The coronavirus (COVID-19) pandemic has reminded CPAs that the world is risky, volatile, and uncertain. Some risk experts contend that the world has been this way for a long time. Analysis from the University of Cambridge’s Centre for Risk Studies shows that crashes of at least 10% have occurred every 16–17 years for the last 200 years in both U.S. and U.K. markets. The reasons vary, from the cotton crisis and railroad failures in the 19th century to the Great Depression, the OPEC oil embargo, and Black Monday in the 20th century to the dot.com bubble, the global financial crisis, and the COVID-19 pandemic in the 21st century.

In Against the Gods: The Remarkable Story of Risk, Peter Bernstein cautions that “nature has established patterns, but only for the most part.” It is “only for the most part” that seems to catch humans off guard. Unpredictable patterns and difficulty in managing risk and uncertainty are continual. What has changed is how enterprises have become more sophisticated at building methods to manage these risks and uncertainties.

Today, some form of enterprise risk management (ERM) is expected by stakeholders. It is mandated almost everywhere in the world for publicly traded corporations and other organizations.

Recently, for example, BMW disclosed to stakeholders that the purpose of its risk management system is “to identify, measure, and, where possible, actively manage internal or external risks that could threaten targets.” Rolls-Royce disclosed that the company is building its risk management capabilities “by uncovering previously hidden risks which commonly arise from external factors, incorrect assumptions, or a lack of clear accountability.” Furthermore, several large European donors stipulate that their contributions are contingent on the recipient organization demonstrating it is managing its risks. In the U.S. government, each federal agency must adopt an ERM approach, acknowledging “the importance of having appropriate risk management processes and systems to identify challenges early.”

ERM in Government

Although the ERM approach in many organizations is coordinated centrally and is a primary focus of key executives and board members, one place where a unified approach is not practiced is at the national government level. Some risks are so large that they are beyond the ability of any governmental agency to manage them. Leaders need to own and manage these risks. If there is not a formal, centralized approach to managing these risks, then the decision-making of an organization and its components may be severely hampered.

The President acts as the de facto “chief risk officer” of the United States. Although previous presidents have taken corrective action to address some of the greatest risks facing the country (e.g., national security and cybersecurity threats, economic downturns, natural disasters), developing an enterprise risk process that aggressively and proactively identifies, prioritizes, and manages risks would be a major step forward.

Imagine a Cabinet appointment that oversaw the nation’s risk management process, working with Congress, government agencies, corporations, nonprofit organizations, and various thought leaders. Developing an ERM process for the U.S. government would be an approach that:

  • Identifies the top risks on a regular basis.
  • Manages risks centrally instead of having different agencies manage risks in silos.
  • Manages the country’s risks proactively rather than taking corrective action after the fact.
  • Applies tools, such as scenario analysis, strategic disruption analysis, or pre-mortems to understand how risks would play out.
  • Applies advanced metrics (e.g., predictive analytics) using unbiased data, risk-indicating data, and data around impact, likelihood, and velocity.
  • Considers impact from a variety of perspectives, as well as how risks are connected, change or create other risks, and how they can be triggered.
  • Recognizes the trade-off between position and momentum for dramatically changing conditions (Heisenberg’s uncertainty principle applied to risk).
  • Understands and factors in the intentions of others (akin to game theory).
  • Understands and factors in human cognitive biases and viewpoints.
  • Routinely reports on its plans to manage significant risks to its stakeholders.

Now More than Ever

The hardest risks to manage are those born of someone else’s behavior. For companies, this occurs when the government does not manage bigger risks. For the United States, this also means once an enterprise risk approach is adopted, some national risks need to be managed in cooperation with other governments and international organizations. A sophisticated enterprise risk process would have this set up in advance for larger risks. It will not be easy. It will get political. But it is necessary. The consequences are too great. The current COVID-19 crisis is a powerful reminder of why an ERM process for the U.S. government is more important than ever.

James H. Irving, PhD, CPA, is an associate professor of accounting and the Keiter Faculty Scholar at James Madison University, Harrisonburg, Va.
Paul L. Walker, PhD, CPA, is a professor of accounting and the James J. Schiro/Zurich Chair in Enterprise Risk Management at St. John’s University, Jamaica, N.Y. He is a member of the COSO ERM Advisory Council and is the executive director of the Center for Excellence in ERM at St. John’s.