

Tackling Enterprise Risk Management (ERM) in Government

Understanding the Office of Management and Budget’s (OMB's) Circular A-123 and implementing ERM in your agency

Federal agencies face unprecedented risks to achieving their mission, goals, and objectives. To confront this dynamic risk environment, OMB raised the bar and expects agencies to identify and manage risks effectively using an enterprise approach. These expectations and related requirements are prescribed in a revised OMB Circular A-123, titled Management’s Responsibility for Enterprise Risk Management and Internal Control.

Our view: How to advance Federal Enterprise Risk Management

Since the 2016 revision to OMB Circular No. A-123, “Management’s Responsibility for Enterprise Risk Management and Internal Control,” agencies have made progress in establishing ERM programs to create an integrated view of risks to their organization and manage them to an acceptable level. Deloitte and the Partnership for Public Service have researched the progress made in advancing ERM and defined steps to support greater ERM maturity—culminating in this May 2020 issue brief titled Mastering Risk.


ERM benefits

When appropriately implemented, ERM enables greater enterprise-wide discipline and reliability to help agencies better manage risks.

  1. Reduces chance of crises and problems, thereby allowing leadership to focus more on mission priorities
  2. Helps protect the agency’s reputation
  3. Identifies, elevates, and manages risks so that the right risks get to the right people at the right time
  4. Creates a culture where risk identification and elevation is encouraged and rewarded
  5. Builds line-of-sight into risks across organizational stovepipes to create the opportunity to leverage mitigation approaches for risks with similar root causes
  6. Provides greater knowledge and insights into enterprise risk to improve resource allocation and strategic decision-making


Early stages of ERM implementation

In OMB’s revised Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, released on July 15, 2016, OMB raised the bar on expectations for risk management. The Circular modernizes existing agency risk management and internal control efforts by requiring agencies to implement an ERM capability coordinated with the organization’s strategic planning process. Establishing an effective ERM program to address an agency’s universe of risks can unlock the value of ERM: leadership can focus more on mission priorities rather than on crises and problems, the agency’s reputation is better protected, and strategic planning and budget decisions are better informed.

Continuing to mature ERM capabilities

Turning your risk profile into an action plan using risk appetite
Risk appetite gives organizational leaders a measuring tool to prioritize risks for action or to capitalize on opportunities. Risk appetite (and risk tolerance) are vital to setting parameters around how much risk the organization is willing to accept, showing where it is overexposed to risk, and providing guideposts for whether risk taking will achieve strategic results. Risk appetite can be used within ERM and other programs to inform a risk profile; conversely, risk profiles can be used by organizational leaders to codify their risk appetite and inform risk response planning.

Adapting ERM for sustainability
Many agencies have learned that the way to success and sustainment in an ERM program is not through a standard “textbook” implementation, but through a flexible and adaptable approach. As a result, programs on the leading edge of government ERM are seeking guidance to adapt their processes and frameworks for sustainability by creatively navigating the many challenges that ERM programs face. By recognizing the challenges facing an ERM program and adapting to those challenges, ERM leaders can be better positioned to build sustainable programs.

Integrating ERM with operational risk management
As federal agencies continue to mature their ERM programs, many are asking how risk management at the enterprise level relates to risk management at the program, function, or operating-unit levels. If ERM is disconnected from the offices responsible for mission delivery, then risks may be identified but never elevated. Integrating ERM with operational risk management holds great opportunity to unlock performance gains that can advance an agency’s mission. To unlock those gains, agencies should build on what is already in place and working well within the agency, so that risk information that is already implicit in those activities can be surfaced and acted upon, increasing the value of that information.

Integrating ERM with management activities
As agencies mature their ERM programs, greater value can be driven by leveraging ERM to support and strengthen other agency-wide management activities. Mature ERM programs have enterprise risk profiles that drive risk awareness, mature enterprise risk governance capabilities that drive risk accountability, and risk and performance metrics that drive performance and operational effectiveness. How and when ERM is integrated with other agency-wide management activities depends on a variety of factors and should be tailored to each agency’s unique circumstances.

