ML22336A172

OIG-21-A-16 Status of Recommendations: Audit of the NRC's Implementation of the Enterprise Risk Management Process, Dated December 2, 2022

Person / Time
Issue date: 12/02/2022
From: Virkar H, NRC/OIG/AIGA
To: Marissa Bailey, Dan Dorman, NRC/EDO/AO
References: OIG-21-A-16

Text

MEMORANDUM

DATE: December 2, 2022

TO: Daniel H. Dorman, Executive Director for Operations
    Marissa G. Bailey, Assistant for Operations

FROM: Hruta Virkar, CPA /RA/
      Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE NRC'S IMPLEMENTATION OF THE ENTERPRISE RISK MANAGEMENT PROCESS (OIG-21-A-16)

REFERENCE: ASSISTANT FOR OPERATIONS MEMORANDUM DATED SEPTEMBER 27, 2022

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated September 27, 2022.

Based on this response, recommendations one through eight from this report are open and resolved. Please provide an updated status of the open, resolved recommendations by October 1, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Paul Rades, Acting Corporate Support Audits Team Leader, at 301.415.6228.

Attachment: As stated

cc: J. Jolicoeur, OEDO
    RidsEdoMailCenter Resource
    OIG Liaison Resource
    EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

Audit Report: RESULTS OF THE AUDIT OF THE NRC'S IMPLEMENTATION OF THE ENTERPRISE RISK MANAGEMENT PROCESS, Status of Recommendations (OIG-21-A-16)

Recommendation 1: Develop and implement a process to periodically communicate a consistently understood agency risk appetite.

Agency Response Dated September 27, 2022: The Office of the Executive Director for Operations (OEDO) staff is working to develop the agency's risk appetite statement. Upon completion, the staff will implement a process to periodically communicate a consistently understood agency risk appetite. The agency's risk appetite statement and associated process for periodic communication will be incorporated in the next revision to OEDO Procedure 0960. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC staff and to update OEDO Procedure 0960.

Target Completion Date: September 1, 2022
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after reviewing the risk appetite statement and verifying that the revised OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, specifies the agency's in the determination, implementation, and frequency of communication of its risk appetite.

Status: Open: Resolved.


Recommendation 2: Revise agency policies and guidance to:

a. Designate the official agency risk profile document and remove references to it as a U.S. Office of Management and Budget (OMB) deliverable in Management Directive 4.4, Enterprise Risk Management and Internal Control and Office of the Executive Director for Operations Procedure 0960, Enterprise Risk Management Reporting Instructions.
b. Fully address the risk profile components and elements in accordance with OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

Agency Response Dated September 27, 2022: The staff is revising agency policy and guidance to designate the official agency risk profile document, remove references of OMB deliverables, and fully address risk profile components and elements in accordance with OMB Circular A-123. The staff will revise MD 4.4 and OEDO Procedure 0960 as proposed in this recommendation. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and to update OEDO Procedure 0960 as described in the updated response to Recommendation 1.

Target Completion Date: March 31, 2023
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the revised MD 4.4, Enterprise Risk Management and Internal Control, and OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, and verifies the designation of an official agency risk profile document and removes references to the risk profile being a deliverable to the OMB, as well as fully addresses the components and elements of the risk profile in accordance with OMB Circular A-123.

Status: Open: Resolved.


Recommendation 3: Implement an enterprise risk management maturity model approach by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model.

Agency Response Dated September 27, 2022: The NRC staff anticipated that OMB would revise and issue its primary guidance document for maturity models by late 2021. To date, this guidance document has not been issued, and the staff has not been able to obtain a revised date for publication. However, the staff will use the one-page maturity model that OMB has already developed to draft and implement the NRC's ERM maturity model. The implementation of this maturity model will include the development of an action plan with milestones to assess current practices and advance the model. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC.

Target Completion Date: September 1, 2022
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after verifying the NRC's adoption and implementation of an appropriate enterprise risk management maturity model by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model through the milestones in the maturity model action plan.

Status: Open: Resolved.


Recommendation 4: Establish and monitor implementation of procedures to ensure that Quarterly Performance Review (QPR) practices are fully performed, such as completion of the QPR Dashboard entries, and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on Enterprise Risk Management meeting minutes.

