Federal risk officers face an uphill battle getting their agencies to take certain dangers seriously. But collaboration, a culture of transparency and intertwining Enterprise Risk Management into existing projects can make a difference.
The Office of Management and Budget updated Circular A-123, also known as the Management’s Responsibility for Enterprise Risk Management and Internal Controls, two years ago. It introduced a governmentwide risk management program. One of the major changes was that OMB wanted agencies to use internal controls across all facets of the agency, not just for financial management.
A panel of risk leaders from the Veterans Affairs Department, Bureau of the Fiscal Service and Treasury Department shared their experiences and advice for implementing ERM at the Internal Control and Fraud Prevention Training on Thursday, hosted by the Association of Government Accountants.
Thinking back over the past two years, John Basso, Veterans Affairs Department deputy assistant secretary for Planning and Performance Management, said the risk profile ended up being important for his agency. It acted as a deadline and allowed staff to “dig into” different operating units’ risks.
“Prioritizing was really important for us,” Basso said. “There’s so many risks out there that unless you can put them into logical portfolios and prioritizing them, it was hard for senior leaders to see what to do. And that was really the next lesson — it’s great to have a risk profile, but if you can’t give your senior leaders some actionable things to do to mitigate their risks, to reduce them … they wonder where the value really is.”
As a result, he said staff has worked to be specific about VA’s risks and why they are important.
At the Bureau of the Fiscal Service, collaboration has been a critical component in ERM.
Chief Risk Officer Montrice Yakimov said she was warned when she started using ERM that she would be seen as a “virus” introducing change, but the first ERM profile her team produced was done by talking with multiple levels of leadership.
“Know the folks at multiple levels in your organization that are the risk owners, that are going to be leading the charge with the risk mitigation strategies,” she said. “Do walkabouts.”
She said the first framework they built had a common taxonomy — using the language of the agency rather than “high-risk speak”— so as to compare apples to apples, and that the first risk assessment was data-driven. She also recommended risk managers ask themselves how they can add value or drive the perception that ERM is valuable to the organization.
One of the best strategies, according to Kenneth Phelan, acting director of the Treasury Department’s Office of Financial Research, is to figure out what is already happening and find a way to embed ERM. Even with a simple request to list their top five risks, what was the likelihood of each and what was being done about it, each mission area found it to be a challenge, he said.
“And that became a key point of conversation at our performance reviews,” he said. “And what was very interesting early on is that when they talked about their risks and then they went on to talk about their projects that they were working on, there wasn’t much of a connection between the two, which looked like a huge disconnect.”
He said things improved over time but looking ahead, Phelan wants ERM to be a part of Treasury’s five-year strategic plan. The stage of ERM is measuring risk appetite, but federal government is not always good at planning ahead that way, he said.
And although he recommended the ERM playbook as a guide, he said the document lacks a discussion of risk appetite.
When it comes to developing a culture of risk management, the panelists said it behooves leaders to consider what type of behavior that is rewarded and when people raise their hands with concerns, do not swat them away.
Coming from VA, Basso said reputational risk is also important at the leadership level. The agency decided to compare risks brought internally to those levied externally, either from the inspector general, media, Congress or other sources, he said, and made it part of the ERM prioritization scheme.
“We’re in the news a lot,” he said. “It’s a big deal. Every time we’re in the news it’s almost certainly true but it’s almost certainly smaller than what the news makes it look like. But we have to be able to do is figure out how to get ahead of that and reduce those problems that are happening because once they happen, there’s a lot of institutional energy that goes into trying to put out a fire.”