The Role of Risk Leadership in Defining ERM Readiness in Government
by Peter C. Young and Trang Hoang
This article is adapted from The Role of Risk Leadership in Defining
ERM Readiness in Government by Peter C. Young and Trang Hoang
(Washington, D.C., IBM Center for The Business of Government,
2024).
Today’s risk landscape requires a unified, coordinated, disciplined, and consistent approach, no longer focused on risk management as a compliance exercise or perceiving risks solely as problems to avoid. Research is needed on reconceiving risk management as a value-creating. activity integral to strategic planning, decision making, and organizational resiliency.
As former federal Chief Information Officer Suzette Kent so aptly notes, “People and operational changes due to service delivery being significantly more digital, workforce in hybrid location mode and massive growth in automation and artificial intelligence drive the need to reexamine workforce, risk practices, and operational resiliency.” This need to reexamine risk and how its effectively dealt with is made even more pressing in a world and at a time where government leaders increasingly agree that “rare unexpected events” are now neither rare nor unexpected. Indeed, they are shocks—more frequent and more destabilizing.
The report provides timely and insightful perspectives that underscore the connection between leadership actions that support government risk management and successful efforts to implement enterprise risk management (ERM). It explores two distinct concepts—risk leadership and ERM readiness. It aims to better understand the question of ERM readiness, seeking to ascertain the measure by which an organization can self-evaluate readiness for ERM implementation. The findings outlined in this report will help those planning to adopt ERM, as well as those in more advanced stages of implementation.
Supported by nearly two dozen interviews, we address how the role that risk leaders play in ERM implementation is essential to accessing an organization’s readiness. Based on an analysis of survey results and interviews with U.S. federal leaders regarding ERM practices, along with supporting evidence from scholarly and professional research, the report documents observations and offer insights on the interconnection between risk leadership and organizational ERM readiness.
Peter C Young
3M Endowed Chair, Professor of Risk Management
Opus College of Business University of St. Thomas
Minneapolis, Minnesota
Peter holds the 3M Endowed Chair in International Business, and in that position is responsible for global business education initiatives. Most recently, he was awarded the Otto Mønsted Visiting Professorship at Copenhagen Business School in recognition of research excellence in risk management.
Observations on ERM Readiness and Risk Leadership
It is a leadership imperative for government executives to mitigate potency of both risk and uncertainty. Employing an enterprise risk management (ERM) process can assist leaders in doing just that. When employed on a strategic level, ERM can help decision makers evaluate the likelihood and impact of major events and formulate the best way to either prevent them or manage their effects, if they do occur.
ERM proposes a proactive and comprehensive management approach that enables agencies to better function within a complex environment. Many federal agencies are well down the road in implementing ERM, their experiences illuminating both accomplishments and challenges. In this report, we aim to better understand the question of ‘ERM readiness,’ seeking to ascertain the measure by which an organization can self-evaluate its readiness for ERM implementation, what is expected, and how an organization develops a preparatory process for that implementation. This objective necessitates a brief retrospective look at the ERM story, which assists in informing a more prospectively oriented evaluation of ERM preparedness.
In looking back, a changing perspective on ERM in federal agencies emerges to undergird the observations recorded in this report. Given the current state of ERM adoption in federal agencies, it could be argued this report might better be oriented toward ‘maturation’ more so than ‘readiness.’ Either would benefit from the report’s backward/forward approach, however. This report will strive to be attentive to the interests of those planning to adopt as well as those in more advanced stages of implementation.
ERM holds great promise for federal agencies—nearly all efforts to clarify assess and address threats and opportunities in a rational and organization-wide manner can yield positive benefits to leaders and managers. Supported by nearly two dozen interviews, it has become evident that understanding the role risk leaders play in ERM implementation is essential to clarifying an organization’s readiness. Emphasis on risk leaders not only reflects the fact that it is critical to understanding leadership attributes, knowledge, skills, and abilities/strategies—a useful outcome in its own right—but also that risk leadership itself is an artifact of dynamic changes observed in the wider evolutionary story of modern risk management thought and practice.
Trang Hoang
Assistant Professor of Public and Nonprofit Finance
School of Public Administration, University of Nebraska at Omaha
Omaha, Nebraska
Trang is an Assistant Professor of Public and Nonprofit Finance at the University of Nebraska. Published in many leading journals, his research focuses on public pension, state and local governmental budgeting and financial management, and risk management.
Six Key Insights
Based on an analysis of survey results and our interviews with risk leaders regarding the actual practices of ERM in U.S. federal agencies, along with supporting evidence from scholarly and professional research, six key observations and insights related to ERM readiness and risk leadership are outlined below:
• Risk leaders and risk leadership concepts remain insufficiently understood: The early demand for risk leaders, such as chief risk officers (CROs) outpaced a concrete understanding of the type of leader needed and the skills, knowledge, and abilities these leaders may need to be successful at managing risks across an enterprise. Though this may not be as concerning at the level of the individual risk leaders, this lack of understanding seems to be a significant issue for what we call the practice of risk leadership. Managing risk is imperative for successful leadership. Leaders must develop processes like ERM to improve their ability to manage risks effectively. ERM cuts across an organization’s silos to identify and manage a spectrum of risks, which underscores the critical importance of understanding the purpose of risk leadership.
• Risk leaders act as agency entrepreneurs: Many risk leaders interviewed for this report leveraged highly imaginative, innovative, and adaptive efforts to build ERM processes within agencies. As such, the qualities they project and the insights they offered on how they implemented and matured ERM within their respective agencies share similarities to those typically associated with entrepreneurs. This is more than a clever description or turn of phrase and more indicative of the core capabilities needed today for risk leaders not usually found in traditional risk management practitioners.
• ERM expands the aperture of threats and opportunities to include in measurable (and even non-detectable) phenomena: Expanding the risk landscape ushers in complexity, uncertainty, the unknown, the unknowable, and emergent phenomena. This evolving change of emphasis and focus requires risk leaders to acquire or possess different knowledge, skills, and abilities, such as behavioral psychology, organizational change management, complexity leadership, strategic foresight, and scenario planning.
• ERM supports sustainable resilience: An uncertain future will challenge efforts at prediction, leading to different approaches to forecasting. This suggests that efforts to anticipate future events should focus on building a capacity to be resilient, and to maintain resilience over time.
• Characteristics of risk leadership should include the right mindset and behaviors: It is important to identify essential qualities of how risk leaders think—their mindset, but also what they do—what behaviors they employ to implement, manage, and mature the ERM function successfully within their government agency or department. This report outlines possible responses to both assertions.
• Obstacles to ERM implementation seem endemic: Given this observation, it might be better to imagine these obstacles as risks or uncertainties that fall within the domain of the risk leader’s responsibilities, rather than as exogenous constraints on implementation. Tending to the well-being of the ERM function itself, beyond the operational methods implemented to address risk and uncertainty, appears to be a critical and—it could be said—political dimension of the risk leader’s role.
The report describes the importance of risk leaders having an overall vision of the interaction between organizational structure and ERM readiness, given the siloed nature of many government operations. The insights outlined in this report can help governments grow more resilient in the face of increasing risks, promoting research on preparing for and responding to shocks that increase in frequency and magnitude.