OMB Circular No. A-123: Management's Responsibility for Enterprise Risk Management and Internal Control

Association for Federal Enterprise Risk Managers

November 7, 2016

From 1-2-3 to E-R-M



Enterprise Risk Management and A-123

CXO/Operations Support

• ERM has been a common practice in the private sector for years now, and is not entirely new to government

• Risk management as a government program management practice is currently in use.

• For example, the Department of Treasury has a Chief Risk Officer who is charged with providing risk management across the department

• This Circular A-123 guidance includes ERM, which builds on these best practices and requires their use across the government

• ERM consolidates all the challenges from various parts of the organization to ensure that a portfolio view of risk is available to the highest levels of leadership


Enterprise Risk Management and Internal Control

Risk is the effect of uncertainty on objectives. It is typically addressed within functional, programmatic, or organizational silos.

Enterprise Risk Management is: “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals, and objectives.”

Internal Control is a process effected by an entity’s oversight body, management and personnel that provides reasonable assurance that the objectives of an entity will be achieved. (GAO Green Book)

A process to help achieve objectives (GAO Green Book)

In other words, things you do to make sure good things happen and bad things don’t.

Internal Control System is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved. (GAO Green Book)

Outcomes and Benefits of ERM

Benefits:

• An increased likelihood of successfully delivering on agency goals and objectives

• Allows for increased preparedness before adverse events occur which helps minimize surprises and losses

• Provides a holistic view of risks and interdependencies

• Helps align and allocate resources

• Improves operational effectiveness and efficiency

• Reduces decisions based on risk aversion

• Improves stakeholder confidence and trust

Illustrative Example of an Enterprise Risk Management Model

1. Establish Context

2. Identify Risks

3. Analyze and Evaluate

4. Develop Alternatives

5. Respond To Risks

6. Monitor and Review

Communicate and Learn

Outcomes:

• An increased likelihood of successfully delivering on agency goals and objectives.

• Fewer unanticipated outcomes encountered.

• Better assessment of risks associated with changes in the environment.

What Is Required to Implement ERM?

• Risk Profiles: Establish a “risk profile” with the following components:

  • Identification of Objectives

  • Identification of Risk

  • Inherent Risk Assessment

  • Current Risk Response

  • Residual Risk Assessment

  • Proposed Risk Response

  • Proposed Risk Response Category

• Integration: Risk profiles to be integrated with management evaluation of Internal Control (Reasonable Assurance Process)

• Disclosure: A-123 recognizes that the risk profiles will often include pre-decisional, sensitive and confidential information, and therefore will need to be treated as sensitive decision-making documents. Agencies should consult with their OGC when making determinations on disclosures.

The Current Risk Environment

CXO/Operations Support

• The Federal government is facing greater change than at any other point in time

• Current budget realities mean agencies compete for limited resources as never before

• Budgets will go to those who best show value

• There is greater scrutiny and expectations from internal and external stakeholders for agencies to respond to risk faster and more effectively

• The continual focus of risk management on financial areas has limited the broader considerations of risk within organizations

Major Management Challenges

Could they have been avoided?

Could the impact have been minimized and more manageable?

What will be next?

OMB Circular No. A-123 History

• 1981 – OMB First Issued Circular No. A-123, Internal Control Systems

• 1982 – OMB Issued Internal Control Guidelines and the Federal Managers Financial Integrity Act (FMFIA) was enacted

• 1983 – OMB Issued an Updated Circular No. A-123, Internal Control Systems

• 1986 – OMB Updated A-123 to Require Management Control Plans to guide efforts

• 1995 – OMB Updated A-123, Management Accountability and Control to reflect Government Performance and Reporting (GPRA), Chief Financial Officers (CFO) Act, Inspectors General (IG) Act

• 2004 – OMB updated A-123, Management's Responsibility for Internal Control to reflect new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002; added Appendix A, Internal Control Over Financial Reporting.

• 2005 – CFO Council Issued A-123 Appendix A Implementation Guide and OMB Required Appendix A Implementation Plans

• 2006 – OMB First Issued A-123 Appendix B for Government Charge Cards and Appendix C for Improper payments (Appendix C updates 2006 to 2014)

• 2013 – OMB First Issued A-123 Appendix D for Compliance with the Federal Financial Management Improvement Act (FFMIA).

• 2014 – OMB updated A-11, Preparation, Submission, and Execution of the Budget and includes Enterprise Risk Management and Internal Control

• 2016 – OMB updated A-123, Management's Responsibility for Enterprise Risk Management and Internal Control

Expanding on the Green Cube To Include ERM

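[Figure: internal control cube expanded to include ERM. Components: Control Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Organizational levels: Entity, Division, Operating Unit, Function.]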

2017 Requirements of A-123

Incorporating Strategic Objectives

2016 Update to A-123

The organization of internal controls as introduced in the 2014 Green Book

The inclusion of a strategic process to risk management and internal control

The introduction and refinement of ERM components to be integrated into existing internal control processes

Federal Performance Framework

[Figure: Federal Performance Framework. Goal levels: Strategic Goals, Strategic Objectives, Agency Priority Goals (APGs), Performance Goals, Cross-Agency Priority Goals (Mission-focused, Management). Phases: Planning; Evidence, Evaluation, Analysis, and Review; Reporting. Items shown, with cadences of every 4 years, annually, or quarterly: Agency Strategic Plan, Annual Performance Plan, APG Action Plan Updates, Strategic Reviews, APG Quarterly Reviews, Annual Performance Report, APG Quarterly Progress Updates, Federal Performance Plan, CAP Goal Action Plan Updates, CAP Goal Reviews, CAP Goal Progress Updates. Feedback labels: Management feedback, Stakeholder feedback. Caption: Decision-making and Learning to Improve Outcomes and Productivity: operational, policy, and budget decisions; and updates to plans including milestones and improvement actions.]

ERM and Internal Controls

[Figure: relationship of Governance, Enterprise Risk Management, Risk Management, and Internal Controls, with regions labeled "A-123 Prior to 2016" and "A-123 Future State". Source: Based on COSO]

Office of Management and Budget

Director / Deputy Director

Resource Management Offices (Budget): Natural Resources, Energy & Science Programs; Education, Income Maintenance & Labor Programs; Health Programs; General Government Programs; National Security Programs

OMB-Wide Support Offices (M and B): General Counsel; Economic Policy; Budget Review; Legislative Reference Division; Office of Legislative Affairs; Management and Operations; Performance and Personnel Management; Strategic Planning & Communications

Statutory Offices (Management): Office of Federal Financial Management; Office of Federal Procurement Policy; Office of E-Gov & IT; Office of Information & Regulatory Affairs; Office of Intellectual Property Enforcement

Addressing Risk as Part of Strategic Reviews

After the passage of the GPRA Modernization Act, OMB established annual Strategic Reviews. These reviews are an annual assessment which synthesizes broad sources of evidence to inform budget, legislative, and management decisions.

• One of the priority maturity areas is to better manage risks to goal achievement.

Components of a Strategic Review


A-123: The Foundation for ERM

Strategic Decisions (OMB A-11): Mission/Vision; Goals/Objectives; Strategic Reviews

Budget Decisions (OMB A-11): Policy; President's Budget; Congressional Justification

Program Management (OMB A-11): Agency Priority Goals; Cross Agency Priority Goals; Fed Stat

CXO/Operations Support (OMB A-123): Operational Control Objectives; Reporting Control Objectives; Compliance Control Objectives; Risk Assessments

Risks and Uncertainty: Strategic, Operational, Reputational, Financial, Etc.

OMB Circular A-123 and Playbook External Rollout Plan

Overlapping and Concurrent Outreach Approach

• Continue to participate in AGA, PPS, AFERM and other public events.

• Internal Briefings: Focused on CFO Act Agencies and Small Agencies.

  o Schedule will be coordinated with PIC and RMOs.

  o CFO Act Agency schedules will be coordinated through OMB through designated POCs.

  o Small Agency schedule will be coordinated through Small Agency Council, and other venues

• OMB Follow-up: OPPM and OFFM will work with agencies to address key challenges and gaps, including developing a plan for providing targeted training and supporting agency resource needs.

• Post-transition Guidance: OPPM will lead development of guidance to agencies following the transition for consideration of risk as part of the annual Strategic Reviews, new Strategic Plans, and budget process.

• Town Hall briefings: OMB will provide status updates and address commonly asked questions and concerns to Public and Government.

[Figure: overlapping outreach tracks labeled Public Events, CFO Act Agency Events, Small Agency Events, and Town Hall]

Internal Control Over Financial Reporting

External Financial Reporting Objectives

Internal Financial Reporting Objectives

External Non-Financial Reporting Objectives

Internal Non-Financial Reporting Objectives


Source: COSO

Revised OMB Circular A-123 ERM and Internal Control Requirements

Timeline markers: September '16; June '17; Sept '17; Annually, June 3, 20XX

ERM Implementation Plans: Agencies are encouraged (not required) to develop an approach to implement Enterprise Risk Management. Timing: as soon as practicable, prior to June Initial Risk Profile deliverable.

Internal Control Assessments in Accordance with 2014 Updates to GAO Green Book: Agencies must complete updates to their internal control assessments in accordance with the 2014 updates to the GAO Green Book, which expanded the scope of internal control assessments from the 5 components to the 17 principles of Internal Control.

Initial Risk Profile: Agencies must complete their initial risk profiles in coordination with the agency Strategic Reviews. Key findings should be made available for discussion with OMB by May 15, 2017 as part of the Agency Strategic Review meetings and/or FedSTAT.

Integration with Management Evaluation of Internal Control: For those risks for which formal internal controls have been identified as part of the Initial Risk Profile in FY 2017, assurances on internal control processes must be presented in the Agency FY 2017 Annual Financial Report (AFR) or Performance and Accountability Report (PAR).

Updated Risk Profile: No less than annually, agencies must prepare a complete risk profile and include required risk components and elements required by this guidance. CFO Act Agencies, at a minimum, must complete their risk profiles in coordination with the agency Strategic Review. For these Agencies, key findings should be made available for discussion with OMB by June 3rd as part of the Agency Strategic Review meetings and/or FedSTAT.

OMB Circular A-123 and Playbook Outreach Efforts and Major Milestones

11/1/2016

[Figure: timeline chart running from April 2016 through August 2017. Legend: Major Milestones; Government Event; Public Event; A-123 Deliverable; Completed Event. Section label: Agency Rollout. Events recovered from the chart are listed below in the order they appear.]

*Known dates are provided. Approximate timeframes are provided for events which are in the planning phase.

4/21 – NOVAGA Spring Training Event
4/25 – AGA Forum
5/9 – Joint Financial Management Improvement Program
6/29 – Partnership A-123 Roll Out
7/17-20 – AGA PDT Anaheim
8/8 – AICPA Eastern Conference
Release A-123 Appendix A (Tentative)
5/10 – Partnership IG Round Table Discussion
5/4 – AFERM Luncheon
7/14 – Potomac Forum
5/5 – AGA Montgomery/PG County
11/1 – DOT
7/7 – AFERM Luncheon/ERM Blitz
6/17 – NAPA
7/15 – A-123 Public Release
5/24 – CAOC
5/23 – American Assoc. for Budget & Program Analysis
3/23 – BOAC
3/24 – PIC
4/24 – Performance Leads
6/22 – Small Agency Council
7/29 – Release ERM Implementation Playbook 1.0
6/3/2017 – Initial Risk Profile
6/3 – Annual discussion of Key Risk Findings as part of A-11 Strategic Reviews
6/2 – ASMC
Jan – ERM Town Hall
9/20-21 – AGA Internal Control Forum
Dec – CIO Council
Jan – Financial Systems Summit
Nov – ERM Town Hall
9/16 – ERM Town Hall
3/2 – Executive Council
May – ERM Town Hall
6/15 – COFAR/FACE
7/15 – OMB Blog Post
8/2 – IICW
8/9 – WG of Federal Compliance Professionals
11/7/8 – AFERM Summit
9/15/2017 – Integration of ERM and Internal Control
Mar – ERM Town Hall
8/16 – CIGIE
9/23 – USAID
8/23 – Potomac Forum
9/26 – DCIE Audit Committee
8/24 – AFERM Small Agencies COP
9/7 – AGA Hawaii Chapter
8/30 – Treasury
9/22 – EPA
9/23 – TSA
9/27 – VA
9/28 – NSF
10/4 – HHS
10/5 – OPM
10/6 – NASA
10/12 – SSA
10/14 – ED
10/19 – State
10/21 – DOD
9/26 – SBA
9/21 – DOC
10/24 – GSA
10/26 – HUD
10/20 – DOI
12/2 – IIA
11/8 – NRC
10/25 – USDA
10/3 – DOE
10/18 – PPS
10/27 – NRC IC
10/27 – DHS

ERM Implementation Playbook

ERM Playbook Overview

Playbook Purpose: To provide an ERM Framework and practical guidance to support A-123 compliance and effective ERM implementation across agencies.

ERM Playbook Steering Committee: Set project policy and established the timeline for the project.

ERM Playbook Working Group: Implemented the project goals set by steering committee and keyed up decisions and recommendations for the Steering Committee.

Multi-disciplinary representation from across the federal government

Over twenty federal agencies represented

Financial Management, Procurement, Risk Management, Internal Controls, Human Capital, IT, Performance Management, Grants Management, Federal Credit

More Questions?

Please Contact Office of Federal Financial Management (OFFM)

Mark Reger, [email protected]