
Cataloging Information

Topic(s):
Risk
Strategic Risk

NRFSN number: 18860

We performed our work for this report under the authority of the Comptroller General to conduct evaluations to assist Congress with its oversight responsibilities. Our objectives were to (1) update our risk management framework to more fully include evolving requirements and essential elements for federal ERM, and (2) identify good practices that selected agencies were taking that illustrate those essential elements. We also considered views of subject matter specialists with current experience in ERM. See appendix I for the list of subject matter specialists who advised us in our review of the practices.

To adapt our 2005 risk management framework to focus on ERM, we identified essential elements needed to execute ERM and assist agencies as they implement and sustain their ERM programs that are generally consistent with other commonly used ERM frameworks, such as the ISO 31000 Risk Management Principles and Guidelines and the 2004 COSO Enterprise Risk Management - Integrated Framework. When we shared these essential elements with subject matter specialists, they confirmed that they represent the critical elements of the ERM process.

To identify good practices in using ERM, we analyzed and synthesized ERM literature using ProQuest, First Search, and Scopus bibliographic databases in public and business sources. We validated these good practices with subject matter specialists with knowledge specific to the use of ERM in government settings, and, based on their suggestions, we refined the practices. We then considered the essential elements of ERM relative to our identified good practices and determined how these practices generally fit with the essential elements as a way to assist agencies as they implemented ERM.

To identify what agencies were doing consistent with our essential elements and how their good practices were used in implementing ERM, we used a semi-structured interview protocol and spoke with officials representing 21 of the 24 executive branch agencies covered in the Chief Financial Officers (CFO) Act of 1990, as amended. Three agencies (the Departments of Agriculture and the Interior and the Social Security Administration) did not participate in interviews but provided us with written responses to our questions. We asked each of the 24 agencies whether or not the agency had ERM in place and their perspectives on ERM.

To identify case illustrations of the good practices, we reviewed information from agency interviews and documentation they provided about their ERM practices. From the ERM practices of 24 CFO Act agencies and their component agencies, we selected examples that best illustrated our essential elements and good practices. In conducting the case illustrations, we interviewed agency officials and reviewed agency documentation about their use of ERM. We selected examples from nine agencies including the Department of Commerce (Commerce) and its component bureaus the National Institute of Standards and Technology (NIST) and the National Oceanic and Atmospheric Administration (NOAA), DHS’s Transportation Security Administration (TSA), PIH, the Office of Personnel Management (OPM), Treasury and the IRS, and FSA.

Citation

United States Government Accountability Office. 2010. Enterprise risk management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk. Report to the Committee on Oversight and Government Reform, House of Representatives, 56 p.
