How can the OIG’s risk assessment process for audit planning purposes coexist with the ERM program’s assessment for risk management purposes? Where is the line drawn for collaboration?
AFERM Experts Say...
When it comes to discussing matters of risk management within an organization, there will always be some overlap. However, the Risk Manager should remain focused on the primary business/mission objective, the risk created from executing toward that objective, and what responses the organization would have for the risk created.
When discussing the OIG and an Agency’s programs, it is very interesting indeed. The OIG and Agency Programs have very different objectives (i.e., the Agency executes the mission and the OIG provides assurance that the mission was executed appropriately and in compliance with laws and regulations).
“Drawing the line” is a good way to think about this, using the “who goes first” paradigm. Essentially, it is a paradigm that helps illustrate the cause-and-effect relationship within the Agency’s risk universe.
First, we have the Agency, which must execute its mission. An Agency is a collection of Programs, separated into Offices and Departments for administrative control. These Programs, once funded, initiate execution and create risks, specifically located within each Program’s execution toward its programmatic objectives.
Next, we have the Highest Level of Administrative Control within the Agency managing the Enterprise-Wide risk to the Program portfolio in its entirety by maintaining an ERM program.
Then, we have the OIG. The OIG, formed in response to the risk created by Program execution, performs its own risk assessment. The expectation is that the OIG may leverage the Agency’s ERM program for risk, risk response, and resource application information, but the OIG may also add risk factors that the Agency may not have included, or may increase or decrease the prioritization of risk ranking for its own purposes: the achievement of a risk-adjusted audit plan or investigation schedule.
So where should we draw the line? It is more like a Venn diagram, but we must remember that 1) the Agency goes first, 2) the OIG comes after, 3) the Agency’s ERM process is focused on managing the enterprise-wide risk of achieving programmatic objectives within given resource constraints, and 4) the OIG’s risk management process is focused on managing the risk of providing inspection and investigation assurance on the compliance, and ultimately the effectiveness and efficiency, of that execution.
In mature agencies and programs, OIG input into the Agency’s ERM process will be very helpful as long as it does not blur the lines of independence, and as long as Agency executives seek to have that conversation.