
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>News and Announcements</title>
<link>https://www.aferm.org/news/default.asp</link>
<description><![CDATA[  &nbsp; ]]></description>
<lastBuildDate>Wed, 13 May 2026 17:30:24 GMT</lastBuildDate>
<pubDate>Fri, 27 Feb 2026 01:38:00 GMT</pubDate>
<copyright>Copyright &#xA9; 2026 Association for Federal Enterprise Risk Management</copyright>
<atom:link href="https://www.aferm.org/news/news_rss.asp?cat=18575" rel="self" type="application/rss+xml"></atom:link>
<item>
<title>Integrating Enterprise Risk Management into Performance Management</title>
<link>https://www.aferm.org/news/news.asp?id=721133</link>
<guid>https://www.aferm.org/news/news.asp?id=721133</guid>
<description><![CDATA[<h3><span style="font-family: Arial;"><span style="font-size: 20px;">By Kristina Narvaez</span></span></h3><h3><span style="box-sizing: border-box; font-weight: 700; font-size: 20px; letter-spacing: 0.3px; text-align: center; background-color: #ffffff; font-family: Arial;">Senior Risk Manager, Smardt Inc.</span></h3><p><span style="font-family: Arial;">Integrating Enterprise Risk Management with a Performance Management System at a federal agency involves aligning risk identification practices with strategic goals, embedding risk assessment into performance reviews, and using risk data to inform resource allocation across the organization. This approach ensures that performance targets are realistic, that risks are managed within tolerance levels, and that mitigation strategies directly support the mission of the federal agency.</span></p><p><span style="font-family: Arial;">It is very important that a federal agency start by aligning its risk profile to its strategic plan (e.g. GPRA Modernization Act plans) so that it can identify, assess and mitigate risks that could affect achieving its mission initiatives. The federal agency should also encourage its employees to identify risks and opportunities associated with performance objectives by fostering an open culture that measures, monitors, and shares risk information across the organization. This requires both top-down and bottom-up approaches, combining senior leadership engagement (top-down) with operational staff insights (bottom-up) to ensure that comprehensive risk management practices across all organizational levels are built into the performance management system.</span></p><p><span style="font-family: Arial;">Federal agencies should use their risk appetite statement to guide their decision-making process by setting specific and measurable risk boundaries for each of their projects and investments. 
They should also integrate their risk mitigation strategies directly into their performance reviews by monitoring the likelihood and impact of potential risk events in relation to their ability to achieve their strategic initiatives. As part of every employee’s performance evaluation, the employee should be assessed on how well they have managed the risks associated with their job description. Those conducting the performance evaluation should be able to measure, using both key performance indicators and key risk indicators, how well the employee’s risk decisions affected their performance goals.</span></p><p><span style="font-family: Arial;">The goal of integrating Enterprise Risk Management into the performance management system of a federal agency is to move away from a compliance-focused Enterprise Risk Management program to a more strategic, performance-driven approach. This can be done by determining the level of risk the federal agency is willing to accept to achieve its strategic goals. The next step is for the federal agency to develop a risk profile by mapping operational risks against performance metrics, utilizing data from tools like the Federal Employee Viewpoint Survey as a starting point. Risk assessments can then be used to prioritize budget funding for high-risk, high-impact areas, connecting risk management practices directly to resource allocation. Implementing structured, ongoing risk communication across the federal agency will ensure that decision-makers make better risk-informed decisions and that employees understand their role in that process.</span></p><p><span style="font-family: Arial;">The U.S. Office of Personnel Management states in its ERM policy, “ERM can help to properly identify and manage risks to performance related to achieving strategic objectives, and improve agency capacity to prioritize efforts, optimize resources, and assess changes in the environment. 
The OPM’s ERM policy establishes a framework for risk management across the agency that is integrated into OPM’s culture and operations.” The U.S. Office of Personnel Management (OPM) integrates Enterprise Risk Management (ERM) into its performance management system by aligning strategic goals with risk appetite, using an Enterprise Risk Profile to identify, assess, and manage risks. The Risk Management Council (RMC) governs this process, aligning performance reviews with risk mitigation.</span></p><p><span style="font-family: Arial;">OPM’s ERM framework ensures that strategic goals (from the GPRA Modernization Act) are pursued within a defined risk tolerance, directly affecting performance planning and organizational objectives. OPM maintains an annual risk profile, managed by the RMC, which acts as a central repository for significant risks impacting performance and operations. ERM is embedded into daily operations, including budgeting, cybersecurity, and project management, to ensure that performance metrics account for potential threats and opportunities.</span></p><p><span style="font-family: Arial;">Managers are encouraged to address performance issues by identifying risks early, setting clear expectations, and using performance data to inform risk assessments. ERM aligns with the Federal Managers’ Financial Integrity Act (FMFIA) and OMB Circular A-123 to strengthen internal controls and program performance. The RMC oversees these activities to ensure that risks are monitored and mitigated to support OPM’s mission.</span></p><p><em style="box-sizing: border-box; letter-spacing: 0.3px; background-color: #ffffff;"><span style="font-family: Arial;">Kristina Narvaez is a Senior Risk Manager at Smardt, a manufacturing company headquartered in Montreal, Canada. She leads the Enterprise Risk Management (ERM) program, including global supply chain risk management, the global insurance program, strategic initiatives, business continuity, and crisis management plans. Ms. 
Narvaez holds a Bachelor’s degree in environmental risk management from the University of Utah and an MBA from Westminster University.</span></em></p>]]></description>
<pubDate>Fri, 27 Feb 2026 02:38:00 GMT</pubDate>
</item>
<item>
<title>Indigo Airlines Meltdown: Lessons in Risk Management</title>
<link>https://www.aferm.org/news/news.asp?id=720768</link>
<guid>https://www.aferm.org/news/news.asp?id=720768</guid>
<description><![CDATA[<p><strong><span style="font-family: Arial;">By Soumya Chakraverty, Risk Pro Solutions</span></strong></p><p><span style="font-weight: normal; font-family: Arial;">India’s leading airline, Indigo, suffered a meltdown in operations in December 2025 that led the country to chaos and the brink of a stalemate.</span></p><p><span style="font-weight: normal; font-family: Arial;">In case you missed it in the news, the early trouble started around December 2 with flights getting cancelled due to pilot shortages. Things peaked around the 5<sup>th</sup> of December with over 1000 flight cancellations, affecting thousands of passengers. Being a backbone carrier, Indigo’s flight cancellations and delays left passengers stranded at major airports. What followed was pure chaos and a complete meltdown of operations. India’s aviation sector came to a screeching halt within days, affecting almost everyone – business meetings and seminars getting canceled, job interviews getting canceled or postponed, and even people seeking to travel for urgent medical treatment or family emergencies having to postpone or change their plans. This chaos continued for over a week, with familiar pictures emerging of irate passengers arguing with officials at the airline counters, being stranded for days at airports, and baggage piling up on belts. As passenger demand for alternative flight options surged, other airlines engaged in price gouging, and there were some reports of passengers paying Indian Rupees (Rs.) 40,000 for a one-way fare where the regular fare should have been Rs. 
6000 – 8000. As of the time of writing this article, Indigo’s operations are limping back to normalcy.</span></p><p><span style="font-family: Arial;"><strong>Backstory:</strong></span></p><p><span style="font-weight: normal; font-family: Arial;">Indigo’s meteoric ascendancy in the Indian aviation sector has been nothing short of extraordinary. Launched in 2006, following the government’s de-regulation of the Indian aviation sector in the nineties, Indigo quickly captured market share within the fast-growing Indian domestic aviation market. Today Indigo controls about 65% of India’s domestic air travel market. With a fleet of nearly 400 aircraft, it operates about 2200 – 2300 flights daily. Modeled as a low-cost, no-frills carrier with a reputation for punctuality, Indigo operates on all major and feeder routes across the length and breadth of India. In addition to domestic flights, Indigo also operates several international flights to Asian and European cities.</span></p><p><span style="font-family: Arial;"><strong>Reasons behind the Disruption:</strong></span></p><p><span style="font-weight: normal; font-family: Arial;">India’s Directorate General of Civil Aviation (DGCA) (similar to the FAA in the United States) introduced new Flight Duty Time Limitations (FDTL) effective November 1, 2025. Notwithstanding that the announcement of the rule changes came out in January 2024, Indigo Airlines failed to properly plan to comply with the new regulations taking effect. The changes in FDTL required increasing pilots’ weekly rest periods (phase 1, effective in July 2025) and enforcement of stricter limits on night operations (phase 2, effective November 2025). 
DGCA had appointed Flight Operations Instructors to oversee Indigo’s transition to the new roster system, but somewhere along the way they dropped the ball and failed to raise the orange flag to indicate the airline’s lack of preparedness.</span></p><p><span style="font-weight: normal; font-family: Arial;">However, the disruption was not caused by this change alone. According to media sources, compounding the shortage of flight crew were Indigo’s aggressive schedule expansion, software glitches with the flight rostering system, weather delays due to winter fog (a common issue at this time of the year in India), and other technical hiccups. But at the end of the day, it was Indigo’s lack of preparedness for the FDTL changes that stood out as the single biggest reason for this failure. Its key competitors appeared to be much better prepared for FDTL phase 2 and experienced minimal disruptions.</span></p><p><span style="font-family: Arial;"><strong>Fallout:</strong></span></p><p><span style="font-weight: normal; font-family: Arial;">Indigo’s CEO has had to issue a public apology for this catastrophic failure. The DGCA has issued notices to Indigo of impending regulatory action, including financial penalties and suspension of senior officials. To prevent price gouging by other airlines, the government has also had to step in to cap airfares.</span></p><p><span style="font-weight: normal; font-family: Arial;">The financial impact of this disruption was massive, as the airline was directed by India’s civil aviation ministry to process refunds to all impacted passengers, on top of the revenue lost to flight cancellations. 
The full financial impact can only be determined after the dust settles on this crisis. However, the real damage from this catastrophe was to Indigo’s reputation as a punctual and reliable airline, and the crisis exposed the government’s inability to deal with a crisis created by a private sector organization dominating a key sector of the economy.</span></p><p><span style="font-family: Arial;"><strong>Lessons Learned:</strong></span></p><p><span style="font-weight: normal; font-family: Arial;">This lack of preparedness is not an isolated incident; it is an indicator of a systemic failure of an organization to prepare and plan for the future. Faced with unprecedented growth and customer demand, it is typical of organizations like Indigo to overlook operational priorities and focus on cost cutting and product growth. Failure to identify and prepare for emerging risks like regulatory changes probably reflects a key deficiency that many organizations seem to suffer from. Lack of appropriate governance and processes to proactively monitor emerging risks and to identify and plan mitigation strategies can be the telltale difference between companies that stay resilient and those that buckle under the pressures of looming threats and opportunities.</span></p><p><span style="font-weight: normal; font-family: Arial;">To manage a fast growth pace like what Indigo has experienced in the last 20 years, a strong enterprise risk management (ERM) function is a must. A resilient organization can effectively withstand headwinds and maintain growth and a net positive turn when the tides are in its favor. The ERM organization not only has to have a seat at the table within the senior leadership forum of the organization, but also actively 
engage in risk identification, scenario and contingency planning, and risk response strategy evaluations, all integrated with enterprise strategy, planning and budgeting efforts.</span></p><p><span style="font-weight: normal; font-family: Arial;">A little bit of <a href="https://www.goindigo.in/about-us/leadership-team.html?linkNav=Leadership%20Team%7CCOMPANY%7CFooter">research</a> on Indigo’s company website reveals that it does have a Risk and Compliance function. There is a Senior Vice President on their leadership team who is responsible for managing Company Secretarial and Regulatory Compliance affairs. As recently as <a href="https://www.goindigo.in/press-releases/indigo-strengthens-commitment-to-safety-with-advanced-risk-management-technology.html#:~:text=IndiGo%2C%20India's%20leading%20airline%2C%20has%20integrated%20an,Airspace%20security%20*%20Airport%20and%20city%20disruptions">October 2024</a>, they announced major investments in AI-powered risk management tools to enhance operational safety and efficiency. Yet when the crisis hit, these efforts appeared to fall short. So where did they go wrong? Presumably, in setting the right tone and culture at the organizational level for balancing risks with opportunities. Leaning too heavily into operational efficiency and cost cutting meant critical crew shortages and a lack of redundancy (also check out the <a href="https://www.linkedin.com/pulse/when-efficiency-turns-fragile-what-indigo-meltdown-teaches-singh-qdqic/?trackingId=eCy5QnFhRZajorWogaswmw%3D%3D">article</a> written by Gurinderpal Singh on December 8, 2025, analyzing some of Indigo’s key deficiencies). Making the <a href="https://www.hrkatha.com/special/editorial/the-ground-staff-indigo-leadership-abandoned-inside-the-crisis-nobodys-talking-about/">front-line staff scapegoats to face public wrath</a>, putting cost 
cutting over employee well-being, and a lack of redundancy all led to low employee morale and a lack of accountability. This is a familiar script that keeps repeating across many companies, yet lessons do not seem to be learned.</span></p><p><span style="font-family: Arial;"><strong>Too Big to Fail? The Role of the Government:</strong></span></p><p><span style="font-weight: normal; font-family: Arial;">This failure has also raised critical questions on whether Indigo has become too big to fail within one of the fastest growing economies of the world, and whether more government oversight is needed. Of course, no one is talking about going back to a government-owned aviation sector (the decline of Air India as a government-owned airline has been an abject lesson in mismanagement); however, it is critical that appropriate guardrails are set up. As a result of this failure, government regulators have had to temporarily grant Indigo a waiver from the phase 2 FDTL regulations to allow operations to stabilize.</span></p><p><span style="font-weight: normal; font-family: Arial;">It is not sufficient for regulatory bodies to make changes to regulations and throw them over the wall for companies to comply with. The government also has a watchdog responsibility to oversee the implementation of regulatory changes and to create a crisis management plan to prevent and manage catastrophic situations such as these, especially those caused by such Too Big to Fail companies.</span></p><p><span style="font-weight: normal; font-family: Arial;">Questions have also been raised as to whether a single airline should be allowed to control 65% of the country’s market. Its large scale means that Indigo is now a systemic risk for the entire transportation sector in India. Aviation 
experts are asking the government to encourage competition by reducing barriers to entry, including high fuel taxes, to make the sector more resilient and prevent a single point of failure.</span></p><p><span style="font-family: Arial;"><strong>Conclusion:</strong></span></p><p><span style="font-weight: normal; font-family: Arial;">We can only hope that this catastrophic meltdown of air traffic operations in one of the fastest growing economies will not be just another forgotten episode in this world of ever-changing headlines. Also, it is not enough to make someone the fall guy/gal for this episode and make heads roll. Instead, lessons learned should be analyzed carefully to bring about the real systemic change needed both within the corporate world and within policy making by the government. Some of the key lessons learned are as follows:</span></p><ul style="list-style-type: disc;"><li><span style="font-weight: normal; font-family: Arial;">Efficiency is good, but not to the point where it makes the organization fragile.</span></li><li><span style="font-weight: normal; font-family: Arial;">Contingency planning is essential; even the best-laid plans can fail in a crisis.</span></li><li><span style="font-weight: normal; font-family: Arial;">Make ERM and Compliance a strategic imperative and integrate them into decision making.</span></li><li><span style="font-weight: normal; font-family: Arial;">Reinforce values of ethics, playing by the rules and doing the right thing throughout the organization.</span></li><li><span style="font-weight: normal; font-family: Arial;">Invest in the human workforce and build a culture of transparency, risk awareness and resilience.</span></li><li><span style="font-weight: normal; font-family: Arial;">From a government perspective – protect the consumer by encouraging competition through fair market policies and discouraging 
oligopoly, especially within critical infrastructure sectors.</span></li></ul><p><span style="font-weight: normal;"><em><span style="font-family: Arial;">Soumya Chakraverty is the President and Managing Consultant of Risk Pro Solutions, LLC, a small business advisory firm specializing in enterprise and operational risk management and internal controls. He is an experienced risk management consultant, a past Board Member of AFERM and currently the Chair of the Marketing and Communications Committee.</span></em></span></p>]]></description>
<pubDate>Mon, 23 Feb 2026 16:53:00 GMT</pubDate>
</item>
<item>
<title>ERM Has Become More Important than Ever Before</title>
<link>https://www.aferm.org/news/news.asp?id=720766</link>
<guid>https://www.aferm.org/news/news.asp?id=720766</guid>
<description><![CDATA[<p style="text-align: center;"><b><span style="font-family: Arial;">&nbsp;</span></b><b style="font-family: Arial;">By Thomas H. Stanton</b></p> <p><span style="font-family: Arial;">OMB Circular No. A‑11 (2025) states, “Enterprise Risk Management (ERM) is a systematic process for identifying, assessing, and managing risks that may impact the achievement of an agency’s strategic objectives, including those related to mission delivery, operations, compliance, and public trust.” ERM is seen as critically important to organizations because it facilitates the flow of information about major risks from across the organization to decision makers who need that information so they can act before harm occurs. In today’s federal context—marked by shifting objectives, workforce disruption, and heightened uncertainty—ERM has become not merely useful, but essential.</span></p> <p><span style="font-family: Arial;">The 2024 federal election brought a presidential Administration to power with significant differences in organizational objectives from the previous Administration. High‑level objectives relating to social equity, for example, have been set aside, while objectives focused on reducing the size of the federal government and cutting federal regulations have gained increasing emphasis. The degree of change varies widely across agencies. Objectives of the Federal Aviation Administration relating to air traffic control have changed far less than those of the Consumer Financial Protection Bureau, which the incoming Administration initially sought to eliminate. In such an environment, ERM serves not only to protect organizational objectives, but also to clarify them. 
Because ERM explicitly evaluates risks in relation to stated objectives, it exposes situations in which objectives are unclear, inconsistent, or rapidly evolving—a frequent condition in today’s federal government.</span></p> <p><span style="font-family: Arial;">Organizational uncertainty has increased in other ways as well. The Department of Government Efficiency (DOGE), officially established by executive order on January 20, 2025, and largely ending in November 2025, contributed to a reduction of the federal workforce by several hundred thousand employees. Workforce reductions disproportionately affected seasoned federal officials who accepted buyouts or early retirement. The loss of experienced personnel diminishes organizational capacity, at least until successors acquire comparable institutional knowledge. ERM becomes especially valuable in this context because it captures institutional memory in formal risk profiles, risk registers, and mitigation plans—preserving knowledge that might otherwise be lost when experienced staff depart.</span></p> <p><span style="font-family: Arial;">Federal downsizing also targeted sources of independent and internal risk information, including Inspectors General, evaluation offices, and in some cases Chief Risk Officer (CRO) offices themselves. The scope of this turbulence is reflected in the title of a weekly publication of the American Society for Public Administration (ASPA), “Federal Workforce in Turmoil.” As traditional oversight and evaluative functions weaken, ERM increasingly functions as a low‑cost, internal early‑warning system—helping agencies identify mission‑threatening risks before they trigger public failure. Compared with after‑the‑fact damage control, ERM represents a cost‑effective approach to risk governance in fiscally constrained environments.</span></p> <p><span style="font-family: Arial;">The Office of Personnel Management (OPM) has further increased uncertainty by extending it to the individual level. 
On February 6, 2026, OPM issued a final rule, <i>Improving Performance, Accountability and Responsiveness in the Civil Service</i>, allowing agencies to move “policy‑influencing” positions into a new excepted service category, Schedule Policy/Career. While these positions remain career and nonpartisan, they become at‑will, with reduced adverse action procedures and appeal rights. Although statutory whistleblower protections remain, changes to appeal mechanisms may weaken their practical effectiveness. This personnel context fundamentally alters the incentives for employees to report emerging risks.</span></p> <p><span style="font-family: Arial;">Traditionally, a major strength of ERM has been its ability to encourage information flow about major risks from throughout the organization. In the current environment, however, employees may reasonably fear being blamed—or worse—for reporting “bad news.” For employees to surface major risks, organizations require a culture that treats risk identification as a value-added responsibility rather than an act of disloyalty. When employees fear bringing “bad news” to superiors, this makes ERM more difficult to implement at precisely the moment when it is most needed.</span></p> <p><span style="font-family: Arial;">At the same time, today’s context strengthens the case for ERM as a tool for governing under uncertainty rather than merely managing risk. When risks are reported, ERM institutionalizes judgment, enabling leaders to think systematically about uncertainty rather than relying on ad hoc reactions. It also emphasizes resilience—the capacity to absorb shocks and recover when risks materialize in unexpected ways—rather than assuming all risks can be prevented.</span></p> <p><span style="font-family: Arial;">How, then, should federal agencies proceed? As with ERM generally, support from the top remains critical. 
In agencies where leadership enjoys clear backing—such as parts of the Treasury and Transportation Departments—this may be more feasible than elsewhere. There is also a compelling political logic for ERM adoption. Political appointees typically wish to leave office without major failures tarnishing their reputations. ERM provides a defensible decision‑making framework by documenting that major risks were identified, elevated, considered, and either mitigated or consciously accepted. In this sense, ERM protects not only agency missions, but leaders themselves.</span></p> <p><span style="font-family: Arial;">Ultimately, the paradox of the current federal environment is that the same forces making ERM harder to implement—workforce loss, fear‑based personnel systems, weakened oversight, and rapidly changing objectives—are precisely the forces that make ERM indispensable. By clarifying objectives, preserving institutional memory, encouraging information flow, strengthening resilience, and enabling informed judgment under uncertainty, ERM has become more important than ever to political appointees, career leaders, and the public missions they seek to serve.</span></p> <p><i><span style="font-family: Arial;">Thomas H. Stanton is a former President of AFERM. He teaches ERM for the Center for Excellence in Public Leadership at George Washington University.</span></i></p>]]></description>
<pubDate>Mon, 23 Feb 2026 16:50:00 GMT</pubDate>
</item>
<item>
<title>From A-123 to A-11: Enterprise Risk Management’s Evolving Strategic Role</title>
<link>https://www.aferm.org/news/news.asp?id=713422</link>
<guid>https://www.aferm.org/news/news.asp?id=713422</guid>
<description><![CDATA[<p style="text-align: center;">By:&nbsp;Nadya Korobko<br />Manager, Deloitte</p><p style="text-align: left;">For nearly a decade, the Office of Management and Budget (OMB) Circular A-123, <em>Management's Responsibility for Enterprise Risk Management and Internal Control</em>, positioned Enterprise Risk Management (ERM) as a component of internal control and assurance. With the 2025 update to <em><a href="https://www.whitehouse.gov/wp-content/uploads/2025/08/a11.pdf" target="_blank">OMB Circular A-11, Preparation, Submission, and Execution of the Budget</a></em>, ERM is now central to strategic planning, performance management, and public accountability. This transition elevates ERM from a compliance-focused activity to a strategic leadership tool, shifting its emphasis from internal documentation to public reporting and from risk registers to executive decision-making.</p><p style="text-align: left;"><strong>OMB A-123: Establishing the Foundation (2016–2025)</strong></p><ul><li style="text-align: left;">Mandate and Scope: A-123 defined management’s responsibility for ERM and internal control, creating a unified framework linked to the Federal Financial Management Improvement Act (FFMIA) and agency assurance processes. 
Agencies were directed to establish risk profiles and governance structures (e.g., a Chief Risk Officer or risk board) and to integrate ERM with internal control.</li><li style="text-align: left;">Risk Profile as Core Artifact: Agencies identified, assessed, and prioritized enterprise risks in a risk profile that informed internal control evaluations and the annual Statement of Assurance.</li><li style="text-align: left;">Objective Coverage: Guidance reinforced that ERM spans strategic, operational, reporting, and compliance objectives.</li></ul><p style="text-align: left;">Bottom Line: Under A-123, ERM matured as a governance discipline but remained primarily focused on controls and assurance.</p><p style="text-align: left;"><strong>Emerging Concerns</strong><br /><a href="https://federalnewsnetwork.com/management/2025/05/omb-revamping-a-123-removing-many-enterprise-risk-concepts/" target="_blank">Recent reporting</a> indicates that the forthcoming revision to A-123 may remove many ERM references, refocusing on internal control. This has raised concerns among ERM program owners regarding visibility and support. However, ERM is not being eliminated; rather, it is being repositioned under A-11, where it will influence strategic reviews, performance reporting, and leadership decisions.<br /></p><div><strong>OMB A-11: ERM’s Strategic Integration</strong><br />The August 30, 2025 update to OMB Circular A-11 makes ERM requirements explicit within its strategic planning and performance review sections. To implement this guidance, agencies are expected to:</div><ul><li>Take a portfolio view of risk.</li><li>Define risk appetite and tolerance.</li><li>Embed governance processes to prioritize and monitor significant risks.</li></ul><div>A key change is the requirement for agency heads and Chief Operating Officers to annually review progress against each strategic objective, considering all risks (budgetary, regulatory, legislative, and more) that could impact achievement. 
Agencies are encouraged to update risk profiles during these reviews and use findings to adjust strategies.</div><p style="text-align: left;"><em>“ERM and strategic planning and performance should be viewed as complementary efforts to be orchestrated with each other, not as independent activities. ... Successful integration of ERM into an agency's day-to-day decision-making and management practices will enable an agency to leverage opportunities for managing, mitigating, or avoiding risks that affect strategic goals and objectives, which will ultimately result in more resilient and effective programmatic operations.”</em></p><p style="text-align: left;">Under the <a href="https://www.govinfo.gov/app/details/PLAW-118publ190" target="_blank">Federal Agency Performance Act of 2024</a>, A-11 now requires agencies to publicly disclose risks in their Annual Performance Reports (APR). Each goal or objective must include a summary of progress, likelihood of achievement, and identification of risks or impediments. ERM has thus evolved from an internal management process to a public accountability mechanism.</p><p style="text-align: left;"><strong>Implications for ERM Leaders</strong><br />This transition presents new opportunities. Under A-123, ERM supported certification of internal controls. Under A-11, ERM informs strategic decision-making, resource allocation, and performance transparency.</p><p style="text-align: left;">Rather than producing risk profiles solely for control assessments, ERM leaders will now shape risk narratives and evidence that inform strategic reviews and Annual Performance Reports. Senior leaders will use this analysis to make trade-offs, adjust strategies, and communicate risks to OMB, Congress, and the public.</p><p style="text-align: left;">ERM is now more visible, consequential, and directly linked to mission outcomes. 
ERM programs will be evaluated not only on risk register maintenance but also on their contribution to strategic decision-making.</p><p style="text-align: left;"><strong>Recommended Actions</strong></p><p style="text-align: left;">For program owners, the following steps should be considered:</p><ul><li style="text-align: left;">Maintain A-123 Discipline: Continue developing risk profiles and governance structures, integrating them into quarterly and annual performance decisions and the APR.</li><li style="text-align: left;">Integrate with A-11 Processes: Ensure each strategic objective in annual reviews includes a clear risk narrative, identifying top impediments, their likelihood, and mitigation options.</li><li style="text-align: left;">Elevate the Portfolio View: Consolidate programmatic, operational, IT, and reputational risks into a comprehensive portfolio for leadership decision-making.</li><li style="text-align: left;">Prepare for Public Transparency: Collaborate with performance and evidence officers to ensure risk narratives are seamlessly incorporated into the APR for external visibility.</li></ul><p style="text-align: left;">To find out more about ERM and strategic planning and performance integration, contact:</p><div><strong>Cynthia Vitters</strong><br />Managing Director&nbsp;<br />Deloitte &amp; Touche LLP<br />+ 15718580857 | <a href="mailto:cvitters@deloitte.com">cvitters@deloitte.com</a><br /><div>&nbsp;</div><strong>Anthony Fratta</strong><br />Managing Director&nbsp;<br />Deloitte &amp; Touche LLP<br />+ 15718827708 | <a href="mailto:afratta@deloitte.com">afratta@deloitte.com</a><br /><div>&nbsp;</div><p>Nadya Korobko has over 14 years of experience leading risk management, process automation, internal controls, compliance, and policy development throughout DHS and DoD. 
She has extensive experience in risk-based planning, deficiency remediation, and ERM program maturation, including risk appetite development, risk quantification, and operationalization of the risk profile. She leads the design, development, and dissemination of Palantir-enabled risk management tools that provide enterprise-wide risk context to forward-looking decision-making through LLM-based visualized analysis.<br /></p><p>&nbsp;</p><p><em>This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.</em></p><p><em>As used in this document, “Deloitte” means Deloitte &amp; Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.</em></p><p><em>Copyright © 2025 Deloitte Development LLC. All rights reserved.</em><br /></p><div>&nbsp;</div><br /></div>]]></description>
<pubDate>Wed, 29 Oct 2025 16:22:00 GMT</pubDate>
</item>
<item>
<title>How to Integrate Supply Chain Risk Management Into an Organization’s ERM Program </title>
<link>https://www.aferm.org/news/news.asp?id=713338</link>
<guid>https://www.aferm.org/news/news.asp?id=713338</guid>
<description><![CDATA[<p style="text-align: center;"><span style="font-size: 20px;"><strong>By: Kristina Narvaez<br />Senior Risk Manager, Smardt Inc.&nbsp;</strong></span></p><p>Supply chain risk management (SCRM) can be integrated into an Enterprise Risk Management (ERM) program by treating supply chain risks as a critical component of the organization's overall risk landscape, and not just a procurement exercise. This involves systematically identifying and assessing supply chain risks, developing mitigation and contingency plans, monitoring risk factors through multi-tier mapping and technology, fostering a risk-aware culture, and ensuring transparent communication across all organizational levels. By aligning SCRM with the broader ERM framework, organizations can achieve greater resilience, improve strategic decision-making, and enhance overall business continuity.&nbsp;</p><p>The first question to ask is how to integrate SCRM into the ERM framework. Supply Chain Risk Management activities should align with the organization’s strategic objectives by supporting the broader ERM goals of resilience and informed decision-making. A resilient supply chain is no longer just a defensive measure, but a strategic capability that enables an organization not only to withstand disruptions, but also to thrive during periods of uncertainty.&nbsp; Resilient supply chains provide a competitive edge by enabling faster response times to disruptions than competitors, ensuring customer needs are met, and capturing market share during turbulent times.</p><p>By mapping the supply chain from end to end, organizations can identify potential vulnerabilities and emerging threats before they become a crisis. This includes assessing risks like supplier financial instability, geopolitical tensions, and climate-related events. Reducing reliance on a single supplier or geographic region is key in a Supply Chain Risk Management strategy. 
This diversification, sometimes called “friendshoring” or “nearshoring”, minimizes the impact of a disruption to a single supplier. It is important for organizations to reconsider the “just-in-time” model and strategically stockpile critical components to act as a buffer against a supply chain disruption. By using technology like real-time tracking, AI, and data analytics, organizations can gain insight into supplier performance and logistics. This allows for proactive risk identification and faster, data-driven decision-making.</p><p>When creating backup plans for supplier disruptions, an organization should diversify its supplier base by identifying and vetting multiple vendors, including vendors in different geographical regions. There needs to be a focus on maintaining a buffer inventory for critical parts to create a strategic safety net. Enhancing supply chain visibility through technology helps an organization anticipate and respond to issues sooner. The next step is to develop robust communication strategies with suppliers to stay informed and collaborate on contingency plans. Finally, an organization should test and refine its plans through exercises and simulations to ensure its responses are effective during actual disruptions.</p><p>Another consideration is to compile a list of potential suppliers for critical components or materials, then vet and qualify alternative suppliers, ideally ensuring they are in different geographic regions or have their own diverse supply chains, to mitigate risks like labor shortages or port issues. It is important to review and update supply chain risk assessments for changing circumstances. An organization needs to continuously monitor the supply chain for new risks, periodically reassess known risks, use real-time data and predictive analytics, collaborate across functions, and document all changes. 
This involves a cyclical process of risk identification, analysis, mitigation, and monitoring, often facilitated by technology to manage evolving risks effectively. Organizations can use technology to get real-time alerts and track key performance indicators like on-time delivery, which can signal potential disruptions. By leveraging AI and other tools to forecast supplier performance, an organization can detect early signs of trouble and model potential mitigation scenarios.</p><p>To review and update supply chain risk assessments for changing circumstances, an organization must continuously monitor the supply chain for new risks, perform regular audits, conduct scenario planning, leverage technology for real-time data and analytics, strengthen supplier relationships, and strategically diversify its supplier base and inventory resilience. It is important for organizations to understand their entire network to identify vulnerabilities, including all suppliers, logistics, and potential disruption points.&nbsp;</p><p>It is critical for the success of an organization’s Supply Chain Risk Management program to have a cross-functional risk communication plan that cultivates a culture of psychological safety where employees feel comfortable sharing concerns, regardless of their role. These strategies involve establishing unified goals, creating clear communication channels, and utilizing dedicated technologies to foster transparency and shared understanding of risks across all departments.<br /></p><div><em>Kristina Narvaez is a Senior Risk Manager at Smardt, a manufacturing company headquartered in Montreal, Canada.&nbsp; She leads the Enterprise Risk Management (ERM) program, including global supply chain risk management, global insurance program, strategic initiatives, business continuity, and crisis management plans.&nbsp; Ms. 
Narvaez holds a Bachelor’s degree in environmental risk management from the University of Utah and an MBA from Westminster University.<br /></em></div>]]></description>
<pubDate>Tue, 28 Oct 2025 16:15:00 GMT</pubDate>
</item>
<item>
<title>Leveraging ERM and risk management for a higher goal</title>
<link>https://www.aferm.org/news/news.asp?id=713337</link>
<guid>https://www.aferm.org/news/news.asp?id=713337</guid>
<description><![CDATA[<p style="text-align: center;"><span style="font-size: 20px;"><strong>By: Doug Webster, PhD<br />Principal with TFC Consulting</strong></span></p><p>Risk would not exist if it were not for…change!&nbsp; In a world without change, every outcome would be solidly predictable.&nbsp; It is the uncertainty of change that defines risk.&nbsp; The public sector, and particularly the federal government, has seen more change in the past year than many of us have experienced in our lifetimes.&nbsp; While the merits of specific changes are always open to debate, the increased uncertainty of intended results due to this change is without question. What does this mean to those of us with responsibility for managing risk in the delivery of results?<br /><br />Unfortunately, those within the risk management community of practice have often failed to make the case that risk should be a critical element of every significant management decision.&nbsp; Risk management is not simply an activity to help ensure achievement of objectives once established.&nbsp; It is not a Go/No Go step to be passed once a decision has otherwise been made.&nbsp; Instead, it should be a critical element in establishing those objectives at the outset and then determining how those desired results are to be achieved. Many organizations use risk management as an analytical tool to increase the likelihood of achieving an objective without ever considering the risk of having selected suboptimal or inappropriate objectives.&nbsp;&nbsp;<br /><br />How do we broaden the conversation around risk management and make it more applicable to every manager and leader in an organization, and not just the functional risk management community?&nbsp; Moreover, how do we make every employee a risk manager and not simply those with the term “risk” in their job description? 
We must demonstrate how risk is ultimately part of a much broader and critical conversation that impacts, and is impacted by, every organization member.<br /><br />If risk is defined as “the effect of uncertainty on objectives”, risk does not originate after objectives have been defined.&nbsp; Risk management is an inherent part of selecting optimal objectives in the first place.&nbsp; This requires understanding why the organization/agency exists in terms of customers, and the products and/or services intended to be delivered to those customers.&nbsp; Also included in defining the value provided by an organization is understanding who the key stakeholders are--beyond customers of products and services--that define value.&nbsp; In the federal government, this would include those providing resources (e.g., Congress), those establishing government-wide operational requirements (e.g., OMB, OPM, etc.), and agency leadership.<br /><br />Maximizing the value provided by organizations to their customers and other stakeholders requires first identifying who specifically those key stakeholder groups are, and what they deem to be of value related to your potential products and services.&nbsp; It is frequently the case that different stakeholder groups for any one organization will have different needs and priorities for products and services.&nbsp; Balancing tradeoffs in meeting key stakeholder group needs is a starting point for setting direction.<br /><br />Carrying this concept one step further in complexity, most organizations seek to deliver more than one specific product or service.&nbsp; Maximizing stakeholder value (i.e., overall organizational risk adjusted ROI) thus requires maximizing the value of an organization’s overall portfolio of products and services.&nbsp; This means that any organization should seek to employ their limited resources in a manner that maximizes overall value of the portfolio of stakeholder products and services, even if this requires a 
reduced ROI for certain individual products or services. This portfolio management approach is identical to a key concept of enterprise risk management, which seeks to manage risk of the overall portfolio of products and services, rather than managing risks of organizational elements independent of one another.<br /><br />If delivering value is the destination of an effective organization, then what is the path to get there?&nbsp; What is needed is a “roadmap” that envisions a particular destination (i.e., maximum stakeholder value), and then provides the steps necessary to achieve that destination.<br /><br />Strategic planning provides the initial road map to align stakeholder objectives with organizational resources and capabilities in a manner that can deliver maximum organizational value. Such strategic planning requires careful identification of key stakeholders and what potential organizational products or services these stakeholders consider to be of benefit.&nbsp;&nbsp;<br /><br />While any strategic planning effort begins at a high and sometimes abstract level, it must be further refined until specific organizational objectives, satisfied with the delivery of specific products or services, can be defined.&nbsp; At this point, the level of resource consumption for delivery of specific products and services can be estimated, along with the associated risk to delivery.&nbsp; By applying a strategic planning process that aligns customer needs and desires with organizational capabilities, and cascades down from strategic goals to specific operational objectives, the delivery of particular products and services can be defined and optimized.&nbsp;&nbsp;<br /><br />A critical element of this planning process is the explicit recognition that goals, objectives, and the delivery of products and services must be balanced with available resources and acceptable risks.&nbsp; This is a collaborative, interactive process in which the ideal balance of outputs delivered, 
resources consumed, and risks accepted is established.&nbsp; It is not simply a process of delivering as much product or service as available resources allow, and then evaluating whether the remaining risk is acceptable.&nbsp;&nbsp;<br /><br />Typically, an organization is responsible for delivering more than a single product or service.&nbsp; Balancing results sought, resources allocated, and risks accepted across a large organization delivering multiple products and services can be particularly challenging, as the choices and tradeoffs made must optimally benefit the organization as a whole, and not simply one of numerous functional silos.&nbsp; For example, more resources provided to the CIO can improve information technology capabilities, reduce IT risks due to cyber security lapses, etc.&nbsp; However, at what point are additional resources provided to IT outweighed by the negative impact of reduced budgets for other overhead functions, or even for key enterprise mission functions?&nbsp; The goal of maximizing agency value must thus include consideration of the results to be achieved from all programmatic and support functions, how overall agency resources are allocated in support of these functions, and how risks are best treated or accepted for the benefit of the overall organization, and not suboptimized for the benefit of an organizational silo.</p><p>This agency-wide optimization process requires a governance process with the following attributes:</p><ol><li>Balances tradeoffs of results sought (performance), resources allocated (budget), and risks accepted across the agency (consistent with high-level guidance/restrictions) to optimize delivery of agency strategic goals and objectives to key external stakeholders.</li><li>Communicates guidance downwards for execution by subordinate-level organizational units.</li><li>Communicates challenges and obstacles upwards to seek revisions or further guidance.</li><li>Communicates horizontally across agency 
functions to facilitate value optimization for the overall agency.</li></ol><div style="text-align: center;"><img alt="" src="https://cdn.ymaws.com/aferm.site-ym.com/resource/resmgr/newsletter/2025/q4/outcomes.png" style="width: 326px; height: 414px; left: 95.1667px;" /></div><p style="text-align: center;"><strong>Summary</strong><br /></p><p style="text-align: left;">Risk management in general, and Enterprise Risk Management in particular, have matured and spread significantly over the past two decades.&nbsp; This progress could be leveraged much further if these concepts were viewed not simply as the domain of risk managers, but as an integral element of optimizing overall delivery of value to organizational customers and other stakeholders. ERM should thus transition from a message to those interested in managing risks, to those seeking to deliver the greatest value.&nbsp; In this way, ERM becomes a critical element of all management discussions.<br /><br />Unfortunately, the messaging of the importance of ERM to successful organizational delivery of value has met recent hurdles in the federal government, given the removal of ERM from OMB Circular A-123.&nbsp; At a time of perhaps the greatest change in federal operations this country has seen in many of our lifetimes, ERM is more important than ever.&nbsp; Understanding how ERM is a critical element of a far broader and more important conversation—the maximization of value delivered by organizations to customers and key stakeholders—can perhaps be a means of regaining the momentum to move forward to a more outcome-oriented government.<br /></p><div><em>Doug Webster, PhD, is a Principal with TFC Consulting and is a recognized pioneer in federal ERM.&nbsp; He served as the CFO of the US Dept. of Labor in 2008 and was AFERM’s founding president in 2011. 
He has written books on ERM, including “Managing Risk and Performance: A Guide for Government Decision Makers” and “Value Based Management in Government”.&nbsp; He is a frequent speaker on ERM and Value Based Management.<br /></em><br /></div><p style="text-align: center;">&nbsp;</p><div>&nbsp;</div>]]></description>
<pubDate>Tue, 28 Oct 2025 15:58:00 GMT</pubDate>
</item>
<item>
<title>Looking back over 10 years of Enterprise Risk Management (ERM) </title>
<link>https://www.aferm.org/news/news.asp?id=707099</link>
<guid>https://www.aferm.org/news/news.asp?id=707099</guid>
<description><![CDATA[<p style="text-align: center;"><strong><span style="font-size: 20px;">By:&nbsp;Natalie K. Houghtby-Haddon, PhD<br />Executive Director, GW Center for Excellence in Public Leadership</span></strong></p>
<p style="text-align: left;"><span style="font-size: 18px;">My, how time flies when you’re having fun!&nbsp; I can’t believe that it has been 10 years since Doug Webster was introduced to me, coming to my office to talk about something called “Enterprise Risk Management,” and would the Center for Excellence in Public Leadership at GW (GW CEPL) be interested in developing a certificate program to teach people about this new thing that the federal government was going to be introducing over the next year.&nbsp; I’ll be honest—at first, I was skeptical, because it seemed either like a “Duh” concept—weren't organizations already talking to each other across organizational boundaries to ensure organizational success? And then it seemed like a “how in the world would we ever get people to see its value?” idea—way too much hassle to make it financially viable for the Center to create, market, and get it off the ground.&nbsp; Finally, however, it seemed like a, “but of course, everyone would want to know about and use ERM principles,” sort of idea—especially when the revised version of OMB Circular A-123 came out in July of 2016, encouraging federal agencies, among other things, to establish a risk register that took into account how specific risks were affecting multiple components of the same agency, potentially putting at risk the agency’s ability to achieve its mission and its strategic goals, and then to monitor and evaluate the effectiveness of the risk responses selected by the agency to manage its risks.&nbsp;</span></p>
<p style="text-align: left;"><span style="font-size: 18px;">Over the years, new ERM experts have come to work with CEPL—Tom Stanton and Nancy Potok, chief among them. We’ve tried different formats, developed customized and open enrollment programs, worked with hundreds of federal workers committed to doing their best to ensure their agency can achieve its mission critical goals, and assisted several agencies in working to create a “risk-aware culture” in which all employees see themselves as stewards of risk, no matter what position they hold. It has been a decade of exploration, of learning how different agencies have taken different paths to make it work for them, of AFERM growing and expanding its reach to support the ERM movement as people captured the vision of how ERM can really make a positive difference in organizations’ ability to prepare for the unforeseen—and seen—risks that threaten to derail their mission.&nbsp;<br /><br />We are living in a time when many of the things we had taken for granted about the way the federal government works have been upended, changed, and transformed into a landscape that is sometimes unrecognizable. It seems to me that ERM is needed even more now, even though the Office of Budget and Management has curtailed access to Circular A-123 on its website. 
In this moment, I am reminded of William Bridges’s work on leading organizational change.&nbsp; In his book, <em><a href="https://www.amazon.com/Managing-Transitions-25th-anniversary-Making/dp/0738219657/ref=sr_1_1?crid=PQ06HXNH8DXE&amp;dib=eyJ2IjoiMSJ9.MeQLTNd8qFT33I5mOQnVf3Rbhf2-zW9Oa6cAnoeKH0cfts_CdVax9EaSLVhtNCCnxrId-kPb2a0s0emCTvanL2WFKZb6eEncPSPvgwaS-d8IajhuwKs3tB9MqUAidCeZZyILTxq-HQzYvOTK_bC1JYtphNYJ1sBVi7s4gndw6mFpq_aMuo1H_wDS86_tCgstXX36AxVQqo3TwCw9RBq6JzJEEl9fJdvpH3_bGiq5ziI.CxbPF2AxlwOYdlAbHKmGqcgZ9Tc1L7cex3B5xaZuvBQ&amp;dib_tag=se&amp;keywords=managing+transitions&amp;qid=1753185080&amp;sprefix=managing+transitions%2Caps%2C157&amp;sr=8-1" target="_blank">Managing Transitions</a></em>, he reminds us that it&nbsp;isn’t the change that is the issue (the new boss, the new policy, the new organization structure)—it's the transition to accept the change that is the hard part—the human part—of engaging in organizational change. ERM can be a tool that helps us identify, assess, and respond to the unintended, unforeseen, unimagined consequences of the changes that are being put in place.&nbsp; How do our agencies continue to meet their mission when the workforce has been so drastically reduced?&nbsp; What if the mission has changed so dramatically that the remaining staff aren’t prepared or trained to act on that new mission? What if there is no more “Tone at the Top”—one of the critical leadership features of an effective risk culture? How do those of us “in the know,” so to speak, continue to persevere in the effort to engage in effective risk management at all levels, and across components of our organizations?</span></p>
    <p style="text-align: left;"><span style="font-size: 18px;"><img alt="" src="https://www.aferm.org/resource/resmgr/newsletter/2025/picture1.jpg" style="width: 286px; height: 280px; float: right; margin: 5px;" />Bridges suggests that there are three phases in the transition to accept the changes that occur around us.&nbsp; The first phase is Endings—the identification of what will stop being the old way of doing and being.&nbsp; The second phase is what Bridges calls the Neutral Zone, where things are in limbo—things that are ending aren’t fully ended, things that are beginning aren’t fully started yet. The third phase is the phase of New Beginnings, where the new ways of doing and being have been articulated and are starting to be implemented. The three phases are not particularly discrete—Endings may be still going on while New Beginnings are getting started, the Neutral Zone will most likely overlay both endings and beginnings.&nbsp; Bridges’s point is that, while all these things are taking place, leading to confusion, resistance, and loss, the Neutral Zone, in particular, can provide a space for imagination, creativity, and the possibility of establishing new ways of doing things that are even better than the old ways were.&nbsp;</span></p>
    <p style="text-align: left;"><span style="font-size: 18px;">Bridges includes helpful checklists to help manage the three phases of transition, which I highly recommend to you in these challenging times, as you lead your colleagues to focus on the mission and purpose of your organization.&nbsp; I also encourage you to pair his model of managing transitions with the tools of Enterprise Risk Management (see the inner box of “Risk Assessment” in the ISO 31000 model), especially the phases of identifying, analyzing, and evaluating risks that may arise due to the changes in the landscape.&nbsp; I also encourage you to make it a collaborative effort among your staff and colleagues, to help them find a measure of control and ownership in the midst of uncertainty and chaos.&nbsp;</span></p>
    <p style="text-align: left;"><span style="font-size: 18px;">As I look back on 10 years of Enterprise Risk Management, I am very grateful to the group of federal managers who got together to say, “this is something the federal government needs to do; this is something important to help us ensure that our agencies are managing the risks that threaten to prevent us from achieving our strategic objectives, the risks that could prevent us from achieving our organization’s mission in serving the American People.”&nbsp; Thank you to all those of you who planted the seeds and brought ERM to fruition, and for the work you do in bringing ERM not only to federal agencies, but also to state and local governments.&nbsp; The George Washington University Center for Excellence in Public Leadership is proud to have played a small part in helping to train and shape those who work in this important area of public service.&nbsp;</span></p>
    <p style="text-align: left;"><span style="font-size: 18px;">Dr. Natalie K. Houghtby-Haddon is the Executive Director of the George Washington University Center for Excellence in Public Leadership (GW CEPL), part of the GW College of Professional Studies. She continues to serve as the Faculty Director for CEPL’s Enterprise Risk Management in Government Certificate Program.&nbsp; She can be reached at: <a href="mailto:hsquared@gwu.edu">hsquared@gwu.edu</a>. Please stop by CEPL’s website to check out that program, and our 1-day ERM Mini Boot Camps: <a href="https://cepl.cps.gwu.edu/enterprise-risk-management-certification" target="_blank">Certificate Program in ERM for Government | The Center for Excellence in Public Leadership (CEPL) | The George Washington University.</a></span></p>]]></description>
<pubDate>Wed, 30 Jul 2025 14:45:00 GMT</pubDate>
</item>
<item>
<title>Now is not the time to be hollowing out Federal ERM Programs: Views from a CRO</title>
<link>https://www.aferm.org/news/news.asp?id=707096</link>
<guid>https://www.aferm.org/news/news.asp?id=707096</guid>
<description><![CDATA[<p style="text-align: center;"><span style="font-size: 20px;"><strong>Authored By:</strong>&nbsp;Tom Brandt,&nbsp;Director of Planning and Risk / Chief Risk Officer for the Federal Retirement Thrift Investment Board</span></p><p style="text-align: justify;">Friday, May 10, 2013, is a day that I’ll probably always remember. I had friends visiting from out of town, and the evening news was on in the background at my home as we were catching up. Hearing the word “IRS” from the newscaster, I turned my attention to the TV. Apparently, an IRS executive I had never heard of named Lois Lerner, while speaking at a meeting of the American Bar Association in New York City earlier that day, had issued an apology for the “mishandling of applications from conservative groups for tax exempt status.” <span>&nbsp;</span>I think my mouth was agape as I listened. Given the political climate at the time, which was during the height of the “Tea-Party” movement, I turned to my friends and said that this revelation was going to be very, very bad for the IRS. <span>&nbsp;</span>And it turned out that this revelation indeed did become very, very bad for the IRS. </p> <p style="text-align: justify;">In the wake of this disclosure, a firestorm engulfed the IRS. Top level leadership was removed or reassigned, including the acting IRS Commissioner. An OMB official named Danny Werfel was tasked by the President and the Secretary of the Treasury with taking the helm. He was given two primary charges: 1) figure out what happened and how it happened, and 2) identify and implement changes to make sure something like this didn’t happen again. <span>&nbsp;</span>To deliver on these charges, one of Mr. Werfel’s first actions after arriving at 1111 Constitution Avenue NW, the IRS’ Headquarters, was to undertake a 30-day review. 
</p> <p style="text-align: justify;">In late June, he detailed the results of that 30-day review in a report, “<a href="https://www.irs.gov/pub/newsroom/Initial Assessment and Plan of Action.pdf" target="_blank">Charting a Path Forward at the IRS: Initial Assessment and Plan of Action</a>.”<span></span></p><p style="text-align: justify;"><span>&nbsp;</span>Here were some key findings and recommendations from that report: </p> <p style="text-align: justify;"><em>“The IRS Commissioner's Office and other leaders across the organization do not always have sufficient knowledge of emerging operational risks among the various IRS business units. This fact limits the ability of senior IRS leaders and managers to identify and help manage organizational risks and stifles the timely flow of such information to external stakeholders.</em></p> <p style="text-align: justify;"><em>We will establish an Enterprise Risk Management Program to provide a common framework for capturing, reporting, and addressing risk areas across IRS. This is intended to improve the timeliness by which such information is brought to the attention of the Commissioner and other IRS leaders, as well as external stakeholders.</em></p> <p style="text-align: justify;"><em>Large and complex organizations such as the IRS are always under threat of risks – large and small, strategic and tactical – presenting the potential to dramatically affect performance in both mission delivery and operational support. The recent failures that occurred with respect to applications for tax exempt status highlight the need to evaluate how risks are identified, prioritized, evaluated, and mitigated across the IRS enterprise. 
</em></p> <p style="text-align: justify;"><em>A robust Enterprise Risk Management (ERM) Program is being established that will: </em></p> <ul style="list-style-type: disc;"><li><em>Provide clear lines of sight into key risks and related controls; </em></li><li><em>Determine what risk areas could negatively affect the IRS’s ability to carry out our mission; </em></li><li><em>Identify resources, processes, policies, and procedures needed to proactively manage risk; </em></li><li><em>Create awareness and leverage any existing risk management infrastructure in the operating units; </em></li><li><em>Provide a coordinated and common framework for capturing and reporting risk information; and </em></li><li><em>Share risk mitigation practices across the IRS.</em></li></ul> <p style="text-align: justify;"><em>The goal of the ERM program is not to achieve zero risks. Rather, the objective is to have a program in place that can properly identify and assess risks and provide senior management the information necessary to make sound decisions, with risk being one of the core elements of the decision-making framework.</em></p> <p style="text-align: justify;"><em>Finally, it is important to note that risk management cannot be an isolated function. It requires a seat at the table with the most senior executives in the organization, where enterprise-level risks can be identified, assigned for action, and monitored for success or further mitigation. 
</em></p> <p style="text-align: justify;"><em>The IRS Chief Risk Officer will be responsible for implementing such a program but will do so in collaboration with the business owners in order to yield the kind of results that will bring transparency to critical organizational risks and provide the opportunity to mitigate them long before they have negative impacts on the IRS.”</em></p> <p style="text-align: justify;">The IRS followed these recommendations and in the twelve years since this report was issued built a comprehensive ERM program that enabled the timely flow of information about critical risks throughout the organization, facilitated more risk-informed decision-making, managed and mitigated risks in a collaborative manner with risk owners, and developed risk professionals who served as strategic advisors to leadership and management on risk-related matters. </p> <p style="text-align: justify;">The IRS designed its ERM program so that it would have a seat at the table, would inform decision-making, and would add value for the organization. Those attributes were essential ingredients that ensured the IRS’s ERM program didn’t become just a producer of risk lists.</p> <p style="text-align: justify;">In recognition of its accomplishments in establishing a mature and integrated ERM capability, the IRS received the RIMS ERM Global Award of Distinction in 2021 and the AFERM ERM Luminary Award in 2023 – awards whose primary criterion was an assessment of the value and positive outcomes demonstrated and achieved for an organization through its ERM program.</p> <p style="text-align: justify;">Today, a reevaluation of ERM is taking place in many agencies, including the IRS, where memories of the crisis that engulfed the organization in 2013 have seemingly faded away. 
Even OMB, which set out the requirements for all federal agencies to practice ERM in its 2016 update to Circular A-123, is apparently considering a rewrite that would largely do away with the “enterprise” consideration of risk.</p> <p style="text-align: justify;">There really couldn’t be a worse time to consider de-emphasizing ERM, especially if we don’t want to repeat the mistakes of the past. Given the major changes that are happening across the government, including wide-scale staffing reductions, reorganizations, program overhauls, and more, the risk landscape facing most federal agencies is becoming markedly more hazardous, and the potential for major risk events is growing, not diminishing. </p> <p style="text-align: justify;">To avoid spurring a new round of crises in this current environment, agency leadership should be leveraging their ERM teams to help them navigate through these changes, provide insight into what could go wrong, as well as what must go right, and inform decision-making so that the likelihood and/or impact of potential risk events can be minimized. </p> <p style="text-align: justify;">However, not all agency ERM programs are positioned and resourced to deliver this type of support. Some have not been equipped or enabled to do more than deliver risk lists, which has then led to questions about the value of maintaining an ERM capability. The risks we face today require stronger and more effective ERM capabilities across government. And for those wondering how to go about doing that, the advice in Danny Werfel’s 30-day report from June 2013 about how to set up an ERM program might be a good place to start. Absent acting on that advice, we might start seeing a whole new batch of 30-day reports in the not-too-distant future. </p> <p style="text-align: justify;"><i>Tom Brandt was the Chief Risk Officer at the IRS from 2014-2021. 
He currently serves as the Director of Planning and Risk / Chief Risk Officer for the Federal Retirement Thrift Investment Board. The views in this article are expressed in his own personal capacity. </i></p>]]></description>
<pubDate>Wed, 30 Jul 2025 14:30:00 GMT</pubDate>
</item>
<item>
<title>Enhancing Fraud Detection in Federal Financial Systems through AI and Machine Learning</title>
<link>https://www.aferm.org/news/news.asp?id=692520</link>
<guid>https://www.aferm.org/news/news.asp?id=692520</guid>
<description><![CDATA[<p style="text-align: center;"><strong>Authored By:</strong> Timothy M. Hanlon, CPA, CISA, CIA, CGFM, CRMA, PMP, MBA, CGMA</p><p>
<strong>Short Bio:</strong> Timothy Hanlon is a Doctor of Business Administration (DBA) student specializing in Business Intelligence at Marymount University. His research focuses on enhancing fraud detection by integrating financial data and unstructured non-financial data, refining methodologies through the lens of artificial intelligence (AI). As an experienced CPA, CISA, and internal auditor, he has an extensive background in reviewing both manual and automated internal financial controls. While his expertise in fraud and AI is rooted in his ongoing dissertation, he brings an understanding of enterprise risk management and regulatory compliance frameworks to the evolving discussion on fraud detection in federal financial systems.</p><p><strong>Abstract</strong></p><p>The complexity of modern financial fraud presents a critical challenge to traditional detection methods in federal and government agencies. As enterprise risk management (ERM) frameworks evolve to address emerging risks, artificial intelligence (AI) and machine learning (ML) offer transformative solutions for strengthening fraud detection and reducing vulnerabilities. This article explores how advanced AI-driven methods, particularly bio-inspired algorithms and explainable AI (XAI), enhance the ability of federal agencies to detect fraud in real time, drawing insights from both financial and non-financial data sources. Recommendations are provided for integrating these technologies within a structured ERM approach.
</p><p><strong>Introduction</strong></p><p>
Federal and government agencies face unique challenges in managing fraud risk within their financial systems. Traditional fraud detection techniques (e.g., the Benford’s Law digit-frequency test for financial data<sup>i</sup>), while foundational, often struggle to address the scale and sophistication of financial crimes targeting government funds<sup>ii</sup>. This gap not only creates financial exposure but also threatens the integrity of, and public trust in, government operations.

AI, particularly ML and bio-inspired algorithms, offers promising enhancements to federal ERM programs by automating the detection of irregular patterns, analyzing complex data sources, and reducing human error. When integrated into a well-structured ERM framework, AI-driven fraud detection can support agencies in proactively managing financial risks and maintaining compliance with stringent regulatory standards.<sup>iii</sup></p><p><strong>The Role of AI and Machine Learning in Government ERM</strong></p><p>AI-powered tools provide the agility needed to address the rapid evolution of fraud tactics in federal systems. By using ML to analyze extensive datasets, federal agencies can move beyond traditional rule-based methods to detect fraud patterns as they emerge. This capability is particularly beneficial for agencies managing large, complex financial programs where fraud risks may be difficult to monitor using conventional methods alone.</p><p><em>Machine Learning and Real-Time Data Analysis</em>: ML enables the continuous analysis of large datasets, uncovering patterns that signal fraud with greater accuracy and speed. For instance, ML systems can analyze procurement data, disbursement records, and other transaction streams to flag anomalies indicative of fraud, supporting ERM objectives by reducing reaction times.<sup>iv</sup> An anomaly flag is a lead for investigation rather than a finding, so agencies should track false-positive rates and analyst dispositions to keep the alert stream actionable.</p><p><em>Bio-Inspired Algorithms for Complexity</em>: Bio-inspired algorithms—computational methods modeled on natural processes such as neural signaling and evolutionary selection—offer unique advantages for fraud detection in high-complexity environments, such as federal contracting and grant programs. These algorithms can adapt to identify subtle patterns of fraud across vast and diverse data, thereby enhancing the resilience of federal ERM systems against increasingly sophisticated threats. Examples include genetic algorithms (based on natural selection), swarm intelligence (inspired by social insects), and neural networks (inspired by the brain), all of which are widely used to solve complex optimization problems.<sup>iv</sup></p><p><em>Explainable AI (XAI) for Transparency and Compliance</em>: Explainable AI frameworks are critical for ensuring that AI-driven fraud detection systems remain transparent and justifiable—key factors in a regulatory environment. XAI allows agency stakeholders to understand and validate the decision-making process, ensuring AI models align with ethical, legal, and procedural standards essential for public trust.<sup>vi</sup></p><p>
XAI refers to methods and techniques designed to make the decision-making processes of complex AI models, especially deep learning systems, more transparent and understandable. It offers explanations that reveal why a model made a particular decision for a given input. XAI methodologies such as SHapley Additive exPlanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME) are commonly used to elucidate the contributions of individual features to a model's predictions, offering insights into the model’s logic even where the underlying model behaves as a 'black box.' This transparency is essential for validating the trustworthiness and reliability of AI models, particularly in sensitive applications.<sup>vii</sup> An explanation describes what the model did with a given input, not whether the resulting flag is correct; it is an input to analyst review and model validation, not a substitute for either.</p><p><strong>Implementation Challenges in Federal Agencies</strong></p><p>
While AI-driven solutions offer significant benefits, federal agencies face implementation challenges that may limit their effectiveness in fraud detection within ERM frameworks. Key issues include:
</p><p><em>Data Quality and Governance</em>: Ensuring data quality is essential for accurate AI outcomes. Incomplete, inaccurate, or unstructured data can compromise the performance of AI models. Establishing robust data governance processes is critical to ensure data integrity within federal systems.<sup>viii</sup></p><p><em>Skill Gaps and Infrastructure Needs</em>: The specialized knowledge required to implement and maintain AI-based fraud detection systems is often scarce in government settings. Investing in skill development and technical infrastructure is essential for agencies to fully leverage AI capabilities in fraud detection. <sup>ix,x</sup></p><p><em>Bias and Fairness Concerns</em>: AI models, if not properly managed, may introduce biases that affect fraud detection outcomes. This is particularly relevant for government agencies, where decisions must be unbiased and equitable. Explainable AI and regular audits of AI systems are recommended to mitigate these risks and align with ERM objectives.<sup>v</sup></p><p><strong>Recommendations for Federal ERM Programs</strong></p><p>
To strengthen fraud detection within ERM frameworks, federal agencies should consider the following actions: </p><p><em>Strengthen Data Governance for Quality Assurance</em>: Establishing data governance policies that ensure high-quality, relevant, and consistent data is foundational for effective AI-driven fraud detection. Data governance also supports regulatory compliance by improving traceability and accuracy.<sup>xi</sup></p><p><em>Leverage Non-Financial Data Sources for Comprehensive Risk Insight</em>: To capture a broader picture of potential fraud risks, agencies should incorporate non-financial data sources, such as internal reports, public records, and sentiment analysis from social media. This holistic approach aligns with ERM goals by improving detection accuracy and enhancing overall risk management capabilities.<sup>xii</sup></p><p><em>Adopt a Hybrid Approach</em>: Federal agencies can benefit from combining traditional fraud detection methods with advanced AI tools. This dual approach offers resilience by allowing agencies to address both established and emerging fraud patterns, a key consideration for robust ERM frameworks.<sup>xiii</sup> The hybrid approach not only combines traditional methods and advanced AI tools but also serves as a transitional strategy. It allows agencies to incrementally incorporate sophisticated AI techniques while gradually addressing skill and infrastructure challenges.</p><p><em>Invest in Skill Development and Infrastructure</em>: Dedicate resources to skill development and infrastructure investment so that agencies may fully implement advanced AI-driven fraud detection systems.<sup>xiv</sup></p><p><em>Implement Explainable AI (XAI) to Enhance Transparency</em>: Explainable AI frameworks ensure that AI-driven decisions are interpretable and traceable, meeting regulatory demands and promoting accountability. 
This alignment with ERM principles supports stakeholder confidence and regulatory compliance across government financial systems.<sup>v</sup> As governments and regulatory authorities work to establish guidelines and regulations surrounding AI, transparency and accountability become essential. Explainable AI (XAI) facilitates regulatory compliance by ensuring that AI systems operate within ethical frameworks and adhere to legal standards.<sup>xv</sup></p><p><strong>Conclusion</strong></p><p>
Integrating AI-driven solutions into federal ERM programs can significantly enhance fraud detection and prevention capabilities. Traditional detection methods remain important but are limited in scope and adaptability. By leveraging machine learning, bio-inspired algorithms, and XAI, federal agencies can build more resilient, transparent, and effective fraud detection systems. This evolution in fraud detection supports broader ERM goals, ensuring agencies are equipped to manage financial risks proactively and maintain public trust in an increasingly complex digital environment.</p><hr /><p>
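The screen below is an added example and not code from the article or its author. It pairs the Benford's Law digit test that the introduction names (a batch-level, traditional control) with a small transaction-level risk score and an exact Shapley attribution of the kind SHAP approximates, which is the hybrid approach recommended above in working form. The payment batches, the four transaction features (amount, vendor age, same-day payment count, manual override), the $10,000 approval threshold and the scoring weights are all constructed assumptions, not any agency's data or a trained model.

```python
"""Added example, not from the article: a hybrid fraud screen pairing the
traditional Benford's-law first-digit test (batch level) with a small risk
score and an exact Shapley explanation (transaction level), the quantity SHAP
approximates.  Batches, features and weights are constructed assumptions,
not any agency's data or a trained model."""
import math
from collections import Counter
from itertools import combinations
from typing import Callable, Dict, Iterable, List, Tuple

# Benford's law: P(first digit = d) = log10(1 + 1/d) for d = 1..9.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_05 = 15.507  # chi-square critical value, 8 df, alpha = 0.05
Transaction = Dict[str, float]


def first_digit(amount: float) -> int:
    """Leading non-zero digit of a positive amount (0.045 -> 4, 1234.5 -> 1)."""
    if amount <= 0:
        raise ValueError("Benford screening applies to positive amounts only")
    return int(f"{amount:.10f}".lstrip("0.")[0])


def benford_chi_square(amounts: Iterable[float]) -> Dict[str, object]:
    """Chi-square fit of observed first digits against Benford's law; 'deviates'
    is the batch-level alarm at alpha = 0.05."""
    observed = Counter(first_digit(a) for a in amounts)
    n = sum(observed.values())
    stat = sum((observed.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    return {"n": n, "chi2": round(stat, 3), "deviates": stat > CHI2_CRIT_8DF_05}


# Constructed batches: the clean one is log-uniform over three decades, hence
# Benford-distributed by construction; the suspect one adds 60 payments held
# just under a $10,000 approval threshold, the classic purchase-splitting pattern.
CLEAN_BATCH: List[float] = [round(3 * 10 ** (k / 50), 2) for k in range(150)]
SUSPECT_BATCH: List[float] = CLEAN_BATCH[:60] + [9200.0 + 13 * i for i in range(60)]


def fraud_score(x: Transaction) -> float:
    """Illustrative risk score in (0, 1); weights are assumptions, not a trained
    model.  The interaction term (new vendor paid in several just-under-threshold
    pieces) is what makes the per-feature attribution non-trivial."""
    near_threshold = 1.0 if 9000 <= x["amount"] < 10000 else 0.0
    new_vendor = 1.0 if x["vendor_age_days"] < 90 else 0.0
    splits = min(x["same_day_payments"], 5) / 5
    z = (-3.0 + 1.2 * near_threshold + 0.8 * new_vendor + 1.5 * splits
         + 2.0 * near_threshold * new_vendor * splits + 1.0 * x["manual_override"])
    return 1 / (1 + math.exp(-z))


def shapley_values(model: Callable[[Transaction], float],
                   x: Transaction, baseline: Transaction) -> Dict[str, float]:
    """Exact Shapley attribution of model(x) - model(baseline) per feature.
    A coalition keeps x's values for its members and baseline values elsewhere;
    each feature's marginal gain is averaged over all orderings (2^n coalitions)."""
    features = list(x)
    n = len(features)

    def value(coalition: Tuple[str, ...]) -> float:
        mixed = {f: (x[f] if f in coalition else baseline[f]) for f in features}
        return model(mixed)

    phi: Dict[str, float] = {}
    for f in features:
        others = [g for g in features if g != f]
        phi[f] = 0.0
        for k in range(n):
            weight = math.factorial(k) * math.factorial(n - k - 1) / math.factorial(n)
            for s in combinations(others, k):
                phi[f] += weight * (value(s + (f,)) - value(s))
    return phi


BASELINE: Transaction = {"amount": 2500.0, "vendor_age_days": 1200,
                         "same_day_payments": 1, "manual_override": 0}
FLAGGED: Transaction = {"amount": 9850.0, "vendor_age_days": 20,
                        "same_day_payments": 4, "manual_override": 1}


def explain(x: Transaction, baseline: Transaction = BASELINE) -> List[Tuple[str, float]]:
    """Features ranked by how much each pushed the score above the baseline."""
    phi = shapley_values(fraud_score, x, baseline)
    return sorted(((f, round(v, 4)) for f, v in phi.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("suspect", SUSPECT_BATCH)):
        print(name, benford_chi_square(batch))
    print("score", round(fraud_score(FLAGGED), 4), "baseline", round(fraud_score(BASELINE), 4))
    for feature, contribution in explain(FLAGGED):
        print(f"  {feature:<18} {contribution:+.4f}")
```

Running the file prints the chi-square result for both batches and the ranked feature contributions for the flagged payment. The Benford test is a population-level screen: it says that a batch of payments is unlikely to have arisen naturally, not which payment is the problem, which is why it is paired with a transaction-level score and an explanation of that score. The explanation ranks features by their Shapley value, whose sum equals the score lift over the baseline transaction; exact enumeration is feasible only for a handful of features, and that is the gap SHAP's sampling estimators fill.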

<strong>References</strong></p><p>

<sup>i</sup> von Eschenbach, W. J. (2021). Transparency and the Black Box Problem: Why We Do Not Trust AI. <em>Philosophy &amp; Technology, 34</em>, 1607–1622. <a href="https://doi.org/10.1007/s13347-021-00477-0">https://doi.org/10.1007/s13347-021-00477-0</a></p><p><sup>ii</sup> PricewaterhouseCoopers. (2024). <em>Global economic crime survey</em>. Retrieved from <a href="https://www.pwc.com/gx/en/services/forensics/economic-crime-survey.html">https://www.pwc.com/gx/en/services/forensics/economic-crime-survey.html</a></p><p><sup>iii</sup> Almaqtari, F. A. (2024). The role of IT governance in the integration of AI in accounting and auditing operations. <em>Economies, 12</em>(199), 1-24. <a href="https://doi.org/10.3390/economies12080199">https://doi.org/10.3390/economies12080199</a></p><p><sup>iv</sup> Ikemefuna, C. D., Okusi, O., Iwuh, A. C., &amp; Yusuf, S. (2024). Adaptive Fraud Detection Systems: Using Machine Learning to Identify and Respond to Evolving Financial Threats. <em>International Research Journal of Modernization in Engineering, Technology, and Science,</em> 6(9), 2077-2092. Retrieved from <a href="https://www.researchgate.net/publication/384319231_Adaptive_Fraud_Detection_SystemsUsing_Machine_Learning_To_Identify_and_Respond_To_Evolving_Financial_Threat">https://www.researchgate.net/publication/384319231_Adaptive_Fraud_Detection_SystemsUsing_Machine_Learning_To_Identify_and_Respond_To_Evolving_Financial_Threat</a></p><p><sup>v</sup> Pham, T. H., &amp; Raahemi, B. (2023). Bio-Inspired Feature Selection Algorithms With Their Applications: A Systematic Literature Review. <em>IEEE Access</em>. <a href="https://doi.org/10.1109/ACCESS.2023.3272556">https://doi.org/10.1109/ACCESS.2023.3272556</a></p><p><sup>vi</sup> Okenwa, C., Damilola, O., Orelaja, A., &amp; Akinwande, O. T. (2024). Exploring the Role of Explainable AI in Compliance Models for Fraud Prevention. 
<em>International Journal of Latest Technology in Engineering, Management &amp; Applied Science</em>, 13(5), 232-235. <a href="https://doi.org/10.51583/IJLTEMAS.2024.130524">https://doi.org/10.51583/IJLTEMAS.2024.130524</a></p><p><sup>vii</sup> Papadakis, T., Christou, I. T., Ipektsidis, C., Soldatos, J., &amp; Amicone, A. (2024). Explainable and transparent artificial intelligence for public policymaking. <em>Data &amp; Policy</em>, <em>6</em>, e10. <a href="https://doi.org/10.1017/dap.2024.3">https://doi.org/10.1017/dap.2024.3</a></p><p><sup>viii</sup> Almaqtari, F. A. (2024). The role of IT governance in the integration of AI in accounting and auditing operations. <em>Economies, 12</em>(199), 1-24. <a href="https://doi.org/10.3390/economies12080199">https://doi.org/10.3390/economies12080199</a></p><p><sup>ix</sup> Nassar, A., &amp; Kamal, M. (2021). Machine Learning and Big Data Analytics for Cybersecurity Threat Detection: A Holistic Review of Techniques and Case Studies. <em>Journal of Artificial Intelligence and Machine Learning in Management</em>, <em>5</em>(1), 51–63. Retrieved from <a href="https://journals.sagescience.org/index.php/jamm/article/view/97">https://journals.sagescience.org/index.php/jamm/article/view/97</a></p><p><sup>x</sup> Nassar, A., &amp; Kamal, M. (2021). Ethical Dilemmas in AI-Powered Decision-Making: A Deep Dive into Big Data-Driven Ethical Considerations. <em>International Journal of Responsible Artificial Intelligence</em>, <em>11</em>(8), 1–11. Retrieved from <a href="https://neuralslate.com/index.php/Journal-of-Responsible-AI/article/view/43">https://neuralslate.com/index.php/Journal-of-Responsible-AI/article/view/43</a></p><p><sup>xi</sup> Almaqtari, F. A. (2024). The role of IT governance in the integration of AI in accounting and auditing operations. <em>Economies, 12</em>(199), 1-24. 
<a href="https://doi.org/10.3390/economies12080199">https://doi.org/10.3390/economies12080199</a></p><p><sup>xii</sup> Soltani, M., Kythreotis, A., &amp; Roshanpoor, A. (2023). Two decades of financial statement fraud detection literature review; combination of bibliometric analysis and topic modeling approach. Journal of Financial Crime, 30(5), 1367-1388. <a href="https://www.emerald.com/insight/content/doi/10.1108/jfc-09-2022-0227/full/html">https://www.emerald.com/insight/content/doi/10.1108/jfc-09-2022-0227/full/html</a></p><p><sup>xiii</sup> Li, H., Gao, H., Wu, C., &amp; Vasarhelyi, M. A. (2024). Extracting Financial Data from Unstructured Sources: Leveraging Large Language Models. <em>Journal of Financial Data Science</em> <a href="https://doi.org/10.2308/ISYS-2023-047">https://doi.org/10.2308/ISYS-2023-047</a></p><p><sup>xiv</sup> Gadekallu, T. R., Maddikunta, P. K. R., Boopathy, P., Deepa, N., Chengoden, R., Victor, N., ... &amp; Dev, K. (2024). XAI for Industry 5.0-Concepts, Opportunities, Challenges and Future Directions. <em>IEEE Open Journal of the Communications Society</em>. <a href="https://doi.org/10.1109/OJCOMS.2024.3473891">https://doi.org/10.1109/OJCOMS.2024.3473891</a></p><p><sup>xv</sup> Pankaj Dixit. (2023). Assessing Methods to Make AI Systems More Transparent through Explainable AI (XAI). International Journal of Multidisciplinary Innovation and Research Methodology, ISSN: 2960-2068, 2(4), 59–66. Retrieved from <a href="https://ijmirm.com/index.php/ijmirm/article/view/48">https://ijmirm.com/index.php/ijmirm/article/view/48</a></p>]]></description>
<pubDate>Thu, 30 Jan 2025 21:58:00 GMT</pubDate>
</item>
<item>
<title>AI for Financial Management. Are you ready?</title>
<link>https://www.aferm.org/news/news.asp?id=692518</link>
<guid>https://www.aferm.org/news/news.asp?id=692518</guid>
<description><![CDATA[<p style="text-align: center;"><strong>By Paul Faust, Workiva</strong></p><p>It’s no secret that artificial intelligence is making its way into nearly every industry, ushering in transformative change and disrupting the status quo. Financial management is no exception. When we think about financial management, our images often harken back to the old days, when green eyeshades, pencils and spreadsheets dominated the landscape. Those rudimentary tools have given way to more modern technologies that have enabled accountants and other financial managers to work more efficiently, reviewing, analyzing and working with increasing volumes of data in near-real-time. As we look ahead to the not-so-distant future, it’s easy to see how these evolutions are about to take a backseat to a new wave of powerful technologies driven by modern artificial intelligence (AI) and machine learning (ML) that, when fully developed, will likely revolutionize financial management reporting and transparency.</p><p>Today’s developing AI and ML technologies are enablers of change, increasing speed and capacity, reducing (if not eliminating) manual errors, automating and simplifying what have traditionally been complex processes, and improving data accuracy, among many other benefits. Imagine a world where complex financial information can be simplified, personalized and customized in a manner that is digestible by non-financial professionals. In the context of the government, think about being able to generate, in real-time, financial reports for targeted audiences – a mayor, a member of congress, or even an interested citizen who just wants to better understand how their tax dollars are being spent, at the touch of a button. 
By now we’ve all explored generative AI tools like ChatGPT, and in some cases maybe we’ve even applied them to our businesses, and it’s that same concept that can be used in financial reporting that stands to bring real change in the near future.</p><p>Late last year, Congress included directive language in the final version of the FY2025 National Defense Authorization Act (NDAA) that aims to take advantage of AI and ML technologies in the context of the Department of Defense annual financial audit. That language, for all intents and purposes, directs the Secretary of Defense, working with other DOD officials including the Chief Data and AI Officer (CDAO), the Office of the Inspector General, as well as the heads of the military departments, to explore the use of AI and ML in the preparation of the department’s financial statements, an area where the department has historically struggled. The expectation, although not explicitly stated in the legislation, is that Congress believes the use of these technologies could remedy at least some of the issues related to DOD’s financial audit, helping the department get closer to a clean financial audit opinion. If AI and ML are ready for prime time at DOD, the rest of the federal government should be ready to go too.</p><p>Beyond financial reporting transparency, the use of AI and ML in related areas including risk assessment, compliance, customer service and reduction of waste, fraud and abuse holds similar promise. In the risk assessment and fraud reduction space, AI and ML can help add significant capacity to what are traditionally strained organizations by using technology – rather than manual processes – to mine through volumes of data, identifying risks and flagging trouble spots before fraud occurs. What used to take days or weeks can now be done in minutes, making what was inefficient radically efficient. 
Further, having these types of technologies in place, many of which can be run continuously in the background, frees up auditors and risk managers to focus on more strategic work, while improving the speed of any financial organization.</p><p>As we look ahead to the next 18 months, it’s critical that the US government lean into – rather than shy away from – AI and ML technologies, bringing innovation to areas that are traditionally more risk averse. As we do so, we can only hope that adding these emerging technologies to the government financial management toolbox finds its way to the top of the priority list.</p><hr /><p><strong>Paul Faust</strong> is a seasoned leader with over 25 years of experience in the technology and SaaS industries, specializing in serving public sector and education organizations. As Vice President of Sales at Workiva, Paul’s team focuses on delivering cutting-edge financial reporting and compliance solutions that streamline processes and ensure transparency and accountability. By partnering with Federal, State, Local, and Education institutions, as well as nonprofit healthcare organizations, Paul helps these organizations enhance trust and efficiency in their reporting, empowering them to meet their unique challenges with confidence.</p>]]></description>
<pubDate>Thu, 30 Jan 2025 21:54:00 GMT</pubDate>
</item>
<item>
<title>Embedding ERM in Federal Agencies’ Capital Budgeting to Strengthen Organizational Agility</title>
<link>https://www.aferm.org/news/news.asp?id=687807</link>
<guid>https://www.aferm.org/news/news.asp?id=687807</guid>
<description><![CDATA[<p><strong>By Vlad Antikarov, Verea Group LLC</strong></p><p><em>This is a reprint of the original article, which was initially featured in the March 2022 AFERM newsletter</em></p><p>Over the last few years, it has become clear that federal agencies are operating, and will continue to operate, in a more turbulent and unpredictable environment. The COVID pandemic, the internal and international political tensions, and climate change are only some of the risk factors that are likely to sustain this turbulence. In this new environment, investing in organizational resilience, so that agencies can meet their objectives under a wide range of risk scenarios, should become a key priority for their budgeting processes.</p><p>It has been a long-stated maturity objective of the ERM function to embed risk management principles in key decision processes. The growing resilience-building requirements for federal agencies will provide the challenge and the opportunity for ERM professionals to engage with their finance colleagues and their agencies’ leadership to improve the current capital budgeting decision processes and enable the more rigorous assessment and approval of resilience-building projects.</p><h3>Reactive Resilience vs. Proactive Resilience</h3><p>Every organization has some level of resilience where it responds to a particular risk by absorbing and overcoming its negative impacts. 
The unfolding of the COVID pandemic underscored the difference between:</p><ul><li>Reactive Resilience, where the organization starts to develop a response, mobilize resources, and deploy required capabilities only when the threat emerges.</li><li>Proactive Resilience, where, by pre-planning responses and pre-positioning contingent capabilities, the organization can take prompt, effective, and efficient actions to mitigate the threat.</li></ul><p>Only by building up proactive resilience will federal agencies be able to sustain mission-critical operations while coping with a range of possible risk impacts.</p><h3>Optimizing and Justifying Investments in Contingent Capabilities</h3><p>Federal agencies, through the capital budgeting process, build up and maintain a wide range of operational capabilities enabling them to meet their objectives under the regular course of business conditions. However, under certain risk scenarios they need additional contingent capabilities to enable their effective response and resilient operations. The pre-investing and pre-positioning of the necessary contingent capabilities is a critical element of building and maintaining proactive resilience.</p><p>At federal agencies, investments are assessed with Benefit-Cost Analysis comparing their long-term benefits with incremental costs<sup>1</sup>. Projects whose benefits exceed their costs (a benefit-cost ratio greater than one) are approved for financing and implementation. The challenge of investing in contingent capabilities is that while their up-front costs are predictable, their long-term benefits are uncertain. A good example is the requirement for federal agencies to invest in climate change resilience and adaptation capabilities<sup>2</sup>. 
Because the climate in the short-term is highly uncertain, the timing and the size of the expected benefits from climate risk mitigation investments are uncertain as well and hard to assess with traditional benefit-cost analysis.</p><p>In recent years, there have been some innovations based on the insight that contingent capabilities provide organizations with different “options” to respond to risks if they occur. These options can be properly valued by option pricing methodologies used in financial markets. This area of finance is called Real Options Analysis (ROA)<sup>3</sup> and is a well-established field of research and practice. Foreign governments, particularly the UK Government, have been using Real Options Analysis in multiple areas such as energy investments and climate adaptation<sup>4</sup>. U.S. federal agencies also can benefit from the application of this innovative best practice to their budgeting decision processes.</p><h3>Net Present Value (NPV) vs Agility Adjusted Net Present Value (AANPV)</h3><p>Under normal circumstances, a project would require certain investments and provide certain benefits all reflected in a base case scenario. If risk events are to occur the performance of the project would deteriorate and it could require extra costs or deliver lower benefits. This possibility can be described with a stress test risk scenario.</p><p>An additional resilience-building mitigation project would require additional funding but would improve the stress test scenario by reducing the likely losses. 
For example, building and maintaining a storage facility with emergency supplies for a hospital would require an initial investment and ongoing costs but would provide great benefits under emergency shortages scenarios.</p><p>Current Net Present Value-based cost-benefit methodologies like the Benefit-Cost Analysis mentioned above, evaluate only the base scenario and do not incorporate the potential improvements in the stress test scenario of a project.</p><p>Agility Adjusted Net Present Value is an improved cost-benefit methodology that enables the correct valuation of resilience-building projects. In addition to the base case scenario, it incorporates the stress test scenario and an upside potential scenario. The total Agility Adjusted Net Present Value of the project is equal to the value of its baseline performance minus the value of downside risk plus the value of upside potential<sup>5</sup>.</p><p>An additional resilience-building project, while reducing the baseline value with the extra cost requirements would also reduce the negative value of the downside risk scenarios. As a result, the total AANPV of the resilience-building project could be positive and its funding could be justified.</p><h3>Quantifying the Strengths and Weaknesses, Opportunities and Threats (SWOT) Analysis with AANPV</h3><p>The SWOT analysis has been the standard approach for assessing operations and projects. The Strengths and Weaknesses of a project determine its projected future results reflected in the base case scenario and plans. The uncertainty around the actual results of the project is reflected in the Opportunities and Threats analysis. Opportunities represent likely positive developments that would enable the achievement of results higher than the base case projections. Analogously, the threats analysis captures the likelihood and negative potential impact of future risks on the base case expected results. 
Currently, the Opportunities and Threats analysis is part of a project’s assessment, but their specific valuation impacts are not incorporated into the Benefit-Cost Analysis. With the use of AANPV the whole SWOT analysis can be quantified and included in the final benefit-cost ratio.</p><h3>Key Benefits of Incorporating the AANPV into the Federal Benefit-Cost Analysis</h3><p>By correctly evaluating resilience-building projects, AANPV can become a critical tool in achieving the following key objectives:</p><ul><li>Motivate and empower agency leaders to develop and implement resilience and adaptation projects consistent with their fiduciary duties.</li><li>Optimize project design to achieve long-term proactive resilience and adaptability at minimum cost to the taxpayer.</li><li>Achieve additional benefits to the consumers of government services by increasing their availability and reliability at critical moments of unfolding risks.</li></ul><p>By strengthening their proactive resilience, federal agencies will successfully overcome their present and forthcoming challenges and meet their objectives in serving the American people.</p><p><sup>1</sup> Circular A-4, Office of Management and Budget 2003<br /><sup>2</sup> Executive Order on Tackling the Climate Crisis at Home and Abroad, White House, January 2021<br /><sup>3</sup> Real Options: A Practitioner’s Guide, Tom Copeland and Vladimir Antikarov, 2003<br /><sup>4</sup> Real Options and Investment Decision Making, The Office of Gas and Electricity Markets (Ofgem), UK 2012.<br />Accounting for the Effects of Climate Change, Department for Environment Food and Rural Affairs (Defra), UK 2009<br /><sup>5</sup> Both the values of the downside risk and upside potential scenarios of the project are correctly valued using Real Options Analysis. (Real Options: A Practitioner’s Guide – Tom Copeland and Vladimir Antikarov, 2003)</p>]]></description>
<pubDate>Thu, 31 Oct 2024 12:14:00 GMT</pubDate>
</item>
<item>
<title>Essential Qualities of a Change Leader</title>
<link>https://www.aferm.org/news/news.asp?id=687808</link>
<guid>https://www.aferm.org/news/news.asp?id=687808</guid>
<description><![CDATA[<p><strong>by Daniella Datskovska, Director, Compliance and Legal at Pew Charitable Trust</strong></p><p><em>This is a reprint of the original article, which was initially featured in the Sept. 2021 AFERM newsletter</em></p><p>The fundamental qualities of a true leader transcend time, circumstance, and organizational culture. Essential attributes inherent in today’s leaders are no different from those needed in the past, even though times have changed and continue to change. However, some specific character traits are necessary in the contemporary work environment, currently undergoing transformation to meet today’s needs.</p><p>Emboldened by my own insights, gathered over 20 years in the advisory consulting profession, I sought out leaders in government and the private sector (Pete Gouldmann, the U.S. Department of State’s enterprise risk officer for cybersecurity, and John Hunt, Advanced Solutions Leader at Guidehouse) to discuss the traits needed for success. All said the foremost quality is being able to handle transitions and lead change management. Moreover, they confirmed my belief that such leaders share similar character traits.</p><h3>Attributes Vital to Leadership</h3><p>No matter the challenges, an effective leader employs vital attributes to create an environment conducive to change. Many leadership and change management experts tout specific personal qualities, shown in the table above, that are needed to succeed.<sup>i</sup> The leaders I interviewed concurred that change leaders require:</p><p><em>Ability and willingness to co-create a new way</em>. Leadership is selfless; the goal is not credit. Rather, with part art and part science, a leader creates an environment that stimulates, motivates, and encourages teams to take initiative. People need to trust their leaders and to trust the process of change. 
Moreover, this trust must be mutual.<sup>ii</sup></p><p>Leaders earn trust through everyday ethical interactions, decisions, and behaviors. The art is in exhibiting competence and delivering promised results while remaining humane and benevolent. It demands ample emotional intelligence, education, and life experience to realize the importance of treating people as the ends rather than the means. Trust is also about building relationships that create value, rather than practicing a transactional approach to leadership in which reciprocity is expected from every interaction. With trust, the other important aspects of leadership can be applied.</p><p><em>Humility, self-awareness</em>. Although it seems counterintuitive to a hierarchical organizational dynamic, cultivating these qualities in yourself and those you lead will encourage feedback and, at times, skepticism. A key attribute of extraordinary leaders is the ability to welcome and handle opposing viewpoints gracefully and professionally. By allowing people to feel, through your tone, words, and actions – body language included – that they can talk to you without negative repercussions, your effectiveness as a leader multiplies exponentially. This is the science component of leadership – to be comfortable with divergent ideas. True leaders nurture this attribute and find balance between productive discussion and neutralized negativity.</p><p><em>Ability to create a climate of well-being and appreciation</em>. Different from culture, climate is how people feel about coming to work and what they feel in the office. Climate change can happen quickly, while culture remains more resilient with its organizational values, unwritten rules, and expectations, all slow to change. The atmosphere and tone that prevail in an office, at meetings, on conference calls, and through email can affect motivation and performance outcomes in a more profound way than strategy, mission or vision. 
To create an amiable climate, leaders need, as Mahatma Gandhi said, to be the change they want to see. They set the example of appreciation, recognition, support, integrity, and responsibility, simply by maintaining a good mood, smiling, being calm and remaining positive.</p><p><em>Patience in building participation and seeing progress</em>. It takes time to build a high-performing team. An effective leader creates a space and allocates time for discussions. Some talks are relevant to change and some may not be. But it is important to let people speak and “establish themselves” first. While difficult to accomplish in a world of deadlines and competing priorities, a habit of rushing into doing without first thinking and talking things through will most likely lead to a change initiative failure. Taking time and effort to form teams of people who feel welcome, heard, and integral to both process and solution, rather than feeling overlooked, dispensable, and used, is essential to effective leadership.</p><p><em>Willingness to share decision-making</em>. Extraordinary leaders know the success of an endeavor is a result of everyone doing his or her part well. On high-performing teams, the leader most often leads from behind. In practice, this means listening to all available opinions and allowing teams to make decisions. While often difficult for leaders who naturally make decisions and take control, extraordinary leaders welcome flexibility in roles and let their teams create ways to get things done without direction.</p><p>Extraordinary leaders should also be able to follow another’s lead, especially someone hired as an advisor and contributor of ideas who is expected to co-lead. Acting on the advice of direct reports or staff demonstrates command of a situation and trust in the team. 
Knowing how and when to empower, how to share decision-making authority, and how to acknowledge being wrong or not having an answer are all powerful expressions of the successful leader.</p><h3>Considerations in Changing Times</h3><p><em>The social media factor</em>. An effective leader’s desire for transparency is complicated by the instantaneous nature of social media. Information can become public and go viral beyond the organizational perimeter in a matter of seconds today. Hunt suggests leaders remain cautious about the type of information and the amount of detail to be shared as well as the timing.</p><p><em>Communication preferences</em>. Hunt also pointed out the importance of knowing how people prefer to receive news and information. Some prefer face-to-face interaction while others prefer email. An effective leader takes this into account and remains flexible, yet still able to influence and make an impact.</p><p><em>Data awareness</em>. Gouldmann offered a unique perspective on the prevalence of data and resulting information, now so easily attainable, and the way it drives the need for agile leadership. He said, “Data awareness is unprecedented. It positions us to refine processes and execution and serves as a catalyst for change. It also allows us to make better risk-based decisions and trade-offs by providing insights into the risks of doing something versus refraining from it.”</p><p>In the words of the ancient Chinese philosopher and writer Lao Tzu, “Of the best leader, when his work is done, the people all say, ‘We did it ourselves.’”<sup>iii</sup> If leaders can demonstrate and consistently practice the attributes of trustworthiness, competence, humility, self-awareness, and cooperation underpinned by positivity and patience, their teams can reach breathtaking goals and conquer any change, no matter how difficult they may seem when first presented.</p><h3>Leaders Let Their Team Shine</h3><p>Extraordinary leaders feel no need to impress. 
They let their followers shine, be impressive, smart, and sophisticated. Hunt, who led his team through a major organizational transition, said, “It is okay to say, ‘I am not working on this issue, but someone else is, and we will provide you an answer once it is available.’” If things do not go as planned, he noted, “You cannot be afraid of change going wrong and get stuck. You need to be humble enough to say, ‘It isn’t working,’ and go back to the drawing board.”</p><h3>Considerations for Female Leaders and Lessons Learned</h3><p>Women face additional, often unique, leadership challenges, such as being heard and recognized for contributions and thoughts, or remaining true to one’s self as a tenacious, passionate, straightforward person without being deemed aggressive or worse. Specific considerations for women in change leadership include:</p><ul><li>Remember: If you are not at the table, you are on the menu. It is important to participate in discussions and not remain passive.</li><li>Do not be a wallflower. Do not hesitate to speak up and stand up to be in the room and sit at the table.</li><li>Find mentors and role models. Watch, pose questions, ask for help and advice, and emulate their behavior and style. Be prepared for constructive criticism.</li><li>To comments about being too talkative, too assertive, too outspoken, or too strong, thank the giver for the compliment. Exhibit a friendly, animated style with a pleasant expression and a forward lean.</li><li>Balance between assertiveness and aggression can be achieved through situational awareness, tone, and delivery. Think of the message and what you want to achieve with it, as well as what your relationship to the receiver means to you.</li><li>Stay true to yourself, regardless of seniority.</li><li>Take responsibility for your personal decisions and make things work for you.</li><li>Do not be afraid to refuse. There is a difference between cannot do and will not do. Even if we can do it, will we? 
Should we?</li></ul><p><strong>Interesting fact</strong>: When women are involved in a peace process, the agreement is 35% more likely to last beyond 15 years.<sup>iv</sup></p><p><sup>i</sup> DAVIS, JOCELYN (2019). The Art of Quiet Influence. Nicholas Brealey Publishing.<br /><sup>ii</sup> OUSLIS, NATASHA (2019). Trust in Leadership – One Key Factor During Organizational Change. Science for Work.<br /><sup>iii</sup> LAO TZU. Tao Te Ching (Translation: Addiss &amp; Lombardo). Hackett Publishing Co., Inc., 1993.<br /><sup>iv</sup> WORLD BANK GROUP FORUM (2019). Paving the Way for Women in International Security. April 25, 2019.</p>]]></description>
<pubDate>Thu, 31 Oct 2024 11:18:00 GMT</pubDate>
</item>
<item>
<title>Generative AI Transformation</title>
<link>https://www.aferm.org/news/news.asp?id=687810</link>
<guid>https://www.aferm.org/news/news.asp?id=687810</guid>
<description><![CDATA[<p><strong>A rising risk awareness</strong></p>
<p>Artificial Intelligence (AI) introduces a complex and multidisciplinary set of risk factors that demand new depth, expertise, and leadership from agency risk functions. Recognizing the urgency of these risks, the <a href="https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf" target="_blank">Office of Management and Budget (OMB) memorandum on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence (M-24-10)</a> rightfully emphasizes the importance of an integrated, agency-wide risk
    management function for most types of AI usage. This paper briefly discusses the benefits of seeing this risk function as more than a cybersecurity exercise and rather viewing it through a cross-functional, sociotechnical lens. We also discuss an
    intuitive, probabilistic methodology for quantifying risks despite the uncertainty inherent to AI, thereby enabling more strategic decision-making for AI risk management and portfolio governance at the enterprise level.</p>
<h3>Classifying AI risks</h3>
<p><img alt="" src="https://www.aferm.org/resource/resmgr/images/generative_ai_02-300x165.png" class="pull-right" /></p>
<p>One of the requirements in OMB’s memo is to conduct periodic risk reviews of any safety-impacting or rights-impacting AI. Indeed, a clear understanding of the risks is the only way to know the true costs of an AI solution and whether its purported benefits
    are desirable considering those costs. Since the risks inherent to AI stem as much from their technological implementation as from their (mis)use, we’ve found it helpful to ground AI risk assurance in cross-functional, sociotechnical thinking about
    how an AI model fits into a business process. When you shift your attention from the bits and bytes of one particular AI model and instead conceptualize how that model integrates into a business process, four risk categories emerge:</p>
<p><img alt="" src="https://www.aferm.org/resource/resmgr/images/generative_ai_01.png" /></p>
<p>When you think about a model in the context of a specific business process, it’s easier to have a tactical conversation about the risks no matter their provenance, whether they be technical (e.g., cybersecurity), sociotechnical (e.g., misuse), systems-related
    (e.g., software supply chain), or organizational (e.g., reputational harm). For instance, the ethical issues inherent to using a Large Language Model (LLM) for an HR function, like recruitment, will be different from those inherent to another
    function, like finance, even if both use cases leverage the same LLM.</p>
<h3>Quantifying AI risks</h3>
<p>While it’s clear that AI risk assessments need to be tailored to each individual AI application, OMB—as well as the National Institute of Standards and Technology (NIST), Government Accountability Office (GAO), and other authorities on risk management—have
    not been prescriptive on how agencies ought to quantify AI risk exposure. Although useful as a heuristic, qualitative risk registers make it difficult to perform simulations or perform apples-to-apples comparisons between use cases, which is crucial
    for AI portfolio governance.</p>
<p>Enter KPMG’s Probabilistic Risk Assessment methodology. Built atop Bayesian Networks, the methodology goes well beyond providing an understanding of the potential likelihood and impact of risks (i.e., traditional heat map) and combines probabilistic methods
    with graph data science to model complex, potentially interdependent risk factors in a fashion that can handle uncertainty, incorporate both quantitative and qualitative data, and provide visualizations of the complex interdependencies among risk
    factors and their potential impacts (Exhibit 2). For decision-makers in the AI risk management space, this unlocks the ability to better understand technical risks, such as your traditional cybersecurity vulnerabilities, alongside the more amorphous
    sociotechnical risks, such as (un)intended (mis)use.<img alt="" src="https://www.aferm.org/resource/resmgr/images/generative_ai_03-300x199.png" class="pull-right" />
For instance, the methodology permits integration of expert knowledge from the business/mission function, which can be useful where empirical data is lacking, as well as updates when new information comes to light, which is crucial in such a fast-changing
    field as AI. For decision-makers, this flexibility enables what-if analyses to determine the impact of changes in information, assumptions, risk appetite, or all the above. The methodology also enables your most senior leaders to compare/contrast
    the risk postures of otherwise dissimilar use cases, which can facilitate those tough go or no-go decisions. By enhancing your understanding of the complex, multidisciplinary risk factors at play, the methodology ultimately helps all stakeholders
    uncover the right set of risk mitigation strategies and monitoring plans.</p>
<h3>How KPMG can help</h3>
<p>With our rich pedigree in assurance functions, KPMG has developed the Trusted AI Framework to help ensure fairness, transparency, explainability, accountability, data integrity, reliability, security, safety, privacy, and sustainability in AI adoption
    (Exhibit 3). While the Trusted AI framework was designed for use across all AI activities—establishing safe and ethical practices for machine learning and GenAI teams as well as defining data quality standards—its tenets also guide our approach to
    AI risk management and its components align to the requirements of OMB memo M-24-10. Through this Exhibit 3 framework, our cross-functional professionals can help you quantify risk exposure for each AI use case and then leverage probabilistic simulations
    to model scenarios and their impacts. That transparency can help you cut through the complexity of AI adoption and make more confident, data-driven decisions when assessing and prioritizing AI use cases, helping ensure not just the advancement of
    technology but also your mission.</p><p><img alt="" src="https://www.aferm.org/resource/resmgr/images/generative_ai_05-277x300.png" /></p>]]></description>
<pubDate>Thu, 31 Oct 2024 09:24:00 GMT</pubDate>
</item>
<item>
<title>GRC Considerations</title>
<link>https://www.aferm.org/news/news.asp?id=687811</link>
<guid>https://www.aferm.org/news/news.asp?id=687811</guid>
<description><![CDATA[<p><strong>By: Joseph Lord, Deloitte &amp; Touche LLP</strong></p>
<p>Enterprise Risk Management (ERM) programs commonly rely on an array of spreadsheets, presentations, manual processes, and siloed data to manage their program operations. For many ERM programs, this minimal technology infrastructure has met their start-up
    needs. However, this approach may not satisfy needs for long. As agencies are maturing their ERM programs, they are expanding to include additional categories and types of risks (Third-Party Risks, Cyber Risks, Supply Chain Risks, etc.) to capture
    a more complete picture of the modern risk landscape. They are also putting in place connections to strategy, budget, and controls to better understand and manage risk to outcomes. Due to the expanded risk data sets, the increasing number of stakeholders
    that utilize risk information, and the drive to have timely information, agencies are assessing Governance, Risk, and Compliance (GRC) tools to streamline or automate their programs.</p>
<p>GRC tools are software applications and modules designed to integrate governance, risk, and compliance processes across the organization. These capabilities include policy and compliance management, risk management, audit management, issue and incident
    management, business continuity management, vendor risk management, information security, and more. Centralized data storage, analytics, visualization, and workflow management efficiently tie all these capabilities together to facilitate cohesive
    and efficient operations. Furthermore, GRC tools offer flexibility for customization and reconfiguration, allowing them to be tailored to align with an organization’s specific operating environment and needs today and for the future. GRC’s integrated
    suite of capabilities helps agencies achieve their strategic objectives through effective risk management in a cost-efficient manner.</p>
<p>Once leaders grasp the basics of GRC and its potential benefits for their organization, they may feel both excited and concerned. Excitement stems from the idea that a GRC tool offers an elegant solution to automate time-consuming processes and integrate
    risk programs. On the flip side, there can be concern because the technical procurement and implementation of software are not typically within their usual responsibilities. Nevertheless, risk leaders should err on the side of excitement, as the concerns,
    while not unfounded, are manageable. Given that some risk leaders are unfamiliar with software procurement and GRC implementation, below are a few domains to help frame their thinking.</p>
<p><strong>Program Design and Use of GRC</strong>: Risk leaders should not develop their programs around a tool, but rather configure the tool to meet their program needs. When identifying the needs for an agency risk program, risk leaders should ask themselves
    questions that include, but are not limited to:</p>
<ul>
    <li>What risk programs (ERM, TPRM, Internal Controls, Audit Management, etc.) are in place today?</li>
    <li>What risk programs does the agency want to establish in the future?</li>
    <li>What current systems in place will / should integrate with the GRC tool?</li>
    <li>What functionality is needed to enhance the ERM program?</li>
    <li>Who should have access to the GRC tool?</li>
    <li>And most importantly, how do I implement this tool and manage change in a manner that makes the agency’s risk program sustainable for the long term?</li>
</ul>
<p>These are just a few illustrative questions to get a risk leader thinking and prioritizing what they value in their future state program design and use of a GRC.</p>
<p><strong>Cost</strong>: There are four general types of cost that an agency incurs with any software implementation: one-time implementation cost, annual license cost, support cost, and operations and maintenance (O&amp;M) cost:</p>
<ul>
    <li>Implementation cost: The one-time implementation cost encompasses the initial setup, configuration, and integration of the GRC tool into the existing systems and processes. This may include expenses for consulting services, customization, data migration,
        change management, and training for staff to effectively use the tool.</li>
    <li>Annual license cost: Recurring annual cost for users to utilize the software. This can also include updates and patches, support, and maintenance.</li>
    <li>Support costs: These are costs that do not appear as line items in a budget, such as staff time spent on implementation or staff time spent in training.</li>
    <li>O&amp;M cost: These are costs associated with any hours spent on any maintenance or further configurations.</li>
</ul>
<p>Beyond understanding the significant value proposition, risk leaders should be aware of the types of costs associated with a GRC tool to support the creation of a fully informed business case for GRC within their respective agencies.</p>
<p><strong>Agency GRC Operability</strong>: Agencies often have different preferences when it comes to the level of “self-service” they desire within a software product – for example, some may want the full ability to customize and configure, while others
    may want limited configurability. The preference should be considered as risk leaders evaluate GRCs that are right for their program as well as potential needs for upskilling staff or enlisting outside support. Agency leaders should also consider
    the benefits of an implementation vendor, as purchasing a GRC as a one-off software buy, rather than as part of a wrap-around set of risk and change management services, may limit the value proposition.</p>
<p>Although change can be challenging and software may seem intimidating, agency ERM leaders should look to capture the benefits that a GRC solution can bring to their ERM program and their agency. ERM programs have driven significant change and improvement
    across their respective organizations – now is the time for the ERM program itself to be the subject of evolution and improvement.</p>]]></description>
<pubDate>Wed, 30 Oct 2024 12:31:00 GMT</pubDate>
</item>
</channel>
</rss>
