Accendo Reliability

Your Reliability Engineering Professional Development Site

by Greg Hutchins

US Federal Enterprise Risk Management Requirements

Guest Post by Greg Hutchins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Last year, we reported that the White House Office of Management and Budget (OMB, part of the Executive Office of the President) is requiring US departments to design and implement Enterprise Risk Management (ERM). The requirements are part of OMB Circular A-11, Section 270 – Performance and Strategic Reviews.

US Departments are:

expected to manage risks and challenges related to delivering the organization’s mission. ERM is a strategic discipline that can help agencies to properly identify and manage risks to performance, especially those risks related to achieving strategic objectives.

ISO 31000 IS THE REFERENCE RISK MANAGEMENT FRAMEWORK

ISO 31000 is the core reference standard in the OMB circular. The circular also spells out the ISO 31000 core principles for effective risk management:

  • Creates and protects value;
  • Is an integral part of all organizational processes;
  • Is part of decision-making;
  • Explicitly addresses uncertainty;
  • Is systematic, structured, and timely;
  • Is based on the best available information;
  • Is tailored and responsive to the evolving risk profile of the agency;
  • Takes human and cultural factors into account;
  • Is transparent and inclusive;
  • Is dynamic, iterative, and responsive to change;
  • Facilitates continual improvement of the organization.

Full Text of OMB ERM Requirements

Enterprise Risk Management 

270.24 What is Enterprise Risk Management (ERM)? 

Risk is the effect of uncertainty on objectives. Risk management is coordinated activity to direct and control challenges or threats to achieving an organization’s goals and objectives. Enterprise risk management (ERM) is an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically-aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize and manage risks to mission delivery. While agencies cannot mitigate all risks related to achieving strategic objectives and performance goals, they should identify, measure, and assess challenges related to mission delivery, to the extent possible. [1]

[1] These terms have been defined in various non-government sources, such as but not limited to International Organization for Standardization 31000; NCHRP 08-93, “Managing Risk Across the Enterprise”; and A Guide to the Project Management Body of Knowledge, Fifth Edition.

Effective risk management:

  • creates and protects value;
  • is an integral part of all organizational processes;
  • is part of decision-making;
  • explicitly addresses uncertainty;
  • is systematic, structured, and timely;
  • is based on the best available information;
  • is tailored and responsive to the evolving risk profile of the agency;
  • takes human and cultural factors into account;
  • is transparent and inclusive;
  • is dynamic, iterative, and responsive to change;
  • facilitates continual improvement of the organization.

270.25 How is ERM relevant to strategic reviews? 

Agencies are expected to manage risks and challenges related to delivering the organization’s mission. ERM is a strategic discipline that can help agencies to properly identify and manage risks to performance, especially those risks related to achieving strategic objectives. An organizational view of risk positions the agency to quickly gauge which risks are directly aligned to achieving strategic objectives, and which have the highest probability of impacting mission. When significant, prioritized risks are vetted and escalated appropriately, challenges and opportunities can be routinely analyzed and incorporated into performance plans. When well executed, ERM improves agency capacity to prioritize efforts, optimize resources, and assess changes in the environment. Instituting ERM can help agency leaders make risk-aware decisions that impact prioritization, performance and resource allocation. 

270.26 What are the key roles of risk managers at an agency? 

Enterprise risk managers, who may be referred to as the Chief Risk Officer (CRO) in some agencies, champion agency-wide efforts to manage risk within the agency and advise senior leaders on the strategically-aligned portfolio view of risks at the agency. The responsibilities of managing risk, however, are shared throughout the agency from the highest levels of executive leadership to the service delivery staff executing Federal programs.

