Understanding enterprise risk management (ERM) in government
Enterprise risk management (ERM) is a big deal for many organizations. But, ERM in government plays a unique role in public services. It’s not just about managing risks; it’s about making government entities safer, more efficient, and transparent.
Federal, state and municipal governments and other public sector organizations face diverse risks with far-reaching consequences. That makes ERM an invaluable tool for governments to not only mitigate risk but proactively prevent threats across the agency before they can develop.
This article will explain the role of ERM in government, including:
- What enterprise risk management in government is
- Why ERM is important for government agencies
- The impact of OMB Circular A-123
- Common ERM challenges
- How government agencies can start executing ERM now
What is enterprise risk management in government?
Enterprise risk management in government is an approach that prioritizes the strategic identification and mitigation of risks across the organization. It’s a critical yet challenging function. For government agencies, the “organization” can include countless departments and sub-agencies with their own organizational structures, and it can also face risks ranging from cybersecurity to fraud and so many more.
Effective ERM and its components enable governments to continue meeting the needs of their citizens without unnecessary expenditures related to risk. That’s a tall task, one that requires ERM in government to define the risk strategy, identify and mitigate risks and continuously monitor the risk landscape should unprecedented threats arise.
The impact of the Office of Management and Budget on ERM
The Office of Management and Budget (OMB) has led the way for ERM in the U.S. government, specifically by issuing standards for how government agencies should apply risk-based decision-making.
According to the OMB, “the Enterprise Risk Management Priority Area focuses on promoting and facilitating a risk-aware culture across the Federal Government through comprehensive strategy-setting supported by quality data.”
This includes their most notable guidance: OMB Circular A-123.
OMB Circular A-123
At its core, Circular A-123 requires government agencies to establish internal controls. More broadly, it pushes U.S. federal government agencies to approach decision-making through the lens of enterprise risk.
To do that, OMB recommends a strategic approach to enterprise risk management in the federal government that includes:
- Establishing ERM best practices, including choosing an effective ERM framework and offering training to employees
- Developing an ERM maturity model for federal government organizations and reporting on an annual basis
- Integrating risk practices to ensure organization-wide adherence to ERM policies
- Facilitate collaboration on ERM, including by pulling in key stakeholders
Common ERM challenges government entities face
As succinct as OMB’s direction may seem, government agencies in the U.S. face many challenges that can make executing enterprise risk management particularly complex. These include:
- The services the government provides: U.S. government agencies at all levels provide critical services and programs to the American people, all of which come with distinct risks. What’s more, the needs around these services and how they’re delivered are constantly evolving.
- Increasing stakeholder expectations: The government agency is under constant scrutiny from the public and within the government entity itself. This heightens the importance — and the visibility — of ERM in government organizations.
- Budget restrictions: Many government agencies are operating on tight budgets, leading to the perception that investing in ERM means divesting from other critical initiatives or reducing employment levels.
The benefits of end-to-end risk management
Despite the many challenges ERM in government can bring, it also adds value. ERM can unlock more efficient, more secure operations, which benefit government organizations and their citizens alike. More specifically, ERM can help governments:
- Build a risk-aware culture: Adopting ERM means integrating risk into every facet of operations. This creates a culture based on risk, one where staff at all levels feel empowered to participate in risk management.
- Improve compliance: Agencies that manage risk also comply with relevant regulations. Tackling ERM will also lead to more compliant policies, procedures and systems.
- Allocate resources effectively: Though many see ERM as a resource draw, effective ERM in government can lead to more efficient resource management. When ERM is strategic and streamlined, government organizations manage risk without wasting time or overburdening their teams, helping with productivity in other areas.
- Universal risk management strategy: When government entities implement ERM, they centralize their risk management approach. This helps government agencies more quickly understand their risk exposure, develop a mitigation strategy and execute their approach no matter how dispersed their workforce or systems are.
How to execute ERM in government
Enterprise risk management is a methodology. As a result, adopting enterprise risk management in government doesn’t happen quickly. Instead, it’s a systematic and strategic engagement that requires participation at all levels of the agency.
Government organizations can start by:
- Encouraging leaders to buy in: Department leaders and entry-level staffers alike must equally embrace the agency’s ERM strategy. Ensure leadership is fully committed to ERM, so the program is supported by a thorough culture of compliance.
- Identifying risks: Government organizations need to know what risks they face. They should consider their risk exposure in many areas, including their operational environment, physical environment, ethical environment and even emerging risks, like cybersecurity.
- Assessing risks: Risks identified, government organizations then need to assess how severe each risk is. For ERM in government, this includes how likely the risk is, how costly it would be if it did occur, and how capable the government is of mitigating it.
- Developing mitigation strategies: Next, government organizations should create a plan for mitigating risk. This plan will depend on what the risk is and its severity. That said, governments typically choose from several approaches: avoiding the risk, accepting the risk as a cost of doing business, transferring the risk (such as to an insurance company by purchasing a policy) or sharing the risk with other agencies or contractors.
- Executing risk management policies: Like the corporate sector, government organizations need comprehensive risk management policies and procedures. This can include assigning roles and responsibilities, offering ongoing training and requiring employees to engage in risk-based practices, like not logging onto government properties on public workspaces.
- Implementing risk monitoring and reporting: Risks evolve, and ERM in government should, too. This requires monitoring risk on an ongoing basis to detect any changes in the risk landscape, as well as reporting on how effective the ERM strategy is. Defects in either the risk landscape or the ERM approach itself may warrant changes to the program.
Understand the risks you face and how to address them
ERM in government is a critical practice, yet many government organizations fail to understand what risks they face or how to mitigate them. But without that understanding, government organization’s ERM efforts may miss the mark, leading to a costly program that’s ultimately ineffective.
As a result, government entities are now opting for robust ERM solutions rather than relying on spreadsheets.
Along with implementing the right technology, government organizations should aim to build from an existing ERM framework. They should use a framework that provides the rigor many governments need to move from risk awareness to a performance-enhancing ERM program.
Click here to learn more about leveraging Diligent for ERM in your government entity.