Posted By AFERM,
Friday, June 29, 2018
Updated: Monday, November 25, 2024
Question asked by Anonymous
AFERM EXPERTS SAY...
Within the Federal Government, there is no right answer to this question. Some agencies have designated a Chief Risk Officer (CRO) to report to the Chief Operating Officer or Chief of Operations (COO). In other agencies, the ERM program is led by a Risk Manager who reports to the Chief Financial Officer (CFO). Several agencies have decided to incubate their ERM program within the CFO organization with plans to elevate the position and program when they reach a certain level of maturity. Office of Management and Budget (OMB) Circular A-123 provides agencies with a great deal of latitude in this area in recognition that the same approach may not work across all agencies. However, agencies are best served by a strong and independent risk management function positioned as high in the organizational structure as possible. An executive leading ERM program efforts, who is also formally recognized as part of the agency’s senior leadership team, helps facilitate acceptance across the organization’s lines of business. Designating a CRO at the executive level, with the program reporting to the COO, also sends a message about how agency leadership views the importance of ERM, and this message can be an effective element of an agency’s tone-at-the-top.
How are your agencies addressing the governance issue? Share your thoughts – join the conversation!
Posted By AFERM,
Thursday, June 14, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
Past experiences with ERM program audits by the Government Accountability Office (GAO) and Inspector General (IG) lead to similar areas of focus. Their initial reviews concentrated on ensuring that basic program elements were present and documented. These elements included the maturity model and program development map; ERM governance structure; ERM framework, including standardized processes and procedures; ERM function staffing, including Chief Risk Officer (CRO) duties and responsibilities, as well as placement within the agency’s organizational structure; and the agency’s Risk Appetite Statement. After the audit teams understood the basic design and foundation elements supporting the ERM program, they investigated methods used to identify key risks, as well as conducted interviews with agency executives, ERM program staff, and ERM points of contact within each line of business. While auditors from both teams were interested in the enterprise risk register and responses to key risks, the GAO team did not raise questions regarding whether the risk appetite and risk response actions were appropriate. On the other hand, the IG audit team questioned various aspects of risk appetite and risk tolerance adopted by the agency. Each audit team will likely have a different focus, but starting with foundational ERM program elements with a clear direction for program development and maturity will compel the audit team to consider how the agency is approaching its ERM program and may help steer auditors away from judgements about whether agency leadership has set suitable risk appetites and tolerances and if risk response actions are appropriate.
Posted By AFERM,
Thursday, May 31, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
When it comes to discussing matters of risk management within an organization, there will always be some overlap. However, the Risk Manager should remain focused on the primary business/mission objective, the risk created from executing toward that objective, and what responses the organization would have for the risk created.
When discussing the OIG and an Agency’s programs, it is very interesting indeed. The OIG and Agency Programs have very different objectives (i.e., the Agency executes the mission and the OIG provides assurance that the mission was executed appropriately and in compliance with laws and regulations).
“Drawing the line” is a good way to think about this by using the “who goes first” paradigm, essentially a paradigm that helps illustrate the cause and effect relationship within the Agency’s risk universe.
First, we have the Agency, which must execute its mission. An Agency is a collection of Programs, separated into Offices and Departments for administrative control. These Programs, once funded, initiate execution and create risks, specifically located within each Program’s execution toward its programmatic objectives.
Next, we have the Highest Level of Administrative Control within the Agency managing the Enterprise-Wide risk to the Program portfolio in its entirety by maintaining an ERM program.
Then, we have the OIG. The OIG was formed in response to the risk created by Program execution performing its own risk assessment. The expectation is that the OIG may leverage the Agency’s ERM program for risk, risk response, and resource application information, but the OIG may also add risk factors that the Agency may not have included, or may increase or decrease the prioritization of risk ranking for its own purposes, the achievement of a risk-adjusted audit plan, or investigation schedule.
So where should we draw the line? It is more like a Venn Diagram, but we must remember that 1) the Agency goes first, 2) the OIG comes after, 3) the Agency’s ERM process is focused on managing the enterprise-wide risk of acquiring programmatic objectives within given resource constraints, and 4) the OIG’s risk management process is focused on managing the risk of providing inspection and investigation assurance on the compliance, as well as ultimate effectiveness and efficiency of that execution.
In mature agencies and programs, OIG input into the Agency’s ERM process will be very helpful as long as it does not blur the lines of independence, and as long as Agency executives seek to have that conversation.
Posted By AFERM,
Wednesday, May 16, 2018
Updated: Monday, November 25, 2024
Question asked by Sharon White
Additional Details
COSO ERM’s “Understanding and Communicating Risk Appetite” identifies 1) a general statement, 2) statements by organizational objective, or 3) statements by risk types identified by the organization. What organizational characteristics would benefit from each of these methods? (e.g., education level of employees, complexity of the organization, variety of programs administered)
AFERM EXPERTS SAY...
Risk appetite denotes the level and nature of risk that is acceptable. Risk tolerance refers to the degree of variability in Return on Investment (ROI) in programmatic execution or administration that an Agency is willing to withstand. Risk appetites and tolerances should be set at the Governance level, Executive level, and Operational level and should flow downward from the top of the organization to the various lower levels of management, with actual risk information flowing from the lower levels of the organization, upward.
Should risk appetite and risk tolerance statements be documented by organizational objective or by risk classes?
Depending on the agency, risk appetite and risk tolerance statements can be documented by organizational objective or by risk classes, and in some agencies, risk appetite and risk tolerance statements can both be documented at the same time. Some agencies manage complexity large enough to have to deal with differentiated risk classes within each organizational objective, and some agencies manage programs where a single set of risk classes can apply across the enterprise.
The most important thing to remember is that risk appetite and risk tolerance statements enable the ERM program and officers to respond to risk in a dynamic and direct way. In other words, an Agency should make sure it does not create risk appetite and risk tolerance statements that constrain behavior (unless by design) and delay risk response actions.
Posted By AFERM,
Tuesday, May 8, 2018
Updated: Monday, November 25, 2024
It becomes difficult to know which trigger event is monitored to determine when a risk response should be executed.
AFERM EXPERTS SAY...
A risk trigger is an event or series of events that activate the execution of a particular action, usually associated with mitigation strategy or execution of contingency plans. Risk thresholds define the boundaries of fluctuation for those triggers.
This is a difficult challenge. It is almost impossible without first defining an actual risk event scenario, because risk triggers exist to respond to risk events within a threshold of an actual scenario. It is especially difficult where risk action is defined at a very detailed level across large portfolios of disaggregated risks. This is where we rely on the expertise of our Risk Management professionals to prioritize risk actions, and by doing so, prioritize risk triggers and thresholds.
For example, not all risks are created equal, and although we have defined impact and severity probabilities (if quantitative), not all risks contribute similarly to the overall risk of a risk pool. Overall, risks assessed at “high” matter more. Then, if the Risk Management professional can either 1) provide anecdotally the risk triggers that control risk actions for “a majority” of the risk or 2) leverage risk management software to determine which risk triggers are specifically associated with risk actions in that scenario, this provides an opportunity to aggregate the profiles from the bottom up and give meaningful risk trigger information.
Without specific scenarios to discuss, a Risk Management professional could have the challenging task of either discussing an endless list of “if/then” scenarios or providing an inert dictionary of all the risk triggers in the portfolio. Risk management software can be very helpful in the case of the latter.
Posted By AFERM,
Thursday, March 22, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
While OMB Circular A-123 requires agencies to present instances of uncertainty (i.e., opportunities and threats), where applicable, it does not necessarily mean that both will be presented in the risk profile. However, there are likely two reasons why opportunities are not readily identified in Federal risk profiles to the extent that threats are identified:
- The Federal government is inherently risk averse; and
- Most agencies are still in the early stages of ERM program maturation.
Because of the Federal government’s unique position, in comparison to perhaps a commercial entity, the Federal government tends to lean towards stability instead of volatility. This places more emphasis on managing downside risks, or threats, and seeking to monitor or minimize the accompanying risk exposure. Identifying and seeking to exploit opportunities involves numerous constraints in the Federal space, including potential alignment with the President’s agenda and the agency’s mission and priorities, not to mention sufficient funding to pursue the opportunity. However, trends in information technology modernization, business intelligence, data analytics, and shared services may support near-term reporting of opportunities in agencies’ risk profiles.
Secondly, it is taking time to shape agency risk culture and awareness to understand that risk essentially translates to uncertainty, and that uncertainty is not always negative. Focusing early ERM adoption and implementation strategies on enterprise risks helps build the foundation of an effective ERM program that may eventually seek to identify, exploit, and report on opportunities. Additionally, ERM may be leveraged to review and understand existing risk exposures when evaluating new strategic objectives and opportunities. Due to many Federal ERM programs still being in their early stages of implementation, adopting a risk profile and a risk awareness that promotes the identification of opportunities will take time to complete.
Posted By AFERM,
Tuesday, July 18, 2017
Updated: Monday, November 25, 2024
Question asked by Michael Charles
Additional Details
Federal government contractor supporting a Law Enforcement Agency, seeking guidance in regard to salary budget and the current market for professionals with this skill set.
AFERM EXPERTS SAY...
Like any professional, the salary range for an ERM professional with 10 years of working experience will depend on many factors. Formal education, relevant peripheral experience (e.g., strategic planning, performance management, internal controls, audit, etc.), closely aligned experience (i.e., risk management and ERM), and specific familiarity with the organization and/or similar projects all play into an individual’s marketability. However, let’s assume you have a candidate with 10 years of experience closely aligned with ERM and the individual can be a major contributor to analyzing the current risk environment and mapping out an ERM approach. Several senior leaders in federal consulting organizations have confirmed for me that it is highly unlikely you will be able to find such an individual in the specified compensation range.
This does not mean there are not individuals claiming expertise in ERM that will accept such compensation. However, in all such cases, I would highly suggest you ensure they: (1) truly understand ERM (versus internal controls or some informal approach to risk management), and (2) have significant verifiable experience specifically related to ERM.
If anyone has experience to the contrary, we would certainly welcome the feedback. Best wishes with your ERM efforts.
Posted By AFERM,
Monday, July 3, 2017
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
Risk is typically considered a function of the probability/likelihood of an event occurring, and the impact/consequence of that event if it does occur. The scoring of the risk is thus a function of the combination of those two factors. This is often graphically displayed on a “heat map”, in which one axis is likelihood/probability and the other impact/consequence. The axes may be numbered (e.g., 1-5) or have descriptions (e.g., rare, remote, moderate, likely, very likely for probability and insignificant, minor, significant, major, critical for impact). The intersection of a specific risk’s likelihood and impact is its risk rating. These ratings can be quantitative (often the product of the numbers associated with the impact and probability ratings) or qualitative (e.g., low, medium, high, critical). There is no single accepted approach to how many levels are designated for probability, impact or risk rating.
Keep in mind that risk treatment is not always mitigation. Mitigation literally means to reduce, and that term is generally used in risk management to mean reduction in the likelihood or impact of a risk, and thus the overall level of risk after treatment. However, other treatment options include accepting the risk as it is, avoiding the risk, or transferring the risk to another party. In any event, the risk after treatment is scored in the same fashion as evaluation of the risk before treatment. Depending on the nature of the risk, this may be very quantifiable with significant precision. In other cases, the estimation of a risk before and after treatment may be very subjective. In the latter case, it is often advisable to gather a number of subject matter experts to discuss the risk and seek to achieve consensus on the level of risk before and after treatment. In all cases, the level of claimed reduction in a risk after treatment should be justified as well as practical.
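The scoring described in this answer, carried through in code as an added example (not AFERM's own material): 1-5 label scales, the product score on a 5x5 heat map, a residual-risk check after treatment, and, serving the earlier answer on triggers and thresholds, a threshold evaluation that only considers risks rated at least "high". The band cut-offs, the treatment rules, the register entries and the metric readings are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# 1-5 label scales from the answer above; the band cut-offs are an assumption.
LIKELIHOOD = {"rare": 1, "remote": 2, "moderate": 3, "likely": 4, "very likely": 5}
IMPACT = {"insignificant": 1, "minor": 2, "significant": 3, "major": 4, "critical": 5}
BANDS = ((4, "low"), (9, "medium"), (16, "high"), (25, "critical"))  # ceiling, label
ORDER = [label for _, label in BANDS]

def score(likelihood: str, impact: str) -> int:
    """Quantitative rating: product of the two 1-5 ordinal values (1..25)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]

def rating(product: int) -> str:
    """Qualitative rating: first band whose ceiling the product does not exceed."""
    return next(label for ceiling, label in BANDS if product <= ceiling)

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    treatment: str = "accept"                  # accept | mitigate | avoid | transfer
    residual: tuple[str, str] | None = None    # (likelihood, impact) after treatment
    triggers: dict[str, float] = field(default_factory=dict)  # metric -> threshold

def check_treatment(r: Risk) -> list[str]:
    """Flag a residual score that the stated treatment cannot justify."""
    before = score(r.likelihood, r.impact)
    after = score(*r.residual) if r.residual else before
    issues = []
    if after > before:
        issues.append("residual score exceeds inherent score")
    if r.treatment == "accept" and after != before:
        issues.append("accepting a risk leaves its score unchanged")
    if r.treatment != "accept" and after == before:
        issues.append(f"'{r.treatment}' claims no reduction; justify or re-score")
    return issues

def fired_triggers(risks, readings, min_rating="high"):
    """Breached (risk, metric) pairs, only for risks rated at least min_rating."""
    fired = []
    for r in risks:
        if ORDER.index(rating(score(r.likelihood, r.impact))) < ORDER.index(min_rating):
            continue  # lower-rated risks are not monitored at this tier
        fired += [(r.name, m) for m, t in r.triggers.items() if readings.get(m, 0) >= t]
    return fired

# Constructed register entries and metric readings for illustration.
REGISTER = [
    Risk("data breach", "likely", "critical", "mitigate", ("remote", "critical"),
         {"unpatched_hosts_pct": 10.0}),
    Risk("grant overpayment", "moderate", "major", "accept", ("rare", "major")),
]
READINGS = {"unpatched_hosts_pct": 12.5}
```

Running `check_treatment` over `REGISTER` flags the second entry, whose "accept" treatment nevertheless claims a lower residual score, while `fired_triggers(REGISTER, READINGS)` reports the breached patching threshold on the critical-rated risk.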
Posted By AFERM,
Monday, June 5, 2017
Updated: Monday, November 25, 2024
Question asked by Latreece Wade
AFERM EXPERTS SAY...
Wade,
The OMB A-123 update of July 15, 2016, required ERM to be implemented at all executive agencies, regardless of size. How robustly those agencies are implementing ERM is another question, and one that has not been authoritatively addressed to the best of my knowledge. There is an A-123 requirement, however, that ERM and internal controls be integrated by September 15, 2017. This is arguably the deadline for implementation of some meaningful level of ERM.
Regards,
Doug
Posted By AFERM,
Saturday, February 11, 2017
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
Doug,
I wish I knew of such a repository. We face many challenges in our risk management community. One challenge is that risk management is too seldom recognized as an actual discipline of knowledge. The recognition of Enterprise Risk Management is rising rapidly in the Federal government. This suggests that risk management will become more broadly recognized as a career field. However, this growing recognition has not yet reached the level of the Office of Personnel Management establishing risk management as a job series. I strongly suggest it is time for OPM to take such action. However, until that occurs, we will be faced with sharing amongst our peers. AFERM has an online resource library for members (www.aferm.org/resources/), so you might want to check that out. Those organizations that have drafted position descriptions focused on risk management could provide value to the community by offering those documents for posting on the AFERM website (www.aferm.org).
Doug