This is the sixth survey on the status of Enterprise Risk Management (ERM) in federal agencies. The survey was conducted by the Association of Federal Enterprise Risk Management (AFERM) and Guidehouse (1). The survey covers 37 federal agencies, including 15 cabinet agencies. Of the respondents, 14% have more than 50,000 employees, 22% have 10,000 – 50,000, 42% have 500 – 10,000 and 21% have fewer than 500 employees.
With respect to the individual respondents’ positions, 50% were Chief Risk Officers or individuals who had an ERM function, 11% had another risk management office function, 11% were in a mission, program, or operations function and 10% were other. In terms of grade levels, 13% were Senior Executive Service or equivalent, 39% were General Schedule (GS) 15 or equivalent, 30% were GS 14 or equivalent, and 15% were other GS levels.
Given the breadth of the survey, it can be considered informative about ERM’s application. The results can be broken into four broad areas: Barriers, Adoption and Integration, Impact of Covid-19, and Top Risks and Mismatches.
Basic Conclusions
Barriers
Respondents identified the top three problems in implementing ERM. They were:
- Bridging silos
- Rigid culture
- Executive-level buy-in and support
Government agency functions are often siloed by regulation and activity, such as accounting and human resources. As a result, it is often difficult to obtain cooperation between operational silos. This difficulty is reinforced by the organizational culture, which may not always encourage cross-silo communications. Let me use a personal example. I worked for the Oregon Department of Revenue’s Local Government Section. When I started, the section focused solely on Local Budget Law. Several months after I started, Real Property Tax related issues were added. The addition was because an individual in the Real Property Tax section was retiring. When asked for a briefing on the issues he dealt with, he declined, saying it was now our job to administer the law. He did not want to share. Nor had he shared his knowledge in the past. That knowledge provided job security and a sense of unit identification. (As an aside, when the Local Budget Section members were at joint meetings or workshops, we peppered him with questions. Given the circumstances, he had to answer. Since he rode with us to many of these events, we also followed up in the car.)
Another example from the same unit shows how important upper-level management’s involvement is. Towards the end of the fiscal year there was training money left. Not wanting to lose money in next year’s budget, the unit was sent to small group development training. After the training, I and other members of the unit thought we might use some of the techniques provided in the training to improve communications. However, our boss was not interested. His lack of interest was because his boss was not interested. In short, he took his cues from upper-level management.
If upper level management supports something, subordinate supervisors take notice and act accordingly. Consequently, if upper level management encourages the adoption of ERM, it will be implemented. If upper level management stresses interagency cooperation and communication, some of the barriers will come down. In the long run, that will likely result in a cultural change.
Despite these barriers, ERM adoption and integration into the organizational processes has improved.
ERM Adoption and Integration
The adoption of ERM by federal agencies has increased from 77% in 2019 to 83% in 2020. Further, those agencies which have incorporated ERM into the performance plans for their senior executives and have been implementing ERM for more than three years demonstrated the highest level of correlation with successful outcomes.
Looking at the specifics, 50% indicate that their agency was either Highly Engaged or Extremely Engaged in the ERM process. Forty-two percent have adopted a risk appetite statement. Eight percent have communicated the risk appetite throughout the organization and integrated it into the organization’s strategy and decision-making process.
Where the agency has a Chief Risk Officer (CRO), there have been positive changes in the implementation of ERM. One reason for this is that the CRO is uniquely positioned to evaluate the risk conditions the organization faces. In the current environment this includes assessing the impact of Covid-19.
Covid-19 Impact
Prior to December 2019, only 28% of the organizations’ enterprise risk profiles included the possibility of a pandemic or similar global health crisis. For the remaining seventy-two percent, a pandemic was not on the risk radar. Now sixty-four percent of the agencies anticipate implementing changes to their ERM program because of the pandemic. The types of changes anticipated include:
- Focus on business continuity and contingency plans.
- Identify Covid-19 risks and update risk descriptions and risk scoring.
- Changes to the risk assessment process.
- Increase focus on risk response.
- Focus on black swan/disaster risks.
- Focus on resilience.
A review of these actions indicates that Covid-19 has shaken up agencies’ risk management processes. It has resulted in a heightened recognition of a risk’s impact and a need to review the process of scoring risks. This includes a new focus on black swans and disaster risks. This reassessment may change the listing of the top risks and mismatched risks found in the 2020 survey.
Top Risks and Mismatches
The fact that so many federal agencies did not conceive of a pandemic as having a significant impact points to the problem of correctly identifying potential risks. There is also a frequent mismatch between resources/effort spent and identified risks.
The top three risks identified in the 2020 survey are the same as those identified in 2019. The risks are “Cyber Security and Privacy”, “Operational/Programmatic Risks” and “Human Capital Risks”.
The risks are straightforward. Cyber attacks on government systems are now a regular occurrence. Given the information governments collect and retain, the compromise of that information can have a significant adverse impact on the individuals associated with it.
Respondents recognized that Covid-19 has had a significant impact on Operational/Programmatic activities. Even after the pandemic fades, there will still be Operational/Programmatic risks.
Similarly, respondents recognize that there is significant competition for talent, human capital. The pandemic has shut down much of the country and reduced the money available for government activities. Even after the economy opens and businesses start spending, government revenue will lag. Thus, the private sector will have an edge in obtaining the top talent available. There is a risk that government will not be able to obtain the skills needed.
Just as the top three risks are holdovers from 2019, several mismatched areas are holdovers. The mismatches are Compliance Risk, Fraud Risk and Reporting Risk. While these are important risks, they reflect a narrow financial focus. The mismatch arises because significant resources have been allocated to these risks, while their risk scores, when compared with the scores of other risks the agency faces, are lower, and they are likely to have either a lower probability of occurrence or less of an adverse impact.
Conclusion
The 2020 AFERM and Guidehouse ERM survey of federal agencies indicates that ERM is being used across a wide variety of agencies. The top three barriers to ERM implementation identified in 2020 are the same as in 2019. These barriers are: Bridging Silos, Rigid Culture, and Executive-level buy-in and support.
Despite these barriers, ERM’s implementation has increased from 77% in 2019 to 83% in 2020. A key to the success is the presence of a Chief Risk Officer. The Chief Risk Officer is also seen as being particularly well situated to deal with the impact of Covid-19. Covid-19’s impact on federal agencies has resulted in a reassessment of the process used to assess and score risks. Greater awareness of organizational risks is likely to result. This will be particularly true as greater emphasis is placed on assessing the risks associated with black swan events.
Endnote
(1) AFERM and Guidehouse, 2020, “2020 Federal Risk Management Survey”, https://www.aferm-survey-results-2020.com/.
BIO:
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager. He has worked for federal, state, and local government. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He is the principal of JK Consulting. jeffreyk12011@live.com