Enterprise Risk Management and the Public Sector

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By James Kline and Greg Hutchins
February 9, 2018

The use of Enterprise Risk Management (ERM) in the public sector is increasing. ERM is a methodology designed to assist management in identifying and mitigating risks that adversely impact the accomplishment of organizational objectives. This piece examines the extend of this growth.

In 2015, the Office of Management and Budget (OMB) issued Circular A-123. This circular requires federal departments to implement ERM. The Moving Ahead for Progress in the 21^st Century Transportation Act requires all state departments of transportation to develop a Transportation Asset Management Plan (TAMP) and a Risk Based Asset Management Plan (RBAMP). The TAMP, which is to include the RBAMP, is to be certified by the Federal Highway Administration (FHWA) by June 30, 2019. Failure to be certified could result in the loss of highway funds. The FHWA issued its RBMAP guide in November 2017. It is entitled “Incorporating Risk Management Into Transportation Asset Management Plans.” The guide encourages local government participation in the development of the state TAMP. Two states, Tenn. and Wash., also require ERM. Thus, ERM is mandated at the federal level, taking hold at the state level and filtering down to the local government level.

The federal adoption of ERM and the push to the state and local level is part of a global trend. An examination of government websites shows this. It also shows that local governments in the United States are lagging their contemporaries in the use of ERM. Of 79 Canadian local governments, 17 percent have an ERM policy. Thirty-three percent of 15 New Zealand local governments and 32 percent of 77 local governments in Australia have adopted ERM. ERM is a local government mandate in the United Kingdom (UK) and South Africa. The Canadian provinces of British Columbia, Alberta and the Northwest Territories have ERM policies. In the United States, seven local governments (four percent) indicated some aspect of ERM — out of the 204 websites examined.

The Devon County Council (UK) in its Risk Management Strategy (2011-2015) indicates its reason for implementing ERM.

“The purpose of the Risk Management Strategy is to effectively manage potential opportunities and threats to the Council achieving its objectives. Risk Management is not about avoiding risk; rather, it is about understanding and evaluating opportunities and threats and making informed decisions about how these are to be managed in order to maximize the efficiency of our services.”

The City of Coquitlam Canada in its July 15, 2013 Enterprise Risk Management Plan lists three objectives for ERM deployment:

1. Proactively identify, understand and manage the top strategic risks as effectively as possible;
2. Promote awareness of these risks in order to mitigate their likelihood and impact; and,
3. Promote a more systematic and consistent approach to managing strategic risk.

Clearly, ERM is viewed as a methodology which provides a strategic approach to risk management and helps improve the efficient use of resources. The FWHA goes even further. It believes “risk management is likely to become a new minimum competency which transportation executives are expected to master.”  It also expects risk management to be part of the state department’s performance measurement and budget process.

OMB has identified three major ERM models.  These are the Orange Book, Committee Of Sponsoring Organizations (COSO)-ERM, and International Organization for Standards (ISO) 31000.2009. The Orange Book is used in the United Kingdom. COSO-ERM is used in the private sector and mandated in South Africa and Tennessee. ISO 31000.2009 is the international ERM model. It is used by governments in Australia, Canada and New Zealand. The FHWA RBAMP guide is based on ISO 31000.2009.

No matter which model is used, there are seven common steps. The City of Alberta Canada lists these steps. They are:

1. Establish the Context
2. Identify the Risks
3. Assess the Risks: Likelihood versus Impact
4. Evaluate the Risks
5. Management the Risks
6. Monitor and Review
7. Communicate and Consult

In June 2017, COSO revised its ERM model. It now emphasizes strategic risk and governance. This revision moves COSO-ERM closer to ISO 31000.2009. ISO is expected to issue a revision of ISO 3100.2009 in 2018. The revision will determine the extent to which ERM methodologies are coalescing.

The website review and the various ERM mandates indicate that ERM’s use in the public sector is part of a global trend. It is viewed as helping governments improve performance and better manage resources. Its use in the public sector is likely to increase through mandates, if for no other reason. Finally, if the FHWA belief is correct about risk management becoming a new professional competency, then public administration curriculum will have to adjust accordingly.

---

Authors: James J. Kline, PhD, is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has authored numerous articles on quality in government and risk analysis. He can be reached at [email protected] | Greg Hutchins, PE,CERM, is the CEO of QualityPlusEngineering, a quality and risk consulting firm, and cofounder of the CERMAcademy, which publishes a risk e-magazine “Risk Insights” and provides Enterprise Risk Management training and certification.  He has conducted Quality and Risk studies for fortune 500 companies, the state of Oregon and the FAA. He has authored over 100 articles on quality, supply chain management and enterprise risk management and written a number of books including; “Value Added Auditing”, “ISO: Risk Based Thinking”, and “ISO 31000: Enterprise Risk Management”.  He can be reached at [email protected]

(No Ratings Yet)
Loading...