1. No category

NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
NIH POLICY MANUAL
1750 – NIH Risk Management Program
Issuing Office: OD/OM/Office of Management Assessment 301-496-1873
Release Date: 08/14/14
1. Explanation of Material Transmitted: This chapter outlines responsibilities for
complying with the NIH Risk Management Program. This revision simplifies the NIH
Risk Management Methodology enabling IC/OD Offices to focus on the risks that
have the greatest potential to affect their ability to achieve their individual missions,
objectives, and goals. This revision also eliminates the use of “Assessable Unit” as a
previously defined term.
2. Filing Instructions:
Remove: NIH Manual Chapter 1750, dated 04/25/12.
Insert: NIH Manual Chapter 1750, dated 08/14/14.
PLEASE NOTE: For information on:
Contents of this chapter, contact the issuing office listed above, or enter this URL:
http://oma.nih.gov/RMAL/NIHRM/default/default.aspx (NIH Access Only).
NIH Manual System, contact the Division of Management Support (DMS), OMA at
(301) 496-4606, or enter this URL:
http://oma.od.nih.gov/public/MS/manualchapters/Pages/default.aspx
A. Purpose:
This chapter outlines responsibilities for complying with the NIH Risk Management Program
(RM Program). NIH designed the RM Program to help identify and manage risks,
processes, and controls that may negatively affect NIH’s ability to achieve its mission,
objectives and strategic goals. The RM Program provides a framework for improving
programs and operations within the agency’s extramural, intramural, and administrative
components.
B. Authority:
Page 1 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
The Federal Manager’s Financial Integrity Act (FMFIA) and OMB Circular A-123 require
every Federal agency to conduct an annual evaluation of its systems of internal control and
to submit an annual report to the President and the Congress on the results of that
evaluation and on the adequacy of those systems. OMB Circular A-123 directs agencies to
use systematic and proactive measures to:
1. develop and implement appropriate, cost effective management controls for resultsoriented management,
2. assess the adequacy of internal controls in programs and operations,
3. identify needed improvements, and
4. take corresponding corrective action.
C. References:
1. Federal Manager’s Financial Integrity Act of 1982 at
http://www.whitehouse.gov/omb/financial_fmfia1982/
2. OMB Circular A-123, Management’s Responsibility for Internal Control (revised),
December 21, 2004 at http://www.whitehouse.gov/omb/circulars_a123_rev
3. Government Performance and Results Act of 1993 at
http://www.whitehouse.gov/omb/mgmt-gpra/gplaw2m and Government Performance
and Results Modernization Act of 2010 at
http://www.whitehouse.gov/omb/performance/gprm-act
4. GAO Standards for Internal Control in the Federal Government, dated November 1,
1999 at http://www.gao.gov/special.pubs/ai00021p.pdf
5. HHS Guidance Manual for OMB Circular A-123 Assessment at
https://oma.nih.gov/RMAL/NIHRM/default/Shared%20Documents/2014%20HHS%
20A-123%20Guidance.pdf (NIH Access Only)
D. Background:
Risk management is a continuous process performed by members of an organization,
designed to proactively identify and mitigate risks to help promote the achievement of the
organization's objectives, strategy, and mission. Risk management activities involve
identifying, assessing, managing, monitoring and reporting on risks and associated
controls. These activities form a continuous cycle that is embedded in all of the
organization’s practices and business processes.
Page 2 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
E. Roles and Responsibilities:
The RM Program divides NIH into 39 units for purposes of identifying and reporting on risks.
Each Institute and Center (IC) is a separate unit. The Office of the Director (OD Office)
divides into 12 units. This policy refers to the units collectively as IC/OD Office(s). A list of
designated units (NIH Access Only) is available on the OMA website.
The NIH Risk Management Guidebook (Guidebook) (NIH Access Only) includes a list of
leading practices, summarizes the roles and primary responsibilities of each stakeholder,
describes the 6-phase Risk Management Methodology, and outlines the NIH’s overall risk
management governance structure.
1. NIH Director – The NIH Director is the Agency Risk Owner and takes ultimate
ownership of the full set of risks facing NIH. The NIH Director sponsors the RM
Program and provides the NIH Final FMFIA Statement of Assurance to the
Department of Health and Human Services.
