Featured Product
This Week in Quality Digest Live
Risk Management Features
Akhilesh Gulati
To solve thorny problems, you can’t have either a purely internal or external view
Using the CASCO Toolbox to repair and restore
Rupa Mahanti
Understanding data decay
Gleb Tsipursky
Putting the right policies and procedures in place
Todd Hawkins
Good documentation is worth the effort you put into it

More Features

Risk Management News
Improved, user-friendly solutions in pathogen detection
New guidance seeks to cultivate trust in AI technologies, promote AI innovation, mitigate risk
A cybersecurity expert offers guidance
Safe trading practices to secure supply chain activities
Automates adherence to guidance from leading quality and risk-management standards
Improving data security and validation while maintaining power efficiency
New data suggest most of the growth in the wage gap since 1980 comes from automation displacing less-educated workers

More News

James J. Kline

Risk Management

Risk-Based Thinking in Government

The future of mitigation in the public sector

Published: Thursday, May 30, 2019 - 12:03

The term “risk-based thinking” (RBT) is familiar to those in the quality profession. This familiarity comes in part from its inclusion in ISO 9001:2015, the International Organization for Standardization (ISO) quality management system standard. Although numerous articles and several books have been written on how to implement ISO 9001:2015 in the private sector, little has been done with regards to the public sector.

This reflects two facts. First, the idea of systematically managing the risks governments face is relatively new. Second, where risks are being managed by government organizations, there is no consistent approach. Some are using ISO 9001:2015 and others are using ISO 31000. ISO 31000, revised in 2018, is an enterprise risk management standard.

This article looks at what public-sector organizations are thinking about, and doing, to manage risks.

Risked-based thinking

RBT has caused considerable anxiety in the private sector. Part of the problem is that ISO did not define RBT in ISO 9001:2015. This would not have been an issue, except the term was new for quality management systems. Even though RBT is new, ISO had a more comprehensive risk management standard in ISO 31000. However, RBT does not appear in ISO 31000, either. Without a definition, it is difficult to decide how to implement RBT. Consequently, it is worth defining it and comparing it with ISO 31000.

RBT can be thought of as the intellectual process of identifying and evaluating the risks an organization faces. ISO 31000 is the administrative process used to implement the intellectual RBT. A comparison of how ISO 9001:2015 and ISO 31000 handle RBT indicates there are similarities. Both require organizations to have a process by which risks are identified and evaluated. The difference is that ISO 31000 is more detailed and specific in the risk identification and management process. In fact, ISO 31000 provides a stepped sequence that allows an organization to identify the risks, evaluate their impact, and develop a risk management strategy and risk register. The risk register is a document that formally details management’s risk management strategy. No such guidance is provided in ISO 9001:2015.

Why is risk management important?

That risk management is becoming a necessity can be seen in the increasing costs of the risks an organization faces. In 2018, the National Oceanic and Atmospheric Administration (NOAA) found that damage from weather-related catastrophes was approximately $91 billion. Lloyd’s of London, in a study titled “City Risk Index” estimates that the 22 largest global cities face $546 billion in potential damages due to the risks they face.

A good example is the 2013 flood in Calgary, Canada. It impacted more than 89,000 people in 32 communities. The flood required the evacuation of 6,000 homes and 4,000 businesses. There was more than $400 million in damages to municipal infrastructure. A wastewater treatment plant was flooded. Light rail transit tunnels were flooded. Sixteen light-rail transit stations were closed, as were 22 bridges and numerous roads. Municipal, provincial, and federal government complexes, recreational facilities, and schools were closed. As a result of the flood, the city of Calgary was forced to go to multiple insurance providers. Insurance premiums increased 100 percent. The premiums were later reduced to preflood levels after the city initiated resilience actions.

Since the 2013 flood, the city has committed $150 million to various flood-mitigation and resilience projects. As of 2018, 11 projects have been completed, and another 16 have been started. It is estimated that the completed projects will reduce the potential flood damage by 30 percent according to the March 2018 report “#ResilientYYC: Preliminary Resilience Assessment”.

The example shows the cost of a single risk event and mitigative activities. That cost can be substantive. It also shows the event can have unexpected consequences. In this case, the need for more insurers and the added insurance costs.

What are the risks?

The World Economic Forum conducts an annual risk assessment survey. Survey respondents identified 42 risks that private sector organizations face. The five risks considered the most troubling are economic confrontation, erosion of multilateral trading rules, political confrontation, cyber-attacks, and loss of confidence in collective security alliances. Other risks include destruction of natural ecosystems, job loss due to technology, and civil unrest/labor strikes.

