Skip to page navigation
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

OPM.gov / Policy / Enterprise Risk Management Program /
Skip to main content

 

Enterprise Risk Management Program

Welcome to OPM’s Enterprise Risk Management (ERM) program page.  OPM’s Enterprise Risk Management function was re-established in the Office of the Director in September 2025.  This web page will be periodically updated with additional information.  For questions about OPM’s ERM program, to alert OPM to potential risks or mitigation strategies, or to provide other information related to ERM, please contact:

ERM Policy

Purpose

This document sets forth the U.S. Office of Personnel Management’s (OPM) Enterprise Risk Management (ERM) policy. ERM is an agency-wide approach to addressing the full spectrum of significant risks that the agency faces that considers both threats and opportunities as an interrelated portfolio. ERM can help to properly identify and manage risks to performance related to achieving strategic objectives, and improve agency capacity to prioritize efforts, optimize resources, and assess changes in the environment. This ERM policy establishes a framework for risk management across the agency that is integrated into OPM’s culture and operations.

Scope

This policy applies to all OPM activities. It forms part of OPM’s governance framework and applies to all employees and contractors.

Authorities

This policy is issued under the authority of the Federal Managers' Financial Integrity Act (FMFIA) of 1982, as codified in 31 USC 3512, and the Government Performance Results Act Modernization Act (GPRAMA) (Public Law 111-352). It is also issued pursuant to Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, which modernizes existing efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review process established by GPRAMA, and the internal control processes required by FMFIA and Government Accountability Office (GAO)'s Green Book.

Additional References and Resources  

  • GAO-14-704G, Standards for Internal Control in the Federal Government, September 10, 2014.
  • GAO GAO-15-593SP, A Framework for Managing Fraud Risks in Federal Programs, July 28, 2015.
  • NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), October 2020.
  • OMB Circular A-11, Section 260 – Data-Driven Performance and Strategic Reviews, July 25, 2024.
  • OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, July 15, 2016.
  • OPM Cybersecurity and Privacy Policy, April 2024.
  • OPM Financial Management Manual, Chapter 24 – Fraud Risk Policy, August 2024.
  • Playbook: Enterprise Risk Management for the U.S. Federal Government, November 28, 2022.

Policy

  • OPM shall establish an ERM Framework that is integrated into OPM’s culture and operations, including but not limited to strategic planning and reviews, internal controls, cybersecurity, privacy , antifraud, business continuity, budgeting, and program and project management.
  • OPM shall conduct its decision making and operations in accordance with its Risk Appetite Statement. OPM’s Risk Appetite Statement provides broad-based guidance on the level and type of risk that the agency is willing to accept to achieve the agency’s mission and objectives. The Risk Appetite Statement shall be reviewed and updated on a regular basis.
  • The Risk Management Council (RMC) provides governance of the ERM Program and drives implementation of this policy. This includes review and approval of enterprise risks and risk responses and ensuring that the ERM Framework is established and maintained.
  • Risks that meet one or more of the following criteria shall be reported to the RMC for consideration as to whether the risk should be monitored in an Enterprise Risk Register. This includes risks that could impact:
    • achieving a strategic goal or objective;
    • operations of core or multiple significant programs or mission support functions; and/or
    • achieving OPM’s overall mission.
  • OPM shall maintain an Enterprise Risk Profile that lists the most significant risks that the agency faces. The Enterprise Risk Profile shall be reviewed by the RMC at least annually in coordination with the strategic review process.
  • Each program and mission support office shall participate in routine risk assessment activities as needed and as part of the annual Enterprise Risk Profile update process.
  • OPM has also established standalone Fraud Risk Policy and Cybersecurity and Privacy Policy that are in alignment with this policy.

Roles and Responsibilities

OPM Director 

Sets a tone at the top for the rest of the organization and drives the culture of risk management.

Chief Risk Officer

Chair of the RMC, has the primary responsibility for OPM’s ERM program including the policies, standards and procedures, organizational arrangements, and reporting requirements.

Chief Financial Officer 

Has primary program responsibility for the design, implementation, and leadership of fraud risk management strategies and activities, including the development and execution of the agency’s fraud risk assessment process.

Chief Information Officer

Has primary program responsibility for OPM’s cybersecurity risk management program. While OPM’s cybersecurity risk management policy and strategy are part of OPM’s overall ERM program, individual cybersecurity risks should be managed in accordance with the cybersecurity risk management strategy.

