Federal agencies are under increasing pressure to accomplish their missions more effectively and efficiently while meeting taxpayer and legislative expectations for accountability and value. This is no small task: new and evolving risks present significant challenges, and failing to address them can harm compliance, financial and operational performance, strategic objectives, and ultimately an agency’s ability to accomplish its mission. Effective enterprise risk management (ERM) requires a holistic and robust framework that encompasses, among other things, a range of risk management activities and responsibilities.
There is no one-size-fits-all approach to ERM, so organizations should adopt ERM programs suited to their own risk management needs and objectives. There are, however, certain essential elements that agency leaders should include in their ERM frameworks to maximize value for stakeholders, shown in Figure 1 below.
Figure 1: Illustrative ERM Framework
Establish ERM governance to develop a more risk-aware culture
Risk management is a shared responsibility that requires active involvement and commitment from leaders in each business and program area to develop and maintain a risk-aware culture—one where leaders work collaboratively with members of the organization to encourage the flow of information and communicate the importance of risk identification, management, monitoring, and reporting. Some agencies have hired chief risk officers (CROs) and chartered executive risk committees (ERCs) to oversee the ERM program’s effectiveness and integrate risk concepts into strategic planning and performance measurement activities across the enterprise.
Align ERM process to strategic goals and objectives
The GPRA Modernization Act of 2010 (GPRAMA) requires every federal agency to produce a new strategic plan at the beginning of each new presidential term. Because the plan states the agency’s long-term objectives, it is the natural starting point for aligning ERM processes to strategic goals and objectives: the results of risk management activities, operating plans, and performance reports can each be reviewed against it.
Identify and assess risks
Agencies must first identify the risks inherent in their processes, always asking, “What could go wrong?” Management should consider the following categories when compiling an inventory of risks, or risk register:
- Strategic and mission risks
- Operational risks
- Budget and financial risks
- Technology risks
- Regulatory, compliance, and legal risks
- Reputational risks
- Human capital risks
Once agencies have identified risks, the next step is to assess and prioritize them. Managers should estimate each risk’s significance by considering the likelihood of its occurrence and its impact on the agency if it is realized. Likelihood and impact should be rated against criteria defined once for the whole agency, so that ratings produced by different program areas are comparable. A heat map, such as the sample shown in Figure 2 below, can help chart an agency’s significant risks.
Figure 2: Illustrative Risk Heat Map
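The scoring and heat-map step described above, as an added example that is not code from the original article or from MorganFranklin: each register entry carries a likelihood and an impact on an assumed 1 to 5 ordinal scale, the score is their product, the band thresholds are an assumption, and the sample register is constructed for illustration. Out-of-scale ratings are rejected rather than silently charted.

```python
"""Score a risk register and chart it on a likelihood/impact heat map.

Added example; not code from the original article. Assumptions: a 1-5
ordinal scale for likelihood and impact, score = likelihood * impact, and
the band thresholds in band(). The sample register is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed ordinal scale: 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Risk:
    id: str
    category: str  # one of the register categories listed in the article
    description: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently inflate
        # or hide a risk on the heat map.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.id}: {name}={value} not in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(risk: Risk) -> str:
    """Assign a heat-map band; the thresholds are an assumption."""
    if risk.score >= 15:
        return "high"
    if risk.score >= 8:
        return "medium"
    return "low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact, then by id for stability."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.id))


def heat_map(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk ids by (likelihood, impact) cell."""
    cells = defaultdict(list)
    for risk in register:
        cells[(risk.likelihood, risk.impact)].append(risk.id)
    return dict(cells)


def render_heat_map(register: list[Risk]) -> str:
    """Text grid: rows are impact (5 at top), columns are likelihood (1..5)."""
    cells = heat_map(register)
    lines = ["impact\\likelihood " + " ".join(f"{l:>4}" for l in SCALE)]
    for impact in reversed(SCALE):
        row = [f"{impact:>17}"]
        for likelihood in SCALE:
            row.append(f"{len(cells.get((likelihood, impact), [])):>4}")
        lines.append(" ".join(row))
    return "\n".join(lines)


# Constructed sample register covering the article's categories.
SAMPLE_REGISTER = [
    Risk("R1", "Technology", "Unpatched internet-facing system", 4, 5),
    Risk("R2", "Human capital", "Loss of key security staff", 3, 4),
    Risk("R3", "Budget and financial", "Funding delay under a continuing resolution", 5, 3),
    Risk("R4", "Regulatory and compliance", "Missed statutory reporting deadline", 2, 3),
    Risk("R5", "Reputational", "Public disclosure of a data breach", 2, 5),
    Risk("R6", "Operational", "Legacy system outage", 3, 3),
]

if __name__ == "__main__":
    for risk in prioritize(SAMPLE_REGISTER):
        print(f"{risk.id} {band(risk):<6} score={risk.score:>2} {risk.description}")
    print(render_heat_map(SAMPLE_REGISTER))
```

The tie-break on impact is deliberate: of two risks with equal score, the one with the larger impact is usually harder to reduce after the fact, so it is listed first. Multiplying ordinal ratings is a common convention, not a measurement; a risk rated 2 x 5 and one rated 5 x 2 land in different heat-map cells even though they share a score, which is why the grid is kept alongside the ranked list.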
Respond to risks
Once risks have been identified, assessed, and prioritized, management should determine the appropriate response for each risk in the risk register. Responses include:
Among other considerations, management can assess how to leverage existing internal controls to develop effective responses to enterprise risks.
Monitor and report on risks
Appropriate reporting mechanisms and channels are critical to ongoing risk monitoring. Management should ensure that suitable tools and channels are in place from the program level through the executive level. A reporting structure such as the sample shown in Figure 3 below can raise awareness of new or evolving risks and of risk responses, and prompt dialogue on how risk management activities align with the pursuit of strategic objectives.
Figure 3: Illustrative ERM Reporting Structure
Risk monitoring should be part of an organization’s ongoing strategic and operational reporting to help the agency readily identify and respond to new or evolving risks. Additionally, agency leadership should consider separate or independent evaluations of the effectiveness of ongoing monitoring.
As agencies implement ERM, leaders should consider how they plan to mature their ERM processes and programs. Ultimately, the maturity of an agency’s ERM program determines how effectively it can identify, assess, prioritize, respond to, monitor, and report on risks. According to OMB Circular A-123, “agencies should develop a maturity model approach to the adoption of an ERM framework.”
ERM maturity models help management reflect upon their programs’ strengths and identify opportunities to improve risk management practices. Considerations include but are not limited to an agency’s:
- Awareness and understanding of risks and risk response strategies
- Risk management governance and oversight over risk-taking activities
- Risk appetite, risk tolerances, and risk indicators
- Application of risk management processes
- Risk monitoring and reporting (e.g., emerging or evolving risks)
- Integration of risk management practices with strategic planning and performance management
Figure 4: Illustrative ERM Maturity Model
Among other things, maturity models can support benchmarking, create a shared vision and risk taxonomy, and expose gaps or duplications in risk management practices. Each year, agencies should refine their approach to implementing ERM, including their ability to identify emerging or evolving risks.
For more information on how MorganFranklin’s ERM experts can support your organization in building or maturing its risk management framework or program, please contact us.