The Government Accounting Standards Board (GASB) on June 20, 2022, issued an exposure draft on the disclosure of certain risks. This piece examines the requirements and problems.

Government Accounting Standards Board

GASB is an independent private organization formed in 1984.  It has the two primary responsibilities. One is to establish and improve the standards of state and local government accounting. The second is to educate stakeholders – issuers, auditors, and other users of financial information, on how to best understand and use financial reports.

With these responsibilities in mind, GASB issued “Certain Risk Disclosure draft” for comment. It is predicated on the understanding that “state and local governments face a variety of risks that could negatively affect the level of service they can provide and their ability to meet obligations as they come due.” (1) The draft requires that certain of these risks be reported in the organization’s annual financial statement. The effective date of the requirement is June 15, 2023.

Risks to be Reported

Because the number of risks state and local government face are many, GASB is limiting the reporting to risks that fall into two categories, concentration, and constraints. GASB defines each as follows.

Constraint is a limitation imposed on a government by an external party or by formal action of the government’s highest level of decision-making authority.

Concentration risk are those that create a lack of sufficient diversity related to an aspect of a significant revenue source or expense.

The draft provides examples for each type of risk. They are presented below.

Constraints

1. Limitation on raising revenue
2. Limitations on spending
3. Limitations on the incurrence of debt
4. Mandated spending

Concentration

1. Principle employers
2. Principle industries
3. Principle resource providers
4. Composition of principal inflows of resources
5. Workforce covered by collective bargaining agreements
6. Supplier of material, labor, or services

When the organization feels that identified risks fall in the appropriate categories, GASB specifies the criteria that must be met for disclosure in the financial report.

Disclosure Criteria

The organization should disclose the risks if all the following criteria are met. These are:

• A concentration or constraint is known prior to the issuance of the financial statements.
• An event associated with concentration or constraint has either occurred or is more likely to occur within 12 months of the financial statement date.
• It is at least reasonably possible that within three years of the financial statement date, the event will cause a substantial effect on the government’s ability to 1) continue to provide services at the level provide in the current reporting period or 2) meet it obligations as they come due. (2)

Once these criteria are met, the risks and associated information are to appear in notes to the financial statement.

Notes to Financial Statement

The notes to the financial statement are to include the following information.

• A description of the concentration or constraint.
• A description of each event associated with the concentration or constraint including the following information:

1. The event either has occurred or is more likely than not to begin to occur within 12 months of the financial statement date or shortly thereafter.
2. It is reasonably possible that within three years of the financial statement date, the event will cause there to be a substantial effort on the government’s ability to a) continue to provide services at the level provided in the current reporting period or b) meet it obligation as they become due.

• A description of actions taken by the government prior to the issuance of the financial statements to mitigate the substantial effect. (3)

Because this is an exposure draft, the process is not yet set in stone. However, given the work that has gone into the development of this reporting requirement, the concrete is drying. Before it dries, it is worth making some observations on possible problems.

Observations

Not Consistent with International ERM Models

GASB is to be commended for tackling the issue of risk management. The inclusion of a description of actions to be taken to mitigate the identified risk is an important step. GASB also uses a definition of risk which is at least partially consistent with that used by the two international Enterprise Risk Management (ERM) models – ISO 31000:2018 and COSO ERM. That definition is an event which could negatively impact the accomplishing of the organization’s objectives or goals. Beyond this, there are some issues. The most important is that GASB’s approach to risk identification does not align well with that used in the ERM models. While the idea of constraints and concentrations are not inconsistent, the ERM model identification process is broader and requires a rank order. It is broader in that all potential risks are listed, not just those falling into the concentration or constraints categories. Once identified, the risks are evaluated, scored, and then ranked.

GASB’s approach to ranking is to use the term “most likely” to occur. With “most likely” being defined as a 50% chance of occurring. GASB’s approach to risk scoring is broad and vague. Further, it does not allow for either scoring or ranking. Two things the international models encourage. And because it is so broad, it cannot easily be audited.

There are numerous approaches to risk scoring. Scoring which allows auditing. The most used approach by governments worldwide is the heat map. Most heat maps contain four or five gradients. On the horizontal axis is probability. This is the probability that the event will occur. While the vertical axis is the impact. The impact is the estimated cost or damage caused by the adverse impact of the risk event.

An example of gradients used is from the Vale of Glamorgan Council in Wales U.K. heat map. (4) Table 1 are the Financial Impact gradient. While Table 2 are the probability gradient.

The Glamorgan Council has specified the financial values which guide the risk rating. They have similarly done so for the probability. Their gradients are more detailed than that proposed by GASB. Further, the validity of the risk scoring can be audited using these gradients.

The risk score is determined by combining the values of the impact and probability.  Based on the score the risks can be prioritized. The prioritized risks are listed on a risk register according to their score, highest to lowest.

Using Glamorgan’s approach, a risk can be very unlikely at 1, but have a Catastrophic impact at 4. Thus, the risk score would be 4. Similarly, a risk could be Almost Certain at 4, but be rated Less than £50,000 at 1 for a score of 4.

On the risk register both would be rated the same. It would be up to management to decide whether they want to accept the risk, pass it on to another agency, or take concerted actions to reduce the adverse impact.

Under the international models all risks, scores and mitigative actions would be listed on the risk register and presented to the governing body and citizenry. Under GASB’s approach it is unclear which of the two to report? Given the emphasis on concentration and constraints and the examples provided, it appears that neither would be reported. The second has a minimal financial cost, while the first has a low probability. But let’s add a real-life example of the first risk.

