Benchmarks in Public Sector ERM

Kenneth C. Fletcher and Thomas H. Stanton. 2019. Public Sector Enterprise Risk Management: Advancing Beyond the Basics. New York: Routledge.

Review by Stephen W. Hiemstra[1]

My interest in Enterprise Risk Management (ERM) dates back to the late 1990s when I worked for the Office of the Comptroller of the Currency (OCC) and reported on national bank risk taking. Frustrated with the focus on risk components and a slew of financial ratios, we started to examine indicators of “whole bank risk,” which we defined as the risk that a bank would fail. Later, I started using the term ERM (Hiemstra 2007). More recently, government agencies have started employing ERM to assess threats to their missional objectives (e.g. Campbell 2006).


In their 2019 book entitled, Public Sector Enterprise Risk Management, editors Kenneth C. Fletcher and Thomas H. Stanton define ERM as:

“the process of coordinated risk management that places a greater emphasis on cooperation among departments in order to understand and manage the organization’s full range of risks as a portfolio rather than trying to deal with individual concerns within organizational silos.” (4)

They see the audience for this book as “heads of risk functions, risk managers, and risk professional in the public sector” (5), which includes federal, state, and local governments. While public sector firms seldom fail the way that private sector firms do, their ability to succeed in pursuing their missional objectives is nevertheless of critical importance to their stakeholders.


This book is organized into four parts: an introduction, four case studies, three special topics, and a conclusion. The editors wrote the introduction together and each wrote their own chapter. The nine chapters are:

  1. Challenges in Implementing ERM in the Public Sector (Fletcher and Stanton)
  2. Change Management and Developing Organization Risk Culture: Transportation Security Administration Case Study (Fletcher)
  3. Using Data and Analysis to Add Value from ERM (Vetrano and Stayanovich)
  4. Laying the Groundwork for ERM: The Evolution of ERM at the U.S. Department of the Treasury (Phelan and Weber)
  5. ERM and Local Government: King County, Washington (Hills and Catanese)
  6. Enhancing Capabilities and Culture through Effective Coordination of Enterprise Risk Management and Internal Control (Vineyard and Kaizer)
  7. Working with the IG and GAO: Creating a Win-Win Relationship (Westbrooks)
  8. Cultivating and Measuring Risk Culture to Achieve Forward Momentum on ERM (Vitters, Oven and Gelles)
  9. Enterprise Risk Management: A Powerful Management Tool (Stanton) (vii-viii).

Having worked at six different federal agencies[2] during my career, I might have enjoyed case studies focused on other federal regulators and, from a strictly dollar perspective, at least one military agency.

Private and Public Sector ERM

ERM developed in the 1990s as an intensive management philosophy to aid in the development of interstate banks following the Riegle–Neal Interstate Banking and Branching Efficiency Act of 1994. Consolidation of regional banks into conglomerates with a national and international presence was a subject much debated in the Reagan Administration (e.g. Hiemstra 1990; Scott and Lodge 1985) because of fears that the U.S. could not compete with vertically integrated financial conglomerates in Germany and Japan.

Sophisticated financial modeling and ERM were believed to make these new U.S. financial conglomerates manageable and efficient. The chief risks identified as part of private sector ERM were credit, interest-rate, financial, and operations risk. Of these, operations risk proved to be the most enigmatic and theoretically difficult because markets typically would not price it into traded contracts and financial engineers did not know how to model it. A good actuary could estimate an expected value for operations risk, but few line officers would price their financial products in view of such estimates.

While this study does not try to estimate a value for operations risk, public sector ERM focuses almost exclusively on topics that fit into the category of operations risk, which makes it potentially interesting to ERM practitioners outside the public sector.

Culture Risk

One aspect of operations risk that challenges any assessment of ERM is evaluating the organization’s culture. In my own retrospective on the Great Recession, I wrote a series of articles entitled: “Can Bad Culture Kill a Firm?” (e.g. Hiemstra 2009). The main culprit in private sector ERM might be characterized as taking ERM as a compliance activity—a kind of symbolic action—that did not fundamentally affect the risks taken or how they are mitigated. One flag of a compliance attitude might, for example, be finding template language in annual reporting of risk events. Far from being a theoretical nicety, culture risk can make or break a firm during financial crises.

In their chapter, “Cultivating and Measuring Risk Culture to Achieve Forward Momentum on ERM,” authors Cynthia Vitters, Carey Oven, and Michael Gelles define culture risk as: “…the misalignments that can occur between the values and beliefs and what is actually happening within and around the organization…” (113). They advocate “closing the gap how people actually behave and what’s acknowledged on paper.” (117) Measures cited include noting patterns of at-risk behavior, keeping track of significant incidents and response to them, and numbers of cases received (121).

Interestingly, in my own research of public regulation in the early 1990s I noted a correlation between stakeholder complaints and poor management in other dimensions—gaps in one dimension of performance that is measurable suggest gaps in other dimensions not so easily observed. Keeping good records of risk events—information security, brand and reputation, reporting and performance incentives, and compliance—is an important first step in developing effective cultural oversight (116).


Kenneth C. Fletcher and Thomas H. Stanton’s Public Sector Enterprise Risk Management provides an overview of the theory and application of ERM in government agencies. The case studies given cover a variety of subject areas in federal service and local government. Risk managers both inside and outside government may want to be familiar with this work.


Campbell, Alexander. 2006. The Real Rocket Scientists [in NASA]. Risk. June. Pp. 50-51.

Hiemstra, Stephen W. 1990. Prospective Rural Effects of Bank Deregulation. USDA, ERS, Rural Development Research Report No. 76. March.

