2 FAM 030
ENTERPRISE RISK MANAGEMENT
(Office of Origin: M/SS)
2 FAM 031 DEPARTMENT RISK MANAGEMENT POLICY
a. Advancement of U.S. foreign policy objectives inherently involves diverse types of risk, and the Department recognizes that taking considered risks can be essential to creating value for our stakeholders. It is the Department’s policy that employees and leaders engage in risk management for the decisions and activities within the scope of their duties. All employees of the Department are expected to identify, evaluate, and mitigate any substantial risks to their objectives or to the enterprise in which they are engaged. Department leaders, including Chiefs of Mission, should require the best possible assessment of risk, identification of mitigation measures, and evaluations of any remaining residual risk before making decisions. Decisions should include judgments on whether the benefits of a proposed activity or course of action outweigh the residual risks.
b. Effective risk management is part of an institutional framework that protects people, property, resources, information and interests, and is a key component of leadership. Although it is not possible to eliminate all risk, proactive risk mitigation begins with a rigorous identification of assumptions about risks and benefits, associated with an activity, and an assessment of those assumptions and the impact of cognitive biases such as group think, confirmation bias, narrow framing, and self-serving bias. A good assessment includes a consideration of the number and quality of information sources underpinning the assumption, e.g., questioning assumptions based on anecdotes. Consequently, additional actions may be necessary to mitigate the risk to an acceptable level. This theory of risk applies to any activity, e.g., an international negotiation, determining staffing at a high threat post, or designing a building.
c. All Department leaders have a vital role in risk management, and it is expected that they will engage in both their own risk management activities and in mentoring others on how best to do it. They must create a climate that encourages open discussion of assumptions, including reliability, and be willing to accept alternative viewpoints. Department leaders ensure risk management is a continuous process that is adjusted as conditions change, and incorporated into planning and decision-making in a systematic, appropriate, timely and transparent manner by taking into account uncertainty and the impact on our capabilities to protect people, property, information and other assets. These activities should be collaborative among relevant stakeholders, including various levels within and outside of the organization as appropriate to the situation.
d. A key tenet of leadership at the Department is to lead teams to the best possible assessment of risk, implementation of mitigation measures, and an evaluation of the residual risk that still remains, through sound planning and management. The Department expects leaders to judge whether the benefits of an activity outweigh the residual risk potential and to act accordingly.
2 FAM 032 Enterprise Risk Management Framework
2 FAM 032.1 Purpose
The Enterprise Risk Management framework defines key actors, roles and responsibilities, and governance mechanisms related to Department of State Enterprise Risk Management. This framework is intended to serve as a guiding document and reference tool.
2 FAM 032.2 Scope
a. The Enterprise Risk Management framework serves as a primer for how the Department approaches enterprise risk management and implements associated programs. Enterprise Risk Management, in the context of the Department of State, refers to an overarching governance structure that sets the tone and direction for risk management policies, communications, and training throughout the organization. See 2 FAM Exhibit 032.2.
b. In general, Department bureaus already have risk management built into existing procedures and manage different types of risk in a variety of ways. Some types of risk and examples of mitigation structures include, but are not limited to:
· Foreign policy (e.g., clearance process)
· Program effectiveness (e.g., planning and formal approvals, program design information, performance management, monitoring and evaluation)
· Security (e.g., SCORE, OSPB and ISC standards, Security Directives, Emergency Action Plans, SECCA waivers and/or OSPB exceptions)
· Safety and Health (e.g., OSHA requirements, earthquake preparedness, fire safety)
· Medical (e.g., medical clearances, post medical capabilities)
· Environmental (e.g., air quality monitoring)
· Financial (e.g., management controls, audits, grant and contract procurement requirements)
· Information Security (e.g., cybersecurity measures, PKI Cards)
· Reputational (e.g., supervisory controls, clearance process, human rights vetting, visitor program sponsor and participant vetting)
· Border Security (e.g., consular vetting of passport and visa applicants; investigation of passport and visa fraud; secure design and issuance of travel documents)
· Terrorism financing (e.g., vetting, OFAC licenses)
· Personnel security (e.g., background investigations and pass through review process for certain countries)
· Training (e.g., HTSOS, FACT, IT courses, Management Assurance, etc.)
