Part One
Introduction and Overview
Chapter 1
Managing Risk of Federal Agencies and Their Programs through Enterprise Risk Management
Thomas H. Stanton
Fellow, Center for Advanced Governmental Studies, Johns Hopkins University
Risk Management as an Essential Part of Federal Management
The world manifests increasing complexity, and this in turn has increased vulnerabilities for the people of the United States and our government. High-impact events, once thought to occur only rarely, happen with increasing frequency. In the early 2000s alone, costly events included the terrorist attack of September 11, 2001, Hurricane Katrina, the BP Gulf oil spill, and the near meltdown of the financial system, to name some of the larger ones. Chronic costly events include medical errors in U.S. hospitals and periodic outbreaks of food-borne illness such as salmonella and E. coli. Other high-impact risks that materialize from time to time include cyberattacks to bring down systems or steal critical information, and a variety of other homeland security events.
Government plays a role in all of these, either in trying to prevent risk from materializing or in trying to respond effectively. Sometimes there are concatenations of risks, such as when the financial crisis results in a massive increase in workload for the unprepared Federal Housing Administration (FHA) or when a crisis expands from the mortgage market to the larger financial system or when an agency's uncontrolled spending on conferences leads to reputational harm.
Many agencies try to focus on specific risks that gave them problems in the past, such as financial or operational risks for federal financial programs, or acquisition and investment risks for departments and agencies that rely heavily on procurement of major systems and other support for the agency's mission.
However, in today's complex world it is not enough to focus on specific risks identified in the past. A tragic example comes from Camp Lejeune, North Carolina, the nation's largest U.S. Marine Corps base. At Camp Lejeune the Corps trains marines to deal with risks of combat but neglected to respond to reports of contaminated groundwater that ultimately took the lives of hundreds of people, mostly babies, and impaired the health of many more marines and their families over several decades (Fears 2012; House Subcommittee on Oversight 2010).
This book seeks to present a broader concept of risk management, known as Enterprise Risk Management (ERM). Private firms developed the concept and practice of ERM, and federal agencies increasingly adopt ERM into their processes and practices. ERM relates to the fundamental question that federal managers face: "What are the risks that could prevent my agency from achieving its mission and objectives?" Depending on the circumstances and varying from agency to agency, major risks may involve loss of capable people, or lack of adequate systems, or inadequate internal controls, or failure to comply with legal and policy requirements, or need to move operations to a more secure site, or any number of diverse risks.
In Chapter 6, Douglas Webster, coeditor of this book, introduces ERM for federal managers. ERM is less developed in its applications to government than it is for the private sector. A small and growing network of enterprise risk managers is working with increasing success to expand application of ERM to an increasing number of federal agencies and offices. The network recently established a formal organization known as the Association of Federal Enterprise Risk Management (AFERM) and a web site located at www.aferm.org.
The following section sounds the themes of this book. The core idea is that good risk management is an integral part of good decision making. Just as the financial crisis revealed for financial institutions, good risk management in government is integral to general good management. The second section of this chapter focuses on the importance of risk management as a way to make sound decisions. The third section discusses the differences between government and private firms that can make public-sector management more difficult than, or at least quite different from, management in the private sector. While some aspects remain constant, such as the importance of clear vision and good interpersonal skills, the rules and organizational environment are more complicated in government than in the private sector. Chapter 4 explores that issue in greater detail. That said, some government managers make sound decisions, while others get themselves into serious trouble when unexpected risks materialize. The fourth section introduces ERM and ways that organizations can implement it. Finally, the fifth section concludes with a brief overview of the chapters of this book and makes recommendations for advancing the practice of risk management in the government.
Risk Management as an Integral Part of Good Decision Making
John Reed, CEO of Citigroup in the 1990s, uses a metaphor to make the case for risk management as a precondition for an organization's ability to perform:
Why does a car have brakes? A car has brakes so it can go fast. If you got into a car and you knew there were no brakes, you'd creep around very slowly. But if you have brakes you feel quite comfortable going 65 miles an hour down the street. The same is true of [risk] limits. (Financial Crisis Inquiry Commission 2010)
Each decision that a manager makes has potential benefits and risks. This is the risk/reward trade-off that determines whether an organization can thrive over the long term. The present author (Stanton 2012) studied a dozen firms in the financial crisis, including four that successfully navigated the crisis and eight that did not. As can be seen in Chapter 10 of this book, the essential difference between those firms was the extent that top managers were open to feedback about possible disadvantages of their decisions. Successful firms respected early warning signs and listened to their risk officers; firms that failed had leaders who fired, excluded, or otherwise disregarded their risk officers.
