Chapter 1

Managing Risk of Federal Agencies and Their Programs through Enterprise Risk Management

Thomas H. Stanton

Fellow, Center for Advanced Governmental Studies, Johns Hopkins University

Risk Management as an Essential Part of Federal Management

The world manifests increasing complexity, and this in turn has increased vulnerabilities for the people of the United States and our government. High-impact events, once thought to occur only rarely, happen with increasing frequency. In the early 2000s alone, costly events included the terrorist attack of September 11, 2001, Hurricane Katrina, the BP Gulf oil spill, and the near meltdown of the financial system, to name some of the larger ones. Chronic costly events include medical errors in U.S. hospitals and periodic outbreaks of food-borne illness such as salmonella and E. coli. Other high-impact risks that materialize from time to time include cyberattacks to bring down systems or steal critical information, and a variety of other homeland security events.

Government plays a role in all of these, either in trying to prevent risk from materializing or in trying to respond effectively. Sometimes there are concatenations of risks, such as when the financial crisis results in a massive increase in workload for the unprepared Federal Housing Administration (FHA) or when a crisis expands from the mortgage market to the larger financial system or when an agency's uncontrolled spending on conferences leads to reputational harm.

Many agencies try to focus on specific risks that gave them problems in the past, such as financial or operational risks for federal financial programs, or acquisition and investment risks for departments and agencies that rely heavily on procurement of major systems and other support for the agency's mission.

However, in today's complex world it is not enough to focus on specific risks identified in the past. A tragic example comes from Camp Lejeune, North Carolina, the nation's largest U.S. Marine Corps base. At Camp Lejeune the Corps trains marines to deal with risks of combat but neglected to respond to reports of contaminated groundwater that ultimately took the lives of hundreds of people, mostly babies, and impaired the health of many more marines and their families over several decades (Fears 2012; House Subcommittee on Oversight 2010).

This book seeks to present a broader concept of risk management, known as Enterprise Risk Management (ERM). Private firms developed the concept and practice of ERM, and federal agencies increasingly adopt ERM into their processes and practices. ERM relates to the fundamental question that federal managers face: “What are the risks that could prevent my agency from achieving its mission and objectives?” Depending on the circumstances and varying from agency to agency, major risks may involve loss of capable people, or lack of adequate systems, or inadequate internal controls, or failure to comply with legal and policy requirements, or need to move operations to a more secure site, or any number of diverse risks.

In Chapter 6, Douglas Webster, coeditor of this book, introduces ERM for federal managers. ERM is less developed in its applications to government than it is for the private sector. A small and growing network of enterprise risk managers is working with increasing success to expand application of ERM to an increasing number of federal agencies and offices. The network recently established a formal organization known as the Association of Federal Enterprise Risk Management (AFERM) and a web site located at www.aferm.org.

The following section sounds the themes of this book. The core idea is that good risk management is an integral part of good decision making. Just as the financial crisis revealed for financial institutions, good risk management in government is integral to general good management. The second section of this chapter focuses on the importance of risk management as a way to make sound decisions. The third section discusses the differences between government and private firms that can make public-sector management more difficult, or at least quite different, than management in the private sector. While some aspects remain constant, such as the importance of clear vision and good interpersonal skills, the rules and organizational environment are more complicated in government than in the private sector. Chapter 4 explores that issue in greater detail. That said, some government managers make sound decisions, while others get themselves into serious trouble when unexpected risks materialize. The section introduces ERM and ways that organizations can implement it. Finally, the fifth section concludes with a brief overview of the chapters of this book and makes recommendations for advancing the practice of risk management in the government.

Risk Management as an Integral Part of Good Decision Making

John Reed, CEO of Citigroup in the 1990s, uses a metaphor to make the case for risk management as a precondition for an organization's ability to perform:

Why does a car have brakes? A car has brakes so it can go fast. If you got into a car and you knew there were no brakes, you'd creep around very slowly. But if you have brakes you feel quite comfortable going 65 miles an hour down the street. The same is true of [risk] limits. (Financial Crisis Inquiry Commission 2010)

Each decision that a manager makes has potential benefits and risks. This is the risk/reward trade-off that determines whether an organization can thrive over the long term. The present author (Stanton 2012) studied a dozen firms in the financial crisis, including four that successfully navigated the crisis and eight that did not. As can be seen in Chapter 10 of this book, the essential difference between those firms was the extent that top managers were open to feedback about possible disadvantages of their decisions. Successful firms respected early warning signs and listened to their risk officers; firms that failed had leaders who fired, excluded, or otherwise disregarded their risk officers.

Professor Sydney Finkelstein of the Tuck School of Business at Dartmouth has analyzed public and private organizations and their decisions. He and his colleagues (2008) found that decision makers may be hampered by misleading experiences in their backgrounds (“fighting the last war”), misleading prejudgments, inappropriate self-interest, or inappropriate attachments, all of which can lead to flawed decisions. Finkelstein and his colleagues point to two factors that must be present for an organization to make a major mistake. First, for any number of reasons an influential decision maker such as a CEO or an agency head makes a flawed decision, and second, he or she makes the decision without listening to feedback that might expose errors and correct the decision.

The remedy, they found, lies with improved decision making. Leaders need to design the decision process to elicit additional experiences and data relevant to major decisions. This can help to offset tendencies toward groupthink. Input from a chief risk officer (CRO) can be an essential part of the discussion. Leaders need to encourage group debate and challenge to ensure that opposing points of view are heard and understood, including the views of the CRO. Managers and cultures must be strong and self-confident enough to create that kind of robust decision-making process. By contrast, the cost of lower-quality decision making, as became clear in the financial crisis and as can be seen in the travails of a number of federal agencies recently called before angry congressional committees, can be substantial harm to an organization and its future.

The focus on sound decision making helps to distinguish what risk management should not be. Risk management does not derive merely from an elaborate quantitative model or formula. Similarly, good risk management is more than a complex new software package. The financial crisis provided painful evidence that strong risk management is not an effective reality at many large firms. Indeed, a major concern is that, if neglected by top management, risk management can become a gesture, loaded with analyses, quantitative models, and processes that add little to an organization's ability to assess and address actual enterprise risk.

The case studies in this book, and especially those in Chapters 7 through 9, of risk management at the Office of Federal Student Aid, the Defense Logistics Agency, and at the Canadian company Hydro One, show how the critical elements in good risk management are good judgment, which takes account of both sides of the risk/reward equation, and good processes that bring needed information, including carefully selected performance measures, to decision makers before they make major decisions. These attributes reflect the quality of an organization's leadership, culture, and approach to decision making. Those are much more important than outlays on expensive systems that, while potentially helpful, depend on decision makers' good judgment to be effective.

The Unique Challenges of Managing a Government Agency

Managing a government agency is different from managing a private firm. Even though many aspects of the two sectors seem similar, the legal rules that govern each sector create quite different dynamics. Former Kennedy School dean Graham T. Allison explored differences between public and private management and concluded that there is a fundamental constitutional difference between the two sectors:

In business, the functions of general management are centralized in a single individual:...