OMB Prepares to Ratchet Up Enterprise Risk Management

For more than a year, the Office of Management and Budget has been readying an update of the seminal Circular A-123, which provides guidance on agency internal financial controls.

Expected in April, the new version will likely impose new requirements that agencies formalize the discipline known as enterprise risk management. “The timing is really important,” according to longtime agency financial executive W. Todd Grams, now director of the Federal Government Services Practice at Deloitte & Touche LLP. He began a stint this month as president of the Association for Federal Enterprise Risk Management, a professional development group that advocates the approach.

OMB, which has circulated drafts and made several promises on timing for the revised circular, declined on Monday to set a release date.

“We’re at a point in the federal government where agencies are facing the greatest risks ever for their mission and must consider the protection of their reputation,” said Grams, a former chief financial officer of the Veterans Affairs Department who has also worked at OMB, the Census Bureau and the Internal Revenue Service. As examples of current risks, he cited budget cuts, intense oversight, leadership turnover, cyberattacks and an Office of Personnel Management Federal Employee Viewpoint Survey from 2015 in which only 61 percent of respondents said they believe they can disclose a suspected violation of law or regulation without fear of reprisal for blowing the whistle.

“Enterprise risk management is a way to begin to have these risks elevated,” Grams told Government Executive. “Program leadership conveys to management and employees that it’s okay to raise risks, that it’s actually encouraged, that it’s even a bad thing to sit on risks.”

Throughout his federal career, Grams added, “being clean and open about risk was a good thing. The increase in the number of people who know about risks means they then can mitigate them. But if you’re sitting on a risk, then if it materializes and things go wrong, the impact is not only that you’ll take the hit, but it’s also a surprise to everyone—which is a lot worse.”

When the scandal at the VA erupted over misreported hospital patient wait times, the department “was actually standing up an [enterprise risk management] program that was in its infancy,” Grams said. Had VA been working with a robust ERM program for years, those problems might have been avoided or been dealt with much sooner, Grams said. “Some of the stuff we saw at VA was employee reluctance to raise the issue when they saw it happen,” he said, a phenomenon he labels “psychological safety.”

The same could apply at the IRS’s Exempt Organizations division, which was accused of political bias against conservatives after it mishandled nonprofits’ applications for social welfare status. When Grams arrived at IRS with acting commissioner Danny Werfel in May 2013, one of their first actions was to create an enterprise risk management program, he said. “We need to have the program in place because it’s a journey of years.”

OMB set the stage in June 2015 when it released circular A-11 on budget formulation, Grams said, which for the first time impressed upon agencies that they should be aware of enterprise risk management and view it as an emerging tool. “It put agencies on notice that ERM is a good way to do that. It’s definitely a way to force an organization to establish a formal framework it can consistently apply, so that risks get raised to the attention of senior leaders and management.”

Such an approach “can drive strategy, help with performance and drive budget decisions,” Grams said. “If you know the risks, then you can make decisions on how to accept, eliminate or manage them.” OMB also wants to “make sure agencies all define risk the same way across the organization.”

When the new Circular A-123 emerges, “agencies are going to need help implementing it because the vast majority don’t have the experience,” said Grams, who now takes five or six hours a week from his private-sector day job to lead the risk management association in offering agencies help.

Will the approach endure during the coming new administration? “OMB is positioning the federal government to talk more intelligently about risks,” Grams said. “So when the new president and a new team comes into office, if they’ve implemented [the revised] A-123, agencies can do an initial risk registries list,” a kind of prioritized inventory of things that could go wrong for each agency. “Think of how valuable that would be to new agency heads,” he said. 

(Image via txking/Shutterstock.com)