Now is not the time to be hollowing out Federal ERM Programs: Views from a CRO
Wednesday, July 30, 2025
Posted by: Vince Lungaro
Authored By: Tom Brandt, Director of Planning and Risk / Chief Risk Officer for the Federal Retirement Thrift Investment Board

Friday, May 10, 2013, is a day that I’ll probably always remember. I had friends visiting from out of town, and the evening news was on in the background at my home as we were catching up. Hearing the word “IRS” from the newscaster, I turned my attention to the TV. Apparently, an IRS executive I had never heard of named Lois Lerner, while speaking at a meeting of the American Bar Association in New York City earlier that day, had issued an apology for the “mishandling of applications from conservative groups for tax exempt status.” I think my mouth was agape as I listened. Given the political climate at the time, which was during the height of the “Tea-Party” movement, I turned to my friends and said that this revelation was going to be very, very bad for the IRS.

And it turned out that this revelation indeed did become very, very bad for the IRS. In the wake of this disclosure, a firestorm engulfed the IRS. Top level leadership was removed or reassigned, including the acting IRS Commissioner. An OMB official named Danny Werfel was tasked by the President and the Secretary of the Treasury with taking the helm. He was given two primary charges: 1) figure out what happened and how it happened, and 2) identify and implement changes to make sure something like this didn’t happen again.

To deliver on these charges, one of Mr. Werfel’s first actions after arriving at 1111 Constitution Avenue NW, the IRS’ Headquarters, was to undertake a 30-day review. In late June, he detailed the results of that 30-day review in a report, “Charting a Path Forward at the IRS: Initial Assessment and Plan of Action.” Here were some key findings and recommendations from that report:

“The IRS Commissioner's Office and other leaders across the organization do not always have sufficient knowledge of emerging operational risks among the various IRS business units. This fact limits the ability of senior IRS leaders and managers to identify and help manage organizational risks and stifles the timely flow of such information to external stakeholders.

We will establish an Enterprise Risk Management Program to provide a common framework for capturing, reporting, and addressing risk areas across IRS. This is intended to improve the timeliness by which such information is brought to the attention of the Commissioner and other IRS leaders, as well as external stakeholders.

Large and complex organizations such as the IRS are always under threat of risks – large and small, strategic and tactical – presenting the potential to dramatically affect performance in both mission delivery and operational support. The recent failures that occurred with respect to applications for tax exempt status highlight the need to evaluate how risks are identified, prioritized, evaluated, and mitigated across the IRS enterprise. A robust Enterprise Risk Management (ERM) Program is being established that will:
- Provide clear lines of sight into key risks and related controls;
- Determine what risk areas could negatively affect the IRS’s ability to carry out our mission;
- Identify resources, processes, policies, and procedures needed to proactively manage risk;
- Create awareness and leverage any existing risk management infrastructure in the operating units;
- Provide a coordinated and common framework for capturing and reporting risk information; and
- Share risk mitigation practices across the IRS.
The goal of the ERM program is not to achieve zero risks. Rather, the objective is to have a program in place that can properly identify and assess risks and provide senior management the information necessary to make sound decisions, with risk being one of the core elements of the decision-making framework.

Finally, it is important to note that risk management cannot be an isolated function. It requires a seat at the table with the most senior executives in the organization, where enterprise-level risks can be identified, assigned for action, and monitored for success or further mitigation. The IRS Chief Risk Officer will be responsible for implementing such a program but will do so in collaboration with the business owners in order to yield the kind of results that will bring transparency to critical organizational risks and provide the opportunity to mitigate them long before they have negative impacts on the IRS.”

The IRS followed these recommendations and in the twelve years since this report was issued built a comprehensive ERM program that enabled the timely flow of information about critical risks throughout the organization, facilitated more risk-informed decision-making, managed and mitigated risks in a collaborative manner with risk owners, and developed risk professionals that served as strategic advisors to leadership and management on risk related matters. The IRS designed its ERM program so that it would have a seat at the table, would inform decision-making, and would add value for the organization. Those attributes were essential ingredients that ensured the IRS’s ERM program didn’t become just a producer of risk lists.

In recognition of its accomplishments in establishing a mature and integrated ERM capability, the IRS received the RIMS ERM Global Award of Distinction in 2021 and the AFERM ERM Luminary Award in 2023 – awards where the primary criterion was an assessment of the value and positive outcomes demonstrated and achieved for an organization through its ERM program.

Today, a reevaluation of ERM is taking place in many agencies, including the IRS, where memories of the crisis that engulfed the organization in 2013 have seemingly faded away. Even OMB, which set out the requirements for all federal agencies to practice ERM in its 2016 update to Circular A-123, is apparently considering a rewrite that would largely do away with the “enterprise” consideration of risk.

There really couldn’t be a worse time to consider de-emphasizing ERM, especially if we don’t want to repeat the mistakes of the past. Given the major changes that are happening across the government, including widescale staffing reductions, reorganizations, program overhauls, and more, the risk landscape facing most federal agencies is getting much riskier, and the potential for major risk events is growing, not diminishing. To avoid spurring a new round of crises in this current environment, agency leadership should be leveraging their ERM teams to help them navigate through these changes, provide insight into what could go wrong, as well as what must go right, and inform decision-making so that the likelihood and/or impact of potential risk events can be minimized.

However, not all agency ERM programs are positioned and resourced to deliver this type of support. Some have not been equipped or enabled to do more than deliver risk lists, which has then led to questions about the value of maintaining an ERM capability. The risks we face today require stronger and more effective ERM capabilities across government. And for those wondering how to go about doing that, the advice in Danny Werfel’s 30-day report from June 2013 about how to set up an ERM program might be a good place to start. Absent acting on that advice, we might start seeing a whole new batch of 30-day reports in the not-too-distant future.

Tom Brandt was the Chief Risk Officer at the IRS from 2014-2021. He currently serves as the Director of Planning and Risk / Chief Risk Officer for the Federal Retirement Thrift Investment Board. The views in this article are expressed in his own personal capacity.