December 7th, 2011

The following is a full transcript of FedCentral’ s interview with Debbie Fletcher and Mark Carey conducted by Jane Norris on December 7, 2011.

Jane Norris
Welcome to FedCentral brought to you by Deloitte, a program where executives and federal government leaders talk about the issues and initiatives that are making a real impact on the business of government today, to help government help America. Today, we’re talking about risk management and what federal leaders need to know to implement an enterprise risk management program. As agencies are struggling with their own set of unique challenges and issues, the agency leaders are thinking more strategically about finding innovative ways to run their organizations more effectively. So how can agency leaders get in front of risk before they become a news item, something that is sometimes good and sometimes is not so positive, especially for federal agencies?

Today, we talk about this issue with Mark Carey and Debbie Fletcher of Deloitte and Touche, LLP, and thank you both for joining us today.

Mark Carey
Thank you.

Jane Norris
Nice to see you. Mark Carey is currently a partner in the federal market leader of the government’s regulatory and risk strategies practice at Deloitte and Touche, LLP. He has more than 17 years of risk management and compliance experience and Debbie Fletcher is a principal and business risk services leader for Deloitte’s federal audited enterprise risk services practice at Deloitte and Touche, LLP. She’s also been recently appointed as a global public sector enterprise risk services leader where she’ll help with global industry and sector strategies. Debbie has more than 25 years of experience with financial and risk management disciplines.

So welcome to both of you, and let’s start with you, Debbie. Let talk a little bit about risk management and what federal agencies need to know about the climate that requires more risk strategies.

Debbie Fletcher
Well, there’s a variety of programmatic challenges that the federal leaders have always faced and to some degree, it’s likely they’ve been managing some risks, intentionally or unintentionally. However, the challenges are becoming more complex and the changes are happening at a greater pace. Federal leaders are finding the need to be more in front of these challenges with this less predictable future using a more robust and implementable approach to risk management will certainly help. Even at the recent federal enterprise risk management summit, several government leaders spoke about how risk management will become fundamental to how the government operates.

For example, this’ll apply to the approach of making funding decisions. Leaders will want a more thoughtful and systematic approach of risk and how these risks could impact accomplishing critical mission objectives. Agencies and programs that can more clearly connect their budget requests with risk will do better as they face these looming budget cuts.

Mark Carey
And Debbie, I remember at that conference where some people were talking about the fact that as people do better in the budgeting process that other agencies will see that and then risk will become even more of a mainstream topic in the future and in the subsequent budget cycles.

Jane Norris
So talk about risk. I mean, just talk about it as a discipline. What is it? What does it mean to federal agencies?

Mark Carey
Sure, well, I mean, the concept of risk goes back a long time, and really at the very core, you’re talking about the likelihood and consequence of some type of event that would have an adverse effect on your agency, on your department, your program, and what does that mean? What’s a consequence? Well, we could think about the damage to the reputation of the agency, to the leaders within that agency. You can think about financial losses or additional expenditures that were not planned for in the budgeting process, or even in many cases in the federal government, you can think about the fact that lives are put at risk when things go wrong and when mistakes are made in the federal government.

Jane Norris
All right, those have serious consequences and that is a sort of a strategic plan, then, that agencies sort of set out for themselves based on you know, what might work or what won’t work. So does it have a name? It’s I believe enterprise risk management is the term? Explain that. Explain what that is.

Debbie Fletcher
Yes, enterprise risk management or what we call an ERM is a systematic way to understand and mitigate the greatest risk that could impact the ability of an entire organization, a department, an agency, or even a program to accomplish its mission. So at the highest level, the risk management process is straightforward. There’s four parts – simply identify the risk; to assess and measure risk, three, control and manage risk; and four, monitor and report the risk. However, when actually using this risk management process, there are many challenges that make it harder than it sounds to actually implement and operate effectively.

