United States Government Accountability Office
Highlights of GAO-17-63, a report to the
Committee on Oversight and Government
Reform, House of Representatives
December 2016
ENTERPRISE RISK MANAGEMENT
Selected Agencies' Experiences Illustrate Good Practices in Managing Risk
What GAO Found
Enterprise Risk Management (ERM) is a forward-looking management approach that allows agencies to assess threats and opportunities that could affect the achievement of their goals. While there are a number of different frameworks for ERM, the figure below lists the essential elements an agency needs in order to carry out ERM effectively. GAO reviewed its risk management framework and incorporated changes to better address recent and emerging federal experience with ERM and to identify the essential elements of ERM shown below. GAO has also identified six good practices to use when implementing ERM.
Figure: Essential Elements and Good Practices of Enterprise Risk Management (ERM). Source: GAO. | GAO-17-63
(Only the good-practice text of the figure survived extraction; the essential-element labels are fragmentary: "Align ERM process to goals and ...", "Select Risk ...", "Communicate and ...".)

Leaders Guide and Sustain ERM Strategy
Implementing ERM requires the full engagement and commitment of senior leaders, supports the role of leadership in the agency goal-setting process, and demonstrates to agency staff the importance of ERM.

Develop a Risk-Informed Culture to Ensure All Employees Can Effectively Raise Risks
Developing an organizational culture that encourages employees to identify and discuss risks openly is critical to ERM success.

Integrate ERM Capability to Support Strategic Planning and Organizational Performance Management
Integrating the prioritized risk assessment into strategic planning and organizational performance management processes helps improve budgeting, operational, and resource allocation planning.

Establish a Customized ERM Program Integrated into Existing Agency Processes
Customizing ERM helps agency leaders regularly consider risk and select the most appropriate risk response that fits the particular structure and

Continuously Manage Risks
Conducting the ERM review cycle on a regular basis and monitoring the selected risk response with performance indicators allows the agency to track results and impact on the mission, and to determine whether the risk response is successful or requires additional actions.

Share Information with Internal and External Stakeholders to Identify and Communicate Risks
Sharing risk information and incorporating feedback from internal and external stakeholders can help organizations identify and better manage risks, as well as increase transparency and accountability to Congress and
View GAO-17-63. For more information, contact J. Christopher Mihm at (202) 512-
Why GAO Did This Study
Federal leaders are responsible for managing complex and risky missions. ERM is a way to assist agencies with managing risk across the organization. In July 2016, the Office of Management and Budget (OMB) issued an updated circular requiring federal agencies to implement ERM to ensure that federal managers are effectively managing risks that could affect the achievement of agency strategic objectives.

GAO's objectives were to (1) update its risk management framework to more fully include evolving requirements and essential elements for federal enterprise risk management, and (2) identify good practices that selected agencies have taken that illustrate those essential elements.

GAO reviewed literature to identify good ERM practices that generally aligned with the essential elements and validated these with subject matter specialists. GAO also interviewed officials representing the 24 Chief Financial Officers (CFO) Act agencies about ERM activities and reviewed documentation, where available, to corroborate officials' statements. GAO studied agencies' practices using ERM and selected examples that best illustrated the essential elements and good practices of ERM.

GAO provided a draft of this report to OMB and the 24 CFO Act agencies for review and comment. OMB generally agreed with the report. Of the CFO Act agencies, 12 provided technical comments, which GAO incorporated as appropriate; the others did not provide any comments.