For many, today's public sector management challenge is greater than at any time in our lives. That is certainly true in the United States, but is also true for much of the developed and developing world. Decades of deficit spending resting on the belief (or at least the hope) that “investments” would result in increased productivity generating revenues greater than costs have failed to come true. National governments have awoken, even if slowly, to the recognition that nations, just like individuals, cannot spend indefinitely at a rate higher than incoming revenues. While local governments may not be able to engage in deficit spending, they are nevertheless impacted by national governments that do so.
We have long heard the calls from leaders and consultants to “do more with less.” Yet such a goal requires productivity to increase faster than the rate of reduction in budgets. For most of our lifetimes that was feasible. Increasingly, however, it appears that budget challenges are making such a goal no longer credible. Given our introduction of the concept of value-based management, this battle cry should change to “do more of value with fewer resources.” While perhaps not as memorable, this phrase is much more meaningful in terms of solutions to the challenges that lie ahead.
Leaders must be driven not by a focus on spending less or doing more, but rather on creating increased stakeholder value through the balancing of results sought, resources available, and risks accepted.
Risk management, as indicated in the discussion of the value-based management framework in Part One, is an inherently critical element of any decision-making process that seeks to maximize stakeholder value. While balancing desired results and available resources/budget will always be part of the decision process, too often risk is left out of serious consideration. It is important to understand the challenges to meaningfully incorporate risk considerations in business decisions. However, before beginning that discussion, it is vitally important to define exactly what we mean by “risk.”
Risk is a very commonly used term, but a term that can mean considerably different things once one gets into the details of its definition. For the purposes of this book, we choose to use the word “risk” as defined in the international risk management standard ISO 31000: “the effect of uncertainty on objectives.” Defining a word such as “risk” in advance of a discussion using that term is important because many organizations and individuals have defined that term in different and inconsistent ways. The average person might think of a risk as a threat to safety or achieving an objective, in contrast to a possible opportunity or benefit. However, in defining risk as uncertainty, we are including both the downside (i.e., threat) and the upside (i.e., opportunity) associated with such uncertainty. Given that some degree of uncertainty is involved in almost every business decision, why does it not always naturally occur as part of the decision-making process?
There are many reasons for the traditionally diminished role of risk management in management decision-making. Thinking seriously about risk is not something that many decision makers have learned as a practice. They either (1) simply ignore risk, because of a lack of awareness of, or concern about, the uncertainty in achieving a desired objective, or (2) briefly consider risks and assume them to be negligible and unworthy of serious consideration. Some decision makers may recognize that risks exist, but bypass proactively addressing them and instead take a reactive approach that deals with risks only after they transition into adverse events (if a threat). Such decision makers also do not integrate the uncertain upside of risk (opportunity) into their decision-making process.
Additionally, many organizations – particularly those in government – desire not to acknowledge the existence of risk in delivering services to and on behalf of their various stakeholders. This unwillingness to address risks to the public thus transfers over into an unwillingness to manage those risks as part of planning and operations. This narrow-sighted approach to risk management in the public sector must cease if government leaders are to maximize the value delivered in exchange for limited resources. Pretending to their constituency that we live in a riskless world will come back to haunt many government leaders if risks are not consciously and proactively managed.
Whether primitive humans were managing the risk of attack by adversaries or wild animals, the concept of risk – and the effort to manage that risk – is as old as humankind. Early examples of a more formal approach to risk management can be seen in the Code of Hammurabi (circa 1755 BCE), which provided the underpinnings of maritime insurance contracts. The concept of risk and considering how to manage that risk further developed over the centuries. Marine insurance appeared in Italian port cities as early as the twelfth century, and an organization in Belgium in 1310 was the first in that country to offer marine insurance for their merchants. The establishment of the Fire Office in London, possibly the first company offering fire insurance, was a likely response to the Great Fire of London in 1666. The development of probability theory in the seventeenth and eighteenth centuries allowed for the calculation of quantifiable risks, which did much to formalize the practice of risk management and open it to a much larger area of application.
Despite an ability to trace the concern over risk in a very broad sense dating back several millennia, the focus until the mid-twentieth century was generally on insurance-related risk – those risks that could be insured by transferring to another party. The development of modern risk management focused on organizational functions beyond insurance has been a much more recent occurrence.
The trail to financial risk management was blazed by the actuarial profession beginning in the mid-nineteenth century. However, risk in the eyes of the actuarial and accounting professions maintained a relatively narrow and limited focus. In the 1950s there were no textbooks on the broader topic of risk management, and no university courses offered on the subject. The first book published on what we think of as risk management nowadays in the broader business context was Risk Management in the Business Enterprise, written by Robert I. Mehr and Robert A. Hedges in 1963. This book appears to have been the first formal use of the term “risk management.” Moreover, the book was the first to propose steps to the risk management process that can be seen reflected in the various risk management standards of today. These proposed steps were:
Financial risk management developed rapidly beginning in the 1970s with the use of derivatives to manage insurable and uninsurable risks, and many additional practices developed in the remaining years of the twentieth century. While much of the development of risk management in this period took place in the arena of finance and insurance, other areas developed strong risk management practices and procedures as well, such as engineering.
In 1995, Australia and New Zealand jointly published the world's first formal risk management standard, AS/NZS 4360. This standard considered risk as applicable to all endeavors, not only finance and insurance. Members of the committee that developed AS/NZS 4360 included communities of interest as diverse as the Australian Computer Society, Australian Customs Service, the Australian Department of Defense, Australian and New Zealand engineering associations, universities, and others. In short, this initiative included a broad cross-section of society that had a strong interest in and need for effective risk management. In 2004, the United Kingdom's HM Treasury published “The Orange Book: Management of Risk – Principles and Concepts.” Both AS/NZS 4360 and the HM Treasury Orange Book highly influenced the creation in 2009 of the International Organization for Standardization's risk management standard, ISO 31000. This standard was subsequently updated in 2017.
As risk management has matured over the past half-century, so, too, has the general concept of “risk” grown. As noted, early risk management was focused on insurable risk – that risk that could be transferred to another party in exchange for a risk premium. In more recent years, however, the concept of risk has increasingly focused on the idea of uncertainty, rather than simply potential loss. This important distinction recognizes that we may often knowingly and willingly accept the possibility of loss in order to have the opportunity for gain.
No race car driver can take on the possibility of a win without considering the possibility of car damage or even bodily harm. How much risk such a driver undertakes depends in part on how much risk he or she is willing to take. A lower degree of risk would yield a lower chance of bodily harm, but also a lower likelihood of winning. We all typically face daily decisions that balance the upsides and downsides of uncertainty (even if without such impactful consequences), and we recognize that there should always be an upside benefit to justify taking on the potential for downside consequences. This broader definition of risk as uncertainty, rather than threat or loss, ensures that this balancing act is part of the decision-making process.
The management of risk in various functional areas has become increasingly sophisticated over the years. Whether concerned about fraud, financial reporting misstatements, expected return on investments, inability to accomplish program requirements, adequately managing cyber-security, or countless other needs, the necessity to manage risks to achieving specific objectives has become broadly recognized. Not until the 1990s, however, did risk management begin to be considered broadly across the organization rather than limited to specific functional or programmatic areas of concern. Australia and New Zealand jointly developed and published the first risk management standard, AS/NZS 4360, in 1995. This standard in turn directly led to the international risk management standard ISO 31000, published in 2009. In the meantime, COSO developed and published the COSO ERM – Integrated Framework in September 2004, and the United Kingdom published the Treasury Orange Book in October 2004.
While these various risk management standards are all unique and have slightly different approaches and terminology for elements of the risk management process, their description of the risk management process can generally be portrayed as illustrated in Figure 6.1. This figure was developed by the US White House Office of Management and Budget and is influenced by both the United Kingdom Treasury Orange Book and ISO 31000. The two outside rings are typical for a federal agency, but should be adapted for a state or local government organization. While this diagram is not intended to be prescriptive, it does illustrate the steps that are typically included in the risk management process:
Examining an organization's external context (i.e., outside the boundaries of the specific organization in question) may include factors such as an understanding of the influence of the social, cultural, political, legal, regulatory, financial, technological, economic, and competitive environments. It will also include an understanding of the key drivers and trends affecting the objectives of the organization: the relationships, perceptions, values, and expectations of external stakeholders; and contractual relationships and commitments.
The organization's internal context may include but not be limited to vision, mission and values, governance processes, organizational structure, strategies and policies, capabilities (such as budget allocation, time, people, processes, and technologies), relationships with internal stakeholders, organizational culture, and contractual relationships and commitments. The context also includes consideration of the organization's risk appetite, which forms the basis for evaluating acceptability of risks to the organization's objectives.
Defining the organization's objectives and the overall risk appetite for achieving various objectives is an important part of the context. Clearly defining objectives is a critical element of establishing the context, because the identification of risks to achieving objectives – the purpose of the following step in the risk management process – cannot be achieved until the organization first establishes what those objectives are intended to be.
Also, along with understanding what objectives the organization seeks to accomplish, an understanding of the level of risk the organization finds appropriate in seeking to accomplish those objectives is essential. This appropriate level of risk to be accepted by an organization, which is known as “risk appetite” and was mentioned above, can be defined as the amount and type of risk that an organization is prepared to pursue, retain, or take. A risk appetite statement is a higher-level statement that broadly considers the levels of risk that management deems appropriate.
Establishing and communicating an organizational risk appetite is a critical and often missed step in the risk management process. A risk appetite is the basis for judging whether or not an existing risk is at an acceptable level, and whether or not further risk treatments are appropriate. If that risk appetite is not clearly defined and used to guide decisions across the organization, different managers will make risk treatment decisions in different and inconsistent ways. The level of risk an organization is willing to take in pursuit of objectives is not a trivial matter and should not be an ad hoc process exercised by individuals inconsistently across the organization.
The “appropriate” level of risk should be determined after considering tradeoffs between the upside potential for new opportunities versus the downside potential for adverse impacts. This is not a “one-size-fits-all” proposition. For example, the United States knew full well in the 1960s that seeking to land a man on the moon was fraught with great risk. However, the upside opportunity for new knowledge was deemed greater than the downside possibility of loss, including the loss of human life. It would be inappropriate to take such risks for most other ventures. An individual starting up a small business typically wants reasonable assurance that they will profit from their venture. Lacking such expectation, such individuals might be more inclined to work as an employee for another company that has decided to take such business risks.
While the overall risk an organization finds appropriate to accept in pursuit of objectives should be considered and communicated across the organization, this level of risk may appropriately vary from one part of the organization to another. For example, an organization may be compelled to knowingly accept large uncertainty in pursuit of certain program objectives, as the upside potential is much greater than the downside. Scientific research and exploration is an area of human endeavor that easily falls into this general category. At the same time, the organization may have a far lower risk appetite for cyber-security or the loss of personally identifiable information (PII). It is thus appropriate – and often critical – to tailor an overall enterprise risk appetite statement to various functional or programmatic areas of the enterprise. This tailoring, however, should be a coordinated process that incorporates enterprise stakeholder interests, and is not done on an isolated basis by individual functional or program managers having no awareness of or commitment to the overall enterprise risk appetite.
A related consideration for the context step is risk tolerance. Risk tolerances set the acceptable level of variation around specific objectives. Risk tolerance is thus focused on specific objectives and is typically quantifiable in setting measurable boundaries for acceptable variation in those objectives.
Once the context has been established, elements at all levels of the organization should identify risks to achieving objectives set for their particular part of the organization. There are numerous risk identification techniques, such as:
Once risks are identified, they must be analyzed in terms of their likelihood of occurrence and the impact if those risks do transition into actual events. In practice, the risk identification and risk analysis steps frequently overlap, as the techniques for identifying risks often yield insight into the likelihood and impact of the risk. In addition to the techniques identified under Initial Risk Identification, various specialized techniques relevant to particular types of risks (e.g., credit, information technology, engineering, project management and others) may be used, often enabling more quantifiable analyses.
After risks are analyzed for likelihood and impact, they must be evaluated by comparing the identified risks to the established risk appetite, and prioritizing those identified and analyzed risks in terms of potential treatment. This prioritization takes into account the level of risk compared to the risk appetite.
Based upon the risk analysis and evaluation, various options are considered for treating any particular risk. Options for treating risks can be categorized into one of four categories:
There may be a number of options developed in the prior step to potentially address any particular risk. In responding to a risk, choices are made by the organization as to how to treat a particular risk. Key considerations in determining the selected treatment include both (1) whether or not the risk treatment will reduce the treated risk to within the organization's risk appetite, and (2) the return on investment when considering the level of risk reduction versus the cost of achieving that reduction. Generally, risk treatments are selected that ensure risks stay within the risk appetite, and that maximize the return on investment in treating the risk. Treatments should never cost the organization more to implement than the increased value offered by reducing risk.
It must be noted that even when risks are within the risk appetite of the organization, there may be times when further treatment of the risk will generate a positive return on investment (ROI). This occurs when further treatment of a risk yields benefits in excess of the costs of additional treatment.
Applying the preceding risk management steps to select a risk treatment is essential, but it is only the start. Risk treatment plans must then be monitored on a timely basis to ensure that schedules for treating risks are met, that the proposed treatment is actually implemented, and that it achieves the intended result. This requires periodic monitoring of risk treatment plans to confirm that they are progressing on schedule, or that changes are made as needed to achieve the intended results.
A final and critical element of managing risk is a consistently used approach to documenting risks and risk treatments. For this purpose, organizations typically use what may be referred to as a risk register or risk profile. Too many organizations, however, fall into the trap of simply listing risks. Identifying a risk is but a small part of the risk management process. Meaningful risk management requires all of the following:
Typically, a register will list risk vertically as rows in the register, while the above elements of the register serve as columns.
The risk register/profile plays a critical role in risk management by allowing management to see all key risks at once to:
Moreover, having all key risks documented in a consistent manner using the above elements will enable risk managers across the organization to consider risk treatment in a consistently documented manner. This will become critical if the organization chooses to implement enterprise risk management, as discussed below.
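The analysis, evaluation and treatment-selection steps described above, and the register columns that record them, are easier to see with a concrete register. The following is an added example written for this edition; it is not code from the chapter, from OMB, or from any of the standards cited. It scores each risk as likelihood times impact on an assumed 1-to-5 scale, compares the residual score against an appetite threshold that is tailored per functional area (the chapter's point that cyber-security may warrant a lower appetite than research or program delivery), and then applies the two selection rules from the text: a risk outside appetite takes the treatment with the best return on investment among those that bring it within appetite (and is flagged for escalation if none does), while a risk already within appetite is treated further only if a treatment pays for itself. The scales, the conversion of score points to avoided loss (`LOSS_PER_POINT`), the treatment labels and every sample risk are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = range(1, 6)          # assumption: 1-5 ordinal scales; the chapter fixes none
LOSS_PER_POINT = 25_000.0    # assumption: avoided loss per point of likelihood x impact


@dataclass(frozen=True)
class Treatment:
    name: str
    option: str              # assumed labels: "reduce", "transfer", "avoid", "accept"
    cost: float              # cost to implement, in currency units
    residual_likelihood: int
    residual_impact: int

    def __post_init__(self):
        if self.residual_likelihood not in SCALE or self.residual_impact not in SCALE:
            raise ValueError("residual likelihood/impact must be on the 1-5 scale")
        if self.cost <= 0:
            raise ValueError("cost must be positive for an ROI to be defined")

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


@dataclass
class Risk:
    risk_id: str
    objective: str           # the objective the risk threatens (context step)
    category: str            # looks up a tailored appetite threshold
    owner: str
    likelihood: int
    impact: int
    candidates: List[Treatment] = field(default_factory=list)
    selected: Optional[Treatment] = None

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood/impact must be on the 1-5 scale")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        return self.selected.residual_score if self.selected else self.inherent_score


@dataclass
class Appetite:
    """Enterprise default threshold plus tailored thresholds per functional area."""
    default: int
    by_category: Dict[str, int] = field(default_factory=dict)

    def threshold(self, category: str) -> int:
        return self.by_category.get(category, self.default)

    def within(self, score: int, category: str) -> bool:
        return score <= self.threshold(category)


def roi(risk: Risk, t: Treatment, loss_per_point: float = LOSS_PER_POINT) -> float:
    """(benefit - cost) / cost, with benefit = score reduction * assumed loss per point."""
    benefit = (risk.inherent_score - t.residual_score) * loss_per_point
    return (benefit - t.cost) / t.cost


def select_treatment(risk: Risk, appetite: Appetite,
                     loss_per_point: float = LOSS_PER_POINT) -> Optional[Treatment]:
    scored = [(roi(risk, t, loss_per_point), t) for t in risk.candidates]
    within = [(r, t) for r, t in scored if appetite.within(t.residual_score, risk.category)]
    if not appetite.within(risk.inherent_score, risk.category):
        if within:      # must get within appetite; among those that do, best ROI wins
            risk.selected = max(within, key=lambda rt: rt[0])[1]
        elif risk.candidates:   # nothing suffices: largest reduction, flagged for escalation
            risk.selected = min(risk.candidates, key=lambda t: t.residual_score)
        else:
            risk.selected = None
    else:               # already within appetite: treat further only if it pays for itself
        positive = [(r, t) for r, t in within if r > 0]
        risk.selected = max(positive, key=lambda rt: rt[0])[1] if positive else None
    return risk.selected


def evaluate_register(risks: List[Risk], appetite: Appetite,
                      loss_per_point: float = LOSS_PER_POINT) -> List[dict]:
    """One row per risk, with the columns a consistently documented register needs."""
    rows = []
    for r in risks:
        select_treatment(r, appetite, loss_per_point)
        exceeds = not appetite.within(r.residual_score, r.category)
        rows.append({"id": r.risk_id, "objective": r.objective, "category": r.category,
                     "owner": r.owner, "inherent": r.inherent_score,
                     "appetite": appetite.threshold(r.category),
                     "treatment": r.selected.name if r.selected else "accept (no treatment)",
                     "residual": r.residual_score,
                     "status": "EXCEEDS appetite - escalate" if exceeds else "within appetite"})
    return rows


def build_sample_register():
    """Constructed sample data for a fictional agency; not from any real organization."""
    appetite = Appetite(default=12, by_category={"cyber": 6})   # lower appetite for cyber
    risks = [
        Risk("R1", "Keep case-management system available", "cyber", "CIO", 4, 5, [
            Treatment("Offline backups with tested restore", "reduce", 50_000, 4, 2),
            Treatment("EDR, MFA and offline backups", "reduce", 120_000, 2, 2),
            Treatment("Cyber insurance", "transfer", 80_000, 4, 3)]),
        Risk("R2", "Pilot program reaches adoption target", "program", "Director", 3, 3, [
            Treatment("Stakeholder outreach campaign", "reduce", 20_000, 2, 3),
            Treatment("Extend pilot by six months", "reduce", 60_000, 2, 2)]),
        Risk("R3", "Maintain service levels under budget cut", "external", "CFO", 2, 4, [
            Treatment("Build a reserve fund", "reduce", 200_000, 2, 3)]),
    ]
    return risks, appetite


if __name__ == "__main__":
    sample_risks, sample_appetite = build_sample_register()
    for row in evaluate_register(sample_risks, sample_appetite):
        print(row)
```

Running it shows the three outcomes the text distinguishes: R1 starts at 20 against a cyber appetite of 6, and the cheapest option (backups alone, ROI 5.0) is rejected because its residual of 8 is still outside appetite, so the combined control with residual 4 is selected; R2 is already within appetite but the outreach campaign has a positive ROI, so it is still treated; R3's only candidate costs more than the loss it avoids (ROI of -0.75), so the risk is accepted as is. A risk for which no candidate reaches appetite is recorded with the largest available reduction and a status that demands escalation rather than silently passing.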
Finally, risk management is not a one-time activity. New risks constantly arise that may not have been evident or even present when organizational risks were previously reviewed. Because the environment within which every organization operates is constantly changing, new risks are constantly arising. It is thus essential for organizations to understand that risks must be identified and managed on an ongoing basis.
How frequently risks to objectives should be reviewed, as well as how frequently existing risk treatment plans are reviewed, depends on the nature of the organization and the environment within which it operates. Rapidly changing environments – whether that change is a result of the political environment, advancing technology, changing financial conditions, or other considerations – mean that the organization's risks should be reviewed more frequently. Typical public sector organizations review organization-wide risks on a quarterly or semiannual basis. Organizations operating in a rapidly changing environment, or where risks must otherwise be tightly controlled, will want to monitor organization-wide risks more frequently.
Just as risks change over time, so do organizational risk appetites. Whether due to a change in the external environment within which an organization operates, a new strategy for achieving results, or simply a difference in leadership, the organization's stated risk appetite should occasionally be reviewed. While there is no prescriptive timeline for such a review, and the “ideal” frequency of review is certainly related to the rate of change in the organization's environment, it is suggested that the risk appetite statement initially be reviewed on an annual basis, with that frequency being revised as deemed appropriate.
Certainly, no discussion of risk management would be complete without including the role of internal control. However, the relationship between internal control and the broader topic of risk management is frequently misunderstood.
Just as with risk management, the concept of internal control can be traced back many centuries to ancient Egypt and Babylonia. Written records were kept, and an elaborate system of internal controls required that the records of one official agreed with those of another. Accounts were audited by officials, and gross irregularities were severely punished, even by death. Over the years, internal controls have been an important element of ensuring the accuracy of record keeping. Stated in terms of risk management, internal controls have helped limit the risk of incorrect or inaccurate records. For this reason, internal controls have become an important element of the accounting and audit profession.
The American Institute of Accountants (AIA, now the AICPA) was the first to offer a definition of internal control in 1936: “Those measures and methods adopted within the organization itself to safeguard the cash and other assets of the company as well as to check the clerical aspects of the book-keeping.” This definition was broadened and made more binding on the accounting and audit profession in a number of revisions in subsequent years.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the “Internal Control – Integrated Framework.” The document defined internal control as:
a process, effected by an entity's Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The 1992 COSO document was a major step forward in formalizing the concept of internal control as having much broader applicability to risk management than accounting and auditing. Moreover, the COSO framework contained the following five control components:
These elements of internal control clearly influenced formalization of the broader elements of general risk management reflected in AS/NZS 4360, the UK HM Treasury Orange Book, and ISO 31000.
It is important to recognize, however, that the context of internal control in which these control components are set is narrower than that intended in the referenced risk management standards. At their core, internal controls are focused on controlling risks internal to the organization or created within or by the organization. Any major new initiative, especially those calling for innovation and addressing new challenges, will face significant risks. As noted in Figure 3.2, we must always consider both reactive change and proactive change. Internal controls typically have a major role in managing reactive change, because we are generally seeking to manage or improve how we do business in today's environment. Improving the processes we have in place to meet today's needs is a key element of reactive change, and an area in which internal control is critical.
However, most organizations face many risks far beyond the boundaries of their current operations and processes. Strategic decisions such as which line of business an organization should pursue, how well customers will accept new product or service offerings, what impacts possible future regulatory changes will have on a business or government organization, and even the likelihood of a future economic recession are all potential risks, but not ones for which controls can be established. In short, control of such risks is often not within the ability of the organization to manage. At best, one can only hope to influence in some manner such external risks. Even if controls cannot be set in place for such risks, however, it is essential that these risks be considered in the decision-making process and decisions and actions adjusted accordingly.
If the above description of the risk management process is pertinent to the good practice of risk management in general, what then does the concept of enterprise risk management (ERM) add to the discussion? More specifically, what is the difference between traditional risk management and ERM? To answer this question, we can begin with a short history of what prior generations felt might be missing from traditional risk management. Perhaps the first visualization of the concept of ERM was from Gustav Hamilton, the risk manager for Sweden's State Company Limited. In 1974 he created a “risk management circle” in which he sought to graphically describe all elements of the risk management process (see Figure 6.2). This is the earliest known effort to show the interconnectedness of various categories of risk across the organization.
It would be almost two decades later, however, before the idea of an integrated approach to the management of risk, including strategic risks, was formally addressed. This occurred in 1992 in a journal article titled “A Framework for Integrated Risk Management in International Business” by K.D. Miller. This paper clearly laid out the much broader landscape of risk in general beyond that of internal control. General environmental uncertainties such as political instability, government policy instability, social uncertainties, and natural uncertainties were included. So, too, were various industry uncertainties, such as market uncertainties. While such risks cannot generally be managed through internal controls, it is important to note that although they may be “strategic,” they can impact every level of the organization. Risk managers at every level of the organization thus need to be thinking about managing risks external to their immediate environment, as many of those risks will be unaffected by internal control. In 1995, James Deloach further added to the literature with his journal article “Managing Business Risk: An Integrated Approach,” published by the Economist Intelligence Unit.
While K.D. Miller addressed the need for “integrated risk management,” the earliest located record of the term “enterprise risk management” was in a paper so titled and published in 1996 by Glyn A. Holton. That paper, however, was arguing for the need to exercise risk management across all of the business enterprise, but made no mention of the need to integrate these risks into an enterprise-wide, portfolio view of risk. In 2000 the first book titled Enterprise-Wide Risk Management was written by James Deloach.
It should be clear that the evolution of ERM has occurred largely over the last two decades. However, what specifically does ERM add to the traditional risk management process to support any organization – public sector or private sector – in meeting the needs of their various stakeholders?
A key contribution of ERM is improved linkage between organizational strategy and performance by managing risk as a portfolio across the organization. Such an approach brings with it a requirement to have in place a supportive governance process and organizational culture. A recurring assessment of ERM practices will help the organization identify opportunities to further improve and benefit from the potential advantages of ERM over traditional risk management practices. Following are some key elements necessary for meaningful implementation of ERM.
As we have stated, organizations need to maximize stakeholder value, and doing so requires a careful balancing of the risks accepted, results sought, and resources allocated for any particular objective. We began our more in-depth discussion of these three considerations with this chapter's focus on risk. The choice to discuss risk first was not that it was more important than the other two; all three considerations are equally important. If we are to generalize among these three balancing factors, perhaps the easiest differentiator is that risk is the least understood of the three and the most frequently ignored in decision-making. It is thus appropriate that we began with risk. However, there are of course results (performance) and resources (cost) to consider. Chapter 7 will discuss the results management element of the three Rs: the management of activities within the end-to-end business processes designed to set and achieve a particular result