The Role of the Inspector General in Enterprise Risk Management

Inspectors General (IGs) have their roots in risk management. In October 1978, at the signing ceremony for the law that created Federal IGs, President Jimmy Carter remarked:

I think it’s accurate to say that the American people are fed up with the treatment of American tax money in a way that involves fraud and mismanagement and embarrassment to the Government. I consider and these Members of the House and Senate behind me consider the tax money to be a matter of public trust. We’ve not yet completely succeeded in rooting out the embarrassing aspects of government management—or mismanagement. This bill will go a long way toward resolving that problem.

In other words, while Federal managers are responsible for managing agency risk, IGs were created to respond to the financial and reputational risks facing the government in the wake of Watergate and to help restore public trust. IGs carry out this mission by:

  • Performing independent and objective audits and investigations;
  • Keeping the agency head and Congress informed; and
  • Providing leadership to (a) promote economy, efficiency, and effectiveness, and (b) prevent and detect fraud and abuse.

Balancing independence with positive engagement is sometimes described as “straddling the barbed-wire fence.”

Regrettably, public trust in government is near an all-time low. According to Pew Research, only 17 percent of Americans believe the government will always or most of the time do what is right. Public trust in government is also trending down, with the U.S. dropping out of the top 20 in Transparency International’s 2018 global corruption perceptions index.

In 2016, the Obama Administration mandated that Federal agencies integrate risk management and internal control functions to improve accountability and effectiveness of Federal programs. Enterprise Risk Management (ERM) is a framework to aid leaders in identifying, assessing, and managing their strategic, operational, financial, and reputational risks. ERM helps leaders make better decisions, alleviate threats, and identify previously unknown opportunities to improve government operations. ERM, internal control, and oversight are the building blocks in an agency’s governance framework and can work in conjunction to restore the public’s faith in government. In its guidance on risk management, the Office of Management and Budget challenged Federal leaders and IGs to “establish a new set of parameters encouraging the free flow of information about agency risk points and corrective measure adoption” (emphasis added). While IGs perform a complementary but independent function, thought leaders have identified a key challenge to the successful implementation of ERM: reconciling the roles of the risk function and the IG and finding these new parameters.

The recently published Public Sector Enterprise Risk Management: Advancing Beyond the Basics (Routledge: 2019) provides guidance and case studies for agency risk officials on overcoming bureaucratic obstacles, developing a positive risk culture, and making ERM a valuable part of day-to-day management. Chapter 7 specifically addresses the role of the IG and provides guidance on defining the new parameters. Offices of Inspector General (OIGs) can play an important role in risk management as champion, evaluator, and risk advisor. Promising practices are occurring throughout the IG community.

ERM Champion

The champion role involves encouraging the practice of ERM. Championing ERM is an activity that fits squarely within an IG’s statutory responsibility. Encouraging ERM in general does not impair an OIG’s organizational independence any more than championing strong internal control, robust information security, and sound financial management does. The question is not whether OIGs should be championing ERM; it is a question of why they would not. The OIGs at the Tennessee Valley Authority, Amtrak, and the Pension Benefit Guaranty Corporation have issued reports championing ERM in their agencies. The Government Accountability Office has also issued thought leadership in this area, including good practices guidance.

Program Evaluator

The program evaluator role involves providing an objective review of agency programs (including the ERM program or its components) to determine if they are suitably designed and operating effectively. All government programs benefit from an independent and objective evaluation, and this is the most well-known OIG function. OIG audits and evaluations can be a force multiplier for risk officers as they work with line-of-business leaders. Of course, for some this is the least appreciated role. Program evaluation reports from around the Federal IG community are posted on oversight.gov on a daily basis. Risk officers should review these OIG reports for underlying themes and identify risks that may be present in other agency operations.

Risk Advisor

The risk advisor role involves sharing emerging risks or thought leadership to help the agency better manage risks. All OIGs issue audit reports with findings and recommendations, as well as an annual top performance and management challenges report. Risk officers should not limit themselves to these reports for OIG insights on risks. An OIG’s emerging risk reports may be titled management alerts, management advisory reports, risk advisories, or other similar names. These reports are also important sources for risk identification. Some OIGs, such as the Department of Veterans Affairs, have rapid response teams to address exigent situations. Some OIGs, such as the Postal Service, have robust data analytics capabilities to share with management key risk indicators, data anomalies and trends. Some OIGs issue non-traditional special reports to help management better understand the context of their risks. The Peace Corps OIG, for example, periodically releases a recurring issues report of common challenges facing Peace Corps posts over time. The Federal Reserve OIG recently issued a report on Leadership and Management Best Practices to Increase Employee Willingness to Share Views. This report outlined root causes that contribute to employees’ reticence to speak up and best practices to encourage the free flow of communications. Successful implementation of ERM requires the free flow of information about agency risk between management and staff so that critical issues are elevated in a timely fashion.

These promising practices can be adapted and replicated to fit agencies of all sizes. Remodeling the relationship and establishing new parameters may require the OIG to rethink and recast how it communicates risk, and management to rethink and reframe how it processes OIG risk information. A win-win relationship only strengthens an agency’s risk culture and supports the common goal of a better prepared, resilient, and more accountable government.