UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Evaluation and Inspection Services

May 5, 2009

Memorandum

TO: James Manning
Acting Chief Operating Officer
Federal Student Aid

FROM: Wanda A. Scott /s/
Assistant Inspector General
Evaluation, Inspection, and Management Services

SUBJECT: Final Management Information Report
Review of Federal Student Aid’s Enterprise Risk Management Program (ED-OIG/I13I0005)

This final management information report presents the results of our review of Federal Student Aid’s (FSA) Enterprise Risk Management Program and FSA’s response to those results.

BACKGROUND

In May 2006, FSA formally created the Enterprise Risk Management Group (ERMG). The ERMG is divided into two main areas: the Internal Review Division and the Risk Analysis and Reporting Division. The Internal Review Division is responsible for helping to ensure that an effective internal control framework is in place across the enterprise; however, it does not have any responsibilities related to the implementation of enterprise risk management. The Risk Analysis and Reporting Division is responsible for developing an enterprise risk management strategy and implementing an enterprise risk management program at FSA. The ERMG is headed by the Chief Risk Officer who reports to the General Manager of Enterprise Performance Management Services.

According to FSA’s Five-Year Plan for 2006-2010, the enterprise risk management function was intended to develop risk assessments and provide a more strategic view of future risks, and was designed to better equip senior management to anticipate, analyze, and manage risks inherent in the federal student financial assistance programs.

FSA’s enterprise risk management program is based on the Enterprise Risk Management – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Framework).
The COSO Framework defines enterprise risk management as a “process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The COSO Framework consists of eight interrelated components that are derived from the way management runs an enterprise and are integrated with the management process. The components are described as follows:

• Internal Environment – this component serves as the basis for enterprise risk management and is comprised of the entity’s risk management philosophy; its risk appetite;¹ the integrity, ethical values, and competence of the entity’s employees; and the environment in which those employees operate.
• Objective Setting – the entity ensures it has a process to set objectives and that the objectives support and are aligned with the entity’s mission. Objective Setting is a precondition to Event Identification, Risk Assessment, and Risk Response.
• Event Identification – the entity identifies internal and external events affecting the achievement of its objectives, and distinguishes between risks (negative impact) and opportunities (positive impact).
• Risk Assessment – the entity analyzes identified risks, considering likelihood and impact, to determine how they should be managed.²
• Risk Response – the entity identifies and evaluates possible responses to risk, and selects a set of actions to align risks with the entity’s risk tolerances³ and risk appetite.
• Control Activities – the entity establishes and executes policies and procedures to help ensure that the risk responses are effectively carried out.
• Information and Communication – the entity identifies, captures, and communicates relevant information throughout the entity in a clear form and timeframe that enables people to carry out their responsibilities.
• Monitoring – the entire entity monitors itself through ongoing management activities and/or separate evaluations.

¹ Risk appetite is defined as the amount of risk an entity is willing to accept in pursuit of its mission.
² Risks within the COSO Framework are discussed in terms of inherent risk and residual risk. Inherent risk is defined by the COSO Framework as the risk to an entity in the absence of any actions management might take to alter the risk’s likelihood or impact. The ERMG uses a similar term, aggregate risk, which it defines as the total amount of exposure associated with a specified risk that does not include the effect of risk strategies, controls or other measures designed to mitigate the effect of the specified risk. Residual risk is defined by the COSO Framework and the ERMG as the risk that remains after action has been taken to alter the risk’s likelihood or impact.
³ Risk tolerances are defined by the COSO Framework as the acceptable levels of variation relative to the achievement of objectives. In other words, it is the amount of variation that an entity is willing to accept in pursuit of its goals and objectives.

According to the ERMG, enterprise risk management at FSA is “a coordinated, culture-based approach to holistically addressing all of an organization’s risks – including operational, financial, strategic, compliance and reputational risks under one umbrella.” The ERMG is implementing its COSO Framework-based enterprise risk management program in three phases.
• Phase I involves establishing the ERMG and committee, developing a strategy and methodology for implementation, obtaining contractor services, and communicating enterprise risk management information to FSA’s executives.
• Phase II consists of formalizing the enterprise risk management strategy and project plan, adopting a risk framework, developing an enterprise risk management website, conducting a high-level risk assessment at FSA, developing a methodology for performing business unit risk assessments, developing a risk tracking system, and identifying, assessing, and inventorying risks for 25 percent of FSA’s business units. These activities focus on the Event Identification and Risk Assessment components of the COSO Framework.
• Phase III involves identifying, assessing, and inventorying risks for the remaining 75 percent of the business units, creating enterprise level reports for senior management, documenting FSA’s risk tolerances and appetites, and developing a methodology for fully implementing the remaining enterprise risk management components.

