US Government ERM Requirement Finalized

Guest Post by Greg Hutchins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

We’ve been discussing how ISO 9001:2015 has adopted Risk Based Thinking that will impact 1.2 million companies.  ISO 14001:2015 will impact 400,000 companies.  Now, government agencies are adopting and putting into statute risk management.

We’ve been talking up the fact the US government is requiring Enterprise Risk Management (ERM), specifically Office of Management and Budget Circular OMB A 123, of all US departments.  This is a game changer for federal agencies.  In this article, we’ll look at some of the significant changes in ERM for Federal agencies.

WHAT’S DRIVING THE EMPHASIS ON ERM?

Government throughout the world are all facing the same challenges, specifically:

• Need to do more with fewer resources.
• Achieve strategic and tactical objectives more effectively and efficiently.
• Be able to anticipate events that may disrupt operations.
• Be able to manage operations due to increasing complexity driven by technology.

The solution is to design and deploy Enterprise Risk Management (ERM) capabilities that are coupled with strategic planning and strategic review process so the government organization can improve mission delivery, reduce costs, and focus on the approrpriate control to mitigate risks .  This is a tall order.

SO, WHAT DOES ERM LOOK LIKE IN A FEDERAL AGENCY?

Federal executive management is responsible for:

• Establishing mission critical operating business objectives.
• Ensuring compliance with laws and regulations.
• Managing expected, unexpected, and unanticipated events.
• Establishing risk management practices to identify, assess, respond, and report on risks.
• Identifying previously unknown opportunities to improve effectiveness, efficiency, and economics of operations.
• Designing and deploying internal controls to achieve operational, reporting and compliance objectives.

FEDERAL ERM FRAMEWORK

The Federal risk management framework is showed below.  The framework has an ISO 31000 or COSO ERM ‘look and feel.’  The risk framework is composed of the following elements:

• Establish the context.  Understanding the internal and external organizational environment.
• Risk identification.  Using a logical approach can look at upside risk opportunities or downside consequences.
• Analyze and evaluate risks.  Assess the likelihood and consequence of the risk occurring.
• Develop alternatives.  Assess the a range of risk response options based on the organizational risk appetite.
• Respond to risk.  Implement the best alternative options discussed in the previous element.
• Monitor and review.  Evaluate risk management performance to determine if it is mitigating risks within risk appetite of the organization.
• Continuous risk identification.  Is an iterative process to evaluate risks and controls.

An important element of the framework is the concept of the extended enterprise.  The risk environment is beyond the boundary of the enterprise.  This is important to understand because this means that an organization may have to extend the risk environment or boundary into the supply chain and bring interested parties into the scope of the ERM.

So, how do you get a copy of the OMB A 123?  Go to: White House A – 123 Circular.

Tell us what you think?