Chief Privacy Officer

As the Senior Agency Official for Privacy, has responsibility and accountability for ensuring compliance with applicable privacy requirements and managing privacy risks at OPM.

Enterprise Risk Manager 

Provides direct support to the CRO in coordinating the development of the agency’s overall risk management framework and maintaining the agency’s Risk Profile. 

Associate Directors and Office Heads

Establish effective risk management within their business units and ensure staff comply with the enterprise risk management policy and foster a risk aware culture where risks can be identified and escalated.

Managers

Ensure staff comply with the enterprise risk management policy and foster a culture where risks can be identified and escalated. Work with the ERM function to provide regular updates on emerging risks to the agency. 

Risk Management Council 

Provides governance to the ERM program and implementation of this policy. This includes review and approval of key risks and risk responses, the agency’s Risk Profile and Risk Appetite Statement, and ensuring that an appropriate risk management framework is established and maintained. 

Definitions

Enterprise Risk Management

An effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by considering the combined array of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically-aligned portfolio view of organizational challenges that provides improved insight about how to more effectively prioritize and manage risks to mission delivery.

Risk

The effect of uncertainty on the achievement of objectives. An effect is a deviation from the desired outcome, which may present positive or negative results.

Risk Appetite

The articulation of the amount of risk (on a broad/macro level) an organization is willing to accept in pursuit of strategic objectives and value to the enterprise.

Risk Assessment

The identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Risk assessment involves evaluating the significance and likelihood of a risk, as well as any controls or other measures to manage risk.

Risk Management

A coordinated activity to direct and control challenges or threats to achieving an organization’s goals and objectives.

Risk Profile

A prioritized inventory of an organization’s most significant risks.

Risk Register

A full inventory of all identified risks for a project, program, support function, or enterprise. It contains pertinent information including a description of the risk, assessment of the rating of the risk in terms that include impact and likelihood, risk owner who is responsible for reporting on the status of the risk, and planned risk responses.

Risk Response

Management's strategy for managing (or responding to) a given risk. Risk response strategies include accept, reduce, avoid, pursue, or share (or transfer).
 

Risk Management Council (RMC)

Introduction

To assist the US Office of Personnel Management (OPM) senior leaders in meeting the requirements of Office of Management and Budget (OMB) Circulars A-123 and A-11, a Risk Management Council (RMC) will focus on risk management throughout the agency at an enterprise-level, an organization level, and a program-level. The RMC will be responsible for implementing, directing, and overseeing the implementation of OMB Circular A-123 and all the provisions of a robust process of risk management and internal control.

Background

OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management (ERM) and Internal Control, “emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency.” It states that, “ERM as a discipline deals with identifying, assessing, and managing risks. Through adequate risk management, agencies can concentrate efforts towards key points of failure and reduce or eliminate the potential for disruptive events. Internal control is a processes [sic] effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.”

In setting the policy for the Federal Government, the Circular states:

“Federal leaders and managers are responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unexpected or unanticipated events. They are responsible for implementing management practices that identify, assess, respond, and report on risks. Risk management practices must be forward-looking and designed to help leaders make better decisions, alleviate threats and to identify previously unknown opportunities to improve the efficiency and effectiveness of government operations. Management is also responsible for establishing and maintaining internal controls to achieve specific internal control objectives related to operations, reporting, and compliance. Management must consistently apply these internal control standards to meet the internal control principles and related components outlined in this circular and to assess and report on internal control effectiveness at least annually. Risk management practices must be taken into account when designing internal controls and assessing their effectiveness.”

Annually, management must provide assurance on internal control effectiveness in its Agency Financial Report (AFR) or Performance and Accountability Report (PAR), along with a report on identified material weaknesses and corrective actions.

The Circular also states that management is responsible for “the establishment of a governance structure to effectively implement, direct, and oversee implementation of the Circular and all the provisions of a robust process of risk management and internal control.”

According to A-11 guidance, ERM is:

“…an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically-aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize and manage risks to mission delivery. While agencies cannot mitigate all risks related to achieving strategic objectives and performance goals, they should identify, measure, and assess challenges related to mission delivery, to the extent possible.”

Purpose

The purpose of the OPM’s RMC is to develop, implement, and lead an enterprise-wide risk management program, including the strategies, policies, procedures, and systems established by management to identify, assess, measure, and manage the major risks facing the agency. The Council will also have responsibility for ensuring the establishment and maintenance of an effective system of internal control.