The ERMG’s project plan indicates that all phases will be complete by September 30, 2010.

REVIEW RESULTS

The objective of our inspection was to evaluate FSA’s implementation of enterprise risk management. The ERMG has not fully addressed any of the COSO Framework’s eight components. The COSO Framework states that determining whether an enterprise risk management program is “effective” is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. While it has developed plans and begun business unit activities related to three components (Objective Setting, Event Identification, and Risk Assessment), the plans for fully addressing the remaining five components at FSA (Internal Environment, Risk Response, Control Activities, Information and Communication, and Monitoring) have received limited attention.
As a result, FSA has not implemented enterprise risk management. This report will present information on FSA’s progress toward implementation as of December 2008.

The Chief Risk Officer began working at FSA in June 2004. FSA’s former Chief Operating Officer formally approved the ERMG in May 2006, nearly two years later. Prior to formal approval, the ERMG began conducting activities associated with Phase I of its program. After receiving formal approval, the ERMG officially started its enterprise risk management program and began strategic planning. The Chief Risk Officer and the Risk Analysis Team Leader informed us that FSA management also assigned them multiple high priority special projects, such as a regional workforce effectiveness study, conducted for approximately seven months, which limited the amount of time available to implement enterprise risk management.

The ERMG completed Phase I of its program on December 30, 2006, and has nearly completed all activities associated with Phase II. The ERMG began work in FSA’s business units in May 2007. As of December 2008, the ERMG has completed risk identification, aggregate risk assessment, and inventory activities for 3 of 26 business units. As part of these initial business unit activities the ERMG also aligned each business unit’s goals and objectives with FSA’s strategic objectives. These three business units are:

• Communications, Reporting, and Analysis;
• Facilities, Security, and Emergency Management Services; and
• Workforce Development Services.

The ERMG has nearly completed risk identification in two other business units:

• Conferences and Administration Services; and
• Human Resources and Workforce Services.

The ERMG has initiated work in three more business units:

• Strategic Planning;
• Financial Management; and
• Budget.

None of FSA’s business units directly responsible for administering the federal student aid programs have been examined or included in ERMG’s business unit activities to date.
The Chief Risk Officer anticipates that the ERMG will have risks documented in all 26 business units by the end of calendar year 2009, and has hired a contractor to help accomplish this task within this timeframe. In addition, as a training tool for new risk analysts, the ERMG is planning a review of the Enterprise Risk Management business unit.

After risk identification, aggregate risk assessment, and inventory activities have been completed for all business units, the ERMG plans to return to each business unit to identify the risk responses and assess the amount of residual risk given the control activities in place. According to the ERMG’s project plan, the end date for these activities is September 30, 2010. The ERMG does not have a formal methodology in place for identifying risk responses and assessing the amount of residual risk.

The business unit risk activities thus far have concentrated on Event Identification and Risk Assessment at the aggregate level. The ERMG has also given attention to the Objective Setting component at the FSA-wide level and as part of each business unit review. The Chief Risk Officer said that the Risk Assessment component is more straightforward than the Internal Environment and Objective Setting components of the COSO Framework. The ERMG has not focused on the Internal Environment component, including defining FSA’s risk appetite and risk philosophy, nor has it begun to conduct activities specifically related to the Risk Response, Control Activities, Information and Communication, and Monitoring components.

The ERMG’s limited attention to the Internal Environment component is noteworthy given the importance placed on it throughout the COSO Framework and in the ERMG’s own definition.
The COSO Framework states that the Internal Environment “sets the basis for how risk and control are viewed and addressed by an entity’s people.” The ERMG’s definition of the Internal Environment, based on the COSO Framework’s description of that component, states that the Internal Environment is “the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of risk management.” According to the ERMG’s definition, Internal Environment elements include an entity's risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entity's people; and the way management assigns authority and responsibility. The COSO Framework states that the “effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities.”

While both the COSO Framework and the ERMG, as expressed in its definition, agree that the Internal Environment serves as a basis for all other components of enterprise risk management, the ERMG’s work has not addressed the specific elements of the Internal Environment. The ERMG has not ensured that FSA has a defined risk management philosophy or risk appetite. Additionally, the ERMG has not given attention to existing information on FSA’s Internal Environment such as FSA-wide surveys indicating that there are perceptions on the part of FSA staff concerning a lack of integrity, ethical values and commitment to competence from FSA leadership or Office of Inspector General audits that have also found issues with FSA’s Internal Environment. The COSO Framework emphasizes that the negative impact of an ineffectual Internal Environment can be far-reaching.

