Ask the Experts

SACoP Presentation: Enterprise Risk Management (ERM) and Cybersecurity

Risk management is a coordinated activity to communicate, direct and control challenges to agency goals and objectives. ERM risk profiles should capture A-123 risk and control objective assessments, including risks related to cybersecurity. This presentation, developed by executives with the National Science Foundation (NSF), was given at AFERM’s March 2018 Small Agency Community of Practice (SACoP) meeting. It covers FISMA and financial statement audit evaluations, IG management challenges, and cybersecurity risk management.


OCC Appetite Risk Assessment

The Office of the Comptroller of the Currency (OCC) is an independent agency entrusted with unique powers and authorities to administer the federal banking system. The OCC established its Enterprise Risk Management (ERM) function in 2015 to identify and assess OCC’s mission-critical risks and support the agency in managing those risks. By establishing a systematic approach to identifying, assessing, and managing risk, the OCC intends to continually improve the agency’s governance, increase accountability, and enhance overall performance.

The Office of Enterprise Risk Management, led by the Chief Risk Officer, reports directly to the Comptroller of the Currency and administers the agency’s ERM framework. As part of the framework, the Risk Appetite Statement articulates the level and type of risk the agency will accept while conducting its mission. This statement is the result of a careful evaluation of how risks affect the agency’s ability to achieve its strategic goals.

The Risk Appetite Statement establishes risk tolerance in nine categories


2016: PBGC OIG ERM Framework

This memorandum is to document the establishment and implementation of an Enterprise Risk Management program at the PBGC Office of Inspector General. By adopting a portfolio view of risks, ERM will enable the OIG office to:

  • lead by example,
  • provide for more effective risk management and internal control in accordance with OMB Circular A‐123,
  • align management activities with the CIGIE Quality Standards for Federal Offices of Inspector General (also known as the “Silver Book”),
  • concentrate efforts towards key points of failure and reduce or eliminate the potential for disruptive events,
  • allow for risk‐based planning, and
  • protect the PBGC OIG brand (“independent, positive engagement”) and identify opportunities to create value.

The framework for this program is based on (the soon‐to‐be issued) OMB Circular A‐123, The Orange Book, Management of Risk – Principles and Concepts (October 2004, HM Treasury), and the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management Framework. This memorandum describes responsibilities and governance structure, the foundation of this program, the components of this program, the external and internal environment to provide necessary context for assessment of OIG risks, the methodology for developing our risk appetite, and the methodology for developing our risk profile.


Enterprise Risk Management at PBGC – September 10, 2015

Consistent with the Office of Inspector General’s responsibility to provide leadership to promote efficiency and effectiveness, this white paper is intended to provide the Board of Directors and Pension Benefit Guaranty Corporation senior leadership with insight on Enterprise Risk Management as PBGC moves forward with implementation of its statutory, and soon-to-be Office of Management and Budget, mandate regarding ERM.