NIH POLICY MANUAL 1750 – NIH Risk Management Program Release Date: 08/14/14

NIH POLICY MANUAL
Chapter 1750 – NIH Risk Management Program
NIH POLICY MANUAL
1750 – NIH Risk Management Program
Issuing Office: OD/OM/Office of Management Assessment 301-496-1873
Release Date: 08/14/14
1. Explanation of Material Transmitted: This chapter outlines responsibilities for
complying with the NIH Risk Management Program. This revision simplifies the NIH
Risk Management Methodology enabling IC/OD Offices to focus on the risks that
have the greatest potential to affect their ability to achieve their individual missions,
objectives, and goals. This revision also eliminates the use of “Assessable Unit” as a
previously defined term.
2. Filing Instructions:
Remove: NIH Manual Chapter 1750, dated 04/25/12.
Insert: NIH Manual Chapter 1750, dated 08/14/14.
PLEASE NOTE: For information on:
Contents of this chapter, contact the issuing office listed above, or enter this URL:
http://oma.nih.gov/RMAL/NIHRM/default/default.aspx (NIH Access Only).
NIH Manual System, contact the Division of Management Support (DMS), OMA at
(301) 496-4606, or enter this URL:
http://oma.od.nih.gov/public/MS/manualchapters/Pages/default.aspx
A. Purpose:
This chapter outlines responsibilities for complying with the NIH Risk Management Program
(RM Program). NIH designed the RM Program to help identify and manage risks,
processes, and controls that may negatively affect NIH’s ability to achieve its mission,
objectives and strategic goals. The RM Program provides a framework for improving
programs and operations within the agency’s extramural, intramural, and administrative
components.
B. Authority:
Page 1 of 8
The Federal Managers’ Financial Integrity Act (FMFIA) and OMB Circular A-123 require
every Federal agency to conduct an annual evaluation of its systems of internal control and
to submit an annual report to the President and the Congress on the results of that
evaluation and on the adequacy of those systems. OMB Circular A-123 directs agencies to
use systematic and proactive measures to:
1. develop and implement appropriate, cost-effective management controls for results-oriented management,
2. assess the adequacy of internal controls in programs and operations,
3. identify needed improvements, and
4. take corresponding corrective action.
C. References:
1. Federal Managers’ Financial Integrity Act of 1982 at
http://www.whitehouse.gov/omb/financial_fmfia1982/
2. OMB Circular A-123, Management’s Responsibility for Internal Control (revised),
December 21, 2004 at http://www.whitehouse.gov/omb/circulars_a123_rev
3. Government Performance and Results Act of 1993 at
http://www.whitehouse.gov/omb/mgmt-gpra/gplaw2m and Government Performance
and Results Modernization Act of 2010 at
http://www.whitehouse.gov/omb/performance/gprm-act
4. GAO Standards for Internal Control in the Federal Government, dated November 1,
1999 at http://www.gao.gov/special.pubs/ai00021p.pdf
5. HHS Guidance Manual for OMB Circular A-123 Assessment at
https://oma.nih.gov/RMAL/NIHRM/default/Shared%20Documents/2014%20HHS%20A-123%20Guidance.pdf (NIH Access Only)
D. Background:
Risk management is a continuous process performed by members of an organization,
designed to proactively identify and mitigate risks to help promote the achievement of the
organization's objectives, strategy, and mission. Risk management activities involve
identifying, assessing, managing, monitoring and reporting on risks and associated
controls. These activities form a continuous cycle that is embedded in all of the
organization’s practices and business processes.
E. Roles and Responsibilities:
The RM Program divides NIH into 39 units for purposes of identifying and reporting on risks.
Each Institute and Center (IC) is a separate unit. The Office of the Director (OD Office)
divides into 12 units. This policy refers to the units collectively as IC/OD Office(s). A list of
designated units (NIH Access Only) is available on the OMA website.
The NIH Risk Management Guidebook (Guidebook) (NIH Access Only) includes a list of
leading practices, summarizes the roles and primary responsibilities of each stakeholder,
describes the 6-phase Risk Management Methodology, and outlines the NIH’s overall risk
management governance structure.
1. NIH Director – The NIH Director is the Agency Risk Owner and takes ultimate
ownership of the full set of risks facing NIH. The NIH Director sponsors the RM
Program and provides the NIH Final FMFIA Statement of Assurance to the
Department of Health and Human Services.
