GFR October 2022

Government Finance Officers Association | OCTOBER 2022
Government Finance Review
A Beginner’s Guide
to Internal Controls
Segmented Pricing
for Fines and Fees
Financial Ratio
Analysis, Simplified
Cyber Risk
With more and more getting connected to
the cloud, how can governments manage
risk and protect critical services?

contents OCTOBER
2022 | VOLUME 38, NUMBER 5
16
4 Steps to Becoming
Cyber Risk Savvy
How to be a smart customer
of cyber insurance
By Shayne Kavanagh,
Rob Roque and Teri Takai
30
A Beginner's Guide
to Internal Controls
Simple but effective tips to
keep your organization safe
from fraud
By James Seaman
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
34
Segmented Pricing
for Fines and Fees
Increasing revenues and
fairness at the same time
By Jean-Pierre Dubé, Bryan
Glenn and Shayne Kavanagh
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 1

contents
65
44 By
When Growth Fuels Change
Transformation in the Town of Nolensville, Tennessee
Christina Merle and Carey Smith
50
City Budgeting for
Equity and Recovery
Effective change management
in equity implementation
By Joe Buckshon and Matthew Stitt
58
Ratio Analysis,
Simplified
An alternative framework
for analyzing the financial
condition of a government
By Aman Khan and Olga Murova
6 Contributors
8 From the CEO
10 Rewind: A Look Back
at GFR in October 2003
11 Build Back Better Never
Something
By Galen McDonald
14 GFOA's International
Partnership Program
65 Creating a Collaborative
Budget Process in the City
of College Station, Texas
By Darrell Banks
68 Theory in Practice? GASB's
New Concepts Statement
on Note Disclosures
By Michele Mark Levine
72 The Brave New Frontier of
Public Sector Privacy
By Katherine Barrett &
Richard Greene
74 Recycling the Muni
Exemption Debate
By Justin Marlowe
76 Q&A with Veronica Carrillo,
Fiscal Administrator for the
City of San Antonio, Texas
By Timothy Martin
80 10 Steps to Taming Interruptions
and Preventing Rework
2

900+
CUSTOMERS
$120 billion+
PUBLIC SECTOR BUDGETS MANAGED
$15 billion+

Publisher
Chris Morrill
Editor in Chief
Michael J. Mucha
Managing Editor
Marcy Boggs
GOVERNMENT FINANCE REVIEW
www.gfoa.org/gfr
EDITORIAL
gfr@gfoa.org
ADVERTISING
gfoa.org/gfr-ads
PERMISSION & REPRINTS
gfr@gfoa.org
CHANGE OF ADDRESS
gfoa.org/update-membership
SUBSCRIPTIONS
gfoa.org/gfr
SUBMISSIONS
GFOA encourages finance officers, scholars,
private consultants, and other knowledgeable
individuals to submit manuscripts to GFR.
All manuscripts should conform to the Editorial
Policy and Guidelines for Authors, which are
available online at gfoa.org. Manuscripts should
be submitted electronically to gfr@gfoa.org.
CONTACT
Government Finance Review
c/o Government Finance Officers Association
203 N. LaSalle Street, Suite 2700
Chicago, Illinois 60601-1210
Phone: 312-977-9700
Fax: 312-977-4806
GFOA EXECUTIVE BOARD
Terri Velasquez
President
City of Aurora, CO
Michael Bryant
Past President
Mecklenburg County
Government, NC
Laura Allen
President-Elect
Town of Berwyn Heights, MD
Sonya Andrews
City of Scottsdale, AZ
Lunda Asmani
Norwalk Public Schools, CT
Laurie M. Brewer
City of Georgetown, TX
Jennifer Brown
City of Sugar Land, TX
Bruce H. Fisher
Nova Scotia Utility and
Review Board, NS
Tanya Garost
District of Lake Country, BC
Jason Greene
Town of Surfside, FL
Anne P. Harty
City of Rock Hill, SC
Rafiu O. Ighile
Howard County
Government, MD
Sue Iverson
City of Red Wing, MN
Brandon Kauffman
Kansas Turnpike Authority, KS
Grace Martinez
San Mateo County
Transit District, CA
Margaret Moggia
West Basin Municipal
Water District, CA
Kendel Taylor
City of Alexandria, VA
Chris Morrill
GFOA
GFR (Government Finance Review) (ISSN 0883-7856) is published bimonthly in February, April, June, August, October, and December.
Subscription price is $35 annually. Opinions expressed herein are the viewpoints of the authors. They may differ from the policies and
recommendations of the Government Finance Officers Association, its committees, and staff. Letters to the editor are welcomed.
Copyright 2022 by the GFOA. Published by the Government Finance Officers Association, 203 N. LaSalle Street, Suite 2700, Chicago,
IL 60601-1210. Periodicals postage paid at Chicago, Illinois, and additional mailing office. Postmaster: Please send address changes
to Government Finance Review, 203 N. LaSalle Street, Suite 2700, Chicago, IL 60601-1210.
4

CONTRIBUTORS
Joe Buckshon is a senior analyst in the Management and Budget Consulting practice at PFM. He
is the lead analyst for the nationwide equity project with Bloomberg Philanthropies What Works
Cities, and he has provided quantitative and qualitative analysis and project management support
for client projects with the City of Baltimore, Maryland; the City of New Orleans, Louisiana; and
the City of Vero Beach, Florida. Joe supported marketing, content creation, and thought leadership
efforts for PFM’s Center for Budget Equity and Innovation. Before that, he was a policy and
performance fellow with the City of Philadelphia Commerce Department.
Jean-Pierre Dubé is the James M. Kilts Distinguished Service Professor of Marketing at the
University of Chicago Booth School of Business. He is also director of the Kilts Center for Marketing
at the Booth School, a Research Associate at the National Bureau of Economic Research, and a
faculty fellow at the Marketing Science Institute. From 2008 to 2010, he was a research consultant
for the Yahoo! Microeconomics Research group. He has been working as a research consultant with
Amazon since 2018. Dubé’s research interests lie at the intersection of industrial organization and
quantitative marketing.
Bryan Glenn is the founder and chief executive office of SERVUS, a technology company focused
on segmented pricing. Before that, he was proprietor of Capital Glenn. He’s the author of Life
Adds Up: How Mindsets Determine Outcomes (New Degree Press), which explores transformative
yet straightforward principles to help readers grow personally. Bryan was also a member of the
Chicagoland Chamber of Commerce Greater Chicago Area and the Polsky Center I-Corps Program.
Shayne Kavanagh is the senior manager of research for GFOA’s research and consulting center.
He’s been a leader in developing the practice and technique of long-term financial planning and
policies for local government. Shayne’s financial planning experience also drives his research
at GFOA. He’s written a number of influential publications on financial planning and a number of
articles on long-term financial planning, financial policies, budget reform, using technology to
improve efficiency, and related topics for magazines including Government Finance Review, Public
Management, School Business Affairs, and Public CIO. Before joining GFOA, Shayne was the assistant
village manager for the Village of Palos Park, Illinois.
Aman Khan, Ph.D., is Professor of Political Science and Public Administration at Texas Tech
University. His teaching and research interests are in the areas of public budgeting, financial
management, cost and managerial accounting in government, and quantitative methods. Dr. Khan is
the founder and current director of the Institute of Governmental Finance, which provides professional
training to middle and upper-level managers in government and elected officials. Trained as an
economist and planner, he holds an MS in urban and regional planning, an MA in economics, and a
Ph.D. in public administration from the University of Pittsburgh.
Christina Merle has been the finance director for the Town of Nolensville, Tennessee, since April
2020. Christina received her Bachelor of Science degree in Accounting and her Master of Science
in Accounting and Taxation from St. John’s University in New York. She is a Certified Municipal
Finance Officer (CMFO) in the State of Tennessee.
6

Olga Murova, Ph.D., is an associate professor in the College of Agriculture at Texas Tech
University, Lubbock, Texas. Her research focuses on the areas of efficiency of agricultural
production, sustainable rural development, international development, and agribusiness.
Dr. Murova teaches the classes Computers in Agricultural Sciences and Statistical
Methods in Agricultural Research. She holds a Ph.D. in Agricultural and Applied
Economics from Mississippi State University, an MABM from Mississippi State University,
and a Bachelor of Science and a master’s degree in civil engineering from Ukraine.
Rob Roque is the technology services manager for GFOA’s Research and Consulting
Center. Rob’s primary responsibilities are providing enterprise system implementation
advisory services, enterprise system project management services, and enterprise
selection services, as well as contributing to GFOA technology publications and GFOA
training courses. He also assists with managing internal technology projects for GFOA,
but his primary role is managing GFOA’s larger technology projects. Before joining
GFOA in 1998, Rob was a senior budget analyst with the City of Pittsburgh, Pennsylvania,
where he worked on the city’s PeopleSoft implementation project.
Jim Seaman, Ph.D., CPE, CIA, CFE, is the director of finance/assistant borough manager
for Media Borough in Delaware County, Pennsylvania. Jim has more than 30 years of
well-rounded audit and managerial experience. Before coming to Media Borough, he
was the vice president for internal audit and management consulting services for Drexel
University and Drexel University College of Medicine. Other experiences include vice
president for internal audit services and corporate compliance officer for Mercy Health
System, and associate director of internal audit for the University of Pennsylvania.
Carey Smith, finance technician, started working for the Town of Nolensville, Tennessee,
in July 2020. Carey brings a great deal of knowledge and experience to the team and has
also played an integral role in assisting with all the changes the Finance Department has
undergone. She is a licensed notary public for the State of Tennessee.
Matthew Stitt is a director and national lead for equitable recovery and strategic financial
initiatives in PFM’s Management and Budget Consulting team. He advises public sector
leaders on structural changes, budget reforms and financial planning—with a particular
focus on applying an equity lens to solving governing challenges—especially in relation
to the financial and economic crises caused by COVID-19. Before he joined PFM, Matt was
the chief financial officer for the City Council of Philadelphia, Pennsylvania, leading the
annual review of the city’s operating and capital budgets and strategic plans, as well as
advising on all fiscal matters related to proposed legislation and key initiatives.
Teri Takai is the executive director of the Center for Digital Government, a national
research and advisory institute on information technology policies and best practices
in state and local government. She worked for Ford Motor Company in global application
development and information technology strategic planning and as chief information
officer of the states of Michigan and California before becoming the first woman appointee
as chief information officer of the U.S. Department of Defense. She then served as the CIO
for Meridian Health Plan. She is a member of several industry advisory boards.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 7

FROM THE CEO
Bringing Members Together to
Address the Pressing Challenges
of Today and Tomorrow
Christopher P. Morrill
Executive Director/CEO
GFOA Materials Library
Stay up to date on all GFOA
events and monitor ongoing
research by visiting the
GFOA website events listing
and the materials library.
gfoa.org/events
gfoa.org/materials
As I speak with public
finance officers
throughout the United
States and Canada,
it’s clear that our state,
provincial, and local governments are
facing many challenges. Obstacles
related to balanced budgets, additional
accounting standards, aging
infrastructure, evolving technology,
and ongoing pension shortfalls are
perennial, but organizations are also
grappling with the many issues caused
by the COVID-19 pandemic. Perhaps
the main challenge I’m hearing about
is significantly altered workforce
expectations. This, combined with our
ever-changing political environment
and overall perception of local
government—and its role in shaping
our communities—adds to the stress of
being a finance officer while creating
a unique environment for change.
I believe GFOA plays an important
role in addressing these issues by
bringing members together to share
ideas, provide diverse perspectives,
and ultimately collaborate on
strategies and solutions that
will become the best practices of
tomorrow. At GFOA, we prioritize
member engagement, and we are
implementing new strategies to
connect members and encourage
participation in our programs. We
are also analyzing data and learning
from our past experiences to find
better ways to better serve you.
The annual conference is our
signature event of the year, bringing
together thousands of government
finance professionals for a week of
educational sessions, networking, and
social events, but equally important
ways to engage and participate are still
on the way. This fall, GFOA will host
several major events that will provide
opportunities not only for engagement
but, even more importantly, for
making contributions to the solutions
that will guide the evolution of
the public finance profession.
MiniMuni. GFOA’s virtual event that
highlights debt management best
practices and industry trends is back
on October 19 to 21, 2022, for the
fourth consecutive year. Government
entities have used debt to fund public
infrastructure for more than 200
years, but regulations are constantly
changing. This event provides GFOA
members with firsthand knowledge
from key leaders in Washington, D.C.,
and it allows our members to discuss
the latest trends, best practices, and
what to expect in the future. For more
information, visit gfoa.org/minimuni.
Rethinking Public Engagement
Summit. This virtual summit,
scheduled for November 7 to 10,
2022, will bring together academics,
researchers, and other thought
leaders in public administration
and engagement, along with civic
technology experts and local
government practitioners, to rethink
public engagement. The budget is the
most important policy document a
local government produces, but we’ve
known for decades that we need to do
a better job of meaningfully engaging
citizens in the budget process.
In recent years, new forces—distrust
of experts, loss of faith in institutions,
and the politics of cynicism—have
8

made it clearer than ever that local
governments need to consider public
engagement in a new light. The
Rethinking Public Engagement Summit
is connected to broader GFOA efforts to
“rethink budgeting” and to address ways
in which local governments can best
prioritize and allocate limited funding
to get the most for their community.
For more information, visit gfoa.org/
rethinking-public-engagement-summit.
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
Alliance for Excellence in School
Budgeting Fall Meeting. The Alliance
for Excellence in School Budgeting,
which is open to all school districts,
is an early adopter group of 100-plus
organizations that are implementing
GFOA’s Best Practices in School
Budgeting. The alliance—a part of the
Smarter School Spending initiative—
includes a diverse group of districts
from across the United States. Each
year since the group first met in 2015,
finance and academic leaders from
these districts have convened to
discuss topics including academic
return on investment, equity in school
funding, strategic financial plans,
cost-saving strategies, and more.
This year, the alliance will meet in
Chicago on December 1 and 2, 2022,
to discuss strategies for improving
student achievement and to address
the realities of the new environment
for public education. For more
information and to get involved, visit
gfoa.org/smarterschoolspending.
Local Government 2030—Lessons
for the Future: A Convening of
Practitioners. GFOA is working with
25 professional associations to sponsor
a conference of public administration
practitioners representing cities,
counties, and regional councils
across the United States. Delegates
representing general administration,
finance, public works, utilities,
community services, public safety,
economic development, and more will
come together November 4 to 6, 2022,
at the University of Nebraska Omaha
to provide leadership in implementing
solutions to what the National Academy
of Public Administration called the
“Grand Challenges” facing our nation.
Work also continues on GFOA’s
Rethinking Revenue and Rethinking
Budgeting initiatives. Both projects
take a fresh look at how public funds are
raised, focusing on innovative ideas
for retooling local systems to align with
modern economic realities and treat
citizens more fairly. We are also looking
at ways in which governments make
decisions about resource allocation,
as well as introducing concepts from
behavioral science to improve key
elements of the traditional budget
process. Information about both
projects is available on GFOA’s website
at gfoa.org/rethinking-revenue and
gfoa.org/rethinking-budgeting.
I’m excited about the future of public
finance. GFOA members are a diverse
group of leaders uniquely qualified to
discuss, debate, and develop solutions
to the many challenges that state,
provincial, and local governments
face. GFOA is committed to providing
forums for discussion and resources
for developing ideas and supporting
their implementation. I look forward
to working with all of you as we
tackle these challenges together.
Sincerely,
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 9

ewind
Rethinking Budgeting
A look back at GFR in October 2003
In October 2003, GFR dedicated
an issue to a perennial question:
What’s wrong with budgeting?
Then—much like today, and
several times since—we
noted that state and local
governments were mired in
a challenging fiscal environment,
forcing policymakers and
administrators to make difficult
choices between painful cuts in
services and tax and fee increases.
We concluded that it “may well be
the ideal time to implement muchneeded
improvements to public
budgeting,” noting that “the current
fiscal crisis, however, has exposed
deficiencies in public budgeting
systems and generated some
momentum to correct them.” And this
conclusion could apply to most years
since that magazine was published.
In 2003, we were worried about
many of the features of budgeting—it
was incremental, took months and
thousands of hours of staff time
to implement, was dollar-centric,
ignored performance, and led
employees to focus on the wrong
targets at the expense of customer
service and overall corporate goals,
and restricted managerial flexibility,
which limited innovation. Back
then there were accusations that
budgetary incentives promoted
gaming the system.
Local governments have been
reforming the budget function almost
from the moment it was introduced
in the early 1900s. “Traditional
budgeting” is the result of a long
process of experimentation that has
settled on a number of traditions:
• Annularity—that uncertainty
makes it realistic to plan only one
year at a time.
• Citizen participation—that citizens
should influence priority setting.
• Intergenerational equity—
exemplified by the separation
of current expenditures from
long-term capital programs.
• Executive-driven processes—
pinpointing accountability for
administration.
• Input and control focus—controlling
what public money is spent on and
mitigating the risk of over-spending.
• Incrementalism—where the
previous year’s appropriation is the
starting point for budget formulation,
with negotiations focused on
increments or decrements.
• Balanced budget requirements—
found in most state statutes and
local ordinances.
A number of these traditions are being
challenged, but most remain intact.
Local governments have long relied on
last year’s budget to make incremental,
line-item changes around the margins
to make next year’s budget.
Though this form of budgeting has
advantages and can be useful in
times of stability, it can also make
local governments slow to adapt
in times of rapid change, like the
volatile and uncertain times we live
in today.
In 2003 GFOA provided an
evaluative framework that helped
governments identify, diagnose, and
correct problem areas, explaining
how to conduct operational reviews
and analyze the core factors that
shape and constrain budgeting’s
usefulness as a tool for allocating
resources and reaching goals—but
most of the problems we addressed
20 years ago are still with us.
That’s why GFOA’s new Rethinking
Budgeting Initiative is taking
tangible steps to help make
budgeting better. The incremental
nature of traditional line-item
budgeting can slow down efforts
to adapt to changing conditions,
but the Rethinking Budgeting
initiative—a collaborative effort
between GFOA, the International
City/County Management
Association, and National League
of Cities—considers new ways of
thinking, new technologies, and
updated practices to better meet the
changing needs of communities.
Rethinking budgeting is no small
matter, so we’ve broken it down
into subtopics, which we invite you
to explore at gfoa.org/rethinkingbudgeting.
The initiative is ongoing,
so our content will evolve and grow
as it moves forward.
©2022 TBD C/O THEISPOT.COM
10

In Brief
FEDERAL UPDATE | INTERNATIONAL PARTNERSHIPS
FEDERAL UPDATE
Build Back Better Never Something BY GALEN MCDONALD
Let’s talk about the Inflation
Reduction Act of 2022
(IRA). It may not be the
original Build Back Better
Act that the current
administration set out to enact, but
it is something. This article explains
what’s in the law and what it means
for your jurisdiction.
What is the IRA?
The IRA was signed into law on August
16, 2022, and according to the White
House, it “will lower costs for families,
combat the climate crisis, reduce the
deficit, and finally ask the largest
corporations to pay their fair share.”
The IRA is a reduced and revised
version of the Build Back Better
Act, or the climate and health bill.
The IRA focuses on three key areas:
healthcare, clean energy, and taxes.
This article will discuss each
of these areas, touching briefly on
healthcare and taxes before diving
deeper into clean energy. We’ll finish
off by providing some suggestions and
further resources.
Healthcare under the IRA
The act aims to cut prescription drug
costs and lower healthcare costs,
which may in turn lower healthcare
costs for employers. The act allows
Medicare to directly negotiate for
prescription drug prices in 2023. It
creates a cap on Medicare patients’
out-of-pocket costs, provides cost-free
vaccines for seniors, and more.
Taxes under the IRA
Deficit reduction, clean energy,
and climate investments are key
priorities, and the act contains four
primary tax-related instruments for
raising money to meet these priorities.
The act will raise $222 billion
through “a corporate alternative
minimum tax on corporations that
earn more than $1 billion in annual
profit, but do not pay at least a 15
percent tax rate.” Approximately $203
billion will come from “investing $80
billion over the next ten years for tax
enforcement and compliance” under
the IRS. This corporate minimum
tax would have a direct but minimal
impact on the demand for municipal
bonds, as the affected corporations
don’t generally invest in munis.
A 1 percent fee “on stock buybacks by
publicly traded corporations” will raise
$74 billion. Finally, $52 billion will be
raised “by extending the limitation on
excess business losses for two years.”
The act also reinstates the
Superfund tax, which will raise
more than $11 billion for Superfund
cleanups. The act also includes tax
credits to promote clean energy and the
environment. Another tax credit will
“make used clean vehicles affordable”
for those with low and moderate
incomes. The existing Investment
Tax Credit and Production Tax Credits
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 11

IN BRIEF
for renewable energy now include
“bonus 10 percent credits for projects
built within legacy communities”
and an “increase in energy credit for
solar and wind facilities placed in
service in connection with low-income
communities.” The latter involves
either a 10 or 20 percent bonus credit,
depending on where the projects are
installed. Finally, there is an extension
of the $10 billion advanced energy
project credit, which includes $4
billion to build new clean technology
manufacturing facilities in legacy coal
communities.
Clean energy and the
environment under the IRA
The administration has three main
clean energy goals with the act:
lowering energy costs, building a
clean energy economy, and reducing
harmful pollution. The act includes
the following terms.
• Environmental justice. The
Environmental Protection Agency
(EPA) defines environmental
justice as “the fair treatment and
meaningful involvement of all people
regardless of race, color, national
origin, or income with respect to the
development, implementation, and
enforcement of environmental laws,
regulations, and policies.”
• Legacy pollution. According to
the National Park Service, legacy
contaminants are “chemicals once
used in the U.S. but then discontinued
or outright banned,” and they often
“linger in soil and water” while slowly
breaking down.
• Disadvantaged communities.
According to Executive Order 14008:
Tackling the Climate Crisis at
Home and Abroad, disadvantaged
communities are those that “have
been historically marginalized and
overburdened by pollution and underinvestment
in housing, transportation,
water and wastewater infrastructure,
and healthcare.” GFOA’s Federal
Liaison Center will be monitoring this
definition development closely as it
is widely known that disadvantaged
communities may be defined
differently elsewhere (such as in state
or local policies).
• Non-attainment areas. According
to the EPA, a non-attainment area is
“any area that does not meet (or that
contributes to ambient air quality
in a nearby area that does not meet)
the national primary or secondary
ambient air quality standard for a
NAAQS.”
The clean energy and environment
investments promote three main points:
1. Legacy pollution reduction.
2. Affordable and accessible
clean energy for disadvantaged
communities.
3. Better quality of life and good jobs.
Legacy pollution reduction. The act
directs significant funding toward
reducing legacy pollution. Several
programs specifically build on the
environmental justice-related programs
within the Infrastructure Investment
and Jobs Act. Cities and counties will
likely be eligible for these funds, and
special districts or political subdivisions
are expected to be included as eligible
entities as well. This information will
be included in the forthcoming Notice of
Funding Opportunities.
12

The administration has
three main clean energy
goals with the act:
lowering energy costs,
building a clean energy
economy, and reducing
harmful pollution.
One such to be included is
the Neighborhood Access and
Equity Program, which includes
approximately $3 billion in
competitive grants, with priority given
to disadvantaged communities for
projects that improve connectivity/
mobility, reduce urban heat, and
improve safety, among other things.
Another program included is the $2.8
billion for Environmental and Climate
Justice Block Grants, which are
available to local governments that are
partnered with a community nonprofit
to fund community-led efforts in
pollution monitoring, prevention, and
remediation, and more.
Another $3 billion is allocated for
grants to reduce air pollution at ports
through climate action plans and
implementation of zero-emission
technology. A new Clean Heavy-Duty
Vehicles program at the EPA will receive
$1 billion to cover zero-emission buses
including school buses and garbage
trucks. Diesel emission reduction
from goods movement facilities will be
covered by $60 million in grants.
Another $236 million will go toward
air pollution monitoring, with a focus
on disadvantaged communities, and
an additional $50 million will go
specifically toward monitoring and
reducing air pollution in low-income
and disadvantaged community-area
public schools.
A low-emissions electricity
program will provide $87 million in
funding for a technical assistance
program to state and local
governments to help greenhouse gas
emission reduction.
Affordable and accessible
clean energy for disadvantaged
communities. The act includes a
greenhouse gas reduction fund to help
communities deploy or benefit from
clean energy projects and pollutionreducing
technologies. At least 60
percent of the funds will focus on
disadvantaged communities, and
it will be provided to non-federal
governments through one of three
collections:
• $7 billion “for zero-emission
technology deployment…in
low-income and disadvantaged
communities.” The technology
deployment may include rooftop
and community solar.
• $8 billion for low-income and
disadvantaged communities
“for a general fund making
broad investments in reducing
greenhouse gas emissions and
promoting environmental justice.”
• $11.97 billion for another general
fund that isn’t designated for
low-income and disadvantaged
communities.
The IRA also creates a $1 billion
grant program for “improving energy
efficiency or water efficiency or
climate resilience of affordable
housing,” and $9 billion for two home
energy rebate programs specifically
for low- and moderate-income singlefamily
and multifamily households.
Better quality of life and good jobs.
Several grant programs totaling $2
billion are directed at programs that
will improve communities’ quality
of life and provide jobs; $1.5 billion
is going toward planting trees and
establishing community and urban
forests, and an additional $50 million
will be available in competitive grants
to create urban parks. Disadvantaged
communities will receive another
$550 million for planning, designing,
and constructing water supply
projects. Nearly $400 million will go
directly toward building resiliency for
tribal governments and communities.
Obstacles and resources
A few obstacles governments
might face are finding funding
opportunities the community
qualifies for, meeting cost-sharing
requirements and/or meeting
federal data reporting requirements
and locating areas of your
community that meet definitions
of disadvantaged communities.
GFOA will work to help alleviate
any issues that come up.
• The federal update column from
the August 2022 issue of GFR
(gfoa.org/materials/gfr822-wheremy-money)
goes into detail about
the federal grant process and
suggests ways to overcome some
of the challenges to successfully
accessing government dollars.
• The current administration’s
Climate and Economic Justice
Screening Tool is also a great
resource for identifying
disadvantaged communities
and taking advantage of funding
targeted to those communities.
• GFOA’s IRA Funding Tracker is
another useful resource. Like
our Infrastructure Investment
and Jobs Act Notice of Funding
Opportunities tracker, the
IRA tracker will show notices
of funding opportunities and
relevant information including
submission deadlines and where
to apply. The IRA Funding Tracker
is available at gfoa.org/flc.
Galen McDonald is a policy associate
in GFOA’s Federal Liaison Center.
For further analysis, see Justin
Marlowe’s article on the topic on
page 74 of this issue.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 13

