ENTERPRISE RISK MANAGEMENT: A Global Trend In Local Government.

Risks prevent an organization from achieving its goals. Organizations benefit when management successfully identifies risks and takes steps to lessen their negative impact, and enterprise risk management (ERM) methodology makes it easier to identify and mitigate risk. ERM integrates well with other management techniques and helps organizations recognize ways to improve service and increase revenue.

ERM, which was developed in the private sector, is now being used in the public sector. The U.S. federal government mandates the use of ERM, as do the states of Tennessee and Washington. Local governments in the United Kingdom and South Africa also require ERM. Around the world, many other local governments have an ERM policy, but the United States has been slower to adopt ERM than its global counterparts.

This article discusses the core ERM methodology and how local governments around the world are applying it.


A review of local government websites provides a rough assessment of ERM's reach into the public sector (see Exhibit 1).

The United Kingdom requires local governments to perform risk assessment, an aspect of ERM, as part of its "Best Value" practice. Local governments in the United States lag in ERM usage: Of 132 local governments reviewed, only three (2 percent) use some aspect of ERM. The City of Houston, Texas, has an ERM policy, and in Carson City, Nevada, and Modesto, California, ERM studies are underway. Only two states, Tennessee and Washington, require the use of ERM. At the international level, South Africa mandates ERM. In the United States, federal departments were required to implement ERM by October 2017, according to Circular A-123 issued by the Office of Management and Budget (OMB).


The OMB has identified three major ERM methodologies:

* Orange Book: Management of Risk--Principles and Concepts, by the Enterprise Risk Management Initiative (

* Committee for Sponsoring Organizations of the Treadway Commission (COSO, at

* International Organization for Standardization 31000 (ISO 31000, at

The United Kingdom uses Orange Book. The private sector uses COSO, and South Africa requires its use. ISO 31000 is the international standard that is used by local governments in Australia, Canada, and New Zealand.

All three ERM methodologies follow the same basic steps:

* Establish Context. Identify stakeholders, risk owners, and the risk-creating elements in the environment.

* Identify the Risk. Identify the threats to operational and strategic goals by evaluating available data, interviews, experience, and other inputs.

* Assess the Risk. Determine the severity of each risk's impact by asking, "How likely is the risk, and what is its potential effect?"

* Prioritize the Risk. Create a risk register by first listing the risks in order of severity of impact and then prioritizing the risks for potential treatment.

* Treat the Risk. Decide how to respond to each prioritized risk: accept, mitigate, share, or transfer.

* Monitor. Continually review the risk register to determine if risks must be added or deleted, or if the treatment should be changed.

Exhibit 2 shows the relationship between the basic steps of the COSO methodology (listed in the left column) and other risk assessment approaches. Many of these techniques will be new to both finance and accounting professionals. ISO's risk assessment manual (ISO 31010) lists 31 similar methods, and seven of these are common quality improvement techniques. Other approaches include environment risk assessment, structured interviews, business impact analysis, and the Consequence-Probability Matrix.


The risk register is a key product of the ERM methodology. It lists the identified risks by severity and provides information that helps the user develop an operational and strategic plan. Exhibit 3 provides an example based on a risk register created by the Eden Municipal District Fire Department of South Africa.


The standalone ERM methodology is just one part of the management toolkit. The City of Oshawa, Ontario, provides a good example of how different tools can be used together. Oshawa uses a core service review and a continuous improvement framework, which includes Lean initiatives, internal audits, service reviews, and risk management. Exhibit 4 shows the four continuous improvement framework tools and how they work together, in relationship to the city's strategic direction and the annual departmental budgets.

Each tool fulfills a different purpose:

* The core service review helps determine which services (and level of services) the city can and should provide. It includes two categories: mandated/legislated and discretionary.

* Lean initiatives are used to continually improve customer service and decrease waste and costs.

* Internal audits provide assurance that the city's processes, governance, and risk management are consistent with prescribed practices. They are also used to evaluate specific operations.

* Service reviews, which are less formal than Lean initiatives, also seek to increase efficiency, reduce costs, and improve customer service.

* Risk management provides a planned and consistent approach to identifying and reducing the impact of risks.