2. Risk Owners – IC Directors and designated OD Office Directors serve as the Risk
Owners for their IC/OD Office. The Risk Owner owns all risks within his or her IC/OD
Office, ensures that the RM Program is implemented within his or her organization,
and submits a signed annual FMFIA Statement of Assurance to the NIH Director.
3. Deputy Director for Management – The Deputy Director for Management serves as
the NIH Chief Financial Officer and is responsible for managing the RM Program,
overseeing NIH’s FMFIA reporting, and ensuring that reasonable and adequate
controls are in place to protect NIH resources from fraud, waste, abuse and
mismanagement.
4. Risk Management Officers – Each IC/OD Office has a Risk Management Officer to
oversee risk management program activities within their organization. Executive
Officers typically fill this role, as do certain designated OD Office Directors. The Risk
Management Officer serves as the primary point of contact regarding RM Program
activities.
5. Risk Managers – Risk Managers play a critical role in identifying and managing risk
within their functional areas. Risk Managers also seek to ensure compliance with
applicable laws, regulations and policies.
6. Risk Management Champions – A Risk Management Champion (RMCh) is an
individual responsible for facilitating activities that support the RM Program. In
general, the individual assigned the role of Risk Management Champion should have
a thorough knowledge and familiarity of the IC/OD Office’s mission, challenges, and
Page 3 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
personnel.
7. Office of Management Assessment (OMA) – The NIH OMA is responsible for
facilitating RM Program activities at the NIH level and providing risk management
expertise and RM Program guidance to the IC/OD Offices.
8. NIH Employees – Employees are responsible for executing controls in compliance
with laws, regulations, policies, and procedures. Employees are responsible for
demonstrating awareness of the RM Program and elevating risk issues to
management.
F. Policy:
All employees are responsible for risk management. The NIH Director, IC/OD Office
Directors, Risk Management Officers, Risk Management Champions, and Risk Managers,
are required to carry out responsibilities for implementing and maintaining risk
management programs and reinforcing a culture of risk management and accountability.
Effective risk management cannot be performed in isolation therefore, NIH employs a
holistic approach whereby it integrates risk management into NIH’s overall governance
structure. The NIH Risk Management Guidebook (NIH Access Only) outlines the NIH RM
Program Methodology as well as the roles, responsibilities and processes associated with
each required activity outlined below.
1. Execute all phases of NIH’s Risk Management Methodology:
a. Phase #1 - Strategize:
i. IC/OD Offices will review their respective mission-related strategic plan(s)
and understand the associated goals and objectives, and
ii. IC/OD Offices will consider the parameters of operating constraints when
planning their risk management activities.
b. Phase #2 - Identify and Score:
i. IC/OD Offices will identify and score risks that have the potential to impact
the achievement of the IC/OD Office’s mission, and
ii. IC/OD Offices will enter risks into the NIH central risk management data
repository and will designate risks as significant when applicable.
c. Phase #3 - Assess:
i. IC/OD Offices will participate in and support risk assessments conducted
by OMA,
Page 4 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
ii. IC/OD Offices will conduct assessments to adequately manage their
significant risks, and
iii. IC/OD Offices will notify OMA immediately upon determination of a
potential material weakness as defined within the OMB Circular A-123.
OMA will then notify the Chief Financial Officer of the potential material
weakness.
d. Phase #4 - Manage:
i. IC/OD Offices will develop and document appropriate risk responses
including action plans, as needed, for their significant risks.
e. Phase #5 - Monitor:
i. IC/OD Offices will routinely monitor their risk environment, identify and
score new risks, review existing risks for continued applicability, and
rescore risks based on current circumstances,
ii. IC/OD Offices will monitor the status of risk responses, and
iii. IC/OD Offices will monitor the effectiveness of internal controls as a normal
course of business. Reviews, reconciliations or comparisons of data
should be included as part of the regular assigned duties of personnel. In
addition, IC/OD Offices should integrate periodic assessments as part of
management’s continuous monitoring of internal controls.
f. Phase #6 - Report:
i. IC/OD Offices will provide OMA with a supporting annual FMFIA Statement
of Assurance (See Section G. FMFIA),
ii. IC/OD Offices will provide OMA with an annual risk inventory update that
summarizes the reassessment of their risk inventories in the NIH central
risk management data repository. Authorized users can access the
system at
http://nbsgrcmprod.nih.gov:22080/oraclegrcmanager/nav/frame.aspx, and
iii. IC/OD Offices designated as owners of individual action steps within an
NIH-level action plan will provide OMA with periodic status updates on
their outstanding actions.
