The Office of Management and Budget has been promising for the last 18 months to change the way agencies measure and mitigate risk.
Whether in policy or through the update of Circular A-123, OMB has been working to require agencies to take an enterprise approach to risk management.
Well, within the next four-to-six weeks, we should get a look at what managing enterprise risk will look like across government.
Dave Mader, OMB controller, said May 13 at the CFO-CIO Summit sponsored by the Association of Government Accountants and AFFIRM in Washington, that the update to A-123 will come out by the end of June.
“We are introducing a new chapter requiring every CFO Act agency to implement over the next year an enterprise risk management (ERM) program,” Mader said. “When the circular comes out in the next month or so, the thing that will be interesting is ERM will not be the responsibility of the CFO. We talked with a group of assistant secretaries for management recently and they asked us not to tag the CIO or the CFO to own ERM. So the way we are describing it and implementing it is this is a C-suite responsibility and it should be embedded in how the department runs on a day-to-day basis. It needs to be owned by the leadership across the department.”
Mader offered me a clarification after his presentation on what he meant when he said ERM has to be owned by the C-suite.
He said each agency will make an individual decision about where enterprise risk management best fits within that agency. He said it could be the CIO or the CFO or the chief risk officer, or some other senior executive, but every agency will have a set of requirements they must follow as they implement ERM.
The concept of managing and mitigating risks is not new, but it is growing across the C-suite.
CIOs have long talked about cyber risk. CFOs talk about financial management risks.
The focus on and discussion around risk also comes into play as agencies implement the Federal IT Acquisition Reform Act (FITARA). CIOs, CFOs, chief acquisition officers and chief human capital officers are collaborating on decisions to fund programs.
Luke McCormack, the Homeland Security Department’s CIO, said agencies need to take calculated risks about where to make investments, and that is how FITARA is opening up the lines of communication and collaboration.
Jon Holladay, the CFO at the Agriculture Department, said FITARA is promoting more data sharing and collaboration.
“We are able to use that to make better decisions,” he said. “There are some projects that we changed the way it was executed or that we stopped because it was not executing like it was supposed to,” Holladay said. “FITARA has been incredibly useful for that.”
Mader said one other reason CFOs and CIOs will be connected at the hip in the long term is OMB is seeing more material weaknesses with agency financial statements.
He said in fiscal 2015 more agencies are struggling with IT internal controls and cybersecurity of financial management systems.
“That is proof that CFOs and CIOs need close integration and collaboration,” Mader said. “In order for us to accomplish what we want to, they need to work together.”
McCormack and DHS CFO Chip Fulghum, who also is the deputy undersecretary for management, demonstrated this close relationship recently to obtain millions of dollars more for the agency’s cybersecurity efforts.
Fulghum said in the months after the White House cyber sprint DHS recognized it needed to do more to address cyber vulnerabilities.
So he and McCormack brought the component CIOs, CFOs and mission owners together to review spending plans, and develop a model to score or rate the areas that were in most need of funding.
“We did the review through our enterprise architecture group and used a capability maturity model concept to describe and score the elements on a score of 1-to-5,” McCormack said. “Each element was based on risk of cyber, and we took input from the intelligence community, the National Protection and Programs Directorate, the Science and Technology Directorate and CIOs and chief information security officers from across the department.”
Fulghum said DHS then took the scores and put costs against them and came up with a plan which it presented to lawmakers.
Fulghum said in the final fiscal 2016 spending bill, Congress included additional funding for DHS cyber. He wouldn’t say how much more funding lawmakers approved.
Congress gave the CIO’s office $309 million in funding for 2016, which was $5 million more than the Senate approved and $1 million more than the House approved in their separate bills.
“Now our CIO, CFO, CAO team is putting that money to work to address our cyber risks,” he said.
Whether it’s FITARA or A-123, the C-suite is finding more reasons than not to work together to solve problems; to many, it’s about time.