Enterprise Risk Management: A Guide for Government Professionals

PRAISE FOR ENTERPRISE RISK MANAGEMENT "We applaud Dr. Hardy's latest contribution to the field of enterprise risk management. Her book, which expands on earlier work done for the IBM Center, provides a thorough foundation for public managers to appreciate and act upon the challenges they face, no matter at what level of government. Her book serves as a sorely-needed resource guide for busy executives, offering real-life examples, best practices, and different models for use." —Daniel Chenok, Executive Director, IBM Center for the Business of Government "C. W. Ceram once wrote: 'Genius is the ability to reduce the complicated to the simple.' With this quote in mind, I have often found the topic of Risk Management and the related readings to be quite complicated to grasp and implement. Then along comes Dr. Hardy and her book, Enterprise Risk Management . She is a risk-management genius in that she takes this challenging concept and helps the reader to truly understand Risk Management and how to implement a solid Risk Management Approach." —Christopher P. Neck, Associate Professor of Management, University Master Teacher, Arizona State University "Dr. Hardy provides public sector professionals with a much-needed, comprehensive resource manual on the adoption of Enterprise Risk Management as a modern managerial tool. Through effective and practical advice, she does an excellent job of guiding readers through a step-by-step process, focusing on how to strengthen decision making at the strategic level." —Stefano Losi, Enterprise Risk Management Programme Officer, United Nations, New York* *The views expressed herein are those of the author and do not necessarily represent the views of the United Nations.

Figures, Tables, and Exhibits ix Foreword xi Preface: Managing Risk in the Current Federal Environment xiii Introduction 1 State of Risk Management in Government 5 How This Book Should Be Used 7 Emerging Risks Today 7 Top Government Risks 10 Criteria 11 Profiles of Select High–Risk Areas in Government 13 Chapter One Why Enterprise Risk Management? 27 Status of ERM in the Government 29 Limitations to ERM 30 Risk Management: What It Is and Why It Matters 32 What Is Risk? 33 Evolution of Risk Management 36 Traditional Risk Management versus Enterprise Risk Management 38 U.S. Federal Government Policy on Risk Management 41 Establishing an Agency Risk Management Policy 46 ERM Policy and Practice in Canada 48 Linking ERM and Internal Control 54 What Are the Standards for Internal Control? 55 Assessing Internal Control Structures 68 Overall Internal Control Summaries 68 Chapter Two Examples of Risk Management in the Federal Government 81 Health Risks 82 Security Risks 82 Financial Risks 85 Transportation Safety Risks 86 External Risks 87 Case Study: Applying Risk Management in Government: National Institutes of Health 89 Case Study: National Archives and Records Administration 95 Chapter Three Managing and Communicating Risk 105 Writing Risk Statements 111 Developing a Risk Statement 112 Inventory of Risk Statements 113 Risk Assessment Techniques 120 Chapter Four Risk Management Frameworks and Standards 125 Why Voluntary Standards? A Look at OMB Circular A–119 126 GAO Risk Management Framework 129 ISO 31000: International Risk Management Standard 135 COSO ERM Integrated Framework 138 OCEG Red Book 2.0: 2009 140 FERMA: 2002 140 BS 31100: 2008 142 An Expanded View of ISO 31000 143 Chapter Five Risk and Performance Management 151 Risk and Performance: Government 153 Managing Risk to Performance 157 An Expanded View of Strategic Risk Management 160 Risk and Performance: Private Sector 167 Standard & Poor’s ERM Analysis 170 Chapter Six Building a Risk Culture 173 Risk Culture Survey 177 Chapter Seven ERM Maturity and Assessment 181 ERM Maturity Models 181 The Role of the Internal Auditor in ERM 194 Case Study: The Public Safety Canada Audit of Integrated Risk Management 196 Chapter Eight ERM Core Competencies 209 ERM Core Competency Survey 209 Summary of Survey Results 211 Federal versus State and Local Government Views of ERM 216 Chapter Nine ERM Best Practices of Federal Agencies 223 Ninety–Day Action Plan 223 Sample Implementation Plan 224 Words of Wisdom 225 Chapter Ten Conclusion 227 Notes 231 Appendix: Index of Survey Questions and Responses 243 About the Author 279 Index 281 Figures, Tables, and Exhibits Figures Figure 1.1. Evolution of Risk Management 37 Figure 1.2. Siloed and Enterprise Approach to Risk Management 41 Figure 4.1. GAO Risk Management Framework 131 Figure 4.2. ISO 31000 Risk Management Framework 135 Figure 4.3. COSO’s ERM Framework Highlights 138 Figure 4.4. FERMA Risk Management Standard 141 Figure 4.5. World Map of ISO 31000 145 Figure 5.1. Illustration of Goal Relationships 158 Figure 5.2. Identifying Risks to Strategic Objectives 160 Figure 7.1. Risk Maturity Rating by Industry 187 Figure 8.1. Risk Manager Core Competency Model 210 Tables Table P.1. American Society for Public Administration Code of Ethics xviii Table I.1. Agency Hiring Activities 2 Table I.2. Changes to GAO’s High Risk List, 1990–2013 10 Table 1.1. Definition of Risk 34 Table 1.2. Selected White Collar Occupational Groups, Job Series, and Potential Risks 39 Table 1.3. Policies for Managing Various Types of Risk in Government 43 Table 1.4. What Components Are in Place at Your Organization to Aid in ERM Implementation? 48 Figures, Tables, and Exhibits Table 3.1. Risk Taxonomy 107 Table 4.1. GAO Risk Management Framework Matrix 132 Table 5.1. Advantages of GPRA Implementation 156 Table 5.2. Adidas Group 2012 Corporate Risk Assessment 169 Table 6.1. Methods for Influencing Cultural Change 176 Table 7.1. Five Levels of SEI Process Maturity 183 Table 7.2. Aon RMI Five Levels of Maturity 186 Table 7.3. Treasury Board Risk Management Capability Model 191 Table 7.4. Public Service of Canada Key Risks Related to Integrated Risk Management 206 Table 8.1. ERM Components in Place in Organizations to Aid ERM Implementation 212 Table 8.2. Top Three ERM Components in Place: State and Local Government versus Federal Government 212 Table 8.3. Risk Management Training Rubric 214 Exhibits Exhibit 1.1. Template for a General Risk Management Policy in the United States 47 Exhibit 1.2. Canada’s Risk Management Framework Policy 49 Exhibit 3.1. Inventory of Risk Statements 114 Exhibit 3.2. State of Washington Risk Map 124 Exhibit 4.1. Comparison of Standards and Frameworks 127 Exhibit 5.1. Overview of the GPRA Modernization Act of 2010 155 Exhibit 5.2. Six Principles of Strategic Risk Management 162 Exhibit 5.3. Strategic Risk Management Checklist 163 Exhibit 5.4. Glossary of Key Performance Terms 164 Exhibit 5.5. The Challenge of Applying Strategic Risk Management to Homeland Security 165 Exhibit 5.6 “At Risk” Brands as Reported by 24/7 Wall St. 168 Exhibit 6.1. Sample Risk Culture Survey 177 Exhibit 7.1. Canada Treasury Board Risk Management Capability Model: An Excerpt 188

KAREN HARDY is an expert risk management professional with extensive experience in the public sector. Dr. Hardy is a co-founder of the Association for Federal Enterprise Risk Management and serves on the U.S. Technical Advisory Group for ISO 31000. She also worked at Citibank and The White House Office of Management and Budget. She has published articles in numerous national and international publications, including Canada's Public Sector Digest .