In 2023 the Federal Enterprise Risk Management and Guidehouse 9th Consecutive survey of 52 federal agencies was published. (1) The survey was conducted from July 24 to September 2023. Sixty-two percent of the respondents had some Risk Management Function. Seven percent had Finance, Budgeting and Accounting responsibility. In terms of position, nineteen percent were from the Senior Executive Service (SES). Eighty-four percent were non-SES. This piece looks at key survey questions and the responses. Where possible the 2023 and 2022 responses are shown side by side.
Maturity Level
Given that this is the 9th annual survey, it is important to understand the maturity level of the federal ERM program. The respondents were asked the following question. Which of the following best characterizes the maturity level of your organization’s ERM program?
Table 1 shows the responses.
Benefits of ERM Program
Respondents were asked to identify the benefits of the ERM program. Table 2 shows the results.
Manage Risk Exposure
Understanding the level of maturity and the benefits is fine, but when the rubber hits the road, how well is the organization managing its risks. Respondents were asked the following question. How well does your organization manage risk exposure in the following areas? (Five-point Likert scale.) Table 3 shows the responses.
Barriers to ERM Program
Respondents were asked the following question. Which barriers does your organization face in establishing a formal ERM program and how significant are those barriers? Please select the appropriate rating for each. Table 4 shows the results. The question only related to 2023.
Impactful Improvements
The respondents were asked to identify the most important impactful improvements that could be made to improve ERM. The results are presented in Table 5 below.
Risk Appetite
Turning to aspects of the ERM approach. Respondents were asked about the organization’s risk appetite and when the risk appetite was last updated. The responses appear in Table 6 and 7 below.
Respondents were asked to look into the future and identify the most significant risks for the next three years and risks that need to be added. Tables 8 and 9 show the response.
Risks in Next 3 Years
The top three risks anticipated in the next three years.
Risk to be added.
The Risks which respondents felt needed to be added to the list are below.
Discussion
The survey results provide some insights into the progress and issues facing the U.S. governments ERM implementation process. After nine years, 73 percent of the agencies have a mature ERM process. Thus, ERM is firmly established in the U.S. Federal government.
The ERM process has helped improve decision making, reduced decision making in compliance activities and helped prevent adverse impact events. It has also helped manage finance, compliance, operational and strategic risk exposure.
The biggest impediments to ERM implementation are Bridging silos across organizations. This is followed by Resistance to change and Management support.
In terms of the most impactful change that is needed to implement ERM, Management buy in is top. Followed by a defined risk appetite and the need to align resource allocation with ERM process.
In most agencies management has indicated their risk appetite and updated it within the last three years. However, 32% do not feel it has been well transmitted throughout their agency.
Technology change is the greatest risk identified for the next three years. This concern increased six percent over 2022. The second highest rated risk at 46%, a decrease of thirteen percent from 2022. The third highest risk, Geopolitics increased four percent from 2022.
With respect to risks that need to be added, Cybersecurity, Supply Chain and Public Infrastructure failures can all be impacted by technology risks. Further, the issue of recruitment and retention can also be linked to technology risks because government at all levels lack the professional talent to adequately keep up with the speed of technological change. This is particularly true for the increasing need for Artificial Intelligence (AI) Risk Management experts. AI is currently, even more so than cybersecurity, a highly specialized technical field, with few top-quality professionals. These professionals, like the cybersecurity professionals, are in demand. Thus, governments at all levels, must compete with the private sector for their services. The problem is the private sector can almost always offer higher wages and better benefits. Consequently, recruitment and retention are a problem.
In summation, the ERM program in the U.S. federal government is well established. The benefits of the program are understood. They are substantive. The problems faced are those that any organization implementing an ERM program will face. Thus, the survey provides helpful information. Finally, as federal agencies increasingly become comfortable with the ERM, the ERM process, given the perceived benefits, will become part of the rules, program requirements and contracts associated with obtaining federal dollars.
Endnote
- Federal Enterprise Risk Management, 2023, Federal Enterprise Risk Management and Guidehouse 9th Consecutive Survey, https://analytics.guidehouse.com/ERM/ERMSurvey2023html.
BIO
James J. Kline has worked for federal, state, and local government. He has over ten years supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon. He is the editor of “Quality Disrupted’ which is available on Amazon.