After-Action Review: Enterprise Risk Management

Bureau for Management

Office of Management Policy, Budget, and Performance

February 2019


Executive Summary: Key Recommendations at-a-Glance

The following recommendations are based on the findings from the Enterprise Risk Management (ERM) After-Action review.

Recommendations Owner Impact Management Response

Issue 1: Training was theoretical, lacked clarity, and was inaccessible to Mission staff

1.1 Enhance existing ERM training content to include: a) an articulation of the Agency’s vision for risk management at the corporate and individual AU levels; b) how the ERM and FMFIA processes should relate to each other; c) how USAID integrates ERM across the program cycle; and d) step-by-step task-level guidance on completing the risk profile development process.

Owner: ERM Secretariat and Risk Management Council (RMC)

1.2 Leverage M/CFO’s train-the-trainer model to more efficiently deliver standardized ERM training content to staff in the field and serve as regional resources during risk profile development.

Owner: ERM Secretariat

1.3 Make training more accessible for Mission staff by hosting more webinars, and creating an online training module and job aids.

Owner: ERM Secretariat

Time

Quality

Issue 2: Staggered and compressed roll-out of guidance, template, and risk-appetite statement

Recommendation Owner Impact Feasibility

2.1 Issue annual risk profile guidance to Missions earlier (i.e., no later than mid-April) to allow adequate time for the development of Assessable Unit (AU) level risk profiles.

Owner: ERM Secretariat

Issue 3: Risk-appetite statement purpose and value not understood consistently across AUs

Recommendation Owner Impact Feasibility

3.1 Include messaging regarding Risk-Appetite statement purpose and benefits in annual risk profile guidance to AUs and in a webinar.

Owner: ERM Secretariat

Issue 4: Lack of understanding of relationship between the ERM and FMFIA processes in some AUs

Recommendation Owner Impact Feasibility

4.1 Subsequent to completion of recommendation 6.1, create ADS help documents that include a process map on how the ERM and FMFIA processes interrelate, a table with the differences between the ERM and FMFIA processes, and guidance on how AUs can successfully and accurately complete both processes.

Owner: ERM Secretariat and M/CFO

4.2 In annual risk profile guidance, recommend as a best practice that AUs execute a development process co-facilitated by financial analysts and program officers to encourage a holistic, cross-AU ERM approach.

Owner: ERM Secretariat

Issue 5: Lack of integration of the ERM process with existing program and management operations

Recommendation Owner Impact Feasibility

5.1 Revise ADS 201 and ADS 597 to include guidance on how ERM will be integrated across USAID’s programmatic and operational frameworks, and how AUs should leverage risks identified throughout the Program Cycle to develop the risk profile.

Owner: ERM Secretariat, M/MPBP, and PPL

5.2 Execute a change management plan that: a) emphasizes how ERM will be integrated across the Program Cycle; b) leverages a change champions model with program and management office participation to create buy-in; and c) includes communications messages that highlight the case for change, benefits to the individual AUs, and clarifies Agency expectations on AU roles and responsibilities.

Owner: ERM Secretariat and RMC

Issue 6: Insufficient guidance and knowledge sharing on use of risk profile as an AU business management tool

Recommendation Owner Impact Feasibility

6.1 Create a new ADS chapter for Enterprise Risk Management that clearly articulates the Risk-Appetite Statement’s intended usage at each level of risk profile development (Agency, Bureau and Mission). See related recommendation 8.1.

Owner: ERM Secretariat and M/CFO

6.2 Subsequent to recommendation 6.1, create supplemental help documents for a new ERM ADS chapter that provide various examples of how AUs can use risk profiles at each stage of the program cycle, during acquisition and assistance planning, and other Agency operations.

Owner: ERM Secretariat and M/CFO

6.3 Leverage an existing Agency knowledge management or document management platform where Missions can share their risk profiles, best practices, and experiences with risk management in order to create a community of practice around ERM focused at the field level (e.g., ProgramNet or Huddle).

