Status of ERM in the U.S. Federal Government
Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In 2015 the Office of Management and Budget (OMB) issued Circular A-123. It requires all federal agencies to implement Enterprise Risk Management (ERM). ERM is a methodology that allows an organization to systematically identify, prioritize and reduce the adverse impact of risk events, such as fraud, cyber-attacks, mismanagement, and natural disasters, that could prevent the organization from accomplishing its mission and objectives.
For the past several years federal agencies have been surveyed to determine the extent of ERM implementation. This article reviews the results of the past four years.
Federal Enterprise Risk Management Survey
In November 2018, the results of the latest ERM survey of U.S. federal agencies were released. Twenty-one federal agencies responded to the survey in 2018.
The main conclusion of the 2018 survey was that there are still structural and cultural barriers to the development of ERM maturity. On the positive side, the maturity of ERM is facilitated when the ERM process is run by a Chief Risk Officer.
Extent of ERM Implementation and Integration into Organization Practices
A comparison of the 2016 to 2018 results on several questions shows the overall ERM changes. The questions and results are below.
Question: Is the focus of your Organization’s ERM program comprehensive, encompassing a holistic view of mission and mission support functions?
Answer: Yes: 2018 – 71%, 2017 – 73%, 2016 – 57%
Question: To what extent has your Organization integrated Enterprise Risk Management into strategic planning?
- Very Highly Integrated: 2018 – 4%
- Highly Integrated: 2018 – 24%, 2017 – 3%, 2016 – 20%, 2015 – 8%
- Moderately Integrated: 2018 – 36%, 2017 – 67%
- Slightly Integrated: 2018 – 42%
- Not Integrated: 2018 – 4%, 2017 – 31%
Question: To what extent has your Organization integrated Enterprise Risk Management into the budget processes?
- Very Highly Integrated: 2018 – 4%, 2017 – 5%
- Highly Integrated: 2018 – 8%
- Moderately Integrated: 2018 – 26%, 2017 – 44%
- Slightly Integrated: 2018 – 46%
- Not Integrated: 2018 – 16%, 2017 – 44%, 2016 – 38%
The responses to these three questions indicate federal agencies are progressing with ERM implementation. In 2016, 57% of the agencies had implemented ERM. By 2018, 71% had implemented ERM. In terms of actual practices, by 2018, 96% were using ERM in their organization’s strategic planning. This is an improvement over the 69% in 2017. Eighty-four percent had integrated ERM into the budget process in 2018. This is an improvement from 2017, when fifty-six percent indicated they had integrated it into the budget process.
Reason for and Benefits from Implementation
The data does indicate that twenty-nine percent had not implemented ERM. This is in line with the overall conclusion that there are barriers to ERM implementation. The main barriers include cultural resistance to change, problems bridging silos, and getting executive-level buy-in.
The key motivators for the adoption of ERM are OMB Circular A-123 (2018 – 54%) and a desire to improve management decision-making (2018 – 27%, 2017 – 39%). Thus, the reasons for adoption are mixed.
The key benefits of implementing ERM were:
- Enhanced Management Decision Making by using data produced by ERM: 2018 – 61%
- Improved Resource Deployment: 2018 – 27%
- Reduced Duplication and Risk Assessment and Compliance Activities: 2018 – 24%
The mandate from OMB that agencies adopt ERM is the key reason that ERM is being adopted, while improved decision making is stated as the second most common reason for ERM adoption. The efficiency benefits most often cited are enhanced decision making, improved resource development and reduced duplication.
Areas Where Improvement Is Needed
The two areas which would have the most beneficial impact on ERM implementation are upper-level management commitment and tone at the top, and cultural change to accept ERM.
Agency ERM emphases for the next twelve months are ERM training and awareness, monitoring and reporting, and OMB Circular A-123 compliance. OMB Circular A-123 compliance receives greater emphasis from larger agencies and the smaller ones.
The surveys indicate that ERM is being successfully implemented in federal agencies. It is slowly being integrated into the budgetary and strategic planning processes. However, twenty-nine percent are not implementing ERM. The barriers to implementation are lack of upper management support, cultural resistance and the difficulty of breaking down silo barriers.
The progression of the question gradients (slightly, moderately and highly) shows that federal agencies are progressing to the point where risk maturity can be assessed. Risk maturity is the degree of ERM sophistication an agency exhibits. As agencies become more sophisticated in their implementation and integration of ERM, it is likely that ERM will find its way into policies, procedures and regulations. Ultimately, it will become a federal mandate, one which could find its way into grant and loan application requirements. In short, as federal agencies become more sophisticated and comfortable with ERM, they will push its use to lower levels of government. This is a process which is occurring in Australia, South Africa and the United Kingdom.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager®. He has over ten years’ supervisory and managerial experience in both the public and private sectors. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality and risk analysis in government. He can be reached at firstname.lastname@example.org