Dave Mader wants to take the government back to the 1980s.
No, we aren’t talking about leg warmers, parachute pants and puffy shouldered blouses or even Wang computers with green screens — though some of those may still exist. Rather, Mader, the Office of Management and Budget controller, wants to change the view of internal controls in agencies back to what it was 30-plus years ago.
“One of the challenges we have been wrestling with over the last couple of the years we’ve been at OMB, if you go back to the origins of internal controls in the 1980s, it was more about internal controls over a program,” Mader said during a June 29 event sponsored by the Partnership for Public Service in Washington. “I think we can blame us, the CFO community, because we’ve embraced this to such an extent that people run around and say, ‘These are financial internal controls.’ But no it’s not. We want people in program offices to start understanding the requirements they have under A-123 for internal controls and we see internal controls as a tool you would use to mitigate risk.”
The idea that everyone should understand and consider internal controls is part of OMB’s update to Circular A-123, which includes a new section on enterprise risk management.
Insight by Carahsoft: This exclusive e-book demonstrates just how far agencies have come and where they still need to go to take fully advantage of DevSecOps to drive modern capabilities to their customers.
OMB has been discussing the update for the better part of almost two years now, and Mader said the new A-123 should be out in the next month. Of course, he also previously promised the new circular would be out by the end of June, so let’s not get too excited until it’s finally final.
Mader said enterprise risk management (ERM) and internal controls are not the same, but complementary efforts to improve agency programs.
“The fact we are actually renaming the circular shows the importance of ERM,” Mader said. “The title, which I think it’s really important, ‘Management’s Responsibility for Enterprise Risk Management and Internal Controls.’ We believe that rolling out, at this point in time, this concept is critical to strengthening federal agency management. Every day we face risk. What has happened over time, departments have seen the need to do this and bureaus have seen the need to do this and what this circular will now do is create a governmentwide framework that will be implemented over the next year.”
Under the revised A-123, agencies will not have to name a chief risk officer, but OMB will require them to name someone to be in charge of managing risk. Mader also wants to build on the work of the interagency ERM council and transform it into a formal body, equivalent to the chief information officer or CFO councils.
“The important thing to keep in mind when we think about departments and the complexity of this government, and whether you are an agency or private firm that does complex business processes that delivers complex missions, we need a framework, a mechanism that will allow leadership at every level of the organization to recognize the risk and mitigate the risk as we execute the programs,” he said. “There will be in every single department an ERM program.”
To help agencies get there, OMB also will release an enterprise risk management playbook.
Mader said the playbook will help agencies continue or begin the process of managing risk differently. He said the playbook will focus on how agencies would embed ERM in the structure and leadership of a particular department to make it a part of the fabric of how they manage their organization.
He said the playbook and the policy also will let agencies get a head start in preparing for the new administration and its 2019 budget planning process beginning next spring.
“It will allow organizations over the course of this summer through next spring when a new administration is firmly in place to be able to say to a new administration coming in, as you get ready to take the reins of government, here are things that you really need to watch; here are things that you really need to be careful; here are things that you need to mitigate against,” he said. “Launching it now is consistent with what this administration has done with trying to improve how we manage this complex enterprise, which I’ll call the U.S. government. And I think it fulfills a commitment the President made several weeks ago when he signed the legislation regarding presidential transition where he committed to actually deliver a better transition to the incoming administration than we received from the outgoing one. I think the Bush administration was recognized by nearly every as being the best transitions of government. We think by rolling this program out now gives us an opportunity to actually help the new administration transition over the course of early 2017.”
The new requirements under A-123 also will be flexible. Mader said one-size doesn’t fit all, and agencies will be able to implement the framework to meet their specific needs.
All of this is about changing the culture and structure of looking at risk. Mader said agencies shouldn’t look at the new A-123 as another OMB directive, but how they execute and manage programs.
This is part of the reason why Mader would like to talk to his colleagues on the budget side about how they can use the agency’s risk profile in reviewing budget submissions and making decisions.
“We spent a lot of time with the IG community and with our colleagues from GAO to get their views,” he said. “In early August, OMB is going to go out and say, ‘We are here to help you.’ Part of the role that the team at OMB, including the performance team, is to help people be successful over the next six or seven months as we move into the transitions. We want the career people who are going to be here in the next administration to be very comfortable and confident in bringing to their new political leadership a program that works. We will spend the time in August, September and October visiting with agencies, working with them on the playbook and helping them understand what needs to get done. When you see the guidance, there actually is a timeline of things that need to roll out. The goal is, by this time next year, there will be a fully backed enterprise risk program, which will include the first ever risk register. Where are my risks and in what programs, both horizontally and vertically?”