ERM Policy
Purpose
This document sets forth the U.S. Office of Personnel Management’s (OPM) Enterprise Risk Management (ERM) policy. ERM is an agency-wide approach to addressing the full spectrum of significant risks that the agency faces that considers both threats and opportunities as an interrelated portfolio. ERM can help to properly identify and manage risks to performance related to achieving strategic objectives, and improve agency capacity to prioritize efforts, optimize resources, and assess changes in the environment. This ERM policy establishes a framework for risk management across the agency that is integrated into OPM’s culture and operations.
Scope
This policy applies to all OPM activities. It forms part of OPM’s governance framework and applies to all employees and contractors.
Authorities
This policy is issued under the authority of the Federal Managers' Financial Integrity Act (FMFIA) of 1982, as codified in 31 USC 3512, and the Government Performance and Results Act Modernization Act (GPRAMA) (Public Law 111-352). It is also issued pursuant to Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, which modernizes existing efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review process established by GPRAMA, and the internal control processes required by FMFIA and the Government Accountability Office (GAO)'s Green Book.
Additional References and Resources
- GAO-14-704G, Standards for Internal Control in the Federal Government, September 10, 2014.
- GAO-15-593SP, A Framework for Managing Fraud Risks in Federal Programs, July 28, 2015.
- NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), October 2020.
- OMB Circular A-11, Section 260 – Data-Driven Performance and Strategic Reviews, July 25, 2024.
- OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, July 15, 2016.
- OPM Cybersecurity and Privacy Policy, April 2024.
- OPM Financial Management Manual, Chapter 24 – Fraud Risk Policy, August 2024.
- Playbook: Enterprise Risk Management for the U.S. Federal Government, November 28, 2022.
Policy
- OPM shall establish an ERM Framework that is integrated into OPM’s culture and operations, including but not limited to strategic planning and reviews, internal controls, cybersecurity, privacy, antifraud, business continuity, budgeting, and program and project management.
- OPM shall conduct its decision making and operations in accordance with its Risk Appetite Statement. OPM’s Risk Appetite Statement provides broad-based guidance on the level and type of risk that the agency is willing to accept to achieve the agency’s mission and objectives. The Risk Appetite Statement shall be reviewed and updated on a regular basis.
- The Risk Management Council (RMC) provides governance of the ERM Program and drives implementation of this policy. This includes review and approval of enterprise risks and risk responses and ensuring that the ERM Framework is established and maintained.
- Risks that meet one or more of the following criteria shall be reported to the RMC for consideration as to whether the risk should be monitored in an Enterprise Risk Register. This includes risks that could impact:
  - achieving a strategic goal or objective;
  - operations of core or multiple significant programs or mission support functions; and/or
  - achieving OPM’s overall mission.
- OPM shall maintain an Enterprise Risk Profile that lists the most significant risks that the agency faces. The Enterprise Risk Profile shall be reviewed by the RMC at least annually in coordination with the strategic review process.
- Each program and mission support office shall participate in routine risk assessment activities as needed and as part of the annual Enterprise Risk Profile update process.
- OPM has also established a standalone Fraud Risk Policy and a Cybersecurity and Privacy Policy, both of which are aligned with this policy.
Roles and Responsibilities
OPM Director | Sets a tone at the top for the rest of the organization and drives the culture of risk management.
Chief Risk Officer | Chair of the RMC; has the primary responsibility for OPM’s ERM program, including the policies, standards and procedures, organizational arrangements, and reporting requirements.
Chief Financial Officer | Has primary program responsibility for the design, implementation, and leadership of fraud risk management strategies and activities, including the development and execution of the agency’s fraud risk assessment process.
Chief Information Officer | Has primary program responsibility for OPM’s cybersecurity risk management program. While OPM’s cybersecurity risk management policy and strategy are part of OPM’s overall ERM program, individual cybersecurity risks should be managed in accordance with the cybersecurity risk management strategy.
Chief Privacy Officer | As the Senior Agency Official for Privacy, has responsibility and accountability for ensuring compliance with applicable privacy requirements and managing privacy risks at OPM.
Enterprise Risk Manager | Provides direct support to the CRO in coordinating the development of the agency’s overall risk management framework and maintaining the agency’s Risk Profile.
Associate Directors and Office Heads | Establish effective risk management within their business units, ensure staff comply with the enterprise risk management policy, and foster a risk-aware culture where risks can be identified and escalated.
Managers | Ensure staff comply with the enterprise risk management policy and foster a culture where risks can be identified and escalated. Work with the ERM function to provide regular updates on emerging risks to the agency.
Risk Management Council | Provides governance to the ERM program and implementation of this policy. This includes review and approval of key risks and risk responses, the agency’s Risk Profile and Risk Appetite Statement, and ensuring that an appropriate risk management framework is established and maintained.
Definitions
Enterprise Risk Management | An effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by considering the combined array of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically aligned portfolio view of organizational challenges that provides improved insight about how to more effectively prioritize and manage risks to mission delivery.
Risk | The effect of uncertainty on the achievement of objectives. An effect is a deviation from the desired outcome, which may present positive or negative results.
Risk Appetite | The articulation of the amount of risk (on a broad/macro level) an organization is willing to accept in pursuit of strategic objectives and value to the enterprise.
Risk Assessment | The identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Risk assessment involves evaluating the significance and likelihood of a risk, as well as any controls or other measures to manage risk.
Risk Management | A coordinated activity to direct and control challenges or threats to achieving an organization’s goals and objectives.
Risk Profile | A prioritized inventory of an organization’s most significant risks.
Risk Register | A full inventory of all identified risks for a project, program, support function, or enterprise. It contains pertinent information including a description of the risk, an assessment of the rating of the risk in terms that include impact and likelihood, the risk owner who is responsible for reporting on the status of the risk, and planned risk responses.
Risk Response | Management's strategy for managing (or responding to) a given risk. Risk response strategies include accept, reduce, avoid, pursue, or share (or transfer).