Mark Carey
And some of those challenges, Debbie, come from the fact that you’re trying to manage a whole portfolio or a whole bucket of risk across the entire department and there’re different types of risks. They all have their own ways of fbeing defined and being managed, so if you’re going to try to manage that portfolio, manage that group of risk, how do you do that consistently across your entire organization, and that’s kind of where the Genesis that was the start of this term enterprise risk management. How do we pull it together? Instead of thinking about each risk by itself, how do we pull it together across your entire program?

Jane Norris
So is this a relatively new concept for federal agencies?

Mark Carey
It is relatively new. It’s relatively new in the private sector, as well. It’s really only been the last 20 or so years where people have started to think hey, let’s think about risk in a more holistic way. It’s almost like the evolution of strategy. If you go back years before when strategy started to become a common business topic or approach to managing and getting priorities on what has to go right. Enterprise risk management is almost the flip side of that coin. It’s like the process of what do we have to do to make sure things don’t make mistakes or lose out on opportunities to deliver services based on adverse events.

Jane Norris
So give us some examples of key risk issues that federal agencies might face, Mark.

Mark Carey
Well, you know, really does go across a wide range of things. Every two years, GAO issues the high risk report and this past year, I think there were over 30 programs that were listed in that report, but if you step back and look at what are the themes that emerge? What are some of the common risk you find in the federal government space? You have things like management effectiveness, program integrity, the fraud – and fraud way and abuse related issues. You have things related to failures to protect the safety and security of the public. Acquisition risk is another key topic. So those are some of the things that emerge when you look at it across a federal government.

Jane Norris
So is it more like a program management issue? Is that kind of what risk management is?

Mark Carey
Well, risk management can be applied at any level, and when we talk about enterprise risk management, we’re talking about whatever the scope is. If you’re just talking about a program, if you’re talking about an agency, a department, or even the entire federal government, the question is how do you get that complete view? How do you get that line of sight, whether the risk is emerging in a program, in a functional office, in a certain geography or a certain type of thing that the government – a process or thing the government’s doing. How do you get a line of sight into what those risks are and make sure they’re being addressed and make sure that they’re being managed?

Jane Norris
And so is that related to program integrity? Debbie, is that something that has a relationship to what Mark is talking about?

Debbie Fletcher
Well, let me start with the view of taxpayers when we talk about program integrity. We can agree, right, that the taxpayers have high expectations, that the resources they entrust to the government will be used to provide maximum value with minimal waste or even better yet, no waste, fraud, or abuse. Federal oversight policy strives to ensure that fraud and abuse are identified in- what I’ll say is a controlled environment. Controls are put in place to mitigate the issues and prevent intentional or unintentional abuse. So now program integrity is the step after controls. Now we’re addressing the waste. Program integrity has the intention of ensuring that the taxpayer – that the federal programs provide the maximum value to achieve their missions with minimal waste. Ideally, the goal is for the agencies and the programs to achieve the highest intent of their mission as efficiently as possible and prevent that fraud and abuse.

Using risk methods and tools is one way to help achieve this goal. A risk-based approach to achieving program integrity can be used to assess a program’s current state and then implement the methods and tools to increase that likelihood of achieving the program’s highest intent.

Mark Carey
And Debbie, if you look at a program, often times we’re talking about program integrity and some of the risk-based methods that Debbie talked about. If you kind of step up a level and go to an operating division or an agency or even a department where you have a lot of programs and there’s risk kind of occurring in all of those, often times the term enterprise risk management is being used to understand how you get your arms around not only what’s happening at a program level and some of the program integrity issues but some of the broader risk issues that we mentioned earlier on.

Jane Norris
So agencies can really use risk technology and risk strategies to make determinations about how they will spend or what they’ll act upon. Is that kind of the idea here?

Mark Carey
Well, absolutely, and really risk management in some ways is no difference than any other business or management discipline that’s being applied in the federal government other than the topic is risk. So as this discipline has evolved and emerged, you have new risk tools, you have new methodologies, you have new approaches, and so one of the things we see happening in the federal government is the application of those approaches. In fact, some of my federal clients have told me we don’t even want to hear what’s going on in our peer federal agencies. We want to know what the private sector’s doing and how are they applying these concepts to the federal space.

