INTRODUCTION
In a recent e-mail in which he noted that the U.S. Office of Management and Budget (OMB) is issuing its update to Circular A-123 on July 15, 2016, Greg Hutchins, co-founder of the CERM Academy, commented “this is really big. The circular is entitled “Management’s Responsibility for Enterprise Risk Management (ERM)”. It requires all federal agencies to adopt ERM. ERM is a framework by which federal agencies can identify and mitigate risk. I agree with Greg, this will be big. Thus, it is worth stepping back and seeing some of the factors which led to the adoption of ERM.
KEY FACTORS
There are four broad factors which facilitated the revision of A-123. These are:
1. A general trend toward having government act like the private sector – more cost efficient.
2. The increasing risk in today’s environment. These risks cut across both political and bureaucratic boundaries.
3. The desire to create consistency between public and private sector internal audit procedures and federal operational procedures.
4. A key group of federal executives created an ERM advocacy and support network, developed case studies and supported an ERM survey of federal agencies.
Over the years, U.S. Presidents have issued and Congress has passed various regulations and laws designed to improve government performance. For instance, in 1993 Congress passed the Government Performance and Results Act (GPRA). This act required federal agencies to establish strategic planning, performance planning and performance reporting. In 2010 the GPRA Modernization Act was passed. It requires cross-organizational collaboration to achieve shared goals and the use and analysis of goals and measures to improve outcomes. The revision of Circular A-123 is a continuation of this process.
VUCA (Volatility, Uncertainty, Complexity and Ambiguity) seems almost prosaic. Yet, whether the issue is terrorism, computer hacking, natural disasters, or industrial accidents, governments at all levels face substantive adverse impacts. The occurrence of such events increases the pressure on an organization’s financial and manpower resources. For instance, Hurricane Gustav, which hit Louisiana after Katrina, while resulting in little loss of life, shut down the southern half of Louisiana for two weeks. It affected electrical systems, crops, and personal and commercial property. The recovery effort involved Federal, State and Local governments.
In 2014 the Government Accountability Office updated the Green Book, its internal audit standards. It brought the federal government’s internal auditing process into sync with the private sector, as standardized by the Committee of Sponsoring Organizations (COSO).
Finally, a group of federal executives formed the Association of Federal Enterprise Risk Management (AFERM). The association’s mission is to advance the practice of ERM in the federal government and “foster collaboration with organizations/stakeholders to promote laws, regulations and policies to establish Federal ERM in the various Agencies and Departments.” Towards this aim, the association has developed case studies. The case studies and early adopters’ experience indicate four patterns:
1. ERM is not staff intensive.
2. ERM adds value by identifying problems early.
3. ERM integrates well with other planning, management and budget processes.
4. ERM provides a tool which helps organizations manage better.
CURRENT STATE OF ERM IN FEDERAL ORGANIZATIONS
In 2015 AFERM teamed with PWC to conduct a survey to determine the current state of ERM within federal agencies. The results show that 44% of the respondents do not have an ERM program. Of these, 80% expected to implement ERM in the near future, with all expecting full implementation within five years. Of those with an ERM program, only 26% believe that their organization scores well, with 46% scoring their organization acceptable. A majority, 57%, see siloed data and decision making as a major inhibitor to the adoption of ERM. The top five risks identified in the survey are: Strategic Risk (56%), Operational (48%), Data Security (48%), Reputational (37%) and Financial/Reporting (25%). Sixty percent of all respondents indicate that they use COSO and/or ISO 31000 to implement ERM methodologies. Finally, 50% agreed that in order for ERM to gain legitimacy across all federal agencies an OMB Circular needs to be issued.
CONCLUSION
With OMB’s issuance of the revision of Circular A-123, ERM is now a federal requirement. But, as the survey results indicate, there will be a learning process before ERM becomes a firm federal fixture. The presence of AFERM and a core group of federal agencies with increasing ERM experience should result in a fairly quick adoption process. As this process unfolds, the use of COSO and ISO 31000 will bring federal agencies closer to private sector and world standards.
Bio:
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten years’ supervisory and managerial experience. He has consulted on economic, quality and workforce development issues for the City of Corvallis, Benton County, Oregon, the State of Oregon and the League of Oregon Cities. He has also published numerous articles on quality in government and risk analysis.