While agencies are not required to have a CRO or enterprise risk management function, they are expected to manage risks to mission, goals, and objectives of the agency. Where applicable, a CRO or other person designated with these responsibilities may serve as a strategic advisor to the COO and other staff on the integration of risk management practices into day-to-day business operations and decision-making. An effective enterprise risk manager does the following:

  • Develops, manages, coordinates, and oversees a comprehensive system for proactively identifying, prioritizing, monitoring, and communicating an organization’s enterprise-wide risks. Such risks include relevant strategic, operational, financial, and programmatic barriers as well as reputational risks that could interfere with an organization’s defined strategic objectives or performance goals.
  • Oversees the development and use of a robust set of risk management indicators that are representative of organizational operations and prioritized risks.
  • Establishes and provides oversight of policies that enable consistent use of enterprise risk management principles and supports an integrated view of risk across the organization.
  • Ensures the incorporation and dissemination of enterprise-wide risk management protocols and best practices appropriate for the whole organization to reduce duplication of effort and improve agency performance.
  • Establishes the procedures for determining the amount of risk an agency will accept or mitigate, including the manner in which these elements of the decision-making process are documented.
  • Creates and maintains institutional capacity and accountability for risk management through the exchange of information, knowledge, education and training staff.

270.27 What other guidance does OMB provide agencies regarding risk management concepts discussed in this Circular? 

OMB provides agencies with guidance related to risk management in some specialized areas.

Agency activities designed to reduce risks are influenced by numerous factors, including Congressional priorities, information on the degree of risk faced by different populations, entities, or individuals, resources available, and the ease of implementing chosen priorities. Recognizing the diversity of documents that stem from risk analysis techniques, this memo reinforces generally-accepted principles for risk analysis related to environmental, health, and safety risks.

Federal credit programs are intended to accomplish a variety of social and economic goals. To support agencies’ efforts to effectively and efficiently manage programs, the Circular includes guidance for objectives that agencies should achieve with respect to risk management, data reporting, and use of evidence to improve programs through regular program reviews. It also established the Federal Credit Policy Council, an interagency collaborative forum for identifying and implementing best practices.

This guidance defines management’s responsibility for internal control and risk management in Federal agencies and outlines requirements for conducting management’s assessment of internal control over operations, financial reporting and compliance objectives.

270.28 What is the difference between internal control (per OMB Circular A-123) and Enterprise Risk Management? 

Enterprise Risk Management is not the same as internal control. OMB Circular A-123 focuses on the management of internal controls to support reasonable assurance that management has met three objectives of internal controls: [2]

[2] For more on internal controls, reference GAO http://www.gao.gov/greenbook/overview. Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.

  • Operations – Effectiveness and efficiency of operations
  • Reporting – Reliability of reporting for internal and external use
  • Compliance – Compliance with applicable laws and regulations.

Enterprise Risk Management (ERM) is a strategic business discipline that addresses a full spectrum of an organization’s risk, beyond internal controls. This encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.). The ERM discipline is carried out by following a process that prioritizes and manages risk exposure as an interrelated risk portfolio (e.g., information technology, human capital, privacy, grants, facilities) rather than as individual silos (e.g., financial risk and reporting). In other words, ERM pulls all the risks together from various parts of the organization to ensure that a portfolio view of risk is available at the highest levels of leadership to help inform decision-making.

Both ERM and internal control activities provide risk management support to an agency in different but complementary ways. ERM does not exclude internal control activities nor is ERM the absence of internal control. ERM embraces the disciplined foundation of A-123 policy on internal control, which includes structure and staff awareness of good controls, procedures, accountability and program management. Because ERM draws on an interrelated risk portfolio, it is important to understand the controls related to key organizational risks and how these controls can be used to mitigate or reduce the level of exposure to risk.

Filed Under: Articles, CERM® Risk Insights, on Risk & Safety Tagged With: Risk management process

About Greg Hutchins

Greg Hutchins PE CERM is the evangelist of Future of Quality: Risk®. He has been involved in quality since 1985, when he set up the first quality program in North America based on MIL-Q-9858 for the natural gas industry. MIL-Q-9858 became ISO 9001 in 1987.

He is the author of more than 30 books. ISO 31000: ERM is the best-selling and highest-rated ISO risk book on Amazon (4.8 stars). Value Added Auditing (4th edition) is the first ISO risk-based auditing book.


© 2025 FMS Reliability · Privacy Policy · Terms of Service · Cookies Policy