UNCLASSIFIED (U)

2 FAM 030

RISK MANAGEMENT

(CT:GEN-540; 02-26-2019)
(Office of Origin: M/PRI)

2 FAM 031 DEPARTMENT RISK MANAGEMENT POLICY

(CT:GEN-540; 02-26-2019)

a. Advancement of U.S. foreign policy objectives inherently involves diverse types of risk, and the Department recognizes that taking considered risks is essential to creating value for our stakeholders.  It is the Department's policy that employees and leaders engage in risk management for the decisions and activities within the scope of their duties.  All employees of the Department are expected to identify, evaluate, integrate and mitigate any substantial risks to their objectives.  Department leaders, including Chiefs of Mission, should require the best possible assessment of risk, identification of mitigation measures, and evaluation of any remaining residual risk before making decisions.  Decisions should include a judgment on whether the benefits of a proposed activity or course of action outweigh the residual risk.

b. Effective risk management is part of an institutional framework that protects people, property, resources, information and interests, and is a key component of leadership.  It is incumbent upon each employee of the Department to evaluate, acknowledge, integrate and mitigate the substantial risks of any enterprise in which they are engaged.  Although it is not possible to eliminate all risk, proactive risk mitigation begins with a rigorous identification of the assumptions about risks and benefits, stated or unstated, associated with an activity, followed by an assessment of those assumptions.  A good assessment considers the number and quality of the information sources underpinning each assumption, e.g. by questioning assumptions that rest on anecdotes.  Where that assessment shows the remaining risk to be above an acceptable level, additional actions may be necessary to mitigate it.  This theory of risk applies to any activity, e.g. an international negotiation, determining staffing at a high threat post, or designing a building.

c. Department leaders, especially Chiefs of Mission and Deputy Chiefs of Mission, have a vital role in risk management, and it is expected that they will engage in their own risk management activities and mentor others on how best to do it.  They must create a climate that encourages open discussion of assumptions, including their reliability, and be willing to accept alternative viewpoints.  Department leaders ensure that risk management is a continuous process that is adjusted as conditions change and incorporated into decision-making in a systematic, appropriate, timely and transparent manner, taking into account uncertainty and the impact on our capabilities to protect people, property, information and other assets.  These activities should be collaborative among relevant stakeholders, including various levels within and outside the organization as appropriate to the situation.  Chiefs of Mission should be cognizant of the risk inherent in the activities of all agencies under their authority and, as appropriate, of the corresponding mitigation efforts.

d. A key tenet of leadership at the Department is to guide teams to the best possible assessment of risk, implementation of mitigation measures, and evaluation of the residual risk that remains.  The Department expects leaders to judge whether the benefits of an activity outweigh the residual risk and to act accordingly.  It is the Department's responsibility to establish the training, tools and processes necessary for its employees to manage the risk inherent in their positions.

e. Some types of risk (and examples of mitigation structures) are:

(1) Security (High Risk Post Review Board, Emergency Action Plan);

(2) Safety and Health (OSHA requirements, earthquake preparedness, fire safety);

(3) Medical (malarial prophylaxis protocol, Medical Clearance Preview Tool);

(4) Environmental (air quality monitoring, drinking water treatment);

(5) Financial (management controls, audits, grant and contract procurement requirements);

(6) Information Assurance (cybersecurity training, PKI cards);

(7) Policy (clearance process);

(8) Reputational (supervisory controls, clearance process, human rights vetting, consular vetting for visitor programs);

(9) Program effectiveness (planning and formal approvals, program design information, performance management, monitoring and evaluation); and

(10) Terrorism financing (vetting, OFAC licenses).

f. In some areas, statutory or other formal requirements for risk management exist and must be part of a position's responsibilities.  These include, but are not limited to:

(1) The Federal Information Security Modernization Act (FISMA) (see 5 FAH-11);

(2) The Federal Managers' Financial Integrity Act (FMFIA) (see 2 FAM 020);

(3) Critical environment contracting requirements under the National Defense Authorization Act (NDAA) for Fiscal Year 2013, Section 846 (see 14 FAM 241); and

(4) The Negroponte Guidance on Terrorism and Assistance Programs.
