Managing Risk in the Public Sector
Risk management has gained importance over the last decade in response to numerous public crises associated with the failure to manage risk. The mortgage and subprime loan crises are prominent examples of what can happen when public and private organizations fail to recognize and manage risk.
In this environment, enterprise risk management (ERM) is a framework to help organizations understand and manage the risks they face. The ERM framework enables organizations to manage risk in a systematic and holistic manner.
What is ERM?
ERM has been defined by the U.S. Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Risks can take many forms, but are often broadly categorized as strategic, financial, operational, reputational, and compliance risk.
COSO divides the ERM process into eight components:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Public and private applications
Initially, ERM was used as a discipline for private sector organizations, but over time its application has been extended to the public sector. In both sectors it is important for organizations to:
- Identify their objectives, in terms of risk and opportunity
- Understand and assess risks and opportunities in terms of likelihood and magnitude of positive and negative risk events
- Identify plans to ensure positive outcomes are achieved and negative outcomes do not occur, or are minimized
- Monitor and report progress against risk management plans
While the public sector may not have some of the same motivations as the private or commercial sector, ERM should not be discounted as a discipline for managing risk. The fundamental concepts of ERM are applicable to both the public and private sectors.
While the profit motive may not be significant to the public sector, the ability to achieve mission, goals, and objectives is, so the underlying motivation is not dissimilar. The public sector may not define its success in terms of profit, but the ERM framework enables agencies to define performance in terms of meeting expectations, cost and resource allocation, and achieving a stated mission.
Certain public sector risks may take on heightened importance. For example, reputational risk will be very important, as the impact on public trust is critical. In many ways, agencies are no different from their private sector counterparts, as they are being increasingly required to do more with less and to update their requirements, all under major scrutiny from the public and elected officials.
A word of caution
Having an ERM infrastructure in place does not guarantee success. For program elements to work effectively, they should not be viewed as a compliance exercise, or be misunderstood.
Key characteristics of successful risk management frameworks include a risk-based, holistic, and proactive approach and culture that identify, manage, and monitor risks. It is a challenge to get this right, even in an environment where the risk management program is viewed as a mature and proven success.
Even though addressing risk may seem like a daunting task, any progress toward a risk management system helps an agency by increasing everyone’s understanding of risk. It is a positive step forward when both the leaders and the employees of an agency can:
- Define the agency's risk tolerance
- Understand the effect of risk on its processes
- Manage and monitor risks to increase the likelihood that goals and objectives are met
An agency on this path is heading in the right direction to better manage the risk that is inherent in almost any organization, and bring value to its stakeholders.
Pat Byer, Managing Partner, Federal Government
firstname.lastname@example.org or 301-902-8514