Risk Management in Government: An Oxymoron?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.  

 

Recent risk-management failures in Washington, D.C., show what happens when an organization that faces so many risks to the achievement of its mission fails to anticipate and manage them effectively.

The consequences can be dire. Loss of public confidence and widespread reputational damage can be devastating at any level of government, but especially when it occurs on a national or international scale.

Government auditors play a central role in fostering trust. Without them, citizens would lack credible insight into the soundness of the many inner workings of government. The professionals who audit federal, state, and local governments or other public entities must cope daily with career-threatening political risks from which private-sector internal auditors are largely immune.

The IIA’s 2011 Supplemental Guidance on The Role of Auditing in Public Sector Governance (PDF) offers considerable insight into public sector auditing and best practices. I also recommend McKinsey & Company’s excellent 2011 working paper, Strengthening Risk Management in the U.S. Public Sector (PDF), which lists seven risk-management challenges and offers five solutions. Although this paper was written from a U.S. perspective, I think the recommendations are universal.

Challenges:

  1. Mission myopia. Mission goals are often the primary — and sometimes the only — consideration.
  2. Top-level turnover. The average tenure in office for appointed executives in the federal government is less than two years.
  3. Political patronage. The appointed leaders of most public-sector institutions are often outsiders to those institutions. As a result, an agency’s most-senior leaders may not know the intricacies of the business and the institution, let alone the risk trade-offs involved in making critical decisions.
  4. Separation of operating budgets from program budgets. In most public-sector institutions, the operating budget is separate from the program budget, which can lead to sometimes conflicting goals and objectives.
  5. Lack of clear metrics. In the private sector, risk-oriented metrics (such as risk-adjusted return on capital) provide a quantitative basis for making risk trade-off decisions. Such return-related metrics are less clear in the public sector because most government institutions have both financial and mission objectives.
  6. Complex procedural requirements. Effecting change in the public sector requires complicated approval processes involving many internal and external stakeholders. Thus, public-sector institutions tend to be less nimble and flexible.
  7. Limited risk culture and risk mindset. Government workers are usually motivated primarily by the mission of their organization, and they often have the perception that the government could bail out their program should a risk event occur.

Recommendations:

  1. Create transparency internally and externally. Develop an understanding of the biggest risks the organization faces. Agree on what information is most relevant, gather it in a central location, take the time to synthesize it, and draw actionable conclusions.
  2. Develop a risk constitution. Which risks are you required to own? Which should you own? Which should you transfer or mitigate? Is your risk capacity aligned with your strategy?
  3. Start small. Initially focus on modifying a few core processes. Are critical business decisions made with a clear view of how they change your risk profile?
  4. Establish a dedicated risk-management organization. Are structures, systems, controls, and infrastructure in place for you to manage risk and comply with regulatory requirements? Is your governance model robust?
  5. Build a risk culture. Such a culture is rare in the public sector, but some agencies have taken significant steps in the right direction. This involves not only training front-line personnel, but adopting a tone at the top that reinforces and rewards the desired behaviors.

Almost every scandal I can recall involving a federal agency in the past 40 years has involved a lack of control or lack of implementation of internal controls to mitigate key risks. You want to make sure that the criteria and controls you design are fair and transparent, and that you don’t have the ability for any one individual or any group of individuals to decide that there is a different set of criteria by which they will view one group over another.

Internal controls are a means of mitigating the risks that can threaten an organization or keep it from achieving its objectives. I would like to get your thoughts on this issue.

Posted on Jul 11, 2013 by Richard Chambers


  1. Richard. We in the UK have similar problems with internal controls (http://www.accountingweb.co.uk/article/rail-franchising-excel-error-strikes-again/532450). I wonder if the underlying problem is that the political masters of government workers don't want to face risks. When risks occur, they are events. When Harold Macmillan (UK Prime Minister 1957 - 1963) was asked by a journalist what can most easily steer a government off course, he answered ‘Events, dear boy. Events’. Politicians don't like risks because they are unexpected. However, instead of trying to build a risk culture they take the usual politicians' way out of ignoring them. ('Don't give me problems, give me solutions!'). There have been attempts in the UK to set up a risk culture. In 2004 the Treasury Department issued the 'Orange Book: Management of Risk - Principles and Concept' and the public sector internal audit standards are based on the IIA standards. (http://www.internalaudit.biz/weblinks/linksinformation.html provides the links). I believe your recommendation to build a risk culture is the most important, but needs to start with the politicians.
  2. Good to read such a good article from your side. Willing to have more articles also.

  3. Please allow me to elaborate on your statements:

    "Political patronage. The appointed leaders of most public-sector institutions are often outsiders to those institutions. As a result, an agency’s most-senior leaders... " appoint their families and relatives in the company, change the HR policy to include families and relatives up to the second degree (instead of the fourth degree).

    "You want to make sure that the criteria and controls you design are fair and transparent, and that you don’t have the ability for any one individual or any group of individuals to decide that there is a different set of criteria by which they will view one group over another." (When those appointed are related to the most senior leader, they can and will have a different set of criteria by which they will be viewed over another.)

    We are a long way towards creating a risk culture.