Are agencies implementing enterprise risk management?

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Federal agency managers often talk about risk management, such as when allocating resources to cybersecurity. An enterprise approach to risk management is required under the venerable Office of Management and Budget circular A-123. That’s helped push ERM down into agency practices. The Partnership for Public Service and Deloitte studied the degree to which ERM has sunk in and how far agencies have laid the groundwork. For more, Deloitte’s Managing Director for Enterprise Risk Management, Cynthia Vitters spoke to Federal Drive with Tom Temin. Read more information here.

Interview transcript:

Tom Temin: Good to have you back.

Cynthia Vitters: Thanks. Good to be here.

Tom Temin: So there seem to be two kinds of issues here. One is agencies know what risk management is and it happens at the program or bureau level, but they’re not quite there yet at the enterprise or department wide or even government wide level. Tell us what you were looking for with the partnership and what the status of things is at this point with respect to ERM?

Cynthia Vitters: When we go back in time since 2016, the Office of Management and Budget put out a requirement asking federal agencies to implement an enterprise approach to risk management. And I think that at the time that the circular came out, there was a lot of realization that it would take time. It’s a cultural change and the change management initiative and to really build that into the fabric of an organization would take a while. And I think that, you know, what we found in our study was that a lot of great progress has been made the basic requirements of the circular that require agencies to develop risk profiles, build governance structures, consider implementation plans and roadmaps. Many, many agencies they’re doing that, they do have profiles that they’ve put in place. And what that is, is, it’s a list of the most significant risks that could prevent an organization from achieving its goals and objectives at an enterprise level, and how significant and likely those risks are and how they’re being mitigated. We’ve also seen a lot of momentum continue with the Office of Management and Budget developing an executive steering committee to continue to push progress forward. And even the council of inspector general’s issuing an OIG guide to assessing ERM. So you know, that’s kind of where we’re at with a current state. But what we also found is that there’s still a lot of progress to be made, whereas those initial requirements have been met and those foundational elements seem to be in place, there’s a lot more that can be done to build on top of those foundational elements to really drive risk information into the fabric of an organization and into leaders decision making processes, when they’re making decisions about resourcing, and budgeting and strategic planning and overall performance. And those were some of the overarching goals that the circular did have in place.

Tom Temin: Sure. So let’s back up for just a minute though. If you take an agency and it’s really a portfolio of submissions, and you take an agency like Health and Human Services or Transportation, they’ve got this big bundle of vertical types of missions that they have, if each one of those missions, each one of those bureaus, however you divide it, has good risk management in place for its own delivery. Does that by itself add up to ERM because what’s left after all the programs?

Cynthia Vitters: Great question. And when you really think about enterprise risk management, it’s taking a number of different risks across the entire enterprise. And many of them may be similar in the different bureau areas, and bubbling them up to look at them from an enterprise perspective and also think about developing enterprise wide risk mitigation plans that might end up being a lot more streamlined, logical and better use of resources and trying to implement them. And I think that you’re raising a point that gets at some of the challenges that still exists is government has been a sector that has been very proactive and understanding risk management, but often from a very siloed perspective. And it’s interesting, one of the points that we did find in our study was that that is a challenge that still remains is getting out of the siloed approach and looking at things from an enterprise perspective.

Tom Temin: And so I’ll play my own devil’s advocate here then, probably a good example of an ERM is, gosh, I’m transportation, I’ve got 50 different missions — what if nobody could get to the transportation building downtown or anywhere else we have facilities, such as in the pandemic?

Cynthia Vitters: That is a great example of an enterprise issue that has surfaced as of late. I think another great example of an Enterprise Risk issue that, you know, we’re seeing all of our federal agencies dealing with is how does each individual agency approach reopening coming back to work and what will that look like in this post COVID-19 environment, a lot of conversations around how that might get rolled out from an enterprise perspective versus in an individual siloed perspective. You know, just another example of looking at it from an enterprise perspective.

Tom Temin: Earlier you said that a lot of pieces of the groundwork has been laid for ERM. What do agencies have to do next that you find?