Owner: ERM Secretariat

Issue 7: Lack of risk profile feedback post submission

Recommendation Owner Impact Feasibility

7.1 Expand Risk Management Liaison responsibilities outlined in ADS 596mab and a new ERM ADS chapter (subsequent to 6.1) to include provision of feedback and suggestions to Missions that facilitates learning related to the risk profile development process and alignment with Agency expectations.

Owner: ERM Secretariat and M/CFO

7.2 Improve communication surrounding the risk profile development process by instituting a feedback loop that facilitates acknowledgement of Mission and Bureau level risks and identifies how they contribute to the Agency-level Risk Profile.

Owner: ERM Secretariat

Issue 8: Lack of clear, cross-Agency consensus on the purpose and desired outcomes of ERM

Recommendation Owner Impact Feasibility

8.1 In the new ADS chapter created as part of recommendation 6.1, articulate clearly the Agency’s vision for risk management at the corporate and individual AU levels and its value in strengthening Agency operations.

Owner: ERM Secretariat and M/CFO

Table of Contents

Executive Summary: Key Recommendations at-a-Glance

Background

What was the intent?

What actually happened?

What went well, and why?

What can be improved and how?

Issue 1: Training was theoretical, lacked clarity and was inaccessible to Mission staff

Issue 2: Staggered and compressed roll-out of guidance, template, and risk-appetite statement

Issue 3: Risk-appetite statement purpose and value not consistently understood across AUs

Issue 4: Lack of understanding of relationship between the ERM and FMFIA processes in some AUs

Issue 5: Lack of integration of the ERM process with existing program and management operations

Issue 6: Insufficient guidance on use of risk profile as an AU business management tool

Issue 7: Lack of risk profile feedback post submission

Issue 8: Lack of clear, cross-Agency consensus on the purpose and desired outcomes of ERM

Appendix A: Governance Structure for ERM and Internal Control Systems

Appendix B: List of Focus Group Participants

Appendix C: Receipt Rate of Mission Risk Profiles

Background

In 2016, the Office of Management and Budget (OMB) issued an updated Circular A-123, which introduced the concept of Enterprise Risk Management (ERM) as a new tool for agencies to integrate with their internal control systems and Federal Managers’ Financial Integrity Act (FMFIA) certification process. With these revisions, OMB emphasized the management of agency risks[1] that challenge an agency’s ability to achieve its strategic objectives. In addition, A-123 seeks to ensure better coordination of ERM with the strategic planning and review process established by the Government Performance Results Act Modernization Act (GPRAMA) and the internal control processes established by FMFIA and the Government Accountability Office’s (GAO) Green Book.

USAID began ERM implementation in March 2017 with the release of a Risk Management Discussion Note to generate cross-Agency feedback on a common risk management approach for use in all Operating Units. In June 2017, the Agency submitted an initial Agency Risk Profile to comply with requirements set forth in OMB Circular A-123, and finalized its ERM governance framework with the full revision of mandatory reference ADS 596mab, Governance Charter for Enterprise Risk Management and Internal Control at USAID.

In preparation for its 2018 Agency Risk Profile submission, the Bureaus for Management (M) and Policy, Planning and Learning (PPL) issued ERM Implementation Guidance in May 2018 aimed at all Missions, Bureaus, and Independent Offices. It identified the Agency’s goal of overall ERM implementation as a way to “identify, analyze, respond to, and monitor key enterprise-level risks using a structured and systematic approach to better achieve Agency objectives.”[2] This approach required all assessable units (i.e., Missions, Bureaus and Independent Offices) to develop risk profiles to identify the major risks faced by each to inform resource and management decisions.
Each assessable unit was asked to submit their five to seven top risks to the next management level for consideration. Mission risk profiles were due to Regional Bureaus by July 16, 2018, and Bureau and Independent Office risk profiles were due to the ERM Secretariat on July 30, 2018. While Circular A-123 says an agency’s risk appetite should include the risk assessments and associated response, it does not require agencies to have a documented risk-appetite statement. USAID published its Risk-Appetite Statement on July 11, 2018.