Integrating ERM with internal control
Integrating internal control with an ERM program can enhance an agency’s ability to systematically identify and manage risks across the organization potentially resulting in increased value. To avoid common pitfalls, ERM and internal control should not be considered as independent risk management functions, but rather as an integrated and cohesive framework to drive strategic decisions across the enterprise. By integrating internal control and ERM programs, an agency can prioritize and respond to risks more effectively and efficiently.

Integrating ERM with strategy
Integrating ERM and strategic planning can make strategic plans stronger while helping focus limited resources on the risks that matter most. An effective ERM program provides visibility into the universe of risks that can impact an agency’s ability to deliver its mission—a mission often articulated in a strategic plan. As a result, the strategic planning process is an ideal place to find—and in some cases respond to—a surprisingly overlooked type of enterprise risk: Strategic risks.

Using ERM to inform OMB’s strategic review process
The annual strategic review assesses departments’ and agencies’ progress in meeting the mission, management, and crosscutting strategic objectives contained in their strategic plans. It informs strategic decision-making, budget formulation, near-term actions, and annual performance reporting. Section 260 of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, provides guidance on performance reviews, strategic reviews, and ERM, and required covered organizations to submit a summary of findings to OMB in Spring 2019. The summary of findings must include a discussion of the key findings from the organization’s updated ERM risk profile. The ERM guidance in Circular A-11 is expanded on in OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. The table below shows which types of organizations are covered by OMB’s guidance.


ERM success factors and why Deloitte Risk and Financial Advisory

To achieve a positive, short-term impact and set the stage for long-term program maturation, Deloitte Risk and Financial Advisory recommends a phased approach to implementing and sustaining an ERM program.

An agency’s success will be impacted by the following factors:

  • Acquiring and maintaining buy-in from top leadership
  • Framing ERM as a program to help achieve its mission, not as a “gotcha” exercise
  • Using a consistent and common framework to identify and manage risk across the agency
  • Integrating the framework into the agency’s current risk-management capabilities
  • Tailoring the framework to the agency’s mission and programs, culture, and organizational and management structure
  • Creating a culture where identification and elevation of risks is encouraged and rewarded

For more than a decade, Deloitte Risk and Financial Advisory’s ERM specialists have helped over 100 clients implement and mature ERM programs, including small and large federal agencies and Fortune 250 organizations.

Deloitte named a global leader in Enterprise Risk Management Consulting


Leadership in federal ERM

We are passionate about supporting federal agencies implementing ERM, and recognize that our clients face unprecedented risks in achieving their mission, goals, and objectives. As an illustration of this commitment, Deloitte is entering its fifth year of working with the Partnership for Public Service to support ongoing ERM-focused events aimed at facilitating discussions on ERM topics of interest, initiatives, leading practices, and OMB updates. These events have helped create a sense of community among federal Chief Risk Officers (CROs), ERM and internal control practitioners, and OMB. Further, we stay on top of federal ERM developments through our involvement in the Association for Federal Enterprise Risk Management (AFERM). Insights gained from this exposure mean we understand not only “what” OMB is requiring with its new ERM guidance, but also “why” and “how”.

In the news

How federal employees can become card-carrying experts on risk management
Federal News Network | November 6, 2018

Update on enterprise risk management in government
Government Matters | December 4, 2017

Federal CFO: Preparing for ERM implementation
The Wall Street Journal | November 10, 2017

Agencies get a new playbook for managing risks
Government Executive | August 3, 2016

7 steps to raise the bar on your agency’s enterprise risk management strategy
Federal News Radio | July 29, 2016

OMB prepares to ratchet up enterprise risk management
Government Executive | February 29, 2016

For media inquiries, please contact Megan Doern
+1 202 368 0524

Get in touch

Cynthia Vitters

Managing Director | Deloitte & Touche LLP

Cynthia is a Deloitte Risk and Financial Advisory managing director at Deloitte & Touche LLP’s Government & Public Services practice and assists federal clients in developing and implementing Enterpri...