Managing Risk in the Federal Space
There are moments in any effort where you get the sense that the people, outputs, or efforts are out of control. You don’t know precisely when it happened, but you do recognize that you have a limited ability to sway the outcomes. In such situations, you may want to take a page from the General Accountability Office’s (GAO’s) report on the Federal Communications Commission’s (FCC’s) E-Rate program. The GAO review of potential fraud in the program is a classic object lesson in raising red flags earlier, rather than later, in risk prevention and mitigation.
The GAO’s September 2020 report is primarily a caution to those responsible for implementing the E-Rate program: the environment is ripe for fraud and abuse.
What Makes the Program Ripe for Spinning Out of Control?
- It relies on self-certification rather than outside certification
- It sometimes relies on a three-way relationship, creating opportunities for conflict of interest
- It lacks systematic data analytics, relying in many cases on human detection of any abuse
What Can the Average Organization Learn from the FCC’s Situation?
- Validate controls with outside oversight
- Minimize the use of third-party implementation of mission-critical tools
- Select trackable metrics for control
The FCC had historically done extensive tracking of financial mismanagement, but the GAO found it lacking in contracts and business relationships. That’s another major lesson here. Being “in control” in one arena does not inherently guarantee that every aspect of the organization will be in control. Specifically, a group of the FCC’s major consultants and contractors won contracts and signed on for work that they never performed.
In effective risk management, one of the keys to success is tolerance. Tolerances are the hard lines that are drawn to say, “We will never cross them.” No such lines existed in the E-Rate program, leading to waste of over $2.5 million. One of the key success factors in the GAO Fraud Risk Management Framework is that there’s a structure to enable risk management. Part of that structure is risk tolerance.
GAO’s call for data analytics would have addressed such concerns, but it was never implemented. GAO’s call for outside certification would have worked, but self-certification was more expedient. And all of these efforts would have worked in concert to flag what GAO calls the opportunities “to willfully self-certify misrepresented information and circumvent competitive-bidding requirements, collude, and engage in conflicts of interest.”
Throughout the GAO report, one theme pervades. For almost every aspect of the rule of law that was violated, there were two violations. The first violation is the law that was broken. The second is the certification, validation, or self-approval that said the organization stayed within the law’s boundaries. Asking organizations to self-police is a utopian ideal but fails to function in a society where there’s still a risk these laws may be broken.
Trust but Verify
For organizations both inside and outside the GAO’s grasp, this theme is significant. It hearkens back to a recurring theme in the relationship between Ronald Reagan and the Russians in the 1980s. Doveryai, no proveryai. Trust, but verify. While some claim that such an attitude reveals no trust at all, the FCC situation highlights the risk management concept of drawing lines and having a mechanism to ensure that the lines are monitored and enforced.
Note that the GAO demands only that the system track consumption of and value for federal taxpayer dollars. Asking if the money was well-spent is not an unreasonable demand. And if the answers are not readily available, then asking for an automated tracking system makes perfect sense. Within our organizations, we should, at a minimum, be proactive.
Carl Pritchard, PMP, PMI-RMP, is the principal and founder of Pritchard Management Associates and a senior instructor at Management Concepts. An expert lecturer, author, researcher, instructor, and coach, Carl focuses on project management, particularly risk and communications. Carl earned a bachelor’s degree in journalism from The Ohio State University and PMP. He welcomes your comments and insights.