Alarm Raised About Mischaracterization of Enterprise Risk Management
An increasing trend of conflating risk management and enterprise risk management (ERM) in government has drawn the attention of the Association for Federal Enterprise Risk Management (AFERM), whose board of directors issued a warning statement last week.
“The linkages and references to ERM are likely occurring because there is not a broad risk management standard or framework for government,” the AFERM board wrote. “Unfortunately, as a result, ERM is becoming the de facto substitute for all manner of risk management related recommendations emanating from audit reports and other areas.”
Risk management is focused on a specific function or area, whereas ERM is focused on the bigger picture driven by a portfolio-view approach, according to Curtis McNeil, AFERM Vice President for Outreach and Advancement. Blending the two minimizes the impact and utility of both for an organization, McNeil told FEDmanager.
ERM came into prominence in the federal government in 2016, when the Office of Management and Budget (OMB) updated its Circular A-123 with new guidance for agencies to implement ERM.
“The community would appreciate OMB’s continued leadership and support” in clarifying the distinctions between internal controls, risk management, ERM, and governance, AFERM’s McNeil said.
“The increased attention and awareness of the value of practicing and integrating effective risk management across government is welcome, but it is important that the distinct purpose and role for ERM remains intact. ERM, when practiced appropriately, enables a holistic and organization-wide view of the most significant risks that could impact an agency in achieving its mission. It should not be diluted into a one-size-fits-all or catch-all for anything risk management related in government,” the AFERM board wrote.