Kevin Curry in an opinion piece for The Hill raised several issues which will ultimately impact the adoption of Enterprise Risk Management (ERM) in government. The article entitled “America’s public sector has a problem –

It’s not getting any Millennials”, makes four points.  These are; 1. the federal government is having trouble hiring Millennials, 2. the federal government has old legacy cyber systems, 3. millennials expect up to date cyber systems and 4. the lack of up to date cyber systems is one of the problems keeping Millennials away.

 Since the article does not specifically deal with ERM, one might ask: What is the intersection between the four issues and the adoption of ERM in government?  This article looks at the relationship of this problem with ERM in government.

Background

 To show the linkage, some background is necessary.  Curry notes that by 2020 Millennials will constitute 75% of the workforce, but currently only 7% of the federal work force is under 30.  Millennials are digital natives and are frustrated with old technology.  Ninety-three percent say that the presence of new technology is an important workplace consideration. Unfortunately, most government technology is far from cutting edge. Curry’s theme is: “As long as this remains the status quo, the nation’s best talent will not only turn, but run, away from government positions.”

Government’s IT Problems

Government’s reputation for not being technological savvy was demonstrated by the problems rolling out Healthcare.gov websites.  On the first day the federal Obama care website “HealthCare.gov was up, it had 4.7 million visitors, but only six people could sign up.  The website was full of errors. (1)

A 2018 U.S. Government Accountability Office examination of federal agency compliance with cyber-security requirements determined that most had not implemented actions to protect email, cloud services, host-based systems, and network traffic from cyber-attacks. 

The lack of preparation for a cyber-attack is not limited to the U.S. federal government. Further, cyber-attacks can be costly.  In 2018 the regional municipality of Mekinac paid $30,000 to resolve a ransomware cyber-attack that shut down it network for two weeks.   The U.S. city of Atlanta Georgia was the victim of a cyber-attack. The attack was attack, according to the Justice Department was initiated by the Iranian Government.  The attack shut down the city’s computer network for two weeks. It cost the city $9 million dollars to counter the attack.  In January 2019, information of approximately 30,000 Australian was breached by a cyber-attack.

These incidents show that cyber-attacks are global.  Further, where the old (legacy) computer systems and new systems are integrated it becomes more difficult to provide adequate cyber-security.  Because the languages used by legacy and new systems are often different the intersection creates opportunities for cyber-attacks.  There are several reasons the risk of cyber-attacks continues. These are:1. lack of resources and 2. lack of talent.

If these problems were not enough, a 2018 Protiviti and North Carolinas survey of 825 board members and C-Suite executives globally, found two of their top ten risks are Cyber-threats and talent shortage.  This means that the government and the private sector will be competing for similar talent.

ERM and Lack of Resources Competition for talent, a lack of resources and costly threats like cyber-attacks means that decision makers face difficult choices.  In the past, because of resource limitations, solving immediate problems was acceptable. Now with the increasing cost and the interrelationship of risk events, a more strategic approach is needed.  Increasingly, governments around the world are recognizing that an enterprise wide and comprehensive approach to risks is needed. 

The Office of Management and Budget in its Playbook: Enterprise Risk Management for the Federal Government states:

“While agencies cannot respond to all risks, one of the most salient lessons from past crises and negative reputational incidents is that both public and private sector organizations would benefit from establishing or reviewing and strengthening their risk management practices. Agencies are well advised to work to the greatest extent possible to identify, evaluate, and manage challenges related to mission delivery and manage risk to a tolerable level.” (2)

ERM is such an approach. It provides a systematic globally recognized approach which helps management to identify and prioritize the risks they face. Such a prioritization can assist in more effective allocation of resources.  Council of Bradford in the United Kingdom, in its risk management framework explicitly states the following as one reason for adopting ERM.

 “The Council is dedicated to reduce risks to the services it provides for its residents by using good Risk Management practices. It recognises that through Risk Management it will be able to reduce losses and create safer working environments for its employees.    Recognising that losses will inevitably occur, the Council will make every effort to identify and minimise loss exposures by implementing loss control measures whenever possible.”(3) 

The implementation of ERM also helps extend the focus to longer term.  For instance, The Executive Team, in order to develop the City of Coquitlam Canada’s ERM process, identified strategic risks that could affect the city three to five years in the future. 