To facilitate process improvements and potential changes, the Office of Management, Policy, Budget, and Performance in the Bureau for Management (M/MPBP) organized an after-action review to solicit feedback on successes and recommendations for improvement of ERM, particularly in relation to the ERM process at the AU level. M/MPBP held 13 focus group meetings from November 26th, 2018, to December 18th, 2018. Participants in the focus groups included representatives from 22 USAID Missions, Bureaus, and Independent Offices.[3] The group discussions focused on four key questions, which form the basis of this after-action review:

1. What was the intent behind ERM?

2. What actually happened?

3. What went well, and why?

4. What can be improved, and how?

In addition to holding the after-action review focus groups with the key stakeholders, M/MPBP reviewed ADS 596mab, the Agency’s Risk-Appetite Statement, OMB Circular A-123, and the ERM Implementation Guidance and training materials.

[1] OMB A-123 defines risk as “the effect of uncertainty on objectives.” This neutral definition is meant to include opportunities as well as threats.

[2] See Appendix B for list of focus group participants.

What was the intent?

Per ERM implementation documentation and feedback received in several focus groups, the defined risk assessment process was intended to: 1) develop assessable unit (AU) risk profiles to meet the OMB requirement outlined in Circular A-123; 2) establish a standard, streamlined risk profile development process for collection and submission of risks and FMFIA certifications by AUs leveraging existing bodies to the maximum extent possible; and 3) institute a risk management culture in the Agency. Per the ERM Implementation Guidance updated in May 2018, risk management information was to flow both up and down across the Agency and across its organizational structures to improve knowledge sharing and decision making as depicted in Figure 1 below.

Figure 1. Intended ERM Information Flow

The primary channels for ERM communication are the key stakeholder groups listed below.

Assessable Units (AU): All Agency Missions, Bureaus, and Independent Offices. Each Bureau and Mission has a Management Council on Risk and Internal Control (MCRIC) that provides management and oversight for ERM and internal control. They also have Risk Management Liaisons (RML) that facilitate the risk assessment process for their respective AUs.

ERM Secretariat: The Secretariat is a working group composed of staff from the Bureau for Management (M Bureau), the Bureau for Management’s Office of the Chief Financial Officer (M/CFO), the Bureau for Policy, Planning and Learning (PPL), and other B/IOs as needed to support the Executive Committee on Risk and Internal Controls (EMCRIC), RMC, and all ERM functions.

Risk Management Council (RMC): The RMC meets semi-annually and as needed to make decisions about Agency risk. It is composed of Deputy Assistant Administrators (DAAs) from the M Bureau and PPL (as co-chairs); DAAs or Deputy Heads of B/IOs; and Deputies to the Statutory Officers (Deputies to the Chief Financial Officer (CFO), Chief Information Officer (CIO), and Chief Acquisition Officer/Procurement Executive (CAO)) (nonvoting).

Executive Committee on Risk and Internal Controls (EMCRIC): The most senior body overseeing ERM, the EMCRIC is chaired by the Deputy Administrator and composed of the Agency Counselor; Assistant Administrators (AAs) of Bureaus and Heads of Independent Offices; Statutory Officers: CFO, CIO, and CAO; Director, M/MPBP; and Inspector General (IG) (non-voting observer).

Per OMB Circular A-123, ADS 596mab, and the ERM Implementation Guidance, the ERM and FMFIA processes are complementary and are not separate from each other. As a result, the risk profile development process, as outlined in the ERM Implementation Guidance, asked AUs to prepare their FMFIA certifications and risk profiles simultaneously as depicted in Figure 2 below.

Figure 2. ERM and FMFIA Certification Process[4]

As part of the risk assessment portion of the process depicted in Figure 2, the ERM guidance stated AUs should identify, analyze, and evaluate risks; develop alternatives; and respond to them (i.e., identify whether the risk was accepted or should be mitigated). The ERM Secretariat disseminated a risk profile template with the intent of providing AUs a standard means of collecting and submitting the risk profile to the next management level.

