It’s been three years since the Office of Management and Budget told agencies to embed enterprise risk management into their budgeting and strategic decision-making processes, but the mandate is as relevant as ever.
Margaret Weichert, OMB’s deputy director for management, said she feels a “sense of urgency” to embrace a posture where risk is front-and-center, rather than the check-the-box compliance activities that most agencies have been using for years.
The pace of change in the 21st century demands that kind of culture shift, Weichert said, even if it’s not easy to embrace.
“Laws, rules and regulations aren’t inherently agile,” she said last month at the Association of Federal Enterprise Risk Management’s annual summit in Washington, D.C. “They don’t take a short amount of time to develop. This notion of being overtaken by events is a reality. We could absolutely be out of sync with events. We have to constantly be re-framing what we’re doing in a continuous way.”
In some cases, it’s been difficult for agencies to ditch the compliance lists. For others like the IRS, the concept of enterprise risk management is slowly making its way down to individual employees, who have recently been given the tools to raise their hands and point out potential concerns to agency leadership.
For Weichert, embracing enterprise risk management starts with asking different questions.
“Ask how might we get the outcome we’re looking for? How might we intervene if we have an early warning sense that there’s some risk that we find unacceptable? Do we wait for a nine-month audit to tell us the answer before we act?” she said. “I would say that’s among the riskiest things we could do.”
The IRS, which perhaps has one of the more mature enterprise risk management programs in government, is teaching employees to ask and raise similar questions.
The agency has created an employee risk channel where employees can submit a potential warning or concern in a confidential way.
Feedback from the Federal Employee Viewpoint Survey showed the IRS workforce had concerns about elevating risks to their managers. Though the IRS already had several channels where employees could submit a potential risk, those platforms didn’t offer confidentiality, said Debbie Poff, an IRS senior risk adviser.
Poff and the IRS risk management team review employee submissions to the channel and determine whether the concern rises to an enterprise level or if it’s one that an individual work unit could resolve.
“In some cases the liaisons may be able to address it readily,” she said. “In some cases it’s been a risk that’s already been identified on the business unit risk register and there was some follow-up and communication, and in some cases it may warrant pulling together a small group to review and determine what risk responses are in place. Are there any gaps? Is there something else that needs to be addressed?”
Tom Brandt, the IRS chief risk officer, said the agency had its concerns when it first launched the employee risk channel on a pilot basis.
“If we establish this channel are we just going to get inundated with every grievance that an employee has about anything going on or an issue they raised and haven’t heard back from?” Brandt said. “There was a lot of discussion around that, but the sense at the end of the day was that it was important for us to have a fail-safe. We want to encourage employees to raise issues and concerns with their manager, but if for some reason they didn’t feel comfortable there was an alternative channel.”
The IRS got about 12 employee submissions to the risk channel in a year. Some of the issues employees had raised were known and being addressed, Brandt said, but others hadn’t gotten to the “right level of attention.”
The agency has since expanded the risk channel beyond the pilot phase, and several IRS business units have created their own similar channels as well.
The IRS also launched a risk management advocate certification program in July. The training program gives employees a chance to practice identifying and describing a risk to the agency.
Meanwhile, the results of a new survey from the Association for Federal Enterprise Risk Management and Guidehouse show most agencies are still relatively slow to embrace and embed enterprise risk management practices within their internal controls, strategic planning, performance management and budget processes.
The survey captured responses from 35 federal agencies, including 15 cabinet-level departments. More than three-quarters of respondents said their agencies had an enterprise risk management program, according to the survey.
Survey results hint at small, incremental points of progress over the past three years. About 60% of respondents said enterprise risk management expectations had been baked into the performance plans for some or all of their Senior Executive Service members.
“We have made a ton of progress,” Weichert said. “We have further to go on getting better data and data-driven decisions into our strategic decision-making processes [and] into the budget process. We know this is a long-term endeavor. We would absolutely welcome thoughts that you have about how we can improve this strategic planning process.”