2. Use risk management data and information for decision-making:
a. IC/OD Offices will use risk management data and information as an integral part
of the decision-making process at all levels within NIH, and
Page 5 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
b. IC/OD Offices will maintain documentation that supports the rationale for
management decisions involving risks that have the potential to significantly
impact the achievement of the IC/OD Office’s mission.
3. IC/OD Offices will ensure that employees who are responsible for risk management
activities are trained.
G. FMFIA:
NIH management is responsible for establishing and maintaining effective internal control
and financial management systems that meet the objectives of the FMFIA and OMB
Circular A-123. These objectives are to ensure
1) effective and efficient operations, 2) compliance with applicable laws and regulations, and 3) reliable financial reporting.
OMB Circular A-123 requires NIH to evaluate its internal controls and financial management
systems annually. As such, IC/OD Offices must provide annual assurance to the NIH
Director on the state of their internal controls.
IC/OD Offices will:
1. provide OMA with an annual Statement of Assurance signed by the IC/OD Office
Director and enter supporting data on risk management activities for the current fiscal
year into the NIH central risk management data repository,
2. maintain documentation supporting their annual Statement of Assurance,
3. conduct internal control reviews within their organization to ensure internal controls
are operating effectively and efficiently, and
4. provide information and documentation to support the Office of Financial Management
efforts to review internal controls over financial reporting.
H. Special Studies and Reviews:
Periodically, the NIH Director, Principal Deputy Director or Congress directs OMA to
perform internal control or management reviews of NIH Institutes and Centers. In these
instances, OMA will:
1. perform ad-hoc internal control or management reviews,
2. provide a copy of the Draft Internal Control or Management Review Report to the
Page 6 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
subject of the review for comment on findings and recommendations, and
3. disseminate a Final Internal Control or Management Review Report to the NIH
Director and Principal Deputy Director upon finalizing the review.
I. Definitions:
Control: A control is a policy, procedure or mechanism to prevent or reduce the likelihood
of a risk occurring, or an activity to reduce the impact of a risk should it occur.
Risk Inventory: A risk inventory is a portfolio of risks that serves as a reference for further
risk management activities.
Risk: A risk is the possibility that an event or condition may occur that would negatively
impact an organization.
Risk Response: A risk response designates an organization’s approach to addressing
identified risks.
J. Records Retention and Disposal:
All records (e-mail and non-e-mail) pertaining to this chapter must be retained and disposed
of under the authority of NIH Manual 1743, Keeping and Destroying Records, Appendix 1,
NIH Records Control Schedule, Section 1700, Item 1700-A-12 "Management Control
Records" (a – f). Refer to the NIH Chapter for specific disposition instructions at
http://oma1.od.nih.gov/manualchapters/management/1743/
NIH e-mail messages, including attachments that are created on NIH computer systems or
transmitted over NIH networks that are evidence of the activities of the agency or have
informational value are considered Federal records. These records must be maintained in
accordance with current NIH Records Management guidelines.
All e-mail messages are considered Government property, and, if requested for a legitimate
Government purpose, must be provided to the requester. Employees’ supervisors, NIH
staff conducting official reviews or investigations, and the Office of Inspector General may
request access to or copies of the e-mail messages. All e-mail messages must also be
provided to Congressional oversight committees if requested and are subject to Freedom
of Information Act requests. Back-up files are subject to the same requests as the original
messages.
K. Internal Controls:
The purpose of this manual issuance is to outline responsibilities for complying with the NIH
Page 7 of 8
NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
Risk Management Program.
1. The Office Responsible for Reviewing Internal Controls Relative to this Chapter:
Office of Management Assessment, NIH.
2. Frequency of Review: Ongoing review.
3. Method of Review: An overall agency-wide evaluation of compliance with this policy,
including conducting periodic reviews of IC/OD Office risk management activities.
4. Review Reports: OMA will send reports to the affected IC/OD Directors, Risk
Management Officers, and the Deputy Director for Management.
Manual Chapters Main Menu
Browse
Search
Back to OMA Home Page
NIH
Page 8 of 8