Risks are events that can prevent an organization from achieving its goals. Organizations benefit when management identifies those risks and takes steps to lessen their negative impact, and the enterprise risk management (ERM) methodology gives management a repeatable way to identify and mitigate risk. ERM integrates well with other management techniques and helps organizations recognize ways to improve service and increase revenue.
ERM, which was developed in the private sector, is now being used in the public sector. The U.S. federal government mandates the use of ERM, as do the states of Tennessee and Washington. Local governments in the United Kingdom and South Africa also require ERM. Around the world, many other local governments have an ERM policy, but the United States has been slower to adopt ERM than its global counterparts.
This article discusses the core ERM methodology and how local governments around the world are applying it.
GLOBAL AND LOCAL REACH
A review of local government websites provides a rough assessment of ERM's reach into the public sector (see Exhibit 1).
The United Kingdom requires local governments to perform risk assessment, an aspect of ERM, as part of its "Best Value" practice. Local governments in the United States lag in ERM usage: Of 132 local governments reviewed, only three (2 percent) use some aspect of ERM. The City of Houston, Texas, has an ERM policy, and in Carson City, Nevada, and Modesto, California, ERM studies are underway. Only two states, Tennessee and Washington, require the use of ERM. At the international level, South Africa mandates ERM. In the United States, federal departments were required to implement ERM by October 2017, according to Circular A-123 issued by the Office of Management and Budget (OMB).
THE ERM METHODOLOGY
The OMB has identified three major ERM methodologies:
* Orange Book: Management of Risk--Principles and Concepts, published by the UK's HM Treasury (resources on it are also available from the Enterprise Risk Management Initiative at erm.ncsu.edu)
* Committee of Sponsoring Organizations of the Treadway Commission (COSO, at coso.org)
* International Organization for Standardization 31000 (ISO 31000, at iso.org)
The United Kingdom uses Orange Book. The private sector uses COSO, and South Africa requires its use. ISO 31000 is the international standard that is used by local governments in Australia, Canada, and New Zealand.
All three ERM methodologies follow the same basic steps:
* Establish Context. Identify stakeholders, risk owners, and the risk-creating elements in the environment.
* Identify the Risk. Identify the threats to operational and strategic goals by evaluating available data, interviews, experience, and other inputs.
* Assess the Risk. Estimate each risk's likelihood and the severity of its impact by asking, "How likely is the risk, and what is its potential effect?"
* Prioritize the Risk. Create a risk register by first listing the risks in order of severity of impact and then prioritizing the risks for potential treatment.
* Treat the Risk. Decide how to respond to each prioritized risk: accept, mitigate, share, or transfer (COSO and ISO 31000 also list avoiding the activity that creates the risk).
* Monitor. Continually review the risk register to determine if risks must be added or deleted, or if the treatment should be changed.
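As an added worked example (this code is not from the article or from any of the three frameworks), the following Python models a minimal risk register that runs through the steps above: risks with an owner, likelihood and impact ratings, a severity score used to prioritize the register, a treatment decision, and a monitor step that diffs two register snapshots. The 1-to-5 rating scale, the severity formula (likelihood times impact), the treatment thresholds, and the sample risks are all illustrative assumptions; the frameworks leave these choices to the organization.

```python
"""Minimal ERM risk register: establish context, identify, assess,
prioritize, treat, monitor. Added illustration, not the article's text.

Assumptions (not specified by the article or the frameworks):
  * likelihood and impact are rated 1..5
  * severity = likelihood * impact (a standard 5x5 risk matrix)
  * treatment thresholds below are illustrative, not prescribed
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    owner: str           # risk owner, identified in the Establish Context step
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    treatment: str = "undecided"

    def __post_init__(self):
        # Assess the Risk: reject ratings outside the assumed 1..5 scale
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be rated 1..5")

    @property
    def severity(self) -> int:
        return self.likelihood * self.impact


def prioritize(risks):
    """Prioritize the Risk: highest severity first; ties broken by impact, then name."""
    return sorted(risks, key=lambda r: (-r.severity, -r.impact, r.name))


def suggest_treatment(risk):
    """Treat the Risk: map severity to the four responses named in the article.

    Thresholds are assumptions chosen for illustration only.
    """
    if risk.severity >= 15:
        return "mitigate"       # high likelihood and impact: reduce it
    if risk.impact >= 4:
        return "transfer"       # rare but severe: e.g. insurance
    if risk.severity >= 6:
        return "share"          # moderate: share with a partner or vendor
    return "accept"


def build_register(risks):
    """Run prioritize + treat over identified risks and return the register."""
    register = prioritize(risks)
    for risk in register:
        risk.treatment = suggest_treatment(risk)
    return register


def monitor(old_register, new_register):
    """Monitor: report risks added, deleted, or whose score/treatment changed."""
    old = {r.name: r for r in old_register}
    new = {r.name: r for r in new_register}
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    changed = sorted(
        name for name in set(old) & set(new)
        if old[name].severity != new[name].severity
        or old[name].treatment != new[name].treatment
    )
    return added, deleted, changed


# Constructed sample risks for a hypothetical local government (not real data).
SAMPLE_RISKS = [
    Risk("ransomware on payroll system", "IT Director", likelihood=3, impact=5),
    Risk("flooding of records centre", "Facilities Manager", likelihood=1, impact=5),
    Risk("loss of sole payroll administrator", "HR Director", likelihood=3, impact=3),
    Risk("late grant report", "Finance Director", likelihood=2, impact=2),
]


def example_register():
    """Build the register from the constructed sample risks."""
    return build_register([Risk(r.name, r.owner, r.likelihood, r.impact)
                           for r in SAMPLE_RISKS])


if __name__ == "__main__":
    register = example_register()
    for risk in register:
        print(f"{risk.severity:>2}  {risk.treatment:<9} {risk.name} ({risk.owner})")
    # Monitor after a later review: the records centre risk was re-assessed upward.
    revised = [Risk(r.name, r.owner, r.likelihood, r.impact) for r in SAMPLE_RISKS]
    revised[1].likelihood = 3
    print(monitor(register, build_register(revised)))
```

Running the block prints the register in priority order (severity 15, 9, 5, 4) and then the monitor diff after one risk is re-assessed; in practice the review loop would be re-run on a schedule and the diff fed back into the Prioritize and Treat steps.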
Exhibit 2 shows...