2. Risk Owners – IC Directors and designated OD Office Directors serve as the Risk
Owners for their IC/OD Office. The Risk Owner owns all risks within his or her IC/OD
Office, ensures that the RM Program is implemented within his or her organization,
and submits a signed annual FMFIA Statement of Assurance to the NIH Director.
3. Deputy Director for Management – The Deputy Director for Management serves as
the NIH Chief Financial Officer and is responsible for managing the RM Program,
overseeing NIH’s FMFIA reporting, and ensuring that reasonable and adequate
controls are in place to protect NIH resources from fraud, waste, abuse and
mismanagement.
4. Risk Management Officers – Each IC/OD Office has a Risk Management Officer to
oversee risk management program activities within their organization. Executive
Officers typically fill this role, as do certain designated OD Office Directors. The Risk
Management Officer serves as the primary point of contact regarding RM Program
activities.
5. Risk Managers – Risk Managers play a critical role in identifying and managing risk
within their functional areas. Risk Managers also seek to ensure compliance with
applicable laws, regulations and policies.
6. Risk Management Champions – A Risk Management Champion (RMCh) is an
individual responsible for facilitating activities that support the RM Program. In
general, the individual assigned the role of Risk Management Champion should have
a thorough knowledge and familiarity of the IC/OD Office’s mission, challenges, and
personnel.
7. Office of Management Assessment (OMA) – The NIH OMA is responsible for
facilitating RM Program activities at the NIH level and providing risk management
expertise and RM Program guidance to the IC/OD Offices.
8. NIH Employees – Employees are responsible for executing controls in compliance
with laws, regulations, policies, and procedures. Employees are responsible for
demonstrating awareness of the RM Program and elevating risk issues to
management.
F. Policy:
All employees are responsible for risk management. The NIH Director, IC/OD Office
Directors, Risk Management Officers, Risk Management Champions, and Risk Managers
are required to carry out responsibilities for implementing and maintaining risk
management programs and reinforcing a culture of risk management and accountability.
Effective risk management cannot be performed in isolation; therefore, NIH employs a
holistic approach that integrates risk management into NIH’s overall governance
structure. The NIH Risk Management Guidebook (NIH Access Only) outlines the NIH RM
Program Methodology as well as the roles, responsibilities and processes associated with
each required activity outlined below.
1. Execute all phases of NIH’s Risk Management Methodology:
a. Phase #1 - Strategize:
i. IC/OD Offices will review their respective mission-related strategic plan(s)
and understand the associated goals and objectives, and
ii. IC/OD Offices will consider the parameters of operating constraints when
planning their risk management activities.
b. Phase #2 - Identify and Score:
i. IC/OD Offices will identify and score risks that have the potential to impact
the achievement of the IC/OD Office’s mission, and
ii. IC/OD Offices will enter risks into the NIH central risk management data
repository and will designate risks as significant when applicable.
c. Phase #3 - Assess:
i. IC/OD Offices will participate in and support risk assessments conducted
by OMA,
ii. IC/OD Offices will conduct assessments to adequately manage their
significant risks, and
iii. IC/OD Offices will notify OMA immediately upon determination of a
potential material weakness as defined within the OMB Circular A-123.
OMA will then notify the Chief Financial Officer of the potential material
weakness.
d. Phase #4 - Manage:
i. IC/OD Offices will develop and document appropriate risk responses
including action plans, as needed, for their significant risks.
e. Phase #5 - Monitor:
i. IC/OD Offices will routinely monitor their risk environment, identify and
score new risks, review existing risks for continued applicability, and
rescore risks based on current circumstances,
ii. IC/OD Offices will monitor the status of risk responses, and
iii. IC/OD Offices will monitor the effectiveness of internal controls as a normal
course of business. Reviews, reconciliations or comparisons of data
should be included as part of the regular assigned duties of personnel. In
addition, IC/OD Offices should integrate periodic assessments as part of
management’s continuous monitoring of internal controls.
f. Phase #6 - Report:
i. IC/OD Offices will provide OMA with a supporting annual FMFIA Statement
of Assurance (See Section G. FMFIA),
ii. IC/OD Offices will provide OMA with an annual risk inventory update that
summarizes the reassessment of their risk inventories in the NIH central
risk management data repository. Authorized users can access the
system at
http://nbsgrcmprod.nih.gov:22080/oraclegrcmanager/nav/frame.aspx, and
iii. IC/OD Offices designated as owners of individual action steps within an
NIH-level action plan will provide OMA with periodic status updates on
their outstanding actions.