FSA COMMENTS

On March 17, 2009, we provided FSA with a copy of our draft management information report for comment. We received FSA’s comments to the report on April 14, 2009.
FSA did not take issue with any of the factual information presented in the report, but did have comments on the way in which the information was presented. We have summarized FSA’s concerns and provided our responses below. FSA’s response, in its entirety, is attached.

FSA Comment

FSA stated that we did not elaborate on what is meant by the statement in the report that “ERMG has not fully addressed any of the COSO Framework’s eight components,” and that this implies that the ERMG’s efforts relating to the eight components of COSO are in some way deficient. FSA also stated that OIG’s assertion that FSA has “not implemented enterprise risk management” is somewhat misleading because it states the obvious and could undermine the ERMG’s efforts because many of the benefits associated with enterprise risk management can be and are realized prior to the “full implementation.”

OIG Response

The statement that the “ERMG has not fully addressed any of the COSO Framework’s eight components” is a conclusion based on a review of the ERMG’s activities thus far. The Review Results section of the report fully explains the status of each of the eight components. For example, on page 3 we explained that the ERMG has developed plans and begun activities related to three components and that the plans for fully addressing the remaining five components have received limited attention. On page 4 we noted that none of FSA’s business units directly responsible for administering the federal student aid programs have been examined or included in ERMG’s business unit activities to date.

The statement that FSA has “not implemented enterprise risk management” is also a conclusion in answer to our objective and is supported by all of the facts presented in our report. This conclusion is necessary for a full understanding of the current state of enterprise risk management at FSA.
To the extent that FSA management recognizes value in the efforts of the ERMG, the facts presented in our report should not undermine the work of the ERMG. We note that in its response, FSA did not provide any specific benefits that have been realized as a result of its enterprise risk management implementation efforts.

FSA Comment

FSA stated that while the business unit activities referred to in the report represent a significant part of FSA’s enterprise risk management program, the ERMG conducted other activities between May 2007 and December 2008. FSA provided a list of activities the ERMG had conducted during this time. FSA stated that OIG’s failure to recognize these activities in the ‘Review Results’ section of the report could present an unbalanced view of the status of FSA’s enterprise risk management program and associated implementation efforts.

OIG Response

OIG did not recognize all of the ERMG’s activities in the Review Results section. In the Background section of our report, we noted that Phase I of FSA’s enterprise risk management program included “obtaining contractor services,” and “communicating enterprise risk management information to FSA executives” and Phase II included “conducting a high-level risk assessment” and “developing a risk tracking system.” In the Review Results section of our report, we stated that the ERMG had completed Phase I of its program and had nearly completed all activities associated with Phase II. The report did not discuss the development of tools, resources, policies, procedures, and process documents to guide and support the program because they are typical activities when starting new programs and are not unique to the implementation of enterprise risk management at FSA. The report is not designed to be a catalog of all the activities conducted by the ERMG since its inception, but rather to explain the current state of enterprise risk management at FSA.
FSA Comment

FSA stated that it disagrees with the characterization that it has devoted limited attention to the Internal Environment component and stated that it has performed or is in the process of performing significant efforts relating to FSA’s internal environment. The specific example that FSA provided was the high-level risk assessment performed under a purchase agreement with Grant Thornton LLP which, according to FSA, provided a high-level baseline review and documentation of FSA’s internal environment.

OIG Response

We reviewed Grant Thornton’s high-level risk assessment and the associated purchase order during the course of our fieldwork. We found that a review of FSA’s internal environment was not the primary purpose of the work as it was not mentioned in the task order and was not included in the initial draft report provided to FSA. In fact, the Risk Analysis Team Leader, who also served as the Contracting Officer’s Representative for the purchase order, told us during our fieldwork that the internal environment section was not very involved. When discussing the assessment, the Chief Risk Officer said that he wanted the contractor to do a quick review of the internal environment so the ERMG could check off that it had been completed.

The listing of documents reviewed by Grant Thornton, found in Appendix B of its final report, does not contain OIG reports or FSA-wide employee surveys. At the time of Grant Thornton’s work, OIG had completed audits that identified significant internal control weaknesses at FSA. Additionally, there were employee survey results suggesting a concern among FSA staff about a lack of integrity, ethical values and commitment to competence from FSA leadership.
Because the high-level risk assessment is the only area in which the ERMG claims to have addressed Internal Environment on an enterprise-wide level and based on the weaknesses related to the report noted above, we concluded that the ERMG has given limited attention to the Internal Environment component.

