On July 15th, 2016, the Office of Management and Budget, an Executive Office for the President, released a major revision to OMB A-123. Now entitled ‘Management’s Responsibility for Enterprise Risk Management and Internal Control’, the new version underlines the importance of the relationship between Internal Controls and Enterprise Risk Management (ERM). This is the next step following the introduction of ‘risk based thinking’ in ISO 9001:2015.


To our minds, this is a natural progression as organizations worldwide look to improve performance by operating at higher levels of risk maturity, integrating ERM, Internal Controls, and Governance in a closed-loop process.


Enterprise Risk Management


In OMB A-123, the administration emphasizes the importance of having appropriate risk management processes and systems in place to identify challenges early, to bring them to the attention of agency leadership and to develop solutions.


It also states that implementation of this policy will engage all agency management, going beyond the traditional ownership of OMB A-123 by the Chief Financial Officer community.


Enterprise Risk Management capabilities are required to be coordinated with strategic planning and strategic review processes established by the Government Performance and Results Act Modernization Act (GPRAMA), the Federal Managers’ Financial Integrity Act (FMFIA) and the Government Accountability Office’s Green Book. The idea is that this integrated governance structure will improve mission delivery, reduce costs and focus corrective actions on key risks.


This is a huge undertaking for any Federal agency that does not already have an Enterprise Risk Management capability, and many of those that do will need to formalize their existing processes in order to comply. This level of risk management maturity cannot be achieved with spreadsheets and stand-alone risk registers.



  • During FY16: Agencies are encouraged to develop an approach to implementing Enterprise Risk Management, including a Risk Structure and an understanding of their risk appetite and tolerance
  • During FY17: Agencies must continuously build risk identification capabilities into the framework to identify new or emerging risks, and/or changes in existing risks. An Agency’s risk profiles should be made available to the OMB by June 2nd 2017 for discussion



To read the report in full, register for your copy here: http://resources.activerisk.com/grc20-20-review-of-active-risk-manager
