Risk management's role in government

When the risk is measured in lives, the solution is chosen with care

A jetliner crashes. Executives at investment banks earn bonuses while investors and homeowners lose billions of dollars as subprime mortgages melt down. Tainted food poisons dozens. A new flu virus closes schools and panics parents. At first glance, it's easy to get upset at the failures in managing the public's risk and overlook the successes.

The fact is, our air travel systems, financial markets, food inspections and healthcare system are safe and successful virtually all of the time thanks to a government that, overall, effectively manages our nation's collective risks – risks that individuals, companies or even nongovernmental organizations like charities cannot manage alone. The US government manages public risk in numerous ways:

For the common good. Whether it's national defense, homeland security, or emergency and disaster response, the federal government manages a broad spectrum of risks that private individuals cannot address.
Risk regulator. The federal government regulates risks between private entities and spells out who owns risks and what levels are acceptable.
Shaper of risk. The government also creates opportunities through structured risks. Whether it's the Small Business Administration, Defense Advanced Research Projects Agency (DARPA), or the American Recovery and Reinvestment Act (otherwise known as the 2009 stimulus program), government can create an effective environment where risk and innovation are in balance.
Risk manager of last resort. In a variety of ways, the government provides a firewall against runaway risks to ensure stability in numerous areas, such as the financial markets. The management of this risk, of course, must be counterbalanced by not encouraging moral hazard – that is, expecting the government to always absolve one of the negative consequences of the risks taken.
Internal risk management. Federal agencies and departments of all stripes deliver programs and services to the public. They must manage the risks inherent in their own operations to ensure citizen satisfaction and the delivery of value for money.

Introduction of ERM
At first, each risk area (strategic, operational, financial and insurable) was managed independently, in silos. However, it soon became apparent that by adopting a holistic view of their overall risk exposures and initiatives, companies could benefit by ensuring risks were not being over- or under-managed. The concept of enterprise risk management was born. Enterprise risk management (ERM) improved the executive's ability to make better decisions that more accurately reflect the true nature of the risks in the business environment. Of course, no other organization presents both the levels of complexity and risk that the federal government faces daily. For instance, consider that, through Medicare and Social Security, the US is the largest insurer in the world. Consider also the magnitude of the strategic, operational, financial and insurable risks that the government confronts daily. Not surprisingly, ERM is rapidly gaining attention in government circles as a discipline that can significantly improve governmental performance.

Unfortunately, risk management in government isn't as straightforward as it is in the private sector. Not only is the magnitude of the consequences so much greater, there are also added dimensions in the form of politics and stakeholder motives that extend beyond simply measuring increases in a company's profit or loss statement. On Capitol Hill alone, there are 535 "risk managers," each with differing views of the importance of risk based on local concerns and party affiliation. With every election, or news event, the priority can radically change.

Government risk managers tasked with carrying out the wishes of Congress must fashion definitions of successful risk management that reflect both pragmatism and political concerns, not merely ROI. It is challenging to quantify both the probability of a negative outcome (a failure) and the impact of that failure on citizens. As a result of scale and political dimensions, it becomes daunting to stand up and answer the questions "What is the acceptable level of risk?" and "What losses are we willing to accept in pursuit of our objectives?" In a manufacturing context, this would be the limits of tolerance or quality control. But the federal government isn't a factory. Is it acceptable for some people to be injured by a new drug even if a vast number of others find relief from their pain and misery?

The impact of unintended consequences is much larger at this level as well. For instance, laws to limit lead products in children's toys can go too far if they also restrict all uses of lead in motorcycle brake and clutch pedals that pose a minuscule risk to children. Decisions to destroy batches of vegetables incorrectly thought to be tainted with salmonella can cost hardworking farmers, and their insurers, hundreds of millions of dollars. However, few public officials are willing to defend decisions that may lead to even the smallest failures. And risk without responsibility is a recipe for disaster, as we've seen in instances ranging from the losses of space shuttles to Hurricane Katrina.

Manipulating risk
In recent years, this culture of preventing all failures without fully understanding the cost has become pervasive. The elemental definition of risk and risk tolerance has changed, and that's changing the fundamental assessments of risk by adding in significant uncertainty. Issues of moral hazard are far less clear today than they were even a year ago. It's impossible to simulate scenarios because political influences can disrupt the models without notice.

For instance, bondholders who have seen the bankruptcy of Chrysler and General Motors abrogate their preferred rights may fundamentally change their perception of lending risk. When long-standing rules change without any notice, and when failure can't be reasonably quantified or becomes subject to more arbitrary factors, then risk management really becomes akin to gambling. In addition, if the expectation or possibility of failure is eliminated, market participants may have incentive to engage in risky behaviors that can diminish the government's ability to manage risk for the good of all.

Transparency is required
For ERM to be effective, risk managers, rank-and-file employees, and executives must create decision-making behaviors that value transparency. That culture can only be achieved through objective information with attainable goals. In government settings, such information makes it virtually impossible to evade responsibility and accountability. Too often, this runs counter to the prevailing culture and necessitates a transformative change that will empower people to openly discuss assumptions, constraints and the risks that they confront. It requires boldness, even if it means that progress is measured in small steps. But, with President Obama's directives to improve transparency and collaboration, we're already seeing signs of improvement.

The future of ERM, IT and government
Collectively, these three factors – government agencies' reliance on IT and the reputational risk posed to senior executives by its failure; the Obama administration's mandates for an open, accountable government; and White House appointments of a CIO and CTO – make government IT operational risk management an imperative. IT is also a good place to start ERM since IT risk management involves the management of strategic as well as financial risk. By initially focusing on the management of IT operational risks (the people, processes and technology needed to implement or sustain IT operations), not only can IT operational performance improve, but the beginnings of an overarching ERM framework can be laid out that goes beyond IT.

Most successful ERM programs have a top-down, senior management pull (i.e., "What are my agency's or department's risks?") and a bottom-up push of objective information from the working level to answer that question. Remember, strategic decisions can't be better than the objective information created at the program and project levels. As government's role of risk manager expands in reaction to changing risks, and perceptions of risk, IT-led ERM will take on an increasingly greater role.

Robert Charette, President of the consulting firm ITABHI Corp., has advised federal agencies and FORTUNE 100® companies and written, lectured and consulted extensively on risk management strategies across the globe.
