
As federal agencies prepare for fiscal year 2026, budget proposals indicate leaner appropriations and significant workforce reductions. However, risk doesn’t shrink just because dollars and headcount do. Cyber threats, regulatory demands and emerging challenges from AI are accelerating even as many agencies prepare to tighten belts. The question for leadership, then, is not whether risk management must continue but how to maintain and even strengthen enterprise risk management (ERM) when resources are stretched.
Rising Risks, Fewer Hands
ERM has evolved from a checklist-based approach to a discipline that supports mission continuity. Sustaining that progress is harder with fewer people. When staff decreases, reporting fragments, responses slow, and blind spots emerge in areas like cyber defense and financial oversight. The Government Accountability Office still lists federal cybersecurity as “high risk,” noting gaps in logging, monitoring and implementation of directives. Adversaries are also using AI tools and disinformation to exploit weaknesses. This is the worst time to let disciplined ERM degrade.
The Pressure is Palpable
FY 2026 budget proposals aim for sharp staffing reductions. Public reporting has estimated cuts exceeding 100,000 non-defense positions, roughly 7% of that workforce segment. In parallel, guidance from the Office of Management and Budget (OMB) and the Office of Personnel Management (OPM) directs agencies to submit “workforce optimization” plans under the Department of Government Efficiency (DOGE), targeting non-statutory functions, reducing property footprints, eliminating redundant management layers and cutting full-time equivalent positions. These measures heighten the need to protect core risk and compliance functions.
The Case for Centralization
One of the most effective steps is centralizing oversight of risk, compliance and governance. Instead of each office running its own controls and reports, a single view cuts duplication and clarifies ownership. A centralized risk register mapped to NIST, ISO and CMMC gives leaders a shared foundation to see how an issue in procurement, IT or finance can cascade elsewhere. Centralization also keeps knowledge in systems rather than in personal files, such as spreadsheets, email attachments or locally saved documents, that are managed by individual staff and aren’t visible or standardized across the organization. These programs prevent the loss of institutional knowledge with workforce turnover.
Do More with Less Through Automation
Automation turns limited capacity into leverage. Automated reporting removes days of manual effort. Scheduled control testing and attestation tracking reduce missed deadlines. Dashboards that surface live metrics and risk scores give executives instant visibility, so action doesn’t wait for quarterly reviews. Agencies that adopt these practices report meaningful efficiency gains and fewer redundant tasks. Just as important, embedding procedures and remediation steps in automated workflows preserves continuity when people leave.
Embedding Risk into Daily Decision-Making
Risk management is most effective when it informs routine choices. Managers need real-time access to risk and compliance data, via dashboards, portals or shared workflows, to weigh tradeoffs in the moment. Configurable updates let teams adapt quickly to new mandates without waiting on IT or outside contractors. Agility is essential in a fast-changing environment with limited budgets.
Build for Sustainability
Workforce reductions will likely persist, so programs must hold up even as people move on. Centralize control libraries and policies in one system with clear review workflows, and capture incidents from intake through remediation so nothing is lost. Keep a single-pane view of POA&Ms, including issues, owners, timelines and costs, so leaders can steer resources where they matter most. Apply the same discipline to third-party risk by managing due diligence, contracts and compliance obligations in one place.
Here are five strategic actions for federal leaders to take:
- Centralize oversight to eliminate duplicate effort and blind spots.
- Automate repetitive work so staff can focus on analysis and response.
- Provide real-time, self-service access to risk data for everyday decision-making.
- Capture processes and controls in shared systems to ensure continuity.
- Tighten third-party oversight to manage risks across the extended enterprise.
Risk Doesn’t Wait
Budget cuts may reduce headcount, but exposure is rising. By connecting oversight, automating where possible and embedding resilience into daily operations, agencies can maintain strong GRC practices even with constrained resources. The result? They can develop agile, efficient and durable programs for the long term.
Jeff Ladner is Chief Product Officer for Onspring, a GRC workflow automation platform delivering real-time reporting through a flexible, cloud-based platform.