. We manage risks in part by choosing to treat risks through one of the following options: acceptance, avoidance, transference, or mitigation. If our choice is to mitigate a risk, we are looking to take action through an internal control to reduce the likelihood that a risk transitions into an adverse event, the impact of that event, or both. This internal control can be placed on an existing process (if the process is in operation), or prospectively if the process is being designed or otherwise intended for future implementation. Internal controls are thus a means of lessening the risks to business processes.</p>
<p>Based on this description, internal control is clearly an important element of risk management. However, there are aspects of risk that are not addressed by internal control. Many risks occur outside the control of the organization (e.g., the likelihood that a federal agency will be allocated their requested budget by Congress). Other risks arise from plans that are made, well before processes are designed or put into place to deliver products or services in accordance with those plans (e.g., strategic planning options). Internal control cannot be applied to future trade-off considerations when there are no processes to control. While internal control may not be an option for managing some risks, that does not make the risk in those various trade-offs any less important.</p>]]></description>
<pubDate>Mon, 25 Nov 2024 20:21:05 GMT</pubDate>
</item>
</channel>
</rss>
