Data breaches. Natural disasters. Negative press. Funding cuts. If you work for a public entity or a not-for-profit you most likely understand the impact these events could have, but do you know how your organization is addressing them? Many organizations are addressing risks by implementing a sustainable enterprise risk management (ERM) program.
This article is the first part in a two-part series for building a sustainable ERM program in the public sector. The first part discusses the fundamental concepts of an ERM framework and the key components needed to launch an ERM program within a public sector entity. It begins with a discussion of commonly used frameworks and how to establish supporting structures, policies, and practices. Part one concludes with an explanation of how to conduct an initial risk assessment and how to report and act upon its results. Part two of this series will discuss systems, tools, and processes for the ongoing support and management of the program.
ERM provides a comprehensive and strategically aligned assessment of the challenges facing an organization in order to improve insight into prioritizing and managing risks. Effective ERM helps organizations clearly link strategies to risk and performance, which leads to better decision-making processes and more effective use of resources. Further, it enables an optimized approach to identify and remediate compliance issues, and promote communication and information-sharing across functions.
By implementing an ERM program, organizations can increase risk awareness and transparency, improve risk management strategies, and gain a portfolio view of the risks facing them. ERM enables agencies to define their risk appetite, or the amount of risk an organization is willing to accept in pursuit of strategic objectives, as well as their risk tolerance, or the acceptable variance threshold for performance relative to the achievement of objectives. By using an ERM framework, organizations can determine how to align their risks according to their appropriate risk appetites and risk tolerances.
Defining ERM guidance
Many definitions of ERM exist. Guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as “the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.”1 This definition provides the context and sets the stage for discussing the establishment of sustainable ERM in the public sector.
Several entities issue voluntary ERM guidelines. Some well-known and commonly utilized sources within the public sector are the guidance and framework issued by COSO, ISO 31000 from the International Standards Organization (ISO), and the federal Office of Management and Budget (OMB) Circular A-123.
OMB Circular A-123, updated in 2016, provides detailed guidance for federal agencies on improving the effectiveness of federal programs and operations by establishing, assessing, correcting, and reporting on internal controls. It provides recommendations for agencies to use when establishing a governance structure, such as a risk management council or committee. It also instructs agencies how to develop risk profiles to identify major risks arising from mission and mission-support operations, and it helps agencies analyze those risks in relation to achieving strategic objectives. An interpretative supplement for implementing the requirements under OMB A-123, which was published by the U.S. Chief Financial Officers Council and the Performance Improvement Council, was accepted by the OMB and includes a playbook for implementation. This playbook includes information, templates, and examples intended for implementation within federal agencies; however, much of this material can also be used by not-for-profit and other organizations.
Whichever framework an organization chooses to follow, its purpose should be to serve as a helpful way to educate management and boards, and provide a shared methodology and vocabulary for better communication. ERM guidelines establish a starting point that helps identify and avoid pitfalls to implementation, and they help embed proven risk management concepts into the decision-making process at all organizational levels.
Implementing ERM
ERM can be implemented in a logical, sequenced manner by following these steps:
1. Create the foundation. The initial step should focus on setting up the necessary governance, policies, structures, and practices that will pave the way for implementation. While the needs, complexities, and nuances of every organization are unique, there are some widely recommended best practices to help establish this foundation.
Establish a charter. An ERM charter is an effective way to formally document expected outcomes and goals for the ERM program and emphasize the importance of ERM within the agency. It can be used to identify governance structures and key individuals and their roles in the process. When roles and responsibilities are communicated to key stakeholders and throughout the organization, it defines their accountability and provides a channel for reporting progress and modifying direction.
Charters should be tailored to fit the organization’s needs and culture. The basic components of a charter should include the:
- Purpose of ERM
- Roles and functional activities
- Levels of authority, staffing, and reporting channels
- Risk management approach, including frameworks, rules, or regulations
Build the structure. The structure adopted to implement ERM assists in communication and serves as the hub of information. The first step is the establishment of a risk management committee or council (RMC), typically comprising executive leaders in the organization. In nongovernmental agencies, the RMC might report to the board or a board committee. The RMC should have a separate charter that defines its purpose and objectives, structure and members, authority, roles and responsibilities, key functions, and reporting activities. An individual or group, such as a chief risk officer, internal audit, or general counsel, should also be designated as the ERM champion, a role that typically carries responsibility for gathering and reporting information to the RMC, facilitating ERM discussions and workshops, and handling the other administrative duties needed to maintain the program.
Establish context. Effective risk management must give full consideration to the context in which the organization functions and to the risk aspects of its partner organizations. The risk context includes all factors, both internal and external, that affect the ability of an agency to achieve its stated mission and program objectives. For federal agencies, these factors might include (but are not limited to) the United States Congress, the economy, the agency’s capacity, legal and compliance structures, dependency on partner organizations, and taxpayers.
Understanding and defining the context can inform and shape successive stages of ERM implementation. OMB Circular A-123 lists several vital steps in defining context when applying risk management principles. These include:
- Defining risk tolerance and risk appetite
- Understanding the scope and criticality of the decisions
- Establishing clear goals and objectives
- Considering the relevant time frame for decision-making
- Identifying resource and risk management capabilities
- Considering the availability and quality of relevant information
- Engaging decision makers and key stakeholders
- Relying on existing policies, standards, and requirements
2. Identify risks. This step represents the first major activity of an ERM program. Organizations should recruit subject matter experts across major business units and functions to identify top-of-mind risks that might impede the organization’s ability to achieve its objectives. To provide the most value, the selected individuals should possess both an enterprisewide perspective of strategies and risks and expertise in a specific area. Common examples include representatives from legal, accounting and finance, information technology, human resources, and the organization’s core business functions or programs. There are many ways to accomplish this activity, including but not limited to brainstorming sessions, individual or group interviews, and surveys.
Once risks are determined, organizations should create a risk register. A risk register is essentially an inventory of risks that together represent a comprehensive view, or risk portfolio. The risk register should record attributes for each risk, such as its category, description, and source. This register is a useful tool to define the population of risks and help the RMC determine priorities and action plans, as described in the next step.
Analyze and evaluate risks. Once risks are identified and categorized, the RMC should assess each risk’s impact on the organization’s mission or strategic objectives, its likelihood of occurrence, and its velocity. With this information, the RMC can decide which risks are the most significant and prioritize them based on their likelihood and impact. The velocity of the risk should also be considered. For example, the risk posed by the dissolution of a joint venture might take a long time to come to fruition, whereas a systems failure could cause immediate disruption and therefore has a much higher risk velocity.
When analyzing risk, it is important to consider which risks are integral to what an agency does and whether that level is acceptable based on the organization’s risk appetite. Using scoring criteria for risk impact and likelihood can help prioritize risks by assigning numerical values. This data is useful for reporting purposes since it quantifies the risk value; often the ERM champion will create charts, graphs, heat maps, or other data visualizations to clarify the risk profile for the RMC in order to aid in risk prioritization and response decisions. This analysis helps the RMC monitor whether each risk remains within acceptable levels, and it supports efficient allocation of resources to address the highest priority risks.
Once risks are prioritized, risk response strategies can be determined. These approaches encompass acceptance, avoidance, reduction, and sharing of risks and should be detailed in their planned risk management execution. The RMC should assign risk owners to develop and implement the risk response plans and report progress back to the committee.
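The register, scoring, prioritization, and response assignment described in the preceding paragraphs can be made concrete in a small model. The following is an added example written for this article, not code from the article or from any of the frameworks it cites. It assumes a 1-5 ordinal scale for impact, likelihood, and velocity, a score of impact multiplied by likelihood, heat-map bands at scores of 8 and 15, and a risk tolerance of 10; none of these values come from the article, and the sample risks are constructed from the themes it names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed 1-5 ordinal scale for impact, likelihood and velocity; the article names
# the criteria but prescribes no scale, so this one is a constructed choice.
SCALE = range(1, 6)
# The four response strategies the article lists.
RESPONSES = {"accept", "avoid", "reduce", "share"}


@dataclass
class Risk:
    """One row of the risk register: the attributes the article lists plus scores."""
    name: str
    category: str
    description: str
    source: str
    impact: int        # consequence for the mission or strategic objectives
    likelihood: int    # probability of occurrence
    velocity: int      # how quickly the risk materialises once triggered
    owner: Optional[str] = None
    response: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the register stays comparable.
        for attr in ("impact", "likelihood", "velocity"):
            value = getattr(self, attr)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {attr}={value} is outside {list(SCALE)}")

    @property
    def score(self) -> int:
        """Numerical risk value: impact x likelihood (assumed scoring rule)."""
        return self.impact * self.likelihood


def heat_map_band(risk: Risk, high: int = 15, moderate: int = 8) -> str:
    """Bucket a score into the bands a heat map would colour (assumed thresholds)."""
    if risk.score >= high:
        return "high"
    if risk.score >= moderate:
        return "moderate"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Rank by score; velocity breaks ties so fast-moving risks surface first."""
    return sorted(register, key=lambda r: (r.score, r.velocity), reverse=True)


def exceeds_tolerance(risk: Risk, tolerance: int) -> bool:
    """True when the score is above the RMC's stated risk tolerance."""
    return risk.score > tolerance


def assign_response(risk: Risk, response: str, owner: str) -> Risk:
    """Record the chosen strategy and the accountable risk owner on the register row."""
    if response not in RESPONSES:
        raise ValueError(f"unknown response strategy: {response!r}")
    if not owner:
        raise ValueError("a risk response needs a named owner")
    risk.response, risk.owner = response, owner
    return risk


def open_items(register: List[Risk], tolerance: int) -> List[str]:
    """Names of risks above tolerance that still lack an owner or a response plan."""
    return [r.name for r in prioritize(register)
            if exceeds_tolerance(r, tolerance) and (r.owner is None or r.response is None)]


def build_register() -> List[Risk]:
    """Constructed sample register built from the risk themes the article mentions."""
    return [
        Risk("Data breach", "Information technology", "Loss of confidential records",
             "Internal systems / external actors", impact=5, likelihood=3, velocity=5),
        Risk("Natural disaster", "Operations", "Facility loss from flood or storm",
             "Environment", impact=5, likelihood=1, velocity=5),
        Risk("Negative press", "Reputation", "Sustained adverse media coverage",
             "Public / media", impact=3, likelihood=3, velocity=4),
        Risk("Funding cuts", "Finance", "Reduction of appropriated budget",
             "Legislature", impact=4, likelihood=4, velocity=2),
        Risk("Joint venture dissolution", "Strategy", "Partner withdraws from shared program",
             "Partner organisation", impact=3, likelihood=3, velocity=1),
    ]


def summarize(register: List[Risk], tolerance: int) -> List[Dict[str, object]]:
    """Table-shaped view the ERM champion could hand to the RMC."""
    return [{"risk": r.name, "score": r.score, "band": heat_map_band(r),
             "over_tolerance": exceeds_tolerance(r, tolerance),
             "owner": r.owner, "response": r.response}
            for r in prioritize(register)]


if __name__ == "__main__":
    TOLERANCE = 10   # assumed tolerance set by the RMC
    reg = build_register()
    assign_response(next(r for r in reg if r.name == "Data breach"), "reduce", "CIO")
    for row in summarize(reg, TOLERANCE):
        print(row)
    print("still unassigned above tolerance:", open_items(reg, TOLERANCE))
```

Run stand-alone, the script ranks funding cuts and the data breach highest, shows the two equal-score reputational and strategic risks ordered by velocity, and reports which over-tolerance risks still have no owner, which is the list the RMC would work through when assigning response plans.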
3. Create a risk profile. Creating a risk profile is a useful way to summarize key risks and determine which ones have the most influence on the organization’s mission. For example, the RMC might use the risk profile to identify themes that cross business units or functional areas, such as the threat of a data breach.
Organizations can identify risks by using a top-down approach, a bottom-up approach, or some combination of both. The RMC can serve as a critical transition point to navigate across organizational silos so that management can assess a particular risk from an organizationwide, portfolio perspective. The process of identifying risks consists of conducting interviews and surveys with managers and subject-matter experts who are closest to the operations and most knowledgeable about the risks faced.
4. Respond to risks. With these tools and analyses completed, the organization’s leadership can use this information to decide how to allocate scarce resources, such as budget, analytical capabilities, and management focus, to address risks. The organization’s chief risk officer or ERM champion can help facilitate this process, although managing risk remains the responsibility of the leader of the unit in which the risk primarily resides, and establishing a risk owner to manage each response and related action plan is a best practice. Reports and other documentation can be provided periodically for the board or other members of leadership to track progress.
Reducing risk
To be effective, ERM should be supported by organization leaders who set the tone at the top and who actively participate in the process with all levels of management. ERM is an inclusive process, and key participants should have a diverse and high-level view of the organization. Business unit leaders can participate by helping to define the ERM purpose formally, as well as the authority, structures, and other activities for the organization. With active support of leadership, the agency can implement an iterative, repeatable ERM process to assist in effectively reducing and managing risk.
1 Richard Chambers, “COSO ERM Update: A Vital Tool in 21st Century Risk Management,” Internal Auditor, Sept. 6, 2017, https://iaonline.theiia.org/blogs/chambers/2017/Pages/COSO-ERM-Update-A-Vital-Tool-in-21st-Century-Risk-Management.aspx