
OMB revamping A-123, removing many enterprise risk concepts – Federal News Network


The Office of Management and Budget is de-emphasizing enterprise risk management at a time when experts say this type of holistic approach is needed the most.

As part of its effort to rewrite Circular A-123, a draft copy of the document, obtained by Federal News Network, shows OMB has removed any mention of enterprise risk management, including section two of the current circular that specifically calls for establishing an ERM program and identifying current and residual risks and how to mitigate those potential or real challenges.

The draft Circular A-123 instead combines certain concepts of ERM back into the sections focused on internal controls and maintains some aspects of this enterprise approach, like the requirement for agencies to name a chief risk officer.

“What we have seen in nearly 10 years of ERM being a part of A-123 is agencies have been able to expand the conversation around risk management, especially around the C-suite table. They are able to talk about the risks that are pertinent to specific organizations that otherwise wouldn’t have been exchanged in these environments,” said Karen Hardy, the president of the Association for Federal Enterprise Risk Management (AFERM). “The mention and acknowledgement of certain aspects of risk management is important. If not, it’s not top of mind and becomes a second thought.”

Hardy and other experts say it’s more important than ever for agencies to manage risk from all perspectives, including operational, cyber, reputational, financial and strategic, and to embed that practice across the entire agency.

“ERM provides a way to look across the entire organization and look at different risks that often only get viewed in siloes. If you can look at them holistically and how they would impact the agency, agencies can address the most critical risks to their missions and put in place a method to treat those risks,” said one government official involved in ERM. “By putting risk back into internal controls, it’s an entirely different approach. You look at processes and operations, and you are making sure things are working properly. You are addressing those specific risks, but you are not getting a view from the top.”

Last update was in 2016

The official said OMB’s draft A-123 update pushes ERM backwards, making it something done in conjunction with internal controls, which agencies usually worry about only after they’ve figured out their risks.

“It misses the whole point of using ERM as a means by which agency leadership can understand the most critical risks to their agency. They also can drive better decisions by understanding the bigger picture, and ideally get ahead of something that turns into the crisis,” the official said.

An email to OMB seeking comment on its plans to update A-123 wasn’t returned.

OMB updated A-123 in 2016 to include enterprise risk management concepts. That update outlined a flexible framework for how each agency, bureau and component can manage risk, and told agencies to focus more on ERM and less on internal controls, because internal controls are more prescriptive, while ERM lets managers decide which areas to focus on and address broad-based real or potential risks.

OMB had started another update to A-123 in 2024 to focus on improper payments. But it didn’t complete it before the end of the Biden administration.

Since OMB updated A-123, the use of enterprise risk management has grown significantly across government and has become a standard across the private sector.

The 2024 survey from AFERM and Guidehouse shows that 85% of all respondents, who came from 48 federal organizations, including 15 cabinet agencies, had a formal ERM program, slightly up from 2023. Of those with formal programs, 63% have had a program for at least five years.

“Larger agencies responding they have a formal ERM program are up slightly (86%) from 2023 (83%) but are still below the historical high in 2022 of 92%,” the survey stated.

Source: 2024 survey of federal enterprise risk management by AFERM and Guidehouse.


It’s not just in the public sector where ERM has grown. Experts say this is a leading industry practice, too.

An October 2024 report by the American Institute of CPAs (AICPA) & Chartered Institute of Management Accountants (CIMA) and North Carolina State University’s Enterprise Risk Management (ERM) Initiative found that 47% of respondent organizations globally had appointed a single individual, such as a chief risk officer or equivalent, to lead the risk management function. The survey also found that 47% of organizations describe their ERM process as “mostly” to “extensively” systematic, robust and repeatable, with regular reporting of top risk exposures to the board.

Folding ERM into internal controls

OMB is not getting rid of all aspects of ERM.

The draft circular does continue to call on agencies to appoint a chief risk officer, develop a risk management council and create risk profiles that aggregate different opportunities and threats.

Tom Stanton, a fellow with the National Academy of Public Administration (NAPA) and a former president of AFERM, said getting rid of the word enterprise changes the underlying dynamics of the effort.

“If you just put risk management under internal controls, it’s a top-down effort. But that’s the opposite almost in terms of information flow about risk. ERM information has got to come from the bottom up,” he said. “ERM improves the quality of information to decision makers who need it, particularly now when so many agencies are in turmoil with layoffs and reductions in force. You need to use ERM as a way for information to flow across the agency so people at the top don’t have really bad things happen when they are not expecting it.”

The experts pointed to recent developments at the Federal Aviation Administration and the Social Security Administration where ERM would’ve benefited them.

The government official said ERM could’ve helped the FAA better handle the rash of outages and SSA better understand recent decisions to change the authentication processes.

“Not using ERM is a missed opportunity and not understanding risk when the government is facing more risk than it has in a long time is a problem. It’s not the time not to decrease risk management. Now is the time to shine a brighter light on government risk and what they can do about it,” the official said. “In the times we are in, it’s a bad message to send that ERM isn’t important and to reframe it as part of internal control reviews. They are not elevating it to the level it should be, especially when you look at other sectors, they are doing more to elevate the need for ERM and not de-emphasize it. This is an adopted business process that is being done for a reason.”

Draft focuses on FMFIA, GPRAM

OMB’s decision to change A-123 and remove ERM may be tied to the administration’s goal of doing only what statute requires.

OMB wrote in the introduction to the revised draft circular that it’s authorized by the Federal Managers’ Financial Integrity Act of 1982 and the Government Performance and Results Act (GPRA) Modernization Act of 2010. Neither law specifically calls out the requirement for agencies to use ERM.

At the same time, the experts say OMB seemed to want to rush the rewrite through the process. It initially gave agencies only a week to comment on the draft and then extended that by another week.

Additionally, the White House didn’t share the draft A-123 far and wide, particularly with agency CROs and others who work in enterprise risk management.

AFERM’s Hardy said while she supports relooking at A-123 to streamline it and make it easier to implement, not keeping specific references to ERM in the document could be problematic.

“If it’s not there, it may not be top of mind, which is why it’s important to include that vocabulary in the guidance so that people can learn from it, practice it because it may not be something that they normally think about. Risk is normally managed in siloes, but having enterprise in there connotates you have to manage it across the enterprise,” Hardy said. “External partners and industries are all practicing it and as we partner with them, they already have an advantage of understanding the positive effect ERM is having on their industry. The government will be at disadvantage if we are not as astute in this practice as they are, and it’s something that is positive and can help with efficiency and effectiveness of the government.”
