From A-123 to A-11: Enterprise Risk Management’s Evolving Strategic Role
Wednesday, October 29, 2025
Posted by: Vince Lungaro
By: Nadya Korobko, Manager, Deloitte

For nearly a decade, the Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, positioned Enterprise Risk Management (ERM) as a component of internal control and assurance. With the 2025 update to OMB Circular A-11, Preparation, Submission, and Execution of the Budget, ERM is now central to strategic planning, performance management, and public accountability. This transition elevates ERM from a compliance-focused activity to a strategic leadership tool, shifting its emphasis from internal documentation to public reporting and from risk registers to executive decision-making.

OMB A-123: Establishing the Foundation (2016–2025)

- Mandate and Scope: A-123 defined management’s responsibility for ERM and internal control, creating a unified framework linked to the Federal Financial Management Improvement Act (FFMIA) and agency assurance processes. Agencies were directed to establish risk profiles, governance structures (e.g., Chief Risk Officer/board), and integrate ERM with internal control.
- Risk Profile as Core Artifact: Agencies identified, assessed, and prioritized enterprise risks in a risk profile that informed internal control evaluations and the annual Statement of Assurance.
- Objective Coverage: Guidance reinforced that ERM spans strategic, operational, reporting, and compliance objectives.

Bottom Line: Under A-123, ERM matured as a governance discipline but remained primarily focused on controls and assurance.

Emerging Concerns

Recent reporting indicates that the forthcoming revision to A-123 may remove many ERM references, refocusing on internal control. This has raised concerns among ERM program owners regarding visibility and support. However, ERM is not being eliminated; rather, it is being repositioned under A-11, where it will influence strategic reviews, performance reporting, and leadership decisions.

OMB A-11: ERM’s Strategic Integration

The August 30, 2025 update to OMB Circular A-11 makes ERM requirements explicit within strategic planning and performance review sections. To implement this guidance, agencies are expected to:

- Take a portfolio view of risk.
- Define risk appetite and tolerance.
- Embed governance processes to prioritize and monitor significant risks.

A key change is the requirement for agency heads and Chief Operating Officers to annually review progress against each strategic objective, considering all risks (budgetary, regulatory, legislative, and more) that could impact achievement. Agencies are encouraged to update risk profiles during these reviews and use findings to adjust strategies.

“ERM and strategic planning and performance should be viewed as complementary efforts to be orchestrated with each other, not as independent activities. ... Successful integration of ERM into an agency's day-to-day decision-making and management practices will enable an agency to leverage opportunities for managing, mitigating, or avoiding risks that affect strategic goals and objectives, which will ultimately result in more resilient and effective programmatic operations.”

Under the Federal Agency Performance Act of 2024, A-11 now requires agencies to publicly disclose risks in their Annual Performance Reports (APR). Each goal or objective must include a summary of progress, likelihood of achievement, and identification of risks or impediments. ERM has thus evolved from an internal management process to a public accountability mechanism.

Implications for ERM Leaders

This transition presents new opportunities. Under A-123, ERM supported certification of internal controls. Under A-11, ERM informs strategic decision-making, resource allocation, and performance transparency. Rather than producing risk profiles solely for control assessments, ERM leaders will now shape risk narratives and evidence that inform strategic reviews and Annual Performance Reports. Senior leaders will use this analysis to make trade-offs, adjust strategies, and communicate risks to OMB, Congress, and the public. ERM is now more visible, consequential, and directly linked to mission outcomes. ERM programs will be evaluated not only on risk register maintenance but also on their contribution to strategic decision-making.

Recommended Actions

For program owners, the following steps should be considered:

- Maintain A-123 Discipline: Continue developing risk profiles and governance structures, integrating them into quarterly and annual performance decisions and the APR.
- Integrate with A-11 Processes: Ensure each strategic objective in annual reviews includes a clear risk narrative, identifying top impediments, their likelihood, and mitigation options.
- Elevate the Portfolio View: Consolidate programmatic, operational, IT, and reputational risks into a comprehensive portfolio for leadership decision-making.
- Prepare for Public Transparency: Collaborate with performance and evidence officers to ensure risk narratives are seamlessly incorporated into the APR for external visibility.

To find out more about ERM and strategic planning and performance integration, contact:

Cynthia Vitters, Managing Director, Deloitte & Touche LLP
+1 571 858 0857 | cvitters@deloitte.com

Anthony Fratta, Managing Director, Deloitte & Touche LLP
+1 571 882 7708 | afratta@deloitte.com

Nadya Korobko has over 14 years of experience leading risk management, process automation, internal controls, compliance, and policy development throughout DHS and DoD. She has extensive experience in risk-based planning, deficiency remediation, and ERM program maturation, including risk appetite development, risk quantification, and operationalization of the risk profile. She leads the design, development, and dissemination of Palantir-enabled risk management tools that provide enterprise-wide risk context to forward-looking decision-making through LLM-based visualized analysis.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2025 Deloitte Development LLC. All rights reserved.