What to Know Now in Federal Enterprise Risk Management

Risk management was a hot topic even before COVID-19, but now more than ever, agencies need to consider their ability to keep pace with changes in risk. 

For real-world perspectives on what agencies can do, I spoke with Paul Marshall and John Hooley, Vice Presidents of The MIL Corporation (MIL), which provides services for financial management and systems, information technology, engineering, and cybersecurity to federal agencies. Both have experience using many technology platforms, including Workiva.

We talked about opportunities for agencies to use enterprise risk management (ERM) software and how risk reports are changing. We may have even talked about air fryers for a second. Here are a few highlights from the conversation.

Make a statement on risk—literally

To help with transparency, Paul suggests publishing the risk appetite statement for your agency. In one document, agencies can answer several questions, like:

• What is the agency's risk appetite?
• What is the focus of attention? 
• What is the likely response? 
• How severe does the agency consider different threats and risks? 

"This is something that's becoming more popular in government, and there's some great ones out there. USAID has a really good one," Paul said.

Evangelize ERM programs within the agency, too.

"Appropriately accounting for internal stakeholders and engaging them in a thoughtful way is important as well," John said, since frontline staff really understand the challenges they're seeing on a day-to-day basis.   

Cut through the noise 

Paul said he has noticed teams putting effort into making reports more impactful.

"I think there's a bit of information overload out there. Sometimes you get a 100-page report with all these things in there. It's just too much to really take in," Paul said. MIL recommends being  thoughtful, efficient, concise, and precise to make your risk reporting as comprehensible as possible. 

Include visuals, and break information into digestible chunks. Paul suggests following what the U.S. Government Accountability Office (GAO) does with its reports, which include an executive summary of what was reviewed, findings, and recommendations. Often, that executive summary is just one page long.

"That's something that risk managers are starting to do as well and really should consider," Paul said, "just because there's just so much out there. It's good to condense it down and make it comprehensible."  

The nature of your agency's mission will also influence how you communicate and to whom, John noted.

On becoming agile to better manage emerging risks

It can be tricky to identify risks that seem unimaginable (hello, COVID-19), but war gaming and scenario planning can help teams think through an agency's response to the unexpected, Paul and John said.

"It is incredibly important and is worth the time, is worth the investment," John said. "It's not always nefarious actors or some kind of crazy pandemic that is what's going to drive issues in your organization. Sometimes, it's innocent things that you don't even think about." Perhaps it's an inability to log in to systems remotely or an inefficient process that leads to expensive workarounds or delays.

In my experience in talking with Workiva customers in government, technology can be a powerful enabler to help teams adopt a more flexible, agile process for keeping up with emerging risks. 

Agile principles are part of how we work as a software company at Workiva, but both Paul and John see benefits to incorporating agile principles in all projects, not just IT. For more on agile, check out resources including GAO's guide, Paul suggested. The key is to dive in and just try it without being worried if the process isn't perfect at first. 
 
"I mean, that's the whole concept of agile—just to try something new, to not get too worried about very formalized ways of doing things. You want to be flexible. That's the whole point," Paul said. 

What to look for in software solutions

Since technology can be a key piece to enabling you to be more flexible, agile, and proactive in risk management processes, agency leaders should look for these features in their ERM and financial reporting software, according to Paul and John: 

• Easy-to-use interface that doesn't require extensive training
• Flexibility to update processes, data, documents, spreadsheets, and presentations yourself
• Centralized workspace for reporting and dashboarding that can provide real-time insights
• Single source of truth for data
• Embedded automation, robotic process automation (RPA), or artificial intelligence
• Ability to link data across all the spreadsheets, documents, and presentations where you use it, to keep information consistent

"Just one final plug for platforms like Workiva: the ability to produce different reports, dashboards, the ability to link data through multiple different reports, multiple different analyses, and know that when you update your source of truth in one place, it's going to it's going to flow through to 15, 20 different reports—it just makes it so much easier to stay agile and to do the right types of analysis," John said.

Overlooked opportunities to use technology

Given the value that software can deliver, I asked the MIL crew for their take on areas where technology might be underutilized. Their short list:

• To coordinate highly collaborative exercises involving many people and inputs
• To connect data that must appear in multiple reports such as budget reports and Congressional Budget Justifications to media requests
• To link internal controls or audit tests directly to final reports
• Data analysis
• Robust data mining
• Automation and artificial intelligence (AI) for continuous monitoring of risk
• Connecting data from multiple source systems for ERM managers to analyze
• Connecting narratives across reports for consistency

"When you think about the executive secretary, you think about Office of Public Affairs, you think about chief financial officers when they have to produce documents and responses to questions for the record from Congress or whatever it might be, there's so much data that's in these reports," John said. "What I've been really impressed with about Workiva is that you can link data, and then it flows through to a whole bunch of different documents."

The linking ensures data points are consistent, even as teams update the data.

"It's so important to make sure that federal agencies respond appropriately and answer the questions with the right data, whether it be finance or performance, in that they also don't issue some kind of report or data point that conflicts with something that they recently said," John said. "A platform like Workiva is wonderful for that."

Inconsistency is one of the major risks of not having technology to connect numbers and narrative across different reports. That, of course, lends itself to reputational risk and conversations that you probably don't want. 

Tips for successful implementation of new software

The best advice for helping colleagues adopt new technology often comes from reviewing what worked—and what definitely didn't—in implementations at other agencies. Based on their experience, Paul and John have a few pointers.

1. Know what you're trying to solve so you can better evaluate potential solutions. Paul shared an anecdote of an agency that wanted better access to data within a financial system, but the solutions they implemented didn't quite meet their needs. It turns out a key requirement, which hadn't necessarily been specified, was to not just have access to data but access to real-time data. 
2. Have a strong executive sponsor to support the change. If an executive sponsor moves on, make sure someone else who is just as committed to the vision can step in.
3. Take a phased approach. Implement a proof of concept or a pilot with a core team before expanding across the entire organization. "Then really the world's your oyster from there," John said.

Getting buy-in for adopting new technology

People tend to get on board with changes that deliver tangible benefits.

"I do think it all kind of boils down to ROI: return on investment," Paul said. But it's not just about ROI in terms of cold, hard dollars saved. "Are you saving time? Are you saving resources? Are you improving the quality of work life? And are you making a good case to show that with this tool that you're implementing?" Paul said. 

While you might want your new software to save you time, money, or both, some technology could give you brand new powers. "Workiva is a great example," John said. "It allows you to have access to data for decision-making that you simply did not have before."

When you release new software, applications, or programs into the wild, carve out time for training and questions. If your vendor offers training videos or courses, take advantage of their existing resources and expertise.

"I'll just give a quick little anecdote here. We recently purchased a new toaster oven. It's one of the air fryers," John said. "When I first looked at it and tried to figure out how to use it, I was like, 'I don't want to have to learn how to use this new thing.' In the end, it was a click of three buttons, and I love it now. The point is, this new technology is there for a reason, right? Workiva is very successful for a reason: because it is easy to use."

Where to start

We all know procurement processes can take a minute, so kick it off early. Where to start? The MIL team has ideas of what you can do today:

1. Think about what are your pain points: what just bugs you and what's hard to do? 
2. What is your staff complaining about? 
3. What software is your agency already using, and are licenses already available for your team? If you can use existing programs, you may not have to worry about securing a new ATO (authority to operate).
4. Ask peers what tools they're using and what they like or dislike. Vendors also may be able to share customer stories, and the consultants you work with can discuss what has worked for their clients.

If you liked this post, there's more where that came from. Subscribe to the blog, so you don't miss a thing.