Oshawa's Lean initiatives program demonstrates the impact of the continuous improvement framework, improving customer service and operational efficiency. For example, a finance department project reduced the processing time for contracted waste services payments, and a Human Resources project streamlined the recruitment process. Evaluating and refining the planning applications approval process resulted in shorter approval times and improved customer relations. Annual budgets incorporate these efficiency improvements, and strategic decisions are based on the prioritization. The city completed 32 initiatives between 2014 and 2017, and now has 14 underway and 9 planned.

Exhibit 5 shows these activities categorized by operational criteria. Core services review is done once every 10 years, and the other activities are ongoing. All activities, with the exception of risk management, provide a high level of service assessment (i.e., evaluation). Risk management, however, reduces risk exposure and increases success rates, efficiency and effectiveness, and accountability at high levels.


Even though ERM is a defined methodology that complements other management practices, cost versus benefit remains a common concern. Below, we will look at two examples of the benefits of risk mitigation. The City of Windsor, Ontario, evaluated the benefits of ERM by forecasting risk events, while the Electric Power Board of Chattanooga, Tennessee, demonstrated the real financial benefits of avoiding risk.

City of Windsor. In 2014, the city conducted an ERM cost benefit study after the auditor recommended adopting the methodology. Exhibit 6 shows the aggregate cost breakdown.

The city evaluated the ERM development costs, which included consultant fees and staff time, and determined that cash carryover from the previous year could pay for the consultant costs ($24,603). Because ERM benefitted the whole organization, management approved a shift of staff time ($51,780).

The city evaluated the feasibility of ERM by considering the operational costs and identifying the potential financial consequences of risk events. The operational cost was estimated at $43,347. The cost of risk events fell into three categories: high (more than $500,000), medium ($25,000 to $500,000), and low (less than $25,000). In order for ERM to be beneficial, the city determined that it would have to identify and avoid one high risk every 10 years, one medium risk every five years, and two low risks every year. After comparing actual past risk events to the potential for avoiding risk events with ERM, the city decided to adopt ERM.

Electric Power Board of Chattanooga. The Electric Power Board (EPB) of Chattanooga actually saved money by avoiding risk. EPB upgraded its system after Volkswagen proposed building a plant in the Chattanooga area, but was concerned about frequent power outages caused by tornados. EPB wanted to help ensure the plant's development, so the agency agreed to upgrade to fiber optics and include automated switching to reduce the chances of power outages. Automated switching for one storm in 2012 saved more than $1 million in overtime costs. The system upgrade also included automatic meter reading, which provided an annual saving of $1.6 million, and high speed Internet, which significantly increased the revenue stream. By mitigating the risk of power outages caused by tornados, EPB enhanced the efficiency of its system, saved money, and increased revenue.


The basic elements of ERM are well defined, although various models exist. ERM integrates well with other management techniques to provide value to an organization. The ERM process of risk identification and mitigation can reduce the adverse impact of risk events and also help identify additional ways to improve service and enhance revenue.

JAMES J. KLINE is a senior member of the American Society for Quality, a Six Sigma green belt, a manager of quality/organizational excellence, and a certified enterprise risk manager. He has more than ten years of supervisory and managerial experience in both the public and private sector and has consulted on economic, quality, and workforce development issues for state and local governments. He can be reached at

GREG HUTCHINS is the chief executive officer of QualityPlusEngineering, a quality and risk consulting firm, and cofounder of the CERMAcademy, which publishes Risk Insights, a risk e-magazine, and provides enterprise risk management training and certification. He has conducted quality and risk studies for Fortune 500 companies, the State of Oregon and the Federal Aviation Administration. He has written a number of books, including Value Added Auditing, ISO: Risk Based Thinking, and ISO 31000: Enterprise Risk Management. He can be reached at

Exhibit 1: ERM in Local Governments

Country         Number of   Percentage of Local
                Websites    Governments with an
                Reviewed        ERM Policy

Australia          77               33%
New Zealand        15               33%
Canada             79               17%
United States      132              2%

Exhibit 2: The Relationship between COSO and Other Approaches

COSO Process      Inputs                     Types of Approaches

Risk               * Strategy and             * Data tracking
Identification       objectives               * Interviews
                   * Risk appetite and        * Facilitated workshops
                     acceptable variation     * Questionnaires/surveys
                     in performance           * Process analysis
                                              * Leading indicators