IN BRIEF
PROGRAMS
How GFOA’s International Partnerships Came About
GFOA’s annual conference
welcomes attendees
from across North
America, including
almost all states,
provinces, and U.S. territories. GFOA
also hosts delegations from several
other countries, who bring unique
perspectives but common values
and experiences as leaders in public
finance from across the world.
GFOA’s international program
started in 1988, when former GFOA
CEO Jeff Esser met Amir Bartov at a
Sister Cities conference in Jerusalem.
Amir was in charge of the Municipal
Finance Directors Association
(MDFA) of Israel, and Jeff invited him
to attend a GFOA conference. Amir
attended that year, and thereafter,
GFOA started sending delegations
to the MFDA’s annual conference. In
turn, MFDA also started sending a
delegation to the GFOA conference.
Amir’s vision of bringing countries
together to share information was the
impetus of the international program.
In Israel, municipal finance officers
were just starting to get organized
and provide training, and they were
eager to work with their counterparts
in the United States and Canada.
Many international local
governments are controlled by their
federal government and did not
share best practices the way GFOA
members do. Program participants
signed agreements to formalize
their role in sharing information
and learning from each other.
GFOA’s first agreement was with the
MDFA in Israel. Using that relationship
as a model, GFOA went on to develop
formal relationships with others
including the Swedish Association of
Local Government Finance Officers,
the Association of the Financiers
of the Local Self-Governing Units
of Georgia, the Chartered Institute of
Government Finance Audit and Risk
Officers of South Africa the German
Association of Treasurers, the Institute
of Chartered Accountants of India,
and the Brazilian Navy Office of the
Budget, and the Institute of Public
Works and Engineering Australasia.
For many of these organizations,
Amir was influential in helping GFOA
establish the initial connection.
Over the years, GFOA’s executive
leadership has represented GFOA at
numerous conferences hosted by our
partner organizations. Recently, GFOA
President Terri Velasquez attended
a conference in Sweden, and this
year GFOA will send delegations to
Israel, South Africa, and Georgia.
With the news of Amir Bartov’s
passing on August 7, 2022, at age 73,
GFOA recognizes his contributions
to the association and the many
friendships that developed through
these international partnerships.
14

Our Common Goal
GFOA is fortunate to have invaluable
partnerships with several foreign
countries. In March 2022, I had an
opportunity to travel to Israel to attend
the Municipal Finance Directors of
Israel Conference in the beautiful
city of Eilat. We were also joined by a
German delegation, which afforded us
an opportunity to exchange ideas and
learn about our cultures.
Remembering Amir Bartov
Amir Bartov will be missed by his family, friends, and the many finance
officers he worked with over the years. Amir was passionate about
advancing the work of government finance, and his vision was global. He
also informed finance directors around the world about the work being
done by GFOA and the international program.
Jeff Esser became close friends with Amir, fondly remembering him
as a brilliant man who had an amazing memory, an impressive grasp of
languages, and a drive for bringing people together.
“Amir was an incredible person,” Jeff said. “He could converse with
just about anyone, from any country or any culture, and learn about them
and establish a friendship almost immediately. He was very outgoing,
gregarious, and inquisitive. He became instant friends with whomever
he interacted with. And he was incredibly hard-working.”
Jeff noted that Amir led an organization that did youth exchanges
between Israel and Germany, in part to establish relations between the
two countries in light of the Holocaust. He also included Israeli Arabs and
Christians in the Israeli group, an important gesture, given the political
situation in the Middle East. “He made sure to include them in everything
they did and ensured that they had representation on committees and on
their executive board,” Jeff explained. “That was part of who he was. And
the atmosphere was always welcoming and friendly. “
Amir also translated classic works like the Odyssey and other English
texts into Hebrew and put them online as part of a free literacy project
called the Hebrew Literature Computing Association. Amir was a member
of the managing committee and treasurer of the association, and he
contributed to the organization by giving lectures and raising funds.
GFOA remembers and recognizes the significant ways Amir advanced
the work of government finance and his role in the inception of GFOA's
international outreach program.
GFOA’s international
partnerships provide
an opportunity to
advance excellence in
public finance globally.
GFOA’s international partnerships
provide an opportunity to advance
excellence in public finance globally.
Our international partners hold GFOA in
high regard and look to our organization
to assist them with promoting sound
financial practices. One of the
experiences I will value most from my
trip to Israel is having an opportunity
to discuss fiscal policy with Israeli
leaders from across their country in
an intimate setting. In moments such
as these, you realize that people are
more alike than different. We discussed
policies such as aging infrastructure,
intergovernmental relations, and of
course responding to a pandemic.
However, regardless of the challenge,
we all share a common goal—to improve
the quality of life for the residents in our
communities that we serve.
—GFOA Past President Michael Bryant
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 15

4 STEPS TO BECOMING
Cyber Risk
Savvy
How To Be a
Smart Customer of
Cyber Insurance
BY SHAYNE KAVANAGH,
ROB ROQUE AND TERI TAKAI
16

BECOMING CYBER RISK SAVVY
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
Cyberattacks are a clear
and present danger for
all organizations, but
local governments are
particularly vulnerable.
A 2020 study showed
that local governments
are more likely to
be the targets of a
ransomware attack than any other
kind of organization and that 44% of
ransomware attacks targeted local
governments in 2020, a portion similar
to 2019. 1 The trend does not seem to be
abating: 2021 saw a nine-fold increase
in ransomware attacks on government
organizations between 2020 and 2021. 2
Local governments are attractive
targets for cybercriminals for a few
reasons. 3 First, local governments are
“soft targets.” This means that networks
WHAT IS RANSOMWARE?
are typically not very secure. For
example, smaller local governments
may not have dedicated IT staff, much
less dedicated cybersecurity staff. On
top of that, local governments often
operate many disparate services,
which creates a lot of “surface area”
for an attack. In other words, an
attacker could gain access to a city
government’s network through
information systems in public
works, community development,
or any other department. Second,
local governments maintain
sensitive data like tax records, voter
information, citizen and employee
health-related data, and employee
social security information. They
also provide essential services that
can’t be interrupted. A soft target with
sensitive information and essential
Local governments are more likely to
be the targets of a ransomware attack
than any other kind of organization.
Ransomware is “a type of malicious attack where attackers encrypt an organization’s data and
demand payment to restore access.” 4 Organizations fall prey to these types of cyberattacks by
clicking on a malicious web link in an unsuspecting email (phishing) or visiting an unprotected
website and unknowingly downloading and activating malware.
services is the proverbial “lowhanging
fruit” for the cybercriminal.
A third and, perhaps, surprising
reason is the public profile of local
governments, which refers to
transparency requirements, open
data sets, public-facing internetenabled
transactions, and more.
This public profile means hackers
have an advantage in calculating
an effective strategy to penetrate a
local government’s defenses. This
compares to private firms that
have a greater ability to conceal
their activities from the public and,
therefore, cybercriminals.
Cyberattacks are expensive. Cities
like Atlanta and Baltimore have made
headlines with the extreme cost of a
cyberattack. These cities are reported
to have incurred over $15 million
each, including data recovery costs
and the cost of downtime and lost
revenue. 5 The risks are not limited
to large governments. In 2019, the
City of Stuart, Florida, (population
16,000) was hit with a ransomware
attack and a demand for $300,000.
The city elected not to pay and had to
incur about 2,000 hours of staff time
to manage the recovery and workarounds
and spent a significant sum
on replacing/upgrading hardware
and software. 6 Further, a study of the
costs of cybercrime across industries
showed that there was barely any
relationship between the size of the
victim organization and the size
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 17

BECOMING CYBER RISK SAVVY
of the loss. 8 In other words, a smaller
organization does not necessarily
translate into lower potential losses
from cybercrime.
The potential extreme consequences
of a cyberattack have caused many
local governments to turn to cyber
insurance. Given the potential losses
from an attack, transferring the risk of
an attack to the insurance market could
be an attractive proposition. However,
cyber insurance is a relatively new type
of insurance instrument compared to
traditional insurances, like property
and liability insurance. Also, the cost of
a policy or the availability can change
dramatically in a short time. In fact,
as of this writing, many governments
have experienced rapidly increasing
premium costs. This article will help
local governments approach cyber
insurance in a risk-savvy manner and
make smart decisions about how to
invest in protection against cybercrime.
As a first step, let’s understand
three fundamental issues with cyber
insurance that an informed consumer
must be aware of.
First, insurance is remedial, whereas
controls (cybersecurity measures) can
be preventative. For example, training
on safe computing practices can make
it less likely that an employee clicks
on a malicious web link in an email,
thereby avoiding an attack that could
have otherwise succeeded.
Prevention is generally preferable
to remediation. Cyberattacks can have
consequences beyond what insurance
can cover. For example, the City of
Stuart found that even if it had been
able to use insurance to pay the ransom,
the files that would be “restored” by
the cybercriminal would go to one
folder, with all new names and no file
extensions! Insurance is not an “undo
button” for a cyberattack. There are
also indirect effects of a cyberattack
that are best avoided, such as the hit to
the reputation of a local government.
Reputation is not an inconsequential
intangible. A loss of public faith in
government has consequences. A
perceived vulnerability to cybercrime
also could have consequences for
bond ratings. 8 This means that local
governments must be savvy in choosing
when to invest limited resources in better
cybersecurity controls versus investing in
cyber insurance.
Second, commercial insurance, by
design, is a “bad bet” for the insured,
on average. If it weren’t, insurance
companies would go broke. This is why
governments can sometimes reduce
costs by self-insuring. This does not
mean local governments should never
buy commercial insurance. Commercial
insurance is great for protecting against
catastrophic losses that government
isn’t capable of absorbing. This means
local governments must be savvy in
determining when to accept the risk
(self-insure) and when to transfer risk to
commercial insurers.
Third, the market for cyber insurance
continues to change and evolve with
the level of threat posed to governments
by cybercrime. The cyber insurance
market is relatively underdeveloped, and
fewer actuarial models exist compared
to other kinds of insurance markets—
which have been around for decades
and maybe centuries. Hence, the market
A 2018 ransomware attack cost the City of
Atlanta over $15 million to restore systems
and make up for lost or delayed revenue.
18

for cyber insurance is evolving rapidly
as insurance sellers and buyers come
to understand the nature of the peril
better and the financial implications of
insuring it. As of this writing, the market
for cyber insurance is tightening up,
with policies becoming unaffordable
or unavailable for local governments
that don’t have adequate controls to
prevent cyberattacks. This means
local governments must be savvy about
recognizing the evolving nature of the
cyber insurance market and not assume
that today’s coverages will be available at
comparable prices in the future.
With these issues in mind, how
should a local government approach
cyber insurance? The rest of this article
will take you through a step-by-step
procedure for considering the costs
versus the benefits of cyber insurance.
Risk Mitigation vs. Risk
Transfer, or Cybersecurity
Controls vs. Cyber Insurance
We will start from the premise
that local government has limited
resources, so a dollar invested in cyber
insurance is a dollar not invested in
controls. The advantage of controls
is that they can be preventative; they
can stop the attack from doing damage
in the first place. A software patching
strategy leaves fewer vulnerabilities
for cybercriminals to exploit. Controls
can also reduce the potential damage
from an attack if an attack succeeds.
For example, high-quality data backups
make it easier to recover lost data.
Insurance is always remedial; it cleans
up the damage after it has happened.
The advantage of insurance is that it can
provide some relief from catastrophic
losses, where it is impractical to
develop sufficient controls. Hence,
there is a trade-off to consider. How
can this trade-off be analyzed? We will
present a four-step process:*
Step 1—Know the basics of your
cybersecurity situation
Step 2—Quantify your risk
Step 3—Examine the potential
of insurance
Step 4—Periodically reassess
STEP 1
Know the basics of your
cybersecurity situation
Some local governments will have
a good handle on their existing
cybersecurity situation, but others
may not. There are three questions
to ask as part of Step 1:
What are the most important assets
you need to protect? Technology
assets with sensitive data or that
administer mission-critical functions
are the most important. These may
include social security numbers,
credit card information, bank account
information, any kind of health data
that might be protected by law (e.g.,
the U.S. Health Insurance Portability
and Accountability Act), and criminal
justice data. Examples of critical
systems might include enterprise
resource planning (ERP), tax revenue
systems, or public health or public
safety systems.
What threats are most important?
Today, ransomware attacks are the
most prevalent threat. Other possible
threats include denial of service
attacks, leaks of sensitive data, or cyber
CAN YOU ELIMINATE RISKS?
sabotage of various forms. Ransomware
attacks will likely continue to be the top
threat because there is a clear financial
incentive for the perpetrator. It is worth
noting that these threats can combine.
For example, a ransomware attack could
lead to data leaks.
What is the state of your controls?
State and local governments have been
challenged with finding resources to keep
up with cyber threats. Important controls
include multifactor authentication,
firewalls, encrypted data storage,
encrypted data backups, incident
response planning, training staff to avoid
phishing attacks, software patching,
and endpoint detection response.** In a
2021 survey, 9 respondents indicated that
spending on cybersecurity focused on
software, hardware, backup, monitoring,
and training. Incident response was listed
as a lower priority. Only 57% of responses
indicated that cybersecurity training
was done annually for all employees.
The focus areas for business continuity
in the face of a cybersecurity attack were
data backups and recovery, operational
business plans, and ensuring manual
work-arounds in case of an outage.
There are comprehensive frameworks
for addressing cybersecurity risks, like
CIS Top 18 (perhaps the most accessible
for local government), COBIT, NIST, and
ISO. These are valuable for organizations
with the sophistication to use them.
However, even a basic assessment
of whether you have the controls we
described here, or not, can be useful for
Step 1. At the end of Step 1, many local
governments will find that they have
One strategy in risk management is to eliminate risks by eliminating risky activities. In the world of
cyber insurance, an opportunity might be to reduce the amount of sensitive data that government
collects and stores. You might ask if collecting and storing certain types of sensitive data is
necessary and worth the exposure it brings.
* The four steps of this process are based on the “Cyber Loop” method described in: “Protecting Today. Safeguarding Tomorrow. The Cyber Loop: Managing Cyber Risk Requires a
Circular Strategy,” published by Aon in 2019. https://www.aon.com/cyber-solutions/wp-content/uploads/Aons-Cyber-Solutions_The_Cyber_Loop.pdf.
** If you are not familiar with the controls in this sentence, please see the Appendix.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 19

BECOMING CYBER RISK SAVVY
opportunities to invest more in cyber
controls. In particular, multifactor
authentication, firewalls, patching,
and training employees on safe
computing practices are potentially
valuable controls and may represent
a wise investment in cyber risk
prevention.
STEP 2
Quantify your risk
It will be difficult, if not impossible,
to make a savvy decision about the
trade-offs between investing in
controls and purchasing insurance
without quantifying the risks. “Risk”
can be defined as the chance of the
occurrence of a loss, disaster, or other
undesirable event multiplied by the
magnitude of the loss. This definition
implies that risk is a quantifiable
property.*
People have attempted qualitative
risk analyses in the form of a “risk
matrix” or “heat maps,” where risks
are classified along a scale such as
“low,” “medium,” and “high,” and
color coded according to severity.
However, research has shown that
this kind of analysis can lead to worse
Likelihood
decisions! 10 A reason for this is an
“illusion of communication,” where
decision-makers falsely believe that
everyone who is part of the decision
has a similar understanding of the
risk. 11 The problem is that categories
like “low,” “medium,” and “high”
are vague and invite different
interpretations by different people.
Imagine one of your colleagues
is an inveterate sports gambler
and another has never so much as
purchased a lottery ticket. These
two people probably have very
different definitions of “low” risk.
However, if risk is quantified, like
“we believe there is a 10% chance of a
ransomware attack costing us more
than $100,000 in the next year,”
there is less room for interpretation.
Another reason that risk matrices
can be counterproductive is they
act as an “analysis placebo,” 12
where decision-makers think they
understand the risk because they
have subjectively characterized the
risk as “high,” “low,” etc. But, because
the risk matrix is not based on hard
data about the chance of loss and the
potential magnitude of loss, decisionmakers
are overconfident about how
well they understand the risk.
Typical Risk Matrix Often Leads to Worse Decisions About Risk
Impact
Negligible Minor Moderate Significant Severe
Very Likely Low Med Medium Med Hi High High
Likely Low Low Med Medium Med Hi High
Possible Low Low Med Medium Med Hi Med Hi
Unlikely Low Low Med Low Med Medium Med Hi
Very Unlikely Low Low Low Med Medium Medium
Though risk matrices are easy
to create, easy to understand, and
inexpensive, if they lead to lower
quality decisions, they aren’t a good
deal. The alternative to a subjective
risk matrix is to quantify risks.
In this article, we will not get deep
into the details of how to quantify risk.
The details of quantifying risk are
best left to professional risk analysts.
Instead, we will show concepts that
will help you think about cyber risks
in a way that is consistent with a
quantified approach and that will
help you ask the right questions of the
risk professionals who are versed in
the details of risk quantification. If
you would like to dig deeper into risk
quantification, here are three sources
for further detail:
GFOA has built a sample Excel
ransomware risk model that uses
the same methods to quantify risks
that insurance companies use but
is built using the open Probability
Management standard. 13 This model
is not a substitute for professional
risk analysis and is intended only as
an educational tool for ransomware
risk. It will provide you with a basic
understanding of how the risks of
a cyberattack could be quantified.
It is not intended to provide a
comprehensive analysis of your
cybersecurity risk. The content of
Step 2 in this article will be largely
based on the sample model but will
not cover all of the details in the
model. You can get access to the
model at gfoa.org/cyber-insurance.
Finally, GFOA has found that some
insurance companies are taking
steps to provide clients with richer
quantification of risk. They believe
that more informed customers will
be better long-term customers.
Understanding the concepts in this
article will help you ask insurance
providers for the right information
and make the best use of the
information.
* Loss also includes things that are sometimes thought of as “intangible,” like community trust, reputation, etc. These losses are also measurable, though not as easily as some other losses.
For more on this subject, see: Hubbard, D. (2014). How to measure anything: Finding the value of intangibles in business. Wiley.
20

Before we start our discussion of
quantifying risks, we’d first like to
acknowledge that quantifying risks
is often not the normal course of
business for local governments. As
such, it is natural that there might be
some skepticism about the potential
for quantifying risks. We’d like to
present three common objections to
quantification posed by the skeptic
and our response: 14
Objection 1: Quantifying risk is more
appropriate for insurance industry
analysis and is unlikely to be
appreciated by local governments
looking for practical advice.
Answer: It is common for us to
underestimate the capabilities of
other people relative to our own. 15
GFOA has presented quantified risk
information to many elected officials
and government staff and has yet to
find one who could not at least grasp
the essential point. As for practicality,
given that subjective methods (like
a risk matrix) often lead to worse
decisions, we would suggest that it
is the subjective methods that don’t
work in practice.
Objection 2: The cyber insurance
market is volatile, so decisions based
on a quantitative model will be wrong.
Answer: Insurance companies have
been making decisions based on
quantitative methods as early as the
17th century. This does not mean
that every decision an insurance
company has ever made is perfect.
But it is understood within the
insurance industry that it would be
foolish to attempt to compete without
quantitative methods. 16 The next
objection is also relevant to this issue.
Objection 3: Within cybersecurity,
there are too many complexities
changing too quickly to make a
reasonably accurate assessment.
Answer: One way or the other, a
government has to decide on how
to invest in commercial insurance,
self-insurance, and controls for
cybersecurity. A government can either
take a wild guess and hope for the best
or take a more rigorous approach. No
quantitative model will be perfect,
but a model can still be useful. To be
useful, a model does not have to be
perfect; it just needs to outperform
the alternative, which is a subjective
judgment. Because a quantitative
model forces rigor and transparency in
how you think about a question, there is
a chance that even an imperfect model
will outperform subjective judgment. 17
With the common objections to
quantifying risk addressed, the first
step in quantifying your risk is to
get data on how likely a loss from
cybercrime is and how big that loss
might be. First, we must recognize
that definitive data is going to be very
difficult, if not impossible, to come by.
But remember, a model does not have to
be perfect; it just needs to outperform
the alternative (e.g., guesswork).
That said, let’s start with the chance
of a successful ransomware attack,
defined as multiple computers infected
and files are successfully encrypted.
This means the local government is
not able to stop the attack once the
computers were infected. Our offthe-record
conversation with a local
government risk pool found that their
pool members experienced roughly
a 5% to 10% chance of a successful
ransomware attack for a pool member
in a given year. Moving on to damages
from a successful attack, according to
the NetDiligence Cyber Claims Study:
2021 Report, the five-year average total
incident cost averaged $267,000, but
with a median of $98,000. 18 This tells
us that average is pulled upwards by a
small number of catastrophic losses.
The data showed 10% of incidents
cost more than $638,000, and some
cost much more: millions of dollars.
Total incident response includes costs
like forensics, business interruption,
recovery, and paying the ransom (if
one is paid). Finally, we should recall
that cyberrisk is an evolving threat,
so these figures could change year to
year, perhaps significantly.
Next is to visualize this data to
understand the implications of
your baseline level of risk. There are
many ways data could be visualized,
but we’ll use what is known as a
“loss exceedance curve” (LEC). An
LEC presents risk in the way that
REAL-LIFE EXPERIENCES | RENEWING CYBER INSURANCE IN 2022 FOR LOCAL GOVERNMENTS
On the GFOA member forum, we asked people to share their experiences with renewing cyber insurance for 2022. The two quotes below capture
the experience of people who replied.
“ The renewal quote has nearly doubled, and the retention amounts, particularly for ransomware incidents, have increased substantially, to the
point where an individual government would face significant (think potentially seven figure) out-of-pocket exposure to a cyber event before
any insurance coverage would kick in.”
“ We had cyber insurance until this past year. Upon renewal, the insurance provider needed a brand new questionnaire with far more significant
requirements, multifactor authentication, as well as a proven and regular phishing training program and other quite significant requirements.
As a result, we have been declined for this year and are working to see if we can get back onside with the requirement.”
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 21

BECOMING CYBER RISK SAVVY
insurance companies think about it
and is commonly used in different
industries to depict risk. An LEC
can be constructed for specific
applications (e.g., ERP), departments
(e.g., police), risks (e.g., ransomware),
or any other relevant perspective.
Exhibit 1 shows an LEC for a
successful ransomware attack. The
vertical axis shows the chance of a
given loss (or greater) occurring, and
the horizontal axis shows the loss. For
instance, there is about a 40% chance
of losing at least $160,000 because an
attack was successful. This is because
the blue line passed through the 40%
mark at about $160,000. The blue line
skims along the bottom of the graph
for some distance, which indicates a
small chance of catastrophic losses.
However, the damages from a
successful attack must be considered
against the chance an attack will
succeed in the first place. Exhibit 2
shows an LEC with the chance that a
successful attack will occur factored
in. You can see that the blue line that
intersects the vertical axis has a
much lower chance in Exhibit 2. This
is because a successful attack is not a
high-probability event.
The blue lines in Exhibits 1 and
2 show what is known as “inherent
risk.” This is your baseline level of
risk, reflecting the controls you have
in place now. The analysis can show
how the curve would change if you
invested in additional controls. For
example, perhaps you could invest
in better data backup to reduce the
damage from a successful attack—and
in better training for employees to
guard against phishing attacks to
reduce the chance of a successful
attack. Exhibit 3 shows what a 10%
reduction in the chance of a successful
attack and a 30% reduction in potential
damages would look like via the orange
line. You can see that the orange line
intersects the vertical axis at a lower
point, which means you’ve lowered
your chance of experiencing damages.
There is also a substantial gap between
the orange and blue lines all along
the curves. This gap represents the
lower potential damages from the
mitigations.
The orange line in Exhibit 3 is also
known as “residual risk.” This is the
remaining exposure that would be left
after making optional investments
in additional controls. In the sample
risk model, you determine the size and
type of the investment, and you could
explore different options for investing
in controls. Making additional
investments in controls shifts the
curve downward, which means the
risk profile becomes more favorable.
There are two caveats to consider
here, though. First, controls can fail,
be poorly implemented, or otherwise
not live up to expectations. Hence, a
good control strategy is diversified
so that you are not dependent on any
single control. Second, residual risk
can’t reach zero. Not only is this a
theoretical impossibility, as long as
the government uses information
technology, but it is also a practical
EXHIBIT 1 | LOSS EXCEEDANCE CURVE FOR A SUCCESSFUL RANSOMWARE ATTACK
Chance that
damages will
be at least what
is shown on the
horizontal axis
100%
80%
60%
40%
20%
0%
$0.0 $2.0 $4.0 $6.0 $8.0 $10.0
Millions
impossibility, given the limited
resources available for cybersecurity.
Hence, risk savvy is a matter of
identifying the point where you are
willing to make additional security
investments, where you will rely
on insurance, and where you will
absorb risk.
The quantification of your baseline
(or inherent risk) and of the potential
to invest in controls (or residual risk)
accomplishes two goals:
First, it helps you evaluate the value
of investing in additional controls.
For example, local governments may
find there is a strong case to invest
in new controls such as training
on safe computing practices for
staff, multifactor authentication,
virtual private networks, and data
encryption and backup services. In
particular, this kind of analysis can
show the value of training. Decisionmakers
can see the reduction in risk
that training provides. Research
suggests that local governments have
substantial opportunities to improve
their controls. One study showed that
local government was among the
least effective sectors in stopping
a ransomware attack before data
could be encrypted. This same study
showed two sectors most successful
in stopping attacks (media, leisure,
entertainment, and distribution/
transport) were about 60% more
successful than local government. 19
If your controls are already
strong, the analysis might highlight
the limited benefit available from
additional investment. For example,
if you had to spend $1 million on new
controls for an average reduction in
your damages of $100,000, you might
reasonably question if that is a good
investment! The GFOA sample risk
model for ransomware walks you
through some return on investment
calculations for controls.
The second goal that quantification
accomplishes is to set the stage for
making a wise decision about investing
in controls versus insurance. We’ll take
this up in more detail in Step 3.
22

