Risk management is more important than ever before, as fast-moving technologies and external forces create new and more powerful threats for state governments. Based on a limited set of questions by design, this paper provides an overview of how state governments approach risk management. 

Most states have not defined the full taxonomy of potential risks or adequately prioritized those areas where state governments have the highest exposure and face the greatest potential impact. No single state or city across the country has done risk management uniformly well. This report encourages state leaders to adopt best practices and lessons-learned from both public and private sectors.

Key Findings

• Only half of the states surveyed have a regularly evaluated enterprise risk management strategy.
• Many governments lack necessary awareness and centralized oversight of all risks faced by the state.
• States may have different risk appetites, leading to varying levels of financial, environmental, or other regulations.
• Among the states, there is wide variation in risk management processes, including how states delegate risk ownership and manage risk evaluation.
•  CAOs are responsible for critical risk management topics including cybersecurity, financial security, and facility security.