Two years before the Office of Management and Budget released the updated A-123 to include Enterprise Risk Management guidance, the Transportation Security Administration was experimenting with implementing its own ERM system. Now, as OMB establishes governmentwide risk management, TSA has lessons learned, challenges and metrics to share with other agencies to help ease implementation.
Most organizations come to ERM through financial risks and auditing procedures, said Marianne Roth, branch manager for the Office of the Chief Risk Officer at TSA during a July 28 webinar. But TSA was different, taking a security-based approach to implementing ERM instead.
“We were very focused on ensuring that ERM was built-in rather than bolted on,” Roth said. “We didn’t want it to be perceived as just a trend or something that could be waited out. We really wanted to build it into the core of the organization and how the organization approaches decision-making, approaches resource allocation, approaches all of its operations.”
TSA followed four guiding principles to ensure they achieved this:
It used a systematic approach custom-tailored to the agency.
It focused on a culture change, starting with building the capacity to implement the changes.
It established a common framework throughout the agency to ensure consistency among different units that had unique responsibilities while still remaining flexible.
It established a value proposition up front in order to increase organizational buy-in.
Roth said the first step was to change perceptions about risk within the agency.
“Risk is not something to be afraid of. It exists,” she said. “Not all risk can be eliminated, and the goal of ERM is not even to eliminate all risk. It is to effectively prioritize your responses to the most pressing risks facing your agency.”
Instead, she said, TSA focused on ERM’s potential to help agencies organize resources.
“We thought that ERM would help us better align our activities to ensure that we can achieve our strategic objectives,” Roth said. “So we thought of it as a very effective means of improving decision-making and governance of the organization, allowing for more objective budgeting, and increasing the transparency throughout the organization.”
TSA created an ERM structure to help improve organization and consistency within the agency. The Executive Risk Steering committee oversees all risk management operations throughout the agency. The ERM team then provides a unified approach to risk management throughout the agency. Finally, the program offices maintain ownership of the risks and manage risk on a daily basis.
Meanwhile, the Office of the Chief Risk Officer focuses on building organizational capacity and understanding of risk across the agency. It’s done this by providing training to the workforce and creating core competencies. It’s included ERM in employee performance plans, holding individual employees accountable for managing risks in their offices.
It also established a risk-owner who reports to the CRO office on a quarterly basis and is responsible for risk management in their own offices.
Finally, it provided tools to identify, track and quantify risks in different offices.
The first activity CRO Ken Fletcher undertook in creating the system was to establish a baseline for risk management within the agency. He and the ERM team developed a risk management maturity model based on four dimensions of risk:
Taking these dimensions into account, they created a five-stage model to use as a means of measuring agency progression, ranging from “ad-hoc” to “strategic.” In 2014, they judged TSA to be in the second, “fragmented” stage, meaning that risk management functions independently within business units, and the types of risk are limited to hazard, financial and compliance.
They set a goal to bring the agency up to level three – “comprehensive” – by the end of 2016. Roth said TSA has already reached that goal ahead of schedule, meaning the agency’s risk management is enterprise-wide; encompasses all risk types; that common standards, tools and techniques are being used; and that risk appetite and tolerance are set for all types.
TSA set its new goal at level four, wherein risks are treated as a portfolio and are correlated and aggregated, by 2020. Roth said it’s an “ambitious but achievable” goal.