STEP 3
Examine the potential of insurance
First, “self-insurance” should not be
overlooked. Local governments often
set up self-insurance for all types of
risks. There is no reason that selfinsurance
couldn’t work for cyber
risk as well. Self-insurance might be
especially important in a tight market
for commercial insurance for two
reasons: First, to reduce the cost of a
commercial policy to an affordable
amount, governments might be forced
to accept a higher retention amount*
on the policy. A retention amount is
a form of self-insurance. Second, if a
policy is unobtainable, self-insurance
might be the only option left past the
point where investment in additional
controls ceases to be practical.
EXHIBIT 2 | LOSS EXCEEDANCE CURVE, GIVEN THE CHANCE OF ONE OR MORE
SUCCESSFUL ATTACKS IN A YEAR
Chance that
damages will
be at least what
is shown on the
horizontal axis
6%
5%
4%
3%
2%
1%
0%
$–
$0.5 $1.0 $1.5 $2.0 $2.5
Millions
EXHIBIT 3 | LOSS EXCEEDANCE CURVE WITH THE IMPACT OF NEW CONTROLS ADDED
Chance that
damages will
be at least what
is shown on the
horizontal axis
EXHIBIT 4 | LOSS EXCEEDANCE CURVE WITH AN AMOUNT AVAILABLE FOR SELF-INSURANCE
Chance that
damages will
be at least what
is shown on the
horizontal axis
6%
5%
4%
3%
2%
1%
0%
$–
6%
5%
4%
3%
2%
1%
0%
$–
$0.5 $1.0 $1.5 $2.0 $2.5
Millions
Damages without new controls
$0.5 $1.0 $1.5 $2.0 $2.5
Millions
Damages without new controls
Damages with new controls
Damages with new controls
Self-insurance limit
For these reasons, Step 3
should include an analysis of selfinsurance
capacity. This is a matter
of determining the amount of risk
you are willing to absorb via selfinsurance.
Exhibit 4 adds to our LECs
from Step 2 by including the amount a
government is willing to put aside for
self-insurance—$700,000 in this case.
This could be derived from the number
of liquid resources a government has
available to respond to unplanned
emergencies (e.g., reserves). You could
then determine the chance that you
will exceed this amount and compare
that chance to your appetite for risk. We
have indicated the chances in Exhibit
4, and the GFOA sample model shows
the chances for any self-insurance
amount you enter. Would you be
comfortable with an 8% chance (or one
in twelve years) that self-insurance
would be inadequate for the losses you
experience in a year or, put another
way, a 92% chance that self-insurance
would be adequate? If not, you might
need to consider commercial insurance
if further self-insurance is impractical.
Self-insurance is often most valuable
at a point where: A) investing in more
controls loses cost-effectiveness,
and B) commercial insurance can be
made more affordable by accepting a
higher retention. Knowing the amount
available for self-insurance is a good
place to start in considering the role
of commercial insurance.
Commercial insurance is most
useful at the far end of the loss
exceedance curve. There is some
unavoidable risk in operating a modern
local government. For example, a
local government could reduce a lot
of cybercrime risk by severing all of
its connections to the internet, but
that would present an unacceptable
cost in lost operational efficiency.
This means that the risk of extreme
losses is unavoidable. The far end of
the loss exceedance curve is where the
potential losses are too high to absorb
via self-insurance.
* Retention is the total amount of a loss the insurance policyholder must pay out of pocket. It includes the deductible but is not limited to the deductible. For example, insurance policies
have limits on how much will be paid out. The government is retaining the risk that the cost of a cyber incident could be more than the policy limit.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 23

BECOMING CYBER RISK SAVVY
Commercial cyber insurance can,
theoretically, cover a variety of different
losses. Exhibit 5 provides an overview
of the different coverages that could
be available. 20 Make note of our use
of conditionals like “theoretically”
and “could.” Market conditions will
determine if an insurance company
is willing to sell you any of these
policies. In fact, GFOA spoke with one
large reinsurer that was refusing to
underwrite cyber policies.
That said, as of this writing, many
insurance providers are willing to
sell policies. Even so, they may place
limits on the policy (i.e., boundaries on
what is covered and what is not). Smart
customers will understand these limits
and their implications. Let’s examine
the limitations that appear in cyber
insurance policies in the next sections.
Underwriting
Underwriting is the process insurers
use to determine the risks of insuring
your government. The underwriting
process has intensified in recent years.
Many insurance companies are using
specialized cyber risk consultants to
help them assess risk more accurately.
Underwriters are increasingly
looking for the insured to have key
security features as a prerequisite for
a policy. Such features might include
multifactor authentication, incident
response planning, encrypted data
storage, patching cadence, and endpoint
detection response.* Governments
with inadequate internal security
might have trouble getting a policy or
might face increased costs. Earlier in
the article, we quoted a GFOA member
who could not secure a policy due to
more intensive underwriting. Another
member reported facing a doubling of
premiums unless they implemented
multifactor identification.
Key questions to ask: How can you
make the best impression on your
underwriters to convince them you
are a good risk? Do you have costeffective
opportunities to improve
your security controls?
* See the Appendix for definitions of these controls.
EXHIBIT 5 | CYBER COVERAGE OVERVIEW
Operational Risks
Network Business Interruption—Covers lost net income caused by a network security failure, as
well as an associated extra expense.
System Failure—Expands coverage trigger for business interruption beyond computer network
security failure to include system failure.
Dependent Business Interruption/Dependent System Failure—Coverage for lost income caused
by a network security failure of a business on which the insured is dependent, as well as an
associated extra expense.
Cyber Extortion—Coverage for expenses incurred in the investigation of a threat and any extortion
payments made to prevent or resolve the threat.
Digital Asset Restoration—Coverage for costs incurred to restore, recollect, or recreate intangible,
nonphysical assets (software or data) that are corrupted, destroyed, or deleted due to a network
security failure.
Privacy and Network Security Risk
Privacy Liability—Coverage for defense costs and damages suffered by others for failure to protect
personally identifiable or confidential third-party information.
Security Liability—Coverage for defense costs and damages suffered by others resulting from
a failure of computer security, including liability caused by theft or disclosure of confidential
information, unauthorized access, unauthorized use, denial of service attack, or transmission of a
computer virus.
Privacy Regulatory Fines and Penalties—Liability coverage for defense costs for proceedings
brought by a governmental agency in connection with a failure to protect private information and/or
a failure of network security pursuant to applicable laws or regulations.
Media Liability—Coverage for defense costs and damages suffered by others for content-based
injuries such as libel, slander, defamation, copyright infringement, trademark infringement, or
invasion of privacy.
PCI Fines and Penalties—Coverage for a monetary assessment from a payment card association
(e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an
“acquiring bank”) in connection with an insured’s noncompliance with PCI Security Standards.
Breach Event Expenses—Reimbursement coverage costs to respond to a data privacy or security
incident. Covered expenses include certain computer forensic expenses, legal expenses, costs for a
public relations firm and related advertising to restore your reputation, consumer notification, call
centers, and consumer credit monitoring services.
Cybercrime Insurance Coverage
Social Engineering Coverage—Coverage for direct financial loss as a result of fraudulent
instructions provided by a third party that is intended to mislead an insured through the
misrepresentation of a material fact.
Funds Transfer Fraud—Coverage for direct financial loss as a result of fraudulent instructions
provided to a financial institution that authorize the transfer of the insured’s funds by a third party
impersonating an insured.
Computer Fraud—Coverage for direct financial loss sustained resulting from the unauthorized
seizure of funds from their computer network by a rogue employee or malicious third party.
Miscellaneous Cyber Insurance Coverages
Reputational Income Loss—Coverage for lost net income caused by bad publicity resulting from a
security event.
Bricking Coverage—Coverage to replace hardware rendered inoperable due to a security breach.
Claims Avoidance Coverage—Coverage for expenses incurred as a result of the insured’s
reasonable investigation of a potentially covered claim.
Reward Payment Coverage—Coverage of payment for information that leads to the conviction of
any individual committing or attempting to commit an illegal act relating to a security event.
Betterment Coverage—Coverage for expenses incurred to update, restore, or improve computer
systems to a level beyond that which existed before a security event.
Overview of Coverages Provided Courtesy of Aon
24

Payout Limits and Sublimits
A policy limit is a maximum amount
a policy will pay out. Sublimits
are a traditional part of insurance
policies. Sublimits are a limit on the
reimbursable loss for a particular type
of risk that is less than the total limit on
the entire policy. The savvy customer
will review all policy language and
make note of any sublimits. Sometimes
sublimits are clear on the declarations
page of the policy; but other times
you will need to review the policy
definitions and endorsements to find
sublimits. Sublimits are important
because you may find that you have
less coverage for a particular type of
risk than the limit on the entire policy
might have led you to believe.
Common sublimits include:
Ransomware—Limiting the
total coverage available for a
ransomware attack versus the total
limit for all cybercrimes.
System failure—Limiting the
coverage for a cascading system
failure, where a failure in one
system leads to failures in other
integrated systems. For example,
staff may not be reimbursed
for personal devices that were
damaged as a result of connecting
to an infected network at work.
Bricking—Limiting the
reimbursement for replacing
hardware that is rendered unusable
by a cyberattack. For example,
the company may cover “hard
bricks,” where the device is made
inoperable, but not a “soft” bricked
device, where part of the device
may be operable or repaired.
Retentions
Retentions are another traditional part
of an insurance policy. Retention is
the risk that is retained by the insured
or, put another way, the amount of
damages the insured will have to pay
out of pocket outside of what is covered
by insurance. Lower retentions are
not necessarily better because a
policy with lower retention will cost
more. Higher retention could be a way
to reduce the cost of the policy if the
government can self-insure for the
larger retention. Note that “retention”
commonly refers to policy deductibles
but does encompass other retailed
risks. For example, if a policy has a low
limit, then the risk that an incident
will cost more than the limit would
also be retained by the government.*
Another issue is “single highest
retention.” Exhibit 6 shows a
hypothetical cyber insurance plan
with five policies. An attack happens
and triggers three of the policies. The
EXHIBIT 6 | SINGLE RETENTION VS. MULTIPLE RETENTIONS
single highest retention looks across all
three policies and selects the highest
retention (deductible) as the amount
the insured pays. The multiple retention
policy sums up all of the retentions.
Though a multiple retention policy
would likely be less expensive, a single
retention policy might be preferable
because it will be easier for the insured
to estimate the retention cost of a given
attack. In Exhibit 6, the insured need
only look across the retentions of all
five policies, find the minimum and
the maximum, and that is the range of
possible retentions for a given attack
under a single retention policy. For a
multiple retention policy, the range is
the smallest single retention to the sum
of all the retentions in the policy. The
latter would be more difficult to plan for.
Key questions to ask: What balance
between retention (self-insurance) and
policy price (commercial insurance)
is best for you? Is your policy single
highest retention?
Retention
Security liability $500,000
Regulatory liability $500,000
PCI (payment card industry) $500,000
Breach response $750,000
Business interruption $500,000
Attack happens and triggers these policies:
PCI (payment card industry)
Breach response
Business interruption
Key questions to ask: What are the
sublimits in your policy? Do these
sublimits change your understanding
of the level of coverage you have?
What implications does that have for
your investment in cyber insurance
(commercial or self-insurance) versus
cyber controls?
If you had Single Highest Retention:
PCI (payment card industry) $500,000
Breach response $750,000
Business interruption $500,000
You pay max of the
group above
$750,000
If you had Multiple Retentions:
PCI (payment card industry) $500,000
Breach response $750,000
Business interruption $500,000
You pay sum of the
group above
$1,750,000
* Other examples of retained risk include 100% self-insurance strategies that are apart from a commercial policy or risks that a government chooses not to insure at all (self or commercial).
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 25

BECOMING CYBER RISK SAVVY
Panel Requirements
Next, it is critically important to know
the requirements to secure assistance
from a preapproved cybersecurity
contractor in the event of a breach.
The list of preapproved contractors is
known as a “panel” and may include
all aspects of support for a breach (e.g.,
legal counsel, technology support,
etc.). This is similar to personal
automobile insurance, where, in
the event of an accident, the insurer
requires the insured to use an
approved auto repair shop. With cyber
insurance, if you use a cybersecurity
contractor that is not on the insurer’s
list of approved providers (known as
going “off panel”), then you may lose
all coverage for a breach response.
Some insurers provide options on
which contractors you may use (or may
require you to use a single contractor),
but it is important to know the
requirements and your options at the
start of the policy period. Finally, we
should note that panel requirements
are not necessarily a bad thing. For
example, paying a ransom might
require paying in cryptocurrency. An
experienced consultant, like would be
found “on panel,” will be able to secure
the right kind of cryptocurrency faster
than a government.
Key questions to ask: What obligations
do you have to use a specified security
contractor to help respond to a breach?
What options do you have to select
between contractors?
Exclusions
Insurance exclusions are policy
provisions that waive coverage for
certain risks or loss events. Smart
customers understand the exclusions;
otherwise, their policy may not
provide coverage for risks that the
customer assumed would be covered.
According to one cybersecurity expert
we spoke with, in almost every cyber
insurance event they’ve been involved
with, the insured did not take the
time to understand the exclusions, to
their great detriment. An example of a
common exclusion for cyber policies is
civil and legal liabilities for breach of
personal data.
Ransomware is the leading type of
cyber threat for local governments,
so let’s examine some of the germane
exclusions to that type of policy. In the
previous section, we discussed what
are known as “panel requirements,”
or the requirement that the insured
use only preapproved cybersecurity
contractors to respond to a breach.
Going “off panel” is a form of exclusion,
where using an unapproved contractor
could result in an exclusion from
coverage.
An evolving issue is federal
government policy on responding
to ransomware attacks.* From
the perspective of an individual
organization that is the victim of an
attack, the logical response is for the
insurer and the customer to figure
out if it is better to pay the ransom or
pay the cost to recover the affected
systems without access to the
ransomed data. However, this presents
a collective action problem: When
any single victim pays a ransom, it
encourages cybercriminals to launch
more attacks. Therefore, federal law
enforcement officially discourages
ransom payments and has outlawed
payments in some cases. 21 An
insurance policy would exclude
coverage for ransom payments when
making the payment would violate
federal policy. State governments
could join the federal government in
creating an exclusion. In April 2022,
North Carolina became the first state
in the U.S. to prohibit state agencies
and local governments from paying
ransoms. 22 Another sticky area is
exclusions of “acts of war.” Damages
from acts of war are excluded from
many types of insurance policies,
not just cyber. The reason is that an
act of war would presumably result
in widespread destruction, and an
insurance company could not afford to
cover large losses occurring to many
customers simultaneously. In some
cases, cyberattacks are perpetrated
by common cybercriminals, but
many cybersecurity experts consider
state-sponsored cyberattacks to be
a significant risk. For example, it is
thought that North Korea sponsors
ransomware attacks to raise money
for the North Korean regime. As of
this writing, Russian cyberattacks
are thought to be a risk from the
war in Ukraine. If a state-sponsored
cyberattack is considered to be an
“act of war,” it might be excluded. That
said, it is often difficult to attribute a
cyberattack to a particular attacker,
much less to determine if the attacker
is state sponsored. Nevertheless, a
customer should recognize that statesponsored
cyberattacks are a real
threat and policy exclusions could
complicate receiving coverage from
state-sponsored attacks.
Lastly, an exclusion with broader
implications than just ransomware is
if the insurance policy lists specific
types of hardware, data, or other IT
assets that are excluded from the
policy. For example, the cost to replace
“bricked” computers (i.e., computers
that are rendered useless by a
cyberattack) may be excluded from
a policy. Similarly, cyber insurance
policies generally don’t cover
bodily injury and property damage.
Examples might include modems and
connectivity devices for internetenabled
physical assets or damage to
water or sewer control systems from a
cyber sabotage attack. Also note that
property damage insurance policies
may have broad cyber exclusions,
thus leaving the insured with no
coverage under any policy.
Key questions to ask: What exclusions
does the policy contain? What are the
exclusions specific to ransomware
attacks? What are the exclusions
for particular types of IT assets you
might own?
Definitions
The customer should be familiar
with key provisions within the
definitions of the policy. First,
we’ll reiterate the importance of
understanding the requirements to
26

Insurance is not intended to protect
against “average” conditions; it is
intended to protect against extreme
conditions. Therefore, the cost-benefit
analysis must examine the value of
insurance at the extremes.
use certain preapproved cybersecurity
contractors in the event of a breach
(the panel requirements).
Next, be aware of provisions on
when the insurance provider must
be notified of claims and how that
relates to your knowledge of when
an insurable event has happened.
For example, if malicious software
infiltrated your network two months
ago but you just find out about it today,
then you can only report it today.
Know how your policy would cover
that situation. If your policy went into
effect last week, would you be covered?
Be aware of definitions around
internal security control standards
that you are required to maintain
as a condition of the policy. Earlier,
we described how the underwriting
process has intensified. Insurance
companies are expecting customers
to have more robust internal security
in place as a prerequisite for the
policy. Unsurprisingly, the insurance
company will also expect the insured
to maintain those standards over
the life of the policy. The definitions
are important for making sure the
customer understands and can meet
the requirements. For example, does
the policy require that the customer
remain current with software
updates? Many local governments
are not in the habit of applying new
patches immediately because of the
risk that a patch breaks important
operational functions of the software—
or because an update might disrupt
the integration of software that needs
to remain compatible. Hence, it would
be important to know what “remain
current with updates” means. Gaps in
maintaining the standards also arise
from renegotiating software contracts,
changes in key personnel, and broken
equipment.
Key questions to ask: Do you
understand important definitions in
your policy, such as requirements
to use specified cybersecurity
contractors when responding to a
breach, notice of claims, and
security standards?
The bottom line from the limits we
just reviewed is that if there is a
cyberattack that your policy addresses,
there is a nontrivial chance that you
might not recover as much from your
insurance policy as you might have
expected if you didn’t understand
the limits. The savvy customer
understands this risk and weighs it
when deciding where and when to
invest in insurance versus controls.
We’ll cover one other potential
pitfall of insurance purchasing that is
primarily a function of the customer’s
psychology and purchasing behavior.
That pitfall is buying a policy that is
overly focused on a narrowly defined
risk. Generally, the more focused a
policy is on a specific risk, the less
beneficial it is for the insured. This
is because the insured is insuring
against a lower probability event (the
narrowly defined risk) rather than the
higher probability event (the broadly
defined risk).
Insurance customers can fall
into this trap due to what is called
“recency bias.” This means that recent
events cause us to overestimate how
likely a similar event is to happen in
the future. A good example is flood
insurance. Right after a flood happens,
more people obtain flood insurance.
Years later, many of those people have
let the coverage lapse, though the
underlying risk of flooding is the same.
In the cyber world, a local government
might experience a certain kind of
cyberattack and then buy a policy to
cover similar types of attacks in the
future. The government would realize
lower premiums by buying a specific
policy. However, the likelihood that
the local government will experience
some kind of cyberattack in the future
is greater than the likelihood that the
government will experience an attack
similar to the one it experienced in
the past. Also, in a rapidly changing
market, a narrow breadth of coverage
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 27

BECOMING CYBER RISK SAVVY
could be dangerous because the nature
of the threats is rapidly evolving. This
means local governments should make
sure that past first-hand experiences
with cyberattacks or stories from peer
governments aren’t being overweighted
in the design and selection of insurance
policies to protect against future and
evolving risks. If the cost of a broader
policy is prohibitive, it might be wise
to consider if the money is better
spent on preventative controls.
Key questions to ask: Are past (and
painful) experiences with cyberattacks
clouding your judgment in preparing
for future risks? Is your cyber insurance
policy too narrow and not providing
adequate coverage for evolving threats?
If a broader policy is cost-prohibitive,
might you be better off investing in
preventative cybersecurity?
The end of Step 3 is to ask: What
prices/offers can you get from
different providers? The market is
rapidly changing. Working with a
good insurance broker is important.
Be sure to compare providers on:
Claims payment history: Do
customers get the coverage they
thought they were buying? As
we saw, limitations can cause
customers to recover less than
they thought they bargained for.
Pre-breach offerings: Can the
insurer offer useful advice for
strengthening your preventative
posture?
Flexibility on vendor utilization:
Does the insurer offer a reasonable
number of options on contractors to
support you in the event of a breach?
Experience in the public sector:
Does the insurer understand the
risks that characterize the public
sector?
Also, as with most if not all forms of
insurance, there may be significant
benefits available from pooling risk
with other local governments, either
as part of self-insurance pools or joint
purchasing of commercial insurance.
For example, the Municipal Excess
Liability (MEL) Joint Insurance
Fund of New Jersey has provided
its members with cyber insurance
coverage since 2013. 23
The quantification of risk we
discussed earlier can be extended to
include commercial insurance policies.
The cost-benefit of the policy could be
weighed based on the retention and
the limit of the policy. An important
nuance, though, is that “on average,”
an insurance policy will be a financial
loser for the insured; otherwise,
insurance companies would go out of
business. However, insurance is not
intended to protect against “average”
conditions; it is intended to protect
against extreme conditions. Therefore,
the cost-benefit analysis must examine
the value of insurance at the extremes.
The GFOA sample ransomware risk
model walks you through how you
could quantitatively analyze the value
of insurance under extreme conditions.
STEP 4
Periodically reassess
Because cybersecurity threats are
constantly evolving, a government’s
posture toward those threats must evolve
as well. A reassessment is critical after a
cybersecurity event but should be done
regularly even if no events have occurred to
give you a better chance of your good fortune
continuing. The Step 4 reassessment can
ask many of the same questions we asked
in Step 1. The objective is to find out if there
are new vulnerabilities perhaps due to:
Evolving methods of attack used by
cybercriminals.
Changed or new technologies,
operations, etc., that increase or change
the attack “surface area” presented by
the local government to cybercriminals.
The reassessment can also look for
opportunities to improve controls as
new technologies and methods become
available. There may be an opportunity
to improve the local government’s
preventative security posture and reduce
reliance on insurance.
Conclusion
Cybercrime is an evolving threat to local
government. Savvy risk management
requires making smart use of strategies to
manage that risk, including reducing risk
by implementing cybersecurity controls,
absorbing risk with self-insurance, and
transferring risk to the insurance market by
purchasing a commercial insurance policy.
Local governments can accomplish this by:
ADDITIONAL CYBERSECURITY RESOURCES
CIS 18 Critical Security controls: cisecurity.org/controls
Cyber Resilience and Financial Organizations: A Capacity-building Tool Box:
carnegieendowment.org/specialprojects/fincyber/guides
FS-ISAC Cybersecurity Resources: fsisac.com/resources
CIS Critical Security Controls: cisecurity.org/controls/v8
1. Knowing the basics of your
cybersecurity situation.
2. Quantifying your risk.
3. Examining the potential for insurance.
4. Periodically reassessing your situation
Shayne Kavanagh is the senior manager of
research for GFOA’s Research and Consulting
Center. Rob Roque is the technology services
manager in GFOA’s Research and Consulting
Center. Teri Takai is the executive director of
the Center for Digital Government.
28

