Maturity Model Approach to ERM Recommended by Office of Management and Budget (OMB​ Circular A-123​)

Steven Minsky | Aug. 17, 2016

Washington’s Office of Management and Budget, an Executive Office of the President of the United States, recently published a circular titled “Management’s Responsibility for Enterprise Risk Management and Internal Control.” OMB Circular A-123 lays out “management’s responsibilities for enterprise risk management (ERM) and internal control.”

Additionally, the circular elaborates on “the need to integrate and coordinate risk management and strong and effective internal control into existing business activities.”

This development – when considered in combination with increasing penalties and requirements from regulators like the CFPB and SEC – is yet another indicator that robust risk management isn’t just recommended, it’s required.

Why is a Maturity Model Approach Needed?

Enterprise risk management is a rapidly evolving industry. The business environment is never static; operations must adapt to changing regulations, external threats like advanced cyberattacks, and a host of other risks. This constantly changing risk environment is reflected by COSO’s proposed framework update, Enterprise Risk Management – Aligning Risk with Strategy and Performance. To learn more about Aligning Risk with Strategy and Performance, view my comments on the framework.

According to OMB Circular A-123 is responsible for “establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unexpected or unanticipated events.”

These events are also known as surprises, and in the business world, surprises (even good ones, like unexpectedly high demand) can lead to major issues. A maturity model approach is the best way to evaluate your organization’s ability to prevent surprises before they happen. The key to successful ERM in any industry, including government organizations, is identifying trends (and designing responses) before a loss event actually occurs. As stated in the circular, “risk management practices must be forward-looking and designed to help leaders make better decisions.” LogicManager, by helping organizations Manage Tomorrow’s Surprises Today®, also helps them achieve this goal. Use a best-practice maturity model assessment to determine what areas of your program need the most attention.

OMB Circular A-123 Identifies RIMS Risk Maturity Model as an Example Maturity Model Approach

“Management’s Responsibility for Enterprise Risk Management and Internal Control” emphasizes the importance of a robust governance structure. Companies must leverage existing processes to mitigate risk, rather than designing entirely new processes, which requires significant time and resources. The same applies to monitoring the effectiveness of internal controls.

In order to do all of the above as effectively as possible, the OMB recommends “agencies should develop a maturity model approach to the adoption of an ERM framework.” Specifically, the circular identifies the RIMS Risk Maturity Model as an example approach.

The RIMS Risk Maturity Model (RMM) is a free best-practice assessment tool designed to provide a foundation for sustainable enterprise risk management. By means of a short, easy-to-complete risk maturity assessment, the RMM scores your program against 25 proven competency drivers and their underlying readiness indicators.

It then generates a report with a roadmap for improvement, ensuring you can focus your resources toward the attributes of ERM that drive the most bottom-line value. Doing so will allow you to meet the requirements outlined by the OMB circular.

OMB Circular A-123 names the RIMS Risk Maturity Model for good reason. The RMM has helped thousands of organizations streamline their ERM programs, and companies with “mature” risk management practices – as identified by the RMM – experience a 25% market valuation premium over those without.