
Trends in Federal Enterprise Risk Management

Workiva and The MIL Corporation discuss risk management at federal agencies
Shauneil Boyer
Manager of Solution Engineering
Published: December 15, 2020
Last Updated: August 8, 2023

Risk management was a hot topic even before COVID-19, but now more than ever, agencies need to consider their ability to identify and mitigate risk based on the ERM frameworks in place.

For real-world perspectives on what agencies can do, I spoke with Paul Marshall and John Hooley, Vice Presidents of The MIL Corporation (MIL), which provides services for financial management and systems, information technology, engineering, and cybersecurity to federal agencies. Both have experience using many technology platforms, including Workiva.

We talked about opportunities for agencies to use enterprise risk management (ERM) software and how risk reports are changing. Here are a few highlights from the conversation.


To help with transparency, Paul suggests publishing the risk appetite statement for your agency. In one document, agencies can answer several questions, like:

  • What is the agency's risk appetite?
  • What is the focus of attention? 
  • What is the likely response? 
  • How severe does the agency consider different threats and risks? 

"This is something that's becoming more popular in government, and there's some great ones out there. USAID has a really good one," Paul said.

Evangelize ERM programs within the agency, too.

"Appropriately accounting for internal stakeholders and engaging them in a thoughtful way is important as well," John said, since frontline staff really understand the challenges they're seeing on a day-to-day basis.

Cut through the noise

Paul said he has noticed ERM teams putting effort into making reports more impactful.

"I think there's a bit of information overload out there. Sometimes you get a 100-page report with all these things in there. It's just too much to really take in," Paul said. MIL recommends being thoughtful, efficient, concise, and precise to make your risk reporting as comprehensible as possible.

Include visuals, and break information into digestible chunks. Paul suggests following what the U.S. Government Accountability Office (GAO) does with its reports, which include an executive summary of what was reviewed, findings, and recommendations. Often, that executive summary is just one page long.

The nature of your agency's mission will also influence how you communicate and to whom, John noted.

It can be tricky to identify risks that seem unimaginable (hello, COVID-19). Paul and John recommend war gaming and scenario planning to help ERM teams determine what they would consider effective risk management strategies in real time.

"It is incredibly important and is worth the time, is worth the investment," John said. "It's not always nefarious actors or some kind of crazy pandemic that is what's going to drive issues in your organization. Sometimes, it's innocent things that you don't even think about." Perhaps it's an inability to log in to systems remotely or an inefficient process that leads to expensive workarounds or delays.

In my experience in talking with Workiva customers in government, ERM software can be a powerful enabler to help risk management teams adopt a more flexible, agile ERM framework for keeping up with emerging risks.

Agile principles are part of how we work as a software company at Workiva, but both Paul and John see benefits to incorporating agile principles in all projects, not just IT. For more on agile, check out resources including GAO's guide, Paul suggested. The key is to dive in and just try it without being worried if the process isn't perfect at first.

"I mean, that's the whole concept of agile—just to try something new, to not get too worried about very formalized ways of doing things. You want to be flexible. That's the whole point," Paul said.


Technology can be a key piece in enabling you to be more flexible, agile, and proactive in federal government risk management processes. To reduce risk, agency leaders should look for these features in their financial reporting and ERM software:

  • Easy-to-use interface that doesn't require extensive training
  • Flexibility to update processes, data, documents, spreadsheets, and presentations yourself
  • Centralized workspace for reporting and dashboarding that can provide real-time insights
  • Single source of truth for data
  • Embedded automation, robotic process automation (RPA), or artificial intelligence
  • Ability to link data across all the spreadsheets, documents, and presentations where you use it, to keep information consistent

"Just one final plug for platforms like Workiva: the ability to produce different reports, dashboards, the ability to link data through multiple different reports, multiple different analyses, and know that when you update your source of truth in one place, it's going to flow through to 15, 20 different reports—it just makes it so much easier to stay agile and to do the right types of analysis," John said.

Given the value that ERM software can deliver, I asked the MIL crew for their take on areas where technology might be underutilized. Their short list:

  • To coordinate highly collaborative exercises involving many people and inputs
  • To connect data that must appear in multiple reports, ranging from budget reports and Congressional Budget Justifications to media requests
  • To link internal controls or audit tests directly to final reports
  • Data analysis
  • Robust data mining
  • Automation and artificial intelligence (AI) for continuous monitoring of risk
  • Connecting data from multiple source systems for ERM managers to analyze
  • Connecting narratives across reports for consistency

"When you think about the executive secretary, you think about Office of Public Affairs, you think about chief financial officers when they have to produce documents and responses to questions for the record from Congress or whatever it might be, there's so much data that's in these reports," John said. "What I've been really impressed with about Workiva is that you can link data, and then it flows through to a whole bunch of different documents."

The linking ensures data points are consistent, mitigating risks, even as teams update the data.

"It's so important to make sure that federal agencies respond appropriately and answer the questions with the right data, whether it be finance or performance, in that they also don't issue some kind of report or data point that conflicts with something that they recently said," John said. "A platform like Workiva is wonderful for that."

Inconsistency is one of the major risks of not having proper ERM software to connect numbers and narrative across different reports. That, of course, lends itself to reputational risk and conversations that you probably don't want. 

The best advice for helping colleagues adopt new technology often comes from reviewing what worked—and what definitely didn't—in implementations at other agencies. Based on their experience, Paul and John have a few pointers.

  1. Know what you're trying to solve so you can better evaluate potential solutions. Paul shared an anecdote of an agency that wanted better access to data within a financial system, but the solutions they implemented didn't quite meet their needs. It turns out a key requirement, which hadn't necessarily been specified, was to not just have access to data but access to real-time data. 
  2. Have a strong executive sponsor to support the change. If an executive sponsor moves on, make sure someone else who is just as committed to the vision can step in.
  3. Take a phased approach. Implement a proof of concept or a pilot with a core team before expanding across the entire organization. "Then really the world's your oyster from there," John said.


People tend to get on board with changes that deliver tangible benefits.

"I do think it all kind of boils down to ROI: return on investment," Paul said. But it's not just about ROI in terms of cold, hard dollars saved. "Are you saving time? Are you saving resources? Are you improving the quality of work life? And are you making a good case to show that with this tool that you're implementing?" Paul said. 

While you might want your new ERM software to save you time, money, or both, some technology could give you brand new powers. "Workiva is a great example," John said. "It allows you to have access to data for decision-making that you simply did not have before."

When you release new software, applications, or programs into the wild, carve out time for training and questions. If your vendor offers training videos or courses, take advantage of their existing resources and expertise.

Where to start

We all know procurement processes can take a minute, so kick it off early. Where to start? The MIL team has ideas of what you can do today:

  1. Think about what your pain points are: what just bugs you, and what's hard to do?
  2. What is your staff complaining about? 
  3. What software is your agency already using, and are licenses already available for your team? If you can use existing programs, you may not have to worry about securing a new ATO (authority to operate).
  4. Ask peers what tools they're using and what they like or dislike. Vendors also may be able to share customer stories, and the consultants you work with can discuss what has worked for their clients.


About the Author
Shauneil Boyer

Manager of Solution Engineering

Shauneil Boyer is a solutions engineer in Workiva's integrated risk management practice for the public sector. She spends her time helping agencies identify areas for improvement in their current enterprise risk management, audit, and internal controls programs and designing technology-enabled solutions that improve the agency's overall compliance posture. She has over six years of experience in financial management, internal controls management, risk management, and audit across federal and state organizations and specializes in compliance with federal guidance and regulations, such as FMFIA, GAO Green Book, and OMB Circular No. A-123.
