The President of the US has emphasized:
“the importance of having appropriate risk management processes and systems to identify challenges early, to bring them to the attention of Agency leadership, and to develop solutions.”
The President’s Executive Office (Office of Management and Budget) is updating Circular A – 123 to ensure Federal executives and managers are effectively, efficiently, and economically managing risks that inhibit the agency from achieving its strategic and operational objectives.
We’ve been writing for more than a year that the US government is adopting Enterprise Risk Management (ERM). Check out these articles:
+ US Federal ERM Requirements
+ Federal ERM Mandates
+ Are the Feds Mandating ERM?
The ERM initiative was originally focused on financial accountability. Now, OMB A – 123 includes improving operational accountability in government and integrating risk management into mission delivery, cost reduction, and correction action. ERM is firmly positioned between organizational governance and internal risk controls. See figure below.
RISK MANAGEMENT FRAMEWORKS
Fed government agencies will use ISO 31000, COSO, or specialized ERM frameworks such as NIST 800 – 37 for cyber security. An enterprise group called the Risk Management Council will develop agency ‘Risk Profiles’, which identify risks arising from mission critical and mission support operations. The organization will develop a system of internal control to provide reasonable assurance to management that objectives can be and will be achieved.
OMB A – 123 Circular suggests the following elements for designing and deploying a framework:
- Establish the context. Understanding the internal control environment of the organization.
- Initial risk identification. Using a systematic approach to recognize the potential for undesired outcomes (downside risk) or opportunities (upside risk).
- Analyze and evaluate risk. Considering the causes and probability the risk will occur, the positive/negative outcomes, and prioritize risk.
- Develop alternatives. Identifying and assessing the range of risk response options.
- Respond to risks. Making decisions about the best options among the alternatives.
- Monitor and review. Evaluating performance to determine if risk management facilitated achieving objectives.
- Continuous risk identification. Deploying the process yearly or as necessary.
The above process has elements of ISO 31000 and COSO. The critical item is the process must be tailored to the organizational context. Tailoring requires architecting, designing, deploying, and assuring the framework. The figure below illustrates how the ERM model can be designed.
A number of critical items emerge from the above figure:
- Internal and external context define stakeholders, customers, and interested parties of risk.
- Extended enterprise consists of organizational dependent and interdependent relationships.
- Risk management framework is core to ERM.
- Risk management process follows a cycle.
NEXT STEPS FOR YOU?
In June 6 to 10 in Seattle, Washington USA, we will be spending 5 days at the CERM Bootcamp on how to architect, design, and deploy a risk framework to ensure objectives are being met and then assure the the framework is working effectively based on the risk appetite of the organization.
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platform are shown below: