OMB Circular No. A-123: Management’s Responsibility for Enterprise Risk Management and Internal Control
Association for Federal Enterprise Risk Managers
November 7, 2016
From 1-2-3 to E-R-M
Enterprise Risk Management and A-123
CXO/Operations Support
• ERM has been a common practice in the private sector for years now, and is not entirely new to government
• Risk management as a government program management practice is currently in use.
• For example, the Department of Treasury has a Chief Risk Officer who is charged with providing risk management across the department
• This Circular A-123 guidance includes ERM, which builds on these best practices and requires their use across the government
• ERM consolidates all the challenges from various parts of the organization to ensure that a portfolio view of risk is available to the highest levels of leadership
Enterprise Risk Management and Internal Control
Risk is the effect of uncertainty on objectives. It is typically addressed within functional, programmatic, or organizational silos.
Enterprise Risk Management is: “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals, and objectives.”
Internal Control is a process effected by an entity’s oversight body, management and personnel that provides reasonable assurance that the objectives of an entity will be achieved. (GAO Green Book)
A process to help achieve objectives (GAO Green Book)
In other words, things you do to make sure good things happen and bad things don’t.
Internal Control System is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved. (GAO Green Book)
Outcomes and Benefits of ERM
Benefits:
• An increased likelihood of successfully delivering on agency goals and objectives
• Allows for increased preparedness before adverse events occur which helps minimize surprises and losses
• Provides a holistic view of risks and interdependencies
• Helps align and allocate resources
• Improves operational effectiveness and efficiency
• Reduces decisions based on risk aversion
• Improves stakeholder confidence and trust
Illustrative Example of an Enterprise Risk Management Model
Communicate and Learn
1. Establish Context
2. Identify Risks
3. Analyze and Evaluate
4. Develop Alternatives
5. Respond To Risks
6. Monitor and Review
Outcomes:
• An increased likelihood of successfully delivering on agency goals and objectives.
• Fewer unanticipated outcomes encountered.
• Better assessment of risks associated with changes in the environment.
What Is Required to Implement ERM?
• Risk Profiles: Establish a “risk profile” with the following components:
  o Identification of Objectives
  o Identification of Risk
  o Inherent Risk Assessment
  o Current Risk Response
  o Residual Risk Assessment
  o Proposed Risk Response
  o Proposed Risk Response Category
• Integration: Risk profiles to be integrated with management evaluation of Internal Control (Reasonable Assurance Process)
• Disclosure: A-123 recognizes that the risk profiles will often include pre-decisional, sensitive and confidential information, and therefore will need to be treated as sensitive decision-making documents. Agencies should consult with their OGC when making determination on disclosures.
The Current Risk Environment
CXO/Operations Support
• The Federal government is facing greater change than at any other point in time
• Current budget realities mean agencies compete for limited resources as never before
• Budgets will go to those who best show value
• There is greater scrutiny and expectations from internal and external stakeholders for agencies to respond to risk faster and more effectively
• The continual focus of risk management on financial areas has limited the broader considerations of risk within organizations
Major Management Challenges
Could they have been avoided?
Could the impact have been minimized and more manageable?
What will be next?
OMB Circular No. A-123 History
• 1981 – OMB First Issued Circular No. A-123, Internal Control Systems
• 1982 – OMB Issued Internal Control Guidelines and the Federal Managers Financial Integrity Act (FMFIA) was enacted
• 1983 – OMB Issued an Updated Circular No. A-123, Internal Control Systems
• 1986 – OMB Updated A-123 to Require Management Control Plans to guide efforts
• 1995 – OMB Updated A-123, Management Accountability and Control to reflect Government Performance and Reporting (GPRA), Chief Financial Officers (CFO) Act, Inspectors General (IG) Act
• 2004 – OMB updated A-123, Management’s Responsibility for Internal Control to reflect new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002; added Appendix A, Internal Control Over Financial Reporting.
• 2005 – CFO Council Issued A-123 Appendix A Implementation Guide and OMB Required Appendix A Implementation Plans
• 2006 – OMB First Issued A-123 Appendix B for Government Charge Cards and Appendix C for Improper payments (Appendix C updates 2006 to 2014)
• 2013 – OMB First Issued A-123 Appendix D for Compliance with the Federal Financial Management Improvement Act (FFMIA).
• 2014 – OMB updated A-11, Preparation, Submission, and Execution of the Budget and includes Enterprise Risk Management and Internal Control
• 2016 – OMB updated A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control
Expanding on the Green Cube To Include ERM
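[Figure: internal control cube expanded to include ERM. Component labels: Objective Setting, Event Identification, Risk Response, Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring. Organizational levels: Entity, Division, Operating Unit, Function.]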
2017 Requirements of A-123
Incorporating Strategic Objectives
2016 Update to A-123
The organization of internal controls as introduced in the 2014 Green Book
The inclusion of a strategic process to risk management and internal control
The introduction and refinement of ERM components to be integrated into existing internal control processes
Federal Performance Framework
CXO/Operations Support
[Figure: Federal Performance Framework. Phases: Planning; Evidence, Evaluation, Analysis, and Review; Reporting. Goal levels: Cross-Agency Priority Goals, Strategic Goals, Strategic Objectives, Agency Priority Goals (APGs), Performance Goals. Categories: Mission-focused, Management. Plans, reviews and reports shown: Federal Performance Plan, Agency Strategic Plan, Annual Performance Plan, APG Action Plan Updates, CAP Goal Action Plan Updates, Strategic Reviews, APG Quarterly Reviews, CAP Goal Reviews, Annual Performance Report, APG Quarterly Progress Updates, CAP Goal Progress Updates. Frequencies shown: every 4 years, annually, quarterly. Feedback: management feedback, stakeholder feedback. Decision-making and Learning to Improve Outcomes and Productivity: operational, policy, and budget decisions; and updates to plans including milestones and improvement actions.]
ERM and Internal Controls
[Figure comparing two states. A-123 Prior to 2016: Risk Management, Internal Controls. A-123 Future State: Governance, Enterprise Risk Management, Risk Management, Internal Controls. Source: Based on COSO]
Office of Management and Budget
Director / Deputy Director
Resource Management Offices (Budget)
• Natural Resources, Energy & Science Programs
• Education, Income Maintenance & Labor Programs
• Health Programs
• General Government Programs
• National Security Programs
OMB-Wide Support Offices (M and B)
• General Counsel
• Economic Policy
• Budget Review
• Legislative Reference Division
• Office of Legislative Affairs
• Management and Operations
• Performance and Personnel Management
• Strategic Planning & Communications
Statutory Offices (Management)
• Office of Federal Financial Management
• Office of Federal Procurement Policy
• Office of E-Gov & IT
• Office of Information & Regulatory Affairs
• Office of Intellectual Property Enforcement
Addressing Risk as Part of Strategic Reviews
After the passage of the GPRA Modernization Act, OMB established annual Strategic Reviews. These reviews are an annual assessment which synthesizes broad sources of evidence to inform budget, legislative, and management decisions.
• One of the priority maturity areas is to better manage risks to goal achievement.
Components of a Strategic Review
A-123: The Foundation for ERM
[Figure: A-123 as the foundation for ERM. Tiers: Strategic Decisions (OMB A-11); Budget Decisions (OMB A-11); Program Management (OMB A-11); CXO/Operations Support (OMB A-123). Items shown: Operational Control Objectives, Reporting Control Objectives, Compliance Control Objectives, Risk Assessments; Agency Priority Goals, Cross Agency Priority Goals, Fed Stat; Policy, President’s Budget, Congressional Justification; Mission/Vision, Goals/Objectives, Strategic Reviews. Risks and Uncertainty: Strategic, Operational, Reputational, Financial, Etc.]
OMB Circular A-123 and Playbook
External Rollout Plan
Overlapping and Concurrent Outreach Approach
• Continue to participate in AGA, PPS, AFERM and other public events.
• Internal Briefings: Focused on CFO Act Agencies and Small Agencies.
  o Schedule will be coordinated with PIC and RMO’s.
  o CFO Act Agency schedules will be coordinated through OMB through designated POCs.
  o Small Agency schedule will be coordinated through Small Agency Council, and other venues
• OMB Follow-up: OPPM and OFFM will work with agencies to address key challenges and gaps, including developing a plan for providing targeted training and supporting agency resource needs.
• Post-transition Guidance: OPPM will lead development of guidance to agencies following the transition for consideration of risk as part of the annual Strategic Reviews, new Strategic Plans, and budget process.
• Town Hall briefings: OMB will provide status updates and address commonly asked questions and concerns to Public and Government.
[Figure: overlapping outreach tracks. Labels: Public Events, CFO Act Agency Events, Small Agency Events, Town Hall.]
Internal Control Over Financial Reporting
External Financial Reporting Objectives
Internal Financial Reporting Objectives
External Non-Financial Reporting Objectives
Internal Non-Financial Reporting Objectives
Source: COSO
Agencies must complete updates to their internal control assessments in accordance with the 2014 updates to the GAO Green Book, which expanded the scope of internal control assessments from the 5 components to the 17 principles of Internal Control.
ERM Implementation Plans
Internal Control Assessments in Accordance with 2014 Updates to GAO Green Book
Initial Risk Profile
Integration with Management Evaluation of Internal Control
Agencies must complete their initial risk profiles in coordination with the agency Strategic Reviews. Key findings should be made available for discussion with OMB by May 15, 2017 as part of the Agency Strategic Review meetings and/or FedSTAT.
For those risks for which formal internal controls have been identified as part of the Initial Risk Profile in FY 2017, assurances on internal control processes must be presented in the Agency FY 2017 Annual Financial Report (AFR) or Performance and Accountability Report (PAR).
As soon as practicable, prior to June Initial Risk Profile deliverable
September ‘16 June ‘17 Sept ‘17
Revised OMB Circular A-123
ERM and Internal Control Requirements
Agencies are encouraged (not required) to develop an approach to implement Enterprise Risk Management.
No less than annually, agencies must prepare a complete risk profile and include required risk components and elements required by this guidance. CFO Act Agencies, at a minimum, must complete their risk profiles in coordination with the agency Strategic Review. For these Agencies, key findings should be made available for discussion with OMB by June 3rd as part of the Agency Strategic Review meetings and/or FedSTAT.
Updated Risk Profile
Annually, June 3, 20XX
OMB Circular A-123 and Playbook
Outreach Efforts and Major Milestones
11/1/2016
[Timeline figure, Apr 2016 through Aug 2017. Legend: Major Milestones, Government Event, Public Event, A-123 Deliverable, Completed Event.]
*Known dates are provided. Approximate timeframes are provided for events which are in the planning phase.
4/21 – NOVAGA Spring Training Event
4/25 – AGA Forum
5/9 – Joint Financial Management Improvement Program
6/29 – Partnership A-123 Roll Out
7/17-20 – AGA PDT Anaheim
8/8 – AICPA Eastern Conference
Release A-123 Appendix A (Tentative)
5/10 – Partnership IG Round Table Discussion
5/4 – AFERM Luncheon
7/14 – Potomac Forum
5/5 – AGA Montgomery/PG County
11/1 – DOT
7/7 – AFERM Luncheon/ERM Blitz
6/17 – NAPA
7/15 – A-123 Public Release
5/24 – CAOC
5/23 – American Assoc. for Budget & Program Analysis
3/23 – BOAC
3/24 – PIC
4/24 – Performance Leads
6/22 – Small Agency Council
7/29 – Release ERM Implementation Playbook 1.0
6/3/2017 – Initial Risk Profile
6/3 – Annual discussion of Key Risk Findings as part of A-11 Strategic Reviews
6/2 – ASMC
Jan – ERM Town Hall
9/20-21 – AGA Internal Control Forum
Dec – CIO Council
Jan – Financial Systems Summit
Nov – ERM Town Hall
9/16 – ERM Town Hall
3/2 – Executive Council
May – ERM Town Hall
6/15 – COFAR/FACE
7/15 – OMB Blog Post
8/2 – IICW
8/9 – WG of Federal Compliance Professionals
11/7/8 – AFERM Summit
9/15/2017 – Integration of ERM and Internal Control
Mar – ERM Town Hall
Agency Rollout
8/16 – CIGIE
9/23 – USAID
8/23 – Potomac Forum
9/26 – DCIE Audit Committee
8/24 – AFERM Small Agencies COP
9/7 – AGA Hawaii Chapter
8/30 – Treasury
9/22 – EPA
9/23 – TSA
9/27 – VA
9/28 – NSF
10/4 – HHS
10/5 – OPM
10/6 – NASA
10/12 – SSA
10/14 – ED
10/19 – State
10/21 – DOD
9/26 – SBA
9/21 – DOC
10/24 – GSA
10/26 – HUD
10/20 – DOI
12/2 – IIA
11/8 – NRC
10/25 – USDA
10/3 – DOE
10/18 – PPS
10/27 – NRC IC
10/27 – DHS
ERM Implementation Playbook
ERM Playbook Steering Committee
Set project policy and established the timeline for the project.
ERM Playbook Overview
Playbook Purpose: To provide an ERM Framework and practical guidance to support A-123 compliance and effective ERM implementation across agencies.
ERM Playbook Working Group
Implemented the project goals set by steering committee and keyed up decisions and recommendations for the Steering Committee.
Multi-disciplinary representation from across the federal government
Over twenty federal agencies represented
• Financial Management
• Procurement
• Risk Management
• Internal Controls
• Human Capital
• IT
• Performance Management
• Grants Management
• Federal Credit
More Questions?
Please Contact Office of Federal Financial Management (OFFM)
Mark Reger, [email protected]