Managing Risk: Insights from GAO’s High-Risk List
The past several decades have seen far greater attention to the challenge of making government programs work better. There is no better bellwether of this movement than the “high-risk” report of the U.S. Government Accountability Office (GAO), a biennial assessment of the biggest challenges facing some of the federal government’s most important programs. Professor Don Kettl acknowledges in his 2016 IBM Center report, Managing Risk, Improving Performance:Lessons for Improving Government Management from GAO’s High-Risk List, GAO hgh-risk reports identify the larger issues of risk that the government faces. In the four years since its publication, Kettl’s report and the insights he offers are still relevant, even more so today. Like all large enterprises, the U.S. ederal government faces the risk that bad things—or unintended things—will happen as it attempts to manage its programs. As Doug Webster and Tom Stanton explain in their IBM Center report Improving Government Decision Making through Enterprise Risk Management, a catalog of risks can affect federal operations, including problems involving hazards, finances, operations, strategic choices, and the government’s reputation. "Understanding what can go wrong, how it can matter, what steps can make things right, and how to minimize risk to begin with can provide invaluable insights for improving government," advises Kettl.
GAO’s High-Risk List provides a useful roadmap that can help leaders of federal agencies and programs to identify, mitigate, and to possible avoid certain risks all together. It is an in nvaluable resource in the effort to build a robust risk management discipline across the federal government enterprise.
GAO's High-Risk Series and its Evolution
First launched in 1990, the GAO High-Risk list has grown from 14 programs in 1990 to 35 areas since it was last updated in 2019. Programs on the list range from the 2020 Decennial Census, to food safety oversight, to ensuring the cybersecurity of the Nation. The ratings for over half of the 35 areas on the list remain unchanged. Since its last update, 7 areas improved and 3 regressed. GAO added 2 new areas (on the government-wide personnel security clearance process and VA acquisition management) and removed 2 existing areas due to progress in managing risk (on mitigating gaps in weather satellite data and DOD supply chain management). Government operations are considered high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement or that are in need of transformation to address economy, efficiency, or effectiveness challenges.
Getting on the High-Risk List
In his 2016 IBM Center report, Professor Kettl looked over the first 25 years of GAO reports on programs it had placed on the list to see if he could detect any patterns. He explored how programs got onto the list in the first place, what they did over the years to get off the list, and, based on these lessons, he offers advice on how to stay off the list.
Kettl identifies a set of root causes for why certain programs found themselves on the high-risk list. These top issues are similar causes for why some federal agencies have trouble managing risk at an enterprise level as well. When I interviewed Professor Kettl on The Business of Government Hour he elaborated on these root causes:
- Spanning boundaries and effectively working across organizational stovepipes. “Most of the problems that government face,” says Kettl, “have to do with managing across boundaries not so much managing programs themselves but managing the connections between programs. Difficulties in spanning these boundaries often create big performance problems that can only be solved by ensuring that different players find effective ways of connecting with each other in pursuing their common goal. Indeed, building strong bridges to connect the disparate parts of government’s policy networks is one of the truly great challenges of the 21st century."
- Tracking performance information to make timely decisions. “The government has increasingly developed performance measures, both to define results and to measure the success in achieving them. But”, according to Kettl,” the root cause of many of government’s toughest problems doesn’t just rely on the failure to create a measurement scheme. It requires mapping the road from present problems to future successes and on creating milestones along the way to chart progress.”
- Aging and inadequate information systems. “The government needs effective information systems to manage its programs and to hold its managers accountable. Some of the information systems that government agencies rely on,” Kettl explains, “are updated and need replacing. This is a root cause that requires both sufficient investment and good management; one won’t work without the other. Good information systems are an essential foundation for 21st century government. But so, too, are good systems essential for building and using those information systems. Moreover, good bridges are essential for spanning organizational boundaries; those bridges are often built through information systems.”
There are several other root causes mentioned in the IBM Center reports from ineffective financial controls and contract management to the problem of managing technological complexity and staffing the right people with the right skills in the best positions. “Some of these issues just are hard,” admits Kettl, “and they're hard technologically and require not only the people with the skills to do it but also an approach that allows government flexible.” The high risk problems cannot be solved by a focused effort on a small number of issues. It requires an integrated strategy akin to what we see in an enterprise risk management (ERM) approach aimed at a constellation of interrelated issues.
Managing Risk and Getting Off the List
From identifying root causes for ending up on the list to offering solutions for exiting the list, Professor Kettl underscores that success is possible. "The high-risk list is not just a thick, comprehensive catalog of problems embedded in an arcane collection of management minutiae," asserts Kettl. In parallel with GAO’s refinements in 2015 to the criteria for getting on and making progress in getting off the high-risk list, the federal government began taking a more expansive strategy for understanding and managing risk. There are two key elements here Kettle describes in his report:
- One is an expansion of the notion of risk to include not only fraud, waste, and abuse but also “economy, efficiency, or effectiveness challenges,” as well as areas “that are in need of transformation.” GAO has embraced the broader approach of enterprise risk management, with a focus on challenges to advancing the goals of government organizations as a whole, as opposed to individual programs.
- The second is an increasingly broad vision of the notion of “enterprise” to stretch beyond individual organizations, like agencies and departments, to government as a whole. It keeps an eye on understanding the forces most likely to increase government’s performance problems—and what steps are most likely to prevent or solve them. In addition to examining why programs were placed on the high-risk list.
As noted in Kettl's IBM Center, the enduring lesson is that the government faces enormous risks, which are growing.The wide swath of problems and their root causes is daunting, and there is no sign that either the problems or their roots will get easier to manage any time soon. But there is also great hope in the fact that the problems and their root causes are becoming better understood and therefore skilled leaders are successful in guiding their programs off GAO’s high-risk list in a surprising number of cases.
Even more important is how these lessons speak to the performance of the federal government more generally. "There is great value," says Kettl, "in focusing on enterprise risk management in gauging the obstacles that can stand in the way of making government work. There is even greater value in identifying the root causes for the high-risk problems, for they surely exist more broadly throughout government." Kettl acknowledges that so many of the problems that we have [in government] are a result of not only not understanding the nature of risk, but also failuing to build capacity in advance, to try to manage and solve those issues before they become mega crisis.
Read the next post in our risk series, "Managing Financial Risk in Government."