Federal Implementation Progress of ERM and Circular A-123

The Association of Government Accountants assembled a panel of federal risk management experts in late September at their 2018 Internal Control & Fraud Prevention Training conference to discuss progress to date and implementation lessons learned for ERM and Circular A-123.

OMB’s Circular A-123 was issued in 1981 to establish internal control systems. It’s most recent Appendix A revision entitled Management of Reporting and Data Integrity Risk was released in June to update existing internal control reporting guidance and find areas to reduce waste and burden on agencies, while balancing the need for transparency. The OMB memo describing the Appendix A changes includes a specific requirement for agencies to develop a Data Quality Plan to achieve the objectives cited in the DATA Act.

In July 2016 OMB revised Circular A-123 to define agency management’s responsibilities for ERM and internal control. The revision also included updated implementation guidance.

During AGA’s panel discussion, the moderator Todd Grams of Deloitte gave a brief history of ERM. According to Grams the federal government “has been doing ERM for 12-15 years.” DLA and Federal Student Aid were among the first to adopt ERM. IRS and VA started ERM five to seven years ago. Grams said that the July 2016 A-123 revision gave more impetus to ERM.

John Basso, Deputy Assistant Secretary for Planning and Performance Management at VA said the July 2016 A-123 revision opened a window of opportunity. Agencies had to implement ERM to be compliant.

Some of the lessons and advice he gave to conference attendees included:

• Take advantage of the new requirement and bring in stakeholders.
• Prioritize risks.  Put risks into logical portfolios and prioritize them.
• Take a risk-based approach to waste, fraud and abuse.  This was a key lesson for VA. 
• Create the value proposition for participants. People won’t follow through unless they see value. 

Ken Phelan Treasury’s Chief Risk Officer offered the following advice and take-aways from his experience:

• Beware of “anti-bodies” when you start something new.  People resist change and you can get outright rejection.
• ERM managers should work with federal managers to add ERM to processes they are already performing. At Treasury, they added ERM to quarterly performance reviews. Prior to that there wasn’t much of a connection between risk and projects.  Then they embedded risk into the strategic planning process.
• Their next step will be risk appetite. They are just in the beginning stages and asking questions such as, what are you willing to do for a positive result.  For example, the IRS is willing to take the risk of later refunds in order to take the time to scan for fraud.  On the other hand, the IRS will never put PII at risk.

Montrice Yakimov Chief Risk Officer at the Bureau of the Fiscal Service which started ERM in 2014, offered the following lessons learned:

• People actively fight against change.  You need to collaborate and know who the risk owners will be.  Talk to multiple levels of leadership across the organization and find out what keeps them up at night. 
• Develop a common taxonomy. Implement a framework and construct for business owners to use across the organization.
• Add value. Business owners need to believe that risk management is valuable. If your risk management analysis is being used to make decisions, then it is adding real value.   
• Include budget planning and IT investment planning.
• Risk planning professionals need to be part of the strategic planning process. They can provide an enterprise point of view.

The discussion ended with a conference attendee asking the panel’s opinion on a scale from 1-10 how far along they felt the government was in implementing ERM.

In Yakimov’s opinion, it varies. Some organizations are farther along.  Across the board she would say a 5. Basso agreed, saying 4 to 5. But he went on to say that the average is meaningless.  There are organizations that are doing well and others that he would grade a 1. Phelan concurred with the others rating progress at a 4. “We’ve made huge strides, but there’s a ton to do,” he stated. And Grams wrapped up with his opinion of a rating of 3 to 4. He personally thinks there should be ERM legislation, because “it’s only taken seriously if the senior leadership believes it’s important.  And the leadership changes frequently.” The direction is sound, but he would like to increase the velocity.