OIG-21-A-16, Status of Recommendations: Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Enterprise Risk Management Process, Dated July 31, 2025

ML25213A041
Person / Time
Issue date: 07/31/2025
From: Virkar H
NRC/OIG/AIGA
To: Mark King
NRC/EDO
References
OIG-21-A-16


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: July 31, 2025

TO: Michael F. King, Acting Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE ENTERPRISE RISK MANAGEMENT PROCESS (OIG-21-A-16)

REFERENCE: ASSOCIATE DIRECTOR FOR OPERATIONS, OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS, MEMORANDUM DATED JULY 25, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated July 25, 2025. Based on this response, recommendations 1, 2, 3, 4, 6, 7, and 8 remain open and resolved.

Recommendation 5 was previously closed. Please provide an updated status of the open, resolved recommendations by January 30, 2026.

If you have any questions or concerns, please call me at 301.415.1982 or Paul Rades, Team Leader, at 301.415.6228.

Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO ACS Distribution

Audit Report: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE ENTERPRISE RISK MANAGEMENT PROCESS, Status of Recommendations (OIG-21-A-16)

Recommendation 1:

Develop and implement a process to periodically communicate a consistently understood agency risk appetite.

Agency Response Dated July 25, 2025:

The staff, with oversight by the U.S. Nuclear Regulatory Commission's (NRC) Programmatic Senior Assessment Team (PSAT), is working to develop the agency's risk appetite statement. Upon completion, the Office of the Executive Director for Operations (OEDO) staff will revise OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, to specify the agency's determination, implementation, and communication frequency regarding its risk appetite. Additionally, the OEDO communicated the agency's posture with regard to risk appetite in NUREG/KM-0016, Be riskSMART: Guidance for Integrating Risk Insights into NRC Decisions, March 2021.

Target Completion Date: December 31, 2025

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after reviewing the updated guidance and verifying agency plans to implement it.

Status:

Open: Resolved

Recommendation 2:

Revise agency policies and guidance to:

a. Designate the official agency risk profile document and remove references to it as a U.S. Office of Management and Budget (OMB) deliverable in Management Directive 4.4, Enterprise Risk Management and Internal Control, and Office of the Executive Director for Operations Procedure 0960, Enterprise Risk Management Reporting Instructions.

b. Fully address the risk profile components and elements in accordance with OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

Agency Response Dated July 25, 2025:

The staff is revising OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, to clarify the designation of the official agency risk profile document and fully address the risk profile components and elements in accordance with OMB Circular A-123.

Target Completion Date: December 31, 2025

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after reviewing the updated guidance and verifying that it addresses OMB Circular A-123 requirements.

Status:

Open: Resolved

Recommendation 3:

Implement an Enterprise Risk Management (ERM) maturity model approach by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model.

Agency Response Dated July 25, 2025:

The staff, with oversight by the PSAT, is selecting an appropriate model, assessing current practices per the model, and developing an action plan with milestones to assess current practices and further advance the model.

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after reviewing the agency's ERM maturity model and verifying efforts to implement it.

Status:

Open: Resolved

Recommendation 4:

Establish and monitor implementation of procedures to ensure that Quarterly Performance Review (QPR) practices are fully performed, such as completion of the QPR Dashboard entries, and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on Enterprise Risk Management meeting minutes.

Agency Response Dated July 25, 2025:

Staff plans to update OEDO Procedure 0960 with best practices based on this recommendation and to ensure that QPR practices are fully performed, such as comprehensively completed QPR Dashboard entries and all risk-related management decisions resulting from QPR and the Executive Committee on ERM (ECERM) meetings are recorded in the meeting summaries.

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after reviewing the updated guidance and verifying agency actions to implement QPR best practices.

Status:

Open: Resolved

Recommendation 6:

Update policies and guidance to address Management Directive 4.4, Enterprise Risk Management and Internal Control, and Management Directive 6.9, Performance Management, links to the QPR and reasonable assurance processes to accurately reflect that both agency processes address different aspects of ERM. This includes, but is not limited to:

a. Updating Management Directive 6.9 for the expanded risk responsibilities added to the QPR process;

b. Explaining the role of the PSAT in the QPR process in Management Directive 6.9;

c. Specifying the ECERM role in decision-making of PSAT risks and ECERM focus areas in Management Directive 4.4 (Closed (ML23073A073));

d. Cross-referencing Management Directive 4.4 to Management Directive 6.9 to clearly show that ERM implementation activities through the QPR process eventually led to the ERM focus areas and the reporting of ERM in the Integrity Act statement; and,

e. Including Management Directive 4.4 and OEDO Procedure 0960 in Management Directive 6.9, Section VI, References.

Agency Response Dated July 25, 2025:

Staff is revising Management Directive 6.9 as mentioned above in this recommendation.

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after verifying that the updated version of Management Directive 6.9 aligns with Management Directive 4.4 and addresses specific issues identified in the audit finding and recommendation.

Status:

Open: Resolved

Recommendation 7:

Update policies and guidance to clarify the effective date of the quarterly risks in the QPR process.

Agency Response Dated July 25, 2025:

The OEDO is working with the Office of the Chief Financial Officer (OCFO) to update policies and guidance to clarify the effective date of the quarterly risks in the QPR process. The staff completed the revision to Management Directive 4.4 on April 3, 2023 to state that: "At the end of the fiscal year, including the results of the fourth quarter of the fiscal year to address OIG Audit OIG-21-A-16, recommendation 7, the ECERM assesses the agency's programmatic operations, financial systems, and internal control over reporting."

Instructions for inclusion of fourth-quarter risks will also be included in the revision to OEDO Procedure 0960.

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after reviewing the updated guidance and verifying that it addresses quarterly risk reporting issues in alignment with Management Directive 4.4.

Status:

Open: Resolved

Recommendation 8:

Require enterprise risk management-specific training that addresses U.S. Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, requirements and current best practices, and periodically provide it to NRC personnel with ERM responsibilities.

Agency Response Dated July 25, 2025:

The staff is developing ERM training focused on specific competencies required for personnel with ERM responsibilities. The staff plans to work through the agency's Human Capital Council to establish the ERM training requirement frequency.

OIG Analysis:

The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after verifying implementation of ERM training.

Status:

Open: Resolved