[4] SAT – Senior Assessment Team

Lastly, the Agency desired a larger change management effort to better institutionalize risk management throughout the Agency. Per focus group participants, Agency senior leaders envisioned continuous monitoring and management of risks at the AU and Agency level, with risk management integrated into USAID’s operations at the Mission, Bureau, and Agency level. In addition, the Agency also desired a culture-shift in the perception of risk. Instead of perceiving risk as a negative to be avoided at all costs, the intent of ERM was to reframe risk in more neutral terms as “the effect of uncertainty on an Agency’s objectives”, as stated in the Agency’s RAS. As such, risk should not be perceived as inherently positive or negative, only as including factors that could threaten or enhance the likelihood of USAID achieving its objectives.

What actually happened?

Overall, the risk profile development process was seen as an OMB compliance exercise as is currently communicated, although focus group participants did say they see the value in risk management if integrated with other processes. One hundred percent of AUs present in the focus groups shared that the effort had strong leadership support (i.e., AAs, DAAs, and Mission Directors) and noted their involvement in review and approval of the risk profile during MCRIC meetings. Despite strong leadership support, there was variation as to the strategic importance of the exercise beyond an annual OMB submission, and little discussion occurred within Missions regarding how risks identified in the profile would be monitored over time. Those Missions that considered how they could monitor risks over time said that they would do so in quarterly portfolio reviews.

Per focus group participants’ feedback, the desired outcome of risk profile submissions for the majority of AUs was largely fulfilled. Sixty-six of 75 missions completed their risk profile, per a review of the submitted risk profiles by PPL (See Appendix C). One hundred percent of Bureaus and Independent Offices submitted their risk profiles to the ERM Secretariat. There is currently no system in place that would allow M/MPBP to validate whether 100 percent of AUs complied with the requirement to complete a risk profile. However, Washington focus group participants from the ERM Secretariat and the Regional Bureaus stated with confidence that the majority of AUs did complete one using the template provided by the ERM Secretariat.

It is worth noting that most Missions and RMLs reported that the roll-out of the Risk-Appetite Statement (RAS) in August 2018 after the initial risk profile guidance and training was highly problematic because the RAS came out too late in the development process for it to be of use. Many Missions reported not understanding what level of risk was acceptable for them to take on, and further elaborated that it would have been helpful to have had the RAS from the beginning so that AUs could have an idea of the Agency’s tolerance for risk in differing contexts. Additionally, the late roll-out of the RAS hindered Missions’ ability to understand why ERM was important and limited the understanding of how ERM is more than a compliance exercise.

The ERM Implementation Guidance says that information should “flow both up and down the Agency, and across its organizational structures” (page 4). However, both Mission and Washington B/IO focus group participants indicated that AU risk profiles were submitted without receipt of acknowledgement, nor did they receive constructive feedback as to whether they completed the risk profile template appropriately or that the risks identified met expectations conveyed in the ERM Implementation Guidance. Additionally, participants in 54 percent of the focus groups raised issues with the utility of the risk profile template, describing it as unwieldy and difficult to edit.

“What we wanted, was to build this larger culture of ERM across the Agency because people have been talking about it for a long time.”

Missions reported a lack of feedback from RMLs and Agency leadership regarding next steps for ERM at both the Mission and Agency level. This included a lack of information on how to manage risks at the Mission level; what to do with the Mission level risk profiles after submission; how to operationalize ERM at the Mission level as a management tool in terms of its integration with program design, CDCS development, and portfolio reviews; what the Agency intends to do with the Agency-wide risk profile; and next steps for ERM Agency-wide. This lack of follow-through led many at Missions to question the utility of the risk profile development process. For some, ERM felt more like a compliance exercise because of the lack of follow-through. However, others expressed that ERM has value and that Missions have evaluated and discussed risks well before the implementation of ERM, as this is integral to successful development programming. Overall, Missions expressed a desire for further follow through after the submission of their risk profiles.

