Government agencies are increasingly under pressure to perform their missions more effectively while simultaneously adopting new technologies and operating with limited resources. Meanwhile, the legislative branch and the taxpaying public as a whole continue to demand increased transparency and openness about how resources are being spent. The successful adoption of enterprise risk management (ERM) can assist agencies by improving efficiency, increasing transparency, and allowing the government to be a more effective steward of taxpayer resources.
On July 15, 2016, the Office of Management and Budget (OMB) issued its revised Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control (via M-16-17), which established various ERM processes in the federal government. The OMB has definitive authority over financial management of federal executive agencies, has oversight of federal information, and establishes regulatory policy. Circular A-123 established that federal executive agencies are required to adopt the principles of the U.S. Government Accountability Office (GAO) Green Book. (Some state and local governments are adopting the Green Book principles, too; see the sidebar, "Green Book for State and Local Governments," below.)
The GAO provides investigative, audit, and evaluation services for the legislative branch of the federal government. The Green Book adapts to a government environment the principles of the internal control framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (Note: The AICPA is a member of COSO.) In 2014, the GAO revised the Green Book to reflect the update of the COSO framework, which describes 17 principles of internal control.
The OMB circular required agencies to prepare their initial risk profiles for OMB submission by June 2, 2017, with the full integration of risk profiles into agency financial reports scheduled for Sept. 15, 2017. The OMB mandates that agencies complete their updated annual risk profile reporting by June 3 of subsequent years.
The revised circular requires leaders and managers across federal executive agencies to implement ERM concepts to ensure each agency's risks are being identified and managed effectively. This revised policy also engages all agency managers, well beyond the CFO community, and "encourages open and candid conversations about risks facing an organization at all levels." The circular envisions significantly more interaction among each agency's CFO, chief risk officer, risk management council, and performance improvement officer, and it even advocates the use of professional-society approaches such as "maturity models."
The ERM mandates specified in the circular fall under the auspices of the Federal Managers' Financial Integrity Act (FMFIA) of 1982, as codified in 31 U.S.C. 3512. The OMB guidelines for ERM implementation also embrace a modern risk assessment framework known as the "risk maturity model."
WHO IS RESPONSIBLE?
The revised circular plainly states the responsibility of federal employees in these two well-phrased statements:
- Each federal employee is responsible for safeguarding federal assets and the efficient delivery of services to the public.
- Federal leaders and managers are responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unexpected or unanticipated events.
Thus, federal employees should consider incorporating ERM into management practices, help identify risks, analyze and evaluate risks, develop alternatives to risk, respond to risks, and monitor and track risks in a continuous process.
This ERM process, and its associated risk profile analysis requirement, was implemented to better incorporate the basic tenets of risk management into the lexicon of federal government accountability. In addition to risk management, the OMB has also established formal internal control requirements for federal executive agencies in its revision to Circular A-123. Federal managers are now challenged to "carefully consider the appropriate balance between controls and risk in their programs and operations" as part of their risk profile analysis process.
Agencies are encouraged to couch all of their risks in terms of the following objectives: strategic, operational, reporting, and compliance. Agencies should then ensure all aspects of the risk management process are reviewed at least annually and discussed each year with OMB as a component of their agency's strategic review process.
The circular provides additional guidance in the areas of fraud management, performance monitoring metrics, documentation, and corrective action plans. The circular introduces one final best practice for the oversight of risk, or risk management, through the cooperative audit resolution and oversight initiative known as CAROI, which is a collaborative approach to audit resolution designed to improve education programs and student performance at state and local levels through better use of audits, monitoring, and technical assistance.
All this effort culminates in a comprehensive annual assurance statement from each executive agency that should provide a summary of the agency's process for assessing internal control effectiveness. The annual assurance statement will now include the consideration of any risks, resulting material weaknesses, and corrective action plans identified through the OMB risk profile process as of the end of each fiscal year (Sept. 30).
ADVICE FOR IMPLEMENTATION
The following tips can help federal agencies use the guidance in Circular A-123 to successfully employ ERM concepts to improve their organizations:
- Identify the most significant risks that could prevent your entity from achieving its mission, objectives, and goals. It is important to consider risks for all objectives — including strategic, operational, reporting, and compliance.
- Consider even remote or improbable events that could be significant and impactful. Black swan events can occur, and if an entity has failed to consider the risk, the results can be catastrophic.