Agency Response Dated September 27, 2022: The NRC staff has begun implementing this recommendation by ensuring that QPR practices are fully performed by September 29, 2023. The staff plans to update OEDO Procedure 0960 with best practices based on this recommendation, including, but not limited to completion of QPR Dashboard entries, and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on ERM (ECERM) meeting minutes. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and to update OEDO Procedure 0960 as described in the updated response to Recommendation 1.

Target Completion Date: September 1, 2022
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the revisions to OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, and verifies the inclusion of procedures to ensure that QPR practices are fully performed, such as QPR Dashboard entries being comprehensively completed and all risk-related management decisions resulting from QPR and ECERM meetings being recorded in the meeting summaries.

Status: Open: Resolved.


Recommendation 5: Reconcile the business lines structure with the Office of the Chief Financial Officer to have a common business lines structure list. (Deviations from the common business lines structure list for either the Quarterly Performance Review or reasonable assurance processes may be clarified with applicable justification noted).

Agency Response Dated September 27, 2022: The OEDO is working with OCFO staff to establish and maintain a common business lines structure list. Upon completion, the staff will update ERM-related guidance. Any deviation from this business line structure will be identified with written justification in the resulting product. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the ERM-related guidance.

Target Completion Date: September 1, 2022
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the revised enterprise risk management-related guidance for the inclusion of a common business lines structure list that identifies all business lines in the agency, as well as oversight responsibility, and written justification for any deviation from this common business lines structure list for the Quarterly Performance Review or reasonable assurance processes.

Status: Open: Resolved.


Recommendation 6: Update policies and guidance to address Management Directive 4.4, Enterprise Risk Management and Internal Control, and Management Directive 6.9, Performance Management, links to the Quarterly Performance Review (QPR) and reasonable assurance processes to accurately reflect that both agency processes address different aspects of enterprise risk management (ERM). This includes, but is not limited to:

a. Updating Management Directive 6.9 for the expanded risk responsibilities added to the QPR process;
b. Explaining the role of the Programmatic Senior Assessment Team (PSAT) in the QPR process in Management Directive 6.9;
c. Specifying the Executive Committee on ERM (ECERM) role in decision-making of PSAT risks and ECERM focus areas in Management Directive 4.4;
d. Cross-referencing Management Directive 4.4 to Management Directive 6.9 to clearly show that ERM implementation activities through the QPR process eventually lead to the ERM focus areas and the reporting of ERM in the Integrity Act statement; and,
e. Including Management Directive 4.4 and Office of the Executive Director for Operations (OEDO) Procedure 0960 in Management Directive 6.9, Section VI, References.

Agency Response Dated September 27, 2022: The NRC staff is revising the guidance documents as mentioned in this recommendation. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the guidance documents.

Target Completion Date: March 31, 2023
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the revised Management Directive 4.4, Enterprise Risk Management and Internal Control, and Management Directive 6.9, Performance Management, and verifies that the QPR and reasonable assurance processes address different aspects of enterprise risk management in those management directives.

Status: Open: Resolved.


Recommendation 7: Update policies and guidance to clarify the effective date of the quarterly risks in the Quarterly Performance Review (QPR) process.

Agency Response Dated September 27, 2022: The OEDO is working with OCFO to update policies and guidance to clarify the effective date of the quarterly risks in the QPR process. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the guidance documents.

Target Completion Date: September 1, 2022
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after verifying that the revised policies and guidance include clarification on the effective date of the quarterly risks in the QPR process, to ensure the data resulting from quarter 4 of the fiscal year is considered in the same fiscal year-end reasonable assurance statement.

Status: Open: Resolved.


Recommendation 8: Require enterprise risk management-specific training that addresses U.S. Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, requirements and current best practices, and periodically provide it to NRC personnel with ERM responsibilities.

Agency Response Dated September 27, 2022: The staff is developing ERM training that will address OMB Circular A-123 requirements and best practices. This training will periodically be provided to staff with ERM responsibilities. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC to finalize the training.

Target Completion Date: September 1, 2022
New Target Completion Date: September 29, 2023
Point of Contact: Araceli Billoch Colon, 301.415.3302

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after verifying (1) the ERM training addresses OMB Circular A-123 requirements and current best practices, and (2) the revised policies pertaining to ERM specify the competencies required for the NRC personnel with ERM responsibilities and the ERM training requirement frequency.

Status: Open: Resolved.