Agency Risk Profile: Lessons Learned and Value

 

Background
On July 24, 2018, as part of the AGA’s annual Professional Development Training, AGA and TFC Consulting, Inc. (TFC) hosted a panel discussion entitled “Agency Risk Profile: Lessons Learned and Value.” The panel was dedicated to gathering insights from select agencies about their journeys through their first risk profile, including lessons learned, outcomes achieved, and value created.

This document addresses key points made during the panel discussion by Enterprise Risk Management (ERM) leaders from the public sector. Further, this paper supports the assertion that the Agency Risk Profile is an agile, appropriate tool to recognize and manage risk across an entity. Thoughtfully developed risk profiles, combined with agencies’ honest dialogue pertaining to risk, lead the federal government to greater risk-enabled performance and decision-making.

The paper is organized by questions asked during the session and their corresponding answers. In an effort to mirror ERM inclusiveness regarding risk assessment, the panel encouraged the audience to join the conversation. Both the moderator and the audience posed ERM-related questions, and responses to these questions have been summarized here, for as one panelist memorably stated, “Everyone is a risk manager.”

The panel was introduced and moderated by Daniella Datskovska, TFC Director, and included:

  • Ahmed Jamal Bouaichi, Director, Operational Risk Management, HUD
  • Dan Kaneshiro, JD, MPA, Senior Policy Analyst, OMB
  • Mark Krieger, CPA, Director of Finance, USPTO
  • Andrea Peoples, CRMA, Enterprise Risk Program Manager, SBA


How are the President’s Management Agenda (PMA) and ERM linked?
Government modernization, according to the PMA, will move away from a silo approach toward an intersection of transforming technology, data, processes, and people. Cross Agency Priority (CAP) Goals underscore the importance of strategically integrating the execution of mission. ERM will reflect the PMA’s focus on integration. It will graduate from a “bolt-on” approach that separates program and risk management processes to a “built-in” method that unifies current ERM practices with an agency’s operational cadence.

The ERM Framework contains seven cyclical components: Establish Context; Identify Risks; Analyze and Evaluate; Develop Alternatives; Respond to Risks; Monitor and Review; and Continuous Risk Identification and Awareness. It also includes three enterprise components: Communicate and Learn; Extended Enterprise; and Risk Environment/Context.

In addition to this ERM Framework, the Office of Management and Budget (OMB) indicates the following components should be included in Agency Risk Profiles: 

  • Identification of Objectives  
  • Identification of Risk 
  • Inherent Risk Assessment 
  • Current Risk Response 
  • Risidual Risk Assessment  
  • Proposed Risk Response 
  • Proposed Action Category 

Although the list of expected risk profile data elements has been defined, agencies have discretion and flexibility in designing their respective risk profiles. This agile approach allows entities to tailor risk assessments that represent their organizations and reflect their own culture, risk process maturity, and specific risk prioritization methodology.
 

What is OMB’s timeline for ERM implementation?
In Spring 2018, agencies took part in an “Integration with Strategic Reviews” phase, in which they updated risk profiles in coordination with agency Strategic Reviews. In addition, all key findings were included in the OMB-Agency Strategic Review agenda and discussion.

In Fall 2018, agencies will shift focus to an “Integration with Management Evaluation of Internal Control” phase. Organizations will present assurances on formal internal control processes for all risks included in the FY 2018 risk profile, the agency FY 2018 Annual Financial Report (AFR), or the Performance and Accountability Report (PAR).

In addition to ERM-related changes implemented in 2018, agencies must update their risk profiles at a minimum, annually.


What has been the process and lessons learned from defining agencies’ first risk profile?
Through engaging discussion, panel participants shared about on-going experiences in creating and maturing their risk profiles. While ensuring conformity with OMB guidelines, agencies reported appreciating the opportunity to create profiles that properly align with their own missions and their specific risk management culture and approach. In the first year, some agencies identified ERM as integral to strategic planning and development. Risk management leaders distributed questionnaires, conducted Strengths-Weaknesses-Opportunities-Threats (SWOT) analyses, and engaged Risk Management Council and subject matter experts (SMEs) to write up risk registers, or lists of risks within agencies. The risk management leaders and SMEs then scored risks on likelihood and impact. The results were generated into heatmaps, a common visualization tool, which allowed agencies to see where each risk fell within their risk universes. 

