By Tiffany Goddard, Sales Director, Carahsoft


The goal of the U.S. government’s Enterprise Risk Management (ERM) protocols is not to completely eliminate risk, but rather to increase risk awareness and prepare for the worst-case scenario. The U.S. Department of Defense defined ERM in its Defense Risk, Issue and Opportunity Management Guide. This guide aims to help organizations make decisions about the best solutions for a technology acquisition while identifying, analyzing and attempting to handle the consequences of known risks, issues and opportunities. The key areas addressed in the guide are:


  • Risks – Future events or conditions that may have a negative effect on achieving program objectives for cost, schedule and performance.
  • Issues – Events or conditions that have already occurred, are occurring or are certain to occur in the future and have a potentially negative impact on the program.
  • Opportunities – A proactive methodology that seeks to not only minimize the negative effects of dealing with chance, but also look at the positive outcome of obtaining the means and methods to deal with that risk.


To comply with the principles of ERM and the specifics in the DoD guide, organizations are being asked to consider these five basic steps:


  • Planning – What is the program’s risk management process?
  • Identification – What can go wrong?
  • Analysis – What are the likelihood and probable consequences of that risk?
  • Handling – Should the risk be accepted, avoided, transferred or mitigated?
  • Monitoring – How has the risk changed?


Doing this kind of analysis and risk prediction for every program within the U.S. government is not only a best practice but is also now mandated by the Office of Management and Budget under a new circular called OMB A-123. Compliance entails a mix of governance, processes and tools that can cost agencies a lot of time and money.


These compliance goals are a huge cultural and technological shift for many U.S. organizations. So how are agencies approaching OMB A-123, Risk, Issue and Opportunity (RIO) management and other risk management protocols? The U.S. Air Force Materiel Command is a great example of meeting these goals.


U.S. Air Force Materiel Command and Risk Management
The U.S. Air Force Materiel Command (AFMC) is responsible for 50% of the Air Force’s budget. In this role, risk management is critical to ensuring stewardship of U.S. taxpayer dollars as well as the success of mission-critical programs. AFMC needs to know the risk profile of each Air Force program. The goal of implementing ERM in AFMC is to encourage a more comprehensive risk-management process and communicate risk at all levels. This allows for the delivery of consistent processes across the entire Air Force.


Through consistent risk-management procedures, AFMC helps the Air Force reduce costs, increase transparency for senior management, and gain a more solid understanding of the risks, not just for today’s missions, but also for those of the next generation. With a holistic effort that defines processes and employs tools to automate risk profiles and reporting, AFMC is able to effectively meet these goals. This translates into clearer risk-based decision-making, especially when it comes to funding.


The Future of ERM in Government Acquisitions
While the tenets of ERM in the U.S. government have been around for over a decade, the major revision to OMB A-123 last year underlines the importance of the relationship between Internal Controls and Enterprise Risk Management (ERM). With new deadlines for risk assessment to be integrated within an organization’s framework, as well as for risk profiles to be submitted to OMB by June 2, 2017, agencies have a huge workload ahead of them.


Meeting these deadlines is a huge undertaking for any agency that does not already have a robust Enterprise Risk Management capability, and many of those that do will need to formalize their existing processes in order to comply. This level of risk-management maturity cannot be achieved with spreadsheets and stand-alone risk registers.


That’s why Sword Active Risk has partnered with Carahsoft, a government IT solutions provider that works with manufacturers, value-added resellers, system integrators and consulting partners to deliver hardware, software and support solutions to U.S. federal, state and local government agencies. As part of our partnership agreement, we’ve added Active Risk Manager (ARM) to Carahsoft’s General Services Administration Schedule and SEWP V contracts. ARM will help U.S. government agencies comply with necessary protocols, like OMB A-123, and manage risk across departmental and enterprise projects and programs.


To learn more about how Sword Active Risk, together with Carahsoft, is helping agencies meet new risk guidelines, check out our recent joint webinar. To learn more about how Sword Active Risk worked with AFMC to meet its risk management goals, download the case study.


A version of this post was originally published on the Carahsoft Community.
