What many in the financial management and oversight community called the worst kept secret in government is finally out. The Office of Management and Budget is releasing the long-awaited update to Circular A-123 on July 15.
OMB has been working on the first major update to the policy document, which focuses on financial management internal controls, for almost two years. OMB last updated the circular in 2004.
The biggest changes for A-123 are two-fold, said David Mader, the OMB controller.
He said A-123, now known as Management’s Responsibility for Enterprise Risk Management and Internal Controls, introduces a governmentwide risk management program, and it updates the internal controls program to better align with recent changes made by the Government Accountability Office.
“When we think about enterprise risk management we recognize this has been a practice that has been used extensively and effectively in the public sector and private sector for a number of years. What we’ve done now through the issuance of the A-123 update is actually now to formalize this across the government,” Mader said in an exclusive interview with Federal News Radio. “There have been agencies, whether it’s the Treasury Department, Education, Commerce or others that over the years have developed an enterprise risk management program. We saw how these programs have developed over time. We looked at best practices in the private sector and said, ‘It’s time now to institutionalize this across the Executive Branch.’ The issuance of this now begins the roll out of this ERM program and the updates to a lot of the sections that heretofore have been in A-123 around internal controls. I know there is a lot of excitement around the newness of the ERM, but I also think it’s important to emphasize that the chapters around internal controls have all been updated.”
OMB has been open about the planned changes to A-123, discussing it with industry and other private sector experts.
In June, Mader announced OMB would issue an A-123 playbook to help agencies implement the new requirements. He said July 14 that the playbook remains on track to come out around July 29, and will serve as the basis for training and education over the next 6-to-12 months.
“It’s one thing to put out a policy framework, but it’s another thing to actually give agencies and individuals practical examples of how this worked in this particular situation, and here are things that you need to take into consideration as you think through structuring your risk program,” he said. “I think this fits with our overall modernization in how we manage the government. It will be useful not only now in this administration but in subsequent administrations.”
Robert Shea, a former OMB senior official and now a principal with Grant Thornton Public Sector, said the potential impact of these changes is enormous.
“Moving risk management from a focus on financial management and reporting to the enterprise and mission is long overdue and will help our government avoid or mitigate the inevitable crises in the future,” Shea said.
The administration’s approach to risk management mirrors many of its ideas around priority goal-setting and technology modernization efforts where it’s both a top-down and bottom-up approach.
Mader said A-123 outlines a flexible framework for how each agency, bureau and component can manage risk. He said whereas internal controls are prescriptive, risk management lets managers decide what is best.
“If I’m a manager managing a particular project, I need to take into consideration risk in the implementation each and every day in how I deliver those services, let’s say to citizens,” he said. “As you continue to roll up, you also need at the very top level, at the department level, to understand the risk across all of those different mission programs.”
Mader said the top-down and bottom-up approach also helps institutionalize risk management and change the culture to understand everyone is responsible for measuring and managing threats to the mission.
“We have examples in both the private sector and in the government over the years where people were reluctant perhaps to raise their hand and say they have a particular risk that they need to mitigate,” he said. “When you don’t identify the risk and you don’t mitigate it, then you wind up having problems down the road.”
Under the framework, OMB will require agencies to name a senior accountable official for risk. That person may be a chief risk officer, or may lead a risk council.
Mader said that’s part of the flexibility that OMB is trying to build into A-123.
“We don’t want ERM to be viewed as some separate program. We want it embedded in how managers, executives, careers and appointees operate day-in, day-out,” he said.
OMB will begin a series of training sessions starting with the release of the playbook on July 29. He said agencies with effective ERM programs led the development of the playbook.
Mader said OMB will then meet with agencies in August to discuss more specifics around implementation plans.
“It really culminates next year in the spring of 2017 when OMB will be conducting strategic reviews required under the Government Performance and Results Modernization Act and strategic plans so part of what we will look at next spring is for agencies to tell us, show us how they implemented ERM,” he said. “We also are holding them accountable next spring in being able to present to OMB what their risk management program is, their initial set of risks they’ve identified. I think the way we’ve done it gives them flexibility but ensures accountability that everybody has moved to this new approach.”
While OMB wants agencies to have flexibility with enterprise risk management, A-123’s update of internal controls is more specific. The big difference in the new circular is OMB wants agencies to use internal controls across all facets of the agency, not just for financial management.
“We need to make sure we have controls in all of our IT systems, and certainly heightened interest with controls around cybersecurity,” he said. “What will be fascinating to people, when you look at the table of contents on A-123, you will see brand new sections around establishing and operating internal controls and also a new section around what is characterized as internal controls, additional considerations.”
He said the additional considerations section deals with management functions, privacy, acquisition and grants to name a few, to help agencies view internal controls as more than a financial area.
“If I’m running a grants program, what kinds of controls do I need for the grants program? What kind of controls do I need for contracting and acquisition? And, especially in this day and age, what kind of controls do I need to have in place to ensure the safeguard of personally identifiable information data?” he said. “We’ve expanded, I think greatly, the internal control application going forward.”
Mader emphasized that agencies shouldn’t look at internal controls and enterprise risk management as two different things. He said one way to mitigate risks is to have strong internal controls.
“Internal controls are a key component of an overall strategy and risk management program,” he said. “We see this fitting very nicely into each agency’s strategic management program from identifying strategic goals to conducting performance reviews. I think all of these concepts fit very nicely together and are mutually supportive.”