2. Use risk management data and information for decision-making:
a. IC/OD Offices will use risk management data and information as an integral part
of the decision-making process at all levels within NIH, and
b. IC/OD Offices will maintain documentation that supports the rationale for
management decisions involving risks that have the potential to significantly
impact the achievement of the IC/OD Office’s mission.
3. IC/OD Offices will ensure that employees who are responsible for risk management
activities are trained.
G. FMFIA:
NIH management is responsible for establishing and maintaining effective internal control
and financial management systems that meet the objectives of the FMFIA and OMB
Circular A-123. These objectives are to ensure
1) effective and efficient operations, 2) compliance with applicable laws and regulations, and 3) reliable financial reporting.
OMB Circular A-123 requires NIH to evaluate its internal controls and financial management
systems annually. As such, IC/OD Offices must provide annual assurance to the NIH
Director on the state of their internal controls.
IC/OD Offices will:
1. provide OMA with an annual Statement of Assurance signed by the IC/OD Office
Director and enter supporting data on risk management activities for the current fiscal
year into the NIH central risk management data repository,
2. maintain documentation supporting their annual Statement of Assurance,
3. conduct internal control reviews within their organization to ensure internal controls
are operating effectively and efficiently, and
4. provide information and documentation to support the Office of Financial Management
efforts to review internal controls over financial reporting.
H. Special Studies and Reviews:
Periodically, the NIH Director, Principal Deputy Director or Congress directs OMA to
perform internal control or management reviews of NIH Institutes and Centers. In these
instances, OMA will:
1. perform ad-hoc internal control or management reviews,
2. provide a copy of the Draft Internal Control or Management Review Report to the
subject of the review for comment on findings and recommendations, and
3. disseminate a Final Internal Control or Management Review Report to the NIH
Director and Principal Deputy Director upon finalizing the review.
I. Definitions:
Control: A control is a policy, procedure or mechanism to prevent or reduce the likelihood
of a risk occurring, or an activity to reduce the impact of a risk should it occur.
Risk Inventory: A risk inventory is a portfolio of risks that serves as a reference for further
risk management activities.
Risk: A risk is the possibility that an event or condition may occur that would negatively
impact an organization.
Risk Response: A risk response designates an organization’s approach to addressing
identified risks.
J. Records Retention and Disposal:
All records (e-mail and non-e-mail) pertaining to this chapter must be retained and disposed
of under the authority of NIH Manual 1743, Keeping and Destroying Records, Appendix 1,
NIH Records Control Schedule, Section 1700, Item 1700-A-12 "Management Control
Records" (a – f). Refer to the NIH Chapter for specific disposition instructions at
http://oma1.od.nih.gov/manualchapters/management/1743/
NIH e-mail messages, including attachments that are created on NIH computer systems or
transmitted over NIH networks that are evidence of the activities of the agency or have
informational value are considered Federal records. These records must be maintained in
accordance with current NIH Records Management guidelines.
All e-mail messages are considered Government property, and, if requested for a legitimate
Government purpose, must be provided to the requester. Employees’ supervisors, NIH
staff conducting official reviews or investigations, and the Office of Inspector General may
request access to or copies of the e-mail messages. All e-mail messages must also be
provided to Congressional oversight committees if requested and are subject to Freedom
of Information Act requests. Back-up files are subject to the same requests as the original
messages.
K. Internal Controls:
The purpose of this manual issuance is to outline responsibilities for complying with the NIH
Risk Management Program.
1. The Office Responsible for Reviewing Internal Controls Relative to this Chapter:
Office of Management Assessment, NIH.
2. Frequency of Review: Ongoing review.
3. Method of Review: An overall agency-wide evaluation of compliance with this policy,
including conducting periodic reviews of IC/OD Office risk management activities.
4. Review Reports: OMA will send reports to the affected IC/OD Directors, Risk
Management Officers, and the Deputy Director for Management.