You Are the New Chief Risk Officer of Your Agency. Now What?

Rising to the role of Chief Risk Officer (CRO) can be both an honor and a challenge. You likely earned your title for a mix of hard and soft skills, including thinking strategically and identifying innovative yet practical long-term solutions to problems.

As threats evolve—from cybersecurity to fraud to changing global politics—creating time for more data-driven, strategic work will become critical.

There are tangible steps you can take as a CRO—or as the heir apparent—to help your team streamline day-to-day work, so they can focus instead on areas of the greatest value and greatest risk.

Spoiler alert: both people and technology are key.

It's time to look at how we do our work

Agencies have been incorporating technology into their business processes for a while now, as billions of dollars have been allocated over the last two decades to modernize IT, systems of entry, or systems of record. At the same time, the amount of data produced has increased, with an estimated 1.7 megabytes of data created every second for every person on earth by 2020.

But what about systems of work?

Government agencies have invested in powerful ERP systems, yet investment has lagged in digitizing how we connect and use that data to inform decision-makers and stakeholders.

Raise your hand if your staff still has to copy and paste information from a database to a word-processing document or desktop-based spreadsheet. Do they collaborate by emailing spreadsheets, rough drafts, and risk matrices back and forth between team members?

You are not alone, according to attendees at a recent AFERM and AGA ERM workshop.

Those processes have helped teams get by for years. However, with the rise of data and the increasing need to collaborate across business functions, those processes are no longer sufficient.

A new generation of talent is entering the workforce and bringing a certain expectation of technology with them. For those who have grown accustomed to accessing information whenever they want, it can feel like stepping back in time to have to wait for someone to finish working on a file, save it, and either upload or email it over before others can start their work.

Traditional systems of work also can raise the risk of error. Multiple team members may have their own version of a document or dataset, with no clear indication of which is the most current. Amid all the importing, exporting, and uploading, there may also be offline or unstructured data inserted manually with no explanation of its origin.

It becomes nearly impossible to guarantee accuracy in this uncontrolled environment. The results can be costly—in one county, a spreadsheet was copied and pasted incorrectly, leading to a $494,000 budget error.

The time to start improving systems of work is now.

Transforming how we conduct risk management

As CRO, modernizing how your team works will be an ongoing journey. These are steps modern professionals can take to adopt the new way of working:

1. Connect data and context to aid data-driven decision-making

One of the complexities of enterprise risk management (ERM) and continuous reporting is wrangling all the data you need. Since there is no "Department of Connect the Dots," as the CRO, you need a centralized platform to collect and connect data while maintaining context.

Working from a central, permission-based platform that all contributors can access gives team members a single location to find and update information. With a centralized platform, you can more easily connect disparate planning and review activities, including policy and program development and implementation, program performance reviews, strategic and tactical planning, human capital planning, capital planning and investment control (CPIC), and budget formulation.

Connected data and reports also contribute to data assurance. Newer technology that lets you link shared data across multiple reports, pages, or spreadsheet cells can help you maintain consistency and update all connected instances automatically when information changes. In addition, analysts working from a centralized platform can slice and dice data to view risks by business units and/or crosscutting issue.

2. Empower employees to collaborate and share information

The ability to collaborate in real time facilitates a culture where risk is communicated quickly and managed effectively. A collaborative environment in which all the key contributors can easily see comments, questions, responses, documentation, and resolutions can enable more timely, more precise reviews. Instead of asking and re-asking employees to see if their tasks are complete, leverage dashboards to see individual and team progress at a glance.

In addition, overcome hierarchy-based barriers and distribute accountability by providing an environment that encourages a free flow of information about agency risks and the adoption of corrective actions.

3. Enable full visibility into the process with intuitive, user-friendly tools

An aging, retiring workforce poses its own form of risk. While documenting standard operating procedures can mitigate that risk, it can be difficult to piece together how risk management work actually gets done. Templated workflows with an audit trail of revisions and a record of approvals—as well as tools that new team members can learn on their own—can help ensure continuity as team members with years of institutional knowledge start to retire.

All of these steps are within reach. In the corporate world, CROs have been using cloud solutions for years to manage internal controls, internal audits, enterprise risk, and Sarbanes-Oxley (SOX) compliance. In higher education, Temple University is using technology to streamline financial and NCAA compliance reporting. Now your government agency—with your leadership—can revolutionize systems of work and modernize risk management as well.

Key takeaways

• Modernize your system of work to connect people, data, and processes
• Reinforce a culture of transparency, where everyone is encouraged to play a role in oversight, empowered to raise concerns, and track how they are resolved