OMB Circular A-123 Revision
The long-awaited OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, was finally issued on July 15, 2016. We all knew that it would contain new requirements for Enterprise Risk Management (ERM), but we did not know exactly what it would require or what else would change or be added. For starters, the document grew from 16 substantive pages to a little over 48 pages, which gives some idea of the scope of the changes. Below is a definition of ERM and a summary of the significant additions and changes to the circular.
ERM as defined in the Circular: “ERM is an effective agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.”
In other words, rather than looking at risks just on a program-by-program basis – or just by division, directorate, function, or even bureau – entity-wide (i.e., department-wide, agency-wide, etc.) assessments will be done. In the past, A-123 did not address risk this way, and most agencies did not do entity-wide risk assessments, while a few did set up formal ERM programs.
Summary of New A-123 Requirements
Agencies are required to implement an ERM capability coordinated with:
- The strategic planning and review process established by GPRAMA
- The internal control processes required by the Federal Managers Financial Integrity Act (FMFIA)
- GAO’s Green Book
That’s a lot of new work for most agencies! This is the first time agencies have been required to associate internal control assessments with the overall performance and strategic planning processes required by the Government Performance and Results Modernization Act (GPRAMA). To make the association, OMB provides references in A-123 to the pertinent parts of OMB Circular A-11, Budget Formulation and Execution.
In terms of deadlines and deliverables, agencies must:
- Develop an ERM implementation approach. DUE: As soon as practicable before June 2017.
- Develop a risk profile in coordination with agency strategic reviews. DUE: June 2, 2017.
- Integrate ERM assessments with management evaluation of internal control as required by FMFIA. DUE: September 15, 2017 (to be covered by the annual statement of assurance and reported in the Agency Financial Report (AFR) or Performance and Accountability Report (PAR)).
Other New Requirements for Assessing Internal Control
While the above points represent the new A-123 requirements for ERM, there are further requirements for enhancing the internal control assessments that have always been required, most notably the following:
While internal control assessments were always supposed to be done by measuring against the GAO’s Standards for Internal Control in the Federal Government (the Green Book), the new A-123 lays down much more detailed guidance on how to use the standards. For example, agencies must now document assessments not only for the five components of the standards, but also for the 17 principles underlying the components. Also, if an agency concludes that one of the principles has not been achieved, it must report that as a material weakness in its annual statement of assurance.