Enterprise Risk Management



Enterprise Risk Management: A Guide for Government Professionals
Dr. Karen Hardy
Foreword by Allen Runnels

Cover Design: Wiley
Cover Images: Isometric buildings istock.com/jamie Farrant, Business People Walking istock.com/Robert Churchill, Tightrope Walker istock.com/adrianhillman, Business Executives istock.com/4x6, Informal Presentation istock.com/a-digit, Businesswoman Balancing istock.com/juhat, Businessman Sitting istock.com/trigga, Business Silhouette istock.com/ost, Balance istock.com/blackred

Copyright 2015 by John Wiley & Sons, Inc. All rights reserved.

Published by Jossey-Bass, A Wiley Brand, One Montgomery Street, Suite 1200, San Francisco, CA

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, , fax , or on the Web at . Requests to the publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, , fax , or online at .

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Readers should be aware that Internet Web sites offered as citations and/or sources for further information may have changed or disappeared between the time this was written and when it is read.

The views herein are the author's and do not necessarily represent those of the United States Government.

Jossey-Bass books and products are available through most bookstores. To contact Jossey-Bass directly call our Customer Care Department within the U.S. at , outside the U.S. at , or fax .

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at . For more information about Wiley products, visit .

Library of Congress Cataloging-in-Publication Data has been applied for and is on file with the Library of Congress.

ISBN (cloth); ISBN (ebk.); ISBN (ebk.)

Printed in the United States of America
First edition
HB Printing

CONTENTS

Figures, Tables, and Exhibits ix
Foreword xi
Preface: Managing Risk in the Current Federal Environment xiii

Introduction 1
  State of Risk Management in Government 5
  How This Book Should Be Used 7
  Emerging Risks Today 7
  Top Government Risks 10
  Criteria 11
  Profiles of Select High-Risk Areas in Government 13

CHAPTER ONE: Why Enterprise Risk Management? 27
  Status of ERM in the Government 29
  Limitations to ERM 30
  Risk Management: What It Is and Why It Matters 32
  What Is Risk? 33
  Evolution of Risk Management 36
  Traditional Risk Management versus Enterprise Risk Management 38
  U.S. Federal Government Policy on Risk Management 41
  Establishing an Agency Risk Management Policy 46
  ERM Policy and Practice in Canada 48
  Linking ERM and Internal Control 54
  What Are the Standards for Internal Control? 55
  Assessing Internal Control Structures 68
  Overall Internal Control Summaries 68

CHAPTER TWO: Examples of Risk Management in the Federal Government 81
  Health Risks 82
  Security Risks 82
  Financial Risks 85
  Transportation Safety Risks 86
  External Risks 87
  Case Study: Applying Risk Management in Government: National Institutes of Health 89
  Case Study: National Archives and Records Administration 95

CHAPTER THREE: Managing and Communicating Risk 105
  Writing Risk Statements 111
  Developing a Risk Statement 112
  Inventory of Risk Statements 113
  Risk Assessment Techniques 120

CHAPTER FOUR: Risk Management Frameworks and Standards 125
  Why Voluntary Standards? A Look at OMB Circular A
  GAO Risk Management Framework 129
  ISO 31000: International Risk Management Standard 135
  COSO ERM Integrated Framework 138
  OCEG Red Book 2.0
  FERMA
  BS 31100: An Expanded View of ISO

CHAPTER FIVE: Risk and Performance Management 151
  Risk and Performance: Government 153
  Managing Risk to Performance 157
  An Expanded View of Strategic Risk Management 160
  Risk and Performance: Private Sector 167
  Standard & Poor's ERM Analysis 170

CHAPTER SIX: Building a Risk Culture 173
  Risk Culture Survey 177

CHAPTER SEVEN: ERM Maturity and Assessment 181
  ERM Maturity Models 181
  The Role of the Internal Auditor in ERM 194
  Case Study: The Public Safety Canada Audit of Integrated Risk Management 196

CHAPTER EIGHT: ERM Core Competencies 209
  ERM Core Competency Survey 209
  Summary of Survey Results 211
  Federal versus State and Local Government Views of ERM 216

CHAPTER NINE: ERM Best Practices of Federal Agencies 223
  Ninety-Day Action Plan 223
  Sample Implementation Plan 224
  Words of Wisdom 225

CHAPTER TEN: Conclusion 227

Notes 231
Appendix: Index of Survey Questions and Responses 243
About the Author 279
Index 281


FIGURES, TABLES, AND EXHIBITS

Figures
  Figure 1.1. Evolution of Risk Management 37
  Figure 1.2. Siloed and Enterprise Approach to Risk Management 41
  Figure 4.1. GAO Risk Management Framework 131
  Figure 4.2. ISO Risk Management Framework 135
  Figure 4.3. COSO's ERM Framework Highlights 138
  Figure 4.4. FERMA Risk Management Standard 141
  Figure 4.5. World Map of ISO
  Figure 5.1. Illustration of Goal Relationships 158
  Figure 5.2. Identifying Risks to Strategic Objectives 160
  Figure 7.1. Risk Maturity Rating by Industry 187
  Figure 8.1. Risk Manager Core Competency Model 210