Specifically related to the risk profile development process itself, staff were unclear regarding how the Agency wished them to proceed with the completion of the ERM and FMFIA processes. Overall, participants in 7 out of 8 Mission focus groups and all RML focus groups expressed that there was a lack of understanding concerning how ERM was intended to relate to FMFIA, and confusion over whether ERM and FMFIA were supposed to be the same or distinct processes. One reason for this was that FMFIA guidance came out separately from ERM guidance. The Agency released FMFIA guidance via Agency Notice on April 23, 2018, and ERM guidance on May 8, 2018. There were also perceived issues with the training on the process. Focus group participants noted that the two-day training was too theoretical and did not address sufficiently the process steps. In some instances, Missions did not receive the training because they were not able to send anyone to Washington, and in many instances created their own training, which may or may not be accurate.

Some Missions reported doing ERM and FMFIA as part of the same process, while others conducted these exercises as separate processes and even at different times, which led to confusion as to whether FMFIA risks should also be duplicated in the risk profile. There was also variation as to who led the risk profile development process. In some Bureaus and Missions, the Controller or Financial Analysts primarily led the risk profile development process with minimal input from the rest of the Mission, as was done with FMFIA. In these instances, Program Office staff reported not understanding how the Program Office should play a role in the development of ERM Risk Profiles since it was considered to be an administrative/support office process similar to FMFIA. In other instances, the risk profile development process was more equitably shared between Controllers/Financial Analysts and the Program Office, with the AUs taking a whole-of-Bureau or Mission approach to risk identification and analysis. Regarding use of existing governance bodies, approximately 93 percent of Missions represented in the focus groups reported that risks were reviewed and approved during MCRIC meetings either during discussions surrounding internal control deficiencies or as part of a separate risks discussion.

“We never received any feedback from Washington, so we didn’t know if what we did [for the risk profile] was adequate or if DC used what we prepared for the Agency Risk Profile.”

“Training was very heavy on what the ERM structure was and how the roll up would work, but nothing about what happens with the information next.”

Participants in half of the Mission focus groups reported that the time between the issuance of the ERM guidance in May 2018 and the due date for the Risk Profile submission on July 15, 2018, was not enough to complete the process adequately, particularly because this timing overlaps with the end of the third quarter. RMLs from Regional Bureaus and Regional Missions also expressed frustration related to workload given they had multiple subordinate AU risk profiles to review in addition to their own. For Regional Bureaus, the timeline was further compressed given there were only two weeks between the time Mission risk profiles were due to them, and the overall Bureau risk profile was due to the RMC.

While there were hopes to build a culture of ERM throughout the Agency, change management efforts to do so were limited to training and individual support offered by the ERM Secretariat. A two-day training, developed and conducted by expert ERM contractors with oversight from the ERM Secretariat, was held in Washington from May 16-17, 2018. However, the majority of Missions expressed that an in-person, two-day training in Washington is expensive and impractical for Mission staff to attend. Additionally, while many Mission staff expressed that the webinars were more helpful as a training tool, the majority of Missions said they should have included more specific information on the risk profile development process.

The majority of Missions found the training materials to be too theoretical, and Missions said they did not explain clearly how to use ERM as a management tool at the Mission level or how to operationalize the AU risk profiles. They expressed that seeing ERM as a management tool was difficult primarily because it was not associated with core Agency processes with which they were familiar, such as those associated with the program cycle described in ADS 201.

What went well, and why?

Missions cited the ERM Implementation Guidance as useful in gaining a basic understanding of the risk profile development process. Although focus group participants desired more practical training content on the actual risk profile development process, those that could attend the two-day training stated it was helpful for understanding ERM at a high level. In addition, Missions and RMLs reported that the ERM Help Desk (part of the Secretariat) was responsive and helpful in answering questions about the risk profile development process and the difference between FMFIA and ERM.

Participation in the risk profile development process was robust. All Bureaus participated and many Missions participated as well, including a 100 percent participation rate from Missions in the Africa region. Most Missions and Bureaus reported that they took the risk profile development process and integration of ERM into Mission operations seriously with routine engagement from Mission management, including Mission Directors and Deputy Directors. The ERM Secretariat and members of the RMC cited the robust socialization of ERM by the ERM Secretariat leading up to the risk profile development process as successful, and certain Missions credited ERM socialization for creating Mission Director buy-in.

