#147 – ERM STATUS UPDATE WITH FEDS – GREG HUTCHINS

Greg Hutchins

US Office of Management and Budget is releasing Enterprise Risk Management update to Circular A – 123 on July 15, 2016.

The new policy document is known as ‘Management’s Responsibility for Enterprise Risk Management and Internal Controls.’  The policy document requires an enterprise risk management program with operational risk controls.  The policy document is a game changer.

We’ve been writing for more than a year that the US government is adopting Enterprise Risk Management (ERM).  Check out these articles:

+  US Federal ERM Requirements
+  Federal ERM Mandates
+  
Are the Feds Mandating ERM?

The ERM initiative was originally focused on financial accountability.  Now, OMB A – 123 includes improving operational accountability in government and integrating risk management into mission delivery, cost reduction, and correction action.  ERM is firmly positioned between organizational governance and internal risk controls.

ERM has been implemented in private sector for years.  Now it is moving into the public sector through statute.  ERM is being institutionalized across the Federal executive branch, states, and local jurisdictions.

Several interesting things come out of these developments

EVENT BASED APPROACH TO ERM

Federal risk programs focused on event and threat based risk.  Critical assets were identified.  Threats and vulnerabilities to the assets were then identified.  These would be risk assessed based on likelihood and consequence/impact analyses.  Then, a response was designed based on organizational risk appetite.  The response could be to accept, share, transfer, avoid, or control the risk.  This is a standard risk management process often based on COSO or ISO 31000 risk management frameworks.

The new OMB A – 123 program is called: Management’s Responsibility for Enterprise Risk Management and Internal Controls.  It introduces a government wide risk management program and updates internal control requirements.  The new OMB A – 123 program promotes a business objective approach to risk.

BUSINESS OBJECTIVE BASED APPROACH TO RISK

Another ERM approach is to focus on business objectives.  The organization defines its business objectives.  Risks are the obstacles that inhibit the organization from meeting its objectives.  Then a risk management or response plan can be developed to accept or control the risks.

While an event approach to risk can still be pursued, the OMB requirements emphasize internal controls that reduce or mitigate the risks getting in the way of meeting mission critical objectives.  This means that risk is considered in the implementation of all daily decision in each level of the organization.

So, what should you do now if you want to learn about the new the new ERM requirements?

By the end of July 2016, the Feds will have ERM Playbook that we think is a must read for all operations professionals.  As well, check out Certified Enterprise Risk Manager(R) certificate program.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com

WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books available on all platform are shown below:

Leave a Reply

Your email address will not be published. Required fields are marked *