Risk Management in Government: An Oxymoron?


Recent risk-management failures in Washington, D.C., show what happens when an organization whose mission carries so many risks fails to anticipate and manage those risks effectively.

The consequences can be dire. Loss of public confidence and widespread reputational damage can be devastating at any level of government, but especially when it occurs on a national or international scale.

Government auditors play a central role in fostering trust. Without them, citizens would lack credible insight into the soundness of the many inner workings of government. The professionals who audit federal, state, and local governments or other public entities must cope daily with career-threatening political risks from which private-sector internal auditors are largely immune.

The IIA's 2011 Supplemental Guidance on The Role of Auditing in Public Sector Governance (PDF) offers considerable insight into public sector auditing and best practices. I also recommend McKinsey & Company's excellent 2011 working paper, Strengthening Risk Management in the U.S. Public Sector (PDF), which lists seven risk-management challenges and offers five solutions. Although this paper was written from a U.S. perspective, I think the recommendations are universal.

The seven challenges the paper identifies:
  1. Mission myopia. Mission goals are often the primary — and sometimes the only — consideration.
  2. Top-level turnover. The average tenure in office for appointed executives in the federal government is less than two years.
  3. Political patronage. The appointed leaders of most public-sector institutions are often outsiders to those institutions. As a result, an agency's most-senior leaders may not know the intricacies of the business and the institution, let alone the risk trade-offs involved in making critical decisions.
  4. Separation of operating budgets from program budgets. In most public-sector institutions, the operating budget is separate from the program budget, which can lead to sometimes conflicting goals and objectives.
  5. Lack of clear metrics. In the private sector, risk-oriented metrics (such as risk-adjusted return on capital) provide a quantitative basis for making risk trade-off decisions. Such return-related metrics are less clear in the public sector because most government institutions have both financial and mission objectives.
  6. Complex procedural requirements. Effecting change in the public sector requires complicated approval processes involving many internal and external stakeholders. Thus, public-sector institutions tend to be less nimble and flexible.
  7. Limited risk culture and risk mindset. Government workers are usually motivated primarily by the mission of their organization, and they often have the perception that the government could bail out their program should a risk event occur.

The five solutions it proposes:
  1. Create transparency internally and externally. Develop an understanding of the biggest risks the organization faces. Agree on what information is most relevant, gather it in a central location, take the time to synthesize it, and draw actionable conclusions.
  2. Develop a risk constitution. Which risks are you required to own? Which should you own? Which should you transfer or mitigate? Is your risk capacity aligned with your strategy?
  3. Start small. Initially focus on modifying a few core processes. Are critical business decisions made with a clear view of how they change your risk profile?
  4. Establish a dedicated risk-management organization. Are structures, systems, controls, and infrastructure in place for you to manage risk and comply with regulatory requirements? Is your governance model robust?
  5. Build a risk culture. Such a culture is rare in the public sector, but some agencies have taken significant steps in the right direction. This involves not only training front-line personnel, but adopting a tone at the top that reinforces and rewards the desired behaviors.

Almost every scandal I can recall involving a federal agency in the past 40 years has involved a lack of internal controls, or a failure to implement them, to mitigate key risks. You want to make sure that the criteria and controls you design are fair and transparent, and that no individual or group of individuals has the ability to decide that there is a different set of criteria by which they will view one group over another.

Internal controls are a means to mitigate the risk that can threaten an organization or help keep it from achieving its objectives. I would like to get your thoughts on this issue.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.
