wfedstaff | April 17, 2015 8:34 pm
A chief risk officer (CRO) may be the answer to how agencies manage potential and real dangers. But whether or not agencies add another to the ever-growing list of CXOs, the White House will expect you to consider all the possibilities that may impede the mission success of individual departments.
The Office of Management and Budget recognizes there is a growing need for agencies to look at risk from across their entire portfolio.
“We have begun talking about how do we think about risk more broadly than just financial risk? I think when you look at [Circulars] A-11 and A-123, those were all born out of the CFO Act. So everyone is narrowly focused on ‘well, it’s about financial risk and it’s about internal controls.’ What we are doing now is stepping back and thinking isn’t there really a way to take the lessons learned and what we’ve accomplished with A-11 and A-123 and broaden that perspective across the entire organization, particularly around mission programs,” said David Mader, the controller at OMB, during a panel discussion Wednesday sponsored by the Association of Government Accountants and Grant Thornton. “Are some of the controls we put in place, that discipline and that adherence to that discipline are the kinds of things that you need in the VA, or that you need at the IRS, or in CMS or in HHS?”
To that end, Mader said OMB believes there needs to be an enterprise risk protocol across government.
“We are not yet at a point yet where we will say, ‘you need to have a risk officer,’ because I don’t think one-size fits all. We do know that organizations across time have already established programs. I don’t know whether you say ‘I want the risk program to reside in the CFO community.’ I could argue maybe not,” he said. “I’m also reluctant at this point to say, ‘Oh, yes we designated someone as a risk management officer.’ Maybe there’s a construct that says we need at a department level a risk committee. When you think about some of the larger departments, DHS, [or] HHS, that have a broad portfolio of very different kinds of bureaus and agencies, do you want to have a risk person in every one of those bureaus? Maybe, maybe not. But if I were the deputy secretary of HHS, I think I would be looking for some kind of risk board that on a very periodic basis could be doing a constant assessment of the entire organization.”
Risk management is playing a bigger role in government because of two big factors: budget uncertainty, including continuing resolutions and overall reductions, which brings on huge risks; and high-profile failures such as Healthcare.gov, the Defense Department’s ERP systems or the FBI’s virtual case file system.
New guidance or memo coming
Mader said OMB is talking to agencies and private sector organizations who have established risk management practices and organizations to figure out how best to proceed. He said OMB will issue guidance or a memo or some sort of document in the second quarter of fiscal 2015.
“For sure, we have to have core structure and some core attributes that define this risk program, things that people do need to do,” he said. “Personally, I’m one for being flexible with the departments. I don’t think when you look at the breadth of agencies, one-size fits all. I think if you set the expectations that you will manage risk and allow each of the agencies to decide how best to construct that. I think it will vary across government.”
Mader added he doesn’t think legislation is required to get agencies to pay more attention to and use risk in their day-to-day decision making. He said even though Congress got involved to get OMB to create Circulars A-123 and A-11, which address risk management from a financial perspective, this is something agencies already are coming to terms with.
In fact, a new survey by AGA and Grant Thornton of federal CFOs shows just that.
The organizations’ 19th annual survey found that 71 percent of the respondents say their agency doesn’t have a CRO, 20 percent say it does, and the other 8 percent said “other,” which was not defined.
Jim Taylor, a managing director for Grant Thornton’s global public sector, said agencies distribute risk across the organization.
Some agencies, such as the Bureau of Fiscal Service, have an enterprise risk management office, while for most other agencies, risk management is done at the CXO level, meaning the CIO manages cyber risk, CFOs manage financial risk and CAOs manage acquisition risks. Few agencies, however, manage across all the functional areas.
But, Taylor said, having a structured way to identify, measure and mitigate risk is coming to the forefront.
However, Mader said there are some concerns about having one CRO.
“I think in any organization, when you say, ‘this person is the risk officer,’ the other leaders and managers in the organization say, ‘well that’s really his problem to worry about,’” Mader said.
When Mader was an executive at Booz Allen Hamilton, he said he had to certify under Sarbanes-Oxley “all sorts of risk. In fact, we didn’t have a risk officer because it was the partners who were overseeing the business units who had to basically certify on a monthly basis that we had identified and mitigated risk.”
Data analytics, transparency high priorities
The approach to enterprise risk management that Mader described seems similar to how previous administrations have approached privacy.
The George W. Bush administration pushed back against having a single chief privacy officer (CPO), and instead let the agencies decide how best to implement it.
Beyond risk management, CFOs in the survey say data analytics and transparency are among their top priorities. These results differ from last year’s survey, when the impending government shutdown and budget cuts shifted CFOs’ focus to how best to deal with more requirements in light of fewer resources.
The 2014 version of the survey found 79 percent of the respondents say they are improving financial information so that data can be used to make management decisions.
Taylor said CFOs now need to make sure they give program managers the data they can understand and use to make decisions.
“Now we have very robust systems, processes in place, we are focusing our staff more on the analytics side to be able to use the data so program managers can compare one field office with another in terms of how efficient and effective they are with their products,” he said. “At the Department of Labor, I was very impressed with the deputy secretary when I went there, Seth Harris, who actually had a very, very aggressive management agenda. I never thought I would have seen that there. He kept challenging me to provide information for him about ‘how do I use that next dollar. Give me the data so I can get to that kind of decision analysis.’ I think it’s a systems issue, and it’s also a maturity issue in terms of the model of the CFO’s office.”
Taylor retired earlier this year after 30 years in government, including three years as Labor’s CFO.
The other issue that garnered a lot of attention in the survey is shared services. OMB is pushing agencies to move to financial management shared service providers.
Economy Act on OMB’s agenda
The survey found 66.7 percent of the CFOs say they need more assurances that the quality of services will remain the same with a shared service provider, while 33.3 percent cite the loss of control and 33.3 percent cite cost control and predictability among their top concerns.
Taylor said CFOs are more accepting of the need to move to a shared service provider and it’s doable.
The survey showed these concerns were not highly rated: only 24 percent worried about whether the federal provider could scale and modernize to meet their needs, and 29 percent say they are worried the provider will not be able to meet their requirements.
But one major issue that OMB needs to tackle is the 1933 law called the Economy Act, which forbids agencies from charging other agencies more than the cost of the service. Shared services providers need to have a franchise or working capital fund to charge a certain percentage over and above the cost of the service to be used for modernization or contracting support. None of the four shared services providers have such a fund.
“We are creating a very different business model for the government, something that heretofore we haven’t operated under,” Mader said. “That topic is on our agenda to address over the next year. We need to explore what a fully matured shared service provider needs to be successful. I think it will require examining whether it’s the working capital fund, the franchise fund or maybe it’s some brand new fund that’s created to support this.”
The other big issue for CFOs is, of course, workforce. CFOs say their workloads are increasing, but losing long-time employees or not having the ability to train current employees is a major concern.