Evolving the Enterprise Risk Management in Government: Reflections of a Risk Management Professional
In 2010, the IBM Center for The Business of Government published my report, Managing Risk in Government: An Introduction to Enterprise Risk Management (ERM); its first research report exploring the importance of managing risk at the enterprise level. The release of this report and the many other Center reports on risk management that have followed continue to shape and inform the dialogue in what has become a government-wide effort to improve operations and effectiveness within federal agencies. The report also played a role in educating key federal government professionals who would advocate for and developed policy that would lead to the implementation of ERM across U.S. federal agencies.
Six years after the publication of this report, in July 2016, OMB issued a significant revision to Circular A-123 -- renaming it, “Management’s Responsibility for Enterprise Risk Management and Internal Control.” This new guidance not only filled a void addressing the relationship between internal control and risk management, it also updates how U.S. federal agencies should manage to improve operations and decision-making. With the release of this revised Circular, the U.S. federal government joins countries, such as Canada and the United Kingdom, which were had already adopted and were using ERM to improve government operations.
Tell us about your experience leading the Department of Commerce's ERM efforts - Karen Hardy describes.
To date, Managing Risk in Government: An Introduction to Enterprise Risk Management, has been through its second printing and has netted more than 5,500 downloads. Over the past decade it has been referenced by many, including international governments, consultants, practitioners, researchers, and scholars—some I recall by name and others I may have forgotten over the years. Those who have reached out to me personally by email have appreciated the insights and recommendations outlined in the report, recognizing it has a body of work designed to inform the fundamental and foundational thinking on how best to adopt and use ERM within government.
ERM is now more important than ever as a strategy to help government with decision-making in the response and recovery to COVID-19. And I am still reminded that the ERM journey to date, and its lessons learned for the future, have resulted from no small feats.
Making Change in Unexpected Places
I recall the day that I joined a across-agency internal control conference call. It was 2014 and during the typical role call I announced myself as the Deputy Chief Risk Office (CRO) for the U.S. Department of Commerce. Right after my check in, a voice came on the call after me, interrupting the next person to check in. This person specifically asked, “excuse me, but is this the Karen Hardy who wrote the IBM Report on Enterprise Risk Management?” I said, “Yes, it is.” He proceeded to say that he read the report and found it extremely helpful in educating OMB about ERM. The next day, I received an email asking if I would be interested in a detail assignment to OMB to help develop an ERM policy for government. That person was Mike Wetklow, and I said yes. I became the first to serve as a Senior Advisor for Risk Management Policy under the OMB Office of Federal Financial Management and eventually the first federal employee to serve as a member of the COSO ERM Advisory Council. I had not realized how much my previous work at Commerce would impact the ERM momentum moving forward.
Organic Growth of ERM in Government
Prior to my working with OMB and at the Department of Commerce, two key events transpired that really put the government ERM effort in full gear. First, during after work hours while I was working at NIH, a handful of government executives (Douglas Webster, Sallyanne Harper, Barbara Buckhalter, and a few others including myself) came together informally to share best practices and our passion for ERM. This group of executives soon became the Executive Steering Group and organized the first ERM Summit where 50 people were in attendance. We organized the first summit entirely by phone and did not meet each other as a group in person until the summit event. A few years after the initial summits started to grow in attendance, this Executive Steering Group later became what is today the Association for Federal Enterprise Risk Management (AFERM) with Doug Webster as its’ first President.
I had been working in the trenches on ERM at the Department of Commerce for 3 years when I received the assignment from OMB. And even though the internal Department of Commerce ERM conference calls were going well, I soon realized that the government did not have a cross-agency ERM group. With a big push and support from the Department’s CFO, I was able to establish a monthly Commerce-only ERM conference call and I invited a handful of agency leaders (about 5) to join in the conversation. After a few months, I asked those invitees what they thought about opening the call to include a representative from OMB. They thought it was a great idea. That conference call at Commerce, which started with 5 invitees, eventually became the informal ERM Council which I then chaired for the better part of 5 years.
We held our first onsite meeting at the White House Conference Center and the first brainstorming session about where we go next. This ERM Council eventually became the ERM Working Group.
