Strengthening Risk Management Before the Next Big Crisis: A SIX-STEP GUIDE.

• Author: Beasley, Mark

As we begin to emerge from the pandemic, most business leaders, including those at the helm of state and local governments, are seeking ways to learn from this experience and to strengthen their level of preparedness for the next risk management crisis. In fact, our recent research finds that a strong majority of organizations (73 percent) report that there will be significant changes in their approach to continuity planning and crisis management processes. (1) These levels are even higher for state and local governments and nonprofits (84 percent of those surveyed). Some organizations are realizing that their approach to managing risks is woefully lacking in robustness and maturity.

Each year, through the work of the Enterprise Risk Management (ERM) Initiative at North Carolina State University, we work closely with business leaders across all sectors, including state and local governments, helping them identify opportunities to enhance their processes for getting their arms around the ever-changing risk landscape. (2) During the COVID-19 experience, we have provided hands-on coaching for government leaders and other executives about effective tactics and emerging best practices related to risk management processes. This included a municipality with a population of 500,000 and a $215 million budget, along with a larger municipality that has a population of more than one million people and an operating budget exceeding $1.5 billion. ERM has also advised two large state agencies.

Building on the reality that managing risks will remain challenging for all organizations, this article includes insights from our ongoing work to formulate a six-step guide. State and local government leaders can use this guide to refresh their organization's risk oversight capabilities to be ready for the inevitable next crisis, before it happens.

It's not getting easier

State and local government leaders have had a front-row seat in navigating the extraordinary events of the past year. They are still called upon to help manage many responses to risks triggered by the ongoing pandemic situation, including oversight of COVID-19 testing and vaccine distribution efforts, issuance of evolving social distancing community guidelines and policies, and responding to increased demands for existing services while managing a host of other issues related to social unrest, public safety, homelessness, cyber threats, political elections, and so on. At the same time, government leaders have had to address risks affecting core operations that have been disrupted, and as they anticipate what's next.

Leaders are looking for ways to better anticipate risks, especially as senior executives are being asked to provide more information about risks affecting their organizations. They are looking for new ways to elevate their organization's approach to navigating the ever-emerging risk landscape. Organizational leaders are convinced that complex and interrelated risks will continue to emerge--and stakeholder expectations for more effective risk oversight will continue to grow.

Many leaders are embracing a more enterprise-wide approach to risk management that is centered on better anticipating risks that may emerge and affect what is strategically important. But many leaders are unsure of what steps they should take. Our objective in this article is to highlight how state and local government leaders can either jumpstart or strengthen their enterprise-wide risk management efforts to obtain strategic value.

See the sidebar for a more detailed description of ERM.

Keep things simple: Use a frame of reference

Organizations can keep things simple by using a six-step framework to evaluate and enhance the enterprise-wide risk management processes. Because the concept of ERM isn't new, leaders have varying levels of understanding (and misunderstanding) about ERM's role and key elements. Therefore, the concept needs to be defined at the outset to make sure everyone is on the same page about ways in which ERM might be helpful and what comprises an effective risk management process. This has generally been accomplished through a brief overview at an existing meeting of the executive team. Keeping the process relatively simple and aligned with current business practices is generally a successful strategy. There will always be opportunities to enhance and make further improvements overtime.

The approach we tend to use is linked to six key elements of an effective ERM process, which are illustrated in Exhibit 1. Its circular nature highlights the fact that ERM is intended to be a continual, ongoing process, since risks will never stop emerging. The five inset ovals highlight critical components that business leaders should take to launch an ERM process that can provide proactive risk insights for strategic decisionmaking. These five elements are influenced by the organization's culture and leadership, which sit at the center, emphasizing the importance of setting the tone at the top. These elements are also in line with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management framework issued in June 2017. (3) Let's briefly walk through the six steps that directly correspond to the six elements of an effective ERM process.

STEP 1

Start with a strategic lens

The goal of ERM is to help management better anticipate risks that might emerge, impeding the government's ability to provide mission-critical products and services. The key is to get individuals focused on what's most important--that is, make sure everyone has a clear understanding of what the government works at every day to fulfill its core mission. We like to refer to these as the entity's "crown jewels." So, an effective ERM process starts with Step 1, which is highlighted by the top oval labeled "Core Value Drivers and Strategy" in the ERM cycle shown in Exhibit 1.

Most state and local governments provide a multitude of services such as public safety, parks and recreation, education, healthcare and childcare services, and libraries. We begin by engaging in conversations with government leaders to ensure there is a consistent and clear understanding of what is strategically most critical to the organization's mission and strategic success. These conversations are often conducted in a management meeting or an educational training session or workshop to ensure that key leaders agree about what is most important to the entity's strategic...