Failure happens. Risk is omnipresent. The traditional approach to risk has been to minimize losses and make sure you have enough insurance coverage.
But now there is a new approach, called "enterprise risk management." Instead of looking at risks separately - accidents, financial losses, hurricanes, theft, cyber attacks - the idea is to prioritize efforts and be more predictive, preventative, and holistic.
The Recovery Act guidance from the Office of Management and Budget is a good example. It requires federal agencies to identify the risk associated with each program and develop a plan of action to reduce such risks. After all, if a program gets a 3,100 percent increase in funding, like the home weatherization program did, there must be some risk involved! Vice President Joe Biden has said he would like the entire federal government to adopt the new standards being developed under Recovery Act programs.
What does good risk management look like?
Risk researcher Dr. Karen Hardy observes in a recent report that agencies have traditionally tended to deal with new risk-reduction requirements on a discrete, program-by-program basis. They put in place compliance mechanisms to meet new IT security risk reduction requirements, or new financial management requirements, or new internal control requirements, or new erroneous payment reduction requirements, etc. "While traditional risk management has its merits," writes Hardy, "it is often still carried out in silos and stovepipes within organizations..."
Hardy says leading organizations in the private sector have undertaken enterprise-wide risk management efforts, and government is moving in that direction as well. The emerging practice of Enterprise Risk Management, or ERM, "challenges the status quo and requires managers and leaders to step out of their organizational comfort zones and into a collaborative environment to discuss not only common risks, but uncover latent risks as well." Holistic efforts across an organization can reduce risk - and administrative burdens - at the same time.
Identifying and keeping track of possible events, and classifying them into opportunities or risks, requires a taxonomy or classification scheme and a common language for understanding these risks. Improved data management allows a large organization to take advantage of modern analytical methods to quantify and track current trends and potential risks. As part of its audit work, the Government Accountability Office reviewed "risk management" at the National Institute for Health, and its analysis of that agency can help other organizations think through the elements of comprehensive risk management.
While the concept of enterprise-wide risk management may be relatively new in the public sector, the federal government has been steadily adopting this approach on an ad hoc basis. Dr. Hardy gives concrete examples of enterprise-wide efforts in the federal government, noting that "for the first time in its 75-year history, the Federal Housing Administration (FHA) announced intentions to hire its first Chief Risk Officer." She also describes efforts underway to address health risks (Food and Drug Administration and Centers for Disease Control and Prevention), security risks (Defense and Homeland Security), financial risks (Ginnie Mae), transportation safety risks (National Transportation Safety Board), and operational risks (Internal Revenue Service and Student Aid).
Hardy notes that a group of federal managers have self-organized into a Federal Executive Steering Group for Enterprise Risk Management and they've created an unofficial website to foster and continue a conversation on the topic.
But federal agencies are not the only ones embracing this new approach. Washington State has a risk management manual for its financial management employees, but it reaches beyond just finance. Arizona's risk management efforts focus on protecting state assets from losses and minimizing employee injuries on the job.
And just as federal agencies are working together, states are working together as well, sharing information and pooling resources. The State Risk and Insurance Management Association is the professional association for state governments, and North Carolina State University is the home of state enterprise risk management initiatives.
All levels of government are beginning to see managing risk as a component of successful leadership. The increasing complexity of what citizens expect from government means that addressing risk will be increasingly important in reassuring citizens that government can deliver, even in a world where things go wrong.
----------------
Jonathan D. Breul is the executive director of the IBM Center for The Business of Government and a partner with IBM Global Business Services. He is also a fellow of the National Academy of Public Administration and can be reached at jonathan.d.breul@us.ibm.com.
John M. Kamensky is a senior fellow with the IBM Center for The Business of Government. He is also an associate partner with IBM Global Business Services and a fellow of the National Academy. He can be reached at john.kamensky@us.ibm.com.
For more on this topic, read: "Managing Risk in Government: An Introduction to Enterprise Risk Management" (IBM Center for The Business of Government) at http://www.businessofgovernment.org/pdfs/HardyReport.pdf