Exploring the Maturity of Risk - PowerPoint PPT Presentation



SLIDE 1

FEDERAL STUDENT AID

ENTERPRISE RISK MANAGEMENT GROUP

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Cynthia Vitters

SLIDE 2


1. ERM in the Federal Government
2. Drivers for Risk Management in Government
3. Risk Management in Federal Agencies
4. FSA – A Performance Based Organization
5. ERM Drivers at FSA
6. FSA’s ERM Organization
7. FSA’s ERM Program & Strategy
8. Current State of FSA ERM Program
9. Next Steps
10. Lessons Learned/Strategies to Consider
SLIDE 3


  • “Risk Management” is not a new concept within federal government
  • Need to integrate RM into strategic and decision making process
  • Need to abandon outdated practices of managing risks in silos and stovepipes
  • Few success stories, best practices, or standard methodologies in and across the federal sector
  • Problems aren’t unique to federal sector
SLIDE 4


New Legislation & Regulations Requiring Better Management of Risk & Improved Controls

  • American Recovery & Reinvestment Act
  • Revised OMB Circular A-123
  • Federal Managers’ Financial Integrity Act (FMFIA) of 1982
  • Improper Payments Information Act of 2002
  • Federal Information Security Management Act (FISMA) of 2002

SLIDE 5


  • Health Risks – Food and Drug Administration, Centers for Disease Control
  • Security Risks – Department of Defense, Homeland Security
  • Financial Risks – Government National Mortgage Association, Securities and Exchange Commission
  • Transportation and Safety Risks – National Transportation Safety Board
  • External Risks – United States Postal Service

SLIDE 6

An Integrated ERM Model at the U.S. Department of Education Office of Federal Student Aid

SLIDE 7
  • Federal Student Aid (FSA) is the largest program office in the U.S. Department of Education (ED)
  • Administers programs that provide the nation’s largest source of student aid
  • Responsible for administration and oversight of Federal financial aid programs (Pell Grants, Stafford Loans, PLUS Loans and “Campus-Based” programs)
  • Has approximately 1,000 employees (augmented by 6,000 contractors) across the country at its headquarters in Washington, D.C., and at 10 regional offices throughout the U.S.

SLIDE 8
  • Annual budget of approximately $690 million in FY’09
  • Administers approximately $100 billion of financial aid a year to college students
  • Directly manages or oversees more than $575 billion in outstanding loans representing almost 95 million student loans to more than 30 million borrowers
  • Is led by the Chief Operating Officer who is appointed by the Secretary of Education

SLIDE 9
  • In 1998, Congress established Federal Student Aid as the first Performance-Based Organization (or PBO) in the Federal Government
  • As a PBO, FSA operates under a congressional mandate to achieve concrete results while improving performance
  • FSA is required to plan and report its operational and portfolio performance in administering the federal student financial assistance programs

SLIDE 10
  • GAO ‘High Risk List’ Designation
  • Regulatory and reporting requirements (e.g., A-123, Improper Payments Act, President’s Management Agenda, etc.)
  • Increasing external threats (i.e., terrorism, pandemics, natural disasters, privacy and/or data security breaches, etc.)
  • Desire to reduce Fraud, Waste, and Abuse
  • More proactive approach to addressing risk
  • Desire for improved risk management information across the organization

SLIDE 11
  • Includes the Enterprise Risk Management Group (ERMG) and ERM Committee
  • The ERMG was formally established in May 2006 and is headed by FSA’s Chief Risk Officer (CRO)
  • The CRO reports to the General Manager of Enterprise Performance Management Services (EPMS) with a ‘dotted line’ to FSA’s Chief Operating Officer
  • FSA’s ERM Committee is comprised of five executives: Chief Financial Officer, Chief Information Officer, Chief Business Operations Officer, Chief of Staff to the COO, and the CRO

SLIDE 12

[Organization chart: Chief Operating Officer; Enterprise Performance Management Services; Chief Risk Officer, Enterprise Risk Management Group; Risk Analysis & Reporting Division (Risk Analysis, Data Analysis); Internal Review Division (Internal Review, Audit Liaison)]

SLIDE 13

The Enterprise Risk Management Group (ERMG):

  • Provides risk management oversight & guidance to Federal Student Aid
  • Is responsible for driving enterprise risk strategy and implementing FSA’s ERM Program
  • Performs internal reviews and risk assessments
  • Is organized into two main areas: Risk Analysis & Reporting Division and Internal Review Division

SLIDE 14

Vision

“To create the premier Enterprise Risk Management Program in the Federal government. One that provides for an integrated view of risk across the entire Federal Student Aid organization; aligns strategic risks with the organization’s goals and objectives; ensures that risk issues are integrated into strategic decision making process; and manages risk to further the achievement of performance goals.”

