Former Chairman of the Joint Chiefs of Staff General Martin Dempsey was recently asked whether our country might face another 9/11. "There are just so many cases in history where after the fact someone will say, we just never imagined that something like that could happen," he replied. "We’ve got to be careful not to have a failure of imagination."

Leaders in the federal government, not just in national security, face a constant stream of potential crises that occur suddenly without warning and not only disrupt daily activity, but put the future of the organization’s mission significantly at risk. Agile leaders must ensure federal agencies build cultures that anticipate and manage risks to better prepare for "Black Swans."

A Black Swan, a term popularized by Nassim Nicholas Taleb, a finance professor, writer and former Wall Street trader, is a rare event or occurrence that deviates beyond what is normally expected of a situation and is extremely difficult to predict.

Throughout the 21st century, there have been several catastrophic Black Swan events that have affected our economy. The financial crash of the U.S. housing market during the 2008 crisis is one of the most recent and well-known Black Swan events. The effect was catastrophic and global, and only a few outliers were able to predict it.

The U.S. Office of Personnel Management’s data breach and 9/11 are additional examples of Black Swans.

Unfortunately, federal agency inspectors general continue to report weaknesses in agency management that could lead to similar catastrophes. The U.S. Government Accountability Office is another source of information about potential risks to the government’s mission. These are important inputs to a mature enterprise risk management framework. Agencies should be reviewing that information now so they are prepared for the future.

Better enterprise risk management can help an agency anticipate, measure and prepare for a variety of risks. So what are the steps an agency can take to build and adopt better risk management?

The first place to look for best practices is the GAO’s Green Book. Based on the "COSO Cube," the guide categorizes risks in three dimensions: type of risk (operational, reporting, compliance), efforts taken to manage risks (control environment, risk assessment, control activities, information and communication, and monitoring activities) and the level of the organization facing the risks (entity, division, operating unit, or function).

The COSO Cube offers a framework for defining and aligning risks. But not all risks are created equal. Some can bring an organization to its knees, such as a Black Swan event, but a mature organization can prepare for and withstand the impact of such events. 

This past summer, the U.S. Office of Management and Budget released new guidelines encouraging federal agencies to do a better job anticipating and mitigating risks. "The administration has emphasized the importance of having appropriate risk management processes and systems to identify challenges early, to bring them to the attention of agency leadership and to develop solutions," wrote OMB Director Shaun Donovan in his memorandum announcing the new Circular A-123. He said the goal of the new guidelines was "to ensure federal managers are effectively managing risks an agency faces toward achieving its strategic objectives and arising from its activities and operations."

If OMB’s new guidance is to be taken seriously — and it should — agency leaders should be actively identifying the major risks and opportunities they face. They should (1) convene internal and external stakeholders to brainstorm potential low, medium or high risks, (2) create a risk management plan to mitigate the potential risks and (3) develop a strategic plan for managing these risks.

There’s more to it, of course, but with these near-term steps, an agency is building its risk management roadmap for the future: documenting risks and building risk management capabilities. It gives management a practical approach to risk management when at first it may seem overwhelming. The desired result is one integrated picture of risk factors, contributing factors and risk tolerance — one metric that details whether the organization is properly positioned with respect to taking on risk or whether it needs to increase or decrease its risk response activities. In addition to the identification of major risks, agencies should consider possible Black Swan risks.

We know that Black Swans will emerge. Are you prepared? There’s no excuse not to be; OMB’s new guidance tells you what to do. If you’re prepared, it probably won’t make the news. If you’re not, you can count on it.

Denise Lippuner, a former official with the U.S. Government Accounting Office (GAO), is the leader of Grant Thornton's Public Sector Business Risk Services Practice. Heather Adams is a manager with Grant Thornton Public Sector.