The RMC shall assist the RMC Chairperson by: 1) providing input and oversight for all risk management-related activities with regard to the overall mission and strategic goals and objectives; 2) enhancing understanding of the overall risk in accomplishing the agency’s strategic goals and objectives; and 3) reviewing the agency’s risk assessment methodologies to obtain reasonable assurance of the completeness and accuracy of mitigation strategies and their effectiveness in reducing the risk.

Responsibilities

The RMC shall have the following authority and responsibilities:
  1. Oversee the development, maintenance, and periodic update of an enterprise risk management program for governing, framing, assessing, valuing, mitigating, monitoring, and responding to enterprise risk;
  2. Champion a risk management culture and support the enhancement of risk management practices throughout the agency;
  3. Integrate risk reporting and management strategies into existing performance management structures, including Performance Dashboards, regular Results OPM meetings, and regular meetings of the Senior Executive Team (i.e., Senior Management Huddles);
  4. Establish requirements for reporting risks;
  5. Provide oversight of fraud risk management activities;
  6. View risks from an enterprise and program level and share all types and sources of risk related information among key stakeholders;
  7. Review significant issues raised by internal and external reports, audits, and reviews;
  8. Drive effective application of general Federal Managers’ Financial Integrity Act (FMFIA) and OMB Circular A-123 requirements at OPM;
  9. Recommend approval of the OPM Director’s annual FMFIA assurance statement;
  10. Provide oversight and accountability regarding OPM’s internal controls;
  11. Approve the overall results of internal control assessments, including any material weaknesses and or significant deficiencies;
  12. Assist management in implementing an internal control framework and fostering an organizational environment to support an on-going awareness of internal controls; and
  13. Advocate for an appropriate level of funding and resources to support ERM and internal control functions.

Membership

The RMC shall be chaired initially by Noah Peters, Senior Advisor to the Director, and will include the following members:
  1. Director, Office of Personnel Management
  2. Chief Financial Officer
  3. Chief Human Capital Officer
  4. Chief Information Officer
  5. Chief Information Security Officer
  6. Enterprise Risk Manager
  7. Senior Agency Official for Privacy
  8. General Counsel
The Enterprise Risk Manager will serve as Executive Secretary to the RMC. The RMC Chairperson, with the assistance of the Executive Secretary, will be responsible for:
  1. Establishing Board meeting frequency and schedules;
  2. Planning the meetings, including determining the focus of each meeting, preparing the agenda and determining the subject matter experts that will be needed;
  3. Chairing the meetings;
  4. Maintaining the agency’s Risk Profile; and
  5. Maintaining minutes of the meetings, recording decisions, and tracking action items.

Operating Procedures

The following guidelines apply to RMC actions:
  1. The RMC will generally meet on a monthly basis, but no less than quarterly.
  2. As needed, the RMC may establish subcommittees or other task teams to assist in carrying out its responsibilities.
  3. The RMC will address a broad range of risk management related issues, activities, and initiatives.
  4. Decisions required of the Council will be subjected to a vote of the members present. A quorum of the membership is required in order for the Council to conduct a vote. A quorum represents more than one-half of the Council members.
  5. A simple majority of the members present is required for acceptance or rejection of issues brought before the Council that require a vote. Members may designate a representative or assign a proxy for voting.
  6. The Council reserves the right to hold private meetings and executive sessions, as necessary.
The RMC’s responsibilities under this charter shall complement (not preempt, reduce, or otherwise alter) the responsibilities of the agency’s Office of the Inspector General, or any other agency governance committee, with the exception of those specifically related to managing risks, nor shall they be construed to relieve agency leaders of their primary responsibilities.

ERM Key Authorities

To understand how federal agencies manage risk effectively, it’s important to start with the policies that guide them. The following laws and directives form the foundation of Enterprise Risk Management (ERM) in the U.S. government, shaping how agencies plan strategically, maintain accountability, and ensure operational integrity.

ERM Key Authorities

Office of Management and Budget (OMB) Circular A-123
This is the cornerstone directive, updated in July 2016, that requires federal agencies to establish and integrate an ERM capability into their operations.

Government Performance and Results Act (GPRA) Modernization Act
This act requires agencies to link their strategic planning, strategic review processes, and risk management activities.

Federal Managers Financial Integrity Act (FMFIA) of 1982
This act establishes the requirement for effective internal control systems, which ERM processes help to achieve and enhance.
 
Control Panel