Enterprise Risk Management (ERM) for Government Agencies
By David Hulett
Many people discuss and write about "enterprise risk management (ERM)," but the definition is not always clear and distinct from "project risk management." Some people have written that enterprise risk management means just that everyone in the organization is continually risk-aware or that project risks trickle upward to senior leaders and the most important of these become enterprise risks, perhaps to be managed across several or many projects. These interpretations miss the point of the word "enterprise" in ERM. ERM is qualitatively different from project risk management in several respects, and to confuse the two will result in an underperforming ERM program.
Some Project Risks may be Important at the Enterprise Level.
There are elements of project risk that may be enterprise in nature. One is the recognition that some project risks are so pervasive that they can cut across many projects and in so doing become of greater importance to the organization than if they were limited to a specific project.
Of course a project risk can become an enterprise risk: think of a number of projects reporting that they do not have enough qualified engineers. Consider a commercial oil and gas company. An individual project can get well by taking engineers from another project, but that just shifts the problem to that other project. However, someone at a high level reviewing all projects may detect a systemic agency-wide shortfall in specific personnel, perhaps caused by an uneconomic, unrewarding and unchallenging working environment. Only the leaders with the perspective across the company or a government agency can recognize the pervasive nature of an important risk affecting multiple projects and assess its importance to the organization, and they have the power to address it.
Enterprise Risk Management is Different from Project Risk Management.
However, enterprise risk is qualitatively different from aggregating project risks. Enterprise risk deals with the enterprise objectives that differ in character from those of even very large projects, and here we see an important distinction between project risk and enterprise risk.
Enterprise objectives include broad-scale statements of the impact that the government agency makes on its constituency. In the case of government agencies, the objectives can be quite sweeping, involving the agency’s mission statement.
Government agency mission statements are often both broad and ambitious on the one hand and difficult to achieve or even quantify on the other. Examples from NOAA, Department of Commerce, include "weather-ready nation," "healthy oceans," "resilient coastal communities and economies," and "climate adaptation and mitigation." Think how different these statements are from project-level objectives such as achieving cost, time, scope and quality targets of a project that has already been approved and assigned.
Improving the health or education of specific or broadly-defined segments of the population, ensuring the availability of credit, enforcing government rules and regulations in the approval of drugs, and educating the population on the meaning of climate change are examples of government agency missions.
Agency Actions in Support of Achieving their Objectives
Just think about how to measure attainment of these objectives. Also, imagine how the organization is supposed to “move the needle” toward success or what actions might cause the government agency to be less able to perform its mission. Answering these questions may help to illustrate how enterprise risk management may be intractable and challenging. These objectives are probably more important than finishing a particular project on time and on budget with a complete scope.
The enterprise objectives are also more difficult to measure than are the project-level objectives. The objectives are so broad that many factors other than an agency’s actions can and usually do affect them. Issues of the economy, politics, demographics, world affairs and public attitudes may ultimately be more important than anything that the agency can accomplish even if it is successful in everything it does. Sorting out the influences on the measurement of the objective can be frustrating as well; for instance, the objective may be slipping away more slowly than if the agency were not on the job.
Measuring improvement in the broad enterprise objectives of government agencies is challenging. There may be some available measures such as the number of lives lost from hurricanes or the level of educational achievement or dropout rate, but usually the measures currently available are not devised to evaluate an agency’s mission. It may be possible to devise measures that are more on point than those measures now available, but to implement these may be difficult and expensive.
Various actions of the agency can drive toward or away from achieving the enterprise’s objectives. An examination of the various risks to the agency’s ability to perform its mission should look broadly into what makes the agency effective (e.g., good top management, stewardship of public funds or fair dealing with employees). Avoiding failure in even one of these areas (e.g., poor control of public money or property) is the role of agency leaders and senior managers. ERM contributes to the agency’s strategic decision-making since it examines the risks and their causes that can deflect the agency from its stated mission.
Implementation of ERM
The agency should come to understand, from serious discussion and review of the organic implementing documents, what its risk attitude should be. The staff needs to know the extent of risk that the agency is willing to take in order to achieve its objectives. Too often the bureaucratic and political leadership wants to avoid making mistakes, and this is usually translated into not taking bold actions even in pursuit of objectives of paramount importance. This discussion may not take place, or if it does, it may become irrelevant to agency decisions about its programs, investments or procedures.
Most observers conclude that organizing the agency to deal effectively with enterprise risks requires the direct attention and involvement of top management, not just senior management. It also involves addressing how enterprise risk management should influence agency-wide actions, in good times (plenty of budget) or bad (budget cut-backs). Perceptions by agency staff of the importance of ERM are just as important as the actual fact of its consideration in major decisions. There are ways to develop organizational structures with the prestige and perspective of the agency, and to make those structures actually relevant to important decisions.
The task of involving the agency’s staff in the ERM process is challenging, since some of the characteristics of a successful ERM program are driven by agency leadership and culture. A significant success factor is that the agency leadership and staff can discuss and consider risks to important agency objectives openly and without jeopardizing programs or careers. A common concern is that the agency staff may fear the consequences of speaking up, or may wonder if any of this ERM effort means anything to agency actions and decisions in the end. Also, people are generally "stove piped" by thinking only of risks in their specific assigned areas, so they do not contribute their thinking to risks to the agency’s objectives.
Problems in Thinking about ERM
Many people are talking about "enterprise" risk management as just "all personnel are involved in risk management all the time." This may be an extension of attitudes toward project risk management. They do not understand or make clear the important distinctions, and also the relationships, between enterprise risk and other kinds of risk such as project risk. Because of the perspective of the agency and the importance and breadth of its objectives, thinking in terms of project risk management may be keeping some organizations from developing effective ERM.