Cynthia Vitters: So we found a number of things that I want to bring up. One is that there were three themes of ways that agencies could continue to advance and build off of the foundational elements that they had already set in place directly from the requirements of the circular. I’m continuing to encourage buy in from leaders and stakeholders, helping them to really understand what risk management is, enterprise risk management, and bring them along on the journey. The more that leaders, key leaders and executives see value in enterprise risk management, the more they’ll be interested in supporting it further. Another thing that we saw was that there’s a lot of advancement that’s happened around developing risk appetite and tolerance. And that is all really about figuring out how much risk are you willing to take on in order to meet your goals and objectives. So not just understanding what your risks are, but then really thinking through how much risk are you willing to take to get where you’re trying to go. Another example that we found or another instance was integrating ERM with other management functions. It’s a concept that agencies have started to embrace and build off of, but it’s a place where we see that more work could be done. And that’s all about taking the risk information that you have learned and gained from your profile and sharing it with places like strategic planning offices and budget offices, so that you can use the risk information to make more informed decisions about budget performance and strategy. So those were some of the places we found that we could advance the topics, but then we also found some specific recommendations that we want to make to help agencies continue to drive forward and continue to advance their overall maturity of their programs, just to run through them quickly. The first is push don’t pull risk information. In the early years of implementation risk managers were constantly asking what are your risks, tell us what you’re worried about, what keeps you up at night. We want to get to a place risk managers are thinking proactively about, hey, have you thought about this risk that could really derail your organization or there’s something that you might want to be better prepared for. The second recommendation that we’re making to advance ERM is increasing the use of data and analytics. We’re at a point where not only should you have identified risks, but really support those risks that better understand the magnitude of them by putting some hard numbers and quantitative analytics right behind them. The third recommendation that we had was around emphasizing risk response and strengthening overall preparedness. And I think that there’s no better time to think about this concept of being prepared for a risk event or crisis than right now. I think you find many agencies are looking at their profiles and saying, did we have the right risk response in place? Did we need to do more? So there’s really an opportunity right now to really focus on risk response focus on whether your plans are working, use them to better plan for the next crisis. Consider scenario planning, consider all the ways that you can be better ready and better prepared. The fourth item was integrating ERM at an enterprise and program level. You know, you raised a little bit of that at the beginning of the interview. And then the last one, that really focal point of the report, I think, is this concept of using a risk profile to aid with transition. And when we think about transition, we think about political transition changes in leadership at all different type of levels of the organization. You know, when you think about our risk profile, it’s a nonpartisan, non political view of what are the things that could go wrong in your agency and how well are you ready to respond and be prepared for those things to happen It’s a great document to consider is the first page of a transition briefing book to help new leaders coming in really look at you know, where they’re at in the organization. So really want to focus on that as a final recommendation in the report.

Tom Temin: Let me just ask you this. You mentioned earlier risk tolerance. How can you get agency managers, whether senior career people or appointees, to increase their tolerance for risk because nobody was ever rewarded for losing a bet on risk?

Cynthia Vitters: You know, I don’t know if the goal is to have them increase their risk tolerance, but rather really understand and embrace the concepts of risk appetite and tolerance, and understanding the importance of finding that sweet spot in between taking on too much risk to meet your objectives versus not enough. I think a great example right now of this concept of risk appetite and tolerance, is thinking about how the federal government has very quickly been asked to get stimulus funds out the door to individuals across the country. You know, in order to meet the objectives of that, the funding had to go very quickly, and that was a lot of risk based decisioning. Does it happen too fast, were enough controls are response plans put in place? You know, I think it’s finding that sweet spot between what do you need to do to meet your overarching objective, how many controls do you need to put in place or mitigation strategies, is it enough, is it too little? And I just think embracing those concepts and actively thinking about them is where we want to get our federal leaders to be.

Tom Temin: Cynthia Vitter is the managing director for the enterprise risk management practice at Deloitte and former senior advisor at OMB. Thanks so much for joining me.

Cynthia Vitters: Thank you.