Federal Enterprise Risk Management – Where is the Value?

Enterprise Risk Management
for the Federal Government –
Where’s the Value?
Donna Davis
Defense Finance and Accounting Service
June 2010
Integrity - Service - Innovation
Agenda
 ERM - Where’s the Value?
 Putting the COSO Framework to Work in the Federal Sector
   Event Identification
   Risk Assessment
   Risk Response
   Control Activities
   Information and Communication
   Monitoring
 Some Pitfalls to be Wary of
 A Gallery of Tools and Techniques
4/13/2015
ERM in the Federal Government – Where’s the Value
Three Parts of Business
 Objective
 Risk
 Controls
(Diagram: Objective, Risk and Control)
ERM in the Federal Government – Where’s the Value
Three Parts of Business
 Objective – what you are trying to accomplish
Not For Profit
• To achieve a mission or objective while protecting assets.
• Achieve goals and objectives for resources expended.
• Focus on effectiveness.
For Profit
• To maximize shareholder wealth or, in the case of a corporation, to maximize the value of the firm as measured by stock price.
• Realize a benefit from resources expended.
• Focus on efficiency.
ERM in the Federal Government – Where’s the Value
Three Parts of Business
 Objective – what you are trying to accomplish
 Risk – the barrier that will stop you from accomplishing the objective
Not For Profit
• Avoid Risk, seeking the safest path to mission achievement.
• Measure Impact of Risk on Goals and Objectives.
For Profit
• Seek Risk as a means for expanding market value.
• Measure Value at Risk.
ERM in the Federal Government – Where’s the Value
Three Parts of Business
 Objective – what you are trying to accomplish
 Risk – the barrier that will stop you from accomplishing the objective
 Controls – the action that will remove or diminish the risk
Not For Profit
• Affect controls to assure compliance, accountability, effectiveness/efficiency, reliability of reported data and safeguarding assets.
For Profit
• Affect controls for the purpose of minimizing loss.
ERM in the Federal Government – Where’s the Value
 What Do We Want From the “Business” of Government?
   To be Affordable and Efficient
   To be Effective
   To provide Quality Service
   To be Dependable
ERM in the Federal Government – Where’s the Value
 What Do We Want From the Business of Government?
   To be Affordable and Efficient
   To be Effective
   To provide Quality Service
   To be Dependable
So –
We need to be able to achieve the established mission in order to retain the confidence of our funders.
We need to provide value for our services.
Bottom Line –
We need to meet our objectives and protect our assets, including intangible ones such as reputation.
ERM in the Federal Government – Where’s the Value
 What Value does ERM Provide?
   Supports Government’s Governance Responsibilities
   Improves Results
   Strengthens Accountability
   Enhances Stewardship
ERM in the Federal Government – Where’s the Value
 How does ERM support Government’s Governance Responsibilities?
By ensuring that significant risk areas associated with policies, plans, programs and operations are identified and assessed.
By ensuring that appropriate measures are in place to address unfavorable impacts and to benefit from opportunities.
ERM in the Federal Government – Where’s the Value
 How does ERM Improve Results?
Through more informed decision-making and by ensuring that values, competencies, tools, and a supportive environment form the foundation for innovation and responsible risk-taking.
By encouraging learning from experience while respecting parliamentary controls.
ERM in the Federal Government – Where’s the Value
 How does ERM Strengthen Accountability?
By demonstrating that levels of risk associated with policies, plans,
programs and operations are explicitly understood.
By facilitating the optimum balance in risk management measures and
stakeholder interests.
ERM in the Federal Government – Where’s the Value
 How does ERM Enhance Stewardship?
By strengthening public service capability to safeguard people, government property and interests through increased insight into the potential impact of abnormal events.
Putting the COSO Framework to Work in the Federal Sector
DFAS-ization of COSO
Putting the COSO Framework to Work in the Federal Sector
Internal Environment
• DFAS’ ERM Philosophy and Methodology
• Risk Taxonomy
• Risk Policies and Standards
Objective Setting
• DFAS Mission
• Strategic Objectives
• Operational Objectives
Event Identification
• Potential Events affecting Objective Achievement
• Positive/Negative Impact
• External/Internal Factors
Risk Assessment
• Likelihood and Impact
• Category of Impact
Risk Response
• Response Options: Accept, Avoid, Mitigate, Share, etc.
• Response Cost versus Benefit
Control Activities
• Policies and Procedures
• Control Activities: Approvals, Authorizations, Verifications, Reconciliations, Reviews, etc.
