by Alyssa Fusisi, Kearney & Company
Integration, as it relates to the maturity of agencies’ Enterprise Risk Management (ERM) Programs, has been a hot topic recently. According to the Chief Financial Officer’s (CFO) Council and Performance Improvement Council (PIC), Playbook: Enterprise Risk Management in the U.S. Federal Government (ERM Playbook), “Successful integration of ERM into agencies’ day to day decision-making and management practices enables agencies to leverage opportunities and avoid, mitigate, and transfer risk, resulting in more resilient, effective, and efficient programs.1” By including risk considerations as part of day-to-day decision-making, agencies can better identify and respond to risks. The Committee of Sponsoring Organizations (COSO) ERM Framework builds on this concept by indicating that integration of ERM with strategy-setting and performance management practices allows organizations to realize benefits related to value, including an increased range of opportunities, increase in positive outcomes, capability to identify and manage entity-wide risks, better resource allocation, and reduction of performance variability2.
As risk management matures across the Federal Government, administrations have enacted a multitude of requirements to implement risk management frameworks at the program-level. The Office of Management and Budget’s (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control requires an evaluation of fraud risks as part of the agency’s annual Risk Profile. The Government Accountability Office (GAO) has released the GAO Framework for Managing Fraud Risks in Federal Programs, which provides leading practices for managing fraud risks within a Fraud Risk Management Framework. OMB Circular A-11, Preparation, Submission, and Execution of the Budget, requires agencies to assess and manage risk through strategic and data-driven reviews as part of the broader agency ERM framework, as appropriate to the agency’s mission. Additionally, the National Institute of Standards and Technology (NIST) has established a Cybersecurity and Privacy Risk Management Framework (RMF) as a prioritized, flexible, repeatable, performance-based, and cost-effective approach to identify, assess, and manage cyber and privacy risks.
Agencies can integrate ERM capabilities to support strategic planning and organization performance by incorporating ERM into strategic planning processes and using ERM to improve information for agency decisions; however, they must consider potential integration challenges that can arise when planning and executing integration with the program-level risk management activities occurring across an agency. Potential integration challenges include:
- Governance – To ensure a clear understanding of how program-level risk data will be evaluated by oversight bodies, as well as ingested for consideration by these bodies, is integral to proper integration of agency risk management activities. If an agency’s governance structure is not well-established or does not support the processes needed to facilitate communication flow, then the agency will have challenges establishing and obtaining the proper risk data needed from program-level risk management activities to inform the agency’s ERM Program.
- Silos – In large, decentralized agencies, it is common that many activities occur in silos across different areas of the agency. Program-level risk management activities are often focused on particular risk areas, such as fraud, improper payments, privacy, or cybersecurity, and it is challenging to determine what risk data is available if risk management activities have been built in silos and do not align with the agency’s overarching ERM framework.
- Program Maturity – Similar to an agency-wide ERM Program, program-level risk management activities typically also follow a maturity model. As many programs will continue to build on the risk activities in place, there may be a need to revisit integration to determine if there are any changes needed among the communication frequency or other supporting tools used to facilitate integration. It may also be necessary to plan for a side-by-side “maturity” of the overarching ERM Program, in conjunction with the programs planned for integration.
The successful integration of ERM into daily decision-making, management practices, and agency culture will allow agencies to take advantage of opportunities and avoid, mitigate, and transfer risks. An ERM Integration Framework can be developed to outline the integration strategy for the agency decision-making processes and outline the governance structure, roles and responsibilities, and communication strategies for integration with the broader ERM Program. Agencies must take a thoughtful approach that considers the maturity of both the overall agency ERM Program and the program-level activities planned for integration. A phased integration strategy, that leverages an agile methodology, where agency risk management activities are integrated using a staggered approach will allow an agency to identify lessons learned and adjust future integrations. Additionally, the agency should determine the necessary outputs when determining the planned communication channels and reporting needs from program-level risk management activities.