ML23311A369

OIG-21-A-16 - Status of Recommendations - Audit of the NRC's Implementation of the Enterprise Risk Management Process, Dated November 6, 2023
Person / Time
Issue date: 11/06/2023
From: Virkar H
NRC/OIG/AIGA, OIG Watch
To: Dan Dorman
NRC/EDO
References
OIG-21-A-16


Text

MEMORANDUM

DATE: November 6, 2023

TO: Daniel H. Dorman
Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE NRC'S IMPLEMENTATION OF THE ENTERPRISE RISK MANAGEMENT PROCESS (OIG-21-A-16)

REFERENCE: ASSISTANT FOR OPERATIONS MEMORANDUM DATED SEPTEMBER 19, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated September 19, 2023.

Based on this response, recommendations one through eight remain open and resolved.

Please provide an updated status of the open, resolved recommendations by June 1, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Paul Rades, Team Leader, at 301.415.6228.

Attachment: As stated

cc: M. Bailey, OEDO
M. Meyer, OEDO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Audit Report: AUDIT OF THE NRC'S IMPLEMENTATION OF THE ENTERPRISE RISK MANAGEMENT PROCESS - Status of Recommendations (OIG-21-A-16)

Recommendation 1: Develop and implement a process to periodically communicate a consistently understood agency risk appetite.

Agency Response Dated September 19, 2023:

The Office of the Executive Director for Operations (OEDO) staff is working to develop the agency's risk appetite statement. Upon completion, the staff will implement a process to periodically communicate a consistently understood agency risk appetite. The agency's risk appetite statement and associated process for periodic communication will be incorporated in the next revision to OEDO Procedure 0960. Additional time to complete this item is necessary to facilitate further staff collaboration within the U.S. Nuclear Regulatory Commission (NRC) staff and to update OEDO Procedure 0960.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after reviewing the risk appetite statement and verifying that the revised OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, specifies the agency's determination, implementation, and frequency of communication of its risk appetite.

Status: Open: Resolved.


Recommendation 2: Revise agency policies and guidance to:

a. Designate the official agency risk profile document and remove references to it as a U.S. Office of Management and Budget (OMB) deliverable in Management Directive 4.4, Enterprise Risk Management and Internal Control and Office of the Executive Director for Operations Procedure 0960, Enterprise Risk Management Reporting Instructions.
b. Fully address the risk profile components and elements in accordance with OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

Agency Response Dated September 19, 2023:

The staff is revising agency policy and guidance to designate the official agency risk profile document, remove references of OMB deliverables, and fully address risk profile components and elements in accordance with OMB Circular A-123. The staff completed the revision to Management Directive 4.4 on April 3, 2023 (ML23073A073). The staff will revise OEDO Procedure 0960 as proposed in this recommendation. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and to update OEDO Procedure 0960 as described in the updated response to Recommendation 1.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG reviewed the revised Management Directive 4.4 and confirmed that references to the agency risk profile as an OMB deliverable were removed.

As a result, the OIG is partially satisfied with the agency's response to recommendation 2.a.


The OIG will close this recommendation after reviewing the revised OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, clarifying the designation of the official agency risk profile document, and detailing the risk profile components and elements in accordance with OMB Circular A-123.

Status: Open: Resolved.


Recommendation 3: Implement an enterprise risk management maturity model approach by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model.

Agency Response Dated September 19, 2023: The revised Playbook: Enterprise Risk Management for the U.S. Federal Government guidance was issued by OMB in November 2022. The implementation of this maturity model will include the development of an action plan with milestones to assess current practices and advance the model. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after verifying the NRC's adoption and implementation of an appropriate enterprise risk management maturity model by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model through the milestones in the maturity model action plan.

Status: Open: Resolved.


Recommendation 4: Establish and monitor implementation of procedures to ensure that Quarterly Performance Review (QPR) practices are fully performed, such as completion of the QPR Dashboard entries, and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on Enterprise Risk Management meeting minutes.

Agency Response Dated September 19, 2023: The staff plans to update OEDO Procedure 0960 with best practices based on this recommendation, including, but not limited to completion of QPR Dashboard entries, and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on ERM (ECERM) meeting minutes. The NRC staff has begun implementing this recommendation by ensuring that management decisions of risk discussed during the QPR meetings and ECERM meetings are recorded in the meetings minutes. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and to update OEDO Procedure 0960 as described in the updated response to Recommendation 1.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the revisions to OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, and verifies the inclusion of procedures to ensure that QPR practices are fully performed, such as QPR Dashboard entries being comprehensively completed and all risk-related management decisions resulting from QPR and ECERM meetings being recorded in the meeting summaries.

