
Enterprise Risk Management: A Guide for Government Professionals

Karen Hardy, Allen Runnels (Foreword by)
ISBN: 978-1-118-91102-0
336 pages
November 2014, Jossey-Bass


Winner of the 2017 Most Promising New Textbook Award by Textbook & Academic Authors Association (TAA)!

Practical guide to implementing Enterprise Risk Management processes and procedures in government organizations

Enterprise Risk Management: A Guide for Government Professionals is a practical guide to all aspects of risk management in government organizations at the federal, state, and local levels. Written by Dr. Karen Hardy, one of the leading ERM practitioners in the Federal government, the book features a no-nonsense approach to establishing and sustaining a formalized risk management approach, aligned with the ISO 31000 risk management framework. International Organization for Standardization guidelines are explored and clarified, and case studies illustrate their real-world application and implementation in US government agencies. Tools, including a sample 90-day action plan, sample risk management policy, and a comprehensive implementation checklist allow readers to immediately begin applying the information presented.

The book also includes results of Hardy's ERM Core Competency Survey for the Public Sector, which offers an original in-depth analysis of the core competency skills recommended by federal, state, and local government risk professionals. It also provides a side-by-side comparison of how federal government risk professionals view ERM versus their state and local government counterparts.

Enterprise Risk Management provides actionable guidance toward creating a solid risk management plan for agencies at any risk level. The book begins with a basic overview of risk management, and then delves into government-specific topics including:

  • U.S. Federal Government Policy on Risk Management
  • Federal Managers' Financial Integrity Act
  • GAO Standards for internal control
  • Government Performance Results Modernization Act

The book also provides a comparative analysis of ERM frameworks and standards, and applies rank-specific advice to employees including Budget Analysts, Program Analysts, Management Analysts, and more. The demand for effective risk management specialists is growing as quickly as the risk potential. Government employees looking to implement a formalized risk management approach or in need of increasing their general understanding of this subject matter will find Enterprise Risk Management a strategically advantageous starting point.


Table of Contents

Figures, Tables, and Exhibits ix

Foreword xi

Preface: Managing Risk in the Current Federal Environment xiii

Introduction 1

State of Risk Management in Government 5

How This Book Should Be Used 7

Emerging Risks Today 7

Top Government Risks 10

Criteria 11

Profiles of Select High-Risk Areas in Government 13

Chapter One Why Enterprise Risk Management? 27

Status of ERM in the Government 29

Limitations to ERM 30

Risk Management: What It Is and Why It Matters 32

What Is Risk? 33

Evolution of Risk Management 36

Traditional Risk Management versus Enterprise Risk Management 38

U.S. Federal Government Policy on Risk Management 41

Establishing an Agency Risk Management Policy 46

ERM Policy and Practice in Canada 48

Linking ERM and Internal Control 54

What Are the Standards for Internal Control? 55

Assessing Internal Control Structures 68

Overall Internal Control Summaries 68

Chapter Two Examples of Risk Management in the Federal Government 81

Health Risks 82

Security Risks 82

Financial Risks 85

Transportation Safety Risks 86

External Risks 87

Case Study: Applying Risk Management in Government: National Institutes of Health 89

