Enterprise Risk Management (ERM) is a large and sometimes confusing topic. It is difficult to put boundaries around, because we already have different tools, processes, and regulations for managing different types of risk. Questions arise, such as: if we already have tools, processes, and regulations to manage financial risk and IT risk, do those risks still fall under the umbrella term “ERM”? If they do, is there a further ERM layer of tools, processes, and regulations that we must also use and follow? The underlying question is simply “what is ERM?”.
So let's start with examples of federal enterprise risks. The “Maroon Book”, which I will discuss more below, gives many examples:
- cyber attacks on our critical infrastructure
- strategic human capital management
- the 2010 BP oil spill
- unfunded/underfunded pension programs
- protecting public health through oversight of medical products and food safety
- managing spending and acquisition programs that are constantly over budget
- the financial viability of the Postal Service
You can see that the financial and IT risks mentioned earlier do fall under ERM, as do many others. In the past some of these types of risk were poorly managed, or not managed at all, and even knowing where to start was confusing. This was made worse in the federal space, where the Intelligence Community and DoD have invented many unique risk management processes to protect sensitive areas, operatives, and operations. The federal government is so big and diverse that it has historically had a fragmented and inconsistent understanding of what risk is, how to classify it, and how to manage it. Fortunately, that era seems to be coming to an end.
As a practitioner, I have personally seen a lot of meaningful development in the last 2-3 years, and I feel like 2015 is going to be the turning point for federal ERM. Some developments I would point out:
- The Association of Federal Enterprise Risk Management (AFERM) started small in 2008 as a steering group, but has built a lot of momentum in the last few years in terms of membership, visibility, and influence.
- The recent release of Enterprise Risk Management - A Guide for Government Professionals, also known as the “Maroon Book”, provides a single authoritative position on what federal ERM is and how to use it.
- Embrace of ISO 31000. The US federal government loves to create processes (even redundant layers of them), so adopting this international standard instead of reinventing the wheel is a huge step forward. It aligns the federal space with a wide range of potential vendors, partners, and industries that share a common risk taxonomy and set of processes.
- OMB has repeatedly stated that risk management is a top management priority for federal agencies, and to that effect has released revised versions of Circulars A-11 and A-129 and is working on an update to A-123, all with new language stressing risk-based decision making.
- Many Departments and agencies have recently created and filled positions titled “Chief Risk Officer” and “Risk Management Officer”.
- Most compelling to me personally, as an employee of a GRC company, is that we are starting to get regular invites from large federal civilian Departments and agencies to discuss RSA Archer’s approach to ERM through our solutions. This was not something that was happening even two years ago.
For more information on ERM, see the resources mentioned above. You can also check out my colleagues’ blogs on RSA’s take on Operational Risk Management, as well as Gartner's latest report, which is also relevant.
As always, thanks for reading, and email me with questions or comments.