Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Building the Hybrid Cloud
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Future of Government Data Centers
- The Future of IT: How CIOs Can Enable the Service-Oriented Enterprise
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Targeting Advanced Threats: Proven Methods from Detection through Remediation
- Transformative Technology: Desktop Virtualization in Government
- The Truth About IT Opex and Software Defined Networking
- Value of Health IT
- Air Traffic Management Transformation Report
- Cloud First Report
- General Dynamics IT Enterprise Center
- Gov Cloud Minute
- Government in Technology Series
- Homeland Security Cybersecurity Market Report
- National Cybersecurity Awareness Month
- Technology Insights
- The Cyber Security Report
- The Next Generation Cyber Security Experts
Shows & Panels
Monday - Friday, 6-9 a.m.
Agency blunders put spotlight on risk management
Thursday - 6/26/2014, 4:51pm EDT
They've also highlighted the importance of better risk-management planning by agencies, current and former federal officials told Federal News Radio as part of a special discussion on risk management.
But the art and the science of "preventing bad things from happening," as former VA and Internal Revenue Service official Todd Grams describes risk management, remains a mostly low-profile practice in government.
"When you look overall at the relative state of risk management in the federal government, it's relatively immature," Grams said during a special panel discussion on risk management hosted by the Federal Drive with Tom Temin and Emily Kopp. "It's a relatively new concept to the feds, not like IT or financial management, which have both been around for decades."
It's only recently that organizations like VA, the IRS and the Transportation Security Adminstration "have gotten on board the risk-management train," said Grams, who's now a director at Deloitte. More recently, Treasury and the Centers for Medicare and Medicaid Services — itself no stranger to controversy following the botched rollout of the HealthCare.gov site — have both recently posted job announcements looking for chief risk officers.
"I think the good news is the trajectory is heading in the right direction," he said.
Risk-management a double-edged sword
So, what exactly is risk management?
"It's knowing what risks are out there and deciding, risk-by-risk, whether or not the risk is small enough to accept and live with or whether it's large enough that it could actually have a significant negative impact" on an agency's ability to meet its mission, Grams said.
Risky areas for federal agencies range from high-profile mission areas, such as responding to natural disasters, to lower-key, day-to-day federal management issues that only become more widely known when things go haywire — such as project-management and federal IT.
"Many people are cognizant of the issues that came about when the Affordable Care Act was rolled out," said Beryl Davis, the director of Financial Management and Assurance Issues at the Government Accountability Office.
Members of the panel discussion with Federal Drive co-hosts Tom Temin and Emily Kopp. From left to right: Tom Temin, Beryl Davis, Danny Werfel, Todd Grams and Emily Kopp.
GAO reports on the areas most at risk for waste and fraud when it compiles its High Risk List every other year. In recent years, GAO focuses on governmentwide areas of concern, such as improper payments, which totaled nearly $106 billion last year alone, as well as grant management and federal contracting, Davis said.
But robust risk-management isn't only about reducing risks. It's also about knowing when to take them, Grams said. Fail to take any risks at all and agencies risk falling behind the innovation curve. But take too many risks and agencies could be left without a net when things go wrong.
"Organizations create value by taking risks and they lose value by failing to manage them," Grams said.
From GSA to IRS
For Danny Werfel, a longtime Office of Management and Budget official who later went on to serve as acting IRS commissioner, the risk-management "wake-up call" was the 2012 scandal over wasteful spending by the General Services Administration. The GSA Inspector General uncovered wasteful, over-the-top spending on a 2010 Las Vegas training conference. The ensuing scandal led to the resignation and firings of a slew of top agency officials.
"It inspired me, for example, to want agencies to embed more risk management into their practices, so they were aware of these different types of issues that can do so much damage to citizens' trust in government," said Werfel, who's now the director of Boston Consulting Group's public-sector practice.
But the GSA scandal, it turns out, was only the first in what would be a series of agency blunders pointing to the need for more robust risk-management.
About a year after the GSA shakeup, revelations of improper targeting of conservative groups applying for tax-exempt status rocked the IRS, again leading to the resignation of the head of the agency and outrage on Capitol Hill.
Soon after, President Barack Obama tasked Werfel with temporarily leading the agency.
"We, very quickly, were able to diagnose very significant risk-management deficiencies within the organization," Werfel said.
Leaders need to be aware of emerging risks
Among the most glaring gaps in the agency's risk-management approach: a lack of communication between leadership and employees throughout the IRS's diffuse network of field offices.
"There wasn't either a culture or a process for those business units to push risks up to the leadership and say, 'Here's where we're having a problem. Here's where the issues are emerging,'" Werfel said. "And it's a two-way street. We also saw that the IRS, over the past several years, in the commissioner's office were not reaching down into the organization proactively to pull the important risk information up."
A good risk-management strategy means leaders are remaining aware of emerging risks, Werfel said.
"Leaders are there to help solve problems," he said. "If they're leaders, chances are, they're very smart and good at solving problems. That's how they got to be a leader, so you want that type of brainpower in the room."
There are also very practical considerations for making sure agency leaders aren't insulated from potential trouble spots.
"They can change policies; they can move resources around; they can eliminate barriers to help business units and organizations manage their risk more effectively," Werfel said. "And if they're not aware of the risk, then they can't take all those raw materials and all that authority and put it to bear towards solving problems."
VA lessons learned
The VA, embroiled in its own widening probe into long wait times faced by veterans seeking care, is learning similar lessons now about the importance of communication in a large organization.
"Whether it's VA or another nationwide-footprint federal agency, you have to have a culture where people have the psychological safety to feel like and know that they can speak up if they see something wrong and they will be listened to and that that will be acceptable," said Grams, who led the VA's Office of Management for three years beginning in 2010. "You also have to have the systems, and processes and policies — the machinery — in place, if you will, so that as risks are developing, people will identify them."
VA also didn't appear to take into account all facets of risk when it implemented a "stretch goal" of not making veterans wait more than 14 days to see a visit. According to the VA's IG, staff at VA medical centers routinely manipulated wait-list data to make it appear as if veterans saw doctors more quickly than they actually did in order to meet those steep goals.
"When you're setting a stretch goal and you're applying a lot of pressure from the top to hit that stretch goal, what are the secondary risks you could actually be creating by setting it as a stretch goal and putting pressure on the organization to hit it?" Grams said.