2 FAM 030
ENTERPRISE RISK MANAGEMENT
(CT:GEN-607; 04-12-2024)
(Office of Origin: M/SS)
2 FAM 031 DEPARTMENT RISK MANAGEMENT POLICY
(CT:GEN-607; 04-12-2024)
a. Advancement of U.S. foreign policy objectives inherently involves diverse types of risk, and the Department recognizes that taking a certain degree of risk is endemic to the conduct of U.S. foreign policy. All employees of the Department are expected to identify, evaluate, and mitigate any substantial risks to their objectives or to the enterprise in which they are engaged, including the risks of inaction. Department leaders, including Chiefs of Mission, should require the best possible assessment of risk, identification of mitigation measures, and evaluations of any remaining residual risk before making decisions. Decisions should include judgments on whether the benefits of a proposed activity or course of action outweigh the residual risks.
b. Effective risk management is part of an institutional framework that protects people, property, resources, information and interests, and is a key component of leadership. Although it is not possible to eliminate all risk, proactive risk mitigation begins with a rigorous identification of assumptions about the risks and benefits associated with an activity, followed by an assessment of those assumptions and of the impact of cognitive biases such as groupthink, confirmation bias, narrow framing, and self-serving bias. A good assessment includes a consideration of the number and quality of information sources underpinning each assumption, e.g., questioning whether assumptions are insufficiently sourced. Consequently, additional actions may be necessary to mitigate the risk to an acceptable level. This theory of risk applies to any activity, e.g., an international negotiation, determining staffing at a high threat post, or designing a building.
c. All Department leaders have a vital role in risk management, and it is expected that they will both engage in their own risk management activities and mentor others on how best to do it. They must create a climate that encourages open discussion of assumptions, including their reliability, and be willing to accept alternative viewpoints. Department leaders must ensure risk management is a continuous process that is adjusted as conditions change, and incorporated into planning and decision-making in a systematic, appropriate, timely and transparent manner while taking into account uncertainty and the impact on our capabilities to protect people, property, information and other assets. These activities should be collaborative among relevant stakeholders, including various levels within and outside of the organization as appropriate to the situation. To advance a culture of learning, Department leaders should also ensure that after-action reports (or hotwashes) are completed at the conclusion of significant events or activities. After-action reports should include a critical analysis and review of all risk management actions and outcomes to determine future best practices, and alterations/revisions to current risk management strategies.
d. A key tenet of leadership at the Department is to lead teams to the best possible assessment of risk, implementation of mitigation measures, and an evaluation of the residual risk that still remains, through sound planning and management. The Department expects leaders to judge whether the benefits of an activity outweigh the residual risk potential and to act accordingly.
2 FAM 032 ENTERPRISE RISK MANAGEMENT FRAMEWORK
2 FAM 032.1 Purpose
(CT:GEN-607; 04-12-2024)
The Enterprise Risk Management framework defines key actors, roles and responsibilities, and governance mechanisms related to Department of State Enterprise Risk Management. This framework is intended to serve as a guiding document and reference tool but is not intended to change or alter Department reporting structures outlined in law, Presidential directive, or other provisions of the FAM.
2 FAM 032.2 Scope
(CT:GEN-607; 04-12-2024)
a. The Enterprise Risk Management framework serves as a primer for how the Department approaches enterprise risk management and implements associated programs. Enterprise Risk Management, in the context of the Department of State, refers to an overarching governance structure that sets the tone and direction for risk management policies, communications, and training throughout the organization but is not intended to change or alter Department reporting structures outlined in law, Presidential directive, or other provisions of the FAM. See 2 FAM Exhibit 032.2.
b. In general, Department bureaus already have risk management built into existing procedures and manage different types of risk in a variety of ways. Some types of risk and examples of mitigation structures include, but are not limited to:
· Foreign policy (e.g., clearance process)
· Program effectiveness (e.g., planning and formal approvals, program design information, performance management, monitoring and evaluation)
· Security (e.g., SCORE, OSPB and ISC standards, Security Directives, Emergency Action Plans, SECCA waivers and/or OSPB exceptions)
· Safety and Health (e.g., OSHA requirements, earthquake preparedness, fire safety)
· Medical (e.g., pandemic responses, medical clearances, post medical capabilities)
· Environmental (e.g., air quality monitoring)
· Financial (e.g., management controls, audits, grant and contract procurement requirements)
· Information Security (e.g., cybersecurity measures, PKI Cards)
· Reputational (e.g., supervisory controls, clearance process, human rights vetting, visitor program sponsor and participant vetting)
· Border Security (e.g., consular vetting of passport and visa applicants; investigation of passport and visa fraud; secure design and issuance of travel documents)
· Terrorism financing (e.g., vetting, OFAC licenses)
· Personnel security (e.g., background investigations and pass through review process for certain countries)
· Training (e.g., Counter Threat Awareness Training (CTAT), FACT, IT courses, Management Assurance, etc.)