Information & Communication
• Timely ERM Communication Flow Up, Down and Across the Agency
• Integration of Risk Information Across the Agency (Audit Findings, SITREPS, Self-Identified Deficiencies)
• Internal and External
• Training
Monitoring
• Assessment of Presence and Functioning of ERM Components
• Regular Control Testing and Reviews
DFAS alignment to the Risk Components ensures a robust program and strengthens compliance with the GAO Standards for Internal Control.
Putting the COSO Framework to Work in the Federal Sector
Compliance
• With Federal Regulations and Laws
• With DFAS Regulations and Policies
• With Operational Policies and Procedures
Accountability (Strategic)
• For Achievement of Strategic Objectives and desired outcomes
• For Achievement of Operational Objectives and desired outcomes
• For use of public resources
Reliability (Reporting)
• Provide reliable, useful and timely information
• Accurate and timely recording of transactions and events
Effective and Efficient (Operations)
• Carry out public functions legally, effectively, efficiently, economically, ethically, and equitably
Safeguard Assets
• Access restrictions to and accountability for resources and records
• Segregation of duties
DFAS expanded the Risk Management Objectives to address data security concerns and general auditing standards.
Putting the COSO Framework to Work in the Federal Sector
Agency
• DFAS
Cycle
• Business
• Enabling
• Governance
Cycle (Business)
• Payroll Disbursements
• Other Disbursements
• Revenue & Receipts
• Assets & Liabilities
• Financial Reporting
Cycle (Enabling)
• Personnel
• Customer Relation Mngt
• Procurement
• Mgt of Processes & Programs
• Provide IT Support
• Strategic Planning & Execution
• Infrastructure
• Finance & Budget
Programs
• 63 Programs - Business Functions (Mil Pay, Accounts Payable, Budget, ERM, etc.)
Functions
• A group of related actions (Payroll Record Maintenance, Process Payroll, Certify Payroll, etc.)
Processes
• A series of tasks or operations conducing to an end (Input data, edit data, validate entry, save data, etc.)
Level 3 Maps
• Detailed steps for accomplishing a task
Stratification across business units and at every level of the organization was applied to enable accurate reflection of the interrelationships of risks and create a common taxonomy for business activities.
Putting the COSO Framework to Work in the Federal Sector
(Same Agency / Cycle / Programs / Functions / Processes / Level 3 Maps hierarchy as the previous slide, with a callout added:)
We are actually finding this layer adds little value as we evolve the program.
Some Pitfalls to be Wary of
 Trying to risk manage EVERYthing
 Just focusing on financial risks
 An obsession with internal controls – an inward looking limitation
A Gallery of Tools and Techniques
 Agency Mission and Functions Manual
 Provides the business objectives
 COSO Framework
 Identifies a comprehensive view of the elements of a robust ERM
 A Catchy Logo
 CARES – covers the five Risk Management Objectives DFAS assesses
   Compliant
   Accountable
   Reliable & Accurate
   Effective & Efficient
   Safeguarded
A Gallery of Tools and Techniques
 SIPOC Model
 Guides process mapping through a complete end to end review of the factors impacting the business activity
A Gallery of Tools and Techniques
 IDEF Model (Integration DEFinition Model)
 Denotes the role of compliance/regulations/controls in the business activity
 Denotes the role of the supporting mechanisms for the business activity
A Gallery of Tools and Techniques
 Risk Identification Questionnaire
 Facilitates comprehensive and consistent assessment of potential risks
1. Policies, procedures, plans, laws, and regulations are complied with;
   1. What laws are applicable to your group?
      A. What is the risk if laws are not followed?
   2. What regs are applicable to your group?
      B. What is the risk if regs are not followed?
   3. What procedures (SOPs) are applicable to your group?
      C. What is the risk if procedures are not followed?
   4. What management policies are applicable to your group?
      D. What is the risk if management policies are not followed?
2. Resources are used and procedures are performed in an economical and efficient manner; and
   Economically:
   1. Do you have a program budget?
   2. Are you responsible for acquiring products or services?
   3. Are you making decisions regarding best use of government (taxpayer) resources?
   What are your risks if these resources are not used in an economical manner? Fraud, Waste, Abuse, etc.?
   Efficiency:
   1. Guidelines (policies or regs) that dictate timeliness?
   2. Deliverables on budget, on time?
   What are the risks if these efficiency guidelines are not met?
Courtesy of Brian Williams
A Gallery of Tools and Techniques
 Process Map & Narrative
 For business processes
 For Information Systems data flow
(Example process map: Savings Bonds data flow across swimlanes for CSR, OPM MyPay, DFAS, DCPS and the Bond Issuing Agency; steps shown: Enter bond data online to DCPS; Transfer bond data to DCPS; Issue Bond Detail File; Receive Issue Bond Detail File; Review Bond Reports.)
End
Questions?