- Be sure to consider fraud risks — their financial and nonfinancial aspects. Important nonfinancial impacts of fraud to think about include the potential loss of the public's trust and confidence (reputational risk).
- Assign inherent (initial or exposure) risk scores using impact and probability (high, medium, or low). Be sure to consult subject-matter experts when trying to determine the impact and probability scores for a risk.
- Consider all possible current risk responses (i.e., accept, avoid, reduce, transfer, share). Often, multiple risk-response actions can be performed, or are being performed already, for the same risk.
- Determine the residual risk scores after the risk responses, again considering the impact and probability of the risk.
- Develop additional actions/strategies, including the establishment of internal control activities when warranted, to further mitigate risks. This is a key part of the risk profile process. It is paramount to establish appropriate risk-response actions or strategies to manage the identified risks.
- When implementing a risk response, assign or designate a risk owner. This person or office is responsible for implementing the risk response and tracking and monitoring the risk-response actions.
- Regularly review and monitor risks to determine if those identified in the risk profile have significantly changed. In addition, all risks should be assessed at least annually to determine whether significant new risks have arisen that necessitate an additional risk response.
While full-fledged governmentwide ERM adoption won't happen overnight, these risk management practices should quickly have a positive effect on federal financial management. Implementation of ERM practices will benefit the government and taxpayers with increased transparency and enhanced decision-making. The adoption of ERM will further encourage federal leaders to make forward-looking decisions and improve the effectiveness and efficiency of their agencies' operations.
About the authors
Donald Holzinger, CPA, (email@example.com) and Christopher Parker, CPA,(Christopher.Parker@hq.doe.gov) are staff accountants in the Office of Finance and Accounting at the U.S. Department of Energy. This article represents the views of the authors but not necessarily the views of the Department of Energy.
To comment on this article or to suggest an idea for another article, contact Ken Tysiac, a JofA editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.
Green Book for state and local governments
Internal control framework adoption is producing benefits.
By Ken Tysiac
Although the U.S. Government Accountability Office Green Book was created for federal government agencies, some state and local governments are discovering benefits from adopting its principles.
Following the Green Book principles can help state and local governments fulfill compliance requirements and uncover opportunities to improve their operations. The compliance objective originates with the Office of Management and Budget's Uniform Guidance, which took effect in 2014. A Uniform Guidance provision requires nonfederal entities that receive federal funds to establish and maintain effective internal control, comply with federal regulations, monitor compliance with federal rules, and protect personally identifiable information.
The Green Book provides a mechanism for state and local governments to meet these objectives. Recent revisions have modified the Green Book to reflect the 2013 update of the popular internal control framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (Note: The AICPA is a member of COSO.) Although some governments may adopt the COSO framework directly, others have concluded that the Green Book's principles fit a government context better because the Green Book was created for government entities.
Following the Green Book's principles is helping state and local governments tighten up their internal control. Joseph Seibert, CPA, a KPMG partner who serves government clients, said an assessment against the Green Book principles helps governments protect their resources and identify risks that may not be adequately mitigated. Adopting the Green Book principles also can have other benefits.
Governments may be able to identify and eliminate redundant controls, discover opportunities to use new tools incorporating data analytics or automation, and find reorganization opportunities.
"The chance to actually stand back and look at the big picture that comes from doing an assessment is really a great opportunity," Seibert said.
Implementation is being handled in a variety of ways, he said. Some governments are creating an internal control office or officers to engage the organization. Some governments are establishing boards to oversee the control assessment and ensure findings are addressed appropriately. Some organizations are enlisting internal auditors to assist with the assessment, evaluate controls, and report their findings to management.
"I do think that organizations are starting to see benefits from this," Seibert said. "The ones that are further down the path are identifying gaps that they're remediating, and evaluating opportunities for process improvement."
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is a JofA editorial director.
- "A 10-K for the Taxpayer," JofA, Oct. 2016
- COSO Enterprise Risk Management — Integrating With Strategy and Performance (#ACOSOERM17P, paperback; #ACOSOERM17E, ebook; #ACOSOERM17O, online access)
- Enterprise Risk Management: Guidance for Practical Implementation and Assessment (#APAERM14P, paperback; #APAERM14E, ebook; #APAERMO, online access)
For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.
Governmental Audit Quality Center
The Governmental Audit Quality Center (GAQC) is a firm membership center that helps member firms achieve the highest standards in Yellow Book, not-for-profit, HUD, or government audits through targeted email alerts, resources, and teleconferences. Visit the GAQC at aicpa.org/GAQC.