Jane Norris
So talk a little bit about that. I mean, obviously federal managers are very interested in overlaying best practices from private industry you know, to put to work in the federal government. So is that what Deloitte brings to bear here?

Mark Carey
Oh, absolutely. I think one of the reasons that some of our clients are working with us is because we have such broad access to what’s happening in the private sector. We have this wide range of clients that give us that insight, but it’s within the context of federal. I mean, it’s one thing to say hey, here’s what the private sector companies are doing, but you have to be able to then say okay, now let’s think about how that applies here in federal and what are the things that will work, and how can we manage risk better but still recognize some of the limitations and some of the requirements that go along with being a federal leader.

Jane Norris
Okay, and some of that would, I assume, mean that a person at an agency or program manager, whoever it is, would become the risk sort of leader or the person who takes that under their control. Are there, at this point, chief risk officers at federal agencies, Debbie?

Debbie Fletcher
Well chief risk officers are sometimes called CROs have been around in the private sector for quite some time, and yes, now you’ll see a number of CROs at federal agencies, as well. Even if there’s not a CRO, several agencies have established department-wide risk policies which will lend itself to creating a central risk office. We’ve talked about this challenging environment in the federal government right now. Budget constraints are requiring federal leaders to make almost impossible decisions on where to spend money and yet still achieve their missions. So we believe that the federal agencies will be forced to make a thoughtful and systematic approach to look at their risk across the organization. Creating this central office will be essential to accomplishing an enterprise-wide view.

Mark Carey
And the questions that they are considering – that our clients are asking us who are considering chief risk officers is who would the chief risk officer report to? Where would you place that person within our department? How big is the staff? What are the roles and the decision rights and the authority that a chief risk officer would have? What’s the budget? What’s the operating model? Is that chief risk officer making decisions or are they advising the other leaders and just bringing transparency into the risk issues? I don’t think there’s any – well I know there’s no one right answer. It has to be fit for the particular situation, the particular mission, and the particular structure of any agency or program.

Jane Norris
Well, we’ll talk more about that when we return, but let’s take a quick break here and be back in just a moment. You’re listening to FedCentral on Federal News Radio 1500 AM. We’re talking about risk management and what federal agencies need to know with Mark Carey and Debbie Fletcher of Deloitte and Touche, LLP. Back in a moment. This is FedCentral. I’m Jane Norris.

Welcome back to FedCentral brought to you by Deloitte. Today we’re talking about risk management, what federal agencies need to know in order to implement a risk management strategy. We’re talking today to Mark Carey, a partner and federal market leader in the government’s regulatory and risk strategies sector for Deloitte and Touche, LLP, and Debbie Fletcher. She’s a principal in the business risk services area and a leader for Deloitte’s federal audit and enterprise risk services practice for Deloitte and Touche, LLP. So – so let’s pick off where we left off and talk about what some of the key risk issues are that federal agencies are facing, Mark.

Mark Carey
Well, some of the key risk issues that we talked about a little bit earlier related to this wide range of risks that they face which really can be strategic or operational or security-related, etc., but I think one of the things to really think about is if we’re going to do an enterprise risk management-type approach, if we’re going to do more of a centralized type approach, what are some of those challenges that you typically see, and as we mentioned earlier, everyone has their own definition of risk. People have their own language or way in which describing types of risk. Risk is required. You have to manage risk that cuts across multiple functional or organizational silos. Sometimes people have to collaborate that where the programs that they operate in or the functions they are responsible for. I mean, they don’t even get along or they don’t even talk and so now you’re kind of forcing them to collaborate and deal with a risk issue that might cut across both of their functionals or their functional or specific responsibilities.

And then you start to get to well, as we identify risk, how do we know which are the most important ones? What’s the best way to figure out the relative priorities between those risks? How much money should we spend or budget in order to manage or mitigate those risks, and then how do we allocate that limited pool of money between the risks and then finally, what’s the consequence if we miss something? What happens if we prepared and how do we address it if something major happens that we did not prepare for specifically?