Professor Sydney Finkelstein of the Tuck School of Business at Dartmouth has analyzed public and private organizations and their decisions. He and his colleagues (2008) found that decision makers may be hampered by misleading experiences in their backgrounds ("fighting the last war"), misleading prejudgments, inappropriate self-interest, or inappropriate attachments, all of which can lead to flawed decisions. Finkelstein and his colleagues point to two factors that must be present for an organization to make a major mistake. First, for any number of reasons an influential decision maker such as a CEO or an agency head makes a flawed decision, and second, he or she makes the decision without listening to feedback that might expose errors and correct the decision.
The remedy, they found, lies with improved decision making. Leaders need to design the decision process to elicit additional experiences and data relevant to major decisions. This can help to offset tendencies toward groupthink. Input from a chief risk officer (CRO) can be an essential part of the discussion. Leaders need to encourage group debate and challenge to ensure that opposing points of view are heard and understood, including the views of the CRO. Managers and cultures must be strong and self-confident enough to create that kind of robust decision-making process. By contrast, the cost of lower-quality decision making, as became clear in the financial crisis and as can be seen in the travails of a number of federal agencies recently called before angry congressional committees, can be substantial harm to an organization and its future.
The focus on sound decision making helps to distinguish what risk management should not be. Risk management does not derive merely from an elaborate quantitative model or formula. Similarly, good risk management is more than a complex new software package. The financial crisis provided painful evidence that strong risk management is not an effective reality at many large firms. Indeed, a major concern is that, if neglected by top management, risk management can become a gesture, loaded with analyses, quantitative models, and processes that add little to an organization's ability to assess and address actual enterprise risk.
The case studies in this book, and especially those in Chapters 7 through 9, of risk management at the Office of Federal Student Aid, the Defense Logistics Agency, and at the Canadian company Hydro One, show how the critical elements in good risk management are good judgment, which takes account of both sides of the risk/reward equation, and good processes that bring needed information, including carefully selected performance measures, to decision makers before they make major decisions. These attributes reflect the quality of an organization's leadership, culture, and approach to decision making. Those are much more important than outlays on expensive systems that, while potentially helpful, depend on decision makers' good judgment to be effective.
The Unique Challenges of Managing a Government Agency
Managing a government agency is different from managing a private firm. Even though many aspects of the two sectors seem similar, the legal rules that govern each sector create quite different dynamics. Former Kennedy School dean Graham T. Allison explored differences between public and private management and concluded that there is a fundamental constitutional difference between the two sectors:
In business, the functions of general management are centralized in a single individual: the chief executive officer. The goal is authority commensurate with responsibility. In contrast, in the U.S. government, the functions of general management are constitutionally spread among competing institutions: the executive, two houses of Congress, and the courts. The constitutional goal was "not to promote efficiency but to preclude the exercise of arbitrary power," as Justice Brandeis observed. (Allison 1982, 21)
Allison then observes major differences in two key areas: (1) deciding the lines of business and business methods of a company or federal agency, and (2) ability to select the right people for the job. While a company executive has considerable leeway in determining corporate strategy, an agency head manages an organization whose mission is largely determined by other actors, and especially by Congress, the president, and private constituencies. While a company executive has largely a free hand in making sweeping personnel decisions, the newly appointed agency head usually comes to an agency that is already staffed, and has much less freedom, in law and as a practical matter, to hire, promote, fire, or transfer subordinates. Finally, Allison quotes several top executives who served in business and government who contend that while a company has a bottom line of profitability that sooner or later compels accountability for the company's performance, government leaders often may benefit or suffer from reputations that have little to do with the results they deliver. While Allison's observations are more provocative than most, there is significant agreement among public administration professionals about their general validity (e.g., Stanton and Ginsberg 2004; Stanton 2006).
Seasoned government officials make other observations as well. First, government agencies often lack continuity among top officials. As one person says, at his department it is as if they undergo a hostile takeover every four years. New political appointees arrive with different priorities from the outgoing leadership. Another problem is the uneven quality of political appointees, especially with respect to management skills. These two factors relate to a third issue that is especially significant for sustaining a risk management program: The shift in leadership often means that an activity that formerly benefited from a champion can lose that champion as another leadership team arrives with different skills, views, and objectives. In Chapter 4, Paul Posner and Thomas Stanton suggest yet other ways that management differs for public agencies compared to private firms.
The implications for managing risks of government agencies and programs are significant. As Posner and Stanton point out in Chapter 4, the short tenure of many political appointees can create an incentive to emphasize short-term initiatives rather than make longer-term commitments, such as creating either a "tone at the top" in support of effective risk management or, more generally, investing in processes and systems that may pay off only after the political appointee has left the agency. This short time horizon is exacerbated by the nature of annual government appropriations and the vagaries of a federal budget process that may not deliver needed funding to support longer-term investments in systems or other improvements to the way that the agency functions.
That said, as Thomas Stanton argues in Chapter 3 and Gary Glickman shows in Chapter 11, on reputational risk, neither political appointees nor career civil servants will find it comfortable to live with major risks that materialize on their watch that could have been avoided. The case studies in this boo...