2 FAM 032.3 Enterprise Risk Governance Mechanisms
a. Office of Management and Budget Circular A-123
In 2016, the Office of Management and Budget (OMB) released an update to Circular A-123, which directed federal agencies to implement an Enterprise Risk Management capability coordinated with the strategic planning and strategic review process established by the Government Performance Results Modernization Act (GPRAMA) of 2010, P.L. 111-352, and the internal control process required by the Federal Managers Financial Integrity Act (FMFIA) and Government Accountability Office (GAO)'s Green Book. This integrated governance structure improves mission delivery, reduces costs, and focuses corrective actions towards key risks. Implementation of this policy engages all agency management. In particular, it requires leadership from the agency Chief Operating Officer and Performance Improvement Officer, and close collaboration across all agency mission and mission-support functions. In Circular A-123, OMB gave latitude to agencies to design their own governance structures and emphasizes the importance of having appropriate risk management processes and systems in place to identify challenges early, to bring them to the attention of State Department leadership, and to develop solutions. 2 FAM 030 serves as the Department’s enterprise risk management policies and procedures in response to Circular A-123.
b. Department policies: 2 FAM 030
The Department’s overarching risk management policies and principles are laid out in 2 FAM 030.
c. Enterprise Governance Board (EGB)
The EGB, which is chaired by the Deputy Secretary and Under Secretary for Management, is a forum for Under Secretaries and other senior leaders to discuss strategic issues and provide input into enterprise-level decisions on a regular basis. The EGB serves as the Department's Enterprise Risk Management Council and reviews the Department’s enterprise risk posture on at least an annual basis at a meeting of the EGB. The EGB approves and reaffirms significant changes to the Department’s risk management policies and procedures found in 2 FAM 030. The EGB also works with the Secretary to set the risk tolerance level and communicate it clearly to staff. In general, the EGB does not make day-to-day decisions regarding risk. Instead, the EGB sets the stage for risk management at all levels of the organization. Bureaus, posts, offices, and working groups are encouraged to use their existing reporting chains (such as the Emergency Action Committee) and relationships to seek decisions regarding risk.
2 FAM 032.4 Department Risk Principles
a. Be risk aware, but not risk averse.
· Advancement of U.S. foreign policy objectives inherently involves diverse types of risk, and the Department recognizes that taking considered risks can be essential to creating value for the American people and our stakeholders.
b. Decide at the appropriate level.
· The Secretary sets the risk appetite and risk tolerance levels and communicates them to staff.
· Department leadership must, within their areas of responsibility, set guidelines for risk tolerance and communicate it clearly to staff.
· Staff should make management aware when risk cannot be mitigated within the tolerance level.
c. Apply risk management continuously.
· Risk management is a continuous process that is adjusted as conditions change and are incorporated into decision-making.
d. Consider the risk of inaction.
· Is an opportunity being missed?
e. Include risk statements in policy documents.
· Risks (both positive and negative) should be referenced when advocating for a particular policy direction.
· Risk statements should provide detail using objective data points, including cost-benefit, constraints, limitations and assumptions.
2 FAM 032.5 Key Definitions
Residual risk: The degree of risk exposure remaining after mitigation factors have been identified and factored in.
Risk: Risk is anything that has the potential to negatively (threats) or positively (opportunities) impact the Department's capability to achieve objectives.
Risk appetite: The articulation of the amount of risk (on a broad, macro level) an organization is willing to accept in pursuit of strategic objectives in order to meet its mission. It is set by the organization’s most senior level leadership and serves as the guidepost to set strategy and select objectives.
Risk management: The practice of identifying and analyzing risk exposures, then taking action steps to minimize the impact they impose.
Risk profile: An analysis of the risks the Department faces in pursuing its strategic objectives arising from its activities and operations that identifies options for addressing significant risks.
Risk response: The action taken to manage or mitigate the risk. There are several types of risk responses:
Acceptance: No action is taken to respond to the risk based on the likelihood or impact of the risk and an assessment of the burden of mitigating the risk compared to the benefit.
Reduction: Action is taken to reduce the likelihood or impact of the risk.
Sharing: Action is taken to transfer or share risks across the entity or with external partners.
Avoidance: Action is taken to stop the process causing the risk, i.e., no risk is taken.
Risk tolerance: The acceptable level of variance in performance relative to the achievement of objectives. It is generally established at the program, objective, or component level.
2 FAM 032.6 Principal Actors: Roles and Responsibilities
a. Secretary of State
(1) Under the Omnibus Diplomatic Security and Antiterrorism Act, as amended (22 U.S.C. 4802), the Secretary of State develops and implements policies and programs, including funding levels and standards, to provide for the security of United States Government operations of a diplomatic nature and foreign government operations of a diplomatic nature in the United States. A number of entities may assist the Secretary with the fulfillment of these responsibilities with regard to daily domestic and overseas operations, including risk management activities. The roles of various officials are discussed within this enterprise risk management framework.
