Benchmarks in Public Sector ERM

Kenneth C. Fletcher and Thomas H. Stanton. 2019. Public Sector Enterprise Risk Management: Advancing Beyond the Basics. New York: Routledge.

Review by Stephen W. Hiemstra[1]

My interest in Enterprise Risk Management (ERM) dates back to the late 1990s, when I worked for the Office of the Comptroller of the Currency (OCC) and reported on national bank risk taking. Frustrated with the focus on risk components and a slew of financial ratios, we started to examine indicators of “whole bank risk,” which we defined as the risk that a bank would fail. Later, I started using the term ERM (Hiemstra 2007). More recently, government agencies have started employing ERM to assess threats to their missional objectives (e.g. Campbell 2006).


In their 2019 book entitled, Public Sector Enterprise Risk Management, editors Kenneth C. Fletcher and Thomas H. Stanton define ERM as:

“the process of coordinated risk management that places a greater emphasis on cooperation among departments in order to understand and manage the organization’s full range of risks as a portfolio rather than trying to deal with individual concerns within organizational silos.” (4)

They see the audience for this book as “heads of risk functions, risk managers, and risk professional[s] in the public sector” (5), which includes federal, state, and local governments. While public sector agencies seldom fail the way that private sector firms do, their ability to pursue their missional objectives is nevertheless of critical importance to their stakeholders.


This book is organized into four parts: an introduction, four case studies, three special topics, and a conclusion. The editors wrote the introduction together, and each wrote a chapter of his own. The nine chapters are:

  1. Challenges in Implementing ERM in the Public Sector (Fletcher and Stanton)
  2. Change Management and Developing Organization Risk Culture: Transportation Security Administration Case Study (Fletcher)
  3. Using Data and Analysis to Add Value from ERM (Vetrano and Stayanovich)
  4. Laying the Groundwork for ERM: The Evolution of ERM at the U.S. Department of the Treasury (Phelan and Weber)
  5. ERM and Local Government: King County, Washington (Hills and Catanese)
  6. Enhancing Capabilities and Culture through Effective Coordination of Enterprise Risk Management and Internal Control (Vineyard and Kaizer)
  7. Working with the IG and GAO: Creating a Win-Win Relationship (Westbrooks)
  8. Cultivating and Measuring Risk Culture to Achieve Forward Momentum on ERM (Vitters, Oven and Gelles)
  9. Enterprise Risk Management: A Powerful Management Tool (Stanton) (vii-viii).

Having worked at six different federal agencies[2] during my career, I might have enjoyed case studies focused on other federal regulators and, from a strictly dollar perspective, at least one military agency.

Private and Public Sector ERM

ERM developed in the 1990s as an intensive management philosophy to aid in the development of interstate banks following the Riegle–Neal Interstate Banking and Branching Efficiency Act of 1994. Consolidation of regional banks into conglomerates with a national and international presence was a subject much debated in the Reagan Administration (e.g. Hiemstra 1990; Scott and Lodge 1985) because of fears that the U.S. could not compete with vertically integrated financial conglomerates in Germany and Japan.

Sophisticated financial modeling and ERM were believed to make these new U.S. financial conglomerates manageable and efficient. The chief risks identified as part of private sector ERM were credit, interest-rate, financial, and operations risk. Of these, operations risk proved to be the most enigmatic and theoretically difficult because markets typically would not price it into traded contracts and financial engineers did not know how to model it. A good actuary could estimate an expected value for operations risk, but few line officers would price their financial products in view of such estimates.

While this book does not try to estimate a value for operations risk, public sector ERM focuses almost exclusively on topics that fall into the category of operations risk, which makes it potentially interesting to ERM practitioners outside the public sector as well.

Culture Risk

One aspect of operations risk that challenges any assessment of ERM is evaluating the organization’s culture. In my own retrospective on the Great Recession, I wrote a series of articles entitled “Can Bad Culture Kill a Firm?” (e.g. Hiemstra 2009). The main culprit in private sector ERM might be characterized as treating ERM as a compliance activity—a kind of symbolic action—that did not fundamentally affect the risks taken or how they were mitigated. One flag of a compliance attitude might, for example, be finding template language in the annual reporting of risk events. Far from being a theoretical nicety, culture risk can make or break a firm during a financial crisis.

Authors Cynthia Vitters, Carey Oven, and Michael Gelles, in their chapter “Cultivating and Measuring Risk Culture to Achieve Forward Momentum on ERM,” define culture risk as “…the misalignments that can occur between the values and beliefs and what is actually happening within and around the organization…” (113). They advocate “closing the gap [between] how people actually behave and what’s acknowledged on paper.” (117) Measures cited include noting patterns of at-risk behavior, keeping track of significant incidents and the response to them, and counting the number of cases received (121).

Interestingly, in my own research on public regulation in the early 1990s I noted a correlation between stakeholder complaints and poor management in other dimensions: gaps in one dimension of performance that is measurable suggest gaps in other dimensions that are not so easily observed. Keeping good records of risk events—information security, brand and reputation, reporting and performance incentives, and compliance—is an important first step in developing effective cultural oversight (116).


Kenneth C. Fletcher and Thomas H. Stanton’s Public Sector Enterprise Risk Management provides an overview of the theory and application of ERM in government agencies. The case studies given cover a variety of subject areas in federal service and local government. Risk managers both inside and outside government may want to be familiar with this work.


Campbell, Alexander. 2006. The Real Rocket Scientists [in NASA]. Risk. June. Pp. 50-51.

Hiemstra, Stephen W. 1990. Prospective Rural Effects of Bank Deregulation. USDA, ERS, Rural Development Research Report No. 76. March.

Hiemstra, Stephen W. 2007. An Enterprise Risk Management View of Financial Supervision. Enterprise Risk Management Institute, International Institute of Enterprise Risk Management. October.

Hiemstra, Stephen W. 2009. Can Bad Culture Kill a Firm? Risk Management (Society of Actuaries). June. Pp. 51-54.

Scott, Bruce R. and George C. Lodge [eds.]. 1985. U.S. Competitiveness in the World Economy. Boston: Harvard Business School Press.


[1] I received a review copy of this book directly from the publisher.

[2] Economic Research Service, USDA; Farm Credit Administration; Office of the Comptroller of the Currency; Office of Federal Housing Enterprise Oversight; Federal Housing Finance Agency; and Commodity Futures Trading Commission.