FSA Comment

FSA stated that it believes the ERMG efforts related to the Internal Environment component are substantial; however, it stated that it did not intend to audit or opine on the strength or effectiveness of this component. FSA further stated that to do so would be premature and offer little or no added value.

OIG Response

We stand by our conclusion that the ERMG’s efforts related to the Internal Environment component are limited. The ERMG defines the Internal Environment component as “the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of risk management.” [Emphasis added.] According to the ERMG definition, Internal Environment elements include an entity’s risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility. As we stated in our report, “[t]he ERMG has not ensured that FSA has a defined risk management philosophy or risk appetite.
Additionally, the ERMG has not given attention to existing information on FSA’s Internal Environment such as FSA-wide surveys indicating that there are perceptions on the part of FSA staff concerning a lack of integrity, ethical values and commitment to competence from FSA leadership….” The COSO Framework states that the “effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities.” The ERMG’s efforts related to the Internal Environment component are not substantial due to the fact that the ERMG has not addressed the specific elements of the component. The fact that FSA believes that determining the strength or effectiveness of this component would be premature and offer little or no added value is contradictory to the importance placed on it in the COSO Framework and by the ERMG’s own definition.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our inspection was to evaluate FSA’s implementation of Enterprise Risk Management. We began our fieldwork on July 17, 2008 and conducted an exit conference on February 10, 2009. The scope of our review included the ERMG’s implementation activities at FSA from the hiring of the Chief Risk Officer in June 2004 to December 2008.

We reviewed COSO’s Enterprise Risk Management – Integrated Framework. To evaluate FSA’s implementation of enterprise risk management, we reviewed the ERMG’s Strategic Plan, Project Plan, methodology for conducting business unit risk activities, risk categories, risk ratings, risk heat map, risk terminology, and listing of special projects. We also reviewed seven of the ERMG’s PowerPoint presentations and documents related to Business Unit Risk Activities in five business units, including summary reports for three of those business units.
We reviewed documents associated with both of the ERMG’s purchase agreements for enterprise risk management support services, ED-06-AG-0039 with Grant Thornton and ED-08-AG-0003 with ADI Consulting, including the High-Level Risk Assessment created by Grant Thornton under Task Order 1 of their purchase agreement. We also interviewed FSA staff in the ERMG.

Our inspection was performed in accordance with the 2005 President’s Council on Integrity and Efficiency Quality Standards for Inspections appropriate to the scope of the inspection described above.

ADMINISTRATIVE MATTERS

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

Electronic cc:
Linda Hall, Acting General Manager, Enterprise Performance Management Services
Stan Dore, Chief Risk Officer
Marge White, Director, Internal Review Division
Cynthia Vitters, Team Leader, Risk Analysis Team

April 10, 2009

Mr. W. Christian Vierling
Director, Evaluation and Inspection Services
U.S. Department of Education
Office of Inspector General
550 12th Street, S.W., Room 8153
Washington, DC 20024

Dear Mr. Vierling:

Thank you for providing us with an opportunity to respond to the Office of Inspector General’s (OIG) draft management information report entitled, “Review of Federal Student Aid’s Enterprise Risk Management Program” (Control Number ED-OIG/I13I0005). While we understand that since this report did not contain any recommendations for corrective action, no response is required, we appreciate the opportunity to address some of the information, comments and assertions contained therein.
As noted in the background section of this management information report (MIR), Federal Student Aid’s Enterprise Risk Management Group (ERMG) was created in May 2006 to provide a more strategic view of risks at Federal Student Aid (FSA) and better enable senior management to identify, assess, manage and monitor those risks. In support of those objectives, ERMG’s Risk Analysis & Reporting Division is leading the effort to implement an Enterprise Risk Management (ERM) Program at FSA. This effort, which is among the first of its kind in the federal government, represents a forward-looking and proactive approach to evaluating and managing risk, especially at the enterprise or strategic level.

Since much of the focus of this inspection was centered on evaluating FSA’s implementation of its ERM program against its adherence to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, we feel compelled to respond to some assertions contained in the OIG Inspection report that we do not believe to fairly characterize the results of our effort to date. One such example of this is the statement that “ERMG has not fully addressed any of the COSO Framework’s eight components.” The report does not elaborate on what is meant by “fully addressing” the components, yet implies that ERMG’s efforts relating to the eight components of COSO are in some way deficient.