“It [the process] was confusing because we had never done it before, and we were just given a spreadsheet to fill out and nobody had training on this. Our Mission prepared our own training on how to do this.”

Members of the RMC and the ERM Secretariat reported Agency-level leadership buy-in into the ERM process as well. The RMC had robust and detailed conversations about risk at the senior leadership level, with members committed to instituting a culture of ERM Agency-wide. Furthermore, the ERM Secretariat reported that ERM champions are emerging in the field, and the ERM Secretariat saw clear interest and engagement from Missions at both the staff and leadership levels. This finding is corroborated by Missions routinely expressing that risk management is highly important in development programming, and is an exercise that many Missions reported already doing before ERM roll-out, particularly through the examination and discussion of risks during the CDCS development process.

What can be improved and how?

USAID identified issues and discussed recommendations based on After-Action Review focus group interviews, in addition to a thorough analysis of ERM policy and the ERM governance structure codified in ADS 596mab, OMB Circular A-123, and the ERM Implementation Guidance and training materials on the Risk Profile submission process.

Issue 1: Training was theoretical, lacked clarity and was inaccessible to Mission staff

The ERM training materials and guidance were too theoretical; lacked clarity in terms of how the risk profile development process worked and how the Agency planned to use ERM at the Agency and individual AU levels; and were not accessible enough for Mission staff, which led to staff being inadequately prepared and inadequately equipped to execute the ERM process effectively. Focus group participants perceived the guidance and training materials as lacking specific, step-by-step information on how to develop risk profiles and as lacking concrete examples of how ERM can be used as a risk management tool or integrated across the program cycle.

The two-day ERM training held in Washington was inaccessible to the vast majority of field staff, as Missions cannot afford to send staff overseas for a very short training. Additionally, focus group participants routinely expressed that there were not enough webinars or detailed information in the guidance materials to make up for the fact that they could not attend the in-person training. Without a more effective system to deliver practical training to field staff, many at the AU level were underprepared to execute ERM. This lack of preparation additionally impacted AUs’ perceived value of the ERM process as a whole.

Recommendation 1.1: Enhance existing ERM training content to include: a) an articulation of the Agency’s vision for risk management at the corporate and individual AU levels; b) how the ERM and FMFIA processes should relate to each other; c) how USAID integrates ERM across the program cycle; and d) step-by-step task-level guidance on completing the risk profile development process.

Recommendation 1.2: Leverage M/CFO’s train-the-trainer model to deliver standardized and practical ERM training content to staff in the field more efficiently and effectively and serve as regional resources during risk profile development.

Recommendation 1.3: Make training more accessible for Mission staff by including more webinars, online training, and training tools that Mission Management can use to train their staff on ERM.

Issue 2: Staggered and compressed roll-out of guidance, template, and risk-appetite statement

The roll-out of the ERM Implementation Guidance, the risk profile template, and the Agency Risk-Appetite Statement was staggered, and guidance came out too late to allow AUs adequate time to readily complete their risk profiles.

The RAS was released after the ERM Implementation Guidance, which decreased its utility in the risk profile development process, as many AUs reported that they had already begun developing their risk profiles by the time the RAS came out. In addition to the non-concurrent timing for the release of the entirety of the guidance materials, the timeline for the development of AU risk profiles was too short. The compressed timeline for risk profile submission led some AUs to feel rushed and overworked when developing their risk profiles.

Recommendation 2.1: Issue annual risk profile guidance to the Agency earlier (i.e., no later than mid-April) to allow for adequate time for the development of AU-level risk profiles.

Issue 3: Risk-appetite statement purpose and value not consistently understood across AUs

The RAS purpose and value are not understood consistently across AUs. This limits its utility in the development of the risk profile and undermines its importance in the Agency’s overall ERM framework. When AUs do not understand how to use the RAS or why the RAS can be a useful tool in the risk profile development process, the RAS becomes obsolete in the ERM process and does not meet its stated intent of providing USAID staff with guidance on the amount and type of risk the Agency is willing to accept.

