Tackling Enterprise Risk Management (ERM) in Government

Continuing to mature ERM capabilities

Turning your risk profile into an action plan using risk appetite
Risk appetite gives organizational leaders a measuring tool to prioritize risks for action or capitalize on opportunities. Risk appetite (and tolerance) are a vital to setting parameters around how much risk the organization is willing to accept, where it is over exposed to risk, and provides guideposts for whether risk taking will achieve strategic results. Risk appetite can be used within ERM and other programs to inform a risk profile, or risk profiles can be used by organizational leaders to codify their risk appetite to inform risk response planning.

Adapting ERM Program for Growth
ERM must continuously adapt and innovate to maintain momentum, expand executive buy-in, and drive shifts to organizational risk culture to deliver its value. To continue to grow and achieve maximum benefit for an ERM program leadership must adapt by being realistic about the enterprise, embracing risk, and making an impact though risk management. Agencies can create ERM growth for long-term success by focusing on these key areas to help foster and build a risk-aware culture that highlights ERM at all levels.

Integrating ERM with Operational Risk Management
As federal agencies continue to mature their ERM programs, many are asking how risk management at the enterprise-level relates to risk management at the program, function, or operation unit levels. If ERM is disconnected from the offices responsible for mission delivery, then risks may be identified but not elevated. This could cause agencies to miss opportunities to properly resource and effectively manage those risks and create the potential for those risks to mushroom into agency-wide crises.

Integrating ERM with Management Activities
As agencies mature their ERM programs, greater value can be driven by leveraging ERM to support and strengthen other agency-wide management activities. These management activities, which are critical to mission success, include strategy, program integrity, internal control, fraud, performance, budget, and cyber. Important information from an ERM program that can and should be integrated and shared across these activities includes: a risk profile, risk analytics & sensing, risk responses, risk appetite, risk tolerances, and key risk indicators (KRIs).

Integrating ERM with Strategic Planning
Agencies rely on strategic planning to deliver on their mission, however risks to the agency’s ability to deliver on its mission lie within the strategic objectives. Incorporating ERM functions to provide data and findings from ERM during the strategic planning process can help address both mission and mission-support challenges and opportunities.

ERM to Inform OMB’s Strategic Review Process
The annual Strategic Review assesses departments’ and agencies’ progress in meeting the mission, management, and cross-cutting strategic objectives contained in their strategic plans. It informs strategic decision-making, budget formulation, near-term actions, and annual performance reporting. Section 270 of the Office of Management and Budget (OMB) Circular A-11, Preparation, Submission, and Execution of the Budget, provides guidance on Performance Reviews, Strategic Reviews, and Enterprise Risk Management (ERM) and requires covered organizations to conduct strategic reviews annually. ERM is designed to make the Strategic Review more robust, enabling risk informed decision-making, budget formulation, and performance analysis and reporting. Effectively integrating ERM into core on-going business processes and requiring the engagement of critical stakeholders and their support. Effective ERM implementation involves breaking down silos and increasing transparency. Without using the risk profile to inform the Strategic Review process, department or agency leadership could potentially fail to understand risks that can only be effectively addressed through an organization-wide action plan.

Back to top

ERM success factors and why Deloitte Risk and Financial Advisory

To achieve a positive, short-term impact and set the stage for long-term program maturation, Deloitte Risk and Financial Advisory recommends a phased approach to implementing and sustaining an ERM program.

An agency’s success will be impacted by the following factors:

• Acquiring and maintaining buy-in from top leadership
• Framing ERM as a program to help achieve its mission, not as a “gotcha” exercise
• Using a consistent and common framework to identify and manage risk across the agency
• Integrating the framework into the agency’s current risk-management capabilities
• Tailoring the framework to the agency’s mission and programs, culture, and organizational and management structure
• Creating a culture where identification and elevation of risks is encouraged and rewarded
  

For more than a decade, Deloitte Risk and Financial Advisory’s ERM specialists have helped over 100 clients implement and mature ERM programs, including small and large federal agencies and Fortune 250 organizations.

In the news

How federal employees can become card-carrying experts on risk management
Federal News Network | November 6, 2018

Update on enterprise risk management in government
Government Matters | December 4, 2017

Federal CFO: Preparing for ERM implementation
The Wall Street Journal | November 10, 2017

Agencies get a new playbook for managing risks
Government Executive | August 3, 2016

7 steps to raise the bar on your agency’s enterprise risk management strategy
Federal News Radio | July 29, 2016

OMB prepares to ratchet up enterprise risk management
Government Executive | February 29, 2016