Lloyd’s of London, in “Cities at Risk,” identified 22 risks. Among them are cyber-attack, civil conflicts, market crash, floods, nuclear accidents, and tropical windstorms.

Growing enterprise risk management awareness and risk-based thinking push

Both organizations identified multiple risks that impact both the public and private sectors. These risks have significant costs. To reduce these costs, risks must be managed. Former Secretary of State Condoleezza Rice and Amy B. Zegart, in their book Political Risk (Twelve, 2018) present a risk management model. It is like ISO 31000. The book is the result of a political risk class taught to MBA students at Stanford University. The risks MBA students are being taught to consider and manage include geopolitics, internal conflict, law, regulations, policies, corruption, social activism, terrorism, and cyber-threats.

What is important is that RBT and risk management are being taught to MBA students. To my knowledge, classes toward a master’s degree in public administration (MPA) in the United States, are not providing such training. Given the general recognition that organizations face multiple risks, and the lack of risk management training in MPA programs, a key question is: Does risk management work in the public sector?

Does risk management work?

As noted in the Calgary example, that city’s risk mitigation efforts have reduced the potential damage from another flood by 30 percent. On a broader level, Lloyd’s estimates that if the 22 cities it examined were more resilient, they would save $73.4 billion, or 13.4 percent, a year in damages and repair costs.

Enterprise risk management’s penetration in government

Governments around the world are beginning to recognize the benefits of proactively managing the risks they face. Enterprise risk management has been adopted by the Commonwealth of Australia; the states of New South Wales, Western Australia, and Queensland; and the provinces of Nova Scotia, British Columbia, and New Brunswick. Enterprise risk management is a mandate for local governments in South Africa and the United Kingdom.

In Australia, Canada, New Zealand, and the United Kingdom, the enterprise risk management model is ISO 31000. India, Jamaica, and the Philippines are also mandating risk management. However, they are requiring their governments to become ISO 9001:2015-certified.

In 2015, the United States Office of Management and Budget issued Circular A-123, which requires federal agencies to adopt enterprise risk management. The U.S. Congress has mandated that state departments of transportation develop a risk-based asset management plan by 2019. The Federal Highway Administration’s guide for risk-based asset management plan development is based on ISO 31000. The Federal Emergency Management Agency (FEMA) has proposed a mitigation strategy. It includes a goal of developing a common risk vocabulary and risk management process. The National Institute of Standard and Technology (NIST) has developed cybersecurity standards for federal agencies and provided a similar standard for private organizations, states, and local governments. Both standards are risk-based and are designed to be plugged into the organization’s enterprise risk management process.

At the local government level, an analysis of websites indicates the following.
1. Canada: Out of 79 government websites examined, 17 percent have an enterprise risk management policy.
2. New Zealand: Out of 15 websites examined, 33 percent have an enterprise risk management policy.
3. Australia: Out of 77 websites examined, 32 percent have an enterprise risk management policy.
4. United States: Out of 242 websites examined, 3 percent have some aspect of enterprise risk management.

The data show four things. First, enterprise risk management is well entrenched in government at all levels. Second, state and local governments in the United States lag behind their international counterparts. Third, in the United States, federal agencies are pushing enterprise risk management implementation. Lastly, while well entrenched, enterprise risk management adoption still has a way to go before it can be considered a government norm.

Future of enterprise risk management in government

The private sector and the business academic community recognize that risk management is a necessity. The U.S. Office of Management and Budget, the U.S. Congress, FEMA, and NIST also recognize this reality. While the United States lags behind Australia, Canada, New Zealand, South Africa, and the United Kingdom in enterprise risk management implementation, a push by federal agencies will likely increase the adoption of enterprise risk management.

The growing recognition of the need to manage organizational risks and their costs means enterprise risk management will become a government standard. In fact, it will likely end up a minimum competency for government professionals. Therefore, MPA programs will eventually be incorporating enterprise risk management into the curricula, just like MBA programs.

A more fundamental question is: Which approach to risk management in government will become dominant? Will it be ISO 9001:2015 or ISO 31000? Because ISO 31000 is the model used by most governments, and because it provides a more comprehensive and systematic approach for the development of a risk management strategy, it will likely become the dominant model.


About The Author

James J. Kline’s picture

James J. Kline

James J. Kline, Ph.D., CERM, is the author of numerous articles on quality in government and risk analysis. He is a senior member of the American Society for Quality. A manager of quality/organizational excellence and a Six Sigma green belt, he has consulted for the private sector and local governments. His book, Enterprise Risk Management in Government: Implementing ISO 31000:2018, is available on Amazon. He can be reached at jeffreyk12011@live.com.