Case Study: National Archives and Records Administration 95

Chapter Three Managing and Communicating Risk 105

Writing Risk Statements 111

Developing a Risk Statement 112

Inventory of Risk Statements 113

Risk Assessment Techniques 120

Chapter Four Risk Management Frameworks and Standards 125

Why Voluntary Standards? A Look at OMB Circular A-119 126

GAO Risk Management Framework 129

ISO 31000: International Risk Management Standard 135

COSO ERM Integrated Framework 138

OCEG Red Book 2.0: 2009 140

FERMA: 2002 140

BS 31100: 2008 142

An Expanded View of ISO 31000 143

Chapter Five Risk and Performance Management 151

Risk and Performance: Government 153

Managing Risk to Performance 157

An Expanded View of Strategic Risk Management 160

Risk and Performance: Private Sector 167

Standard & Poor’s ERM Analysis 170

Chapter Six Building a Risk Culture 173

Risk Culture Survey 177

Chapter Seven ERM Maturity and Assessment 181

ERM Maturity Models 181

The Role of the Internal Auditor in ERM 194

Case Study: The Public Safety Canada Audit of Integrated Risk Management 196

Chapter Eight ERM Core Competencies 209

ERM Core Competency Survey 209

Summary of Survey Results 211

Federal versus State and Local Government Views of ERM 216

Chapter Nine ERM Best Practices of Federal Agencies 223

Ninety-Day Action Plan 223

Sample Implementation Plan 224

Words of Wisdom 225

Chapter Ten Conclusion 227

Notes 231

Appendix: Index of Survey Questions and Responses 243

About the Author 279

Index 281

Figures, Tables, and Exhibits


Figure 1.1. Evolution of Risk Management 37

Figure 1.2. Siloed and Enterprise Approach to Risk Management 41

Figure 4.1. GAO Risk Management Framework 131

Figure 4.2. ISO 31000 Risk Management Framework 135

Figure 4.3. COSO’s ERM Framework Highlights 138

Figure 4.4. FERMA Risk Management Standard 141

Figure 4.5. World Map of ISO 31000 145

Figure 5.1. Illustration of Goal Relationships 158

Figure 5.2. Identifying Risks to Strategic Objectives 160

Figure 7.1. Risk Maturity Rating by Industry 187

Figure 8.1. Risk Manager Core Competency Model 210


Table P.1. American Society for Public Administration Code of Ethics xviii

Table I.1. Agency Hiring Activities 2

Table I.2. Changes to GAO’s High Risk List, 1990–2013 10

Table 1.1. Definition of Risk 34

Table 1.2. Selected White Collar Occupational Groups, Job Series, and Potential Risks 39

Table 1.3. Policies for Managing Various Types of Risk in Government 43

Table 1.4. What Components Are in Place at Your Organization to Aid in ERM Implementation? 48

Table 3.1. Risk Taxonomy 107

Table 4.1. GAO Risk Management Framework Matrix 132

Table 5.1. Advantages of GPRA Implementation 156

Table 5.2. Adidas Group 2012 Corporate Risk Assessment 169

Table 6.1. Methods for Influencing Cultural Change 176

Table 7.1. Five Levels of SEI Process Maturity 183

Table 7.2. Aon RMI Five Levels of Maturity 186

Table 7.3. Treasury Board Risk Management Capability Model 191

Table 7.4. Public Service of Canada Key Risks Related to Integrated Risk Management 206

Table 8.1. ERM Components in Place in Organizations to Aid ERM Implementation 212

Table 8.2. Top Three ERM Components in Place: State and Local Government versus Federal Government 212

Table 8.3. Risk Management Training Rubric 214


Exhibit 1.1. Template for a General Risk Management Policy in the United States 47

Exhibit 1.2. Canada’s Risk Management Framework Policy 49

Exhibit 3.1. Inventory of Risk Statements 114

Exhibit 3.2. State of Washington Risk Map 124

Exhibit 4.1. Comparison of Standards and Frameworks 127

Exhibit 5.1. Overview of the GPRA Modernization Act of 2010 155

Exhibit 5.2. Six Principles of Strategic Risk Management 162

Exhibit 5.3. Strategic Risk Management Checklist 163

Exhibit 5.4. Glossary of Key Performance Terms 164

Exhibit 5.5. The Challenge of Applying Strategic Risk Management to Homeland Security 165

Exhibit 5.6. “At Risk” Brands as Reported by 24/7 Wall St. 168

Exhibit 6.1. Sample Risk Culture Survey 177

Exhibit 7.1. Canada Treasury Board Risk Management Capability Model: An Excerpt 188


Author Information

KAREN HARDY is an expert risk management professional with extensive experience in the public sector. Dr. Hardy is a co-founder of the Association for Federal Enterprise Risk Management and serves on the U.S. Technical Advisory Group for ISO 31000. She also worked at Citibank and The White House Office of Management and Budget. She has published articles in numerous national and international publications, including Canada's Public Sector Digest.
