Agencies are managing their enterprise risks to drive decision making in a much more integrated and strategic way. That’s one of the most significant trends in the 8th annual federal enterprise risk management survey.
The Association for Federal Enterprise Risk Management (AFERM) found, however, that ERM is far from institutionalized.
Marianne Roth, the chief risk officer for the Consumer Financial Protection Bureau and the president of AFERM, said while the use of ERM is accelerating across government, there are continued challenges to push these concepts further into an agency.
“I think that you’ve seen greater buy-in for ERM across the board. You see much more advanced analytical activities and analytical abilities in ERM programs,” Roth said on Ask the CIO. “You also see a lot more integration of the ERM function across other key operational areas in the organization, like alignment with the strategic plan, aligning with budget, aligning with cybersecurity and all of those things. I think these significant changes really demonstrate how ERM is becoming part of the way agencies just do business rather than an added responsibility or something that is not as valuable for their overall objectives.”
The 2022 survey included 62 federal agencies, 16 of them cabinet agencies, and half of the respondents identified as chief risk officers or as working in the ERM office. It found 85% of all respondents said they had an ERM program and 83% said they have been practicing these principles for at least three years.
Where the survey really demonstrates the buy-in that’s happening is around how ERM is used across the entire agency’s mission. A strong majority of the respondents (70%) said their organization’s ERM program encompasses a holistic view of mission and mission support functions. This is up from 68% in 2021.
“The longer that you have to do something, the more you can move into what I would call more sophisticated activities around ERM, rather than some of the foundational aspects of setting up a program, developing principles,” said Kate Sylvis, an enterprise risk management practice leader at Guidehouse, which co-sponsored the survey with AFERM. “You’re running enterprise risk assessments, and now we’re moving into that integration, or how do you use all of the data that an agency has in order to do better data analytics and look at key risk indicators, key performance indicators. How does that derive your decision making? I think the duration and the maturity of some of the ERM programs are helping to drive some of the changes that we’re seeing around integration, around some of these more sophisticated aspects of ERM.”
Of course, the survey also showed that agencies are not investing enough resources, people or money into their ERM practices, as 65% of the respondents said overall their budget has stayed the same over the last year. That is a 10% increase over what the respondents said about their budgets in 2021.
Sylvis said that despite resourcing challenges, the use of ERM to manage and understand risks is one of the biggest surprises and highlights of the survey.
In 2022, 18% of respondents, more than double the number in 2021, said their organization has a defined risk appetite statement, and that it is communicated throughout the organization and integrated into strategy and decision making.
Sylvis said she is seeing this in practice as leaders spend time with their executive risk committees to do resource tradeoffs based on risk to their objectives.
“When I talk about risk appetite with them now, it’s about what types of risks are you going to take in order to achieve those objectives? Not only what risks are you trying to avoid to keep you from not meeting those objectives, but what do you actually have to take from a risk perspective?” she said. “We don’t often talk about risk taking in the federal government. We tend to be extremely risk averse. But there are a lot of really big challenging complex objectives that the administration wants to achieve, and I think we have to talk about what risks we’re willing to take in order to achieve those big complex objectives because we’re not going to be able to do it if we have a completely risk averse approach.”
Roth added agencies not only have a better understanding of their risk appetite, but see it as creating guardrails to operate within as they are addressing their ever-changing mission environments.
Bring all data together
With agencies understanding their risk appetite and running maturing programs, Sylvis said survey respondents once again named enhanced management decision making through the use of data as the biggest benefit of ERM.
“In my experience in working with clients, it is one of the key challenges in moving down a path of key risk indicators, advanced data analytics, determining whether or not you can use something like natural language processing, machine learning or artificial intelligence in order for you to really understand how some of the risks are showing up in your organization,” she said. “It’s the ability to bring all of these different data pieces together and attempt to feel the heartbeat of the organization.”
Roth added the big challenge for a lot of agencies when it comes to data is availability, reliability, integrity and usability.
“I think that one of the challenges is, first of all, identifying those data sources and ensuring the data elements are reliable,” she said. “You also have to leverage what’s in place so that it becomes a natural integration into the agency’s operations, rather than creating a plethora of new metrics that are specific to ERM, but are not meaningful to the process owners and to the decision makers in the organization.”
Roth said tackling the data challenges means creating a strong connection between the chief risk officer and chief data officer.
She said at CFPB, their operations are so heavily dependent on data that having a high level of data integrity is mission critical. The CRO and CDO partnered on the risk mitigation strategies to help create that successful ERM program.
“I really think that, again, is that integration, not only with the CFO but with your chief data officer, with your CIO, with your human capital officer and your procurement officer across the C suite. I think that is critical to bringing your ERM program forward to continuing to make sure you’ll be able to really influence decision making as intended,” Roth said. “We really need to expand the type of thought leadership and training that we provide to our members so that it’s more focused on what an executive level ERM practitioner needs. For many years, a lot of our training was really focused on the fundamentals, like how do you build a risk profile? How do you set a risk appetite? How do you do all these basic type of things, these core elemental, fundamental elements of an ERM program? I think what we need is to go more toward how can we support executives when they’re having those conversations. Now, what are the things that you need to think about so that you can raise these issues effectively with your leadership, and how can we influence non-ERM leaders to think about things from an ERM perspective, whether that be integrating with trainings that those new leaders receive or thought leadership and finding ways that we can really meet the needs of chief risk officers and heads of your own programs?”