Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Transcription

1 Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education FEDERAL STUDENT AID ENTERPRISE RISK MANAGEMENT GROUP Cynthia Vitters

2 1. ERM in the Federal Government 2. Drivers for Risk Management in Government 3. Risk Management in Federal Agencies 4. FSA A Performance Based Organization 5. ERM Drivers at FSA 6. FSA s ERM Organization 7. FSA s ERM Program & Strategy 8. Current State of FSA ERM Program 9. Next Steps 10. Lessons Learned/Strategies to Consider Slide 1

3 Risk Management is not a new concept within federal government Need to integrate RM into strategic and decision making process Need to abandon outdated practices of managing risks in solos and stovepipes Few success stories, best practices, and a standard methodology in and across the federal sector Problems aren t unique to federal sector Slide 1

4 New Legislation & Regulations Requiring Better Management of Risk & Improved Controls American Recovery & Reinvestment Act Revised OMB Circular A-123 Federal Managers Financial Integrity Act (FMFIA) of 1982 Improper Payments Information Act of 2002 Federal Information Security Management Act (FISMA) of 2002 Slide 1

5 Health Risk - Food and Drug Administration, Center for Disease Control Security Risks - Department of Defense, Homeland Security Financial Risks Government National Mortgage Association, Securities and Exchange Commission Transportation and Safety Risks National Transportation Safety Board External Risks United States Postal Service Slide 1

6 An Integrated ERM Model at the U.S. Department of Education Office of Federal Student Aid

7 Federal Student Aid (FSA) is the largest program office in the U.S. Department of Education (ED) Administers programs that provide the nations largest source of student aid Responsible for administration and oversight of Federal financial aid programs (Pell Grants, Stafford Loans, PLUS Loans and Campus- Based programs) Has approximately 1,000 employees (augmented by 6,000 contractors) across the county at its headquarters in Washington, D.C, and at 10 regional offices throughout the U.S. Slide 2

8 Annual budget of approximately $690 million in FY 09 Administers approximately $100 billion of financial aid a year to college students Directly manages or oversees more than $575 billion in outstanding loans representing almost 95 million student loans to more than 30 million borrowers Is led by the Chief Operating Officer who is appointed by the Secretary of Education Slide 3

9 In 1998, Congress established Federal Student Aid as the first Performance-Based Organization (or PBO) in the Federal Government As a PBO, FSA operates under a congressional mandate to achieve concrete results while improving performance FSA is required to plan and report its operational and portfolio performance in administering the federal student financial assistance programs Slide 4

10 GAO High Risk List Designation Regulatory and reporting requirements (e.g., A-123, Improper Payments Act, President s Management Agenda, etc.) Increasing external threats (i.e., terrorism, pandemics, natural disasters, privacy and/or data security breaches, etc.) Desire to reduce Fraud, Waste, and Abuse More proactive approach to addressing risk Desire for improved risk management information across the organization Slide 5

11 Includes the Enterprise Risk Management Group (ERMG) and ERM Committee The ERMG was formally established in May 2006 and is headed by FSA s Chief Risk Officer (CRO) The CRO reports to the General Manager of Enterprise Performance Management Services (EPMS) with a dotted line to FSA s Chief Operating Officer FSA s ERM Committee is comprised of five executives: Chief Financial Officer, Chief Information Officer, Chief Business Operations Officer, Chief of Staff to the COO, and the CRO Slide 7

12 Chief Operating Officer Enterprise Performance Management Services Enterprise Risk Management Group Chief Risk Officer Risk Analysis & Reporting Division Internal Review Division Risk Analysis Data Analysis Internal Review Audit Liaison Slide 9

13 The Enterprise Risk Management Group (ERMG): Provides risk management oversight & guidance to Federal Student Aid Is responsible for driving enterprise risk strategy and implementing FSA s ERM Program Performs internal reviews and risk assessments Is organized into two main areas: Risk Analysis & Reporting Division Internal Review Division Slide 10

14 Vision To create the premier Enterprise Risk Management Program in the Federal government. One that provides for an integrated view of risk across the entire Federal Student Aid organization; aligns strategic risks with the organization s goals and objectives; ensures that risk issues are integrated into strategic decision making process; and manages risk to further the achievement of performance goals. Slide 11