The ERM Council gave OMB proof that federal agencies were interested, involved, and engaged in using ERM to identify, manage, and mitigate risk at the enterprise level with the goal of improving operations and decision-making within agencies. Its existence influenced and supported OMB’s decision under the leadership of Dave Mader to pursue, revise, and retitle OMB Circular A-123 as Management’s Responsibility for Enterprise Risk Management and Internal Control in July 2016.
A Decade of Progress
The motive behind the IBM ERM report was and has always been to help agencies apply ERM more easily. I was responsible for the initial work in establishing the NIH Risk Management Program. With little information to work with, I struggled to find a comprehensive blueprint for adopting and implementing ERM in the federal space. After doing a great deal of research by phone and the internet, I came to the conclusion that this was too hard for one person and vowed to create a resource that would spare others the frustration and pain of working from scratch. The IBM Center was a viable path to help make that happen.
When I first submitted my research proposal to the IBM Center, it was originally titled “Leading Enterprise Risk Management Activities in Government.” It was later changed to “Managing Risk in Government: An Introduction to Enterprise Risk Management in Government” for publication. The original manuscript I submitted exceeded the IBM publishing guidelines of 50 pages. The material that didn’t make it into the final report was expanded and in 2013 reprinted into a 400-page book, Enterprise Risk Management: A Guide for Government Professionals, published by John Wiley and Sons. To date, this book continues to be used by universities, consultants, and practitioners to inform their ERM learning.
With an eye on the future of what could be possible, much effort was invested to ensure that work in one agency did not remain a monologue but would inspire an extended conversation across government. That growth has been recognized over the past several years. What was once a blank sheet of paper has now evolved to include conversations about several areas of government such as cyber security risk management, customer engagement risk management, applying risk-based decision-making, artificial intelligence, and managing financial risk.
With this new-found momentum, how far have we come since 2010? Here are a few research findings from the 2010 report with some thoughts about where we go from here:
2010 Finding #1: Educating a workforce unfamiliar with the ERM terminology and concepts is a key issue for leading ERM activities.
2020: We now can celebrate the establishment of AFERM, the partnering of government and Non- Government Organizations (NGOs)-- such as the Partnership for Public Service (PPS), Association of Government Accountants (AGA), and the Risk Management Society (RIMS)- all working together to develop, deliver and support ongoing educational opportunities. One significant milestone has been, the establishment of the RIMS-Certified Risk Management Professional designation for federal government.
2010 Finding #2: Most ERM initiatives were not championed specifically by the CFO though the CFO was part of the ERM governance structures.
2020: We have seen the CFO community step up and take a leading role in pushing forward the ERM initiative and agenda with the OMB CFO council picking up the mantle. Accomplishments include sponsoring key committees and ushering through the publication of the ERM Playbook.
2010 Finding #3: How organizations approach ERM may largely depend on the agency’s management objectives, resources, culture, and risk tolerance level as well as internal and external influences.
2020: This challenge remains true. ERM efforts continue to vary in scope and scale from agency to agency. However, agencies are now able to assess through formal annual surveys specific areas of challenges and opportunities and work together to close gaps of maturity. The Guidehouse Annual Survey of ERM practices in government, in partnership with AFERM, is a great example of the tracking, progress, top of mind issues and pain points agencies face.
Conclusion
To quote futurist and global thinker Buckminster Fuller, “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.” Certainly, federal leaders are working towards this ideal. ERM is not just for the government of today but of the future. Every day we should be dismantling the norms of what we think work well today and challenge ourselves to create a model fit for the future of a dynamic and responsive government.
The presence of risk is a permanent fixture in the VUCA world in which we live-- A world filled with Volatility, Uncertainty, Complexity, and Ambiguity (VUCA). The year 2020 presents an opportunity to further adjust the narrative surrounding ERM because of COVID. A narrative too often affiliated with compliance to one of necessity. The devastation of the pandemic has emphasized the role of risk management during times of uncertainty and the role it plays in helping organizations manage and mitigate risk. This may help those doubtful about the value of ERM think differently about it. It may also be the Segway to a stretch of time that focuses on collecting the evidence proving this assertion.
What can change because of ERM? This will be a challenging task but also a great opportunity to solidify what was envisioned in 2010—ushering in a business practice that helps make government more efficient. With that in mind, ERM as a solution for solving problems will continue to be a key driver for becoming part of day-to-day business operations and creating effective change in how we govern.