Jane Norris
All right, so these are certainly questions that have arisen before maybe in the private sector. Are there some pathways that have been forged already, Debbie? What about the private sector? Is there some insights that can be brought to the federal sector from the private sector?

Debbie Fletcher
Yes, we’ve actually mentioned one earlier, and that’s what we’re seeing a trend toward establishing enterprise risk function or an office. Typically these are led by a chief risk officer, CRO, or similar title like a risk management officer. There are other trends. One is implementing department-wide risk management policies or another is using risk modeling and simulation tools, and probably the most interesting development is the idea of thinking about risk tolerances or risk limits in decision-making. While federal leaders are dealing with the challenge of less resources, there’s a newer concept forming of doing less with less, not necessarily more with less.

Talking about risk tolerances provides managers the ability to decide how much risk can they accept while still accomplishing their mission or objectives.

Mark Carey
And on that question around risk tolerances and limits, a lot of times it’s something that’s implicit. It’s never stated out loud and there’s kind of this cultural understanding but when it comes time to actually execute on that and to really make decisions when someone is faced with a new challenge or if you have a rapidly changing or a dynamic environment you’re operating in, it makes it really hard to apply that concept of risk limits or tolerances because you’ve never made it explicit, so one of the things that we’re seeing organizations do is take the implicit and make it explicit. How much risk can we take on and what do we absolutely have to avoid or manage?

Jane Norris
Right, so there’s a way to actually model this. An actual tool that will allow agencies to see the risk that they’re taking on and what are the benefits or I guess the adverse effects might be. So something called risk analytics or risk modeling simulation? Talk about that, Mark.

Mark Carey
Sure. Well, if you think about how much data the federal government has, maybe it has more – it probably has more data than any other organization around.

Jane Norris
I think that’s right.

Mark Carey
Well, how can you look at that? What is the analysis you should do or the analyses you should do that allow you to identify trends that allow you to make connections or correlations or relationships between these different pieces of data that inform your understanding of risk? So that analysis gives you a better picture. The better you understand it, the better you can make decisions.

Now sometimes – in fact, in many cases with the big challenges that the federal government has to address, particularly those types of challenges where there’s a system-wide effect. So think about the financial system or where there’s a lot of different pieces that have to come together that are maybe outside of your direct control. This requires often times more than data because the data that you have is incomplete and so modeling and simulation tools and approaches are used, and this is really the whole idea around risk modeling is to use math in a way to define what the system looks like and once you get that system defined in a model, you can then manipulate it. You can do different things to see how it reacts, particularly for high risk area related to saving, security, or natural disasters, or the financial system. We can’t kind of play with the real world to learn and get better. We have to experiment with a model to see what those second and third order effects and consequences are.

And so the idea behind risk modeling is simulation is that it provides that micro world, that environment, in which you can better understand risk. You can look at the different scenarios. You can run your scenario analysis, and then you can apply different risk mitigation approaches to kind of come up with a what’s the right approach or what’s the best way that we can understand to manage this particular type of risk.

Jane Norris
That’s interesting. So essentially, you can plug in solution A, solution B, solution C, the costs of A, B, and C, and then determine whether A is the best scenario or a combination of A and B or B and C. Is that kind of the idea?

Mark Carey
That’s exactly right, and it’s kind of in a low risk environment, if you will, because you’re playing in a virtual world and you’re getting to test out those different scenarios and particularly in kind of the constrained environment that we’re looking at in the future, being able to look at your budget, look at how you allocate that money, and what are some of the potential effects, and how might that impact your ability to achieve your mission or to meet your objectives is really a large part of what we’re talking about.

Jane Norris
Okay, so Debbie, how do agencies get involved? How do they take their first steps to an enterprise risk management program?

Debbie Fletcher
Well we mentioned earlier developing and common understanding of risk and risk framework, etc., are very critical. The challenge of gaining the organization’s buy-in and commitment to any process also applies to ERM. ERM can represent a significant transformation of how an organization thinks about risk and therefore usually requires up-front conversations, the involvement of key stakeholders.

