Don't Delay - The Time Has Come to Use the Full Potential of Enterprise Risk Management to Reduce Costs and Enhance Program Delivery

Article excerpt

All levels of government are grappling with budget constraints and long-term fiscal paths that are widely recognized to be unsustainable. Governments are challenged to be more effective to meet the expectations of the public while addressing stark fiscal realities. Finding ways of doing more with less is of utmost importance.

An area for potentially significant savings is the elimination or streamlining of processes that divert staff from constructive, mission-oriented activities or delay and burden systems without yielding tangible operational or accountability results. By applying an enterprise risk management (ERM) framework, agencies can facilitate "cost take-out" by focusing attention on the highest priority risks, and thereby identifying less important issues that may warrant less scrutiny. ERM can also help identify weaknesses or gaps in controls that could lead to ineffective and inefficient program delivery, and/or fraud, waste or abuse.

This article explores ERM in government from the perspective of:

* An answer to the question "Why ERM?"

* Application of the ERM framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)1 to government.

* Key aspects of successfully implementing ERM and the role of the CFO.

* The concept of "risk appetite."

* How ERM can reinforce and benefit from fraud risk programs.

* The importance of remediation to capitalize on the ERM process.

Why ERM?

ERM was introduced as a management concept in 1974 when a Swedish state risk manager, Gustav Hamilton, identified four elements that are inextricably connected in a risk management process: assessment, control, financing and communications. He called this comprehensive view "the circle of risk,"3 and the concept has continued to evolve. In September 2004, COSO issued Enterprise Risk Management - Integrated Framework,4 a method to systematically consider and manage risk across an enterprise. COSO's premise is that "value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives." COSO's bottom line is that ERM "helps an entity get to where it wants to go and avoid pitfalls and surprises along the way."

The ultimate goal of ERM for government is twofold: remediate risks to acceptable levels, and eliminate unnecessary controls, processes and, ideally, costs. Potential benefits, such as improved services delivery, increased efficiencies and resource allocation, and cost savings are just some of those documented in the literature.

At the heart of ERM is a holistic, integrated, future-focused and process-oriented approach that facilitates the management of risk across an enterprise as opposed to looking at it only within siloed organizational entities. The ERM process focuses on "the right things" and can identify processes and procedures that do not measure up to the cost-benefit ratios defined by the entity. Governments can no longer afford to address issues entity by entity or program by program - an approach that can foster duplication, inefficiency and added costs. Governments cannot afford internal controls and management processes that are layered on top of each other without regard to cost and benefit to the entire organization.

ERM allows them to take an enterprise look at what is important and what isn't, what works and what doesn't, and where time, resources and dollars can be put to better use. Doing so will be essential, since - if the past is prologue - funds for agency and program administration, including CFO organizations, may be early candidates for budget cuts.

Risk can come in many forms and often extends beyond the fraud, waste and abuse arenas typically associated with managing risk. Similarly, ERM goes to the essence of agency missions, as evidenced in the Federal Managers' Financial Integrity Act (FMFIA) of 1982,5 which addressed this broader concept of management controls. …