Leveraging ERM and risk management for a higher goal
Tuesday, October 28, 2025
Posted by: Vince Lungaro
By: Doug Webster, PhD, Principal with TFC Consulting
Risk would not exist if it were not for…change! In a world without change, every outcome would be solidly predictable. It is the uncertainty of change that defines risk. The public sector, and particularly the federal government, has seen more change in the past year than many of us have experienced in our lifetimes. While the merits of specific changes are always open to debate, the increased uncertainty of intended results due to this change is without question. What does this mean to those of us with responsibility for managing risk in the delivery of results?
Unfortunately, those within the risk management community of practice have often failed to make the case that risk should be a critical element of every significant management decision. Risk management is not simply an activity to help ensure achievement of objectives once established. It is not a Go/No Go step to be passed once a decision has otherwise been made. Instead, it should be a critical element in establishing those objectives at the outset and then determining how those desired results are to be achieved. Many organizations use risk management as an analytical tool to increase the likelihood of achieving an objective without ever considering the risk of having selected suboptimal or inappropriate objectives.
How do we broaden the conversation around risk management and make it more applicable to every manager and leader in an organization, and not just the functional risk management community? Moreover, how do we make every employee a risk manager and not simply those with the term “risk” in their job description? We must demonstrate how risk is ultimately part of a much broader and critical conversation that impacts, and is impacted by, every organization member.
If risk is defined as “the effect of uncertainty on objectives”, risk does not originate after objectives have been defined. Risk management is an inherent part of selecting optimal objectives in the first place. This requires understanding why the organization/agency exists in terms of customers, and the products and/or services intended to be delivered to those customers. Also included in defining the value provided by an organization is understanding who the key stakeholders are--beyond customers of products and services--that define value. In the federal government, this would include those providing resources (e.g., Congress), those establishing government-wide operational requirements (e.g., OMB, OPM, etc.), and agency leadership.
Maximizing the value provided by organizations to their customers and other stakeholders requires first identifying who specifically those key stakeholder groups are, and what they deem to be of value related to your potential products and services. It is frequently the case that different stakeholder groups for any one organization will have different needs and priorities for products and services. Balancing tradeoffs in meeting key stakeholder group needs is a starting point for setting direction.
Carrying this concept one step further in complexity, most organizations seek to deliver more than one specific product or service. Maximizing stakeholder value (i.e., overall organizational risk adjusted ROI) thus requires maximizing the value of an organization’s overall portfolio of products and services. This means that any organization should seek to employ their limited resources in a manner that maximizes overall value of the portfolio of stakeholder products and services, even if this requires a reduced ROI for certain individual products or services. This portfolio management approach is identical to a key concept of enterprise risk management, which seeks to manage risk of the overall portfolio of products and services, rather than managing risks of organizational elements independent of one another.
If delivering value is the destination of an effective organization, then what is the path to get there? What is needed is a “roadmap” that envisions a particular destination (i.e., maximum stakeholder value), and then provides the steps necessary to achieve that destination.
Strategic planning provides the initial road map to align stakeholder objectives with organizational resources and capabilities in a manner that can deliver maximum organizational value. Such strategic planning requires careful identification of key stakeholders and what potential organizational products or services these stakeholders consider to be of benefit.
While any strategic planning effort begins at a high and sometimes abstract level, it must be further refined until specific organizational objectives, satisfied with the delivery of specific products or services, can be defined. At this point, the level of resource consumption for delivery of specific products and services can be estimated, along with the associated risk to delivery. By applying a strategic planning process that aligns customer needs and desires with organizational capabilities, and cascades down from strategic goals to specific operational objectives, the delivery of particular products and services can be defined and optimized.
A critical element of this planning process is the explicit recognition that goals, objectives, and the delivery of products and services must be balanced with available resources and acceptable risks. This is a collaborative, interactive process in which the ideal balance of outputs delivered, resources consumed, and risks accepted is established. It is not simply a process of delivering as much product or service as allowed by available resources, and then evaluating if the remaining risk is acceptable.
Typically, an organization is responsible for delivering more than a single product or service. Balancing results sought, resources allocated, and risks accepted across a large organization delivering multiple products and services can be particularly challenging, as the choices and tradeoffs made must optimally benefit the overall organization as a whole, and not simply one of numerous functional silos. For example, more resources provided to the CIO can improve information technology capabilities, reduce IT risks due to cyber security lapses, etc. However, at what point are additional resources provided to IT outweighed by the negative impact of reduced budgets to other overhead functions, or even to key enterprise mission functions? The goal of maximizing agency value must thus include consideration of the results to be achieved from all programmatic and support functions, how overall agency resources are allocated in support of these functions, and how risks are best treated or accepted for the benefit of the overall organization, and not suboptimized for the benefit of an organizational silo. This agency-wide optimization process requires a governance process with the following attributes:
- Balances tradeoffs of results sought (performance), resources allocated (budget) and risks accepted across the agency (consistent with high level guidance/restrictions) to optimize delivery of agency strategic goals and objectives to key external stakeholders.
- Communicates guidance downwards for execution by subordinate-level organizational units.
- Communicates challenges and obstacles upwards to seek revisions or further guidance.
- Communicates horizontally across agency functions to facilitate value optimization for the overall agency.
Summary
Risk management in general, and Enterprise Risk Management in particular, have matured and spread significantly over the past two decades. This progress could be greatly leveraged further if these concepts are not viewed as simply the domain of risk managers, but as an integral element of optimizing overall delivery of value to organizational customers and other stakeholders. ERM should thus transition from a message to those interested in managing risks, to those seeking to deliver greatest value. In this way, ERM is a critical element of all management discussions.
Unfortunately, the messaging of the importance of ERM to successful organizational delivery of value has met recent hurdles in the federal government, given the removal of ERM from OMB Circular A-123. At a time of perhaps the greatest change in federal operations this country has seen in many of our lifetimes, ERM is more important than ever. Understanding how ERM is a critical element of a far broader and more important conversation—the maximization of value delivered by organizations to customers and key stakeholders—can perhaps be a means of regaining the momentum to move forward to a more outcome-oriented government.
Doug Webster, PhD, is a Principal with TFC Consulting and is a recognized pioneer in federal ERM. He served as the CFO of the US Dept. of Labor in 2008 and was AFERM’s founding president in 2011. He has written books in ERM including “Managing Risk and Performance: A Guide for Government Decision Makers” and “Value Based Management in Government”. He is a frequent speaker on ERM and Value Based Management.