Mark Carey
That’s right, and so often times, the way that you really then take that to the next level that we see organizations saying here’s how we’ll get started – really, two things. One is what’s our current capability? What are the systems and the structures, the process, the modeling, the analytics, all those different pieces? Kind of forget what the type of risk is but how good are we at managing risk, in general, and if we want to get to the next level, what are those infrastructural or process or tools that we need to put in place. That’s the first.

Then the second dimension is okay, what are out top risks? What are the top ten or fifteen risks? Do we have someone assigned to be responsible for those, and how good are we doing at managing those specific risks? So if you take our general capability around risk and then what are our top risks and how good we are at managing those? That typically provides a pretty good road map for how you want to move forward. You want to make sure you address some key priorities as well as plan for the future and build the structure that you need to successfully manage risk into the future.

Jane Norris
Okay, so there must be some challenges involved in getting all of this implemented. It sounds like agencies would really need to provide very specific kinds of data in order to get the output that they’re looking for. Is that right?

Mark Carey
Well, that’s right, and just like any other program, there are always challenges with moving forward. Finding the right business case for your agency. What is the low hanging fruit? What are the risk challenges that we can address in the short term so you can get some kind of quick hits, build some support for your leadership team, build support from your stakeholders so that you can move forward to a more sustainable risk management capability.

Jane Norris
So if you’re making those decisions and you’re trying to make those determinations, you know, what agencies really need to take into consideration in order to enter into the possibility of an enterprise risk management program?

Mark Carey
Well, I think as we talked about a couple minutes ago, the idea of understanding the key risks, so if you think about someone going through and you know, most agencies or programs have hundreds of risks that could affect them, so you need to get your arms around what are the critical few?

Jane Norris
What areas in your agency really need the attention? What areas you really have to make evaluation decisions that need some assistance in order to do that. That’s kind of what I’m getting.

Mark Carey
Right, and as you go down through that process, you will often get a lot of insight on what the structural issues are with how we think about and manage risk? Well, we never have the data we need. We’re always kind of relying on abgut feel or we have challenges in our department of talking openly about risk issues because there’s this fear of providing that transparency into what might go wrong. That’s kind of one side of it, and then looking at – at the systems. Do we have the right risk tools? Do we have the right methods that we’re using? Does our leadership understand and buy into it? Do we have the right culture that’s being set at the top of our organization, etc.? Those types of questions.

Jane Norris
All right, so those are important questions to be asked. So what recommendations can both of you offer federal leaders as they’re looking at the potential here for enterprise risk management? Debbie, I’ll start with you.

Debbie Fletcher
Well, identifying the most critical risks that could impact the mission, and I think Mark just talked about that. That seems to be very key; also, allocating the limited budget and resources to mitigate those risks. Thinking through all those problems is really important up front early and making sure that there’s department wide buy-in to those decisions

Mark Carey
And then also making sure that as the things that Debbie talked about, but getting that integrated into how you manage your organization, how you look at strategy, how you measure performance, how you do your budgeting process, making sure that risk is a consideration. The idea of risk is not that it slows down. It’s not that it prevents you from doing the things that you need to, but the better you understand it, the better you can clarify and articulate what the issues are that we have to address, the easier it is to manage those risks by providing that transparency. We have a set of principles, our nine principles that we think really cut across all organizations. We’ve just revised those and released those for the federal marketplace so those will be available for people to look at and use those as a guide to how should we think about risk and what are some of the key principles we should try to adopt into our organization.

Jane Norris
And all of that data and material will be available at federalnewsradio.com on the FedCentral site, and we’ll certainly direct you to the Deloitte site, as well. So thank you both for joining us today to talk about this issue, risk management and what federal agencies need to know to think about a risk program for themselves.

You’ve been listening to FedCentral on Federal News Radio 1500 AM. I’m Jane Norris. Thanks so much for joining us.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.