Tackling enterprise risk management (ERM) in government has been added to your bookmarks.
Tackling enterprise risk management (ERM) in government
Understanding the Office of Management and Budget’s (OMB's) Circular A-123 and implementing ERM in your agency
Federal agencies face unprecedented risks to achieving their mission, goals, and objectives. To confront this dynamic risk environment, OMB raised the bar and expects agencies to effectively identify and manage risks using an enterprise approach. These expectations and related requirements are prescribed in a revised OMB Circular A-123 titled, Management’s Responsibly for Enterprise Risk Management and Internal Control.
- ERM benefits
- Early stages of ERM implementation
- Continuing to mature ERM capabilities
- ERM success factors
- Leadership in federal ERM
- Video: OMB guidance on ERM: What it is and why it’s important
- In the news
- Get in touch
- Join the conversation
- Related topics
When appropriately implemented, ERM enables greater enterprise-wide discipline and reliability to help agencies better manage risks.
- Reduces chance of crises and problems, thereby allowing leadership to focus more on mission priorities
- Helps protect the agency’s reputation
Identifies, elevates,and manages risks so that the right risks get to the right people at the right time
- Creates a culture where risk identification and elevation is encouraged and rewarded
- Builds line-of-sight into risks across organizational stovepipes to create the opportunity to leverage mitigation approaches for risks with similar root causes
- Provides greater knowledge and insights into enterprise risk to improve resource allocation and strategic decision-making
Early stages of ERM implementation
In OMB’s revised Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, released on July 15, 2016, OMB raised the bar on expectations for risk management. The Circular modernizes existing agency risk management and internal control efforts by requiring agencies to implement an ERM capability coordinated with the organization’s strategic planning process. Establishing an effective ERM program to address an agency’s universe of risks could allow the agency to unlock the value of ERM including allowing leadership to focus more on mission priorities rather than crises and problems, protecting the agency’s reputation, and informing strategic planning and budget decisions.
Continuing to mature ERM capabilities
Adapting ERM for sustainability
Many agencies have learned that the way to success and sustainment in an ERM program is not through a standard “textbook” implementation, but through a flexible and adaptable approach. As a result, programs on the leading edge of government ERM are seeking guidance to adapt their processes and frameworks for sustainability by creatively navigating the many challenges that ERM programs face. By recognizing the challenges facing an ERM program and adapting to those challenges, ERM leaders can be better positioned to build sustainable programs.
Integrating ERM with operational risk management
As federal agencies continue to mature their ERM programs, many are asking how risk management at the enterprise-level relates to risk management at the program, function, or operation unit levels. If ERM is disconnected from the offices responsible for mission delivery, then risks may be identified but not elevated. Integration of ERM and operational risk management holds great opportunity to unlock performance gains that can advance an agency’s mission. In order to unlock those gains, agencies should build on what is already in place, and working well within the agency, so that implicit risk information can be used and acted upon—thereby increasing the value of the information.
Integrating ERM with management activities
As agencies mature their ERM programs, greater value can be driven by leveraging ERM to support and strengthen other agency-wide management activities. Mature ERM programs have enterprise risk profiles that drive risk awareness, mature enterprise risk governance capabilities that drive risk accountability, and risk and performance metrics that drive performance and operational effectiveness. How and when ERM is integrated with other agency-wide management activities depends on a variety of factors and should be tailored to each agency’s unique circumstances.
Integrating ERM with internal control
Integrating internal control with an ERM program can enhance an agency’s ability to systematically identify and manage risks across the organization potentially resulting in increased value. To avoid common pitfalls, ERM and internal control should not be considered as independent risk management functions, but rather as an integrated and cohesive framework to drive strategic decisions across the enterprise. By integrating internal control and ERM programs, an agency can prioritize and respond to risks more effectively and efficiently.
Integrating ERM with strategy
Integrating ERM and strategic planning can make strategic plans stronger while helping focus limited resources on the risks that matter most. An effective ERM program provides visibility into the universe of risks that can impact an agency’s ability to deliver its mission—a mission often articulated in a strategic plan. As a result, the strategic planning process is an ideal place to find—and in some cases respond to—a surprisingly overlooked type of enterprise risk: Strategic risks.
Using ERM to inform OMB’s strategic review process
The annual strategic review assesses departments’ and agencies’ progress in meeting the mission, management, and crosscutting strategic objectives contained in their strategic plans. It informs strategic decision-making, budget formulation, near-term actions, and annual performance reporting. Section 260 of the Office of Management and Budget (OMB) Circular A-11, preparation, submission, and execution of the budget, provides guidance on performance reviews, strategic reviews, and ERM and requires covered organizations to submit a summary of findings to OMB in Spring 2019. The summary of findings must include a discussion of the key findings from their updated ERM risk profile. The ERM guidance in Circular A-11 is expanded on in OMB Circular A-123, management’s responsibility for ERM and internal control. The table below shows which types of organizations are covered by OMB’s guidance.
ERM success factors and why Deloitte Risk and Financial Advisory
To achieve a positive, short-term impact and set the stage for long-term program maturation, Deloitte Risk and Financial Advisory recommends a phased approach to implementing and sustaining an ERM program.
An agency’s success will be impacted by the following factors:
- Acquiring and maintaining buy-in from top leadership
- Framing ERM as a program to help achieve its mission, not as a “gotcha” exercise
- Using a consistent and common framework to identify and manage risk across the agency
- Integrating the framework into the agency’s current risk-management capabilities
- Tailoring the framework to the agency’s mission and programs, culture, and organizational and management structure
- Creating a culture where identification and elevation of risks is encouraged and rewarded
For more than a decade, Deloitte Risk and Financial Advisory’s ERM specialists have helped over 100 clients implement and mature ERM programs, including small and large federal agencies and Fortune 250 organizations.
Leadership in federal ERM
We are passionate in supporting federal agencies implementing ERM, and recognize that our clients face unprecedented risks in achieving their mission, goals, and objectives. As an illustration of this commitment, Deloitte is entering its fifth year of working with the Partnership for Public Service to support ongoing ERM-focused events aimed at facilitating discussions on ERM topics of interest, initiatives, leading practices, and OMB updates. These events have helped create a sense of community among other federal Chief Risk Officers (CRO), ERM and internal control practitioners, and OMB. Further, we stay on top of federal ERM developments through our involvement in the Association for Federal Enterprise Risk Management (AFERM). Insights gained from this exposure mean we understand not only “what” OMB is requiring with its new ERM guidance, but also “why” and “how”.
In the news
How federal employees can become card-carrying experts on risk management
Federal News Network | November 6, 2018
Update on enterprise risk management in government
Government Matters | December 4, 2017
Federal CFO: Preparing for ERM implementation
The Wall Street Journal | November 10, 2017
Agencies get a new playbook for managing risks
Government Executive | August 3, 2016
7 steps to raise the bar on your agency’s enterprise risk management strategy
Federal News Radio | July 29, 2016
OMB prepares to ratchet up enterprise risk management
Government Executive | February 29, 2016