Two years ago, the Office of Management and Budget made enterprise risk management (ERM) mandatory for federal agencies. Most agencies are complying, often setting up elaborate systems with pages of detailed reports and complex analysis. For some agencies, that is the right approach. But for others, are they getting real value in the form of better management for the agency? Or is ERM just becoming another compliance exercise?
ERM is a wonderful business discipline that, when used correctly, can add serious value to any organization. However, it can be all too easy to miss the forest for the trees when it comes to implementation. Keeping the focus of an agency’s ERM efforts on three goals can make better management through ERM concepts much simpler:
Adding value throughout the organization by developing insights;
Always looking for opportunities to improve;
Designing a governance structure to improve collaboration and accountability, tailored to the agency’s needs and culture.
Probably one of the most available but underutilized ways to gain immediate insights in agencies is through data analytics. Mining your existing data can often be done most effectively by supplementing existing functions with data analysis. Some simple examples include examining employee turnover trends to identify root causes of churn, analyzing payments to isolate risky transactions or tracking information technology and cybersecurity spending over time to predict trending and future needs.
Insights also can be gained by tracking and analyzing political and market trends which could impact your agency’s mission or operations. Trends and external events often can be predicted and planned for, which can move efforts from “firefighting mode” to thoughtful planning and tactical moves to reduce the impact of the event. One way to get started is to dedicate some time, perhaps one leadership meeting per quarter or during a leadership retreat, to a facilitated discussion of larger trends in the political sphere and relevant markets and to brainstorm potential impacts on the agency. This might already be done during agency risk assessments, saving even more effort. Whichever way it is collected the list can serve several purposes, including informing agency strategy, directing research on problems and solutions, and for benchmarking desired changes in agency services or in performance outcomes over time.
It often takes an enormous amount of time to get processes and controls through an approval process, and employees do not have time to renew and update the process every year. However, building in continuous improvement can actually save time and money and help your agency retain talent.
One way is through harnessing the pace of technology. As technology modernization and maintenance costs continue to escalate, many agencies either put off modernization or scale back. When agencies are able to update their systems, any analysis of return-on-investment can be outdated or overlooked. Using strategic approaches to evaluate how and where to invest limited IT dollars can help your agency better direct those dollars to technologies that support a continuous improvement approach. One approach may not work for every agency, but options to consider include a methodology that rates modernization and maintenance IT funding priorities by risk to mission, a historical analysis and future projection of IT cost trends, or risk appetite and tolerance limits to automatically prompt risk actions.
Another method is to consider what your agency’s future workforce will need. As baby boomers retire and Gen-Xers and millennials assume the responsibilities of running government agencies, the pressure and need to innovate will increase. Your agency can ease this inevitable transformation by starting to implement a continuous improvement culture now.
Organizations generally put little emphasis on governance structure but getting it right can really guide them to success. Likewise, a structure that is not right for your agency or lacks critical components will have people saying, “This whole effort was a waste of time.”
In this context, good governance means structuring your organization to provide both incentives and accountability measures to everyone’s daily work so that the right tasks, activities and decisions are prioritized. It does not change frequently, but should be looked at periodically to see if it is helping or hindering mission goals. With the proliferation of compliance requirements, it can be difficult to re-organize for optimal operational efficiency every time a new “accountable official” must be designated or a new management goal is introduced.
Understandably, agencies may find that it is easier to do the bare minimum to comply rather than rethinking their overall approach to governance. However, over time the agency can be overwhelmed by the inefficiencies of cobbling together all these small changes, and may overlook real opportunities for progress. Occasional governance structure changes can smooth that path to achieving mission goals.
The path to ERM may not be as daunting as it seems. Looking for new insights to aid in an understanding of the internal and external risks to mission are an easy way to get started. Setting the foundation for a culture of improvement not only has immediate payback, but positions an agency well for future challenges, including how to deal with future risks.
Finally, periodically looking back at how governance is set up in your agency can help make sure the agency is prioritizing the right things to manage both compliance activities and mission goals—one of the primary objectives of ERM.
Nicole Puri, a former risk management official with the Pension Benefit Guaranty Corporation (PBGC) and the Department of Housing and Urban Development (HUD), is a director with Grant Thornton Public Sector.