Integrated Risk Management

An Interpretation of OMB’s Vision to Mature Risk Management in the Federal Government

Background

In July 2016, the Office of Management and Budget (OMB) revised OMB Circular A-123 and renamed it Management’s Responsibility for Enterprise Risk Management and Internal Control. The revised circular requires “agencies to implement an Enterprise Risk Management (ERM) capability coordinated with the strategic planning and strategic review process established by the Government Performance and Results Act Modernization Act, the internal control processes required by the Federal Managers’ Financial Integrity Act and Government Accountability Office’s Green Book.”

On June 6, 2018, OMB revised Appendix A to OMB Circular No. A-123 and renamed it Management of Reporting and Data Integrity Risk. The revised Appendix A balances the requirements to provide reasonable assurances over Internal Controls over Financial Reporting (ICOFR) “with giving agencies the flexibility to determine which control activities are necessary to achieve reasonable assurances over internal controls and processes that support overall data quality contained in agency reports.” The revision thus expands the focus of reasonable assurance from solely ICOFR to Internal Controls over Reporting (ICOR), covering both financial and nonfinancial reporting objectives. The revised Appendix A also reinforces the 2016 requirement of OMB Circular A-123 for all executive agencies “to integrate ERM processes and internal controls,” and aligns “ICOR with existing OMB Circular No. A-123 ERM efforts.” It also requires the development of a plan that integrates ERM processes and Internal Controls. Agencies should extend ERM and Internal Control efforts beyond the financial statements to the reports that affect management’s and external stakeholders’ decision-making across an agency’s enterprise.

This poses a challenge because many organizations currently operate their Internal Control and ERM programs independently, in a siloed environment, and struggle to visualize how to fully integrate the two to create effective long-term mitigation strategies. In addition, the guidance from OMB stresses the need to assess the quality of data included in financial and nonfinancial reports used by management and external stakeholders for decision-making and risk management.

Kate Sylvis, Director

Andreia Bodale, Director

Antoine (Tony) Jabre-Elachkar, Partner

Luke Rininger, Director



Guidehouse is a global advisory, technology, and managed services firm delivering value to commercial businesses and federal, state, and local governments. Serving industries focused on communities, energy, infrastructure, healthcare, financial services, defense, and national security, Guidehouse positions clients for AI-led innovation, efficiency, and resilience.