Tables
  Table P.1. American Society for Public Administration Code of Ethics xviii
  Table I.1. Agency Hiring Activities 2
  Table I.2. Changes to GAO's High Risk List,
  Table 1.1. Definition of Risk 34
  Table 1.2. Selected White Collar Occupational Groups, Job Series, and Potential Risks 39
  Table 1.3. Policies for Managing Various Types of Risk in Government 43
  Table 1.4. What Components Are in Place at Your Organization to Aid in ERM Implementation? 48
  Table 3.1. Risk Taxonomy 107
  Table 4.1. GAO Risk Management Framework Matrix 132
  Table 5.1. Advantages of GPRA Implementation 156
  Table 5.2. Adidas Group 2012 Corporate Risk Assessment 169
  Table 6.1. Methods for Influencing Cultural Change 176
  Table 7.1. Five Levels of SEI Process Maturity 183
  Table 7.2. Aon RMI Five Levels of Maturity 186
  Table 7.3. Treasury Board Risk Management Capability Model 191
  Table 7.4. Public Service of Canada Key Risks Related to Integrated Risk Management 206
  Table 8.1. ERM Components in Place in Organizations to Aid ERM Implementation 212
  Table 8.2. Top Three ERM Components in Place: State and Local Government versus Federal Government 212
  Table 8.3. Risk Management Training Rubric 214

Exhibits
  Exhibit 1.1. Template for a General Risk Management Policy in the United States 47
  Exhibit 1.2. Canada's Risk Management Framework Policy 49
  Exhibit 3.1. Inventory of Risk Statements 114
  Exhibit 3.2. State of Washington Risk Map 124
  Exhibit 4.1. Comparison of Standards and Frameworks 127
  Exhibit 5.1. Overview of the GPRA Modernization Act of
  Exhibit 5.2. Six Principles of Strategic Risk Management 162
  Exhibit 5.3. Strategic Risk Management Checklist 163
  Exhibit 5.4. Glossary of Key Performance Terms 164
  Exhibit 5.5. The Challenge of Applying Strategic Risk Management to Homeland Security 165
  Exhibit 5.6. At Risk Brands as Reported by 24/7 Wall St. 168
  Exhibit 6.1. Sample Risk Culture Survey 177
  Exhibit 7.1. Canada Treasury Board Risk Management Capability Model: An Excerpt 188

FOREWORD

Karen Hardy understands the value proposition associated with the practice of enterprise risk management (ERM). With this book, oriented toward informing the federal workforce about ERM, she has contributed significantly to expanding the body of knowledge about this extremely important subject. The insights she shares can help encourage and empower the federal workforce at all levels to identify, assess, and manage risk effectively. She writes from both thought-leader and practitioner points of view and focuses upon the need to advance the practice of enterprise risk management in the federal government. She gives readers specific examples of what the practice of risk management looks like in agency operations, and she also includes information about tools available to help manage risk.

For the few current champions of risk management in government, this book lays the groundwork for enabling them to obtain buy-in from their agency leadership. For agencies without a champion, it provides an easy-to-read road map that answers the basic question of why organizations should adopt the practice of ERM.

As risk in government becomes more dynamic and complex, managers must become more enlightened and equipped to effectively plan for it, anticipate it, and manage it. The huge balance of the federal debt and the lack of political cooperation to resolve it have led to the sequestration of federal funds, driving drastic reductions in resources available to agencies to accomplish their missions. Federal executives and managers have been asked to do more with less for the last several years, a situation that generates even more risk in the execution of government programs and services. In her book, Karen Hardy asserts that for agencies to best navigate their way through these uncertain times and effectively accomplish their missions, they need to develop an enterprisewide approach to risk management wherein everyone in the organization becomes a risk manager.

Karen Hardy has done a stellar job of introducing the subject of ERM to the federal workforce. She seamlessly guides the government risk manager through an extraordinary step-by-step review of all the pieces that make up ERM as a management tool. Her book should be mandatory reading for the federal workforce, because it can fill a huge knowledge gap regarding the value of ERM in contributing to the effectiveness of government. Those tasked with designing, implementing, and sustaining ERM at their agencies will find her book a much-needed reference in their ERM toolbox. Without her book, the practice of risk management in government would lack a key perspective from a real practitioner who not only writes about the subject matter but also is applying it. Karen gives readers an opportunity to understand the value of ERM for best accomplishing agency missions and programs, and, more important, how to apply it in their organizations.

Thanks to Karen Hardy for her efforts in making such a tremendous contribution to the practice of enterprise risk management in government.

Allen Runnels
President
Association for Federal Enterprise Risk Management

PREFACE: MANAGING RISK IN THE CURRENT FEDERAL ENVIRONMENT

It has been said that the only thing constant is change, and the risks and opportunities that come with it. Over the past century, we have seen constant change in every aspect of life. Traditions that were once seen as mainstays and permanent fixtures in our society are now distant memories. Thanks to changes in technology and social norms, the ways in which we live and interact with our families, businesses, and communities continue on a path of rapid evolution.

Key indicators of this change include simple, yet transformational, events that we may have taken for granted. Consider the once-popular radio disc jockey; to a great extent, these announcers have been replaced by iTunes playlists. For many, the iPod has erased memories of the CD player, and books have been transformed into electronic delivery devices such as the Kindle. People by the millions are unplugging from telephone landlines and instead connecting with cell phones, allowing 24/7 access from almost anywhere in the developed and developing world. Telephone booths are now on display in museums rather than on street corners, and drones are fast becoming the next big delivery service.

Even the system for manufacturing products has changed. With the development of 3D printing technology, factory assembly lines will no longer be limited to big car manufacturers in Detroit, Michigan. Rather, manufacturing will be personalized and accessible to ordinary individuals, such as doctors, dentists, and small business owners. On a larger scale, these individuals may soon be able to replicate and customize organs, tools, parts, and other products in minutes and within the confines of their private garages and offices.