… agencies are best served by a strong and independent risk management function positioned as high in the organizational structure as possible.
Ask the Expert
How will auditors audit ERM, since this is different from regulation and procedure compliance? What conversations are happening with IGs to ensure they understand how ERM works?
… starting with foundational ERM program elements with a clear direction for program development and maturity will compel the audit team to consider how the agency is approaching its ERM program…
How can the OIG’s risk assessment process for audit planning purposes coexist with the ERM program’s assessment for risk management purposes? Where is the line drawn for collaboration?
When it comes to discussing matters of risk management within an organization, there will always be some overlap. However, the Risk Manager should remain focused on the primary business/mission objective, the risk created from executing toward that objective, and what responses the organization would have for the risk created. When discussing the OIG and an (more…)
The COSO ERM – Integrated Framework identifies three approaches to communicating an organization’s risk appetite (e.g., through a general statement, by organization objectives, or by risk types identified by the organization). What organizational characteristics would benefit from each of these methods?
Risk appetite denotes the level and nature of risk that is acceptable. Risk tolerance refers to the degree of variability in Return on Investment (ROI) in programmatic execution or administration that an Agency is willing to withstand. Risk appetites and tolerances should be set at the Governance level, Executive level, and Operational level and should (more…)
How do you maintain precise risk trigger descriptions when you aggregate risk profiles from low organizational levels to higher-level summary risks? It becomes difficult to know which trigger event is monitored to determine when a risk response should be executed.
A risk trigger is an event or series of events that activate the execution of a particular action, usually associated with mitigation strategy or execution of contingency plans. Risk thresholds define the boundaries of fluctuation for those triggers. This is a difficult challenge. It is almost impossible without first defining an actual risk event scenario, (more…)
I have yet to hear of anyone’s risk profile, including my own, that includes opportunities, even though A123 requires risk profiles to include opportunities. Why is that?
Because of the Federal government’s unique position, in comparison to perhaps a commercial entity, the Federal government tends to lean towards stability instead of volatility. This places more emphasis on managing downside risks, or threats, and seeking to monitor or minimize the accompanying risk exposure. Identifying and seeking to exploit opportunities involves numerous constraints in the Federal space…
Considering the current market for Federal ERM professionals, would it be highly unlikely to find a 10-year professional within a salary range of $95K – $105K?
Like any professional, the salary range for an ERM professional with 10 years of working experience will depend on many factors. Formal education, relevant peripheral experience (e.g., strategic planning, performance management, internal controls, audit, etc.), closely aligned experience (i.e., risk management and ERM), and specific familiarity with the organization and/or similar projects all play into (more…)
After compiling the risk register, how do you score the risk? How do you score the claimed effectiveness of mitigation?
Compiling risk registers and claiming treatment effectiveness.
How many small and large Federal agencies have Enterprise Risk Management programs?
Wade, the OMB A-123 update of July 15, 2016, required ERM to be implemented at all executive agencies, regardless of size. How robustly those agencies are implementing ERM is another question, and one that has not been authoritatively addressed to the best of my knowledge. There is an A-123 requirement, however, that ERM and internal controls (more…)
Do you know of a repository for risk management specialist position descriptions?
Doug, I wish I knew of such a repository. We face many challenges in our risk management community. One challenge is that risk management is too seldom recognized as an actual discipline of knowledge. The recognition of Enterprise Risk Management is rising rapidly in the Federal government. This suggests that risk management will become more broadly recognized as (more…)