Enterprise Risk Management Practitioner’s Guide for Offices of Inspectors General · PDF file 2019-12-27

    Enterprise Risk Management Practitioner’s Guide for Offices of Inspectors General

    OCTOBER 2019


    EXECUTIVE SUMMARY

    As with all public sector organizations, OIGs face risks to achieving their mission, goals, and objectives. Risks associated with talent recruitment and retention, complex operations, technological breakthroughs, public perception, budget shortfalls, and organizational culture may not promote OIG engagement, high performance, or transparency. OIGs need to identify risk challenges that lie ahead to remain flexible, respond to changes in their particular risk environment, and create public value. ERM is a useful process that improves decision-making by providing an understanding of both risks and opportunities associated with mission accomplishment. Essentially, ERM is a holistic approach that uses an enterprise-wide lens to identify and prioritize internal and external risks to the organization, along with related mitigation efforts. The key to an effective ERM capability is for entities to understand the combined impact of risks in an interrelated portfolio, rather than by addressing risks only within silos. The objective of this guide is to share good practices for ERM implementation activities in an effort to facilitate the adoption of ERM within the OIG community. This guide is not prescriptive. Each OIG should take into account the strength of its existing risk management controls, budget, organizational culture, and structure and size before choosing to develop an ERM implementation strategy. That is, each OIG should customize an ERM approach that complements its unique mission, vision, core values, goals, objectives, and available resources. Although the good practices described in the guide highlight the experiences of practitioners within the IG community, these experiences can serve as a useful resource for any Federal agency or public sector organization seeking to implement or enhance ERM practices. 
    The contributors to this guide, a group of ERM professionals within OIG organizations, have had the opportunity to plan, champion, and implement ERM programs within their organizations, while experimenting with different approaches and techniques along the way. During the development of this guide, working group members relied on their expertise, combined with real-world experiences, to steer the reader through developing, implementing, integrating, and sustaining ERM.

    Purpose

    The purpose of the Enterprise Risk Management (ERM) Practitioner’s Guide is to provide good practices and share lessons learned with Federal Offices of Inspector General (OIG) that seek to develop and implement an ERM program. This guide offers practitioners insights and considerations on how to identify and manage potential risk events that may affect mission goals and objectives, as well as how to develop a basic governance and management structure to oversee and implement risk management activities. The guide facilitates implementation of the Council of Inspectors General on Integrity and Efficiency’s (CIGIE) Silver Book, the Office of Management and Budget (OMB) Circular A-123, the Fraud Reduction and Data Analytics Act of 2015, and other applicable guidelines.

    Approach

    Members from ten OIG organizations with expertise in ERM volunteered to share their good practices. They participated in workshops and group discussions leading to the development of this guide. The guide was subject to extensive review to ensure harmonization, readability, and plain language.


    TABLE OF CONTENTS

    EXECUTIVE SUMMARY ... i
    INTRODUCTION ... 1
        Background ... 1
        CIGIE Enterprise Risk Management Working Group ... 1
        How to Use This Guide ... 1
    ERM CONSIDERATIONS ... 3
        Seeking ERM Champions ... 3
        Placement of the ERM Function ... 5
        Reporting Lines ... 5
        ERM Staffing ... 6
        Risk Management Council ... 7
        Organizational Culture ... 8
        Available Guidance ... 9
    DEVELOPING AN ERM FRAMEWORK ... 11
        Implementation Plan ... 12
        Strategy and Objectives ... 12
        Establishing the Context ... 14
        Internal Considerations ... 14
        External Considerations ... 14
        Developing Risk Categories ... 15
        Risk Attitude ... 16
        Risk Management Philosophy ... 16
        Risk Appetite ... 17
        Risk Tolerance ... 19
        Risk Assessment ... 19
        Risk Rating Criteria ... 19
        Risk Assessment Scales ... 20
        Impact Rating Criteria ... 20
        Likelihood Rating Criteria ... 20
        Effectiveness of Controls Rating Criteria ... 22
        Risk Velocity Rating Criteria ... 22
        Scoring and Depicting Results ... 23
    IMPLEMENTING ERM ... 26
        Leveraging CIGIE, Federal Agencies (non-OIG), and Private Sector Networks ... 26
        Record Keeping of Enterprise Risk Management Materials ... 27
        Risk Management Discussions with Your Agency ... 27
        Identifying Risks ... 28
        Planning In-Person Interviews ... 29
        Conducting Interviews ... 30
        Aggregating and Analyzing Risks ... 31
        Inherent Risk and Residual Risk ... 32
        Developing a Risk Profile ... 32
        Approaches for Developing a Risk Profile ... 33
        Analyzing Risks ... 34
        Implementing Risk Appetite ... 35
        Leveraging the Risk Profile to Enhance Internal Controls and Decision-Making ... 36
        Visualization O