Tackling Enterprise Risk Management (ERM) in Government

Understanding the Office of Management and Budget’s (OMB's) Circular A-123 and implementing ERM in your agency

Federal agencies face unprecedented risks to achieving their mission, goals, and objectives. To confront this dynamic risk environment, OMB raised the bar and expects agencies to effectively identify and manage risks using an enterprise approach. These expectations and related requirements are prescribed in a revised OMB Circular A-123 titled Management’s Responsibility for Enterprise Risk Management and Internal Control.

Our view: How to advance Federal Enterprise Risk Management

Since the 2016 revision to OMB Circular No. A-123, “Management’s Responsibility for Enterprise Risk Management and Internal Control,” agencies have made progress in establishing ERM programs to create an integrated view of risks to their organization and manage them to an acceptable level. Deloitte and the Partnership for Public Service have researched the progress made in advancing ERM and defined steps to support greater ERM maturity—culminating in this May 2020 issue brief titled Mastering Risk.

Issue brief: Mastering Risk

Continuing to mature ERM capabilities

Turning your risk profile into an action plan using risk appetite
Risk appetite gives organizational leaders a measuring tool to prioritize risks for action or capitalize on opportunities. Risk appetite (and tolerance) are vital to setting parameters around how much risk the organization is willing to accept and where it is overexposed to risk, and they provide guideposts for whether risk taking will achieve strategic results. Risk appetite can be used within ERM and other programs to inform a risk profile, or risk profiles can be used by organizational leaders to codify their risk appetite to inform risk response planning.

Adapting ERM Program for Growth
ERM must continuously adapt and innovate to maintain momentum, expand executive buy-in, and drive shifts to organizational risk culture to deliver its value. To continue to grow and achieve maximum benefit for an ERM program, leadership must adapt by being realistic about the enterprise, embracing risk, and making an impact through risk management. Agencies can create ERM growth for long-term success by focusing on these key areas to help foster and build a risk-aware culture that highlights ERM at all levels.

Integrating ERM with Operational Risk Management
As federal agencies continue to mature their ERM programs, many are asking how risk management at the enterprise-level relates to risk management at the program, function, or operation unit levels. If ERM is disconnected from the offices responsible for mission delivery, then risks may be identified but not elevated. This could cause agencies to miss opportunities to properly resource and effectively manage those risks and create the potential for those risks to mushroom into agency-wide crises.

Integrating ERM with Management Activities
As agencies mature their ERM programs, greater value can be driven by leveraging ERM to support and strengthen other agency-wide management activities. These management activities, which are critical to mission success, include strategy, program integrity, internal control, fraud, performance, budget, and cyber. Important information from an ERM program that can and should be integrated and shared across these activities includes: a risk profile, risk analytics & sensing, risk responses, risk appetite, risk tolerances, and key risk indicators (KRIs).

Integrating ERM with Strategic Planning
Agencies rely on strategic planning to deliver on their mission; however, risks to the agency’s ability to deliver on its mission lie within the strategic objectives. Incorporating ERM functions to provide data and findings from ERM during the strategic planning process can help address both mission and mission-support challenges and opportunities.

ERM to Inform OMB’s Strategic Review Process
The annual Strategic Review assesses departments’ and agencies’ progress in meeting the mission, management, and cross-cutting strategic objectives contained in their strategic plans. It informs strategic decision-making, budget formulation, near-term actions, and annual performance reporting. Section 270 of the Office of Management and Budget (OMB) Circular A-11, Preparation, Submission, and Execution of the Budget, provides guidance on Performance Reviews, Strategic Reviews, and Enterprise Risk Management (ERM) and requires covered organizations to conduct strategic reviews annually. ERM is designed to make the Strategic Review more robust, enabling risk-informed decision-making, budget formulation, and performance analysis and reporting. Effectively integrating ERM into core ongoing business processes requires the engagement of critical stakeholders and their support. Effective ERM implementation involves breaking down silos and increasing transparency. Without using the risk profile to inform the Strategic Review process, department or agency leadership could potentially fail to understand risks that can only be effectively addressed through an organization-wide action plan.

ERM success factors and why Deloitte Risk and Financial Advisory

To achieve a positive, short-term impact and set the stage for long-term program maturation, Deloitte Risk and Financial Advisory recommends a phased approach to implementing and sustaining an ERM program.

An agency’s success will be impacted by the following factors:

  • Acquiring and maintaining buy-in from top leadership
  • Framing ERM as a program to help achieve its mission, not as a “gotcha” exercise
  • Using a consistent and common framework to identify and manage risk across the agency
  • Integrating the framework into the agency’s current risk-management capabilities
  • Tailoring the framework to the agency’s mission and programs, culture, and organizational and management structure
  • Creating a culture where identification and elevation of risks is encouraged and rewarded

For more than a decade, Deloitte Risk and Financial Advisory’s ERM specialists have helped over 100 clients implement and mature ERM programs, including small and large federal agencies and Fortune 250 organizations.

Deloitte named a global leader in Enterprise Risk Management Consulting

Leadership in federal ERM

We are passionate in supporting federal agencies implementing ERM, and recognize that our clients face unprecedented risks in achieving their mission, goals, and objectives. As an illustration of this commitment, Deloitte is entering its fifth year of working with the Partnership for Public Service to support ongoing ERM-focused events aimed at facilitating discussions on ERM topics of interest, initiatives, leading practices, and OMB updates. These events have helped create a sense of community among other federal Chief Risk Officers (CRO), ERM and internal control practitioners, and OMB. Further, we stay on top of federal ERM developments through our involvement in the Association for Federal Enterprise Risk Management (AFERM). Insights gained from this exposure mean we understand not only “what” OMB is requiring with its new ERM guidance, but also “why” and “how”.

In the news

How federal employees can become card-carrying experts on risk management
Federal News Network | November 6, 2018

Update on enterprise risk management in government
Government Matters | December 4, 2017

Federal CFO: Preparing for ERM implementation
The Wall Street Journal | November 10, 2017

Agencies get a new playbook for managing risks
Government Executive | August 3, 2016

7 steps to raise the bar on your agency’s enterprise risk management strategy
Federal News Radio | July 29, 2016

OMB prepares to ratchet up enterprise risk management
Government Executive | February 29, 2016

For media inquiries, please contact Megan Doern
+1 202 368 0524

Get in touch

Cynthia Vitters

Managing Director | Deloitte & Touche LLP

Cynthia Vitters leads Deloitte’s Government and Public Service Enterprise Risk Management with experience helping colleges and universities build and mature their risk programs....