By James C. Ansberry, Senior Manager, and Bert G. Nuehring, CPA, CGMA, Partner, Crowe
Federal agencies have been required by OMB to implement ERM for several years, but many have struggled to overcome their stakeholders’ skepticism toward the program.
This is a reprint of a previous newsletter published in March 2020.
____________________________________________________________
Stakeholders often tend to regard ERM as nothing more than another burdensome compliance exercise that should be a priority only for those charged with the program’s governance. The challenge for chief risk officers (CRO) or chief financial officers (CFO) is to obtain buy-in and educate all levels of their agencies on the ongoing importance and benefits of ERM and how their participation affects it.
The ERM requirement
The 2016 update to OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, imposes the ERM requirement. The update reflects OMB’s realization that government operations have undergone significant changes since the circular was first published in 1981. Among other developments, technology has made dramatic advances, and expectations related to government accountability have intensified. The ERM requirement was designed to address such shifts by improving mission delivery, reducing costs, and better focusing corrective actions.
The OMB defines ERM as an agency-wide approach to addressing the full spectrum of the organization’s external and internal risks – including financial, strategic, and reputation risks – by understanding the combined impact of risks as an interrelated portfolio. ERM gives an enterprise-wide, strategically aligned portfolio view of risk that provides greater insight on how to most effectively manage risks to achieve successful mission delivery. While OMB concedes that agencies cannot respond to every risk related to achieving strategic objectives and performance goals, it expects agencies to identify, measure, and assess risks related to mission delivery.
For the naysayers among the stakeholders, though, such language fails to communicate the on-the-ground advantages – in other words, what’s in it for them. It is up to leadership (typically the CRO or CFO) to help them understand why they should dedicate their time and limited resources to aid in building a robust ERM program. Perhaps the most effective strategy to get stakeholders on board with ERM is to highlight how the data and information collected and analyzed through the program can help them in their own roles.
Budget development and funding requests
Ideally, stakeholders will come to view ERM as a way of uncovering risks that are not being properly managed and use the data to make the case for more personnel systems, software, and processes to effectively manage those risks. Risk data could inform the annual budgeting process (for example, resource allocation planning in the Department of Homeland Security (DHS) or planning, programming, budgeting, and execution in the Department of Defense) or be used when making unfunded requests.
In fact, ERM programs produce critical evidence, data, and supporting documentation for justifying all sorts of proposed solutions for both internal and external problems. For example, the individuals spearheading a departmental or agency reorganization can use the information to develop the new structure and the requisite business plan. Considering the relevant portfolio of risks identified by ERM can improve the odds that the new structure is well aligned with risk management. It might, for instance, steer the reallocation of staff time to higher-risk priorities and tasks.
Efficiency improvements
An ERM program can help agencies identify and prioritize the mitigation activities and controls that they could automate and make more efficient by implementing systems, software, data analytics, artificial intelligence, robotic process automation (RPA), and machine learning.
For example, an agency might have one or more employees who currently consume a lot of time manually combing through spreadsheets to clean and analyze data. An employee might have the bandwidth to audit only 10% of a sample of listed transactions, but an RPA running 24/7 potentially could audit the entire data set and send potentially noncompliant records for review and correction. Post-automation, those personnel can be redirected to higher-priority tasks, which supports a Cross-Agency Priority goal of the President’s Management Agenda – shifting the federal workforce from low-value to high-value work.
In recent years, government employees have grown accustomed to being told they need to do more without any additional funding, staff, or other necessary resources. They likely will welcome the opportunity to automate certain processes and procedures while redirecting resources to manage higher risks. In addition, the funds saved through automation can be otherwise deployed to further an agency’s mission.
The good news is that agencies can employ the best practices and lessons learned from other departments and agencies’ established programs, processes, procedures, and systems. Stakeholders should find adopting (and tailoring) partner agencies’ proven initiatives and measures less daunting than starting from scratch. An agency with a mature ERM program will be able to take advantage of opportunities for informed risk taking and strategic planning, understand its risk appetite and tolerance, have an open dialogue about risks, and align mission to strategy.
For example, DHS comprises multiple components, such as the U.S. Secret Service (USSS), U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE) – each of which has its own CRO or CFO. To identify industry best practices, CBP and ICE can refer to what USSS has done with its ERM program. Questions CBP and ICE could ask might include: Which systems, policies, and procedures does USSS have in place? What hurdles did it face in implementation? How did it overcome those hurdles?
The General Services Administration has taken some steps to encourage such sharing of information. In 2019, for example, it launched a community of practice (CoP) for RPA.ii The CoP is designed to allow federal government leaders to explore opportunities, share ideas, and collaborate on how they can effectively implement RPA in their respective agencies, including for risk management purposes. The community has grown to include representatives from dozens of agencies.
A more holistic approach
ERM programs are required for federal agencies, but merely mandating them is not enough to reap all the potential benefits. When the stakeholders in an agency see their ERM responsibilities as simply another box to check off and move on from, the ERM program will fall short. CROs and CFOs, therefore, must take the time to earn their stakeholders’ buy-in. Explaining how the data and information can help stakeholders in their own roles will encourage them to become invested in a program they might otherwise see as tangential at best.
_________________________
Jim Ansberry may be contacted at jim.ansberry@crowe.com and Bert Nuehring may be reached at bert.nuehring@crowe.com.
i General Services Administration and the Office of Management and Budget, “Shifting From Low-Value to High-Value Work,” Performance.gov, https://www.performance.gov/CAP/low-value-to-high-value-work/
ii Ed Burrows, “GSA Calls on Federal Emerging Tech Leaders to Form RPA Community of Practice,” April 18, 2019, GSABlog, https://www.gsa.gov/blog/2019/04/18/gsa-calls-on-federal-emerging-tech-leaders-toform-rpa-community-of-practice
iii U.S. General Services Administration, “2019 Agency Financial Report,” accessed March 18, 2020, https://www.gsa.gov/reference/reports/budget-performance/annual-reports/2019-agency-financialreport/managements-discussion-and-analysis/performance-summary