Leading Insights Blog

Using Value to Drive ERM Adoption

Kearney & Company Internal Controls and Enterprise Risk Management (ERM) Practice Group

As OMB A-123 continues to change, Kearney’s understanding of ERM adapts and evolves with it.** Most importantly, ERM requires agencies to understand internal and external risk from a global perspective, rather than considering them in a vacuum.*** This requires agencies to proactively, rather than reactively, consider risks when setting strategy and performance management metrics, or executing budget formulation. Implementation requires identifying agency objectives, roadblocks, or accelerators. ERM allows agencies to detect risks across the full spectrum of strategic, operational, compliance, and reporting objectives, ties them directly to mission delivery, and then engrains risk management processes into the fabric of the organization. However, the enhanced value that ERM brings to daily agency activities should be highlighted to drive ERM adoption and motivate agencies to adopt a risk-aware culture that supports effective risk management.

Why is ERM Implementation Relevant Now?

ERM supports the President’s Management Agenda (PMA), and the Administration’s push to focus on a risk-based approach to strategic planning and the enhancement of data quality and transparency in decision-making. ERM supports these initiatives by emphasizing the importance of implementing risk management processes and systems to identify risks and challenges early on. A mature ERM program not only provides agencies with better information for decision-making, but also provides better insight for the prioritization of resources.

The Administration’s initiatives also reinforce the objective of the regulations supporting Circular A-123 guidance, Federal Managers’ Financial Integrity Act (FMFIA) and the Government Performance and Results Act Modernization Act (GPRAMA). Robust internal control and performance management processes, coupled with ERM, will support the Administration’s commitment to improve the efficiency and effectiveness of the Government.

The Federal ERM Playbook encourages the adoption of an ERM framework such as those developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) or the International Organization for Standardization (ISO) 31000. These frameworks highlight ERM’s ability to assist with setting high-level strategies across the entire enterprise. ERM facilitates the identification of possible events (e.g., positive or negative) that may affect an agency objective and supports an agency’s ability to adequately mitigate or monitor those events.

Expanding regulations and legislation, resource limitations, and the rising likelihood of major risk events have pushed ERM to the top of agencies’ to-do lists. A recent survey jointly administered by the Senior Executives Association (SEA) and Association for Federal Enterprise Risk Management (AFERM) found that 20% of Federal agencies had experienced a significant crisis within the last three years, and 85% of agency respondents could envision a serious threat or disruption happening at their agency in the next 24 to 36 months.**** In recent years, there have been several major events that have had a reputational impact on agencies that could have been avoided by an effective ERM strategy. Failure to anticipate high traffic on Health.gov, underestimating the mortgage default rate, and increasing workloads in agencies that process claims for entitlement benefits are all risks that could have been identified and mitigated with the proper framework. The long-term effect of the reputational risk presented by these types of disruptive events include losing the American taxpayer’s trust. In fact, the increasing fear of government failure is a large reason for the recent emphasis on ERM and related increase in relevant regulatory guidance.

A Robust Response

What is the benefit of committing to a more robust ERM framework? Many agencies might ask, “Why not just meet regulatory requirements? Why should I go above and beyond?” It is true that reaching full ERM maturity requires an agency-wide commitment to many years of ERM implementation, but the commitment to a well-rounded and mature ERM program is the only way to maximize the value gained from the process.

A robust ERM framework transforms agency activities that initially focused on a single process or outcome and reframes them to better align with an agency’s strategic goals and objectives, as well as supports continuous improvement. In turn, this creates the ERM Value Cycle, allowing for comprehensive risk identification and measured response based on the criticality of the risk. Fully integrating the ERM framework with key agency functions (e.g., strategic planning, performance management, Information Technology [IT], internal controls) enhances insight into an agency’s data by linking them together.

A fully integrated agency eliminates “low value activities” and enhances the value of remaining activities. Other benefits of ERM adoption include:

  • Improved Planning and Decision-Making: Implementing an ERM framework allows agencies to identify the opportunities or challenges ahead as they relate to the external environment in which they operate
  • Increases Value of Internal Activities: Places value on the supporting administrative and operational activities performed to support the agency’s objectives and mitigate associated risks
  • Encourages Collaboration and Innovation: ERM forces individuals to talk about potentials risks, increasing the lines of communication across an agency and breaking down silos between different workstreams

Driving Adoption with Value

Even when understanding the array of benefits that ERM brings to an organization, many agencies find themselves stalling halfway through implementation. Many Federal risk practitioners are asking, “How do I drive adoption within my agency?” Adopting ERM is a long-term commitment that requires executive-level support, as well as significant buy-in from individuals at all levels of an agency. When discussing the benefits of ERM, managers often focus on those that improve the agency, and the strategic value created. This normally serves to inspire agency leadership, but we find that when communicating with the entire agency, highlighting the strategic value that can be generated by activities that are done every day, and the elimination of “check the box” activities to meet regulatory requirements can serve as a significant motivator in ERM adoption and drive acceptance across an organization.

The notion of day-to-day activities as “low value” is one typical among agency personnel but imagine a Federal employee who believes that all of their work is “high value” and crucial to the fabric of the agency. One in which there is no action that is done simply to “check a box.” How much more motivated would those individuals be on a daily basis? How about an agency that is “One of America’s Best Places to Work”? With Human Resources (HR) and staffing issues being a key risk across the entire Federal Government, a continuous focus on training and internal communications to create a “risk aware culture” within the agency and demonstrate to employees how important their work is can help to drive ERM adoption and assist in motivating and retaining qualified staff.

Kearney brings a practical approach to help agencies leverage existing activities while addressing gaps in less-developed areas to lay the foundation for more effective ERM practices consistent with OMB Circular A-123. To learn more about how Kearney can assist agencies with ERM services, please contact Alyssa Fusisi, Principal ([email protected]) or call us at 703-931-5600.


* OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, July 2016; https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf

** OMB Circular A-123, Appendix A, Management of Reporting and Data Integrity Risk, July 2018; https://www.whitehouse.gov/wp-content/uploads/2018/06/M-18-16.pdf

*** OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, July 2016; https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf ; ERM is “an effective agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.

**** Getting Ahead of Risks Before They Become Government Failures: An Imperative for Agency Leaders to Embrace Enterprise Risk Management, June 2019; https://resources.aferm.org/wp-content/uploads/sites/2/2019/05/Getting-Ahead-of-Risks-Before-They-Become-Government-Failures.pdf

To top