Risk Management Council Charter
Introduction
To assist the US Office of Personnel Management (OPM) senior leaders in meeting the requirements of Office of Management and Budget (OMB) Circulars A-123 and A-11, a Risk Management Council (RMC) will focus on risk management throughout the agency at an enterprise-level, an organization level, and a program-level. The RMC will be responsible for implementing, directing, and overseeing the implementation of OMB Circular A-123 and all the provisions of a robust process of risk management and internal control.
Background
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management (ERM) and Internal Control, “emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency.” It states that, “ERM as a discipline deals with identifying, assessing, and managing risks. Through adequate risk management, agencies can concentrate efforts towards key points of failure and reduce or eliminate the potential for disruptive events. Internal control is a processes [sic] effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.”
In setting the policy for the Federal Government, the Circular states:
“Federal leaders and managers are responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unexpected or unanticipated events. They are responsible for implementing management practices that identify, assess, respond, and report on risks. Risk management practices must be forward-looking and designed to help leaders make better decisions, alleviate threats and to identify previously unknown opportunities to improve the efficiency and effectiveness of government operations. Management is also responsible for establishing and maintaining internal controls to achieve specific internal control objectives related to operations, reporting, and compliance. Management must consistently apply these internal control standards to meet the internal control principles and related components outlined in this circular and to assess and report on internal control effectiveness at least annually. Risk management practices must be taken into account when designing internal controls and assessing their effectiveness.”
Annually, management must provide assurance on internal control effectiveness in its Agency Financial Report (AFR) or Performance and Accountability Report (PAR), along with a report on identified material weaknesses and corrective actions.
The Circular also states that management is responsible for “the establishment of a governance structure to effectively implement, direct, and oversee implementation of the Circular and all the provisions of a robust process of risk management and internal control.”
According to A-11 guidance, ERM is:
“…an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically-aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize and manage risks to mission delivery. While agencies cannot mitigate all risks related to achieving strategic objectives and performance goals, they should identify, measure, and assess challenges related to mission delivery, to the extent possible.”
Purpose
The purpose of the OPM’s RMC is to develop, implement, and lead an enterprise-wide risk management program, including the strategies, policies, procedures, and systems established by management to identify, assess, measure, and manage the major risks facing the agency. The Council will also have responsibility for ensuring the establishment and maintenance of an effective system of internal control.
The RMC shall assist the RMC Chairperson by: 1) providing input and oversight for all risk management-related activities with regard to the overall mission and strategic goals and objectives; 2) enhancing understanding of the overall risk in accomplishing the agency’s strategic goals and objectives; and 3) reviewing the agency’s risk assessment methodologies to obtain reasonable assurance of the completeness and accuracy of mitigation strategies and their effectiveness in reducing the risk.
Responsibilities
The RMC shall have the following authority and responsibilities:
- Oversee the development, maintenance, and periodic update of an enterprise risk management program for governing, framing, assessing, valuing, mitigating, monitoring, and responding to enterprise risk;
- Champion a risk management culture and support the enhancement of risk management practices throughout the agency;
- Integrate risk reporting and management strategies into existing performance management structures, including Performance Dashboards, regular Results OPM meetings, and regular meetings of the Senior Executive Team (i.e., Senior Management Huddles);
- Establish requirements for reporting risks;
- Provide oversight of fraud risk management activities;
- View risks from an enterprise and program level and share all types and sources of risk related information among key stakeholders;
- Review significant issues raised by internal and external reports, audits, and reviews;
- Drive effective application of general Federal Managers’ Financial Integrity Act (FMFIA) and OMB Circular A-123 requirements at OPM;
- Recommend approval of the OPM Director’s annual FMFIA assurance statement;
- Provide oversight and accountability regarding OPM’s internal controls;
- Approve the overall results of internal control assessments, including any material weaknesses and/or significant deficiencies;
- Assist management in implementing an internal control framework and fostering an organizational environment to support an on-going awareness of internal controls; and
- Advocate for an appropriate level of funding and resources to support ERM and internal control functions.
Membership
The RMC shall be chaired initially by Noah Peters, Senior Advisor to the Director, and will include the following members:
- Director, Office of Personnel Management
- Chief Financial Officer
- Chief Human Capital Officer
- Chief Information Officer
- Chief Information Security Officer
- Enterprise Risk Manager
- Senior Agency Official for Privacy
- General Counsel
The Enterprise Risk Manager will serve as Executive Secretary to the RMC. The RMC Chairperson, with the assistance of the Executive Secretary, will be responsible for:
- Establishing Board meeting frequency and schedules;
- Planning the meetings, including determining the focus of each meeting, preparing the agenda and determining the subject matter experts that will be needed;
- Chairing the meetings;
- Maintaining the agency’s Risk Profile; and
- Maintaining minutes of the meetings, recording decisions, and tracking action items.
Operating Procedures
The following guidelines apply to RMC actions:
- The RMC will generally meet on a monthly basis, but no less than quarterly.
- As needed, the RMC may establish subcommittees or other task teams to assist in carrying out its responsibilities.
- The RMC will address a broad range of risk management related issues, activities, and initiatives.
- Decisions required of the Council will be subjected to a vote of the members present. A quorum of the membership is required in order for the Council to conduct a vote. A quorum represents more than one-half of the Council members.
- A simple majority of the members present is required for acceptance or rejection of issues brought before the Council that require a vote. Members may designate a representative or assign a proxy for voting.
- The Council reserves the right to hold private meetings and executive sessions, as necessary.
The RMC’s responsibilities under this charter shall complement (not preempt, reduce, or otherwise alter) the responsibilities of the agency’s Office of the Inspector General, or any other agency governance committee, with the exception of those specifically related to managing risks, nor shall they be construed to relieve agency leaders of their primary responsibilities.