It is not surprising that interest in Enterprise Risk Management (ERM) is growing fast among federal agencies. Recent experiences have demonstrated the need for improved awareness and alleviation of risks that jeopardize mission achievement. Leading organizations are also using insights from their risk-management process to optimize program outcomes.
Agencies should establish a greater link between performance and risk management for several reasons. First, increasing the line of sight at the highest levels of management will facilitate a better understanding of issues and uncertainties. Second, embedding risk management into processes and key decision-making will create value for the organization proactively, before risks materialize. This will require ERM to be seen as a means to strengthen performance and protect the organization, rather than just another compliance program. Third, as the operating environment for agencies becomes increasingly volatile and complex, managing risk across the enterprise provides a better view of which risks to mitigate and which can be leveraged to improve public service delivery.
Senior leaders should establish the risk appetite and give permission for subordinate levels of management to take informed risks that support reaching higher performance levels. In the private sector, there is often significant involvement from a number of parties, including the chief financial officer (CFO), head of audit and compliance, treasurer, as well as the chief risk officer (CRO) and other key leaders.
Likewise, there is no single answer in the public sector. Reflecting the historic focus on risk and internal control that resides in agency CFO organizations, CROs are sometimes part of that office. Regardless of geography, CFOs, performance improvement officers (PIO) and CROs are all good candidates for leadership roles. Ultimately, however, the link between risk and performance management is a collective effort.
It is important that agency leaders understand the value of integrating risk into strategy setting and set the tone for implementation. Operational and program managers may resist an open dialogue about risk for fear of hindering existing business practices. This can be addressed by changing the dialogue from “risks” to “uncertainties.” Performing a pilot in one program or part of an agency that appreciates the potential for risk-enabled performance improvement can increase acceptance. It’s also critical for policymakers who drive these processes to have balanced both a long- and short-term perspective.
A logical point for integrating risk knowledge into performance planning is during budget formulation, when the impact of program-funding scenarios is being evaluated. Other opportunities for federal agencies to incorporate risk insights include periodic reviews of strategic objectives during which project risks and uncertainties are communicated.
As risk management and its accompanying insights become embedded in performance management, organizations begin to demonstrate certain characteristics. Risks are linked to strategic objectives and then aligned and reported on in the context of program performance rather than in disjointed silos or, worse, not at all. Key risk indicators are established and used to maximize performance, as well as to indicate advance signs of not achieving strategic objectives. These real-time monitoring practices help organizations estimate critical operating factors, such as time to perform, demand, cost and resource needs.
Integrating risk in the rhythm of management and programs is critical to improving alignment, cooperation, prioritization and, ultimately, improved outcomes for both government and citizens.
Dan G. Blair is president and CEO at the National Academy of Public Administration. Linda M. Springer is executive director at Ernst & Young LLP.