How agencies can use enterprise risk management to implement new legislation

September 8, 2022
Ryan Vuono, Cynthia Vitters, Deloitte teams

Widely used within the private sector, enterprise risk management, or ERM, is today used by federal agencies to address a broad range of risks across their organizations.

When deployed successfully as a formal part of the federal planning and budgeting process, ERM can help agencies identify, prioritize and respond to risks, often leading to more informed decisions and increased programmatic success.

On July 11, the Partnership and Deloitte held a working session, “ERM to Drive Programmatic Success,” featuring Deidre Harrison, acting controller at the Office of Management and Budget, and Bob Westbrooks, executive director of the Pandemic Response Accountability Committee. The meeting was part of a larger effort by the Partnership and Deloitte—first initiated in 2015—to bring together stakeholders from across government to discuss challenges and best practices in institutionalizing ERM.

Among other things, the session addressed OMB’s continued focus on ERM and how OMB expects agencies to use ERM to help successfully implement legislation such as the Infrastructure Investment and Jobs Act, a topic outlined in recent OMB memorandum M-22-12.

“It’s been a while since you’ve had OMB having a specific conversation about ERM,” Harrison said, “but what I am here today to do is make sure you all know that we do care … ERM has really become part of our normal course.” 

Strategies for success with enterprise risk management

The session yielded several valuable insights on how agency leaders preparing to distribute infrastructure dollars could use ERM.

  1. Employ a top-down and bottom-up approach.

    A top-down approach to risk-aware legislation implementation is usually effective when senior agency leaders embrace and prioritize ERM. In addition, blending this approach with a more bottom-up strategy can create an even stronger ERM program and identify risks to new programs proactively. For example, Harrison encouraged risk offices that were having “a problem getting a seat at the table” in these large new programs to “reach out to the program staff, go find the people that are actually implementing these programs, and offer your assistance and work at that level.”

  2. Prepare and monitor.

    While recent coronavirus relief packages provided recipients with short bursts of money, infrastructure law funds are intended for long-term use. This makes it even more essential that agencies employ risk identification and monitoring functions for programs funded by the infrastructure law before they distribute money.

    Westbrooks advised agencies to specify the controls they will use to verify eligibility pre-payment, as well as the controls they will use to monitor payments moving forward. That way, “the [Inspector General], Government Accountability Office, and anybody else can say, ‘This is what you told us on the front end. Is it working as you designed it to be, and do we need to make course corrections?’”

  3. Build strong relationships with your inspector general.

    It is important for risk officers and inspectors general to establish a working relationship to promote information sharing throughout the year. This can be accomplished through ongoing discussions around risk planning, risk evaluation and lessons learned. Consistent dialogue and transparency can create more positive, productive relationships between all parties, and more successful legislation implementations.

    “If you could work with your inspector general to have some sort of small win, whether you learn something and you’re able to change … the way a program is being implemented, or you identified a risk or a mitigation strategy, then you can have that conversation, ‘Look what this benefit of working with the inspector general was,’” Harrison said.

Overall, ERM enables inspectors general and agency staff to conduct proactive, risk-informed decision-making before—and not after—implementing a program. This approach helps agencies frontload important conversations and surface critical information before incurring unnecessary costs.

By embedding ERM into their organizational cultures, agencies will achieve better programmatic outcomes.

“At the end of the day,” Harrison concluded, “each agency needs to develop an ERM framework that works for their leadership and their team … You need to think about your enterprise and the way that your enterprise will best manage risk.” 

This blog was co-authored by the Partnership for Public Service (Victoria Schaefer and Ryan Vuono) and Deloitte teams (including Cynthia Vitters, John Basso, Dave Mader, Larry Koskinen, Ryan Murphy, Eliza Clark and Mark Stofanak).