In addition to plotting risks on a heatmap, agencies registered them in a risk catalog and selected key risk indicator data points to monitor risk triggers and control identified risks. All of these methods are examples of the government’s initiative to strengthen ERM through customized processes. Although profile definitions differ across government, agencies agree that an effective risk profile is one that is easy for senior management to interpret and manage and one that can persuade leadership that ERM informs the strategy, goals and mission of the agency.


What was the most difficult experience of the risk profile process? Most satisfying?
The excitement of a new and improved risk assessment process brings with it both frustration and satisfaction. ERM leaders have found the most difficult part of the initial exercise is getting employees to disclose perceived risks honestly and transparently. Stakeholders and senior management at times have attempted to persuade decision-makers to prioritize certain risks rather than describe the risk process.  Stakeholders who are merely interested in personal agendas do not effectively contribute to the process of creating risk profiles. In fact, they exemplify the silo approach ERM is meant to replace.

Although transparency was a hurdle in the risk profile definition process, it was also used in the most satisfying part of the new program, which panelists agreed was the chance to sit down and have an honest discussion about risk, how it is managed now, and what must be done to help an organization prepare for risk in the future. When agency entities agree to work together to assess and manage common risks, the process can prove to be a rewarding and valuable exercise.


Once the risk profile was developed, how was it shared with GAO, OIG and OMB? 
The 2016 release of OMB’s updates to the A-123 program took longer than expected. OMB cites challenges in defining the role of OIG and integrating their involvement. Multiple paragraphs of the A-123 revision were dedicated to this topic. Although OMB’s involvement has been defined, little has been shared about agencies’ coordination with OIG in A-123 efforts.

This gap in coordination is mirrored in ERM’s initial stages. Some agencies have had their reservations about discussing specific risks to maintain confidentiality. Fortunately, other agencies have found ways to include OIG in the ERM process by developing strong relationships with OIG representatives to enable systems of communication and assurance. In some instances, agencies have invited OIG to events, such as the Partnership of Public Service, to help OIG personnel learn the purpose, importance and function of ERM and its risk profile. One participant suggested that proper training will enable accurate assessment of the program. Although OIG, OMB and GAO have not yet been invited to share any specifics on agencies’ risk profiles, the confidentiality of the program is understood. The goal is to get the process up and running effectively before formally sharing specific risk profile elements with OIG, GAO and OMB.


What is the ERM Value Proposition? 
One participant noted, “If managers do not find value in this process, they have not implemented it correctly.” Indeed, OMB asserts that the ERM program offers inherent value because:

  • ERM addresses a fundamental organizational issue—the need for information about major risks to programs and operations, flowing both up and down the organization and across its organizational structures, to improve the quality of decision-making.
  • ERM seeks to open channels of communication to grant managers access to information they need to make sound decisions.
  • ERM increases the probability that agencies will achieve strategic objectives.
  • If the risk management approach chosen by an agency does not appear to be creating value, there is little rationale for continuing on that trajectory.
  • An agency should be capable of discerning whether a particular approach is creating value or if it is time to institute new processes.

Our panelists agreed that once an agency uses a value-based mindset rather than a compliance-based thought process to consider risks, a more productive conversation begins, which leads to greater risk-enabled daily management of an agency’s mission and mission-support operations. In addition, when senior management meets with Congress, the risk profile contains substance and support for the proposed Strategic Goals and Budget.


Conclusion
To date, 2018 is the most important year in the federal government for risk management and assessment. Through the PMA, OMB has updated Appendix A of OMB Circular A-123, Management of Reporting and Data Integrity Risk, and updated the mandates, guidelines and schedule for ERM implementation, beginning with the agencies’ robust challenge to complete risk profiles. This charge, although laden with parameters, does allow organizations to execute according to their mission and strategic goals. Also, while the process can be unique to each organization, agency representatives report similar experiences, including the importance of honest dialogue about risk with senior leadership. ERM buy-in from all levels of the organization, from analyst to CFO, will foster a more effective campaign and a risk-responsible government. Gone are the days of siloed risk responsibility. We are all risk managers.