Status: Open: Resolved.


Recommendation 5: Reconcile the business lines structure with the Office of the Chief Financial Officer to have a common business lines structure list. (Deviations from the common business lines structure list for either the Quarterly Performance Review or reasonable assurance processes may be clarified with applicable justification noted).

Agency Response Dated September 19, 2023: The OEDO is working with OCFO staff to establish and maintain a common business lines structure list for the Quarterly Performance Review process. Upon completion, the staff will update ERM-related guidance. Any deviation from this business line structure will be identified with written justification in the resulting product. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the ERM-related guidance.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the OIG reviews the revised enterprise risk management-related guidance for the inclusion of a common business lines structure list that identifies all business lines in the agency, as well as oversight responsibility, and written justification for any deviation from this common business lines structure list for the Quarterly Performance Review or reasonable assurance processes.

Status: Open: Resolved.


Recommendation 6: Update policies and guidance to address Management Directive 4.4, Enterprise Risk Management and Internal Control, and Management Directive 6.9, Performance Management, links to the Quarterly Performance Review (QPR) and reasonable assurance processes to accurately reflect that both agency processes address different aspects of enterprise risk management (ERM). This includes, but is not limited to:

a. Updating Management Directive 6.9 for the expanded risk responsibilities added to the QPR process;
b. Explaining the role of the Programmatic Senior Assessment Team (PSAT) in the QPR process in Management Directive 6.9;
c. Specifying the Executive Committee on ERM (ECERM) role in decision-making of PSAT risks and ECERM focus areas in Management Directive 4.4;
d. Cross-referencing Management Directive 4.4 to Management Directive 6.9 to clearly show that ERM implementation activities through the QPR process eventually lead to the ERM focus areas and the reporting of ERM in the Integrity Act statement; and,
e. Including Management Directive 4.4 and Office of the Executive Director for Operations (OEDO) Procedure 0960 in Management Directive 6.9, Section VI, References.

Agency Response Dated September 19, 2023: The NRC staff is revising the guidance documents as mentioned in this recommendation. The staff completed the revision to Management Directive 4.4 on April 3, 2023 (ML23073A073). Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the guidance documents.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG reviewed the revised Management Directive 4.4 and confirmed that the ECERM's role in decision-making of PSAT risks and ECERM focus areas is included in the directive and corresponding handbook.

As a result, the OIG is satisfied with the agency's response to recommendation 6.c.

The OIG will close this recommendation after review of the revised Management Directive 6.9 and the annual reasonable assurance guidance document for recommendations 6.a, 6.b, 6.d, and 6.e.

Status: Open: Resolved.


Recommendation 7: Update policies and guidance to clarify the effective date of the quarterly risks in the Quarterly Performance Review (QPR) process.

Agency Response Dated September 19, 2023: The OEDO is working with OCFO to update policies and guidance to clarify the effective date of the quarterly risks in the QPR process. The staff completed the revision to Management Directive 4.4 on April 3, 2023 (ML23073A073) to state that: "At the end of the fiscal year, including the results of the fourth quarter of the fiscal year to address OIG Audit OIG-21-A-16, recommendation 7, the ECERM assesses the agency's programmatic operations, financial systems, and internal control over reporting." Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the guidance documents.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG reviewed the revised Management Directive 4.4 and confirmed the agency clarified that fourth quarter risks are to be included in the QPR process. As a result, the OIG is partially satisfied with the agency's response to the recommendation.

The OIG will close this recommendation after verification of the agency's revision to OEDO Procedure 0960, which includes instructions for the inclusion of fourth-quarter risks.

Status: Open: Resolved.


Recommendation 8: Require enterprise risk management-specific training that addresses U.S. Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, requirements and current best practices, and periodically provide it to NRC personnel with ERM responsibilities.

Agency Response Dated September 19, 2023: The staff is developing ERM training that will address OMB Circular A-123 requirements and best practices. This training will periodically be provided to staff with ERM responsibilities. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC to finalize the training.

New Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation after verifying (1) the ERM training addresses OMB Circular A-123 requirements and current best practices, and (2) the revised policies pertaining to ERM specify the competencies required for the NRC personnel with ERM responsibilities and the ERM training requirement frequency.

Status: Open: Resolved.