Recommendation 3.1: Include messaging regarding risk-appetite statement purpose and benefits in annual Risk Profile Implementation Guidance to AUs and in a webinar.

Issue 4: Lack of understanding of relationship between the ERM and FMFIA processes in some AUs

While AUs could understand the relationship between FMFIA and ERM at a high level, it was not clear to them if or how the Agency wanted AUs to execute the two processes in a combined fashion or separately. It was also not clear as to where they should reflect financial risks or those related to internal control deficiencies if they were determined to be of strategic importance (i.e., with FMFIA risks, on the AU risk profile or in both places).

Recommendation 4.1: Create ADS 596 help documents that include a process map on how the ERM and FMFIA processes interrelate, a table with the differences between the ERM and FMFIA processes, and guidance on how AUs can successfully and accurately complete both processes.

Recommendation 4.2: In annual ERM Risk Profile Implementation Guidance to AUs, strongly recommend a process co-led by financial analysts and program officers to clarify the intent that ERM is a holistic approach to identifying and managing risk beyond internal controls and to facilitate a more strategic cross-operating unit approach to the risk profile development process.

Issue 5: Lack of integration of the ERM process with existing program and management operations As part of a larger culture shift to institutionalize ERM, a stated intent of ERM was to institute a change management plan to integrate the ERM process with existing USAID program, strategy, and management operations; this integration did not materialize. The absence of this limits staff understanding as to how they can use the risk profile as a management tool, and compromises the Agency’s ability to institutionalize the ERM process. It is not clear how ERM fits in with the program cycle, and current policy lacks guidance on how AUs can and should integrate ERM. Without a clear understanding of how ERM influences both Mission-level and Agency-wide programming, operations, and strategy, ERM’s value is diminished.

Recommendation 5.1: Revise ADS 201 and ADS 597 to include guidance on how the Agency will integrate ERM across USAID’s programmatic and operational frameworks, and how AUs should leverage risks identified throughout the Program Cycle to develop the risk profile.

Recommendation 5.2: Execute a change management plan that: a) emphasizes how the Agency will integrate ERM across the program cycle; b) leverages a change champions model with program and management office participation to create buy-in; and c) includes communications messages that highlight the case for change and the benefits to the individual operating units, and that clarify Agency expectations on AU roles and responsibilities.

Issue 6: Insufficient guidance on use of risk profile as an AU business management tool

While the Agency desired for AUs to leverage the risk profile as a business management tool, there was nothing in the guidance shared with staff that articulated that desired outcome, nor was there guidance as to how AUs should do so in a way that would benefit the AU and the Agency overall. Neither ADS 596mab nor the ERM Implementation Guidance articulated that as a purpose of the risk profile, which diminished its perceived value to staff because the practical use of risk profiles in AU programming and operations is absent.

Recommendation 6.1: Create a new ADS chapter for Enterprise Risk Management that clearly articulates the Risk-Appetite Statement’s intended usage at each level of risk profile development (Agency, Bureau and Mission).

Recommendation 6.2: Subsequent to recommendation 6.1, create supplemental help documents for a new ERM ADS chapter that provide various examples of how AUs can use risk profiles at each stage of the program cycle, during acquisition and assistance planning, and other Agency operations.

Recommendation 6.3: Leverage an existing Agency knowledge management or document management platform where Assessable Units can share their risk profiles, best practices and experiences with risk management in order to create a community of practice around ERM focused at the field level (e.g., ProgramNet or Huddle).

Issue 7: Lack of risk profile feedback post submission

The absence of risk profile feedback between Regional Bureaus and Missions, and between B/IOs and the RMC led to staff frustration during the risk profile development process and hampered learning around enterprise risk management overall. This compromises the Agency’s ability to institutionalize ERM going forward.

Recommendation 7.1: Expand RML responsibilities outlined in ADS 596mab and a new ERM ADS chapter (see recommendation 6.1) to include provision of feedback and suggestions to Missions that facilitate learning related to the risk profile development process and alignment with Agency expectations.

