Not So Risky Business

Contrary to popular belief, risk management is not a new concept within the federal sector. What is new is the increased interest in risk management as a fundamental management practice integrated with the strategic decision-making process at agencies — otherwise known as enterprise risk management (ERM).

Several agencies have been engaged in risk management activities for some time. NASA and the Agriculture Department’s Risk Management Agency are just a few of the agencies with inherent, risk-oriented missions. Federal CIOs have been grappling with risk management and cybersecurity for quite some time as well. Yet, these have been mainly silo efforts; they don’t look at risk relative to the agency’s efforts as a whole. But that’s changing.

Many events served to raise awareness of risk management within the federal sector. Chief among them was the failure of Enron, which led to the enactment of the Sarbanes-Oxley Act for the private sector and the ensuing revisions to OMB-Circular A-123, “Management’s Responsibility for Internal Control.”

Despite the attention (most of it occurring some five years hence), there is still intense debate surrounding the definition and use of ERM within the federal sector. Rather than more discussion, it’s time for action.

IT at the Vanguard

Federal IT offers the ideal setting for applying ERM on a practical rather than conceptual or theoretical level.

Why? Because system and IT project managers are familiar with some form of risk management already. They address project risks when investing, reducing the chance of data or systems compromise through cybersecurity efforts and by completing risk assessments to comply with mandates such as the Federal Information Security Management Act. But here’s a caveat: These exercises often provide only a stovepipe view of risk, often driven by compliance activities, not necessarily by the performance goals, risk assessments and investment plans of the broader organizations.

To carry out federal ERM, IT professionals must push the envelope and begin to proactively integrate risk management decision-making models and processes into their day-to-day operations across programs, just as systems now span programs or even agencies. This approach will help embed ERM into the organizational culture
of government.

A good way to begin is by reviewing and implementing some of the steps in the Enterprise Risk Management Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission. These include identifying, prioritizing and assessing events that could have a significant impact on the agency mission, reputation or operations.

Similarly, the role of the CIO must be included in the senior governance structure responsible for managing a portfolio of risks that cut across organizational silos and not just those that impact the IT function alone.

Former Labor Department CFO Doug Webster explains evolutionary use of ERM well: “Considering financial risk [or IT risk] across all organizational departments is not ERM. The term ERM is much more fundamental to basic management. While the tools of traditional risk management are certainly relevant, what is much more fundamental is the need for recognition by all managers that management of risk is an inherent part of all decision making. When decisions across the enterprise consider the key risks associated with those decisions — regardless of whether those risks are strategic, operational, financial, physical — then we are moving to real ERM.”