2 FAM 032.3 Enterprise Risk Governance Mechanisms
(CT:GEN-607; 04-12-2024)
a. Office of Management and Budget Circular A-123
In 2016, the Office of Management and Budget (OMB) released an update to Circular A-123, which directed federal agencies to implement an Enterprise Risk Management capability coordinated with the strategic planning and strategic review process established by the Government Performance Results Modernization Act (GPRAMA) of 2010, Public Law 111-352, and the internal control process required by the Federal Managers' Financial Integrity Act (FMFIA), Public Law 97-255, and the Government Accountability Office's (GAO) Green Book. This integrated governance structure improves mission delivery, reduces costs, and focuses corrective actions towards key risks. Implementation of this policy engages all agency management. In particular, it requires leadership from the agency Chief Operating Officer and Performance Improvement Officer, and close collaboration across all agency mission and mission-support functions. In Circular A-123, OMB gave latitude to agencies to design their own governance structures and emphasized the importance of having appropriate risk management processes and systems in place to identify challenges early, to bring them to the attention of State Department leadership, and to develop solutions. 2 FAM 030 serves as the Department's enterprise risk management policies and procedures in response to Circular A-123.
b. Department policies: 2 FAM 030
The Department’s overarching risk management policies and principles are laid out in 2 FAM 030.
c. Enterprise Governance Board (EGB)
The EGB, which is chaired by the Deputy Secretary or Deputy Secretary for Management and Resources, is a forum for Under Secretaries and other senior leaders to discuss strategic issues and provide input into enterprise-level decisions on a regular basis. The EGB serves as the Department's Enterprise Risk Management Council and reviews the Department’s enterprise risk posture on at least an annual basis at a meeting of the EGB. The EGB approves and reaffirms significant changes to the Department’s risk management policies and procedures found in 2 FAM 030. The EGB also works with the Secretary to set the risk tolerance level and communicate it clearly to staff. In general, the EGB does not make day-to-day decisions regarding risk. Instead, the EGB sets the stage for risk management at all levels of the organization. Bureaus, posts, offices, and working groups are encouraged to use their existing reporting chains (such as the Emergency Action Committee) and relationships to seek decisions regarding risk. The EGB may elect to review enterprise-level risks on a case-by-case basis.
2 FAM 032.4 Department Risk Principles
(CT:GEN-607; 04-12-2024)
a. Be risk aware, but not risk averse.
· Advancement of U.S. foreign policy objectives inherently involves diverse types of risk, and the Department recognizes that taking considered risks can be essential to creating value for the American people and our stakeholders.
b. Decide at the appropriate level.
· The Secretary sets the risk appetite and risk tolerance levels and communicates them to staff.
· Department leadership must, within their areas of responsibility, set guidelines for risk tolerance and communicate it clearly to staff.
· Staff should make management aware when risk cannot be mitigated within the tolerance level.
c. Apply risk management holistically and continuously.
· Risk management, including coordination of policy, program, and management dimensions with all stakeholders, is a continuous process that is adjusted as conditions change and is incorporated into decision-making.
· Continuous monitoring of risks is critical to enabling a thorough risk analysis and appropriate risk management.
· Risks are not always static; therefore, it is crucial to continuously monitor them to ensure a thorough risk analysis so that appropriate risk management steps are pursued.
d. Consider the risk of inaction.
· Is an opportunity being missed?
e. Include risk statements in policy documents.
· Risks (both positive and negative) should be referenced when advocating for a particular policy direction.
· Risk statements should provide detail using objective data points, including cost-benefit, constraints, limitations, and assumptions.
2 FAM 032.5 Key Definitions
(CT:GEN-579; 02-09-2022)
Enterprise-level risk: A threat that could keep the Department, as a whole, from meeting its overarching strategic goals. Conversely, an enterprise risk could also be an opportunity that, if taken, could significantly advance the Department's goals.
Residual risk: The degree of risk exposure remaining after mitigation factors have been identified and factored in.
Risk: Risk is anything that has the potential to negatively (threats) or positively (opportunities) impact the Department's capability to achieve objectives.
Risk appetite: The articulation of the amount of risk (on a broad, macro level) an organization is willing to accept in pursuit of strategic objectives in order to meet its mission. It is set by the organization’s most senior level leadership and serves as the guidepost to set strategy and select objectives.
Risk management: The practice of identifying and analyzing risk exposures, then taking action steps to minimize the impact they impose.
