The US federal government has been adopting the corporate world’s lessons in enterprise risk management (ERM) for some time, but the effort became much more urgent this past July with the Office of Management and Budget’s (OMB) update to Circular A-123. The circular is issued to all federal CFOs, CIOs, and program managers.
Now, executive departments and agencies must adopt ERM alongside internal controls, and they are on a tight timeline to do so. Agencies have been encouraged to implement ERM “as soon as practicable”, and the initial “risk profiles” each agency is required to produce, documenting the risks it faces, are due on June 2, 2017.
However, hard as it may be, senior agency staff, who are already working through an administration transition, should look beyond the looming deadline rather than treating ERM implementation as yet another box to check.
ERM can help entire organizations be more productive and effective. It can help senior teams align their tolerance of risk with the organization’s strategy; it can give employees a greater understanding of senior managers’ decision making; and it can make it easier for those in different “organizational silos” to work together and to manage big risks, such as cyber attacks, that require that kind of coordination.
But, for all this goodness to flourish, managers at all levels in the organization will need to understand the role they should play in introducing and maintaining an ERM approach.
Supporting the Front Lines of ERM
Right now, many government agencies are focused on activities such as gaining buy-in for ERM from senior leadership, setting up ERM councils, and writing charters to prepare for the upcoming deadlines.
But 66% of those already running ERM programs at government agencies report that the greatest challenge to risk management comes from middle and front-line management. Because these middle and front-line managers will become the risk owners responsible for identifying and mitigating risks, it is important to plan early for how to engage them properly.
The key to getting ERM implementation right is to help employees develop the right capabilities for ERM, rather than simply getting them energized and committed to the idea. When undergoing any big change, such as ERM, organizations see three times as much success when they build the “capability for change” as when they build commitment to the change itself, according to CEB analysis.
This requires organizations to help all employees adapt to the change they are facing; there are three steps that will help with this.
Provide risk owners with support tools: One common problem organizations face when transitioning to ERM is the lack of a standard language of risk across the enterprise. Risk terminology may be unfamiliar to employees, or certain terms may mean different things to different people.
One organization in CEB’s network of government finance teams overcame this challenge by providing risk owners with a standard risk taxonomy along with a home-grown database for documenting and analyzing risk events. Organizations will also benefit from creating a glossary of common risk terms.
Embed risk management coaching into business units to reinforce ERM accountability and support: Because ERM teams are small and often sit outside the networks of risk owners, ERM can be met with skepticism and struggle to gain legitimacy.
Agencies can overcome this problem by creating an ERM liaison network. These liaisons help embed ERM by coaching risk owners, ensuring risk-adjusted strategic decisions, fostering a culture of risk awareness, and sharing best practices and information.
Ensure continuous risk communication among all levels of the organization: Another common challenge when transitioning to ERM is the misalignment between risk policy and behavior. For example, employees often fail to act within the executive team’s desired risk appetite due to a lack of communication, vagueness of communication, or mixed messages.
One organization overcame this challenge by setting up a feedback loop to foster consistency between the stated risk appetite and actual risk-taking behavior.