Overview: Enterprise Risk Management is an integrated approach to achieving the Department's strategic, programmatic, and financial objectives with acceptable risk. To manage risk, the Department's business - our grant and contract recipients and our projects and programs - is arrayed in "portfolios" for which we can assess the costs, performance, and outcomes. The Management Improvement Team (MIT) in the Office of the Secretary is responsible for facilitating enterprise risk management. The team analyzes portfolio information using indicators of risk in order to identify grantees and program operations that need additional scrutiny or technical assistance. The MIT also supports other offices addressing concentrations of risk with their own programs, grantees, or contractors.

Identifying risk—Common Sense Approach: Beginning with a short-term or "common sense" approach, the Department has used readily available information to identify concentrations of risk. For example, those states that receive the highest amount of formula grant funds present a greater concentration of risk than those that receive the smallest amount. Other indicators, such as single audit findings, management of federal funds, program concerns, and student performance, are taken into consideration to identify states that could benefit from the Department's assistance. A similar approach is used to work with discretionary grantees, contractors, schools, lenders and guarantee agencies.

By sharing data and experiences among offices, managers across the Department soon discovered that there are agencies that receive many different Department grants who have conspicuous problems complying with a number of the financial management and instructional services requirements. Not always—but often enough to warrant special attention—agencies that have problems with one grant have the same problems with other grants. Similarly, by sharing information, offices have identified programs that are at risk of being mismanaged by the majority of grantees. These high-risk portfolios—identified by common sense and communication—have been the focus of the Department's initial risk management activities.

Identifying risk—An Enterprise Approach: While the common-sense approach was useful for identifying the most obvious targets of risk management and achieving good short-term results, a more rigorous formula is needed to systematically identify risk and trends. Long-term, the enterprise must integrate risk management into its culture and business practices, using information on costs, performance, results, and incidents of mismanagement or fraud to improve operations. This information can help inform decisions about data collection, grants and contracts oversight, or personnel and budget management. For example, a program monitoring team deciding how to deploy its personnel and travel budget can use risk factors to choose grantees that will receive an on-site monitoring review, and distinguish these from grantees that can be adequately overseen by desk audits. Monitoring protocols can be strengthened by adding indicators for the program components that are at the highest risk of being mismanaged; for example, new or particularly complex requirements.

Directions for the future: The MIT convenes a weekly Risk Management Team (RMT) meeting, attended by senior representatives of each office who function as risk managers for program offices and supporting staff offices, including the Offices of the General Counsel and the Inspector General, to promote communication on risk management activities. Cross-Departmental teams are working to find common issues, review the performance of specific grantees, design Department-level solutions to problems, and present a unified plan of corrective action to grantees in need of improvement. Each Department office "owns" the risks confronting its programs and should strategically track the known and potential concentrations of risk. As the Department incorporates risk-management into the way it does business, this information can help offices focus their work. And, as author James Lam, in Enterprise Risk Management - From Incentives to Controls, writes:

Over the long term, the only alternative to risk management is crisis management - and crisis management is more expensive, time consuming and embarrassing.