Appendix | Definitions of Key Cybersecurity Controls
1
Coker, J. (2020). Local government organizations most
frequently targeted by ransomware. Info Security Magazine.
The article cites a study by Barracuda Networks. https://www.
infosecurity-magazine.com/news/local-government-targeted
2
2022 SonicWall cyber threat report. SonicWall.
https://www.sonicwall.com/2022-cyber-threat-report
3
Information in this paragraph is based on an article written by:
Dr. Oren Eytan, CEO of Odi-x. Eytan, O. (June 22, 2021) Municipal
cyberattacks: A new threat or persistent risk? Forbes.com.
Information is also from personal correspondence between Dr.
Eytan and the author of this article. https://www.forbes.com/
sites/forbestechcouncil/2021/06/22/municipal-cyberattacksa-new-threat-or-persistent-risk/?sh=673e79ee3ffb
4
Definition from the National Institute of Standards and
Technology (NIST).
5
Duncan, I. (2019). Baltimore estimates cost of ransomware
attack at $18.2 million as government begins to restore email
accounts. The Baltimore Sun. https://www.baltimoresun.
com/maryland/baltimore-city/bs-md-ci-ransomware-email-
20190529-story.html
Deere, S. (2018). Confidential report: Atlanta’s cyber attack could
cost taxpayers $17 million. The Atlanta Journal-Constitution.
https://www.ajc.com/news/confidential-report-atlanta-cyberattack-could-hit-million/GAljmndAF3EQdVWlMcXS0K
6
Information shared with GFOA directly by the City of Stuart.
7
NetDiligence Cyber Claims Study: 2021 Report. (2021).
NetDiligence.
8
Rising insurance costs add to US public finance cyber pressures
(2021). Fitch Wire.
9
Survey conducted by Center for Digital Government (2021).
10
Hubbard, D. W. (2020). The failure of risk management: Why it’s
broken and how to fix it (2nd ed.). Wiley.
11
Budescu, D. V., Broomell, S. & Por, H. (2009). Improving
communication of uncertainty in the reports of the
intergovernmental panel on climate change. Psychological
Science, 20(3): 299–308.
12
Hubbard, D. W. & Seiersen, R. (2016). How to measure anything
in cybersecurity risk. Wiley.
13
The methods we are referring to are Monte Carlo analysis and
computer simulation. Insurance companies will
vary in the specifics of how these methods are applied.
https://www.probabilitymanagement.org
14
The authors would like to acknowledge the assistance of the
attendees of the ProbabilityManagement.org March 2022
conference for their assistance with these answers.
15
This is known as “overplacement bias,” which is a subset
of the well-documented psychological phenomenon of
“overconfidence bias.”
16
Discussion of insurance industry taken from: Hubbard, D. W.
(2009). The failure of risk management: Why it’s broken and
how to fix it. John Wiley and Sons.
17
There is no shortage of research that shows quantitative
models regularly outperform human judgment. In the context
of government finance, see: Kavanagh, S. & Williams, D. (2017).
Informed decision-making through forecasting. Government
Finance Officers Association. This book also discussed relevant
research from other fields.
18
Note that the average figures we cite were compiled by
NetDiligence from observations that provided them with more
complete data, so it is slightly higher than the overall average
across all of their observations. See: NetDiligence Cyber Claims
Study: 2021 Report (2021). NetDiligence.
19
“The State of Ransomware 2021.” A white paper published by
Sophos (April 2021).
20
Definitions of coverages provided by Aon.
21
“Updated advisory on potential sanctions risks for facilitating
ransomware payments.” An advisory letter from the U.S.
Department of the Treasury (September 21, 2021). The letter
was associated with the U.S. Department of the Treasury’s
Office of Foreign Assets Control’s Sanctions Compliance and
Evaluation Division.
22
North Carolina becomes first state to prohibit public entities
from paying ransoms (May 2, 2022). National
Law Review.
23
MEL Cyber Risk Management Program (2nd ed.) (March 8,
2021). https://njmel.org/wp-content/uploads/2021/03/MEL-
Cyber-Risk-Management-Program-v2.pdf
Multifactor Authentication (MFA)—A
multilayered approach to security where a
second step of authentication is required to
complete a transaction. An example of MFA
is entering a username and password to
log into email as a first step. But a second
step of receiving a code to your registered
cell phone is required and entered to
access the email. The user must enter the
code; otherwise, the user cannot access
email even if the user entered the correct
username and password. MFA is used to
prove the user is legitimate.
Incident Response Planning—
Development of a plan based on a risk
portfolio of potential cyber events. Each type
of risk is typically assigned a priority, and
a mitigation strategy is developed for each
incident. Service level agreements may be
applied to outsourced technology services
as part of the incident response plan.
Patching Cadence—An established
frequency for applying patches or fixes to
software and other applicable technologies.
The cadence should be considered from
two perspectives. A vendor may establish
a cadence for normal fixes and bugs. In
these cases, the customer (the second
perspective) takes into consideration the
cadence to apply the fixes. For example, the
vendor may release a patch each month.
The customer may choose to apply the
patches each quarter to ease testing efforts.
The strategy should be defined and included
in a risk mitigation strategy.
Endpoint Detection and Response
(EDR)—A process of monitoring endpoints
of technologies (e.g., devices, nodes) for
suspicious activities and, in most cases,
removing the risk automatically. Antivirus
software can be considered a simple EDR
tool since it is designed to actively monitor
a device and remove issues that fit within
certain risk categories. Advanced EDRs
are constantly learning, analyzing, and
communicating to develop mitigation
strategies to respond to evolving cyber
threats.
Firewall—A combination of devices and
software that separate internal networks
from external networks (i.e., the internet).
Firewalls are configured to guard against
intrusions and other unauthorized network
traffic via device ports and other hardware,
software, or telecommunication means.
Training—Almost all cyber incidents start
at a system’s weakest link—the user.
Users should be trained on how to identify
suspicious emails, conduct good password
practices, use multifactor authentication,
and other general safe computing
practices.
Data Backups—This is the practice
of backing up enterprise data in a
safe means according to a backup
methodology. The approach is typically
based on a risk mitigation strategy that
defines the type of data to be protected,
the frequency of the backups, the physical
requirements to back up the data, and the
disaster recovery response requirements.
Encrypted Storage—Storing data in a
format that cannot be read without a key
and code interpreter. If this data is stolen,
it cannot be read by the criminal and is
useless—unless the criminal has access
to the key and code interpreter. Encrypted
storage is not commonly used since it can
slow down computing resources during
the encryption and reading process. It can
also be expensive to encrypt the data and
store it. Some organizations will select
the type of data that is encrypted to avoid
latency and minimize costs.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 29

30

INTERNAL CONTROLS
A BEGINNER’S GUIDE TO
Internal
Controls
BY JAMES SEAMAN
Proper internal controls keep your organization and its employees safe from fraud and its repercussions.
Often, the key to success is prevention. This article looks at the different types of internal controls and
why they are important—and provides simple but effective tips to establish them.
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
We have all
heard about the
fraud triangle:
rationalization,
opportunity,
and incentives/
pressures. But what we don’t always
do is to consider what that means
in our organizations. In many fraud
cases we read about, basic preventive
controls were found to have been
ignored, or were often completely
missing from the organization. At
the most basic level, these included
access to banking information, cash,
or other assets that an employee didn’t
need access to. Quite often, detective
controls including traditional
supervisory review activities are not
being performed. But these controls
can provide an additional level of
assurance beyond front-end and often
daily transactional controls.
Why controls are so important
Examples abound of what can happen
when proper internal controls aren’t
implemented. In one recent case,
a school district employee gained
access to cash deposits and skimmed
thousands of dollars from the district
before the scheme was finally
identified. At another municipality,
the council was hesitant to spend
American Rescue Plan Act (ARPA)
funds because they were concerned
about millions of dollars that
might have gone missing. In other
organizations, inappropriate credit
card activity and checks written to
ghost companies went undetected for
months before coming to light.
In many of these situations, a
simple supervisory review would
catch these schemes. However, one
key control for all organizations—
particularly smaller offices, where
segregation of duties can be a
challenge—is the completion and
review of bank reconciliations.
This is a fundamental step, but it
obviously isn’t being performed
as well as it should be. Of further
concern, many bank reconciliations
are superficial in nature and aren’t
performed to the degree required to
achieve effective cash control. It’s
been proven that timely completion
of bank reconciliations can help
mitigate instances of fraud or detect
it more quickly.
Segregation of duties is a key
internal control that should be
implemented wherever possible.
For example, once accounts payable
cuts a check, someone other than
accounts payable should mail it.
Bank deposits should be made by
someone other than the person who
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 31

INTERNAL CONTROLS
In many fraud cases
we read about, basic
preventive controls
were found to have been
ignored, or were often
completely missing
from the organization.
records the deposits. The person who
deposits funds or writes checks should
not be the person who completes the
bank reconciliation or posts to the
general ledger. Segregation of duties
holds individuals accountable. Bank
reconciliations should be completed
in a timely manner, and any
differences should be investigated
and resolved right away.
Another example of fraud occurred
because the business manager
had total control over the checking
account. The business manager’s
supervisors relied on the business
manager and trusted his work. There
was no supervisory review. It was not
until the business manager resigned
and a new manager was hired that
the fraud was discovered. The bank
had implemented a new process of
including check numbers on the bank
statements, so the new business
manager wondered why there were
two checks issued with the same
check number. The investigation
revealed that the previous business
manager had obtained two check
books—one for the business, and one
he used to supplement his lifestyle.
An additional best practice
is to periodically review your
organization’s vendor listing. Any
vendor that has been added to the
list, or a vendor that isn’t on the
government’s approved list, is a red
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
32

flag. Vendors should be reviewed and
approved before any payments are
made to them.
To share another story, a trusted
business manager was able to
set up her husband as a fictitious
consultant, whom she paid a monthly
fee. This went on for some time until
a whistleblower complained, and an
investigation uncovered the scheme.
Governments need proper system
access controls. Be sure that only
individuals who are granted access are
those who require it to do their jobs.
This includes access to bank accounts,
the general ledger, inventory, payroll,
and other such assets. Proper access
controls protect the individual as well
as the organization. If an individual
does not have access, then they won’t
be suspected if an issue arises.
4 simple tips
to effective internal controls
1 Make sure management sets the tone with sound ethical practices
2 Establish communication, transparency and openness about public
funds from the top down
3 Engage in cross-functional dialogue about the organization's strategic,
operational, financial, compliance and reputational risks
4 Conduct a supervisory review on the accounts payable disbursements,
deposit register and bank reconciliations
Tips to protect your organization
So, what can we do to help mitigate the
risk of fraud? Here are a few tips.
First and foremost, make sure
that management sets the tone
at the top and implements sound
ethical practices. Management
must communicate that controls
are important, and they must hold
all employees accountable for
their actions. Management must
be transparent and communicate
frequently. Management must also act
as an example for others to follow.
Management controls are also
key internal controls. These include
communication and transparency—
because, to reiterate, transparency,
communication, and openness
about public funds act as a control.
The acts of management will trickle
down to staff, and when management
overrides internal controls, the
possibility of fraud increases. Sound,
ethical procedures from management
are a critical success factor to sound
internal controls overall.
Evaluate the risk and control
culture and engage in cross-functional
dialogue about the strategic,
operational, financial, compliance,
and reputational risks that exist
within the organization. Identify highpriority
risk exposures that should be
highlighted for focused management
attention and action. Develop policies
and implement internal controls that
help mitigate the risk of fraud.
A supervisory review should be
completed on the accounts payable
disbursements, deposit register, and
bank reconciliations. All journal entries
should be reviewed and approved by
management. Your external auditors
may require you to sign off on all these
reviews.
These are just a few examples of the
many internal controls that can be
implemented, quite a few of which are
unobtrusive and can be baked into the
process. If you have only a few staff
members, compensating controls can
be implemented. Employees can cross
check each other’s work, and supervisory
reviews should always be completed.
If you have a weakness and no control,
you have a problem. However, if you
have a control and no weakness, you also
have a problem—an efficiency problem.
We do not want to implement controls
for the sake of implementing controls;
this is not a “feel safe” process. Too many
controls will hinder the process and cut
down on efficiency. Controls need to
be focused for a specific process, and
reviewed, and then tested periodically.
When a process changes, it is a good
practice to review the controls in place
to ensure that they are still necessary
and effective.
Conclusion
The controls discussed in this article
are just a few examples of where
simple internal controls could save an
organization from loss of funds and the
reputational cloud that is associated
with fraud once it is publicized. Check
out the best practices of Sarbanes
Oxley and Internal Controls over
Financial Reporting for a more
comprehensive listing. Sarbanes
Oxley isn’t required for government
entities, but it is considered good
guidance and can be adapted to fit
your municipality, regardless of size.
There are also many organizations
that can help in determining what
controls are best for your organization.
Check with your external auditors if
you are not sure where to turn.
Jim Seaman is the director of finance/
assistant borough manager for
Media Borough in Delaware County,
Pennsylvania.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 33

34

RETHINKING REVENUE | SEGMENTED PRICING
Segmented Pricing for
Fines and Fees
Increasing Revenues and Fairness at the Same Time
BY JEAN-PIERRE DUBÉ, BRYAN GLENN AND SHAYNE KAVANAGH
©2022 DAN PAGE COLLECTION C/O THEISPOT.COM
Cities and counties across
the U.S. increasingly
rely on fines and fees to
balance their budgets.
For example, an indepth
study of the 39
largest cities in the U.S. showed that
charges grew so much from 2003 to
2018 as to equal tax revenue for half
the cities. 1 However, fines and fees
disproportionally fall on low-income
residents who often are strained to
pay. 2 This has many ill effects: from
causing harm to the most vulnerable
communities that government serves
to reducing the revenues raised by
local government.
For these reasons, local governments
must become savvier about how they
manage fines and fees. A good start
would be to define fines and fees and
the purpose they serve. A user fee
attaches a price to a public service.
This raises revenue by allocating
part of the cost of the service to the
person who receives the service. User
fees also limit demand for a service. A
fine is meant to punish transgressors
of regulations and deter potential
transgressors. The contention of
this article is that a pricing strategy
called “segmented pricing” can serve
these purposes while reducing the
hardships that fines and fees can place
on low-income citizens. The essence
of segmented pricing is to charge the
citizen the price they can afford—no
more, no less.
Most fee and fine structures are flat,
with little or no differentiation in the
price for people of different abilities to
pay. Citizens pay fines and fees from
their discretionary income, which is
the income remaining after essentials
are paid for, like housing and food.
Customer segmentation recognizes that
different people have different abilities
to pay, and people are, therefore, treated
differently based on their ability to pay.
Segmentation is common in the private
sector. Any time a sales representative
is authorized to provide a discount to
convince you to buy, the company
is engaging in segmented pricing.
Insurance companies segment by the
risk posed by the insured. Airlines
provide seating options at different
price points. Universities segment by
offering scholarships to low-income
students.
Local governments commonly
engage in segmentation too, perhaps
without realizing it. The best example
can be found in the most important
local tax: the property tax. Senior
citizen tax exemptions assume that
seniors are on a fixed income and
have less ability to pay the tax, so
the exemption reduces the tax owed.
This is not so different from senior
citizen discounts provided by private
firms. In the public and private
sector, segmentation of seniors
makes it more likely that seniors
will pay because the price does not
exceed their willingness or ability to
pay. A more widespread example is
segmentation by wealth. Property tax
The Rethinking Revenue initiative is a joint project of many organizations that have an enduring interest in creating thriving local communities
and making sure that those communities are served by capable and ethical local governments. Rethinking Revenue is about providing local
governments with the ability to raise enough revenues for the services their communities need—and to raise those revenues fairly and in a way
that is consistent with community values.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 35

RETHINKING REVENUE | SEGMENTED PRICING
rates mean that taxpayers are charged
according to property wealth—a proxy
for their ability to pay. Income taxes also
segment by the ability to pay, and the
segmentation is even more obvious.
Segmentation can be applied to fines
and fees. But, before we go further, it is
important to address a question that
some readers may have: If fines or fees
are lowered for some people, might
that encourage overconsumption of
services or even scofflaws? This is a
valid concern. For example, one study of
day care services showed that charging
parents a small fine for picking up
their children late came to be seen by
parents as a fee they could pay for the
privilege of picking up their children
later. 3 In another example, anyone
who lives in a big city has heard stories
of well-off people who park their cars
when and where they please and regard
parking tickets as a cost worth paying.
These examples show that fines can
be ineffective deterrents if set too low.
However, the approach we advocate
for in this article is not to undercharge
anyone but rather to find the right
charge for everyone—a charge that fits
people’s financial circumstances more
precisely so that they will be able to pay
the charge and the charge still fulfills its
function for limiting demand or creating
deterrence. Even in the case of a user
fee that is intended to generate revenue,
we will show that a segmented pricing
strategy has the potential to increase
total revenue, even if applied only to
low-income individuals.
In addition to creating financial
benefits for governments, segmented
pricing can support more ethical
government. The ethics of public
service commits public officials to treat
people fairly and produce good results
for the community. 4 For example, the
typical one-size-fits-all structure of
fines means that low-income people
pay proportionately more. That
means the punishment is greater for
low-income people. This is not fair. 5
Furthermore, excessive fines and fees
can further imperil the financial health
of vulnerable citizens. For example,
most low-income people don’t have
In addition to creating
financial benefits
for governments,
segmented pricing
can support more
ethical government.
much, if any, discretionary income. 6
A financial shock, in the form of an
excessive fine, makes it harder for
these people to afford essentials. This
might cause them to accumulate debt
with the local government. Aggressive
collection practices could worsen the
situation. 7 For example, suspending
a driver’s license makes it harder to
get a job, or a collection agency might
damage a person’s credit score. These
situations can lead to a poverty trap. 8
Further, people struggling to pay
their other bills tend to become less
compliant with other regulations, like
laws, building safety, etc. 9 None of this
is a good result for the community.
EXHIBIT 1 | DEMAND CURVE
Price
Customer segmentation:
the key to a better approach
In economics, a person’s willingness/
ability to pay is represented by a
demand curve, which we depict in
Exhibit 1. It shows that different
quantities of any good or service will
be purchased at different prices. Local
governments typically set a single,
one-size-fits-all price for everyone
(e.g., a water rate, a set fine for a given
infraction). At the given price, a given
quantity will be purchased. 10 This is
where the two dotted red lines intersect
the blue demand curve in Exhibit 1.
A greater quantity will be purchased
as the price decreases. However, it
could be financially unsound for local
government to simply lower its onesize-fits-all
price because the new price
multiplied by the new quantity might be
less than the old price multiplied by the
old quantity.
This is where segmentation comes
in. Every person’s willingness/ability
to pay can be understood to fall along
some point on the demand curve.
To illustrate, the “X” on Exhibit 1
represents a hypothetical willingness/
One-size-fits-all
price set by local
government
Quantity
Demand from a
low-income person
As the price goes
down, more
people will pay
36

©2022 MICHAEL AUSTIN C/O THEISPOT.COM
ability to pay for a low-income person.
Because the set price is above their
willingness/ability to pay, they will
likely not pay, either because they
don’t have the money or because
they are likely to spend the money
on other things (e.g., food, housing,
etc.). Hence, the local government can
realize greater revenue by charging
our hypothetical low-income person
the price that person is willing/able
to pay. The math is simple. If the
government maintains the price
for the low-income person at 100%
of its one-size-fits-all price, then
the government will get $0. One
hundred percent of zero is still zero.
If the government adjusts the price
to 80% or 70% of the one-size-fits-all
price or whatever meets the demand
of the low-income person, then the
government will get 100% of that
amount—an amount greater than
zero. This also speaks to why it would
not be financially savvy to reduce
the one-size-fits-all price. Everyone
who was willing/able to pay at a price
above the new, lower, one-size-fitsall
price is now being undercharged
(and perhaps undeterred from
undesirable behavior or encouraged
to overuse public services). It is
important that people who are not
financially challenged continue to
pay the original rate to avoid revenue
cannibalization with a lower price.
Exhibit 2 elaborates on Exhibit 1
by making the general demand curve
directly applicable to fines. Point
“F1” is the standard fine amount.
The green shaded area is the revenue
raised from price multiplied by
quantity at F1. The purple shaded
area is revenue not collected when the
price is set at F1. Segmented pricing
would offer lower, but different,
prices to different people in order to
collect the amounts represented by
the purple area. F2 represents one
such hypothetical price, and FN is
the lowest price that would need to be
offered to anyone. Recall that FN is
not the price that would be offered to
everyone unable to pay F1. It would
just be offered to people who were
EXHIBIT 2 | DEMAND CURVE FOR FINES AND SEGMENTED PRICING
Keep
charging
these
people F 1
Incremental
Fine Revenues
from Targeting
Fine
($)
Fine
Revenues
Payment
Rate
Total Delinquent Payments
Delinquency
Rate
PRICING AT BOTH ENDS OF THE INCOME SCALE?
100%
In this paper, we will only consider the potential effects on low-income
individuals. However, segmentation can be applied to the other end of
the income scale. For example, some countries, like Switzerland, have
begun to charge fines based on income, resulting in higher fines for
higher-income people. 11
F 1
F 2
F N
Based
on income
& SES
Share of
Payers (%)
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 37

RETHINKING REVENUE | SEGMENTED PRICING
COULD SEGMENTATION BE
APPLIED TO TAXES?
As discussed, local
governments already apply
segmentation to the property
tax. It might also be possible
to segment other types of
taxes, but we are focusing on
fines and fees. Fines and fees
have become more important
in recent years and are ripe
for savvier pricing strategies.
Debt from unpaid fines and
fees can be harmful to
low-income individuals.
Also, in the case of fines, the
financial shock of a fine can
be particularly damaging to
low-income individuals.
unable to afford any other price (like F2,
for example). Thus, more total revenue
would be generated because compliance
with the charge would improve at the
lower price points.
It is worth noting that Exhibit 2 does
not contemplate charging anyone a
price higher than F1. This leaves the
white area under the demand curve
as unrealized revenue. Theoretically,
people with greater ability to pay could
be charged an amount higher than F1 to
capture the white area as well. However,
in this article, we will focus on the lower
end of the demand curve because we
believe this is a more pressing concern
for most local governments.
The potential available from savvier
pricing is a conclusion reached not
just by our hypothetical demand
curves. The White House Council
of Economic Advisors determined
that the low compliance from lowerincome
groups can sometimes cause
cities to lose more revenue than
they would otherwise collect due to
the high direct costs of collecting
debt and the low rate of collection. 12
Direct costs of administering
delinquent payment collections can
be substantial, including staffing
collectors, locating offenders, and
administrating collections. The
persistent low collection rates
among local governments have led to
reliance on third-party debt collection
agencies. However, these agencies
might use harsh methods that might
not represent the government well to
its citizens (thus, reducing trust) and
harm citizens’ ability to thrive (by
harming credit scores).
Exhibits 1 and 2 also address the
ethical and compliance concerns we
raised in the introduction. With respect
to ethics, because the price does not
exceed the willingness/ability to pay,
it is fair and will not drive the lowincome
person further into poverty.
Also, because the price is not less than
the low-income person’s willingness/
ability to pay, the price would still be
an effective deterrent or limit on that
person’s demand.
Advantages of
Segmented Pricing
One-size-fits-all pricing will
predictably generate unpaid
accounts because the price
will exceed many people’s
willingness/ability to pay.
More aggressive collection
of unpaid accounts has
disadvantages. It can further
imperil the financial health
of vulnerable citizens. It also
requires the government to incur
collection costs. In extreme
cases, these costs might even
exceed the revenues collected. 13
Local governments can realize
more revenue and have more
ethical outcomes with segmented
pricing. Segmented pricing does
not let low-income people “off the
hook” for fines or fees. They are
still paying an amount that
causes them a proportional
burden to the average citizen.
©2022 DAN PAGE COLLECTION C/O THEISPOT.COM
38

Charging people
what they can afford—
no more, no less
Segmented pricing for fines and
fees is not a wholly unprecedented
approach for local governments.
In this section, we will review
practices related to segmented
pricing (payment plans and amnesty
periods) that local governments
commonly use. We’ll also discuss
the National League of Cities “LIFT-
UP” program—a framework used by a
small number of local governments
that is related to segmented pricing.
This will help ground us in: what local
government has done before; how
segmented pricing builds on what
local governments already know; and
where segmented pricing introduces
something new and different. We will
then go into how a government might
pursue a segmented pricing system.
Two local government practices
related to segmented pricing are
payment plans and amnesty periods.
Some governments offer payment
plans or other accommodations for
people who experience financial
difficulty. This approach is limited,
and citizens often fall behind in their
payments before assistance becomes
available. Segmented pricing aims to
prevent citizens from falling behind
in the first place. Payment plans and
similar mechanisms often rely on staff
discretion to administer them (e.g.,
determine the length of the plan, size of
payments). This limits how widely the
approach can be scaled. Even the most
well-meaning staff will likely produce
inconsistency in how discretion is
applied across citizens in similar
circumstances. To illustrate, research
demonstrates that even judges show
remarkable inconsistency in how they
apply the law, 14 so it is reasonable to
expect that payment discounts based
on staff discretion are likely to be
applied inconsistently. Segmented
pricing aims to create a systematic
approach that can be widely and
consistently applied.
Amnesty programs are where
late fees or penalties are waived for
a certain period with the hope that
people with outstanding debts will
take advantage of the waiver to pay off
the charges they originally incurred.
Though avoiding the problems of
inconsistent treatment of citizens
previously described, amnesty
programs still only do good after
citizens have gotten into financial
difficulty. Also, “best practices” for
HOW IMPORTANT IS THE STICK RELATIVE TO THE CARROT?
Not as important as we might think. In 2015, the San Francisco
Superior Court stopped suspending people’s driver’s licenses
when they could not pay their traffic tickets. Did this inhibit the
court’s ability to collect the debt? An analysis conducted by the
San Francisco Treasurer’s office showed no negative impact on
revenue collection. In fact, collections on delinquent debt per
filing have increased since eliminating the penalty. And across
California, on-time collections went up in the year following the
end of driver’s license suspensions statewide. The increase
in collections, without the use of driver’s license suspensions,
suggests that suspending driver’s licenses was not necessary to
ensure on-time payments.
amnesty programs call for offering
amnesties infrequently so that
people don’t deliberately incur debt
in anticipation of a later amnesty.
Similarly, untargeted debt reduction
plans may lead to some people only
paying their bills when there is a shutoff
notice or termination of services.
Segmented pricing is meant to be a
permanent, not intermittent, solution
to unaffordable fines and fees.
Let’s move on to a program that
gets closer to segmented pricing: the
Local Interventions for Financial
Empowerment through Utility
Payments (LIFT-UP) program,
developed by the National League of
Cities (NLC). 15 LIFT-UP has five core
components:
Identify and refer. Utility data is
used to identify customers who
are struggling financially and
contact them for intervention.
Examples of data used include a
history of service terminations,
high delinquent balances, or
prior receipt of assistance with
delinquent balances. Segmented
pricing works best when informed
by data about the customer’s
ability to pay.
Restructured utility debt. Longterm
and more lenient repayment
arrangements are made available.
Individualized financial counseling.
This includes a personal budget
review, a plan to address financial
needs, and referrals to appropriate
support services.
Financial incentives. Customers
are given incentives to complete
tasks, like attending a financial
counseling session or consistently
making payments on time. This is
somewhat like moving the price
point on the demand curve closer
to the customer’s ability to pay, like
segmented pricing.
Ongoing participant contact.
Participants are reminded to
maintain their commitment to the
program through various mediums
(text messages, phone calls, etc.).
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 39

