The White House is putting enterprise risk management front and center in its update to a key policy on internal controls expected later this year.
The revised Circular A-123 will not direct agencies to change their approach to internal controls, said Mike Wetklow, branch chief at the Office of Management and Budget. Rather, it’s an effort to get them to think more holistically about any and all challenges to their missions.
OMB will provide a draft of the new A-123 to the Chief Financial Officers Council in the spring. It will become effective in fiscal 2016, Wetklow said.
The guidance will encourage agencies to follow in the steps of the private sector. While agencies now comply with standards in a “check-the-box” fashion, they need a push to incorporate risk management into their operations, Wetklow said.
“It’s not our intent that this is going to cost you a lot of money to do this,” he said. “It will be less of a mandate but we will challenge agencies to put on their thinking caps and talk about risks.”
OMB wants agency managers to assess their appetite and tolerance for risk in the name of fulfilling their missions.
“We’ve seen folks get a lot of resources like risk registers and calculus to come up with risk. That’s a little overboard,” said Wetklow Wednesday during a panel discussion on enterprise risk management sponsored by the Association of Government Accountants in Washington.
While agencies may incorporate risk management into their operations through strategic reviews or compliance with the Government Performance and Results Act, it tends to be in isolated pockets, said Karen Hardy, the deputy director for risk management at the Commerce Department.
Often it takes scandals such as the General Services Administration’s Western Regions conference in Las Vegas, or crises such as the botched rollout of HealthCare.gov to ignite agency management’s enthusiasm for enterprise risk management, said Tim Soltis, the deputy chief financial officer at the Education Department.
“It’s ‘Let’s clamp down on credit cards, let’s stop people from abusing things. We don’t want negative impact so let’s minimize the negative impact,’” he said.
Enterprise risk management flips that concept on its head. Rather than focusing on stopping the bad stuff, it requires agencies to look for opportunities to do things differently, which may mean taking new risks to maximize benefits, he said.
“I’ve heard several times from agencies that people who have never had discussions about risk come to the table for the first time and really benefit from that cross-collaborative conversation. It builds partnerships with stakeholders to support their cases and then it enables a performance-management culture,” she said.
The new Circular A-123 will eschew a one-size-fits-all framework because of the diversity of situations among agencies. For example, the Defense Department, in which Soltis was the comptroller of the Defense Intelligence Agency until 2012, still is trying to get its financials in order.
“Some of these activities are unaudited. They don’t even know what internal controls are in some cases,” he said.
But smaller agencies with singular missions, such as Education, have an easier time of it.
“So how do you put out policies that don’t hinder the integrated, but don’t hamper the people trying to get to the rudimentary?” he asked.
Will more agencies get chief risk officers?
Some agencies have turned to chief risk officers to coordinate functions across departments. The IRS, for example, hired its first CRO following a political scandal over its tax-exempt group’s treatment of some conservative applicants.
But agencies should not rush out to hire people right away, Soltis said.
“It’s a judgment call. There’s fatigue with all the c-suite positions we’re creating,” he said.
Expertise in the area often lies in the chief financial officer’s domain, yet a CFO may not have the authority to oversee risk management in program areas, he said.
“If I were a chief operating officer, I’d hire people with experience gained from working in an internal control program to run it,” he said. “But the big issue is positional authority. Do you have the authority to do that? Can you go into someone’s silo and say, ‘I’m going to control your operation, drive efficiency and bring risk management to your operation?’”
Ultimately, he said, it’s up to agency leaders to drive the change.
Yet all employees can play a role, Hardy added.
“You don’t need to have a title position to manage risk. Everyone is a risk manager within the organization,” she said.