U.S. federal agencies are seeing increased pressure to provide an integrated capability of internal control and risk management. This pressure requires agencies to take a top-down approach to enterprise risk management that looks across financial and operational exposures and control. The challenge for many agencies is that they have limited resources to address this expanded requirement and need to look for ways to make it efficient with their existing resources as well as effective and agile in a dynamic environment.
OMB A-123 originally impacted federal agencies in 1981, with a significant expansion of it in 2004, as the U.S. federal government’s response to the Sarbanes-Oxley Act applied to government agencies. The focus for the past decade has been on internal control over financial reporting in a government agency context. This significantly expanded in June 2016 when a revised OMB A-123 circular that made changes to the original was released, and particularly set requirements for enterprise risk management (ERM) within federal agencies. The new circular is defined as Management’s Responsibility for Enterprise Risk Management and Internal Controls.
ERM, as defined in the revised OMB A-123, is "an effective agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.”
Up until this point, federal agencies had inconsistent approaches to managing risk. Risk management was done in the depths of the organization within specific functions and programs. Generally, federal agencies did not have a top-down, entity-wide approach to risk management. Particularly, federal agencies are required to align internal controls with the overall performance and strategic planning processes that the Government Performance and Results Modernization Act (GPRAMA) requires. This requires agencies to re-architect how they approach internal control management, OMB A-123 compliance, and align and integrate it with ERM.
Some specifics that agencies need to address are:
- Establish accountability for ERM in a senior accountable official, risk council, or committee
- Develop an overall entity-wide ERM program and process
- Align risks in context of strategic reviews of the agency
- Maintain an annual risk profile prioritized by significant risks
- Integrate risk assessments with the evaluation of internal controls by management
- Provide for a risk-based approach to internal controls
- Expand internal control management over all aspects of the agency, as it is no longer scoped to just financial management
- Detail corrective action plans that evaluate risk associated with control deficiencies and identify root cause
- Document internal control assessments to both the five components of the GAO’s Standards for Internal Control in the Federal Government (Green Book) as well as the 17 principles that support those components
- Understand that internal control management and ERM are not two distinct processes, but are integrated and depend on each other as controls mitigate risk
In the past, many agencies have relied on manual processes of documents, spreadsheets, and emails to address OMB A-123 requirements. This enabled them to get by and meet the requirements. However, the changes to OMB A-123 are more complex and require the integration of information from internal controls, risk profiles, assessments, attestations, reporting, corrective actions, and more. Agencies that assume they can get by with manual document-centric processes of the past will soon discover that the amount of information and ability to report on it will significantly increase their staff time and labor costs. Further, manual processes and documents do not provide the system of record and audit trail of activities that regulators are looking for increasingly in their reviews and evaluation.
Agencies are best served to implement an integrated solution to address OMB A-123 requirements across risk and internal control management that can plan, scope, document, report, and test internal controls with a risk-based approach. This will enable them to be efficient in their staff time, particularly in assessment and reporting. It will also enable them to be effective in understanding the relationships of risks and controls while providing a system of record of all compliance and risk activities and interactions.
Furthermore, an integrated solution will enable them to be agile to the changing risk and control profile of a dynamic and ever-changing environment, particularly as new requirements expand to include risk and control across agency operations and not just financial management.