RETHINKING REVENUE | SEGMENTED PRICING
In 2016, NLC evaluated the
implementation of LIFT-UP in five
cities, ranging in size from 465,000
residential accounts (Houston)
to 281,052 residential accounts
(Newark). The evaluation found
“evidence of a positive impact of
LIFT-UP on the outcomes that are
most relevant to the city and customer
behaviors within that city” for three
of the four cities examined. 16 For
example, in two cities, the relevant
metric was whether customers
avoided water shutoffs. In St.
Petersburg, LIFT-UP participants were
about 50% less likely to experience
a shutoff after enrolling, though in
Savannah, there was no significant
improvement. In two other cities,
reducing outstanding balances was
the most relevant. 17 In Houston and
FEES AND FINANCIAL
FOUNDATIONS FOR THRIVING
COMMUNITIES
GFOA has published the paper
“Financial Policies for Imposed
Fees, Fines, and Asset Forfeitures,”
which shows how you can create a
policy for these revenue sources.
The paper provides the rationale
for a policy and the elements of
such a policy. It complements the
information provided in this paper
by helping to define when fines and
fees are appropriate, acceptable
collection practices, and limitations
on how revenues should be used.
Find the report at gfoa.org/
materials/fees-fines-forfeitures.
Newark, outstanding balances were
reduced by about 25%. The evaluation
also examined the cost-effectiveness
of the program for a single city (St.
Petersburg) and found that the program
was highly cost-effective for that city.
We’ve seen that a program like LIFT-
UP has potential, but could segmented
pricing offer further opportunities?
Segmented pricing is a preventative
strategy, where the goal is to
avoid delinquency and encourage
payment from the beginning. Thus,
we might think of segmented pricing
like credit scoring. Credit scoring
uses data about the borrower to
prevent the lender from making a
loan that the borrower is unlikely
to repay. Segmented pricing is used
to avoid charging customers a price
they are unable to pay.
Under segmented pricing, 100% of
eligible people could participate
automatically. It can be a formidable
challenge and cost to recruit people
into special programs for delinquent
accounts. Segmented pricing can
use data to determine who is eligible,
and they automatically get a price
that is better aligned with their
ability to pay. Automatic or default
enrollment has proven a powerful
tool for achieving public policy
goals in many applications, not
just pricing. 18
Segmented pricing provides a direct
reduction in the rate charged to
financially struggling customers.
Thus, the price of the basic water
charge is brought down to a level
of what the customer can afford.
Without a rate reduction, there might
be continuing struggles to avoid
shutoffs, reduce balances, etc.
The successes of LIFT-UP show that
the concepts underlying segmented
pricing have potential, like using data
to determine who participates and
giving people financial incentives.
We saw that a true segmented pricing
system may present new opportunities
for local governments to better serve
low-income individuals.
What are the next steps
to bringing a segmented
pricing system to local
government?
First, the local government must reach
an agreement among its decisionmakers
to pursue segmented pricing
and/or payment plan restructuring.
Some or all of the following could be
important for reaching an agreement:
Understanding the seeming
paradox at the heart of segmented
pricing: Lowering the price for
some customers could result in
higher total revenues and greater
compliance with regulations.
Recognition that local government
can and should help low-income
citizens thrive by easing the burden
imposed by fines and fees (while
also recognizing that segmented
pricing still results in low-income
citizens “paying their fair share”).
A related point to recognize is that
most low-income citizens want
to pay their fair share to support
public services* but simply may
not have enough money to pay the
standard one-size-fits-all price and
also pay for other important things
in their life.
A willingness to try new ideas and
experiment. Though segmented
pricing is in use in the private
sector, it is still an advanced
pricing strategy and one that has
not been widely used by local
governments for most revenue
sources. This means that it will
probably be necessary to work
with outside experts on segmented
pricing to get the best results.
*For example, according to Vanessa Williamson of Brookings in her book “Read My Lips: Why Americans are Proud to Pay Taxes,” surveys have consistently found that “over 90 percent of
Americans agree with the statement, ‘It is every American’s civic duty to pay their fair share of taxes.’”
40

After an internal agreement has
been reached to try segmented
pricing, pick a revenue stream to
start with. The best candidates will
be large collection streams, where
there is considerable uncollected
debt and where low-income people
are especially burdened by the
charge. This might be a revenue
stream where the local government
is losing money on collections, on
net. Revenues that often meet these
criteria are utility bills, parking
citations, and court fines.
Next, determine the data that
can be used to identify eligibility
for segmented pricing. The goal is to
identify eligibility automatically,
without any input required by
citizens. Also, it is best to use
publicly available data so that the
government does not have to collect
additional personal information
about its ratepayers, which could
create new cybersecurity risks.
Examples of data that could be used
for segmented pricing include:
The person’s existing debt with
the local government.
The median income of the
neighborhood in which they live.
Their participation in other
government assistance
programs, like WIC, Medicaid,
or unemployment.
Using this data, a “pricing experiment”
is conducted. The accounts are
divided into segments using data
like that shown above. Then people
within those segments are offered
a discount (10%, 30%, 50% off, etc.).
Different people are offered different
discounts (e.g., one might be offered
10% and another 15%). You can then
count how often a given discount led
to a payment. For a given segment,
let’s imagine that 0% of customers paid
with a 10% discount, 75% of customers
paid with a 15% discount, and 80% of
customers paid with a 25% discount.
We might then conclude that a 15%
discount is the right amount. Ten
percent made no difference at all, and
the difference in uptake between 15%
and 25% might not be large enough
to justify the additional discount.
Artificial intelligence and machine
learning techniques can be used to run
the experiment on a large scale and
use the results to develop an algorithm
that categorizes individual customers
into segments accurately and
consistently. It should be noted that an
algorithm that uses publicly available
data for large groups of people will
not perfectly segment all individual
ratepayers into “just right” prices.
Some people might be undercharged
compared to their true willingness/
ability to pay, while others might be
overcharged. Still, the price should be
closer to the true willingness/ability
to pay of most people and generate the
benefits of segmented pricing that we
have described in this article.
After the results of the experiment
are in, prices can be adjusted
accordingly for people in each segment.
As with the LIFT-UP program, you
will need to determine how to handle
existing debt. A new, lower price going
forward may not do much to resolve
a large accumulated debt. A payment
plan that restructures or amortizes
the debt over a series of affordable
monthly payments (that includes
current charges) could be a solution
to this problem. Similar to the logic
of segmented pricing more generally,
the longer time period it would take to
recoup the debt (and the associated
costs of capital) may be preferable
to not collecting the debt at all.
©2022 JAMES FRYER C/O THEISPOT.COM
SEGMENTED PRICING IS NOT
A SILVER BULLET SOLUTION
Segmented pricing will not
solve every problem related
to fines, fees, and low-income
individuals. For example, it will
not do much to resolve existing
debts. Some people may face
greater financial hardships than
the information available to a
local government might suggest.
Hence, there will still be a need
for payment plans or other ways
to address accumulated debt.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 41

RETHINKING REVENUE | SEGMENTED PRICING
Where to next?
Readers who want to put the ideas in
this article into practice have options
for what to do next.
First, you can visit the NLC to learn
more about municipal financial
empowerment strategies,
like LIFT-UP, to increase the financial
stability of low-income families.
These strategies link vulnerable
households to financial services and
public benefits, and they provide
them with tools to build assets and
manage money more effectively. The
NLC provides a guide to LIFT-UP as
a strategy to reduce utility debt and
resident financial insecurity. The
LIFT-UP program includes many
of the basic concepts of segmented
pricing, and there have been several
successful applications of LIFT-UP.
Second, the Government Finance
Officers Association (GFOA), NLC, and
the University of Chicago are working
on feasibility studies for segmented
pricing relating to different revenue
streams. We will publish the results,
and if you have an interest in getting
involved, email research@gfoa.org.
Characteristics of organizations
that would be a good fit for a feasibility
study include: 19
Possess a large revenue stream
with significant problems with
delinquency/nonpayment.
At least 5,000 active accounts for
the fine/fee that will be segmented.
A willingness to waive or at least
restructure debts. This is part of
moving the price on the demand
curve to a point where people are
able to pay. Of course, you must also
be willing to offer different price
reductions to people.
An ability to pass historical account
data via an API or a downloaded
CSV file; and an ability to add a
hyperlink to your current website or
configure your DNS (Domain Name
Server) management.
Conclusion
Price is inextricably linked to
affordability. And affordability
fluctuates by the socioeconomic status
of the customer. Local governments
may have an important opportunity to:
Raise more revenue through
some fines and fees while at
the same time…
Administering those fees more
ethically…
All while not compromising
the ability of the fine/fee to
deter unwanted behaviors or
limit demand.
This opportunity is segmented pricing.
Segmented pricing accomplishes all
of this by finding the price point that
is closest to people’s true willingness/
ability to pay. When offered this price,
more people will agree to pay, bringing
more revenue to the government,
reducing the need for costly (and
possibly harsh) collection practices, and
reducing the risk that local government
fines and fees will exacerbate an atrisk
individual’s precarious financial
position into crisis.
Jean-Pierre Dubé is the James M. Kilts
Distinguished Service Professor of
Marketing, University of Chicago, Booth
School of Business, Director of Kilts
Center for Marketing. Bryan Glenn is
the chief executive officer of SERVUS.
Shayne Kavanagh is the senior manager
of research for GFOA’s Research and
Consulting Center.
1
Ahern, Kenneth R. (May 2021). The business of city hall.
Working Paper 28805. National Bureau of Economic
Research.
2
Financial health can be ascertained by signs of increased
vulnerability, poverty indicators, or delinquent bills.
Brockland, Beth; Garon, Thea; Dunn, Andrew; Wilson,
Eric; Celik, Necati (2019). Financial Health Network:
U.S. Financial Health Pulse. 2019 Trends Report.
https://s3.amazonaws.com/cfsi-innovation-files-2018/
wp-content/uploads/2019/11/13204428/US-Financial-
Health-Pulse-2019.pdf
3
Gneezy, Uri; Rustichini, Aldo (January 2000). A fine is a
price. Journal of Legal Studies, 29(1). SSRN: https://ssrn.
com/abstract=180117
4
See the GFOA Code of Ethics at https://www.gfoa.org/
ethics.
5
The principle of fairness at work here is called
“proportionality.” Psychological research shows
it to be one of the most important ways that people
judge fairness. See: Harward, Brian; Taylor, Alison;
Kavanagh, Shayne (August 2021). What’s fair?
Equity, equality, and fairness. Government Finance
Officers Association. https://www.gfoa.org/materials/
whats-fair-3
6
The Pew Charitable Trusts (March 30, 2016).
Household expenditures and income. https://www.
pewtrusts.org/en/research-and-analysis/issuebriefs/2016/03/household-expenditures-and-income
7
Cite NLC’s CAFFE project Why Cities Should Find
Equitable Ways to Impose and Collect Fines and
Fees—CitiesSpeak, Helping Cities Find Equitable Ways
to Assess and Reform Fines and Fees, How Cities are
Transforming Fines and Fees to Advance Equity and
Financial Security – National League of Cities
8
Mello, Steven (November 14, 2018). Speed trap or
poverty trap? Fines, fees, and financial wellbeing.
https://mello.github.io/files/jmp.pdf; Kessler, Ryan
E. (May 1, 2020). Do fines cause financial distress?
Evidence from Chicago. SSRN: https://ssrn.com/
abstract=3592985 or http://dx.doi.org/10.2139/
ssrn.3592985
9
Chambers, Dustin; Thomas, Diana; McLaughlin, Patrick
A.; Waldron, Kathryn (January 2019). The effect of
regulation on low-income households. https://www.
mercatus.org/system/files/mclaughlin_thomas_
chambers_and_waldron_-_policy_brief_-_the_
regressive_effects_of_regulation_a_primer_-_v1.pdf
10
Though it may be unconventional to think of a fine as
a “purchase,” when an individual pays a fine, they are
essentially purchasing a form of forgiveness for their
transgression.
11
BBC (August 12, 2010). Swede faces world-record $1m
speeding penalty. https://www.bbc.com/news/worldeurope-10960230
12
Council of Economic Advisors (December 2015). Fines,
fees, and bail: Payments in the criminal justice system
that disproportionately impact the poor. Executive
Office of the President of the United States, Council
of Economic Advisors. Washington, D.C. https://
obamawhitehouse.archives.gov/sites/default/files/
page/files/1215_cea_fine_fee_bail_issue_brief.pdf
13
CEA. loc. cit.
14
Kahneman, Daniel; Sibony, Olivier; Sunstein,
Cass R. (May 18, 2021). Noise: A flaw in human
judgment. Daniel Kahneman, et al reviews a large
body of research demonstrating the considerable
inconsistency in judgments made in the court system.
It is unlikely that payment plans would be much
different. Publisher: Random House Audio. Narrator:
Jonathan Todd Ross.
15
Collins, J. Michael; Moulton, Stephanie (May 2016).
Implementation and impact evaluation of local
interventions for financial empowerment through
utility payments (LIFT-UP). University of Wisconsin-
Madison Center for Financial Security.
https://cfs.wisc.edu/2016/09/08/study-showsnational-league-of-cities-lift-up-program-helps-citiesrecoup-lost-revenue-families-build-financial-security/
16
The fifth city could not provide the necessary data
due to a utility billing system conversion.
17
Cities with more aggressive shutoff policies did
not have customers with larger balances but did
experience a cycle wherein customers would not pay
until shutoff, pay to have the water turned on, and
then not pay again until the next shutoff. Clearly, not
an ideal situation.
18
Halpern, David; Sanders, Michael (2016). Nudging
by government: Progress, impact and lessons
learned. Behavioral Science & Policy, 2(2): 53–65.
https://behavioralpolicy.org/wp-content/
uploads/2017/06/Sanders-web.pdf
19
In addition, reaching agreement among relevant
decision-makers that segmented pricing and
new payment plan guidance is something worth
implementing.
42

2022 COACHING PROGRAM
THRIVE IN LOCAL GOVERNMENT
UPCOMING FREE WEBINARS – Register at icma.org/coachingwebinars
WEDNESDAY, OCTOBER 20
Alternatives to Silos – Leadership at
Every Level
THURSDAY, NOVEMBER 17
Everyone Has Personal Challenges:
How to Balance Personal Requirements
and Organizational Demands
All Webinars start at 1:30pm Eastern time.
Can’t make it to the live webinar? Register and get an automatic email notice when the
recording is available. icma.org/coachingwebinars
SAVE TIME! SIGN UP FOR BOTH 2022 WEBINARS AT ONCE!
bit.ly/3r5k4nm
Additional free coaching resources at ICMA’s Career Center
(icma.org/careers):
• Digital archives
• Career Compass monthly advice column
• CoachConnect for one-to-one coach matching
• Live speed coaching events, talent development resources, and more.
Join our list for coaching program updates and more: email coaching@icma.org.
Learn more at icma.org/coaching

When Growth
Fuels Change
The Finance Department initiates transformation
in the Town of Nolensville, Tennessee
BY CHRISTINA MERLE AND CAREY SMITH
44

WHEN GROWTH FUELS CHANGE
©2022 JAMES STEINBERG C/O THEISPOT.COM
The Finance Department
for the Town of Nolensville,
Tennessee, was under
significant public scrutiny
for not providing sufficient
information to residents.
To address this concern,
the department committed
to implementing new
financial practices that
provided transparency and
accountability, along with a
focus on overall excellence.
MAKING CHANGES
The town’s finance team, which started
out as part of a combined finance
and human resources department,
recognized the limitations of this
organizational structure, in which
the staff was continuously juggling
too many priorities with too few staff
members—with only two employees
to manage all the functions of both
disciplines. This structure also limited
the segregation of duties and the need
and ability to satisfy internal control
procedures. It was clear that the town
was experiencing significant growth
and the finance department needed to
implement long-term changes to keep up
with ever-expanding service demands.
As a result, the finance and human
resources functions were separated into
distinct municipal departments.
The new organizational structure
for the Finance Department put in
place in FY2021 included the hiring
of a finance director and finance
assistant, initially a part-time position
that would later evolve into a full-time
position supporting departmental
functions, while also providing
necessary segregation of duties. The
following fiscal year, the town created
a human resources department that
included the hiring of a full-time
human resources director to manage
personnel matters.
The new organizational structure
has proven more responsive and
sustainable for the town’s continued
growth and ongoing needs, and
citizens have provided support and
positive feedback. For example,
when the town's first budget book
was produced, one resident wrote:
“Breaking news! I have never been
more proud of my government than I
am right now. I got involved in town
government because of financial
transparency issues I saw when I first
moved here. … Municipal government
starts and ends with budgets. We
barely notice it when we argue about
density and visions, but it’s by far
the most important process. And we
finally have a strong foundation.”
Recognizing the need for human
resource functions to keep up with the
employee growth in the organization,
a standalone human resources
department was created. Public
safety is the town’s biggest focus
area for recruiting and retaining, so
it’s important to have a competitive
benefits package to keep up with
neighboring municipalities. HR
undertook several initiatives to
improve employee recruitment and
retention, including hiring a benefits
broker to change the town’s healthcare
plans and providers to improve the
level of service and coverage for
employees. The town was now able
to offer full family coverage and to
provide contributions toward health
savings accounts, while also saving
almost $90,000 a year in premium
expenses. A consultant also reviewed
compensation, allowing the town to
adopt a new pay scale in FY 2023 that
will keep Nolensville aligned with
market rates.
Located in Williamson County, Tennessee, the Town of Nolensville
is approximately 22 miles southeast of Nashville. According to the
United States Census Bureau, the town has a total area of 10.44
square miles, all land. The population was 15,487 at the 2020 census.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 45

WHEN GROWTH FUELS CHANGE
The new organizational structure
also complements the new councilmanager
form of government that was
recently enacted, following a citywide
referendum on changing the form of
government. Department heads serve
often in multiple roles in Nolensville,
which is a common situation in
smaller municipalities. Citizens
viewed the town’s previous form of
government (mayor-aldermanic) as
inadequate to keep up with the many
challenges of a growing municipality.
Citizens voted for a structure that
divided control equally across
multiple board members, solving
the problems of limited segregation
of duties and insufficient staff to
handle the amount of work that was
needed to bring the departments up
to date on policies. The town is also
experiencing significant growth, and
the new structure satisfies the need
to keep up with future growth.
THAT’S A LOT OF RESERVES
Nolensville also has a healthy
general fund reserve balance, so
one of the first initial projects for the
Finance Department was to establish
and implement a fund balance
policy. While no municipality is
going to complain about having a
good amount of money in reserve,
the town had accumulated nearly
200 percent of its annual operating
budget in reserves. The savings grew
significantly because of one-time
monies collected on development; the
town was experiencing significant
growth and had no prior policy in
place for what to do with revenues
associated with development.
The amount of reserve—nearly
200 percent of annual operating
budget—was significantly more
than guidelines recommended by
the Municipal Technical Advisory
Service in Tennessee, and more than
other municipalities consider as
best practice. There were concerns
that because of the excess savings,
the town would be perceived as not
using the money to fund necessary
infrastructure and roadway
improvements, along with other
important capital projects.
BUILDING A FIRE DEPARTMENT
Given the growth the town was
experiencing and the amount of
money it had available, officials
decided the town would be best
served by using some of its
reserves to help create its first fire
department. Nolensville originally
contracted with a 501(c)(3) volunteer
fire organization, providing funds
each budget year to cover the costs
of providing fire protection and
emergency response to the town.
Fire protection became a major focus
through the FY 2021 budget process.
SKYE MARTHALER, WIKIPEDIA COMMONS
46

The town explored the strategy of
creating a combination department
by hiring a minimum number of fulltime
staff members and maintaining
the current volunteers. The change
would be funded through a tax
increase to cover the operational
costs of the additional staff. The
town’s growth was resulting in more
calls to the volunteer organization
(and therefore additional expense),
making it clear that some full-time
staff would be necessary for the town
to ensure that a sufficient level of fire
protection and emergency response
was being provided.
A budget amendment proposed
shortly after the FY 2021 budget was
approved provided funds for nine
full-time firefighters and a fire chief
to address the immediate need for
full-time fire suppression coverage,
while starting the town down the
path of establishing the first town
combination department. Hiring an
experienced and professional fulltime
fire chief was the first objective.
The fire chief was tasked with
initiating the plan and implementing
the combination department, which
would provide the foundation of
a full fire department that would
still be supported by the amazing
volunteers who had been servicing
the town for years.
A FUND BALANCE POLICY
The fund balance was being
discussed at the same time, and it
was recognized that implementing
the fund balance policy would
likely open up a significant amount
for spending on capital needs for
projects such as land acquisition and
construction of a new fire station.
Town leadership realized there
would be significant capital project
requirements, including building
construction and the acquisition of
fire apparatus. Since the town was
starting from scratch, this was going
to be a significant undertaking.
The fund balance policy was
adopted and implemented in August
2020 to mitigate current and future
risks, plan for future capital projects
and equipment needs, and ensure
stable tax rates. The fund balance
will be limited to unanticipated
expenditures; specific and reasonable
cash flow purposes; grant anticipation
reimbursement; new public health and
safety needs; service enhancements;
early retirement of debt; and one-time
capital expenditures that align with
essential services. The objectives of
the policy will maintain reservations
of fund balance in accordance with
GASB statement No. 54, Fund Balance
Reporting and Governmental Fund Type
Definitions. The policy establishes:
• Fund balance policy for the
general fund.
• Reservations of fund balances
for the general fund.
• The method of budgeting in
the general fund, the amount
of estimated unrestricted fund
balance available for appropriation
during the annual budget adoption
process, and the actions that
may be needed if the actual fund
balance is significantly different
than the budgeted fund balance.
• The spending order of the
general fund's fund balance.
CAPITAL IMPROVEMENT
AND DEBT
Adopting a fund balance policy was a
catalyst to many other opportunities
for developing and implementing best
practices and updates that the town
needed. One of these was making
funding available for appropriation to
create a capital improvements fund,
which led to the creation of a capital
improvements advisory committee.
This committee is made up of both
town staff and five local citizens
who represent town residents. The
committee is responsible for making
recommendations to the Board of
Commissioners on the selection and
prioritization of capital projects.
The advisory committee provides
both added transparency into the
capital improvement plan (CIP)
process as well as an opportunity to
engage citizens in the process. The
committee’s monthly meetings are
open to the public.
With a multi-year CIP comes
the possibility of incurring debt,
depending on the sufficiency of other
funding sources to cover the town’s
many capital project needs. These
include road infrastructure (such as
road widening, a major thoroughfare
plan, turn lanes, flashing beacons,
traffic lights, crosswalks, bike
lanes, sidewalks) and facilities
expansion (for instance, fire station,
police headquarters, public works
maintenance building expansion,
land, and opportunities for town
parks). Currently, all town staff,
including the Police Department,
are in the Town Hall, but as the
town continues to hire additional
staff, facility expansions and new
facilities will be necessary. The Fire
Department is currently using the
county-owned volunteer fire station,
but the town has plans underway
that include land acquisition and
the design and construction of a new
fire station to support its growing fire
suppression needs.
The Finance Department
began rewriting the outdated debt
management policy, adopted 10
years ago, to reflect contemporary
best practices for debt management,
ensuring that fiscally sound
debt management practices will
be followed. The previous debt
policy had vague limitations and
guidelines. For example, there was no
set limit on the total outstanding debt
obligations—it was just indicated that
the total amount of debt obligations
would be determined by the board.
The new policy bases the town’s
debt limit on a percentage of annual
revenues, along other factors. It
also includes a bundle of financial
policies, including the fund balance
policy, an operating budget policy, a
capital improvements plan policy,
investment policies, and a cash
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 47

WHEN GROWTH FUELS CHANGE
management policy, along with more
specific and formalized guidelines.
The update was presented to the
Board of Commissioners in July
2021, and the finance director and
town manager also recommended
engaging a financial advisor to advise
town leaders about debt and fiscal
practices, and to help the town secure
the best solutions for financing
capital investment needs. This
includes providing suitability and
needs analysis, developing a plan for
financing or refinancing, preparing,
and reviewing material for bond
rating interviews, and other services
related to issuing debt obligations.
Through all of this, the town has
become proactive in establishing
strategic and long-term planning
in a fiscally responsible manner.
The town manager and finance
director created a five-year operating
budget and 10-year CIP, as well as
fiscal analysis that helps the board
understand the long-term impacts
of potential developments as far as
the revenue to be received and the
expected operating costs.
A NEW REPORTING PLATFORM
The Finance Department remains
committed to seeking opportunities to
improve performance and efficiencies.
In November 2021, Finance achieved
its goal of implementing new software,
updating a dated and limited onsite
reporting platform to a cloud-based
platform that provides efficiencies,
eliminates redundancies, and
streamlines manual processes across
departments.
Before the upgrade, when another
department would submit a request
for purchasing, that request was
submitted by paper to the Finance
Department. Finance was then
responsible for entering the request
into the system for processing
payment, a time-consuming manual
process. The new system allows
every department to submit their
own requests via the software, which
channels through an integrated
approval process based on available
department fiscal resources and
in accordance with the purchasing
policy. The software provides instant
and simultaneous updates, including
a department dashboard to track and
monitor fiscal performance.
Since all the historical data had
to be loaded into the town’s new
software, the Finance team also
capitalized on the timing of this
upgrade to change over the town’s
old chart of accounts format to the
state’s standard chart of accounts.
This was done manually by mapping
each account under the old chart
of accounts. This allowed for better
account options that helped make the
town’s budgeting more transparent
and consistent with those of other
municipalities as well as the state.
NOLENSVILLETN.CLEARGOV.COM
As part of the effort to increase transparency, the Town of
Nolensville launched an innovative module that provides an
easy-to-understand, interactive view of the town budget by
fund, department, source, debt, demographics and more.
48

“I have never
been more
proud of my
government
than I am
right now.”
Nolensville resident,
after receiving the town's
first budget publication
The Finance team, working with
the town manager, conducted a
very transparent budget process,
providing information to the board
of commissioners and the public in
graphical and tabular form for the
first time ever. The budget process
included launching an innovative
Finance transparency module that
provides web-based data using
dynamic infographics that tell the
town’s financial story. The module
is hosted on the town’s Finance page
(at nolensvilletn.cleargov.com),
where it’s available to the public. The
information presented in the module
provides an easy-to-understand,
interactive view of the town budget
(expenditures and revenues) by
fund, department, source, debt,
demographics, and more. The next
step is to walk viewers through the
CIP, showing the status of each
project, amount of funding expended
to date, total budget per project,
project overview, and location.
THE TOWN’S FIRST
BUDGET BOOK
Following the annual fiscal budget
approval, the Finance Department
produced its first-ever budget
publication, for which the town
received the GFOA Distinguished
Budget Presentation Award. Before
this, the budget was prepared in
Excel and only provided to the
public in the form of the ordinance
that was required by the state. This
meant the public was receiving very
limited information about revenues
and expenditures with little to no
details. There were no visuals or
explanations, making it very difficult
for citizens to understand the scope
and breadth of the town’s budget. The
new budget document format and
content, which provide significant
detail on revenues and expenditures,
have been well received by elected
officials as well as citizens.
PURCHASING AND
PROCUREMENT PRACTICES
The Finance Department has
continued to reevaluate and improve
on processes and practices. For
example, the department created
the town’s first purchasing policy
that provides a formalized process
for all types of procurement of goods
and services. As a result, the bidding
process has been formalized and
aligned with best practices.
The Finance Department also
issued a request for proposals for new
municipal auditing services and a
request for proposals for purchasing
cards to provide more control over
spending while enabling purchases
from vendors that don't accept checks.
CONCLUSION
The Finance Department’s ongoing
goal and commitment is to shape a
culture of efficiency while continuing
to evaluate current systems,
policies, and processes. This will
help us identify opportunities to best
optimize resources by eliminating
redundancies and increasing
automation, while also promoting
the development of new policies and
guidelines for consistent and efficient
improvements. The focus of these
efforts is to provide transparency to
our citizens, and to provide excellence
in finance.
Christina Merle, CMFO, is the finance
director for the Town of Nolensville,
Tennessee. Carey Smith is a finance
technician for the Town of Nolensville.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 49

