Given large federal budget deficits and an unsustainable long-term fiscal path, federal managers are being challenged to meet public expectations more effectively while substantially reducing the cost of administering programs.
Against this backdrop, can the government any longer afford the vast array of policies and procedures that guide its program and business operations — the dreaded "red tape"?
A Defense Department official illustrated this problem in 2010 in testifying about the DoD travel system. He said it was rendered virtually unworkable because, in trying to cover every possible travel permutation, it defined more than 70 types of travel and produced 2,000 pages of sometimes contradictory rules.
This is an example of having too many controls in an area where the risk of loss to the government is known to be low and the impact nonexistent compared with critical programs to protect national security. And this is just the tip of the iceberg of well-intended controls. But do they still make sense, and are they worth the cost?
There always will be scrutiny of breakdowns in control that, for example, result in fraud, waste or abuse. But the question for managers is whether the threat of such scrutiny has produced unintended consequences that bog down operations. Layering control upon control to address a problem without a clear consideration of the cost and benefits in relation to risk can take a toll on the functions of government.
There's a potential solution to help with this problem: enterprise risk management (ERM).
ERM can help managers prioritize risks based on their likelihood and impact. ERM is also an opportunity to help better calibrate the balance between risk and the cost of control. The ERM framework increases focus on more critical risks and on the cost and effectiveness of the controls that mitigate those risks, allowing time and resources to be put to better use.
ERM is a practical approach to allow managers to perform their duties more effectively and efficiently. It is premised on first establishing how much risk an organization is willing to accept — the risk appetite. That's followed by devising a strategy to strike a balance between the costs and benefits of processes within the risk appetite.
The risk appetite should:
• Reflect the organization's mission and strategy, including stakeholder expectations.
• Acknowledge a willingness and capacity to take on some level of risk and a tolerance for loss or negative events that can be reasonably quantified.
• Incorporate a governance process to help ensure decisions are consistent with the risk appetite.
• Include quantitative and qualitative performance measures for ongoing performance management and oversight.
• Be periodically re-evaluated.
Proper implementation includes communicating the risk appetite to key stakeholders — Congress and the public — and to oversight organizations, such as inspectors general and the Government Accountability Office, so that there is clear understanding of the expected level of performance and likely trade-offs.
Consider enterprise risk management to more effectively focus resources, reduce cost and enhance your agency's performance in this era of fiscal stress.
Jeffrey Steinhoff is executive director of the KPMG Government Institute and former assistant U.S. comptroller general for accounting and information management. Geoffrey Weber is a principal in KPMG's Federal Advisory practice. This article represents the views of the authors only and does not necessarily represent the views or professional advice of KPMG LLP.