Rafael Borrás is a Senior Advisor at A.T. Kearney. Previously he was Under Secretary for Management and Acting Deputy Secretary of the Department of Homeland Security.
The Government Accountability Office recently released its 2015 High Risk List, a list through which it "calls attention to agencies and program areas that are high risk due to their vulnerabilities to fraud, waste, abuse, and mismanagement, or are most in need of transformation."
This year's list includes updates to the 2013 list and adds two areas to which the executive and legislative branches need to give increased attention: IT acquisitions and operations, and managing risk and improving health care provided by the Veterans Affairs Department. Also in this report, GAO identifies the program area "Strengthening Department of Homeland Security Management Functions" as "demonstrating sufficient progress to narrow the scope of the high risk designation," and recognizes that DHS has "continued efforts to strengthen and integrate its management functions since those issues were placed on the High Risk List in 2003."
I believe that the DHS enterprise risk management approach was a solid foundation to comprehensively address the key criteria that GAO uses to determine removal from the high risk list. Indeed, the enterprise risk management approach we began at DHS in 2010 (I was Under Secretary for Management at the time) and the current Secretary's Unity of Effort strategy have been recognized in narrowing the scope of a critical high risk designation.
Recently, I wrote an article for this publication titled "Government agencies should adopt enterprise-level risk management programs." In that article, I discussed the four essential pillars that make up the basic foundation of most commercial enterprise risk management programs: a robust governance structure; integrated management coordination; performance measurement; and the identification, mitigation, and management of risk. The article outlined how these four pillars can also be used to build an enterprise risk management (ERM) initiative in the Federal Government, using the DHS acquisition enterprise risk experience as a model.
In this current piece, I will take the next step and lay out a series of stages to consider as federal agencies begin to plan where they want their ERM programs to go. The best commercial enterprise risk management programs begin with a solid assessment of where the organizations are, and most importantly, where they believe they must be to achieve the level of risk management their enterprises require.
The development and implementation of an enterprise risk management program can be viewed along a continuum, with various stages of development and maturity. The view is based on two key assessments: 1) At what stage of enterprise risk management is your agency currently? 2) How robust an enterprise risk management program does your agency need to adequately address your enterprise risk requirements? The former is the necessary baseline for recognizing your agency's current level of risk, its ability to tolerate risk, and how well prepared you are to plan for and mitigate your critical enterprise risks. For example, how well you understand your agency's enterprise risk profile related to legacy IT systems, which are often interdependent, will determine not only where your vulnerabilities are but will also provide you with a priority funding roadmap for dedicating resources to migrate or replace those antiquated legacy systems.
An agency's determination of how extensive an enterprise risk management program it needs begins with a fact-based assessment of its risk profile. This can be done by applying the following stages:
Stage 1: No Focus on Risk Management. Organizations in this category rely mainly on intuition or past practice to make decisions, and they have little-to-no understanding of their risk portfolio. Thankfully, and due in part to GAO's attention on matters of high risk, this stage is virtually non-existent in most organizations.
Stage 2: Risk Control Focus. These organizations are characterized by some recognition of the more obvious risks, with some controls in place. However, many of the controls are segregated in organizational silos, rather than being enterprise wide, and they often have an audit focus. Limited structures are in place to provide enterprise governance.
Stage 3: Linking Risk to Service. Here is where we see the beginning of organizational maturity, with a recognition of the need to focus on enterprise risks. This stage is characterized by a focus on mitigation and the necessary contingency plans to reduce the impact of identified events that constitute an enterprise risk. Formal planning and portfolio approaches are present, with measurement and analysis tools being used, often by dedicated resources. An increasing number of Federal Government organizations are in the early phase of this stage, testing various models and approaches to find the right balance for their agencies.
Stage 4: Stakeholder Value Management. At this stage, we find that organizational maturity has taken hold, and business planning and investments are linked to risk analysis. One can find a direct linkage between policy objectives, operational planning and budgeting, and resource allocation, with a direct correlation to an adopted set of acknowledged enterprise management risks. Also, cross-functional collaboration to address enterprise risks, led at the headquarters level, is the norm. Rarely are enterprise risks wholly contained within a single silo, and organizations at this stage exhibit their maturity by viewing enterprise risk along a horizontal, as well as a vertical, axis. Finally, a set of rigorous and well-documented processes and procedures is clearly evident in stage 4 organizations.
Stage 5: Think "Risk" Culture. In this final stage, we see clear agency-wide positions on risk tolerance and exposure, with alignment of risk and agency strategy. Additionally, risk management is part of the day-to-day decision-making process, and advanced tools and systems are used to plan, quantify, and manage risks. Most importantly, incentive structures and decision metrics are clearly defined. A common characterization of organizations at this stage is a strategic focus on the long term, or the ability to look well over the horizon.
What's important to recognize about this continuum of enterprise risk excellence across the five stages is that a single organization rarely exhibits uniformity across the enterprise. Indeed, using benchmarks, you could assess the enterprise risk health of your organization and rate its progress against a baseline of the stages of excellence to see how well it stacks up—for example, in acquisition risk, financial risk, or even various forms of operational risk. The key is to address your agency's approach to enterprise risk management with an honest assessment of where you are and where you need to be to meet your organizational risk needs. The point is not solely to aim for stage 5, but first to understand your organization's current profile and then to develop the foresight of where you want the agency to be along this continuum. Once you've established that goal, the agency needs to determine its best approach for maturing and building a sustainable and repeatable approach to enterprise risk management.
In my experience across the public and private sectors, an effective ERM program is essential to both understanding and enabling the mission of an organization. Understanding where your organization is and where it needs to be is essential. Having this understanding is a best practice found throughout the commercial sector. Based on my experience at DHS, furthermore, I have found GAO to be willing to work with any agency that has a clear sense of how it wants to build and use an ERM approach to address matters of its high risk designation.
My next article on ERM will cover how successful commercial companies have developed their ERM roadmaps and implementation strategies, and how federal agencies can learn from and adapt those commercial best practices to implement a successful ERM program.