Figures, Tables, and Exhibits ix

Foreword xi

Preface: Managing Risk in the Current Federal Environment xiii

Introduction 1

State of Risk Management in Government 5

How This Book Should Be Used 7

Emerging Risks Today 7

Top Government Risks 10

Criteria 11

Profiles of Select High–Risk Areas in Government 13

Chapter One Why Enterprise Risk Management? 27

Status of ERM in the Government 29

Limitations to ERM 30

Risk Management: What It Is and Why It Matters 32

What Is Risk? 33

Evolution of Risk Management 36

Traditional Risk Management versus Enterprise Risk Management 38

U.S. Federal Government Policy on Risk Management 41

Establishing an Agency Risk Management Policy 46

ERM Policy and Practice in Canada 48

Linking ERM and Internal Control 54

What Are the Standards for Internal Control? 55

Assessing Internal Control Structures 68

Overall Internal Control Summaries 68

Chapter Two Examples of Risk Management in the Federal Government 81

Health Risks 82

Security Risks 82

Financial Risks 85

Transportation Safety Risks 86

External Risks 87

Case Study: Applying Risk Management in Government: National Institutes of Health 89

Case Study: National Archives and Records Administration 95

Chapter Three Managing and Communicating Risk 105

Writing Risk Statements 111

Developing a Risk Statement 112

Inventory of Risk Statements 113

Risk Assessment Techniques 120

Chapter Four Risk Management

Frameworks and Standards 125

Why Voluntary Standards? A Look at OMB Circular A–119 126

GAO Risk Management Framework 129

ISO 31000: International Risk Management Standard 135

COSO ERM Integrated Framework 138

OCEG Red Book 2.0: 2009 140

FERMA: 2002 140

BS 31100: 2008 142

An Expanded View of ISO 31000 143

Chapter Five Risk and Performance Management 151

Risk and Performance: Government 153

Managing Risk to Performance 157

An Expanded View of Strategic Risk Management 160

Risk and Performance: Private Sector 167

Standard & Poor’s ERM Analysis 170

Chapter Six Building a Risk Culture 173

Risk Culture Survey 177

Chapter Seven ERM Maturity and Assessment 181

ERM Maturity Models 181

The Role of the Internal Auditor in ERM 194

Case Study: The Public Safety Canada Audit of Integrated Risk Management 196

Chapter Eight ERM Core Competencies 209

ERM Core Competency Survey 209

Summary of Survey Results 211

Federal versus State and Local Government Views of ERM 216

Chapter Nine ERM Best Practices of Federal Agencies 223

Ninety–Day Action Plan 223

Sample Implementation Plan 224

Words of Wisdom 225

Chapter Ten Conclusion 227

Notes 231

Appendix: Index of Survey Questions and Responses 243

About the Author 279

Index 281

Figures, Tables, and Exhibits

Figures

Figure 1.1. Evolution of Risk Management 37

Figure 1.2. Siloed and Enterprise Approach to Risk Management 41

Figure 4.1. GAO Risk Management Framework 131

Figure 4.2. ISO 31000 Risk Management Framework 135

Figure 4.3. COSO’s ERM Framework Highlights 138

Figure 4.4. FERMA Risk Management Standard 141

Figure 4.5. World Map of ISO 31000 145

Figure 5.1. Illustration of Goal Relationships 158

Figure 5.2. Identifying Risks to Strategic Objectives 160

Figure 7.1. Risk Maturity Rating by Industry 187

Figure 8.1. Risk Manager Core Competency Model 210

Tables

Table P.1. American Society for Public Administration Code of Ethics xviii

Table I.1. Agency Hiring Activities 2

Table I.2. Changes to GAO’s High Risk List, 1990–2013 10

Table 1.1. Definition of Risk 34

Table 1.2. Selected White Collar Occupational Groups, Job Series, and Potential Risks 39

Table 1.3. Policies for Managing Various Types of Risk in Government 43

Table 1.4. What Components Are in Place at Your Organization to Aid in ERM Implementation? 48

Figures, Tables, and Exhibits

Table 3.1. Risk Taxonomy 107

Table 4.1. GAO Risk Management Framework Matrix 132

Table 5.1. Advantages of GPRA Implementation 156

Table 5.2. Adidas Group 2012 Corporate Risk Assessment 169

Table 6.1. Methods for Influencing Cultural Change 176

Table 7.1. Five Levels of SEI Process Maturity 183

Table 7.2. Aon RMI Five Levels of Maturity 186

Table 7.3. Treasury Board Risk Management Capability Model 191

Table 7.4. Public Service of Canada Key Risks Related to Integrated Risk Management 206

Table 8.1. ERM Components in Place in Organizations to Aid ERM Implementation 212

Table 8.2. Top Three ERM Components in Place: State and Local Government versus Federal Government 212

Table 8.3. Risk Management Training Rubric 214

Exhibits

Exhibit 1.1. Template for a General Risk Management Policy in the United States 47

Exhibit 1.2. Canada’s Risk Management Framework Policy 49

Exhibit 3.1. Inventory of Risk Statements 114

Exhibit 3.2. State of Washington Risk Map 124

Exhibit 4.1. Comparison of Standards and Frameworks 127

Exhibit 5.1. Overview of the GPRA Modernization Act of 2010 155

Exhibit 5.2. Six Principles of Strategic Risk Management 162

Exhibit 5.3. Strategic Risk Management Checklist 163

Exhibit 5.4. Glossary of Key Performance Terms 164

Exhibit 5.5. The Challenge of Applying Strategic Risk Management to Homeland Security 165

Exhibit 5.6 “At Risk” Brands as Reported by 24/7 Wall St. 168

Exhibit 6.1. Sample Risk Culture Survey 177

Exhibit 7.1. Canada Treasury Board Risk Management Capability Model: An Excerpt 188

KAREN HARDY is an expert risk management professional with extensive experience in the public sector. Dr. Hardy is a co–founder of the Association for Federal Enterprise Risk Management and serves on the U.S. Technical Advisory Group for ISO 31000. She also worked at Citibank and The White House Office of Management and Budget. She has published articles in numerous national and international publications, including Canada′s Public Sector Digest.

PRAISE FOR ENTERPRISE RISK MANAGEMENT

"We applaud Dr. Hardy′s latest contribution to the field of enterprise risk management. Her book, which expands on earlier work done for the IBM Center, provides a thorough foundation for public managers to appreciate and act upon the challenges they face, no matter at what level of government. Her book serves as a sorely–needed resource guide for busy executives, offering real–life examples, best practices, and different models for use."
—Daniel Chenok, Executive Director, IBM Center for the Business of Government

"C. W. Ceram once wrote: ′Genius is the ability to reduce the complicated to the simple.′ With this quote in mind, I have often found the topic of Risk Management and the related readings to be quite complicated to grasp and implement. Then along comes Dr. Hardy and her book, Enterprise Risk Management. She is a risk–management genius in that she takes this challenging concept and helps the reader to truly understand Risk Management and how to implement a solid Risk Management Approach."
—Christopher P. Neck, Associate Professor of Management, University Master Teacher, Arizona State University

"Dr. Hardy provides public sector professionals with a much–needed, comprehensive resource manual on the adoption of Enterprise Risk Management as a modern managerial tool. Through effective and practical advice, she does an excellent job of guiding readers through a step–by–step process, focusing on how to strengthen decision making at the strategic level."
—Stefano Losi, Enterprise Risk Management Programme Officer, United Nations, New York∗

∗The views expressed herein are those of the author and do not necessarily represent the views of the United Nations.