(2) The Secretary establishes goals and objectives around operating environments, ensures compliance with relevant laws and regulations, and manages both expected and unexpected or unanticipated events. The Secretary, acting generally through delegations of authority, is responsible for implementing management practices that identify, assess, respond, and report on risks. Bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains and structures (such as the Emergency Action Committee) to seek decisions regarding risk.
b. Deputy Secretary of State
The Deputy Secretary co-chairs the Enterprise Governance Board with the Under Secretary for Management. In general, the Deputy Secretary does not make day-to-day decisions regarding risk. Bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains (such as the Emergency Action Committee) to seek decisions regarding risk.
c. Under Secretary of State for Management
The Under Secretary for Management co-chairs the Enterprise Governance Board with the Deputy Secretary. The Under Secretary for Management supervises the Office of Management Strategy and Solutions (M/SS), which manages the Department’s overall enterprise risk management program. As appropriate, bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains and structures (such as the Emergency Action Committee) to seek decisions from the Under Secretary for Management regarding risk.
d. Office of Management Strategy and Solutions
The Office of Management Strategy and Solutions (M/SS) serves as the secretariat to the Enterprise Governance Board. M/SS also manages the Department’s overall enterprise risk management program and works with relevant bureaus and stakeholders, including Risk Liaisons, to review overarching Department risk management policies, procedures, principles, communications materials, and training tools, and update them on at least an annual basis. M/SS is responsible for compiling the annual risk profile required by OMB Circular A-123. M/SS also manages the Department’s Risk Liaison program, which includes maintaining a roster of liaisons, working with them to compile the Department’s annual risk profile directed by OMB Circular A-123, and conducting regular meetings to discuss best practices and determine ways to inculcate them into Department culture. M/SS works with senior Department leaders to develop, articulate, and communicate Department-wide guidelines for risk appetite and risk tolerance.
e. Risk Liaisons
All Department bureaus and posts may designate at least one Risk Liaison. The Risk Liaison is responsible for communicating risk guidance throughout the bureau or post and contributing to Department-wide risk-related activities (such as contributing to the risk profile), as needed. Depending on the size of a bureau or post, several Risk Liaisons at various levels may be useful. Risk Liaisons have a clear understanding of the bureau or post's risks, share best practices and concerns, and feed into larger Department-wide enterprise risk management activities. The Department’s Risk Liaison program will be managed by the Office of Management Strategy and Solutions (M/SS).
f. Other Under Secretaries, Assistant Secretaries, and other Senior Leaders
Exercising broad judgement within their areas of responsibility, senior-level officials set guidelines for risk tolerance and promote good risk management practices. Senior leaders balance U.S. interests, policy priorities, and program objectives against evolving threats, reputational risks, etc. Leaders consider the risks associated with both action and inaction when making informed decisions, and create a climate that encourages open discussion of assumptions and disagreements. Per 2 FAM 031(c), Department leaders play a vital role in risk management, and it is expected that they will engage in their own risk management activities and in mentoring others on how best to do it. Senior Department leaders may rely on their organization’s Risk Liaisons to develop internal risk management practices. As appropriate, bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains and structures (such as the Emergency Action Committee) to seek decisions from Under Secretaries, Assistant Secretaries, and other senior leaders regarding risk.
g. Chiefs of Mission (COM)
The COM sets the risk tolerance level at post and communicates it clearly to staff. In addition, the President’s Letter of Instruction to COMs explicitly requires each COM to take direct and full responsibility for the security of the U.S. mission and all United States government personnel on official duty abroad and their accompanying dependents, other than those personnel under the command of a Geographic Combatant Commander, on the staff of an international organization, Voice of America correspondents on assignment, or the authorized dependents of any of these categories of personnel, unless an agreement between the Secretary of State and head of another agency provides otherwise. Security responsibility entails establishing and implementing appropriate policies and standards. COMs may rely on their organization’s Risk Liaisons to develop internal risk management practices.
h. All Department Employees
Each Department employee is responsible for safeguarding Federal assets and the efficient delivery of services to the public. All Department employees should make management aware when risk cannot be mitigated within the tolerance level, and should be aware of what risk decisions they can or cannot make within their area of work. Employees should be made aware of security threats, procedures, regulations, and issues in their area of responsibility. In addition to serving as a good role model for others, mid-level and senior employees must monitor and address changes that impact risk management, decisions, and actions.
2 FAM Exhibit 032.2
Enterprise Risk Management Overview