Lack of Talent and  Cyber-Attacks

Perhaps the best way to demonstrate the ability of ERM to assist management in recognizing and dealing with diverse events is to examine the strategic risks identified by several local government using ERM.  The Bradford Council in its 2017 strategic register recognizes the need to retain a skilled workforce, the risk of cyber-attack and the risk consequences. “Failure to maintain a skilled and motivated work force during a period of sustained change and reducing financial resources may lead to:
-Reliance on temporary staff.
-Management stretch.
-Under capacity.
-High sickness levels.
-Poor performance.”   

 A failure “to prevent the loss or theft of electronic data or corruption of an ICT system” it notes that this may lead to:
– Reputational damage.
– Service disruption or failure.
– Censure and or fines by the Information Commissioner.
– Loss of revenue.
– Additional budget pressures.

To deal with these two risks the Council implemented the mitigative  actions.

Risk: Maintain a skilled and motivated workforce:

•Comprehensive risk management arrangement for all work streams within the programme.

•Leveraging of technological opportunities.

•Ensure there are effective processes for staff engagement and feedback.

Risk: Failure to prevent loss or theft of electronic data:

• Ensure compliance with the Computer User Security Policy.
•  Ensure there is a current ICT Disaster Recovery and Business Continuity Plan in place.
•  Ensure that network security access testing is undertaken at least annually by an external tester.
• Ensure there is a current ICT Disaster Recovery and Business Continuity Plan in place.
• There is an agreed Disaster Recovery and Business Continuity Plan for the ICT service, which is subject to annual audit and testing, to ensure that services and data can be restored in the event of a loss of business continuity.
• Ensure that network security access testing is undertaken at least annually by an external tester.
• Annual network penetration testing is carried out by an external company to identify any potential vulnerabilities to malicious action so that preventative measures can be put in place.   
•  Ensure compliance with the Government’s Public Services Network standard.     

 The City of Saskatoon Canada is another example. The two related 2017 strategic risks are below

Risk: The city may be using outdated or un supported software and/or hardware that may fail.

            Key current risk mitigation activities:

• Current state assessment and establishment of an IT strategy are underway.

•Contingency plans (manual processes, workarounds) have been established at the business unit level.

•Secondary data center has been established for essential applications and services.

Risk: The City’s existing strategies may not be attracting, hiring, managing, developing and retaining top talent to support existing and future operations

Key current risk mitigation activities:

•Succession planning framework has been developed for senior positions.

• Competency frameworks have been/are being developed.

•“Employee Rewards and Recognition” program under development.

• “Investing in Leaders” program continues to offer a variety of opportunities for staff.

• Mandatory supervisor training program implemented.

These examples show two things.  First, governments around the world recognize recruitment and retention and cyber-security are problems. Second, each local government is implementing risk mitigation efforts which are designed for their specific circumstance. 

Summary

There is increasing recognition that the risks related to the inability to recruit millennials, maintain skilled workers and prevent cyber-attacks have substantive consequences for government.  Kevin Curry has pointed out the interrelationships between these risks.  The municipal governments of the Borough of Bradford in the United Kingdom and Saskatoon Canada are two examples of governments which have recognized these risks and taken mitigative actions. The process they have used to evaluate these risks and develop mitigative action is ERM.

Endnotes

1. Eggers, William D., 2016, “Delivering on Digital: The innovators and Technologies ThatAre Transforming Government”, Deloitte University Press, New York, NY.
2. “Playbook: Enterprise Risk Management for the U.S. Federal Government”, 2016, https://cfo.gov/wp-content/uploads/2016/07/Final-ERMPlaybook pdf. Page 6.
3. BradfordBorough Council Risk Management Strategy, 2017, H://Bedford%20borough%20council%20u%20risk%20management%20strategy.pdf.page 8.

Bio

James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager.  He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality in government and risk analysis. jeffreyk12011@live.com