CITY BUDGETING
FOR EQUITY
AND RECOVERY
EFFECTIVE CHANGE
MANAGEMENT IN EQUITY
IMPLEMENTATION
BY JOE BUCKSHON AND MATTHEW STITT
50

CITY BUDGETING FOR EQUITY AND RECOVERY
Changing practices to drive
greater equity can be
extremely intimidating
for cities that aren’t yet
substantively educated
or exposed to the relevant
concepts, and for those within cities who perceive
their status or authority as being threatened by
the adoption of new principles. This is especially
the case given today’s turbulent environment.
Creating a sense of urgency about change
can be relatively easy as an executive, but
significantly less so as a subordinate. Finding
champions may seem impossible if cities
are struggling to get stakeholders to even
entertain a particular topic. Both proven and
emerging change management practices can
be simultaneously deployed to help overcome
these challenges and dramatically improve
the probability of success. If an individual who
is seeking to make change lacks a traditional
leadership position, or active supporters for their
cause, or simply does not know where to begin,
this article can help them model an approach
to lead from their current position and effect
sustainable, enduring organizational change.
As part of our ongoing work with the cohort of
cities looking to make transformative change
through the Bloomberg Philanthropies/What
Works Cities/Results for America City Budgeting
for Equity and Recovery (CBER) Initiative, this
article represents a combination of lessons
learned and promising change management
practices that have emerged over the duration of
the initiative.
What is change management?
Fundamentally, change management speaks
to the process that ultimately drives a city’s
culture (and, to quote the renowned Peter
Drucker, “culture eats strategy for breakfast”).
We are more specifically speaking to the process
that drives a city’s new program, initiative, or
strategic focus to gain additional, necessary
buy-in from stakeholders across the entire
government. This can take place at any level
within the organization—from one’s mind to
one’s team—and from one-on-one relationships
with global institutions. Many of the critical
factors will remain very similar across the board.
Some of the standard best practices include: 1
• Creating a sense of urgency; action must be
taken quickly.
• Finding champions to help spread the word,
implement changes, and eliminate barriers.
• Establishing working groups, committees, or
taskforce teams (composed of champions and
subject matter experts) to lead change efforts
across government.
• Focusing on short-term wins to build
momentum on the way to long-term success.
• Reinforcing the established change at a
systems level.
• Creating continual evaluation and feedback
loops to better inform future refinements.
While these are tried-and-true tactics that can
support your city’s leading efforts to improve on
the existing culture, and to achieve the brighter
This article was adapted from a What Works Cities Budgeting for
Equity and Recovery resource, “Effective Change Management
in Equity Implementation.”
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 51

EXHIBIT 1 | CHANGE MANAGEMENT PRACTICES FOR EQUITABLE PRINCIPLES
CONDUCT A
BRIEF, INFORMAL
ENVIRONMENTAL
SCAN
WHEN DEFINING
EQUITY IN YOUR
JURISDICTION,
FOCUS ON METRICS
IDENTIFY THE KEY
PLAYERS, BOTH
CHAMPIONS AND
DETRACTORS
BE AWARE OF EXISTING
LEADERSHIP PRIORITIES,
AS WELL AS TIMING OF
ELECTORAL CYCLES
PROMISING
PRACTICES
IN CHANGE
MANAGEMENT
FOR EQUITABLE
PRINCIPLES
ESTABLISH
WORKING GROUPS,
COMMITTEES, OR
TASK FORCES
UNDERSTAND
THE PERSPECTIVE
OF YOUR KEY
DETRACTOR(S)
WHERE POSSIBLE,
USE THESE
CONVERSATIONS TO
CREATE CHAMPIONS
IN ALL CASES,
ADVOCATE FOR LOW-
EFFORT REPORTING AND
TRANSPARENCY INITIATIVES
52

CITY BUDGETING FOR EQUITY AND RECOVERY
future your city envisions, it must be
acknowledged that aligning a large
organization can be challenging
(particularly in the public sector).
To tackle this specific type of change
management challenge as it relates
to equity, PFM has curated a series
of promising practices from across
the United States that can be applied
to your unique opportunity to refine
your department’s operations,
municipal operating budget, or capital
improvement plan.
Promising practices in
change management for
equitable principles
Traditional change management
best practices assume: a certain
level of power for decision-making
and political capital committed by
the initiative’s champion, a certain
level of responsibility vested in the
person or team charged with leading
the change, and a general level of
awareness that the existing culture
must be altered or disrupted to achieve
desired outcomes. (See Exhibit 1.)
The goal for this review is to make
sure you have a general understanding
of how equity work has been conducted
in the past and to what extent it
was successful. This can include a
consideration of peer organizations—
however, their relative success or lack
thereof is not necessarily predictive of
your own experience. Keep cultural,
political, and demographic realities
in mind when making comparisons,
and avoid digging too deeply into
quantitative data at this stage.
In a recent project with the City of
Chula Vista, California, the project
team spoke with several departments
that had previously published equitycentric
documentation to ask about
their process and goals. The team was
able to collect equity definitions and
other data points to bolster their own
work. This also led them to uncover
additional equity champions that
could be aligned to their specific
project goals.
Identify the key players, both
champions and detractors
If you can’t make the final decision—
who can? Who else has influence
over the decision, or the ultimate
implementation of the decision? Is
there a way to turn our detractors
into champions? If so, how should we
pursue the best path to securing that
buy-in?
Start by creating a rough power
map as it relates to your city’s goal.
A simple format to consider is an
X and Y axis showing more or less
influence in one dimension and more
or less support for your position in the
other. 2 Understanding these change
management power dynamics and how
they impact decision-making authority
and workflows will help you plot the
most efficient course of action.
Establish a working group, steering
committee, or task force made up
of champions to lead change
Establishing working groups,
committees, or task forces can further
support communication, coordination,
and collaboration efforts across the
government. If existing, effective
groups are already up and running for
cross-cutting initiatives or priorities,
joining those committees might be
an effective way to make progress
and find others who support your
cause. The larger and more complex
the government entity, the greater
the need to join or establish a formal
working group or committee to lead
these efforts. These teams should also
include “A-Team” members to ensure
that the change remains a substantive
and visible priority. Diversity of
department and positions is crucial,
as was outlined in a recent ICMA study
of the City of Evanston, Illinois. 3 In
this example, Evanston intentionally
built its equity committees through
diversity of positions, departments,
and supervisory responsibilities.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 53

CITY BUDGETING FOR EQUITY AND RECOVERY
When defining equity in your
jurisdiction, focus on metrics,
not just language
While a baseline understanding of
the definition of equity (for example,
how it is different from equality) is
typically helpful in getting your team
thinking similarly, the conversation
will inevitably move to “how do we
measure this abstract concept?”
In many places, governments are
adopting place-based, third-party
definitions that are often set by and
monitored through federal agencies,
such as the Center for Disease Control
(CDC) Social Vulnerability Index,
or HUD’s Qualified Census Tracts.
Focusing on these types of metrics
initially helps to alleviate pressure
on any individual who may be seen
as “defining equity” for an entire
community (that person should be but
may not be engaged in this process). It
also generally aligns with federal and
state funding streams, which can be a
useful leverage point when discussing
the fiscal implications of this type of
focus (for example, if we use HUD’s
definition, it is highly likely we can
apply for grants that support impactful
programming on this metric).
In Harris County, Texas, city
officials have started to use the
CDC Social Vulnerability Index
more consistently across multiple
areas of their operating and capital
budget processes, including flood
plain project prioritization 4 and
small business relief. 5 Using the
same metric across both programs
allows for a comparison of outcomes
and consistent reporting across
departments.
Be aware of existing leadership
priorities as well as timing of
electoral cycles
When pursuing equitable change,
it is critical to understand where
leadership stands in relation to your
own vision of equity. If appropriate,
consider ways to elevate this work
to the executive themselves, or,
more likely to their deputies and key
support staff. If the elected official
can take things a step further by
issuing a jurisdiction-wide mandate,
or even an executive order, it will
likely set the tone for equity work
across the organization. It can also
further the push for more alignment
with larger organizational goals.
When pursuing
equitable change,
it is critical to
understand
where leadership
stands in relation
to your own
vision of equity.
54

For example, one city in the City
Budgeting for Equity and Recovery
cohort (that is working to increase
equity in its capital budget)
discovered that a key driver to
completing more equitable work is
the amount of available discretionary
capital funding each year. If the
mayor, city manager, and other city
leadership can articulate the need and
scale of deferred maintenance and
can make a collective, unified push for
additional funding from other entities
(including philanthropic, state, and
federal government), it would be a
more powerful push than one coming
from the budget office alone, and
it should increase the chances of
securing additional available funding
for all proposed capital projects.
If your city’s administration and
leadership are coming up on the end
of their terms, consider how this kind
of work may be affected (positively or
negatively) by the result of a primary
or general election. While there should
be urgency around equity in all cases,
the timing of when to pursue certain
conversations, policy or process
changes—and potential presentations
or reports—must follow a logical cadence
that considers the practical and feasible
focus of the administration at any given
moment.
Understand the perspective
of your key detractors
If your internal detractors substantively
rely on key data for their work, this factor
should inform the way you formulate a
persuasive argument and strategically
approach the conversation or meeting
with these stakeholders. For example, if
your city’s team is attempting to change
public works’ policies, your team may
need to dive deeper as to where the more
granular data stems from, how often
projects are similarly (or identically)
rated, and what level of subjective
prioritization comes into play at more
senior levels of the organization—in
order to offer a more relevant context
or perspective.
In the City of San Diego, California,
street projects are prioritized based
on street condition, proximity to
one another, and so on. 6 This can be
considered an asset quality-centric
approach to budget allocation. In the
City of Oakland, California, a similar
process is used, although Oakland
also incorporates equitable factors
in their prioritization criteria. For
instance, individual complaints are
not included as rationale for paving
a particular street, and geographies
considered “underserved” by the
city’s definition receive preference
in project funding. 7 This additional
layer of consideration can potentially
counteract persistent underfunding
of some community priorities.
The Three Cs of Change Management
When in doubt, focus on the three Cs: coordination, communication, and collaboration.
COORDINATION COMMUNICATION COLLABORATION
AS THE COVID-19 PANDEMIC demonstrated, an increasingly
unpredictable future requires new ways of thinking about
government operations. When the critical moment is upon
you, it is too late to plan for what you might do. Preparing
for these scenarios is ideal—however, if your organization is
facing a new challenge, the three c’s should be your default
methodology for quickly establishing alignment, effectively
sharing information, and working across silos to deliver
critical services and save precious time and resources along
the way.
• Racial equity and reconciliation initiative team, City of
Long Beach – In June 2020, city council members in the
City of Long Beach, California, unanimously approved a
resolution to review historical inequities related to race
and other demographic factors. This cross-departmental
team was responsible for engaging residents on how
best to eliminate systemic racism. Ultimately, this team
delivered a comprehensive report and recommendations
for enhancing racial equity in the city. 1
• Stimulus task force, City of New Orleans, Louisiana –
Following the announcement of $375 million in federal
funding, the mayor of New Orleans, Louisiana, convened
a 28-member task force with five sub-committees
representing the city’s priorities. This group is tasked with
identifying the best opportunities for spending, and with
exploring potential funding through subsequent rounds
of ARPA guidance. 2 The city adopted this strategy based
on multiple prior experiences with federal relief funding
following hurricanes and associated flooding.
1
Dr. Anissa Davis, Initial report, Racial Equity and Reconciliation Initiative, City of Long Beach, California.
2
Jessica Williams, “How will $375M in coronavirus aid get spent in New Orleans? This stimulus task force will decide,” April 15, 2021, NOLA.com. This initiative includes real-time public
dashboards that show spending trends for the city and its agencies.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 55

CITY BUDGETING FOR EQUITY AND RECOVERY
While there is
still significant
resistance to equity
in many places,
incremental change
is always possible,
and transformative
change can follow.
...And, where possible, use
these conversations to create
champions
To further the capital budget example,
perhaps your equity team meetings
with this department team reveal
a lack of sustainable, discretionary
funding for projects that are not tied
to grants or state or federal aid. One
potential solution is to use your team’s
equitable push as a starting point
to request increased funding for all
capital projects, in particular, those
aligned with equitable principles.
When Oakland was revamping its
capital improvement plan, working
groups focused on getting feedback
and input at multiple points along the
way to ensure buy-in, and to create
champions for the plan. 8 This type of
broad engagement approach allows
you to aggregate feedback and frame
your goals in a shared, inclusive
context that can be supported by all
involved.
In all cases, advocate for loweffort
reporting and transparency
initiatives
For example, if your team would like to
change the decision-making process
for funding new programs in the local
government’s jurisdiction, that may
take significant staff time and effort
to design ahead of upcoming budget
cycles. But if your internal team
could introduce a new variable in a
shorter timeframe for reporting on
budget figures, it may be possible to
clearly demonstrate a need for new
decision-making criteria when faced
with data on the growing disparities
among various communities.
The City of Baltimore, Maryland,
has made a significant push toward
transparency and open data on many
city services, including those related
to COVID-19 recovery. This includes
real-time, public dashboards that
show spending trends for the city
and its agencies. 9
Conclusion
With increased federal funding
to support economic recovery in
the wake of COVID-19, cities are
being handed the keys to allocate
Coronavirus Aid, Relief, and
Economic Security Act (CARES),
American Rescue Plan Act (ARPA),
and any future federal dollars
toward more equitable programs
and services. Resistance to equity
may show up in an organization
as skepticism around these funds
and their purposes—however,
the guidance for CARES Act, ARP
Act, and, likely, any eventual
infrastructure bill creates incentives
for investment in previously
neglected communities. Sharing
plans for this spending alongside the
annual operating budget can further
demonstrate a comprehensive
response to constituent needs and
goals, regardless of the funding
source. As these federal programs
pave the way, one’s change
management muscles must be
well-developed to take on budgeting
for equity, and other equitable
initiatives in additional contexts.
Ultimately, change management is
about shifting the existing culture—
preserving the great things about
an organization while restructuring
and updating its activities and
service delivery to better align
with its core values and priorities
moving forward. In an ideal world,
this might happen with the flip of a
switch—however, even the best plans
cannot be developed or successfully
implemented in the real world without
a receptive and supportive culture.
The tactics laid out in this resource
can be catalysts for positive,
incremental change to create that
future culture—and to shape it with
a focus on more equitable policies,
investments, and outcomes.
Joe Buckshon is a senior analyst in the
Management and Budget Consulting
practice at PFM. Matthew Stitt is a
director in the Management and Budget
Consulting practice and co-director
of the Center for Budget Equity and
Innovation at PFM. He is also the former
chief financial officer for City Council,
City of Philadelphia, Pennsylvania.
PFM is a technical assistance provider
for the City Budgeting for Equity and
Recovery program.
1
Adapted from Kotter’s Model for Change
Management, Kotter Inc., kotterinc.com/
methodology/8-steps/.
2
The Power Mapping Template, the Change Agency,
thechangeagency.org/power-mapping-template/.
3
Kathleen Yang-Clayton and Kimberly Richardson,
“Operationalizing Racial Equity: Beginning from within
Your Organization,” September 2021, PM Magazine.
4
Christopher Flavell, “A Climate Plan in Texas Focuses
on Minorities. Not Everyone Likes It,” July 24, 2020,
New York Times.
5
Danica Lloyd, “Harris County to launch $30M
small-business relief fund Sept. 20, August 10, 2021,
Community Impact.
6
Lisa Halverstadt, “Why Some Streets Get Repaired
Over Others, January 25, 2019, Voice of San Diego.
7
City of Oakland, 2019 3-Year Paving Plan
Development Process, oaklandca.gov/projects/2019-
paving-plan-development-process.
8
Elliot Karl, “Prioritizing Community Values in Capital
Budgeting.” Government Finance Review, June 2021.
9
Recall the prior recommendation on initially using
metrics as definitions of equity—by simply including a
report of spending by the CDC or HUD geographical
variable, any city could display potential opportunities
to increase equitable spending.
56

RETHINKING
PUBLIC
PUBLIC
ENGAGEMENT
ENGAGEMENT
SUMMIT
SUMMIT
This summit will bring together academics, researchers,
This summit will bring together academics, researchers,
civic technology experts, local government praccconers,
civic technology experts, local government praccconers,
and other thought leaders to rethink public engagement.
and other thought leaders to rethink public engagement.
Explore “design principles” for improving public engagement
Explore
on local government
“design principles”
budget
for
discussions.
improving public engagement
on local government budget discussions.
Foster an exchange of ideas around providing new outlets
for
Foster
public
an
engagement
exchange of
to
ideas
flourish.
around providing new outlets
for public engagement to flourish.
VIRTUAL EVENT
VIRTUAL EVENT
November 7-10
10+ Sessions
REGISTRATION
REGISTRATION
gfoa.org/rpe
Rethinking Public Engagement is part of GFOA’s Rethinking
Rethinking Budgeeng Public iniiaave Engagement which seeks is part out and of GFOA’s shares Rethinking unconvennonal
Budgeeng but promising iniiaave methods which for seeks local governments out and shares to unconvennonal
improve how
but they promising budget, and methods how they for local embrace governments the defining to improve issues of how our me.
they budget, and how they embrace the defining issues of our me.

58

RATIO ANALYSIS, SIMPLIFIED
Ratio Analysis,
Simplified
An Alternative Framework for Analyzing
the Financial Condition of a Government
Using Mead’s 10-Point Ratios
BY AMAN KHAN AND OLGA MUROVA
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
Financial ratios are a
valuable tool for analyzing
an organization’s
financial condition. While
the 10-point ratios and
their extensions continue
to provide the foundation for much
of the discussion on the subject, the
methodology underlying the approach
has an important weakness: it is
heavy on data requirement, which
could be extremely time-consuming.
Also, the choice of the scale—as used
by Ken Brown and subsequently by
Dean Mead—to determine the overall
financial condition of a government
needs further refinement. In this
article, we develop a composite
measure, an index, based primarily on
Mead’s ratios, that is simple and easy
to analyze and interpret. 1
Methodological overview
Several important characteristics
of both Brown and Mead’s ratios are
worth noting. 2
• Like Brown, Mead uses 10 ratios
but refines them considerably in
light of the changes in the reporting
procedures introduced in 1999,
under the Governmental Accounting
Standards Board (GASB) Statement
34, Basic Financial Statements
– and Management’s Discussion
and Analysis for State and Local
Governments.
• The refined ratios are inherently
financial in character, which better
reflects the financial conditions of a
government, for example, financial
position, financial performance,
liquidity, solvency, revenues, debt
burden, debt coverage, and longterm
fixed (capital) assets.
• The use of purely financial ratios
makes it possible to collect the
relevant data directly from the
annual financial reports.
• Both Brown and Mead use a large
number of similar-size governments
as a benchmark against which the
ratios of a government are compared
to determine its overall financial
condition, as noted previously. For
instance, Brown uses 750 small
cities of similar size and Mead also
uses a large number of cities. It can
require an enormous amount of time
to gather the relevant data, analyze
it, and compare the results.
From a methodological perspective,
both Brown and Mead use quartile
analysis, an ordered statistic that
divides data into four quarters, with
each quarter containing 25 percent
of the data (Q1 = lowest 25 percent;
Q2 = between 25 and 50 percent; Q3 =
between 50 and 75 percent; and Q4 =
the highest 25 percent) to determine
where the ratios of a city in question
would fall on a particular quartile.
Both authors also use a four-point
Likert-type scale that ranges between
-1 and +2. For example, if the ratio of a
city falls on Q1 it will receive a value
of -1; if it falls on Q2 it will receive 0; if
it falls on Q3 it will receive +1; and if it
falls on Q4 it will receive +2. Finally,
to determine the overall ranking of
a city relative to the database cities,
both authors use a scoring system that
ranges between -10 and +20, where
10 or more is considered among the
best, 5 to 9 is better than most, 1 to
4 is about average, 0 to -4 is worse
than most, and -5 or less is among the
worst. It is unclear why this particular
scoring system was used, along with,
more importantly, the cut-off points
for determining the overall financial
condition. Brown recognizes this
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 59

RATIO ANALYSIS, SIMPLIFIED
apparent weakness, however, and
suggests that individual researchers
could modify the scoring technique
if necessary.
The approach suggested here
is based on Mead’s ratios, rather
than Brown’s, because they are
predominantly financial in
character. Also, the information
can be easily obtained from a
government’s annual financial
report, which makes the data
collection considerably easy. In fact,
Mead does a great job of indicating
the specific statement in the report,
which contains the information
one would need to construct a
particular ratio. On the other hand,
our approach does not require a
large number of governments of
comparable size to determine the
overall financial condition of a
government. Additionally, it avoids
the ranking system both Brown
and Mead use, which is somewhat
inconsistent as to the arithmetic
distance between the ranks, with a
scale that is consistent. The product
of this approach is an index, a single
measure, based on the same 10
ratios Mead uses. 3 Operationally,
a single measure such as an index
is more efficient than a measure
that compares each individual ratio
against a benchmark based on many
similar governments. The process,
as we noted, can be extremely timeconsuming.
Constructing the index
The index suggested here has several
important characteristics:
• It ranges between 0 and 1 (for
instance, between 0 and 100
percent), which is important for
maintaining the consistency of
the ratios.
• It ensures that the ratios fall
within this range. To achieve
this, the original ratios were
algebraically reformulated
without changing any of the
variables in a ratio, except for a
minor change in one-R7.
EXHIBIT 1 | COMPARISON OF BROWN-MEAD AND THE ALTERNATIVE FRAMEWORK
BROWN-MEAD
SCORE
BROWN-MEAD
RATING
• The individual ratios (scores)
are then averaged to produce a
composite score (for example,
an index).
• The index is compared against
a five-point Likert-type scale
(5 = excellent, 4 = very good, 3 =
good, 2 = poor, and 1 = very poor)
to determine a government’s overall
financial condition.
Since the composite score can fall
anywhere between 0 and 1 (as in,
between 0 and 100), we use quintiles
instead of quartile range to make the
final ranking consistent with the
rating structure Brown and Mead use.
Exhibit 1 shows the comparison of the
two rating systems.
According to Exhibit 1, for instance,
a composite score of 0.25, under our
alternative framework, would fall
between 0.2 and 0.4, and will be rated
as poor—which would be worse than
most under the Brown-Mead system.
Similarly, a composite score of 0.75
ALTERNATIVE
FRAMEWORK SCORE (%)
ALTERNATIVE RATING
(AND SCALE)
-5 or less among the worst 0.0-0.2 (0-20) very poor (1)
0 - (-4) worse than most 0.2-0.4 (20-40) poor (2)
1 - 4 about average 0.4-0.6 (40-60) good (3)
5 - 9 better than most 0.6-0.8 (60-80) very good (4)
10 or more among the best 0.8-1.0 (80-100) excellent (5)
A single measure
such as an index is
more efficient than a
measure that compares
each individual ratio
against a benchmark
based on many similar
governments.
under our system would fall between
0.6 and 0.8 and will be rated as very
good; under the Brown-Mead system,
it would be better than most. Another
significant difference between the two
systems is that, while we use the same
10 ratios as Mead, we use a slightly
different algebraic formulation for
each ratio to ensure that our scores fall
within the specified range between 0
(low) and 1 (high). This is necessary
to make sure that all the ratios have a
positive constant within the defined
range, making the index construction
simple and also easy to interpret.
Exhibit 2 shows the comparison of our
ratios with those of Mead, and their
corresponding algebraic formulations.
Two things are worth noting in our
formulation of the ratios. One, all but
three of the ratios (R1, R3, and R10)
were algebraically reformulated to
ensure that, when converted, our
ratios would produce a value between
0 and 1 to help us construct the index. 4
Two, the debt burden ratio (R7), which
is per capita debt, was refined to better
reflect the extent of debt burden.
While per capita debt is frequently
used as a measure of debt burden, it
has an inherent weakness in that it
doesn’t provide a precise measure
of the severity of debt, especially
considering a government’s ability to
meet its debt obligations. For instance,
two governments with identical debt
but different population size will
produce different ratios—providing
different pictures of the burden, which
may not reflect the actual severity of
60