15 Mission To enhance the ability of Federal Student Aid to identify, assess and manage risk across the enterprise Slide 12

16 Strategy Involves Top Down and Bottom Up Approaches ERM Program is multi-phased effort Implementing a COSO-Based ERM framework Current Timeline & Project Plan Contractor assistance Slide 13

17 Top Down Approach = High Level Risk Assessment (Targeted effort to identify & assess high-level, or strategic risks at Federal Student Aid) Bottom Up Approach = Detailed Risk Assessment Activities (Comprehensive effort to identify & assess risks across the organization s 28 business units) Slide 14

18 PHASE I Creation of ERM Organization Development of Strategic Plan for ERM Program Adoption of Common Risk Language and Categories High-Level Risk Assessment PHASE II Adoption of COSO-Based ERM Framework Development of Risk Assessment Methodology Implementation of Risk Technology Solutions Conduct of Initial COSO-Based Risk Activities Slide 15

19 PHASE III Completion of Initial COSO Framework activities Use of Risk Tracking System to develop ERM reports for executive management Development of Key Risk Indicators (KRI s), trending reports and other means of risk monitoring Methodology, planning and completion of remaining framework activities: Risk Response, Control, Information, Communication, and Monitoring Slide 16

20 COSO ERM Integrated Framework The COSO ERM CUBE Slide 17

21 FSA s ERM Framework is based on the ERM framework issued by Committee of Sponsoring Organizations of the Treadway Commission (COSO) in September 2004 The COSO ERM Integrated Framework consists of eight interrelated components and four objective categories applied across an entity s units The COSO Framework was developed with a focus on stockholder owned, for profit institutions FSA is conducting activities based on the COSO framework, but utilizing additional practices, measures and approaches to maximize value in a government, PBO setting FSA s ERM Framework also includes consideration of concepts and/or guidance from other Risk Management Frameworks (e.g., ISO and AZ/NZ 4360) Slide 18

22 Creation and staffing of ERMG Organization Development of ERM Strategy and Program Adoption of COSO-Based ERM Framework Development of risk tools & resources (e.g., common risk vocabulary, categories and definitions) Development & implementation of Risk Tracking System (RTS) Conduct of High-Level (Strategic) Risk Assessments Slide 19

23 Risk Activities complete in over half of FSA s business units Over 600 business unit risks inventoried and assessed Associated risk information entered into Risk Tracking System Development of Enterprise and Strategic Level Risk Reporting Slide 20

24 FSA (Source: U.S. Postal Office) Slide 21

25 Documentation of Business Unit objectives Facilitated Risk Discussions Risk identification and categorization Cross-walk risks with A-123 and project risks Risk Ratings (Significance & Likelihood) and Aggregate Risk Scoring Heat Map Summary Report Slide 22

26 Risk Identification, Categorization & Scoring Slide 23

27 Heat Map Aggregate Risk Scores Critical (>10) - Likelihood High (9-10) - Medium ( ) Moderate (5-6.5) - Low (1-4.5) Significance Slide 24

28 ERM fully integrated into strategic planning and decision-making process All major risk types for FSA incorporated into ERM Program (i.e., business unit, project, program, and portfolio risks) Advanced risk monitoring, modeling, and trending capabilities Executive-level and comprehensive risk management organization Key risk functions fall under ERM umbrella Slide 25

29 Implementing ERM is a cultural change that takes time, resources and executive level support Assign ERM responsibility to a dedicated risk executive with direct access to the highest levels in your organization Institutional/organizational knowledge can be invaluable A separate risk organization with adequate risk resources will significantly increase chances for successfully implementing ERM Slide 26

30 Most ERM efforts, even mature ones, are works-in-process. Some flexibility is key to successfully implementing your ERM Program. ERM is a dynamic process that continues to evolve The real value of ERM is realized when it becomes a regular part of everyday business. Slide 27

31 Thank You We appreciate your feedback and comments. Cynthia Vitters (202) U.S. Department of Education Federal Student Aid Enterprise Risk Management Group