Federal agencies are taking a cue from the corporate world, appointing chief risk officers and putting in place more processes to identify and manage operational risks.
A big reason, according to government risk managers: Many agencies haven’t had strong controls in place to guard against reputational and other nonfinancial risks, and there is increasing sensitivity to how those risks can affect public confidence in the government.
“It’s just the nature of government; we are subject to more scrutiny,” said Tom Brandt, chief risk officer at the Internal Revenue Service and president of the Association for Federal Enterprise Risk Management. “When something goes off track in the government, it is more likely to end up on the front page of a newspaper.”
Enterprise risk management is a method used by organizations to identify and prioritize threats that span across business lines and could affect their ability to operate. Many big companies have adopted more mature risk-management programs in recent decades, following high-profile accounting scandals and the global economic crisis.
The focus on managing enterprisewide risks in the government has been a more recent development, however. The Office of Management and Budget in 2016 revised a key policy on financial controls, urging agencies to establish enterprise risk-management programs.
The OMB’s revision to what is known as Circular A-123 followed high-profile controversies, including allegations of political targeting at the IRS and the troubled rollout of HealthCare.gov following the passage of the 2010 Affordable Care Act.
“We were having at the time all of these incidents in things outside of financial reporting,” said Michael Wetklow, a former OMB official who was involved in drafting the guidance. Mr. Wetklow, now deputy chief financial officer at the National Science Foundation, said the goal was to expand the financial-reporting guidance to include all types of risk.
The OMB’s guidance strongly encouraged agencies to document risk exposures in areas such as reputation, staffing and information technology. It stopped short of requiring agencies to appoint a chief risk officer, although several have done so.
Many risk-management programs in the federal government are still in their early stages, meaning some agencies haven’t yet realized the benefits, according to David Fisher, managing director for public-sector risk consulting at Guidehouse and the first chief risk officer at the IRS.
Fifty-eight percent of federal agencies have created enterprise risk-management programs within the past three years, according to a 2018 survey from Guidehouse and the Association for Federal Enterprise Risk Management. Chief risk officers are responsible for the programs at 43% of agencies, according to the survey.
One of the major benefits of implementing risk management controls is that it forces executives in sometimes walled-off bureaucracies to have conversations across departments, current and former federal chief risk officers said in interviews.
The goals of enterprise-risk programs in government are different from those in business—agencies deliver public services instead of generating profit—but the process is largely the same. A crucial step in setting up a program involves meeting with executives from across an organization to better understand and manage risks.
“It is applied common sense, but it’s hard because what it forces you to do is to ask tough questions,” said Larry Koskinen, who has served as chief risk officer at the Department of Housing and Urban Development since 2017.
One of the top risks facing HUD is its shrinking workforce from staff turnover and budget cuts, Mr. Koskinen said. Between 2008 and 2017, HUD lost 19% of its full-time staff, while staffing increased 11% governmentwide, according to an October report from HUD’s inspector general.
Since implementing its risk-management program, HUD has figured out ways to accelerate the hiring process, according to a spokesman. Between the 2016 and 2018 fiscal years, the length of the hiring process declined 12%, to 111 days, according to data provided by HUD.
Other agencies have created plans to minimize administrative backlogs or improve the way they manage large contracts.
John MacWiliams served as the Energy Department’s first chief risk officer during the Obama administration. One of the most important changes made during his tenure involved helping the agency improve its project management, he said.
The Energy Department has been criticized for cost overruns in its major contracts. Mr. MacWilliams, who now teaches at Columbia University, said the agency established a committee of its experienced engineers from across the department to help officials stay within project budgets and anticipate possible setbacks.
“That kind of discipline did not exist before,” he said. “There was not this interdisciplinary approach.”
Federal agencies are taking a cue from the corporate world, appointing chief risk officers and putting in place more processes to identify and manage operational risks.
A big reason, according to government risk managers: Many agencies haven’t had strong controls in place to guard against reputational and other nonfinancial risks, and there is increasing sensitivity to how those risks can affect public confidence in the government.
“It’s just the nature of government; we are subject to more scrutiny,” said Tom Brandt, chief risk officer at the Internal Revenue Service and president of the Association for Federal Enterprise Risk Management. “When something goes off track in the government, it is more likely to end up on the front page of a newspaper.”
Enterprise risk management is a method used by organizations to identify and prioritize threats that span across business lines and could affect their ability to operate. Many big companies have adopted more mature risk-management programs in recent decades, following high-profile accounting scandals and the global economic crisis.
The focus on managing enterprisewide risks in the government has been a more recent development, however. The Office of Management and Budget in 2016 revised a key policy on financial controls, urging agencies to establish enterprise risk-management programs.
The OMB’s revision to what is known as Circular A-123 followed high-profile controversies, including allegations of political targeting at the IRS and the troubled rollout of HealthCare.gov following the passage of the 2010 Affordable Care Act.
“We were having at the time all of these incidents in things outside of financial reporting,” said Michael Wetklow, a former OMB official who was involved in drafting the guidance. Mr. Wetklow, now deputy chief financial officer at the National Science Foundation, said the goal was to expand the financial-reporting guidance to include all types of risk.
The OMB’s guidance strongly encouraged agencies to document risk exposures in areas such as reputation, staffing and information technology. It stopped short of requiring agencies to appoint a chief risk officer, although several have done so.
Many risk-management programs in the federal government are still in their early stages, meaning some agencies haven’t yet realized the benefits, according to David Fisher, managing director for public-sector risk consulting at Guidehouse and the first chief risk officer at the IRS.
Fifty-eight percent of federal agencies have created enterprise risk-management programs within the past three years, according to a 2018 survey from Guidehouse and the Association for Federal Enterprise Risk Management. Chief risk officers are responsible for the programs at 43% of agencies, according to the survey.
One of the major benefits of implementing risk management controls is that it forces executives in sometimes walled-off bureaucracies to have conversations across departments, current and former federal chief risk officers said in interviews.
The goals of enterprise-risk programs in government are different from those in business—agencies deliver public services instead of generating profit—but the process is largely the same. A crucial step in setting up a program involves meeting with executives from across an organization to better understand and manage risks.
“It is applied common sense, but it’s hard because what it forces you to do is to ask tough questions,” said Larry Koskinen, who has served as chief risk officer at the Department of Housing and Urban Development since 2017.
One of the top risks facing HUD is its shrinking workforce from staff turnover and budget cuts, Mr. Koskinen said. Between 2008 and 2017, HUD lost 19% of its full-time staff, while staffing increased 11% governmentwide, according to an October report from HUD’s inspector general.
Since implementing its risk-management program, HUD has figured out ways to accelerate the hiring process, according to a spokesman. Between the 2016 and 2018 fiscal years, the length of the hiring process declined 12%, to 111 days, according to data provided by HUD.
Other agencies have created plans to minimize administrative backlogs or improve the way they manage large contracts.
John MacWiliams served as the Energy Department’s first chief risk officer during the Obama administration. One of the most important changes made during his tenure involved helping the agency improve its project management, he said.
The Energy Department has been criticized for cost overruns in its major contracts. Mr. MacWilliams, who now teaches at Columbia University, said the agency established a committee of its experienced engineers from across the department to help officials stay within project budgets and anticipate possible setbacks.
“That kind of discipline did not exist before,” he said. “There was not this interdisciplinary approach.”
Leave A Comment