
Integrating Enterprise Risk Management into Performance Management

Thursday, February 26, 2026
Posted by: AFERM Communications

By Kristina Narvaez

Senior Risk Manager, Smardt Inc.

Integrating Enterprise Risk Management with a Performance Management System at a federal agency involves aligning risk identification practices with strategic goals, embedding risk assessment into performance reviews, and using risk data to inform resource allocation across the organization. This approach ensures that performance targets are realistic, that risks are managed within tolerance levels, and that mitigation strategies directly support the mission of the federal agency.

It is very important that a federal agency starts by aligning its risk profile to its strategic plan (e.g. GPRA Modernization Act plans) so that it can identify, assess and mitigate risks that could affect achieving its mission initiatives. The federal agency should also encourage its employees to identify risks and opportunities associated with performance objectives by fostering an open culture that measures, monitors, and shares risk information across the organization. This requires both top-down and bottom-up approaches, combining senior leadership engagement (top-down) with operational staff insights (bottom-up), to ensure that comprehensive risk management practices across all organizational levels are built into the performance management system.

Federal agencies should use their risk appetite statement to guide their decision-making process by setting specific and measurable risk boundaries for each of their projects and investments. They should also integrate their risk mitigation strategies directly into their performance reviews by monitoring the likelihood and impact of potential risk events in relation to the agency's ability to achieve its strategic initiatives. As part of every employee's performance evaluation, the employee should be assessed on how well they have managed the risks associated with their job description. Those conducting the employee's performance evaluation should be able to measure, using both key performance indicators and key risk indicators, how the employee's risk decisions affected their performance goals.

The goal of integrating Enterprise Risk Management into the performance management system of a federal agency is to move away from a compliance-focused Enterprise Risk Management program to a more strategic, performance-driven approach. This begins with determining the level of risk the federal agency is willing to accept to achieve its strategic goals. The next step is for the federal agency to develop a risk profile by mapping operational risks against performance metrics, using data from tools like the Federal Employee Viewpoint Survey as a starting point. Risk assessments can then be used to prioritize budget funding for high-risk, high-impact areas, connecting risk management practices directly to resource allocation. Implementing structured, ongoing risk communication across the federal agency ensures that decision-makers make better risk-informed decisions and that employees understand their role in that process.

The U.S. Office of Personnel Management states in its ERM policy, "ERM can help to properly identify and manage risks to performance related to achieving strategic objectives, and improve agency capacity to prioritize efforts, optimize resources, and assess changes in the environment. The OPM's ERM policy establishes a framework for risk management across the agency that is integrated into OPM's culture and operations." The U.S. Office of Personnel Management (OPM) integrates Enterprise Risk Management (ERM) into its performance management system by aligning strategic goals with risk appetite, using an Enterprise Risk Profile to identify, assess, and manage risks. The Risk Management Council (RMC) governs this, aligning performance reviews with risk mitigation.

OPM's ERM framework ensures that strategic goals (from the GPRA Modernization Act) are pursued with defined risk tolerance, directly affecting performance planning and organizational objectives. OPM maintains an annual risk profile, managed by the RMC, which acts as a central repository for significant risks affecting performance and operations. ERM is embedded into daily operations, including budgeting, cybersecurity, and project management, to ensure that performance metrics account for potential threats and opportunities.

Managers are encouraged to address performance issues by identifying risks early, setting clear expectations, and using performance data to inform risk assessments. ERM aligns with the Federal Managers’ Financial Integrity Act (FMFIA) and OMB Circular A-123 to strengthen internal controls and program performance. The RMC oversees these activities to ensure that risks are monitored and mitigated to support OPM’s mission.

Kristina Narvaez is a Senior Risk Manager at Smardt, a manufacturing company headquartered in Montreal, Canada. She leads the Enterprise Risk Management (ERM) program, including global supply chain risk management, the global insurance program, strategic initiatives, business continuity, and crisis management plans. Ms. Narvaez holds a Bachelor's degree in environmental risk management from the University of Utah and an MBA from Westminster University.


© Copyright 2014-2024 AFERM. All Rights Reserved.
Association for Federal Enterprise Risk Management