The Association for Federal Enterprise Risk Management (AFERM) survey showed 66% of all respondents said their ERM program is led by a chief risk officer.
Agencies are required to use enterprise risk management approaches in their planning and budgeting. Despite the eight-year-old mandate in Circular A-123 from the Office of Management and Budget, a new survey highlights why certain agencies are more successful than others.
Jason Bruno, the director of the Office of Strategic Oversight and Performance and chief risk officer at the Department of the Interior’s Bureau of Trust Funds Administration and the president of the Association for Federal Enterprise Risk Management (AFERM), said it’s clearer than ever what it takes to manage agency risks at the enterprise level.
“What we found was that organizations that incorporated ERM, or risk management, into the performance plans for their Senior Executive Service members (SES) or equivalents were among the highest performing scores. Along with that were organizations where the ERM program lead reported directly to the agency head or the deputy of the agency,” Bruno said on Ask the CIO. “So what that tells me is that where agencies are taking proactive measures to take ERM seriously, it’s working, and those agencies are performing well.”
The 2023 AFERM survey showed 84% of respondents said their organization has an ERM program and 66% said their program has been in place for at least five years. Additionally, the survey showed a 20% increase to 66% of all respondents who said their ERM program is led by a chief risk officer.
Bruno said with each year of the survey, now in its sixth, AFERM sees more money and resources going to ERM, including 38% who say they have at least 11 people working on risk management on a full-time basis.
“We’re seeing that organizations now are reporting that their ERM programs have been established for longer periods of time, and we’re finding that the ERM program leads generally are spending at least 50% of their time on ERM activities, rather than ERM being one of many activities that the lead is responsible for,” he said. “It’s having benefits. Those organizations where the ERM spends at least 50% of their time directly on ERM activities are scoring much higher than those who don’t.”
Kate Sylvis, an enterprise risk management practice leader at Guidehouse, which supported the AFERM survey, said the survey results tell a good news story about ERM in many ways.
She said with 83% of the survey respondents having an ERM program in place over three years, it’s clear the foundational aspects of this methodology are in place. Sylvis said that means agencies have the opportunity now to do some of the harder things with ERM.
“Those are the types of things like integrating their ERM programs and ERM thought with all of their management processes, and having conversations about risk appetite, or how much risk they’re willing to take or trade off as they’re trying to pursue their objectives,” she said. “If you look at the four markers of integration with management processes, the means for those four processes have been going up every year. This year, only one of those processes reverted back a little bit, but not much that it’s statistically significant. So we see that trend of increasing integration across all the management processes. We saw an increase in the number of organizations that have either implemented a risk appetite statement, have used that risk appetite statement or are considering using a risk appetite statement. And that is, that’s a big deal.”
Sylvis said understanding and applying a “risk appetite” to decision making is a more advanced concept for many organizations. She said the fact that more agencies are able to quantify risk and decide how much to accept demonstrates the continued maturity of ERM.
The survey found that more than 90% of the respondents indicated that their agency updated its risk appetite statement within the last three years, and over 60% of the respondents indicated that their programs plan to increase their focus on risk appetite over the next 12 months.
Bruno said it’s clear that across the government, agencies are putting a higher focus on risk appetite statements as a way to communicate these challenges throughout their organizations and as a way to integrate them into their strategy development and decision-making processes.
“What that shows is a maturation of ERM programs and how seriously people take it. We’re talking about mitigation strategies for risks,” he said. “In my organization, we formalized our ERM program probably about five or six years ago by developing a risk governance structure, a senior risk council and a senior assessment team that are there to assess risks. As we have matured, we’ve gone from just having a risk register that lists all the risk and a risk profile that talks about the treatments or the mitigations of the risk to really incorporating the concepts of what to do about those real world risks with the conversations about risk appetite.”
Sylvis added that for a lot of organizations in both the public and private sectors, this means moving from a theoretical to an intellectual exercise. More mature agencies are aligning their strategic objectives through their mission and customers and all underlying risks associated with those areas.
She said organizations are asking a lot more questions around:
“I can move those conversations around that strategic objective around that risk appetite and what I’m willing to take on that really hits at the business and the mission that the senior executives like, they can dig their teeth into those because it makes sense and it’s a real decision making conversation,” Sylvis said.
Sylvis said the survey results continue to demonstrate where the challenges to ERM still lie.
One area is the continued gap between the perception of risk and what management is doing about risk. She said many times the perception of risk is much lower than what management is doing about those specific risks, which tend to fall into one of five categories: business continuity, financial risk, compliance, reporting and fraud.
“That mismatch is an opportunity for organizations to say, ‘Am I over controlling this? Do these activities that we’re taking are they more than my residual risk appetite actually is for these particular risk types?’ I think those are questions that we need to ask ourselves and not just a business processes as usual, particularly as we look at budget constraints that are going to become more and more prevalent,” she said. “We have to look at programs and say, ‘Is there a way that we can maintain this program with the same risk profile? Or should my risk profile for this program be different so that I can release capacity, move resources to another area that needs them, so that our agencies can really build resilience in and be able to function in the event of more budget cuts, which I do think is a possibility to come?’ These five risk areas are the start of that, and I think building the capability to look at our processes from that perspective is something that will benefit us as a community down the line.”
Bruno said while the survey showed continued maturation of ERM programs, the pace remains slower than it needs to be. He said more agencies would benefit from formally designating a specific person as a chief risk officer versus dual-hatting that responsibility with someone in the CFO or other office.
“I get a lot of calls from people and agencies who are saying, ‘I’d like to get an ERM program off the ground. Do you have some recommendations for me? Can you walk through how you created your organization?’ I just talked to someone who wanted to get their ERM program off the ground, has only about 30 employees and it’s really hard to have a dedicated ERM or CRO professional who only does CRM when your entire office is only 30 people,” he said. “In situations like that, one of the things about ERM that I really like is the ability of risk leaders to change things up on the fly. One of the things that I tell the risk management analysts under me and my office is that going by the book is fine, and it’s a great start. But you got to break away from the by-the-book implementation of ERM because some organizations have 30,000 people like the CRO for the Department of Interior and some are much smaller. So the way you perform risk management is quite different from the way the CRO or the Department of Interior performs risk management.”
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.