ERM Requirements for Federal Agencies Could Trigger Changes for Government Contractors (article)
In July 2016, the federal Office of Management and Budget (OMB) issued an update to OMB Circular A-123 that requires all federal agencies to implement an Enterprise Risk Management (ERM) program. Integrated governance structures have the potential to improve agencies’ ability to deliver on their mission, reduce costs and focus corrective actions on key risks. They can also help improve the accountability and effectiveness of federal programs.
Since this memorandum was issued to the heads of executive departments and agencies, federal organizations have been working to build out and implement ERM frameworks within their organizations. As more ERM frameworks are implemented, organizations outside of the federal government will begin to be affected. It is likely that many agencies will create or redefine procurement requirements. Any organization currently contracted or bidding to perform work with a federal agency should consider implementing its own ERM program to remain competitive in the federal market.
What is ERM?
Risk is an inevitable part of any operating environment. It is also constantly evolving as new markets emerge, cyber-threats are revealed or regulations change. These risks threaten the entire organization, not just a single business unit, process or product.
ERM provides a framework that aligns risk management with the strategic goals of the entire enterprise and applies consistent tools and communications from department to department. This type of framework is particularly useful when an organization has limited resources to respond to all risks, because it allows management to focus on monitoring and mitigating significant risks that pose a major threat to the key areas of operations.
ERM is Not One-Size-Fits-All
Every organization is unique in structure, and it is important that the Board of Directors and senior management determine an ERM model that will meet those specific needs. There are a variety of well-established frameworks, like COSO’s Enterprise Risk Management Integrated Framework, that can be considered as a resource during this process. Regardless of which framework you use as a guide, the most important factor to consider is that your ERM program remains flexible to respond to changes to your needs or organizational structure.
Common Elements to Consider
Although there are many models for how ERM should be implemented, there are six common elements that all approaches tend to include:
- Define Context: Organizations need to understand the context in which their operations function, including the constraints that influence decision-making and any key assumptions. Defining this context will inform and shape the overall ERM program and implementation.
- Identify Risks: Management needs to identify all potential risks to the organization, pinpointing the key risks that are significant to achieving organizational goals. Then, organizations should create a risk profile that categorizes these risks based on their threat to the organization. Consider risk velocity (how quickly a risk, once triggered, produces its impact) as part of the risk profile analysis, as some key risks may take a long time to cause harm while others may cause harm immediately.
- Analyze Risks: Once your risks are identified and categorized, management should consider where the risks come from, the likelihood that they will occur and the potential outcome. It is possible that risk is an integral part of your operations. If this is the case, management should evaluate the potential benefits in relation to the inherent or perceived risk.
- Prepare to Respond: A plan for responding to the risks identified is critical. Management should understand the organization’s risk appetite and develop a strategy to accept, transfer, share, avoid or mitigate major risks.
- Allocate Resources: When the response strategy is in place, management should determine which resources, such as budget, staff or technology, will be allocated to execute that strategy. The approach should be evaluated over time to determine if any adjustments need to be made.
- Continuously Review: ERM is an ongoing process. Risk identification and assessment should be reiterated, and management should regularly review and update the risk information to account for changes both internally and externally.
For More Information
Successful integration of ERM into day-to-day practices gives management the opportunity to accept, avoid, mitigate or transfer risk, resulting in more efficient operations. The ability to demonstrate an effective ERM program as part of your overall strategic plan will help federal agencies view your organization as less of an overall risk when considering whether or not to contract with you. To learn more about the federal government’s ERM best practices, you can download a copy of the Playbook: Enterprise Risk Management for the U.S. Federal Government or reach out to a CBIZ risk management professional.
Copyright © 2016, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).