Problem Three Year Forecasting

Several years ago, the City of Houston Texas was hit by a third consecutive one-hundred-year flood. The damage to infrastructure and the economy was substantive.

Now consider that you are to use the GASB approach after the first event. It is known that the impact was substantive. Reporting it for that fiscal year would be appropriate and no problem. The dollar cost can be estimated.  However, knowing that the event was considered a one-hundred-year event and thus not likely to occur for another ninety-nine years, should it be reported as a potential future event in the next three years?

This three-year crystal ball forecasting by government officials is problematic. If the Houston city officials examined the past records trying to find the number of times a one-hundred-year event occurred back-to-back, few, if any, would likely be found. The probability of a second one-hundred- year flood occurring would be very low. Three years in a row, the probability would be almost negligible. Yet, it happened.

The issue is not that these events can be costly and are worth reporting, but that forecasting their occurrence is problematic. Another example is Ransomware attacks. Ransomware attacks are frequent problems for governments around the world. That being said. Please forecast the next Ransomware attack. What governments will be attacked within the next three years?

When such an attack will occur is not in government’s control. The attackers select the target and when to attack. The best that governments can do is protect against such an attack. The risk is an attack. If the mitigative efforts are not effective, then like the City of Atlanta Georgia, which was attacked on March 22, 2018, the cost can be substantive. It cost the city an estimated $9 million to correct the problem.

Reputational Risk

Another issue which does not fit well in either the constrain or concentration category is Reputational risk. Reputational risk is one which many local governments around the world have listed in the risk register. Glamorgan’s Reputational risk gradient, for instance, goes from “Increases in Complaints” on the low end, to “Intervention by external regulators” on the high (Catastrophic) end. What dollar value does one put on a decline in reputation?

This is not an inconsequential question, as exemplified by the city of Portland Oregon. The city for years has been known as the City of Roses. The independent candidate for governor calls Portland the City of Roaches. This is because of the number of homeless in the city. This author calls Portland the city of riot, and ruin.

Daily, for about six months, there were attempts to burn down the federal courthouse. The district attorney at the same prosecuted a member of the riot control unit. This was done even though a standard review board found his actions were consistent with required training. The result was the resignation of the entire unit. At a time of continual riots, the riots continue to this day, the city does not have a trained response unit. This problem is compounded by the reduction in police funding, early retirements, and the inability to attract new police officers.  Crime is increasing.

Portland residents are negatively impacted. For instance, friends were waiting in the queue to make a left-hand turn. Two cars turned onto their street. The first car smashing into a car in the queue. The occupants of the second vehicle fired on the first vehicle with semi-automatic weapons. The occupants of the first vehicle returned fire. The occupants of the first vehicle were wounded. The second vehicle sped off. It took the police ten minutes to respond.

There is one more problem worth mentioning. This is inconsistency with existing ERM trends.

ERM Trends

As noted earlier, the GASB approach to risk identification is not consistent with international standards. These standards are being used by federal, state, and local governments around the world. (5)

But equally important, the requirements do not appear to be in sync with the federal government’s risk management emphasis. In CERM Insights #377 and #378, the Biden administration’s ERM push via executive orders and the proposed Environmental Risk reporting requirement issued by the Security and Exchange Commission (SEC) and the Federal Deposit and Insurance Corporation (FCIC) were discussed.

Executive Orders M-22-04 and M-22-12 are designed to improve the coordination between operational staff and their Inspector Generals in the identification of risks that can negatively impact strategic goals.  These orders reinforce OMB’s Circular A123 ERM mandate.

While the executive orders are designed for federal agencies, several agencies have risk management guides or directives which impact either state and local governments or the private sector. The National Institute of Standards and Technology (NIST) has issued both a cyber security guide and a cyber security supply chain guide. The target audiences are state and local governments and the private sector. Both guides are based on an ERM approach. Both are designed to be plugged into the organization’s ERM process.

The Food and Drug Administration has issued an industry guide to assist with the development of risk management plans to mitigate the potential for drug shortages. In addition, the SEC and the FDIC are proposing rules which would require regulated organizations to report climate related risks which would have a material impact on business operations and their financial statement.

What makes these federal actions important is that GASB’s risk management approach seems out of sync with the federal government’s risk management approach.  The federal approach is enterprise wide and guided by “Playbook: Enterprise Risk Management for U.S. Federal Government”.  The Playbook is consistent with ISO 31000:2018 and COSO ERM.

While it has yet to be seen how GASB’s rule will play out, there is the potential for conflict between GASB’s rule and federal requirements. Since the federal requirements are consistent with international models, conflicts could reflect badly on GASB and damage its reputation.

Endnotes

1. Government Accounting Standards Board, 2022, Certain Risk Disclosure draft”, June 20, page iii, https://www.gasb.org/info/exposuredocuments
2. Ibid page 2.
3. Ibid pages 2-3.
4. Kline, James, 2019, Enterprise Risk Management in Government: Implementing ISO 31000:2018, pages 145-46. Available on Amazon.
5. Kline, James J., and Greg Hutchins, 2019, Auditors, Accountants and ERM, Journal of Government Financial Management, pages 33-37.

BIO:

James J. Kline has a PhD in Urban Studies from Portland State University. He is a Certified Enterprise Risk Manager. He has worked for federal, state, and local government. He has consulted on economic, quality and workforce development issues. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He edited the book “Quality Disrupted”. It is also available on Amazon. He can be contacted at jamesjk1236@outlook.com