Hiemstra, Stephen W. 2007. An Enterprise Risk Management View of Financial Supervision. Enterprise Risk Management Institute. International Institute of Enterprise Risk Management. October.

Hiemstra, Stephen W. 2009. Can Bad Culture Kill a Firm? Society of Actuaries. Pp. 51-54 of Risk Management. June.

Scott, Bruce R. and George C. Lodge [ed]. 1985. U.S. Competitiveness in the World Economy. Boston: Harvard Business School Press.


[1] I received a review copy of this book directly from the publisher.

[2] Economic Research Service, USDA, Farm Credit Administration, Office of the Comptroller of the Currency, Office of Federal Housing Enterprise Oversight, Federal Housing Finance Agency, and Commodity Futures Trading Commission.


Stanton: Creating Constructive Dialogue is the Key Management Skill

Thomas H. Stanton.  2012.  Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis.  New York:  Oxford University Press.

Review by Stephen W. Hiemstra

When my kids were young, I taught them that there are 3 kinds of people in this world:

  • People who never learn;
  • People who learn from their own mistakes; and
  • People who learn from other people’s mistakes.

The point is to become someone capable of learning from other people’s mistakes.  Learning behavior determines personal success; it also determines the success of firms.


Thomas Stanton’s book, Why Some Firms Thrive While Others Fail, examines firm learning behavior in the context of financial stress: the Great Recession. He is in a position to know a lot about this subject both because of his long tenure in financial law practice in Washington and because he served as a researcher on the Financial Crisis Inquiry Commission in 2010-2011, a commission established by Congress.  As a researcher, he personally interviewed many of the major players in the financial crisis and the federal regulators.

Stanton is an attorney by trade with the mind of an economist.  He is well-known among Washington insiders, especially in finance, and his book, A State of Risk [1], led Congress to create a new federal agency, the Office of Federal Housing Enterprise Oversight (OFHEO) [2], where I worked during my last 7 years of federal service until I retired at yearend 2010.  Tom and I have known each other since the 1980s when I worked on Farmer Mac legislation and supervision [3].  Tom graciously gave me a copy of this book knowing that I would eagerly read it and write about it.


Stanton writes Why Some Firms Thrive While Others Fail in 10 chapters, including:

  1. Repairing Our Public and Private Institutions: A National Imperative;
  2. Dynamics of the Financial Crisis;
  3. Coping with the Crisis;
  4. Company Governance and the Financial Crisis;
  5. Risk Management and the Financial Crisis;
  6. Company Organization, Business Models, and the Crisis;
  7. Supervision and Regulation of Financial Firms;
  8. Hyman Minsky: Will It Happen Again?
  9. Governance and Management: Lessons Learned; and
  10. Governance and Management: Beyond the Financial Crisis (v).

These chapters are preceded by a preface and acknowledgments and followed by a Table of Acronyms, Notes, References, and an Index.


An important theme in the Great Recession, as reflected in the book, is the need to link and understand intimately highly technical knowledge of financial markets, financial instruments, firm operations, and modeling to firm risk management and business objectives.  The image of a Fortune-500 CEO who wanders the halls having substantive conversations with staff throughout the organization captures this dynamic. Stanton highlights this hands-on, engaging management style in his concept of constructive dialogue.

Stanton writes:

One of the critical distinctive factors between successful and unsuccessful firms in the crisis was their application of what this book calls “constructive dialogue.”  Successful firms managed to create productive and constructive tension between (1) those who wanted to do deals, or offer certain financial products and services, and (2) those in the firm who were responsible for limited risk exposure (10).

The importance of quality dialog within the firm or government agency arises from the simple observation that no single individual, no matter how bright or experienced, could understand the totality of the highly technical financial environment that now exists.  Having an open-minded executive is accordingly insufficient; the firm culture must embrace active learning and open communication.

Stanton’s book has an interesting blend of wide scope and technical depth within its subject matter: governance and management.  Four firms that succeeded received the majority of his attention:  JPMorgan, Goldman Sachs, Wells Fargo, and TD Bank.  Stanton makes the case that these firms survived because of operational competence and intelligent discipline (43).  In other words, they maintained disciplined risk taking, combined good judgment with good information, and had good communication (54-55).  Failing firms (Fannie Mae, Freddie Mac, Bear, Lehman, Merrill, Countrywide, WaMu, IndyMac…) failed for different reasons, including focus on short-term growth, ineffective data systems, weak capacity to answer simple questions, and lack of effective communication (57-66).


Stanton’s Why Some Firms Thrive While Others Fail should be of keen interest to financial policy makers and bank supervisors who deal with large institutions.  Because the federal agencies have mostly shied away from writing studies of what went wrong in the Great Recession (unlike earlier crises [4]), this book functions as a quasi-official study of the Great Recession.  For the reader interested in enterprise risk management, his contribution consists of a series of case studies of important firms that both succeeded and failed.  For students of organizational behavior this book should be required reading.

[1] A State Of Risk: Will Government Sponsored Enterprises Be The Next Financial Crisis? (New York:  HarperCollins Publishers, 1991)

[2] OFHEO was created by the Federal Housing Enterprises Financial Safety and Soundness Act of 1992 and folded into the Federal Housing Finance Agency (FHFA) in 2008 by the Housing and Economic Recovery Act.

[3] I studied and wrote about the Federal Agricultural Mortgage Corporation (Farmer Mac) as a researcher in the Economic Research Service, USDA and later took a role in Farmer Mac supervision as a financial economist at the Farm Credit Administration (FCA) responsible for Farmer Mac regulation and supervision.

[4] See, for example, an exhaustive study of the banking crisis of the 1980s by the Federal Deposit Insurance Corporation (FDIC) at:

