Tackling Enterprise Risk Management (ERM) in Government

Risk appetite gives organizational leaders a measuring tool to prioritize risks for action or capitalize on opportunities. Risk appetite (and tolerance) are a vital to setting parameters around how much risk the organization is willing to accept, where it is over exposed to risk, and provides guideposts for whether risk taking will achieve strategic results. Risk appetite can be used within ERM and other programs to inform a risk profile, or risk profiles can be used by organizational leaders to codify their risk appetite to inform risk response planning.

ERM must continuously adapt and innovate to maintain momentum, expand executive buy-in, and drive shifts to organizational risk culture to deliver its value. To continue to grow and achieve maximum benefit for an ERM program leadership must adapt by being realistic about the enterprise, embracing risk, and making an impact though risk management. Agencies can create ERM growth for long-term success by focusing on these key areas to help foster and build a risk-aware culture that highlights ERM at all levels.

As federal agencies continue to mature their ERM programs, many are asking how risk management at the enterprise-level relates to risk management at the program, function, or operation unit levels. If ERM is disconnected from the offices responsible for mission delivery, then risks may be identified but not elevated. This could cause agencies to miss opportunities to properly resource and effectively manage those risks and create the potential for those risks to mushroom into agency-wide crises.

As agencies mature their ERM programs, greater value can be driven by leveraging ERM to support and strengthen other agency-wide management activities. These management activities, which are critical to mission success, include strategy, program integrity, internal control, fraud, performance, budget, and cyber. Important information from an ERM program that can and should be integrated and shared across these activities includes: a risk profile, risk analytics & sensing, risk responses, risk appetite, risk tolerances, and key risk indicators (KRIs).

Agencies rely on strategic planning to deliver on their mission, however risks to the agency’s ability to deliver on its mission lie within the strategic objectives. Incorporating ERM functions to provide data and findings from ERM during the strategic planning process can help address both mission and mission-support challenges and opportunities.

The annual Strategic Review assesses departments’ and agencies’ progress in meeting the mission, management, and cross-cutting strategic objectives contained in their strategic plans. It informs strategic decision-making, budget formulation, near-term actions, and annual performance reporting. Section 270 of the Office of Management and Budget (OMB) Circular A-11, Preparation, Submission, and Execution of the Budget, provides guidance on Performance Reviews, Strategic Reviews, and Enterprise Risk Management (ERM) and requires covered organizations to conduct strategic reviews annually. ERM is designed to make the Strategic Review more robust, enabling risk informed decision-making, budget formulation, and performance analysis and reporting. Effectively integrating ERM into core on-going business processes and requiring the engagement of critical stakeholders and their support. Effective ERM implementation involves breaking down silos and increasing transparency. Without using the risk profile to inform the Strategic Review process, department or agency leadership could potentially fail to understand risks that can only be effectively addressed through an organization-wide action plan.