FSA has chosen to adopt a framework, which is based on the ERM Integrated Framework issued in 2004 by COSO. Since the COSO Framework was developed primarily with public stockholder-owned corporations in mind, Federal Student Aid has spent considerable time evaluating and considering how to utilize various aspects of this Framework to be most applicable and beneficial to a federal entity.
Federal Student Aid has made the decision to address all eight components in its ERM Program, Strategy, and/or Project Plan documents, which were provided to the OIG inspectors at the beginning of their fieldwork. At no point during the inspection did ERMG represent that all activities related to these components were complete and some are not yet even in process. However, we are not applying the COSO Framework in the exact manner or order described in the COSO guidance. The guidance in COSO all but mandates this approach. Specifically, COSO states:

“No two entities will, or should, apply enterprise risk management in the same way. Companies and their enterprise risk management capabilities and needs differ dramatically by industry and size, and by management philosophy and culture. Thus, while all entities should have each of the components in place and operating effectively, one company’s application of enterprise risk management – including the tools and techniques employed and the assignments of roles and responsibilities – often will look very different from another’s.”

The implementation and execution of an effective ERM program is a multi-year effort that requires time, commitment, support and resources. Therefore, we believe that the OIG’s assertion that FSA has “not implemented enterprise risk management” is somewhat misleading. Our concern is that since it merely states the obvious, it tends to undermine ERMG’s efforts as this is not a realistic expectation or goal at this point in time. In fact, only a very small percentage of publicly traded companies have fully implemented ERM programs, despite having a significant head start over their government counterparts. Most ERM programs, like FSA’s, are works-in-progress. Despite this, many of the benefits associated with ERM can be and are realized prior to the “full implementation” of ERM.

FSA’s ERM Program competes with other ERMG efforts including special projects, risk assessments and internal reviews.
It was developed internally with extensive planning, analysis and research, which was a necessity as there is no governmental guidance directly related to ERM, or other federal ERM programs to model after.

The ERM Program consists of various additional efforts beyond the business unit risk activities referred to in the OIG’s report. While the business unit risk activities represent a significant part of FSA’s ERM Program, numerous other activities were underway during the May 2007 through December 2008 time period referenced by this report. These activities include:

• Conduct a high-level risk assessment to identify and assess FSA’s strategic risks;
• Development and finalization of various risk resources and tools to guide and support the ERM Program;
• Development and implementation of an advanced risk tracking database;
• Training and presentations provided to internal business units, senior management and entities outside of Federal Student Aid;
• Conduct various activities required to acquire contractor support for the ERM effort; and
• Completion of various policies, procedures and/or process documents in support of FSA’s ERM Program.

We believe that failure to recognize these activities in the ‘Review Results’ section of this report can present an unbalanced view of the status of FSA’s ERM Program and associated implementation efforts.

Considerable attention in this report also focuses on what OIG characterizes as “ERMG’s limited attention to the Internal Environment component” of the COSO ERM Framework. We respectfully disagree with this characterization and maintain that significant efforts relating to FSA’s Internal Environment have been performed or are in process. Prior to beginning the detailed risk activities currently underway, ERMG engaged an independent contractor, Grant Thornton, LLP (GT), to perform a high-level risk assessment at FSA.
As part of that effort, GT also performed a high-level baseline review and documentation of FSA’s Internal Environment as defined by the COSO ERM Framework. The results of that review were contained in the high-level risk report presented to executive management. At the same time, efforts to document and evaluate the Internal Environment at FSA continue as part of other activities associated with the implementation of FSA’s ERM Program.

We believe that the combined ERMG efforts discussed above and relating to the COSO Internal Environment component are substantial. Nonetheless, we appear to have fundamental differences with the OIG about the timing of activities associated with incorporating this component into FSA’s framework. Although the baseline review and documentation of the Internal Environment were performed as planned, we did not intend as part of that effort to audit or opine on the strength or effectiveness of this COSO component. To do so, in our opinion, would be premature and offer little or no added value.

While efforts to implement an ERM Program at FSA are not free from challenges or mistakes, they do offer a unique opportunity to enhance the organization’s risk management practices, understanding and culture. Our process of implementing an ERM Program is one of continuous enhancement, refinement and adoption of best practices. As such, we appreciate the chance to share our efforts and progress with the OIG’s inspection team and hope to further improve FSA’s ERM Program based on the feedback provided.

Sincerely,

/s/
James F. Manning
Acting Chief Operating Officer
Review of Federal Student Aid's Enterprise Risk Management Program.
Published by the Department of Education, Office of Inspector General on 2009-05-05.