Risk profile: An analysis of the risks the Department faces in pursuing its strategic objectives arising from its activities and operations that identifies options for addressing significant risks.
Risk response: The action taken to manage or mitigate the risk. There are several types of risk responses:
Acceptance: No action is taken to respond to the risk based on the likelihood or impact of the risk and an assessment of the burden of mitigating the risk compared to the benefit.
Reduction: Action is taken to reduce the likelihood or impact of the risk.
Sharing: Action is taken to transfer or share risks across the entity or with external partners.
Avoidance: Action is taken to stop the process causing the risk, i.e., no risk is taken.
Risk tolerance: The acceptable level of variance in performance relative to the achievement of objectives. It is generally established at the program, objective, or component level.
2 FAM 032.6 Principal Actors: Roles and Responsibilities
(CT:GEN-607; 04-12-2024)
a. Secretary of State
(1) Under the Omnibus Diplomatic Security and Antiterrorism Act (22 U.S.C. 4802), the Secretary of State develops and implements policies and programs, including funding levels and standards, to provide for the security of United States government operations of a diplomatic nature and foreign government operations of a diplomatic nature in the United States. A number of entities may assist the Secretary with the fulfillment of these responsibilities with regard to daily domestic and overseas operations, including risk management activities. The roles of various officials are discussed within this enterprise risk management framework.
(2) The Secretary establishes goals and objectives around operating environments, ensures compliance with relevant laws and regulations, and manages both expected and unexpected or unanticipated events. The Secretary, acting generally through delegations of authority, is responsible for implementing management practices that identify, assess, respond, and report on risks. Bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains and structures (such as the Emergency Action Committee) to seek decisions regarding risk.
b. Deputy Secretary of State or Deputy Secretary for Management and Resources
The Deputy Secretary or the Deputy Secretary of State for Management and Resources chairs the Enterprise Governance Board. In general, neither the Deputy Secretary nor the Deputy Secretary of State for Management and Resources makes day-to-day decisions regarding risk. Bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains (such as the Emergency Action Committee) to seek decisions regarding risk.
c. Under Secretary of State for Management
The Under Secretary for Management is alternate chairperson of the EGB in the Deputy Secretary’s absence. The Under Secretary for Management supervises the Office of Management Strategy and Solutions (M/SS), which manages the Department’s overall enterprise risk management program. As appropriate, bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains and structures (such as the Emergency Action Committee) to seek decisions regarding risk.
d. Office of Management Strategy and Solutions
The Office of Management Strategy and Solutions (M/SS) serves as the secretariat to the Enterprise Governance Board. M/SS also manages the Department's overall enterprise risk management program and works with relevant bureaus and stakeholders, including Risk Liaisons, to review overarching Department risk management policies, procedures, principles, communications materials, and training tools. M/SS is responsible for compiling the annual risk profile required by OMB Circular A-123. M/SS works with and on behalf of senior Department leaders to develop, articulate, strategize, and communicate policies, processes, engagement, and information on risk topics.
e. Other Under Secretaries, Assistant Secretaries, and other Senior Leaders
Exercising broad judgment within their areas of responsibility, senior-level officials set guidelines for risk tolerance and promote good risk management practices. Senior leaders balance U.S. interests, policy priorities, and resource and program objectives against evolving threats, reputational risks, etc. Leaders consider the risks associated with both action and inaction when making informed decisions and create a climate that encourages open discussion of assumptions and disagreements. Per 2 FAM 031(c), Department leaders play a vital role in risk management, and it is expected that they will engage in their own risk management activities and in mentoring others on how best to do it. As appropriate, bureaus, offices, posts, and working groups are encouraged to use their existing reporting chains and structures (such as the Emergency Action Committee) to seek decisions from Under Secretaries, Assistant Secretaries, and other senior leaders regarding risk.
f. Chiefs of Mission (COM)
The COM sets the risk tolerance level at post and communicates it clearly to staff. See 1 FAM 013 and 2 FAH 2 H-100 for a full description of COM authority, COM security responsibility, and overseas staffing.
g. All Department Employees
Each Department employee is responsible for safeguarding Federal assets and the efficient delivery of services to the public. All Department employees should make management aware when risk cannot be mitigated within the tolerance level, and should be aware of what risk decisions they can or cannot make within their area of work. Employees should be made aware of security threats, procedures, regulations, and issues in their area of responsibility. In addition to serving as a good role model for others, mid-level and senior employees must monitor and address changes that impact risk management, decisions, and actions.
2 FAM Exhibit 032.2
Enterprise Risk Management Overview
(CT:GEN-570; 04-14-2021)