Assessment         * Risk universe            * Probabilistic modeling
                   * Risk severity            * Non-probabilistic
                     measures                   modeling (sensitivity
                                              * Judgmental evaluation
                                              * Benchmarking
                                              * Heat map

Prioritizing       * Prioritized risk         * Judgmental evaluations
Risk                 assessment results       * Quantitative scoring
                   * Prioritization             methods

Responding         * Prioritized risk         * Risk profile templates
to Risk              assessment results         or pro forma risk
                                              * Cost-benefit analysis

Developing a       * Residual risk            * Judgmental evaluations
Portfolio View       assessment results       * Quantitative scoring

Monitoring         * Residual risk            * Dashboards
Performance          assessment results       * Performance reports

COSO Process      Outputs

Risk               * Risk universe

Assessment         * Risk assessment results

Prioritizing       * Prioritized risk
Risk                 assessment results

Responding         * Develop risk response
to Risk            * Residual risk
                     assessment results

Developing a       * Portfolio view of risk
Portfolio View

Monitoring         * Corrective actions

Source: Figure 8.1 COSO June 2016 Public Exposure

Exhibit 3: A Risk Register

Risk Type     Risk Category         Risk Level   Cause of Risk (Root Cause)        Impact

Strategic     Skills and Capacity   High         Shortage of staff                 Catastrophic

Operational   Service Delivery      High         Shortage of funds to attend       Catastrophic
                                                 forums, where best practice
                                                 models are discussed (internal
                                                 and external political

Strategic     Governance            High         Lack of strategic leadership      Catastrophic

Operational   Governance            Extreme      Lack of skills development        Catastrophic
                                                 and training

Operational   Compliance            Extreme      Lack of internal coordination     Catastrophic
                                                 (shortage of budget, capacity,
                                                 and tools)

Source: Eden Municipal District Fire
Department Risk Register, South Africa

Exhibit 4: Continuous Improvement Framework Tools in Relationship
with a City's Strategic Direction and Annual Budget

Leadership Competencies

Strategic Direction

There is corporate alignment with the strategic direction found in the
Oshawa strategic plan and the financial strategy.

Lean Initiatives

Processes are streamlined, redundancies eliminated, and new opportunities
identified while tapping into front-line knowledge and

Service Reviews

Attention is given to what services the city provides and how they are
provided, while respecting the role of government, public interest,
affordability, and value for money.

Internal Audit

The city's auditing firm, in cooperation with city staff, undertakes
evidence-based research to ensure efficient and effective service
delivery, accountability, and consistent and clear policy direction.

Annual Department Business Plans and Budget Process

Strategic direction and identified opportunities inform the annual budget
process and are implemented by the departments.

Risk Management

A clearly defined corporate risk management policy and procedure helps
the corporate leadership team and departments proactively identify,
assess, and manage risk.

Source: City Core Service Review and the City's Continuous
Improvement Framework, the City of Oshawa, Ontario.

Exhibit 5: The Impact of the Continuous Improvement Framework

Criteria                 Core Service      Lean          Internal   Service   Risk
                         Review            Initiatives   Audit      Reviews   Management

Frequency                Infrequent        Ongoing       Ongoing    Ongoing   Ongoing
                         (1 in 10 years)

Categorizes              High              High          High       High      Low

Engages                  Low               High          High       High      Medium
Front-Line Staff

Evidence-Based           Medium            High          High       High      Medium

Accountability           Medium            High          High       High      High

Focus on Efficiency      Medium            High          High       High      High
and Effectiveness

Focus on Innovation      Medium            High          High       High      Medium

Reduces Risk Exposure    Low               High          High       High      High

Success Rate             Low               High          High       High      High

Source: City of Oshawa Core Service Review and the City's
Continuous Improvement Framework

Exhibit 6: Aggregate Breakdown
of ERM Cost Benefit Study

Estimated Costs               One-Time   Annual

Development Phase
  Staff Time                  $51,780
  Consulting time for         $24,603
  training and assistance

Operational Phase

  Staffing, software, etc.               $43,347

Total Cost                    $76,383    $43,347

Source: City of Windsor Cost Benefit
Analysis of Enterprise Risk Management
COPYRIGHT 2017 Government Finance Officers Association

Article Details
Author:Kline, James J.; Hutchins, Greg
Publication:Government Finance Review
Article Type:Report
Geographic Code:1USA
Date:Dec 1, 2017