ICE Office of Policy, Enterprise Risk Management (ERM)
AGA-DC and GWSCPA 8th Annual Conference Briefing
Agenda
• Enterprise Risk Management (ERM): Overview
• DHS: Shifting towards risk-based decision-making
• Current ICE ERM accomplishments
• Initial ICE gaps and challenges
• Current ICE gaps and challenges
• How ICE would benefit from a fully capable ERM program
• Potential Future of ICE ERM
• Key Dimensions for Successful ERM
• General Process to Achieve Desired End State
ERM: Overview
Enterprise Risk Management informs the strategic allocation of resources ICE-wide in order to most efficiently mitigate risk events to ICE’s mission area, both in steady-state and crisis environments.
ERM is designed to:
• Assist in establishing and executing ICE-wide senior leadership’s priorities
• Align risk events to senior leadership’s strategic goals
• Inform the link between strategic planning and budgeting to improve efficiency and transparency
• Identify performance metrics focused on increased efficiency and best resource allocation across all ICE programs
Example: ERM proposes where, how and how many resources should be deployed to best mitigate risks of human smuggling and trafficking into the U.S.
ERM: Overview
• 2006: No formalized risk management process in place
• 2007: ICE Office of Policy initiated its first risk management program (ERM I), working with outside consultants and representatives from every major ICE program office
• 2008: ICE concluded its first risk management program (ERM I), resulting in the identification of:
  • 31 prioritized risk events
  • Risk definitions and descriptions, including assessment of adversary threat, ICE vulnerabilities and consequences to the Homeland
  • Optimal program strategies to mitigate high and medium risks
• 2009: Conceptualized the next generation of risk management, ERM II, which includes lessons learned, enhanced risk techniques, and improved alignment with risk partners from the level of risk ownership to federal enterprise architecture business lines
DHS: Shifting towards risk-based decision making
Leadership:
• OMB, FY2010 Terminations, Reductions, & Savings, May 7, 2009: The Administration is proposing to eliminate the Emergency Operations Center (EOC) Grant Program in the 2010 Budget because the program's award allocations are not based on risk assessment.
• February 3, 2009, Secretary Napolitano’s letter to the Director of OMB: “For the longer term, I am also working to increase the Department's ability to incorporate risk analysis into its budget development process.”
Bottom Line: Risk will be used to justify budget decisions.
DHS: Shifting towards risk-based decision making
Current and Emerging Mandates:
• Homeland Security Act 2002, Sect. 889: “The President shall include in each budget…a detailed, separate analysis, by budget function, by agency, and by initiative area…(III) the most recent risk assessment and summary of homeland security needs in each initiative area….”
• HSPD-7, Sect. 14, Critical Infrastructure Identification, Prioritization, and Protection: “The Secretary will establish uniform policies, approaches, guidelines, and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors along with metrics and criteria for related programs and activities.”
• Integrated Planning Guidance 2011 – 2015, December 2008: “…programs which act in the incident chain will be asked to answer how effective their programs are at reducing risk associated with identified incident sets…. To accomplish this, components, directorates and offices shall gather or generate evidence to support these effectiveness judgments. Components should be prepared to provide relevant cost information and anticipate answering questions about the expected program effectiveness impact of budget increments or decrements.”
• Recommendations made to Secretary Napolitano, DHS Tier II Risk Steering Committee, April 29, 2009: “Issue a DHS Management Directive establishing the processes, roles and responsibilities for achieving integrated risk management in DHS.”
Bottom Line: Risk management will move from ‘optional’ to ‘required’.
DHS: Shifting towards risk-based decision making
Continuous Congressional Pressure:
• GAO Report on TSA use of Risk Assessments, March 2009: In recent years, the President and Congress have provided that federal agencies with homeland security responsibilities are to apply risk management principles to inform their decision making regarding allocating limited resources and prioritizing security activities.
• FY 2010 Budget of the U.S. Government, Terminations, Reductions, and Savings: Due to the lack of risk assessments as recommended by GAO, the Administration is terminating the Trucking Security Program, Inter-City Bus Security Grant Program, and Emergency Operations Center Grant Program.
• Bennie Thompson, Chairman of the Committee on Homeland Security, April 22, 2009: “I look forward to working with President Obama and Secretary Napolitano to foster a culture at DHS that meaningfully embraces risk management principles so that programs and money are directed to where they are needed most.”
Bottom Line: Congress will monitor DHS components’ progress on risk management.
DHS: Shifting towards risk-based decision making
Timeline of risk-management drivers, 2002 to 2011 (reconstructed from the slide graphic):
• 2002: Homeland Security Act
• 2003: HSPD-7
• 2004: HSPD-10
• 2005: ICE-specific GAO Report on OI*
• 2006: NIPP
• 2009: NIPP; S1 letter to OMB
• Also on the timeline (undated on the slide): Interim IRMF; IPG 2011-2015; Risk HSPD; Mgt. Directive; Current recommendations to Secretary Napolitano
*GAO-06-462T: Better Management Practices Could Enhance DHS’s Ability to Allocate Investigative Resources
NOTE: There are also numerous GAO reports calling on DHS to conduct Risk Management, such as:
• GAO-09-492: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocation
• GAO-06-91: Risk Management – Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructures
• GAO-05-790: Homeland Security: Actions Needed to Better Protect National Icons and Federal Office Buildings from Terrorism
• GAO-02-208: A Risk Management Approach Can Guide Preparedness Efforts
• GAO-02-150T: Homeland Security – Key Elements of a Risk Management Approach
Current ICE ERM accomplishments
• Established Strategic Management Division within Office of Policy
• Established Risk Working Group with representatives from all ICE stakeholder programs
• Developed preliminary category of risk events aligned to draft strategic plan
• Identified Executive Risk Officers and subject matter experts for each risk event
• Conceptualized Enterprise Risk Management program framework over two phases:
  • ERM I
  • ERM II
Current ICE ERM accomplishments
• ERM I Prototype concluded 3/09 (See Appendix A for additional detail)
  • Identified 56 risk events, prioritized into high, medium and low categories
  • Assessed adversary threats
  • Assessed ICE vulnerabilities
  • Assessed consequences to the Homeland
  • Developed draft strategies to mitigate high and medium risks
• ERM II Framework began development 11/08 (See Appendix B for additional detail)
  • Conceptualized next generation of risk management
  • Adversary-based
  • Advanced decision-making platforms
  • Connected sequential risk events (precursors and escalators)
  • Enhanced optimization criteria to include more than cost-benefit
Current ICE ERM accomplishments
According to an analysis done by RMA, ICE is among the top 6% of risk programs at DHS that formally consider all steps in the risk management cycle. These include:
• ICE Enterprise Risk Management model
• NPPD National Communications Sector Risk Assessment
• TSA National Transportation Sector Risk Assessment
Initial ICE gaps and challenges
ICE’s initial decision-making processes included the following gaps:
• After extensive research, learned there were no known models that fit the needs of ICE law enforcement.
• Relevant stakeholders had not been identified.
• Undesirable Events (UDEs) that affect ICE’s ability to attain goals identified in the draft ICE Strategic Plan had not been identified.
• Risk definitions, risk algorithms, and risk descriptions including adversary threats, ICE vulnerabilities and consequences to the Homeland had not been developed.
• Unclear how risks would be delineated (High, Medium, Low?).
ICE’s ERM program faced the following challenges:
• Funding lines were unclear.
• Lines of authority were unclear.
• How does one quantify the unquantifiable?
• How does one determine which mitigation strategies are most viable (cost-benefit, national security, leadership individual tolerances)?
Current ICE gaps and challenges
ICE’s current decision-making processes include the following gaps:
• Decisions are currently made without formal risk analyses to support them.
• Decisions are reactive, not proactive.
• Risk management is not specifically aligned to the budget process.
• Performance measures currently in place do not reflect ICE programs’ risk mitigation effectiveness.
ICE’s ERM program faces the following challenges:
• ERM needs additional senior leadership support, direction, and championship to be effective.
• The ERM program is currently supported by only 2 FTEs.
• The ERM program cannot be fully implemented with current IT capabilities.
How ICE would benefit from a fully capable ERM program
A fully capable ERM program will help ICE identify the best resource allocation solutions to mitigate risks, thereby maximizing law enforcement coverage with limited resources, realizing cost efficiencies, and aligning ICE with Secretary Napolitano’s commitment to transparency and efficiency and One DHS.
• Efficiency: Helps determine optimal allocation of resources to mitigate risks in the current risk environment
• Performance-based: Provides capability to analyze effectiveness of mitigation strategies and individual programs in risk mitigation
• Transparency: Documents risk-based resource allocation decisions
• Preparedness: Provides possible crisis response plans when needed, with full sensitivity and outcome analysis
• One DHS: Coordinates with DHS RAPID and component agency risk programs
Potential Future of ICE ERM
This program will ultimately:
• Integrate into the PPBE process to allow ICE’s finite resources to be allocated in a transparent and efficient manner
• Monitor agency risk reduction effectiveness to increase efficiencies and identify the best resource allocation across all ICE Programs
• Identify best action plans in times of crisis, including consequences of resource shifts
• Interface with DHS RAPID
• ICE infrastructure of the ERM program will be aligned so that the Risk “Champion” reports directly to the Assistant Secretary or their designate.
• Establish a culture of risk management, endorsed and championed by senior leadership
• Continue to engage internal and external risk partners/stakeholders to build stronger tool(s) from lessons learned both from ICE and other risk models.
Key Dimensions for Successful ERM
I. GOVERNANCE, POLICY & DECISION-MAKING: This dimension encompasses the organization’s tone at the top, risk governance structure, risk and compliance roles and responsibilities, and risk management policies including tolerance of specific types of risk.
Key Recommended Practices:
• Management annually describes its policy and process for risk assessment and risk management for all risks that constitute a major exposure.
• Leadership has established a threshold above which all risks must be reported.
• Risk policies and procedures are effective, well disseminated, supported by an effective disciplinary system, and updated on a periodic basis.
• Accountability and authority for risk taking are clearly defined throughout the enterprise.
• Specific executives are assigned responsibility and accountability for the identification, assessment, prioritization, and management of specific risks.
• Senior leadership is effectively engaged in the risk management process, serving as a risk oversight and decision-making body.
• Business units/functions play a key role in the risk management process by effectively tracking risk information, participating in risk assessments, and using risk information to mitigate risks and develop business strategies.
• The enterprise systematically considers risk as part of its core decision-making processes.
Key Dimensions for Successful ERM
II. RISK IDENTIFICATION & RISK ASSESSMENT: This dimension involves the processes for identifying and assessing potential internal and external risks that are relevant to the mission and could affect the entity and its key objectives, projects, processes, functions and/or systems. Interdependencies between risks should be considered. Strategic, execution and operational risks should be identified and assessed. Risk assessment enables the organization to consider: (1) the extent to which potential events may have an impact on achievement of its objectives, and (2) the net exposure of the organization after taking into account current risk mitigation and controls.
Key Recommended Practices:
• Standardized and robust risk definitions have been developed and shared and are updated regularly.
• Tools and techniques (such as self-assessments, stress tests, sensitivity analysis, and SWOT analysis) are effectively used to identify how the enterprise might fail to achieve its objectives.
• Assessments are both qualitative and quantitative and utilize appropriate tools and techniques consistent with the type and complexity of risk.
• Risk interdependencies are clearly identified and evaluated.
• Internal and external subject matter specialists are involved in risk assessments.
Key Dimensions for Successful ERM
III. RISK RESPONSE (MITIGATION): Risk response is management's determination on how best to respond to a specific risk or set of risks. This includes whether to avoid, accept, mitigate, monitor, or transfer risks. Risk response also involves the process of prioritizing risks, allocating resources, and executing risk response plans. The focus of recommended practices in this dimension is on developing, evaluating and deploying risk mitigation strategies.
Key Recommended Practices:
• Effective risk mitigation strategies are identified and evaluated for alignment with the organization’s risk appetite and the size and scope of the risk exposure.
• Risk mitigation strategies are designed and prioritized to incorporate such factors as: speed of risk onset, likelihood of occurrence, vulnerability, cost of mitigation (compared to expected benefit), degree of difficulty, and effort to implement.
• Risk mitigation strategies are aligned with organizational and financial objectives through the budgeting and planning process.
• Risk mitigation strategies are integrated and communicated to provide effective and timely enterprise-wide preparation, response, and recovery.
• Risk mitigation strategies are reviewed to ensure they meet compliance requirements (e.g., mandatory disclosures, etc.).
• Risk owners/managers are supported with tools, experienced staff, venues for discussion, knowledge-sharing, and advisory services.
Key Dimensions for Successful ERM
IV. CONTROL ACTIVITIES, ASSURANCE & TESTING: Control activities are the policies, procedures, and systems that help ensure that an organization’s risk mitigation plans are carried out. Control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties, among others. Controls must be periodically tested and verified to ensure they are designed appropriately and operating as intended.
Key Recommended Practices:
• Management has defined and implemented appropriate, effective control activities (e.g., preventive, detective, manual, and automated controls) to ensure the quality of risk mitigation strategies.
• Controls are effectively tested across key processes, systems, and functions throughout the enterprise.
• A systematic, independent verification of the risk management process (including risk assessment, mitigation, and testing) is performed on a periodic basis.
Key Dimensions for Successful ERM
V. RISK INTELLIGENCE, COMMUNICATIONS & TRAINING: Risk intelligence is the product resulting from gathering and analyzing an organization’s risk information. Pertinent risk intelligence is identified, captured, and communicated on a timely basis to allow trained people to carry out their responsibilities. Personnel are trained to make rapid and appropriate decisions using the risk intelligence provided to them.
Key Recommended Practices:
• Risk information is effectively incorporated into core business decision-making processes (e.g., strategic planning, capital allocation, etc.).
• Risk information reporting systems enable managers to access, aggregate, analyze, and report on relevant risk data.
• Risk information is shared throughout the enterprise, as well as with external stakeholders.
• Effective risk management training is carried out at all levels of the enterprise to ensure that personnel have the knowledge and skills to perform their risk-related responsibilities.
Key Dimensions for Successful ERM
VI. MONITORING & ESCALATION: Monitoring is the periodic or continuous observation of the portfolio of risks in order to detect and give timely warning of change. Monitoring includes supervision, observation, and reporting to responsible individuals. Monitoring is an ongoing activity embedded into the entity's operations. Escalation is a procedure by which risks that exceed or are about to exceed specified thresholds or triggers are elevated to the appropriate level of authority for resolution on a timely basis.
Key Recommended Practices:
• Thresholds and triggers for escalation to Senior Management have been established for all major risks.
• There is a well-defined, effective escalation process for major risk events that exceed specific thresholds (including timeframes, procedures, notification instructions, actions, etc.).
• Early warning systems based on established thresholds detect potential adverse events.
• Validity, completeness, and accuracy of risk data/reporting are sufficient to detect significant variations and allow corrective action to be taken to avoid incidents.
Key Dimensions for Successful ERM
VII. SUSTAINABILITY & CONTINUOUS IMPROVEMENT: The risk management process should be sustainable, continuously assessed, evaluated, and improved over time. Its effectiveness depends on the integration, coordination, and capability of people, processes, and technology.
Key Recommended Practices:
• There are formal, effective processes to review and evaluate risk management activities.
• The organization monitors whether progress is being made in managing major risk exposures and takes corrective action as necessary.
• Failures to correctly identify, assess, and mitigate risks are investigated and remediation efforts implemented.
• The organization has a successful track record of managing large initiatives that require changes in people, process, and technology.
Descriptors of Risk States
• 1 - Trailing = No evidence of formal adoption of recommended risk management practices. Practices followed tend to be ad hoc, inconsistent, or reactive in nature.
• 2 - Emerging = Limited evidence of recommended practices. There are significant improvement opportunities for creating a more integrated and strategically aligned risk management capability. There is growing understanding of the importance of applying improved risk management practices, but no formalized plans are in place.
• 3 - Maturing = Meeting some recommended practices, particularly in more specialized risk functions. The importance of building a stronger risk management capability is generally accepted in the organization and key areas of improvement are recognized by management. There is evidence of incorporating fundamental risk management practices into planning and performance aspects of the core mission.
• 4 - Sustaining = Meeting most recommended practices. The organization has implemented or is implementing many recommended risk management practices. There are dedicated resources and executive commitment focused on maintaining and improving existing risk management processes, systems, and specialized risk management expertise.
• 5 - Leading = Fully meeting or exceeding recommended practices. The organization has implemented and is sustaining risk management practices that are consistent with those prescribed by authoritative sources. There is evidence that risk management practices are recognized as a key factor in the achievement of strategic, operational, and compliance objectives. The organization is also striving to develop innovative risk management strategies that provide tangible strategic benefits. Others recognize the organization as a leader in integrated, enterprise-wide risk management capability and strive to emulate its practices.
General Process to Achieve Desired State
The following can occur simultaneously and/or sequentially, depending on funding, timing, and capabilities:
• Conduct ICE ERM Capability Assessment
• Develop a Sustainable Enterprise Risk Assessment Process
• Establish ERM Organizational Structure and Responsibilities
• Establish ERM Operational Policy and Framework
• Integrate Strategic and Business Planning
• Conduct ERM Training
• Develop an Executive Dashboard / Reporting Tool
• Develop an Implementation Roadmap
Risk Management Overview
• Risk is the potential for an unwanted outcome from an incident or event.
  • Example: The risk of a bomb exploding in a federal facility is the potential for human lives lost, damage to federal property, and damage to the government’s ability to function.
• A Risk Event is the event or incident that leads to the unwanted outcome.
  • Example: The risk event is the bomb exploding in a federal facility.
• The Measure of Risk is a function of threat, vulnerability, and consequence.
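As an added illustration of the last bullet (this code is not from the briefing or from ICE's ERM program), the script below scores constructed risk events on threat, vulnerability and consequence, buckets them into the High/Medium/Low categories the briefing mentions, computes the net exposure left after a control, and flags events that cross an escalation threshold. The multiplicative form of the risk function, the 1-to-5 ordinal scales, the category cut-offs, the escalation threshold and every score are assumptions chosen for illustration; the briefing only states that the measure of risk is a function of the three factors.

```python
from dataclasses import dataclass
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1..5 ordinal scale for each factor


@dataclass(frozen=True)
class RiskEvent:
    """A risk event scored on its three factors (scales are an assumption)."""
    name: str
    threat: int         # adversary intent and capability to cause the event
    vulnerability: int  # how exposed the mission area is to the event
    consequence: int    # harm to the Homeland if the event occurs

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scale so bad input cannot
        # silently distort the ranking.
        for field in ("threat", "vulnerability", "consequence"):
            value = getattr(self, field)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{field} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}"
                )


def risk_score(event: RiskEvent) -> int:
    """Measure of risk as an assumed product of the three factors (1..125)."""
    return event.threat * event.vulnerability * event.consequence


def risk_category(score: int, high: int = 60, medium: int = 20) -> str:
    """Bucket a score into High/Medium/Low using assumed cut-offs."""
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def residual_score(event: RiskEvent, mitigation_effectiveness: float) -> int:
    """Net exposure after current controls: the raw score reduced by the
    fraction of risk the control is credited with removing (assumed model)."""
    if not 0.0 <= mitigation_effectiveness <= 1.0:
        raise ValueError("mitigation_effectiveness must be within [0, 1]")
    return round(risk_score(event) * (1.0 - mitigation_effectiveness))


def prioritize(events: List[RiskEvent]) -> List[Tuple[str, int, str]]:
    """Rank events by score, highest first; ties are broken by name."""
    ranked = sorted(events, key=lambda e: (-risk_score(e), e.name))
    return [(e.name, risk_score(e), risk_category(risk_score(e))) for e in ranked]


def needs_escalation(event: RiskEvent, threshold: int = 60) -> bool:
    """Escalation trigger: report to senior leadership once the score
    reaches the (assumed) threshold."""
    return risk_score(event) >= threshold


# Constructed sample events. The first two names appear in the briefing;
# every score below is made up for illustration.
SAMPLE_EVENTS = [
    RiskEvent("Human smuggling and trafficking into the U.S.", 5, 4, 4),
    RiskEvent("Bomb exploding in a federal facility", 3, 2, 5),
    RiskEvent("Placeholder event C", 2, 2, 2),
]

if __name__ == "__main__":
    for name, score, category in prioritize(SAMPLE_EVENTS):
        flag = " (escalate)" if score >= 60 else ""
        print(f"{category:<6} {score:>3}  {name}{flag}")
    net = residual_score(SAMPLE_EVENTS[0], 0.5)
    print(f"Net exposure of '{SAMPLE_EVENTS[0].name}' after a 50% effective control: "
          f"{net} ({risk_category(net)})")
```

The point of the residual calculation is the one the briefing's second dimension makes: the same event can sit in High before controls and in Medium afterwards, so prioritisation and budget alignment should be run on net exposure, not on the raw score alone.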
DHS increasing focus on Risk Management
Last slide from DHS Tier II Risk Steering Committee meeting (April 29, 2009). Below is the complete list of recommendations to the Secretary:
• Approve and sign the Integrated Risk Management Framework as the Department’s keystone doctrine and guidance for integrated risk management. This document will build on the already published Interim Integrated Risk Management Framework, and provide the opportunity for the Department’s new leadership to guide the development of, and publicly endorse, the Department’s vision for integrated risk management.
• Pursue the issuance of a Homeland Security Presidential Directive on risk management defining a nation-wide program.
• Issue a DHS Management Directive establishing the processes, roles and responsibilities for achieving integrated risk management in DHS, consistent with the existing delegation of authorities to the Under Secretary for National Protection and Programs.
• Form a Federal interagency working group to develop the Homeland Security National Risk Assessment in conjunction with the Quadrennial Homeland Security Review.
• Provide additional resources to improve the Department’s risk analytic capability, including the development of a Risk Analysis Cell, and a Risk Knowledge Center to support DHS and, ultimately, State and local partners in better assessing, analyzing and managing risk to the homeland.
DHS increasing focus on Risk Management
• Secretary Napolitano issued an Action Directive on January 21st
• The directive focused on two questions:
  • What is the status of risk analysis metrics, and what is the plan and time frame for setting up a full-blown system to govern the establishment of critical infrastructure programs, the priorities among national planning scenarios, and the distribution of grants to state, local, and tribal entities?
  • How can DHS enhance risk management as the basis of decision making?
• A coordinated response was provided on February 27
DHS increasing focus on Risk Management
• February 3, 2009, Secretary’s letter to the Director of OMB:
  • “For the longer term, I am also working to increase the Department's ability to incorporate risk analysis into its budget development process.”
Current ICE ERM Alignment to Strategic Planning
ICE’s ERM program identifies risk events that could impact our ability to achieve our objectives and develops mitigation strategies to reduce these risks.
[Slide graphic: Goals (from draft ICE Strategic Plan) mapped to the High Risks to those Goals]
• Goal 1 (Strategic)
• Goal 2 (Strategic)
• Goal 3 (Strategic)
• Goal 4 (Enabling)
• Goal 5 (Enabling)