Enterprise Risk Management
A Guide for Government Professionals

Enterprise Risk Management: A Guide for Government Professionals is a practical guide to all aspects of risk management in government organizations at the federal, state, and local levels. Written by Dr. Karen Hardy, one of the leading ERM practitioners in the Federal government, the book features a no-nonsense approach to establishing and sustaining a formalized risk management approach, aligned with the ISO 31000 risk management framework. International Organization for Standardization guidelines are explored and clarified, and case studies illustrate their real-world application and implementation in US government agencies. Tools, including a sample 90-day action plan, sample risk management policy, and a comprehensive implementation checklist allow readers to immediately begin applying the information presented.

The book also includes results of Hardy's ERM Core Competency Survey for the Public Sector; which offers an original in-depth analysis of the Core Competency Skills recommended by federal, state and local government risk professionals. It also provides a side-by-side comparison of how federal government risk professionals view ERM versus their state and local government counterparts.

Enterprise Risk Management provides actionable guidance toward creating a solid risk management plan for agencies at any risk level. The book begins with a basic overview of risk management, and then delves into government-specific topics including:

• U.S. Federal Government Policy on Risk Management
• Federal Manager's Financial Integrity Act
• GAO Standards for internal control
• Government Performance Results Modernization Act

The book also provides a comparative analysis of ERM frameworks and standards, and applies rank-specific advice to employees including Budget Analysts, Program Analysts, Management Analysts, and more. The demand for effective risk management specialists is growing as quickly as the risk potential. Government employees looking to implement a formalized risk management approach or in need of increasing their general understanding of this subject matter will find Enterprise Risk Management a strategically advantageous starting point.

Figures, Tables, and Exhibits ix

Foreword xi

Preface: Managing Risk in the Current Federal Environment xiii

Introduction 1

State of Risk Management in Government 5

How This Book Should Be Used 7

Emerging Risks Today 7

Top Government Risks 10

Criteria 11

Profiles of Select High-Risk Areas in Government 13

Chapter One Why Enterprise Risk Management? 27

Status of ERM in the Government 29

Limitations to ERM 30

Risk Management: What It is and Why It Matters 32

What is Risk? 33

Evolution of Risk Management 36

Traditional Risk Management versus Enterprise Risk Management 38

U.S. Federal Government Policy on Risk Management 41

Establishing an Agency Risk Management Policy 46

ERM Policy and Practice in Canada 48

Linking ERM and Internal Control 54

What Are the Standards for Internal Control? 55

Assessing Internal Control Structures 68

Overall Internal Control Summaries 68

Chapter Two Examples of Risk Management in the Federal Government 81

Health Risks 82

Security Risks 82

Financial Risks 85

Transportation Safety Risks 86

External Risks 87

Case Study: Applying Risk Management in Government: National Institutes of Health 89

Case Study: National Archives and Records Administration 95

Chapter Three Managing and Communicating Risk 105

Writing Risk Statements 111

Developing a Risk Statement 112

Inventory of Risk Statements 113

Risk Assessment Techniques 120

Chapter Four Risk Management Frameworks and Standards 125

Why Voluntary Standards? A Look at OMB Circular A-119 126

GAO Risk Management Framework 129

ISO 31000: International Risk Management Standard 135

COSO ERM Integrated Framework 138

OCEG Red Book 2.0: 2009 140

FERMA: 2002 140

BS 31100: 2008 142

An Expanded View of ISO 31000 143

Chapter Five Risk and Performance Management 151

Risk and Performance: Government 153

Managing Risk to Performance 157

An Expanded View of Strategic Risk Management 160

Risk and Performance: Private Sector 167

Standard & Poor’s ERM Analysis 170

Chapter Six Building a Risk Culture 173

Risk Culture Survey 177

Chapter Seven ERM Maturity and Assessment 181

ERM Maturity Models 181

The Role of the Internal Auditor in ERM 194

Case Study: The Public Safety Canada Audit of Integrated Risk Management 196

Chapter Eight ERM Core Competencies 209

ERM Core Competency Survey 209

Summary of Survey Results 211

Federal versus State and Local Government Views of ERM 216

Chapter Nine ERM Best Practices of Federal Agencies 223

Ninety-Day Action Plan 223

Sample Implementation Plan 224

Words of Wisdom 225

Chapter Ten Conclusion 227

Notes 231

Appendix: Index of Survey Questions and Responses 243

About the Author 279

Index 281

KAREN HARDY is an expert risk management professional with extensive experience in the public sector. Dr. Hardy is a co-founder of the Association for Federal Enterprise Risk Management and serves on the U.S. Technical Advisory Group for ISO 31000. She also worked at Citibank and The White House Office of Management and Budget. She has published articles in numerous national and international publications, including Canada's Public Sector Digest.