Recommendation 7.2: Improve communication surrounding the risk profile development process by instituting a feedback loop that facilitates acknowledgement of Mission and Bureau level risks and identifies how they contribute to the Agency level Risk Profile.

Issue 8: Lack of clear, cross-Agency consensus on the purpose and desired outcomes of ERM

Without a clear articulation of the vision for ERM purpose and desired outcomes, it is difficult for AUs to understand ERM’s value or how it strengthens Agency operations.

Recommendation 8.1: In the new ADS chapter created as part of recommendation 6.1, articulate clearly the Agency’s vision for risk management at the corporate and individual AU levels and its value in strengthening Agency operations.

Conclusion

USAID instituted ERM and the risk profile development process to meet the OMB requirement in Circular A-123 and to create a culture of holistic risk management Agency-wide. While the Agency achieved the objective of meeting the OMB requirement, the culture of operationalizing risk management did not fully materialize. The recommendations contained in this report are designed to further the goal of institutionalization by strengthening the ERM policy, improving the efficiency of the risk profile submission process to ease staff burden, and promoting Agency learning in the identification and management of risks that may impede the successful implementation of Agency programs that support our partners’ journeys to self-reliance.

Appendix A: Governance Structure for ERM and Internal Control Systems

Appendix B: List of Focus Group Participants

Participants B/IO

Aaron Bishop USAID/India

Abigail Awadey-Dunyo USAID/West Africa

Alberto Nhampossa USAID/Mozambique

Allan Grines HCTM

Bret Campbell USAID/Guatemala

Carissa Page PPL

Catherine Hayford USAID/West Africa

Cheryl Klein OCRD

Chris Hynak USAID/Madagascar

Christopher Akugre USAID/West Africa

David Young USAID/Egypt

Deo Dushimumukiza USAID/Rwanda

Eddy Lebelon USAID/Haiti

Elena Iskandarova ME

Elena Tretelnikova USAID/Iraq

Francis Mwapasa USAID/Malawi

Gagik Melkumyan USAID/Caucasus

George Appiah USAID/West Africa

George Shoufani USAID/WBG

Godwin Gampson USAID/West Africa

Ibrahim Baroudy USAID/Lebanon

Irene Nordjo USAID/West Africa

Jamshed Zuberi USAID/Egypt

Jennifer Caceros USAID/Guatemala

Jerry Fevrin USAID/Haiti

John Sahn USAID/Rwanda

Joshua Albert M/AA

Kathy Body M/CFO

Kevin Fitzpatrick USAID/MERP

Lisa Whitley PPL

Liz Palmer USAID/MERP

Lourenco Manghanela USAID/Mozambique

Luis Revera M/OAA

Lydia Nylander M/CFO

Margaret Strong M/MPBP

Marina Marzook USAID/Iraq

Maria Cruz M/CFO

Mariam Khalyat USAID/Morocco

Mark Johnson M/CIO

Matt Cohen GC

Meer Susey M/CFO

Megan Powell M/CFO

Michael Ganter AFR

Ngoc Clark ME

Nuno Pale USAID/Mozambique

Oleksandra Price USAID/MERP

Pamela Appeadu-Mensah USAID/West Africa

Paul Markovs AFR

Richard Opoku-Sarkodie USAID/West Africa

Robin Sharma USAID/Mozambique

Samuel Jack GC

Sarah Muwanga USAID/West Africa

Terry Youngblood USAID/Malawi

Appendix C: Receipt Rate of Mission Risk Profiles

In total, 66/75 Missions submitted Risk Profiles to RMLs in their respective Regional Bureaus. The summary is as follows:

● Africa Region - Received 100% (28/28) risk profiles
● Middle East Region - Received 100% (11/11) risk profiles
● OAPA - Received 100% (2/2) risk profiles
● Latin America and Caribbean Region - Received 100% (10/10) risk profiles
● Europe & Eurasia Region - Received 72% (8/11) risk profiles
● Asia Region - Received 53% (7/13) risk profiles