Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education (PowerPoint presentation)


  1. Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education
     FEDERAL STUDENT AID ENTERPRISE RISK MANAGEMENT GROUP
     Cynthia Vitters

  2. Agenda
     1. ERM in the Federal Government
     2. Drivers for Risk Management in Government
     3. Risk Management in Federal Agencies
     4. FSA – A Performance Based Organization
     5. ERM Drivers at FSA
     6. FSA’s ERM Organization
     7. FSA’s ERM Program & Strategy
     8. Current State of FSA ERM Program
     9. Next Steps
     10. Lessons Learned/Strategies to Consider

  3. ERM in the Federal Government
     • “Risk Management” is not a new concept within federal government
     • Need to integrate RM into the strategic and decision-making process
     • Need to abandon outdated practices of managing risks in silos and stovepipes
     • Few success stories, best practices, and a standard methodology in and across the federal sector
     • Problems aren’t unique to the federal sector

  4. New Legislation & Regulations Requiring Better Management of Risk & Improved Controls
     • American Recovery & Reinvestment Act
     • Revised OMB Circular A-123
     • Federal Managers’ Financial Integrity Act (FMFIA) of 1982
     • Improper Payments Information Act of 2002
     • Federal Information Security Management Act (FISMA) of 2002

  5. Risk Management in Federal Agencies
     • Health Risks – Food and Drug Administration, Centers for Disease Control
     • Security Risks – Department of Defense, Homeland Security
     • Financial Risks – Government National Mortgage Association, Securities and Exchange Commission
     • Transportation and Safety Risks – National Transportation Safety Board
     • External Risks – United States Postal Service

  6. An Integrated ERM Model at the U.S. Department of Education: Office of Federal Student Aid

  7. Federal Student Aid – A Performance Based Organization
     • Federal Student Aid (FSA) is the largest program office in the U.S. Department of Education (ED)
     • Administers programs that provide the nation’s largest source of student aid
     • Responsible for administration and oversight of Federal financial aid programs (Pell Grants, Stafford Loans, PLUS Loans and “Campus-Based” programs)
     • Has approximately 1,000 employees (augmented by 6,000 contractors) across the country at its headquarters in Washington, D.C., and at 10 regional offices throughout the U.S.

  8. FSA by the Numbers
     • Annual budget of approximately $690 million in FY’09
     • Administers approximately $100 billion of financial aid a year to college students
     • Directly manages or oversees more than $575 billion in outstanding loans, representing almost 95 million student loans to more than 30 million borrowers
     • Is led by the Chief Operating Officer, who is appointed by the Secretary of Education

  9. FSA as a Performance-Based Organization
     • In 1998, Congress established Federal Student Aid as the first Performance-Based Organization (or PBO) in the Federal Government
     • As a PBO, FSA operates under a congressional mandate to achieve concrete results while improving performance
     • FSA is required to plan and report its operational and portfolio performance in administering the federal student financial assistance programs

  10. ERM Drivers at FSA
     • GAO ‘High Risk List’ Designation
     • Regulatory and reporting requirements (e.g., A-123, Improper Payments Act, President’s Management Agenda, etc.)
     • Increasing external threats (i.e., terrorism, pandemics, natural disasters, privacy and/or data security breaches, etc.)
     • Desire to reduce Fraud, Waste, and Abuse
     • More proactive approach to addressing risk
     • Desire for improved risk management information across the organization

  11. FSA’s ERM Organization
     • Includes the Enterprise Risk Management Group (ERMG) and ERM Committee
     • The ERMG was formally established in May 2006 and is headed by FSA’s Chief Risk Officer (CRO)
     • The CRO reports to the General Manager of Enterprise Performance Management Services (EPMS) with a ‘dotted line’ to FSA’s Chief Operating Officer
     • FSA’s ERM Committee is composed of five executives: Chief Financial Officer, Chief Information Officer, Chief Business Operations Officer, Chief of Staff to the COO, and the CRO

  12. ERM Organization Chart
     Chief Operating Officer
       Enterprise Performance Management Services
         Enterprise Risk Management Group (Chief Risk Officer)
           Risk Analysis & Reporting Division: Risk Analysis; Data Analysis
           Internal Review Division: Internal Review; Audit Liaison

  13. The Enterprise Risk Management Group (ERMG):
     • Provides risk management oversight & guidance to Federal Student Aid
     • Is responsible for driving enterprise risk strategy and implementing FSA’s ERM Program
     • Performs internal reviews and risk assessments
     • Is organized into two main areas:
       – Risk Analysis & Reporting Division
       – Internal Review Division

  14. Vision
     “To create the premier Enterprise Risk Management Program in the Federal government. One that provides for an integrated view of risk across the entire Federal Student Aid organization; aligns strategic risks with the organization’s goals and objectives; ensures that risk issues are integrated into the strategic decision-making process; and manages risk to further the achievement of performance goals.”

  15. Mission
     “To enhance the ability of Federal Student Aid to identify, assess and manage risk across the enterprise”

  16. FSA’s ERM Program & Strategy
     • Strategy involves “Top Down” and “Bottom Up” approaches
     • ERM Program is a multi-phased effort
     • Implementing a COSO-based ERM framework
     • Current timeline & project plan
     • Contractor assistance

  17. Two Approaches
     • “Top Down” Approach = High-Level Risk Assessment (targeted effort to identify & assess high-level, or strategic, risks at Federal Student Aid)
     • “Bottom Up” Approach = Detailed Risk Assessment Activities (comprehensive effort to identify & assess risks across the organization’s 28 business units)

  18. PHASE I
     • Creation of ERM Organization
     • Development of Strategic Plan for ERM Program
     • Adoption of Common Risk Language and Categories
     • High-Level Risk Assessment
     PHASE II
     • Adoption of COSO-Based ERM Framework
     • Development of Risk Assessment Methodology
     • Implementation of Risk Technology Solutions
     • Conduct of Initial COSO-Based Risk Activities

  19. PHASE III
     • Completion of Initial COSO Framework activities
     • Use of Risk Tracking System to develop ERM reports for executive management
     • Development of Key Risk Indicators (KRIs), trending reports and other means of risk monitoring
     • Methodology, planning and completion of remaining framework activities: Risk Response, Control, Information, Communication, and Monitoring

  20. COSO ERM – Integrated Framework: The COSO ERM Cube (figure)

  21. FSA’s ERM Framework
     • FSA’s ERM Framework is based on the ERM framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in September 2004
     • The COSO ERM – Integrated Framework consists of eight interrelated components and four objective categories applied across an entity’s units
     • The COSO Framework was developed with a focus on stockholder-owned, for-profit institutions
     • FSA is conducting activities based on the COSO framework, but utilizing additional practices, measures and approaches to maximize value in a government, PBO setting
     • FSA’s ERM Framework also includes consideration of concepts and/or guidance from other Risk Management Frameworks (e.g., ISO 31000 and AS/NZS 4360)

  22. Current State of FSA ERM Program
     • Creation and staffing of ERMG Organization
     • Development of ERM Strategy and Program
     • Adoption of COSO-Based ERM Framework
     • Development of risk tools & resources (e.g., common risk vocabulary, categories and definitions)
     • Development & implementation of Risk Tracking System (RTS)
     • Conduct of High-Level (Strategic) Risk Assessments

  23. Current State (continued)
     • Risk activities complete in over half of FSA’s business units
     • Over 600 business unit risks inventoried and assessed
     • Associated risk information entered into Risk Tracking System
     • Development of Enterprise and Strategic Level Risk Reporting

  24. FSA (figure; Source: U.S. Postal Office)

  25. Business Unit Risk Assessment Steps
     • Documentation of Business Unit objectives
     • Facilitated Risk Discussions
     • Risk identification and categorization
     • Cross-walk risks with A-123 and project risks
     • Risk Ratings (Significance & Likelihood) and Aggregate Risk Scoring
     • Heat Map
     • Summary Report

  26. Risk Identification, Categorization & Scoring (figure)

  27. Heat Map (figure): risk numbers plotted by Significance (1–5, horizontal axis) against Likelihood (1–5, vertical axis). Aggregate Risk Score bands: Critical (>10), High (9 – 10), Medium (7.0 – 8.5), Moderate (5 – 6.5), Low (1 – 4.5)
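The heat map and score bands above describe the output of the rating step without stating how the aggregate score is computed. The following is an added worked example, not code from the presentation or from FSA: it assumes the aggregate score is significance multiplied by likelihood on the 1–5 scales shown on the heat map axes, applies the slide’s bands (Critical >10, High 9–10, Medium 7.0–8.5, Moderate 5–6.5, Low 1–4.5), closes the gaps between bands by using each band’s lower bound as its threshold (also an assumption), and places each risk in a heat-map cell. The risk inventory, names and ratings are constructed for illustration.

```python
"""Aggregate risk scoring and heat-map placement for a business-unit risk inventory.

Added example, not from the FSA presentation. Assumptions: the aggregate score is
significance x likelihood (each rated 1-5); scores in the gaps between the slide's
bands go to the band whose lower bound they reach. Sample risks are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: int          # number shown on the heat map
    name: str
    significance: float   # 1-5: impact if the risk materialises
    likelihood: float     # 1-5: chance that it does


def aggregate_score(risk: Risk) -> float:
    """Assumed formula: significance x likelihood, both validated to the 1-5 scale."""
    for value in (risk.significance, risk.likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"rating {value} is outside the 1-5 scale")
    return risk.significance * risk.likelihood


def rating_band(score: float) -> str:
    """Map a score to the slide's bands; thresholds are each band's lower bound."""
    if score > 10:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 7:
        return "Medium"
    if score >= 5:
        return "Moderate"
    return "Low"


def heat_map(risks):
    """Return {(likelihood_row, significance_col): sorted risk ids}.

    Fractional ratings are rounded to the nearest cell for plotting only (Python's
    round() sends .5 to the nearest even integer); the score itself is not rounded.
    """
    cells = defaultdict(list)
    for r in risks:
        cells[(round(r.likelihood), round(r.significance))].append(r.risk_id)
    return {cell: sorted(ids) for cell, ids in cells.items()}


def summary_report(risks):
    """Rows of (id, name, score, band), highest score first, ties broken by id."""
    rows = []
    for r in risks:
        score = aggregate_score(r)
        rows.append((r.risk_id, r.name, score, rating_band(score)))
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# Constructed sample inventory (illustrative names and ratings, not FSA data).
SAMPLE_RISKS = [
    Risk(1, "Key contractor staff turnover", 3, 2),
    Risk(2, "Unauthorized access to borrower personal data", 5, 3),
    Risk(3, "Pandemic disrupts regional office operations", 4, 1.5),
    Risk(4, "Improper payment from mis-keyed award data", 3.5, 2.5),
    Risk(5, "A-123 control documentation incomplete", 2, 2),
]


if __name__ == "__main__":
    for risk_id, name, score, band in summary_report(SAMPLE_RISKS):
        print(f"{risk_id:>2} {score:5.2f} {band:<9} {name}")
    for (row, col), ids in sorted(heat_map(SAMPLE_RISKS).items(), reverse=True):
        print(f"likelihood {row}, significance {col}: risks {ids}")
```

With the sample inventory, the borrower-data risk scores 15 (Critical) and sits alone in the top-right cell, while the two risks with fractional ratings round into the same cell even though their scores (6.0 and 8.75) fall in different bands; that is why the report sorts by the unrounded score rather than by cell.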

  28. Next Steps
     • ERM fully integrated into strategic planning and decision-making process
     • All major risk types for FSA incorporated into ERM Program (i.e., business unit, project, program, and portfolio risks)
     • Advanced risk monitoring, modeling, and trending capabilities
     • Executive-level and comprehensive risk management organization
     • Key risk functions fall under ERM umbrella