SLIDE 15

Mission

“To enhance the ability of Federal Student Aid to identify, assess and manage risk across the enterprise”

SLIDE 16
  • Strategy involves “Top Down” and “Bottom Up” approaches
  • ERM Program is a multi-phased effort
  • Implementing a COSO-based ERM framework
  • Current Timeline & Project Plan
  • Contractor assistance

SLIDE 17

  • “Top Down” Approach = High Level Risk Assessment (Targeted effort to identify & assess high-level, or strategic, risks at Federal Student Aid)
  • “Bottom Up” Approach = Detailed Risk Assessment Activities (Comprehensive effort to identify & assess risks across the organization’s 28 business units)

SLIDE 18

PHASE I

  • Creation of ERM Organization
  • Development of Strategic Plan for ERM Program
  • Adoption of Common Risk Language and Categories
  • High-Level Risk Assessment

PHASE II

  • Adoption of COSO-Based ERM Framework
  • Development of Risk Assessment Methodology
  • Implementation of Risk Technology Solutions
  • Conduct of Initial COSO-Based Risk Activities

SLIDE 19

PHASE III

  • Completion of Initial COSO Framework activities
  • Use of Risk Tracking System to develop ERM reports for executive management
  • Development of Key Risk Indicators (KRIs), trending reports and other means of risk monitoring
  • Methodology, planning and completion of remaining framework activities: Risk Response, Control, Information, Communication, and Monitoring

SLIDE 20

[Figure: The COSO ERM Cube (COSO ERM – Integrated Framework)]

SLIDE 21
  • FSA’s ERM Framework is based on the ERM framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in September 2004
  • The COSO ERM – Integrated Framework consists of eight interrelated components and four objective categories applied across an entity’s units
  • The COSO Framework was developed with a focus on stockholder-owned, for-profit institutions
  • FSA is conducting activities based on the COSO framework, but utilizing additional practices, measures and approaches to maximize value in a government PBO setting
  • FSA’s ERM Framework also includes consideration of concepts and/or guidance from other Risk Management Frameworks (e.g., ISO 31000 and AS/NZS 4360)

SLIDE 22
  • Creation and staffing of ERMG Organization
  • Development of ERM Strategy and Program
  • Adoption of COSO-Based ERM Framework
  • Development of risk tools & resources (e.g., common risk vocabulary, categories and definitions)
  • Development & implementation of Risk Tracking System (RTS)
  • Conduct of High-Level (Strategic) Risk Assessments

SLIDE 23
  • Risk Activities complete in over half of FSA’s business units
  • Over 600 business unit risks inventoried and assessed
  • Associated risk information entered into Risk Tracking System
  • Development of Enterprise and Strategic Level Risk Reporting

SLIDE 24

[Figure: FSA (Source: U.S. Postal Office)]

SLIDE 25
  • Documentation of Business Unit objectives
  • Facilitated Risk Discussions
  • Risk identification and categorization
  • Cross-walk risks with A-123 and project risks
  • Risk Ratings (Significance & Likelihood) and Aggregate Risk Scoring

  • Heat Map
  • Summary Report

SLIDE 26

Risk Identification, Categorization & Scoring

SLIDE 27

Heat Map

[Figure: heat map plotting numbered risks by Likelihood (1-5) against Significance (1-5)]

Aggregate Risk Scores:

  • Critical (>10)
  • High (9 - 10)
  • Medium (7.0 - 8.5)
  • Moderate (5 - 6.5)
  • Low (1 - 4.5)

SLIDE 28
  • ERM fully integrated into strategic planning and decision-making process
  • All major risk types for FSA incorporated into ERM Program (i.e., business unit, project, program, and portfolio risks)
  • Advanced risk monitoring, modeling, and trending capabilities
  • Executive-level and comprehensive risk management organization
  • Key risk functions fall under ERM umbrella

SLIDE 29
  • Implementing ERM is a cultural change that takes time, resources and executive level support
  • Assign ERM responsibility to a dedicated risk executive with direct access to the highest levels in your organization
  • Institutional/organizational knowledge can be invaluable
  • A separate risk organization with adequate risk resources will significantly increase chances for successfully implementing ERM

SLIDE 30
  • Most ERM efforts, even mature ones, are works-in-process
  • Some flexibility is key to successfully implementing your ERM Program
  • ERM is a dynamic process that continues to evolve
  • The real value of ERM is realized when it becomes a regular part of everyday business

SLIDE 31

Thank You – We appreciate your feedback and comments.

Cynthia Vitters cynthia.vitters@ed.gov (202) 377-4264

U.S. Department of Education Federal Student Aid Enterprise Risk Management Group