Risk doesn’t pause for policy. Why ERM still belongs in every agency’s playbook

This post first appeared on Federal News Network. Read the original article.

Interview transcript:

Karen Hardy Well, first of all, thank you for having me on the show to talk about this. You know, enterprise risk management is embedded in operations and government operations, non-profit organizations, partnering organizations that were government agencies, so it’s still present within the government. The question is, who’s responsible for ensuring the continuity of the practice of enterprise risk management at all levels of government? Because, as you know, risk management hasn’t gone anywhere. Risk is every day. We wake up, we’re dealing with risk. And just the risk itself is the effect of uncertainty on objectives. And government agencies have plenty of objectives. They have strategic objectives, program objectives, project objectives. So we have to understand what those risks are to those objectives at all levels of government. So while we have risk management as a practice, enterprise risk management is a more mature level of risk management. So risk still exists, you have to manage it, and that’s why AFERM association is in place to help government leaders continue to apply that skill set to their job.

Terry Gerton Well, you’re absolutely right. There hasn’t been any diminishment in risk to federal agencies. We talk about it every day. But for a long time, ERM was sort of a compliance checklist. Do you feel like agencies are getting better at integrating it into routine practice?

Karen Hardy Over time it has. I’ve seen exponential growth of where we started years ago to where we are today in terms of where enterprise risk management has been integrated and included in agency operations at the strategy and operational levels. We’ve seen that in the strategic planning process. We’ve seen agencies actually grow into applying enterprise risk management techniques and practices in the budget process, in a budget setting. So that’s huge. That’s a huge win in progress of growth of enterprise risk management practice in government settings.

Terry Gerton With that in mind, OMB recently took ERM out of Circular A-123 and moved it into an internal controls approach. What message do you think that sends to the broader federal agency enterprise?

Karen Hardy Well, from my perspective, the message is that there’s a lot of confidence that a lot of executives already know how to do this. If you’re removing it from guidance and it is in step with the maturing of ERM over time, then there’s this sense of confidence that executives are aware of this skill and should come to the table with this skill. So my expectation, and probably everyone else’s, is that this will continue to move forward, whether it’s written down on paper or not. As we said, risk still exists, and you have to look at risk just not from a silo perspective, but from an enterprise perspective. So we’re betting on the expectation that executives come fully aware and prepared to manage risk that way.

Terry Gerton So you’re not concerned that, by taking it out of that explicit guidance, it’s a de-emphasizing of the ERM approach?

Karen Hardy I don’t think it’s de-emphasizing as much as it is a reminder that you have to look at risk across an organization. That’s very important. And we have to remember that executives are people, and it’s just not our nature to think about things from a cross-cutting view automatically. So removing that language from the document does have an effect of, you know, what’s top of mind when you start thinking about risk. I think it has an effect on that as a reminder of, this is what you need to do. Also, we’re creatures of habit, we go back to just looking at risk within our silos. So removing the language does have an impact in terms of how you mentally think about risk management. But as I said before, risk is here. And organizations, especially executives, need to look at risk across an organization. The ERM language was there to remind them to do that. Without that, then we’re with the expectation that executives understand that must continue and that they will continue to do that.

Terry Gerton I’m speaking with Dr. Karen Hardy. She’s the principal and chief risk officer of Strategic Leadership Advisors and the current president of the Association for Federal Enterprise Risk Management. So Karen, let’s talk about AFERM. You’re the president right now. What is on your agenda for the organization?

Karen Hardy Well, first of all, we’re excited. We’re excited because, one, I’m one of those people that’s been around for a long time and engaged with this organization when it was just a movement, in a sense, in federal government. So we’ve gone from first identifying and using ERM as an informal tool chest to being required in federal agencies, and now to the point where we’re embracing our partnership with state and local government employees in terms of upskilling them in the area of enterprise risk management. So we’re working with our own state and local committee to start to integrate enterprise risk management at the state and local levels and they’re very excited to partner with us.

Terry Gerton Is that a shift for AFERM to now focus at state and local government levels?

Karen Hardy It’s more so a shift and a necessity because as you know, federal government has been shifting or pushing down a lot of federal requirements down to state and local areas. So that means that those state and local government representatives need to be ready and understand, how do you manage risk to these things like critical infrastructure and things of that nature. So we’re excited to have the bumps and the bruises through all of our experience, and the blueprint to help state and local government implement enterprise risk management.

Terry Gerton How are you keeping ERM sort of front and center for all of your various constituencies?

Karen Hardy Well, one of the things is recognizing how risk language is still being integrated into various policies, like we had the Federal Agency Performance Act, which was a bipartisan act passed in December 2024, which emphasizes risk management pertaining to strategy and strategic reviews. We have recent executive orders supporting risk-based rulemaking for operating drones as part of the national airspace, and normalizing what they call beyond visual line of sight operations. So risk management is there. It would be impossible not to look at risk across an organization, as risk is continually embedded in acts and guidance and just mere practice of government operations.

Terry Gerton Well, you’ve got the AFERM Summit coming up in October. What is the theme for this year and how does that tie in?

Karen Hardy I’m excited about the AFERM Summit because this is our virtual summit. And the theme is Mission Possible: Unlocking the Future of Enterprise Risk Management. We are 25 years into the millennium and five years away from a new decade. That’s incredible. So we’re not sitting back. We’re taking the lead. And we created this bigger table virtually, which invites enterprise risk management professionals to the table to talk about the future, and then talk about what their best practices have been across these different sectors and how public sector can look at these best practices and adopt them.

Terry Gerton Can you share any preview of sessions you’re particularly looking forward to?

Karen Hardy I wish I could tell you right now, but we’re not quite ready. But I would encourage everyone to visit our website at aferm.org. That’s A-F-E-R-M.org, and to see what our schedule is right now in terms of the topics. And I think they’ll be very interested and excited to, you know, attend this and have this seat at this virtual table to help define the future. It only happens once in a lifetime, so this is the opportunity to be a part of this event.

Terry Gerton Well, we’ll look forward to that, Karen. And as we kind of wrap this up, what would be your advice or your elevator pitch maybe to executives at any level of government who are a little skeptical about ERM? What would you say to them to convince them that they really need to do it and it matters?

Karen Hardy Well, you know, you can’t manage risk in the silos. You really can’t do that. Enterprise risk management is more of a mindset than anything else. You have to take into consideration how risk impacts other parts of your organization. Would you rather manage with less information and blind spots? I don’t think so. You have to be confident about your decisions, and having the data to support that with risk management data is extremely important, especially in this day and time, because the landscape is continually shifting locally and globally.