EXHIBIT 2 | ALGEBRAIC FORMULATION OF MEAD’S RATIOS: ORIGINAL AND ALTERNATIVE FORMULATION
MEAD’S RATIOS
ALGEBRAIC
FORMULATION
(A= numerator and
B= denominator)
ALTERNATIVE
FORMULATION OF
MEAD’S RATIOS
MEAD’S RANKING
INTERPRETATION
RANKING UNDER
ALTERNATIVE
FORMULATION
R1: Short-run financial position: Unreserved
general fund balance ∕ General fund revenues
R2: Liquidity: General fund cash and investments ∕
(General fund liabilities − General fund deferred
revenues)
R3: Financial performance: Change in governmental
activities net assets ∕ Total governmental activities
net assets
R4: Solvency: (Primary government liabilities −
Deferred revenues) ∕ Primary government revenues
R5: Revenues, A: (Primary government operating
grants + Unrestricted aid) ∕ Total primary
government revenues
R6: Revenues, B: (Net expense, or revenue, for
governmental activities ∕ Total governmental
activities expenses) x -1
A∕B A ∕B (Unchanged) High Good High
A∕B A ∕(A+B) High Good High
A∕B A ∕B (Unchanged) High Good High
A∕B B∕(A+B) Low Good High
A∕B B∕(A+B) Low Good High
(A ∕B) x (-1) 1-((A+B)∕B) Low Good High
R7: Debt burden: Total outstanding debt of the
primary government ∕ Population
A∕B
1−(Total Debt∕ Total
Assets (Changed)
Low Good High
R8: Coverage, A: Debt service ∕ Non-capital
governmental funds expenditures
R9: Coverage, B: (Enterprise funds operating
revenue + Interest expense) ∕ Interest expense
R10: Capital assets: (Ending net value of primary
government capital assets − Beginning net
value) ∕ Beginning net value
A∕B (B-A)∕B Low Good High
A∕B (A ∕B)/((A ∕B)+1) High Good High
A∕B A ∕B (Unchanged) High Good High
the debt. A better alternative would
be to use total assets rather than
population because it is the size of
the asset that, in the final analysis,
determines the ability of a government
to incur debt (for instance, its ability
to borrow). 5 Additionally, obtaining
the information should not be difficult
since it is easily available from the
annual financial reports.
Another point worth noting in our
approach is that all the ratios we use
have the same weight. Both Brown
and Mead assume that the ratios are
of equal importance and therefore
have the same weight, although Brown
leaves the option to future users to
make any changes. Our index also
doesn’t make changes in the weight
structure, keeping it the same as
Brown and Mead—but, like Brown, it
leaves the door open.
EXHIBIT 3 | APPLICATION OF THE METHOD
MEAD’S RATIOS
ALGEBRAIC
EXPRESSION
APPLIED TO
MEAD’S STUDY
R1: Short-run financial position A∕B 0.37 0.33
R2: Liquidity A ∕(A+B) 0.90 0.86
R3: Financial performance A∕B 0.07 0.47
R4: Solvency B∕(A+B) 0.47 0.29
R5: Revenues−A B∕(A+B) 0.90 0.96
R6: Revenues−B 1−((A+B)∕B) 0.72 0.72
R7: Debt burden 1−(A ∕ B) 0.77 0.99
R8: Coverage−A (B−A)∕ B 0.84 0.76
R9: Coverage−B (A ∕B)∕((A ∕B)+1) 0.98 1.00
R10: Capital assets A∕B 0.05 0.11
APPLIED TO
LUBBOCK (2020)
Index = (R1:R10)∕10 Arithmetic average 6.07∕10 = 0.607 6.49∕10 = 0.65
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 61

RATIO ANALYSIS, SIMPLIFIED
EXHIBIT 4 | FINANCIAL INDEX FOR LUBBOCK
AVERAGE INDEX
RATIO CALCULATIONS (as applied to Mead’s study)
R1 = A/B (Stays the same)
= 0.37 or 37%
R2 = A/(A+B)
= 4,377,368/(4,377,368 + (796,058-306,473)) = 4,377,368 / 4,866,953 = 0.899 or 89.9%
R3 = A/B (Stays the same)
= 0.07 or 7%
R4 = B/(A+B)
= (15,877,339+1,425,380 + 627,815+19,928,578)/((43,441,261-179,857)
+ (15,877,339+1,425,380 + 627,815+19,928,578))= 37,859,112/(43,261,404 + 37,859,112)
= 37,859,112/81,120,576 = 0.47 or 47%
R5 = B/(A+B)
= (15,877,339+1,425,380+627,815+19,928,578)/((1,425,380+2,666,347)+37,859,112)
= 37,859,112/(4,091,727+37,859,112) = 37,859,112/41,950,839 = 0.90 or 90%
R6 = 1-((A+B)/B))
= 1-(-15,921,202+22,228,063)/22,228,063) = 1-(6,306,861/22,228,063) = 1-0.28 = 0.72 or 72%
R7 = 1-(A’/B’)
= 1-(22,981,400+11,603,300)/151,642,682 = 1-(34,584,700/151,642,682) = 1-0.23 = 0.77 or 77%
R8 = (B-A)/B
= ((26,518,698-4,601,515)-3,500,823)/(26,518,698-4,601,515) = 18,416,360/21,917,183
= 0.84 or 84%
R9 = ((A/B)/((A/B)+1)
= (11,257,893/232,908)/((11,257,893/232,908)+1) = 48.3362/49.3362 = 0.98 or 98%
R10 = A/B (Stays the same)
= 0.05 or 5%
0.800
0.700
0.600
0.500
0.400
0.300
0.200
0.100
0.000
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020
Application of the index
To determine the soundness of our
index—in other words, how well it
compares with Mead’s ratios—we apply
it in two stages: first, to the study Mead
uses, and, next, to a mid-size city in
the State of Texas. For the latter, we use
ratios for several years to provide an
assessment of the financial condition
of the city over time, although it is not
necessary to use multiple years. A single
year to determine the current financial
condition should suffice. Exhibit 3
shows the results of our approach, when
applied to Mead’s study, as well as to the
sample city.
As shown in Exhibit 3, when applied
to Mead’s study, our approach produces
a composite score (arithmetic average)
of 0.607, or 60.7 percent, which puts the
city’s financial condition as very good
(better than most) and compares well
with Mead’s own ratio. The score
Mead’s analysis produced was 5, which
means the financial condition of the
city, according to Mead, was better than
most (very good). Interestingly, the
scores produced by both approaches
place the city at the lower end of the
scale—the lower end of better than most
and very good.
Next, we apply the index to the
City of Lubbock, Texas, a mid-size
city that has been growing slowly but
consistently over the years. It has a good
economic base that is relatively stable
and healthy, with a strong foundation
in agriculture, followed by advanced
technology, energy, financial services,
healthcare and bioscience, education,
and hospitality. Lubbock is also the
central hub of the South Plains region,
one of the largest cotton-producing
regions in the world 6 —which, along
with energy, healthcare services, and
education provides a financial safety
net against the economic ups and downs
that often affect larger communities.
This is evident in the overall financial
condition of the city. For instance, the
composite score for Lubbock for 2020
was 0.65, or 65 percent (see Exhibit 3),
which rates the city’s overall financial
condition as very good (better than
62

©2022 MICHAEL AUSTIN C/O THEISPOT.COM
most). Exhibit 4 shows the composite
scores for the city over a 19-year
period, from 2002 to 2020.
As Exhibit 4 shows, the scores
range between 0.5 and 0.7, indicating
that the financial condition of the
city has been consistently between
good and very good. Looking at the
trend and, more importantly, the
growth in population—which has
been increasing steadily—it seems
unlikely that the trend will change
anytime soon. In fact, we can use
this information to forecast the
future financial condition of the
city. This is an important advantage
of ratio analysis: If one has data on
past financial ratios, they can be
easily used to forecast the financial
condition of a government for any
number of years.
Conclusion
While ratio analysis has its strengths
and limitations, Mead’s 10-point
ratios will continue to be used as
firsthand approximation of the
financial condition of a government.
Also, as the financial conditions of a
government change, or as changes are
made in the reporting requirements
by GASB, the ratios will need to be
updated to reflect the change. The real
challenge, though, is to find a suitable
approach for analyzing the ratios
without placing a heavy demand on
time or data requirements—but the
approach must be methodologically
sound, and, more importantly, appeal
to an organization that is interested in
using the ratios. The advantage of the
approach suggested here is that it is
simple and can be applied to any level
of government, as well as to business
enterprises, which have a long history
of using ratio analysis. Furthermore,
the suggested methodology can be
expanded to include any number of
ratios, not just 10.
Aman Khan is a professor at Texas
Tech University, Lubbock, Texas.
Olga Murova is an associate professor at
Texas Tech University, Lubbock, Texas.
THE HISTORY OF FINANCIAL RATIOS
Financial ratios have been extensively used in the private sector since the 1920s,
following the development of the income tax code in 1913 and the establishment
of the Federal Reserve System in 1914. In government, they drew considerable
attention, first with the publication of ICMA’s Financial Trend Monitoring System,
followed by two major developments—the publication of Ken Brown’s 10-Point
Ratios and the subsequent refinement by Dean Mead. Since then, there have been
numerous studies suggesting ways to improve the ratios, along with an extensive
array of applications of these ratios in government.
For more information:
• Performance Audit of City’s Financial Condition, Office of the Auditor, City of
San Diego, California, 2015.
• Measuring San Jose’s Financial Condition, Office of the Auditor, City of San Jose,
California, 2016.
• Indicators of Financial Condition: A Comparison of Chicago to 12 other Cities,
The Civic Federation, 2013.
• William C. Rivenbark and Dale J. Roenigk, “Implementation of Financial Condition
Analysis in Local Government,” Public Administration Quarterly, Summer 2011.
1
Dean Michael Mead, “The New Financial Statements:
Reconnecting with Basics of Financial Management”
Journal of Public Affairs Education, April 2001.
2
Kenneth W. Brown,” The 10-Point Test of Financial
Condition: Toward an Easy-to-Use Assessment Tool for
Smaller Cities,” Government Finance Review, December
1993; ibid.
3
An important contribution of the approach suggested
here is that it does not have to be restricted to 10 ratios
both Brown and Mead use; it can be applied to any
number of ratios, such as those suggested by ICMA
(1980), and for any level of government or type of
organization—public, private, and quasi-public. The
only requirement is that the algebraic formulations
will be different in each situation, depending on the
type of ratio, but the overall framework for analysis will
remain the same. See: J. Griesel and J. Leatherman,
Evaluating Financial Condition, A Handbook for Local
Government, ICMA Fiscal Indicators Resource Guide,
Kansas State University, Office of Local Government,
2005.
4
Interestingly, under our system, as shown in Exhibit 3, the
algebraic formulation of R6 produces exactly the same
result as Mead’s but has the advantage of not needing to
be multiplied by -1 to avoid a negative value, which could
not be explained otherwise.
5
We assume here that total debt will not exceed total
assets, which is, by and large, the case with state and
local governments because of the restrictions on these
governments regarding how much they can borrow,
given their overall financial condition, in particular the size of
their assets. The logic of the argument is simple: It is the size
of the asset that determines the ability of a government to
borrow. There is a parallel here with firms and businesses
in that when a firm defaults, it sells off its assets to meet
its debt obligations—first to the debt holders, and then to
the stockholders. Likewise, if a government defaults, it may
be required to do the same. For instance, when the City of
Cleveland, Ohio, defaulted in 1978 for failing to repay $14
million in loans it owed to six local banks and subsequently
was unable to market its bonds for almost two years, it was
on the verge of selling off some of its assets to meet its
debt obligations to the debt holders until the state came to
its rescue, according to Case Western Reserve University,
Encyclopedia of Cleveland History.
This does not, however, apply to U.S. government debt
because it does not have the same restrictions for
borrowing as the state and local governments do. For
instance, the total assets of the government were $4.9
trillion in FY 2021, compared to its debt for the year of $34.8
trillion, which includes $22.3 trillion in actual debt, $10.2
trillion in federal employee and veterans benefits payable,
and the rest on interest payable (see: Bureau of the
Fiscal Service, Financial Report of the United States). The
government is able to borrow more than its assets because
it has a variety of instruments that it can use without
necessarily requiring it to sell off its assets to meet its debt
obligations.
6
Cotton Production Regions of Texas, Texas A&M AgriLife
Extension
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 63

Building up your infrastructure?
Start by Building knocking Building up down your up infrastructure?
your your financing infrastructure?
costs.
Start by knocking by knocking down your down financing your costs.
financin
More than 15,000 issuers have saved money by insuring their bonds
with us. Their interest rates are lower because of our financial strength,
More than than 15,000 15,000 issuers issuers have saved have money saved by insuring money their by bonds insuring their bonds
unconditional More than guaranty 15,000 of issuers timely principal have and saved interest money payments, by and insuring their bonds
with us. us. Their Their interest interest rates are rates lower because are lower of our because financial strength, of our financial strength,
disciplined with us. credit Their selection interest and rates surveillance. are lower To learn because how to issue of more our financial strength,
unconditional guaranty guaranty of timely of principal timely and principal interest payments, and interest and payments, and
cost-efficient unconditional municipal guaranty bonds, visit of AssuredGuaranty.com.
timely principal and interest payments, and
disciplined credit credit selection selection and surveillance. and surveillance. To learn how to To issue learn more how to issue more
disciplined credit selection and surveillance. To learn how to issue more
ASSURED cost-efficient GUARANTY municipal MUNICIPAL municipal bonds, CORP. — ASSURED visit bonds, AssuredGuaranty.com.
GUARANTY visit CORP. AssuredGuaranty.com.
— NEW YORK, NY
cost-efficient municipal bonds, visit AssuredGuaranty.com.
64
ASSURED GUARANTY MUNICIPAL MUNICIPAL CORP. — ASSURED CORP. GUARANTY — ASSURED CORP. — GUARANTY NEW YORK, NYCORP. — NEW YORK, NY
ASSURED GUARANTY MUNICIPAL CORP. — ASSURED GUARANTY CORP. — NEW YORK, NY

In Practice
FINANCE | ACCOUNTING | PERSPECTIVES | INTERVIEW
FINANCE
THE CITY OF COLLEGE STATION, TEXAS
Creating a Collaborative Budget Process
BY DARRELL BANKS
Not long ago, the budget
process for the City of
College Station, Texas,
was what Director
of Fiscal Services
Mary Ellen Leonard describes as a
“kind of cloak-and-dagger” affair.
Departments would receive their
projected budgets and then turn in
sheets with their budget requests to
the budget team. A group consisting
of the city manager, the assistant
city manager, the director of fiscal
services, and the budget manager
would then sift through and prioritize
the requests in a closed-door meeting.
The group would leave the meeting
with the completed budget that
had been divined by what people
thought was “some kind of magic
behind the scenes,” Leonard said.
As a result, some departments
would go directly to the city council
with budget requests that had not
been granted, causing unexpected
changes to the budget.
“It was uncomfortable for me.
It went against how I was taught in
the private sector about how things
needed to happen,” Leonard explained.
“It was really kind of odd to me that
we would just go into a room, and I
would come out saying, ‘Go do this.’”
When a newly appointed city
manager tasked Leonard with
improving the city’s FY 2020 budget
process, these frustrations were top of
mind for Leonard and her team.
he request was simple. “He
basically said he wanted me to
figure out how to make the process
collaborative, Leonard said.
Leonard, in partnership with
Erik Walker, city budget manager, took
this directive and developed a process
that Walker describes as “breaking the
mold of what they've done before.”
They call their new process
the Budget Congress.
“We would take a little bit of what had
been done, but then make that secret
room meeting wide open,” Leonard
said. “And that secret room meeting is
what became the Budget Congress.”
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 65

IN PRACTICE | FINANCE
Leonard explained how the new
process works. The directors submit
their priorities, and then the budget
team sets aside some days for each
department to explain their requests in
greater detail and why they matter to the
city manager group. At that point, the
other directors can listen. “They don't
have to be there, but all do show up now,
and they listen to what has happened
with the other departments and what
their needs are,” she said. After that
meeting, the group puts together a
survey form listing the departmental
requests and asks the directors to rank
the requests and tell the group what
they think the city needs.
At this point, some of the directors
take what they’ve learned in the
meetings and confer with their
departmental leadership to reprioritize
their needs before submitting their
survey responses.
“Once I heard the requests of the other
departments, I took that information
back to leaders in my department,
and we looked at those requests and
weighed them against our own needs.
We prioritized what we thought would
be best for the city overall,” Director of
Public Works Emily Fisher said.
The budget team takes those
rankings into the Budget Congress,
attended only by the directors, Leonard
said. The directors look at what
everybody thought their priorities were
and decide if the group agrees. Not only
has this process led to departments
being willing to accept receiving less
than 100 percent of their requests but
being actively involved in advocating
for the needs of other departments
over their own in the interest of the
community.
For example, Police Chief Billy
Couch came to the Budget Congress
this year with a request for a “Canine
Sustainability Plan” (or as Leonard
lovingly calls it, the “Paw Patrol”).
The canine unit received the highest
ranking from all the departments
going into the Budget Congress, but
during further discussions, Couch
changed his mind, realizing that
there was a problem area that needed
to take precedence. At this point, the
directors packaged all the numerous
requests for that area. “Everyone came
to realize that this issue was more
important than they’d realized, and
the budget requests were reprioritized
accordingly,” she explained.
“The Budget Congress gives me an
opportunity to hear other departments’
needs that I wouldn't have been
familiar with at all,” Couch shared.
“Having them come forward and talk
through their priorities and what
they are encountering that they need
budgetary help with is important
because I wouldn't get that information
any other way. It's important for me
not just to be able to sell my needs to
others, but to also sell others’ needs to
my department. My team has buy-in
with the requests that go forward,
knowing that we didn't get our canine
sustainability plan this year because
it was too expensive, and it offset the
important needs of other departments.”
In addition to being a tool to cultivate
buy-in, the open communication the
Budget Congress has fostered has also
opened the door for other creative
solutions.
“The fleet is a commodity we rely
on heavily, and nowadays, everything
with the cars is so technical that the
IT departments are pretty integral into
the field, to make sure those things
stay up and running,” Couch said “It’s
not mechanical anymore. It’s more
technology.”
Couch detailed some of the struggles
his department has had with a
backlog of tickets for fleet service.
“This year, we created a position for a
field tech who would serve the Police
Department in addressing these issues
in our fleet. The IT Department would
need to credential [the position] the
way that they do their employees—but
they’re going to be assigned to the
Police Department to address the
demands of the fleet, so the sense
of urgency needed for public safety
concerns doesn’t interfere with all the
other city’s IT emergencies. They will
just focus on keeping these cars up and
66

unning. And without this meeting,
we wouldn't have had the level of
collaboration needed to talk through
this solution.”
After three years of operations, the
results are easy to see, although the
team admits that success did not come
overnight. It took time.
“I would say it's definitely evolved
over time,” Walker shared. “The
departments hesitated at first just
because it was new, and they weren't
quite sure how this information was
being used.” Some wondered how
honest they should be in an open forum.
Walker vividly remembers the
struggles the first Budget Congress
meeting faced because “there wasn't
necessarily an inflection point, where
a decision would be made on how
to proceed.” He recalled that after a
long period of discussion, one of the
department directors stood up and
moved the conversation along.
“The first year was really painful,”
Leonard agreed, adding that “we in
Fiscal Services didn't want to be the
ones stepping out there, trying to get
people to talk. We didn’t have the clout.
Then the second year was COVID,
and it was all via Zoom. That was also
interesting, because some people
had their cameras on, some people
didn't, and you couldn't get a lot of the
I would say to a budget
director of another city
that didn't have this
that transparency can
be scary, but you're
going to be better off if
you take that leap.”
MARY ELLEN LEONARD
DIRECTOR OF FISCAL SERVICES,
COLLEGE STATION, TEXAS
nonverbal communication feedback.
It has taken some time to be able to
overcome communication challenges
and build the necessary trust.” “True
trust doesn't happen overnight.”
With that in mind, the team shared
their advice for other governments that
want to try implementing a similar
budgeting process.
“It's important to really get down into
the weeds of understanding the other
departments. It starts with just trust
in the directors, and when they make
the presentations, take good notes,
listen, and bring that back home to my
department,” Couch said.
“You can't just drop a new process
on a team and say, ‘This is what
we're going to do now,’” Fisher added.
“Change management, explaining the
process, and cultivating buy-in are all
very important.”
Walker agreed. “No department is
an island,” he said. “Even if you don't
see the immediate impact of what
another department is requesting,
there’s going to be second, third,
fourth order effects down the line.
We might not see it in year one or year
two, but an improvement that another
department is asking for will have an
impact on the city at-large, and it will
affect how your department operates.”
“I would say to a budget director of
another city that didn't have this that
transparency can be scary, but you're
going to be better off if you take that
leap,” Leonard concluded. “You can
lead your city to a more open place
if you do it by example. The most
critical process is the development
of the budget, and if you want a more
transparent, open, and collaborative
city, take that first step.”
Darrell Banks is an intern in GFOA’s
Research and Consulting Center.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 67

IN PRACTICE | ACCOUNTING
ACCOUNTING
Theory in Practice?
GASB’s New Concepts Statement on Note Disclosures and … a Proposal for More Notes!
BY MICHELE MARK LEVINE
In June 2022, the Governmental
Accounting Standards Board
(GASB) issued its latest expansion
of the conceptual framework for
governmental generally accepted
accounting principles (GAAP), Concepts
Statement No. 7, Communication Methods
in General Purpose External Financial
Reports That Contain Basic Financial
Statements: Notes to Financial Statements
(CS7). Concepts statements are not
themselves GAAP standards, of course;
instead, they provide current and future
board members with a framework that
should help to set standards that are
consistent with each other and logically
function together. Also in June, GASB
issued an exposure draft of a statement,
Certain Risk Disclosures (ED), that, if
adopted in final form, would require
new note disclosures. Let’s look at both
and then consider how closely the ED
seems to follow CS7.
What’s in the Concepts Statement?
Much of CS7 carries forward the
preexisting concepts on note disclosures
from GASB Concepts Statement No. 3,
Communication Methods in General
Purpose External Financial Reports That
Contain Basic Financial Statements
(CS3), with few substantial changes.
As part of basic financial statements,
note disclosures remain limited to
information that explains, describes,
or supplements the financial
statements, including:
1. Descriptions of accounting
and finance-related policies
underlying the amounts in the
financial statements.
2. Details and explanations of those
amounts.
3. Information about the financial
position or results of operations
that do not meet the criteria for
recognition (e.g., because they are
not reasonably estimable). 1
CS7 added “other finance-related
information associated with the
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
68

accountability of the government” to
this list. 2 While this is a change from
CS3, it is drawn from existing language
in GASB Concepts Statement No. 1,
Objectives of Financial Reporting, so
it is not a substantive addition to the
objectives of note disclosures so much
as a way of tying them more explicitly
to the overall objectives of financial
reporting.
To the prohibitions against including
“Subjective assessments of the
effects of reported information on
the government’s future financial
position” and “predictions about the
effects of future events on future
financial position” (more on this
shortly), CS7 added a carve-out
explicitly permitting disclosure of
“expectations and assumptions about
the future that are inputs to current
measures in the financial statements
or notes to financial statements.” This
simply acknowledges the extensive
use of estimates throughout financial
statements and the information about
those estimates required under current
GAAP. Additionally, CS7 specifies that
“general or educational information
that is not specific to the government”
is not appropriate for notes. 3
CS7 states that users “are responsible
for (a) obtaining a reasonable
understanding of government and
public finance activities and of the
fundamentals of governmental
financial reporting, (b) studying the
information with reasonable diligence,
and (c) applying relevant analytical
skill.” 4 The same level of user
sophistication was referenced in CS3,
in a slightly different context.
What is new and notable in CS7
is that characteristics of essential
information are included. Like beauty,
GASB’s initial research demonstrated
that essentiality is in the eye of the
beholder. While there is much general
agreement across constituencies that
note disclosures are too voluminous,
seemingly every existing disclosure
has its own cadre of supporters. CS7
tells us that the determination of
essentiality should be based on the
degree to which information (1) has, or
While there is much
general agreement
across constituencies
that note disclosures
are too voluminous,
seemingly every existing
disclosure has its own
cadre of supporters.
is expected to have if it were available,
a meaningful effect on users’ analyses
for making decisions or assessing
accountability, and (2) the breadth
or depth of users expected to use the
information for such analyses. 5
What’s in the Exposure Draft?
The premise of the ED is that
governments should be required to
disclose situations where certain
concentrations or constraints limit
financial flexibility such that the
occurrence of an event may have a
substantial negative effect on the
government’s ability to continue
to provide services and meet its
obligations as they come due. 6 The
ED specifies that the level of services
that were provided in the financial
reporting period is the benchmark
that should be used when determining
if a reduction will be substantial; it
provided no guidance for situations
where the types or levels of services
in the period were unusual (e.g.,
nonrecurring pandemic services and
dedicated funding for them).
Concentrations. Governments are
exposed to risks based on a lack of
diversity in significant revenue
sources or expenses, which may limit
their ability to acquire resources or
control spending. The listed examples
include concentrations of principal
employers, industries, and other
resource providers (taxpayers,
grantors, suppliers), and a workforce
covered by a collective bargaining
agreement. 7 This is analogous to
investment concentration risk in that
the financial health of a government is
highly dependent on a single provider of
funds, labor, or materials.
Constraints. Similarly, governments
are exposed to risks based on
limitations on raising revenue
(property tax caps), spending, and
incurring debt, as well as mandated
spending. As with concentrations, the
ED points out that such constraints
may limit a government’s ability to
acquire resources or control spending
and ultimately its ability to continue to
provide services or meet obligations as
they come due.
Presumably, requiring disclosure of
all such concentrations and constraints
would become “boilerplate,” increasing
the volume of note disclosures without
having “a meaningful effect on users’
analyses.” 9 So the ED proposes to require
disclosure only in situations in which
some specific event that is related to the
concentration or constraint may have a
substantial effect on the government’s
ability to provide services or meet its
financial obligations.
Criteria for disclosure. The ED proposes
to mandate disclosure (discussed
below) when:
• A concentration or constraint is
known to a government prior to the
issuance of the financial statements;
• An event associated with the
concentration or constraint has
occurred or is more likely than not to
begin to occur within 12 months of the
financial statement date, or shortly
thereafter (for which the ED gives the
example of three months); 10 and
• It is at least reasonably possible (the
chance is greater than remote) that
within three years of the financial
statement date, the event will cause
there to be a substantial effect on the
government’s ability to either:
– Continue to provide services at
the level provided in the current
reporting period, or
– Meet obligations as they come due. 11
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 69

IN PRACTICE | ACCOUNTING
The issuance of both a concepts statement on note disclosures
and a proposal for additional disclosures in the same month
seems to beg stakeholders to judge how closely the proposed
standard tracks the concepts statements.
Disclosure requirements. When the
above criteria are met, the ED proposes
to require:
• A description of the concentration or
constraint;
• A description of each associated
event, including:
– That the event has occurred or
is more likely than not to begin
to occur within 12 months of
the financial statement date or
shortly thereafter;
– That it is at least reasonably
possible that within three years of
the financial statement date there
will be a substantial effect on the
government’s ability to either
• Continue to provide services
at the level provided in the
current reporting period, or
• Meet its obligations as they
come due; and
• A description of actions taken
by the government prior to
the issuance of the financial
statements to mitigate the
substantial effect.
Of course, if mitigation actions taken
result in the criteria for disclosure no
longer be met, none of the disclosures
are required. 12 The ED would not
require governments to repeat a prior
period’s disclosure in comparative
financial statements; however, if
the criteria are still met for an event
associated with a concentration or
constraint, that should be included in
the current year disclosures. 13
Use CS7 concepts in developing
ED proposal
The issuance of both a concepts
statement on note disclosures and a
proposal for additional disclosures
in the same month seems to beg
stakeholders to judge how closely the
proposed standard tracks the concepts
statements.
Characteristics of essentiality.
Preliminary to issuing any exposure
drafts, GASB staff members conduct
research on the issue, often including
discussions with relevant parties.
As part of the project that led to the
ED, staff members interviewed
representatives of various user groups.
In addition to the concentration
and constraint disclosures in the
ED, GASB staff had sought feedback
on additional categories of risk
disclosures, risks, and uncertainties
pertaining to significant estimates
and those unique to the government
environment. Feedback showed that
neither a broad range of users across
all user groups (“a breadth of users”)
nor a large proportion of users in a
specific group (“a depth of users”)
said that they expected to use, and
could articulate how they would use,
the information if it were available,
so GASB removed those from further
consideration. 14 Therefore, regarding
the only significant change made by
CS7, the ED proposal can be seen as an
appropriate application of
the new concepts statement.
Predictions. As mentioned above,
CS7 retained and reiterated the
conceptual framework’s warning
against including “predictions about
the effects of future events on future
financial position” in note disclosures.
Nonetheless, that the ED proposes to
require governments to predict both
the likelihood and the magnitude
of future events, 15 which GFOA and
others observe seems like GASB is not
putting their theory into practice.
Michele Mark Levine is the director of
GFOA’s Technical Services Center.
1
GASB Concepts Statement No. 7, Communication
Methods in General Purpose External Financial
Reports That Contain Basic Financial Statements:
Notes to Financial Statements (CS7), paragraph 9.
2
CS7, paragraph 9.
3
CS7, paragraph 10.
4
CS7, paragraph 8.
5
CS7, paragraph 11. The meaning of depth and breadth
of users may be clearer when the terms are used in
context, below.
6
Substantial is not defined in the ED or elsewhere,
but is used in other GASB standards and is intended
to refer to amounts quantitatively greater than the
minimums that would be considered material or
significant; which are themselves equivalent terms
(CS7 nonauthoritative basis for conclusion, paragraph
B31).
7
GASB Exposure Draft Certain Risk Disclosures (ED),
paragraph 4.
8
ED, paragraph 5.
9
See note 5, above.
10
“Event” is not defined (or even explained) in the ED,
although it includes a nonauthoritative appendix with
illustrations where examples of events include (1) a
government’s awareness that a primary taxpayer (the
concentration) was “experiencing significant financial
difficulties” and subsequently filed for bankruptcy (the
event) and (2) the expiration of a labor agreement
covering nearly all firefighters (the concentration) that
could lead to labor disruption (the event).
11
ED, paragraph 6.
12
ED, paragraph 7.
13
ED, nonauthoritative basis for conclusion, paragraph
B11.
14
Based on the writer’s observation, review of
discussion papers, and review of minutes of GASB’s
deliberations at its June-July 2021 meetings.
15
[GFOA’s comment letter has been drafted based on a
AAFRC taskforce discussion of the ED. As soon as it is
approved by the full committee it will be sent to GASB
and posted on our website. A link to that letter should
be included in this note.]
©2022 MICHAEL AUSTIN C/O THEISPOT.COM
70

Helping public finance leaders of of tomorrow through
Helping public finance leaders of of tomorrow through
Academic Scholarships
GFOA provides several scholarship opportuniies for for students interested in in pursuing
GFOA provides a a several career in in scholarship state/provincial opportuniies or or local for government for students finance. interested in in pursuing
a a career in in state/provincial or or local government finance.
“I “I am am incredibly thankful for for GFOA’s generous scholarship for for allowing me me to to
“I “I am am accomplish incredibly my my thankful educaaonal for for GFOA’s goals while generous decreasing scholarship the the for financial for allowing burden me me to to
accomplish of of earning my my the educaaonal the graduate goals degree while required decreasing to to further my financial my career.”
burden
of of earning the the graduate degree required to to further my my career.”
Ashley McGowen, 2020 scholarship recipient
Ashley McGowen, 2020 scholarship recipient
$100,000+
in in scholarships awarded annually.
in in scholarships awarded annually.
Applicaaons open
Applicaaons open
November 1, 1, 2022
November 1, 1, 2022
Apply online
Apply online
gfoa.org/scholarships
gfoa.org/scholarships
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 71

IN PRACTICE | PERSPECTIVE
PERSPECTIVE
The Brave New Frontier of Public Sector Privacy
BY KATHERINE BARRETT AND RICHARD GREENE
Cybersecurity efforts
have been the main
way state and local
governments have tried
to secure data from the
prying eyes of potential malefactors.
But breaches are inevitable—the bad
guys frequently seem to be at least a
little step ahead of the good guys in
that domain. As a result, privacy is the
key for entities that are interested in
taking a prophylactic approach toward
securing confidential records.
It’s no surprise then that a recent
study by the National Association
of State Chief Information Officers
(NASCIO) reported that: “In the last
decade there has been immense
growth in the state chief privacy
officer (CPO) role. As demand
increases for online services and
states capture more personally
identifiable information from citizens,
more states are emphasizing the
importance of privacy.”
The speed with which that title is
gaining currency, at least at the state
level, is impressive, with 21 states
reporting that they had a chief privacy
officer role in May 2022, up from 12 in
2019, according to NASCIO.
At the local level, the chief privacy
officer position is somewhat less
widespread, but that doesn’t mean
cities and counties aren’t carefully
focusing on privacy issues as well—
often through staffers within their
chief information officer’s shop.
“I think the issue of privacy has burst
onto the scene nationally,” said Katy
Ruckle, chief privacy officer for the
State of Washington.
With faith in government at a
historic low, there’s probably been no
better time to reassure people that
governments are being careful with
the reams of data they collect from
them. “Privacy can help build better
trust with the public,” said Daren
Arnold, chief privacy officer for the
State of Ohio. “I think people have this
feeling that they have to turn over
information to whatever government
agency requests it, but they have no
say as to how it’s going to be used. But
if there are proper rules around that
information and if it’s used for the
purpose for which it’s provided, that
will build trust.”
Naturally, finance offices need
to be abundantly careful about
maintaining privacy of the data they
receive directly through one means
or another, from tax returns to bids
for procurements to internal records
©2022 ALEX NABAUM C/O THEISPOT.COM
72

of the finance offices themselves,
such as the social security numbers of
employees.
And that’s just the beginning.
Because finance offices are often
sharing data with other agencies,
they carry the heavy burden of
helping to ensure that information
isn’t revealed to prying eyes. “They
need to have safeguards, to make sure
that information isn’t leaked out,”
explained Amy Glasscock, program
director for innovation and emerging
issues for NASCIO.
“Finance professionals are handling
large amounts of financial information
for individuals,” Ruckle said, “and I’ve
seen cases where large spreadsheets
full of private information have been
generated and sent to the wrong email
address, with the potential that it will
go out to large numbers of people.”
Ginger Armbruster has been chief
privacy officer for the City of Seattle,
Washington, since 2017. Her job is
particularly complicated because
Seattle, like other cities, operates
under the strictures of the state’s open
information laws. That means that if
a city agency gathers information of
any kind, it doesn’t require a hacker to
get to it—it’s open to the eyes of anyone
who requests it. “I have to make
nearly anything that the city creates
available to the public.”
Armbruster provided a particularly
powerful example. The Department
of Transportation in Seattle wanted to
make it easier and safer for children to
walk to school—an estimable goal. As
part of that effort, it issued a survey
that included questions like, “How
do you walk to school?” “What’s your
gender?” “How old are you?” “At what
time do you travel?”
“So, we worked with the department
of transportation, which was very
open to our counsel, and said, you
don’t need to know the exact route any
individual child travels or exactly
when they’re taking that walk. That’s
way too intrusive,” Armbruster said.
“They hadn’t thought about how that
information could be used in bad ways.
They were just trying to protect the
kids, not put them at risk.’”
Privacy shops need to
concern themselves
with two primary
questions: Do we really
need the data in the first
place? and Who should
have access to the data
that’s being collected?
Privacy shops need to concern
themselves with two primary questions.
The first is, “Do we really need the data
in the first place?” With the capacity
of technology to store endless troves
of data, there’s a distinct tendency
toward getting every bit of information
available from anyone interacting
with a state or local government. But
if personal identification data isn’t
necessary for the purpose for which
it’s being collected, then gathering it
in the first place isn’t wise.
Arnold provided another example.
“In the finance space, you don’t need
people to put their social security
numbers on their invoices. There’s
rarely a reason to put that on there.”
The second big question is who should
have access to the data that’s being
collected. Fewer eyes on privileged
data mean it’s less likely to leak out. As
a result, states and local governments
that are concerned with privacy are
careful to make certain that data is
shared only on a need-to-know basis.
“Because privacy is a relatively new
area of focus, people don’t necessarily
realize they shouldn’t provide that
broad access to data,” said Cherie
Givens, chief privacy officer for the
State of North Carolina.
Efforts to maintain privacy have
gotten trickier than ever because the
pandemic led to many public-sector
employees working from their homes.
North Carolina state employees receive
guidance on how to protect state data
when working remotely, Givens said.
“Personal information or personally
identifiable information held by
the state needs to be protected from
unauthorized access by others,
including people in your home.
Your spouse or your children are not
authorized to see state-held personally
identifiable information.”
What are the risks if someone’s
teenage child gets a glimpse of a
spreadsheet? The answer becomes
clear if you think like a chief privacy
officer. “Think about the selfie
generation,” Givens said. “Someone
could take a picture with a laptop in
the background and post it on social
media.” If the laptop hasn’t been
locked, then the information on the
screen could be seen by potential
identity thieves or others who view
this kind of social media post as if it
were a pile of gold dumped in their lap.
Although privacy is clearly an
important goal for a growing number
of state and local governments, like
other government efforts, one major
challenge to progress is the lack of
money necessary to do the work.
Consider the City of Oakland,
California. The city’s Privacy Advisory
Commission has taken important steps
to protect its citizens from the abuse of
data gathered through technology like
automatic license plate readers.
But Joe DeVries, deputy city
administrator and chief privacy
officer, said he’d like cities like
Oakland do more, and he explains
why that hasn’t come to pass yet. “Like
many cities, we’re under-resourced. We
struggle with huge swaths of poverty,
and we have a large vulnerable
population with a lot of needs. What
I’ve observed in my work on privacy
is that it’s hard for people who are
housing the insecure or victims of
violent crime to think of privacy as a
hot topic.”
Katherine Barrett and Richard Greene
are principals of Barrett and Greene,
Inc (greenebarrett.com). and are coauthors
of the recently released Making
Government Work: The Promises and
Pitfalls of Performance-Informed
Management.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 73

IN PRACTICE | PERSPECTIVE
PERSPECTIVE
Recycling the Muni Exemption Debate
BY JUSTIN MARLOWE
With a bit of late
summer, premidterm
election
legislative
maneuvering,
Congress passed the Inflation
Reduction Act of 2022 (IRA). Critics
and defenders of the law both seem to
agree that its name doesn’t describe
its main objective. In fact, the IRA is
really a climate bill. It calls for $737
billion in new spending over the next
decade, most of it for climate-focused
investments like energy security,
climate adaptation, and drought
resiliency.
As is often the case with major pieces
of federal legislation, IRA’s unintended
consequences could far outweigh
its intentions. That’s especially true
for state and local finance. If IRA
works as intended, we’ll see a lot more
wind farms, solar panels, recycling
facilities, and electric vehicles. But this
legislation might also inadvertently
reopen a longstanding and acrimonious
debate about the federal government’s
role in the municipal bond market.
IRA doubles down on many of the
Biden Administration’s core principles
around climate adaptation. One of
those principles is “carrots before
sticks.” President Biden and many
Congressional leaders have said
they’d much prefer to encourage
businesses and individuals to invest
in clean energy than to discourage
fossil fuel use through a carbon tax
or other “sticks.” The challenge with
this approach is that the federal
government’s main tool—in many ways
its only tool—to that end is tax subsidies
©2022 DANIEL HERTZBERG C/O THEISPOT.COM
74

that encourage investment by reducing
an individual’s or business’s federal
tax liability. We know from decades of
research that tax preferences of that
sort are a decidedly imperfect way to
encourage investment. But despite
those imperfections, IRA includes more
than $200 billion for energy-related tax
subsidies over the next decade.
Tucked into IRA’s arcane details are
two subtle but enormous shifts that
chart a new course for these types
of energy tax subsidies. One is that
IRA allows a business that’s received
many of these credits to sell or transfer
those credits to “unrelated parties.”
This is similar to affordable housing
tax credits, where developers that
seek to build or rehabilitate affordable
housing receive the credits and sell
them to investors. That upfront capital
from investors is often what makes
a project profitable. Before IRA, most
energy-related tax credits were not
transferable. Now they are.
But IRA doesn’t stop there on
transferability. It goes a monumental
extra step by defining “unrelated
parties” for some credits to include
tax-exempt organizations. Broadly
speaking; that could include state and
local governments, public pension
funds, nonprofits, and philanthropies,
among others.
That begs an obvious question: Why
would a local government that doesn’t
pay federal income taxes buy federal
income tax credits?
The answer is IRA’s other big change.
It allows tax-exempt entities to convert
certain climate-focused subsidies
into “direct pay” credits. A direct pay
tax credit allows the holder to redeem
that credit for a direct payment from
the federal government. No need to
file income taxes. Just request a check
directly from Uncle Sam.
Direct pay is not new to municipal
finance generally, and definitely not
to the municipal bond market. Muni
veterans will remember Build America
Bonds, a brief experiment with direct
pay brought about by President Obama’s
2009 stimulus. In that program, states
and localities issued taxable bonds,
This legislation might
also inadvertently
reopen a longstanding
and acrimonious debate
about the federal
government's role in the
municipal bond market.
and then received a payment from the
federal government roughly equivalent
to the foregone income taxes that would
have been claimed by investors if the
bonds had been tax-exempt. Federal
law has also allowed forms of tax credit
bonds where investors in taxable
munis receive a tax credit rather than
tax-exempt interest. Programs like
the Qualified Zone Activity Bonds
for schools and the Qualified Energy
Conservation Bonds for economic
development projects made use of this
tax credit structure.
If we take this combination of
transferability and direct pay to its
logical end, we can concoct a few
hypothetical—but likely—scenarios.
Imagine, for instance, that a developer
receives tax credits to build a solar
farm. It builds that farm and then sells
it to a public employee pension fund.
That pension fund converts those
credits to direct pay credits, and in turn
leases the farm back to the developer.
The developer then sells the power
generated by that farm to a utility and
realizes additional credits for power
production. The pension fund converts
a small financial investment into a
reliable revenue stream and new clean
energy. The developer makes money on
an otherwise risky project.
One can imagine similar scenarios
with wind farms, electric vehicle
charging stations, and other
infrastructure investments, with
many types of tax-exempt entities as
the counterparty. Imagine a wind farm
owned by a rural county government
and used to power an Amazon data
center. Or high-capacity battery
production in a rehabilitated factory,
heavily subsidized by a major local
foundation, in a city in the old industrial
Midwest. And so forth.
Whether governments and
nonprofits ought to make these types
of investments is an important policy
question. State and local policymakers
around the country will now inevitably
take up that debate.
The more immediate question for
municipal finance is what will happen
if IRA normalizes the large-scale state/
local government use of direct pay
credits? Critics of traditional taxexempt
municipal bonds have hoped for
precisely that for decades. They’ve long
argued that we ought to replace most
municipal bonds with a taxable, direct
subsidy structure, which they consider
much more efficient than the status quo.
Proponents of traditional tax-exempt
munis have pushed back, pointing out
that many small and infrequent muni
issuers would flounder in a taxable
bond-direct pay market. They also point
out that uncertainty about the federal
government’s long-term commitment to
making those direct payments is a major
deterrent for many government issuers.
The BABs experience, where the federal
subsidy payments routinely become
ensnared in federal deficit reduction
plans, only underscores that concern.
So, the stage is set. State and local
governments have new tools that will
allow them to play a much greater role
in clean energy production. That’s a top
priority for many governors, mayors,
and other state/local policymakers, so
it seems inevitable that many will use
those tools to the greatest extent possible.
But using those tools could upend
municipal finance as we know it.
For details about the IRS, see
Galen McDonald’s article on page 11
of this issue.
Justin Marlowe is a research professor at
the University of Chicago, Harris School of
Public Policy, and a fellow of the National
Academy of Public Administration.
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 75

IN PRACTICE | INTERVIEW
with Veronica Carrillo, Fiscal Administrator
for the City of San Antonio, Texas
Veronica Carrillo grew up surrounded by family in a
Hispanic neighborhood on the west side of San Antonio.
Her home was on a block where many aunts, uncles,
cousins, and grandparents lived just a yard over or down
the block. GFOA’s Timothy Martin spoke with Veronica
as part of GFOA’s FINE(ance) Fridays podcast series
about how her tight-knit family kept her centered and
grounded, how her father worked multiple jobs to ensure
his children would have opportunities for a better life, and
how his advice led her into a long, varied, and satisfying
career with the City of San Antonio, Texas.
Let’s start out by talking about
a conversation you had with
your dad.
I have shared this story with leaders
and people I mentor because I think it’s
important. As leaders, we should make
an effort to understand people’s perspective “windows”
and then look for ways to help open those windows to new
opportunities.
I remember cleaning offices with my father and one night
when we were emptying trash, he told me I should study
accounting. When I asked why, he said he’d noticed a few
things. We were working in the accounting area, and he
had noticed that a lot of ladies worked there, they seemed
to have reasonable hours, and they wore suits. I don't know
if I would tell a young woman that today, but my father
envisioned a better life for his daughter that included a
better work environment and a position of respect. That
was my dad’s perspective window.
So, with my first job at the City of San Antonio, as a fiscal
officer in the Finance Department, I thought that I had
made it. My father’s guidance got me there, but it could
only take me so far. Thankfully, I have been fortunate to
also have other mentors that have shared other “windows”
that have helped guide me and further my career.
76

When you were in college, what
were you thinking about the
future? A lot of college students
don't know what they want to do
with their lives.
In my junior year of college, my father
sat me down and told me his insurance
would only cover me until I turned
21. He made sure I understood that I
needed to find a job with insurance.
That’s a real “dad” piece of advice!
I remember realizing that I needed to
stay on task and on schedule, and that's
what I did. When I graduated, I set out
to find a job with good benefits and the
opportunity for growth.
After college, you spent six years
at Kroger. Were you in a corporate
office or in a store?
At the time, I worked in-store
operations, where I managed people
on the front lines. I had just turned
21 and was responsible for about
$15 million in inventory, much of
which was perishable. As part of a
six-month training program, I learned
about customer service, inventory
management, cash controls, and how
to manage and lead a team. At any
given time, I had between 150 and 200
employees and between six and eight
division managers.
What did you learn from that
experience?
One of the most valuable lessons
I learned during my experience at
Kroger was the power of my words.
My first year on the job was not my
shining moment. As a young manager,
I said things then that I would not say
today. I was fortunate that I learned
early in my career that the choice and
tone of my words can impact, inspire,
and influence others.
It seems like your experience
at Kroger was a good setup for
where your career ultimately led.
Definitely. Eventually, we returned
to San Antonio. It was important
to me that our son experience the
kind of family environment that
I had experienced growing up,
surrounded by cousins, aunts, and
uncles. I will always be grateful to
the Kroger Company for providing
a solid foundation for my career. I
carried over my skills in customer
service, inventory management, cash
controls, and employee management
to my positions here at the City of San
Antonio. These are foundational skills
for any organization, including local
government.
What did your parents think about
your career?
My parents are very proud of my career
and service to the city. And my dad is
aware that I still wear suits some days!
They have also been very supportive
and respectful of my decision to be a
working mother.
You've talked about the importance
of getting to know people and
expanding that network. How
important has that been for you?
It has been key. One of the first
organizations I was introduced to
when I began working for the City of
San Antonio was GFOA. GFOA was
introduced to me by our finance
director, who was working on a bid
for the 2005 annual conference. In
the past, I have often said that I have
grown up not only with the City of San
Antonio, but also with my colleagues
at GFOA. My involvement at GFOA has
been gradual, starting with assisting
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 77

IN PRACTICE | INTERVIEW
with the host committee, then serving
on the budget committee, followed
by serving on the nominating
committee, and then serving on the
executive board. Being part of GFOA
has been a real honor.
As you climbed the ladder in San
Antonio, you also climbed the
ladder as a member of GFOA.
It's great to see that you looked
at and took advantage of the
opportunities that members
have with GFOA. Members can
network as well as do more
advanced things within the
organization—and you’re such a
great example of how a member
can start at the beginning and
work their way up to even joining
the board.
Thank you for saying that. I believe
that success anywhere starts with
getting involved and engaged. This
has been a process over the last
20-plus years. My career has been
more rewarding because I had the
opportunity to work with incredibly
bright individuals and provide service
to our communities. These things give
purpose to the work we do.
Looking at your 24-year career
so far at San Antonio, you've had
several positions: fiscal officer,
public utilities manager, fiscal
administrator, assistant director
of the city center development
operations, all the way up to
managing grant money for the
city’s COVID-19 Executive Office.
You’ve had a lot of responsibilities
and opportunities along the
way. What are some of the most
rewarding moments for you?
Throughout my 24-year career
with the City of San Antonio, there
have been a lot of career highlights.
Implementing our city's fiscal shared
services program is definitely at
the top of the list. For this project,
we had implemented SAP and were
struggling with departments operating
in silos. We implemented a shared
services program to standardize our
fiscal business processes across our
organization. We also standardized
positions and finance processes for
functions including accounts payable
and accounts receivables across the
organization.
We have seen significant results with
improved audits. I spent 10 years
leading the fiscal shared services
program, and it is a great honor to
now see our fiscal administrators do
so well. I find working with people
and watching them develop and
succeed incredibly rewarding. This
program has provided a career path for
individuals in fiscal operations, and it’s
great for our team members and the
City of San Antonio.
Did you experience any pushback?
It is not always fun reapplying for new
positions at work. There is always a lot of
anxiety surrounding this, but we always
try to take measures to mitigate stress.
We kept a bigger picture in mind, and
the success of shared services depended
on collaboration, communication,
and demonstrating the benefits of the
program. Fiscal staff were able to see a
career path and realized that everyone
would be treated equitably across the
organization. Many people ended up
with opportunities for promotions. It
took a little while, but after a year or two,
team members and departments started
getting excited about the program and the
opportunities that were available to them.
To touch on another subject: You
got your master’s degree relatively
recently, which had to be a challenge.
Why did you decide to do it?
When I became a GFOA executive board
member, I felt that my education credits
needed to be better aligned with my
professional career accomplishments.
This was something I had always wanted
to do, so I returned to the University of
Texas in San Antonio and completed the
Executive MBA program. As with most
things in life, the second time around
benefitted from my life experience and
the perspective that comes with that
experience.
Timothy Martin is GFOA’s senior
manager for member engagement.
FINE(ance) Fridays
This interview was adapted and condensed from an episode of
GFOA’s FINE(ance) Fridays. Keep a look out for our new season,
starting soon and available wherever you listen to podcasts.
gfoa.org/fineance-fridays
78

Welcome to New Orleans!
GFOA is excited to bring in-person training to The Big Easy,
December 12-15. The following courses will be offered:
Accounnng for Capital
Assets
December 12
Revenue Policies
December 12-13
Advanced Governmental
Accounnng
December 13-15
Role of the Finance Officer
in the Budget Process
December 14-15
Register at
gfoa.org/events
OCTOBER 2022 | GOVERNMENT FINANCE REVIEW 79

10 STEPS
to Taming Interruptions
and Preventing Rework
Behind meetings, interruptions
and rework are the leading
causes of wasted time for
many GFOA members. Our
poll showed that more than
a quarter of respondents
rated interruptions as the
most annoying source of lost
time at work—again, right
behind meetings. Rework—
when you have to do a task
over again because it wasn’t
done right the first time—is
pretty annoying as well and
is a frequent consequence of
interruptions.
Here is a checklist with
5 recommendations to
minimize interruptions
and 5 recommendations
to avoid rework.
1
Designate physical
no-interruption zones in
your office. This could be dedicated
physical space or an agreement to
respect time blocked out on calendars
as “no interruption.”
2
Create checklists that
describe critical but easily
overlooked tasks for work processes
that are interruption prone.
3
Adjust the settings on
your electronic devices
and apps to eliminate cues (beeps,
lights, icons) to engage in low- or
no-value activities.
4
Find ways to make using
your devices and/or apps
slightly more unreachable—
just enough that checking them is no
longer habitual but now takes
conscious effort.
5
Create opportunities for
the necessary occasional
diversions from work that
have less potential to degenerate into
long periods spent on unproductive
apps. Examples might be keeping an
enjoyable book or magazine nearby
for a planned break.
6
Collect data on work
defects, including where in
the process the defect is discovered,
where the error that creates the defect
occurs, and how common it is.
7
Strive to understand what
truly caused the defect.
Conduct a simple root
cause analysis by using “the 5 Why’s”
or similar approach.
8
Establish written standard
operating procedures that
describe clear standards for
how processes should be performed.
9
Use visual controls such
as conditional formatting
and check cells in Excel, and
visual warnings for values for out-ofparameter
values in the ERP system.
10
Employ mistakeproofing
strategies to
avoid rework, including
using data validation rules and locking
cells in Excel, as appropriate, and using
automated entry of fields to eliminate
human intervention.
For more information on how to
reclaim wasted time at work, visit
gfoa.org/timebackchallenge.
©2022 CHRIS GASH C/O THEISPOT.COM
80

November 14-15, 2022 | Washington D.C.
A stronger nation starts
with a stronger infrastructure
State and local governments are armed with a $550 billion influx of federal infrastructure
funds at a time when getting the country’s infrastructure into proper shape is just the
start to meeting future challenges. For the first time ever, The Bond Buyer will convene
key experts and industry innovators to dive deep into all the complexities of these
endeavors at its exclusive INFRASTRUCTURE conference.
Use promo code: GFOAVIP
Register and join hundreds of muni leaders
https://conference.bondbuyer.com/infrastructure
Questions about the event? Contact Ryan Fallon at(212)-803-8817 | Ryan.fallon@arizent.com