Building a Risk Profile, USAFE-AFAFRICA Style.
Some of the ways US Air Forces Europe--Air Forces Africa, Financial Management and Comptroller (USAFE-AFAFRICA/FM) manages risk include:
* answering Management Internal Control Toolset (MICT) questions;
* working Financial Improvement and Audit Remediation (FIAR) initiatives;
* developing statements of assurance and related Managers' Internal Control Program tasks;
* preparing for inspections (whether or not we should be "preparing");
* answering to Headquarters (HQ) and Major Command (MAJCOM)-level reviews;
* providing analysis on budget risk; and
* determining sufficient manpower levels.
There must be areas of overlap or connection. We must find a way to still accomplish all of these required and valuable tasks, but more efficiently, more effectively, and in a way that will lead to positive change throughout our Command and the Air Force. We believe we have found a solution that allows us to see the strengths and weaknesses within the organization, to provide leadership with situational awareness to adjust strategy, to make informed decisions, and to know where we can take some risk, and where we can't: Enterprise Risk Management (ERM).
ERM is by no means a new subject, but is something we have underused in the Air Force. Particularly in the private sector, ERM has become such a popular topic that articles and even books have been written about it. Entire conferences are dedicated to discussing the implementation of ERM frameworks, ERM successes and challenges, and businesses that boast their ERM models as the benchmark. There must be a reason. Simply put, ERM is a framework that allows us to look holistically at all of the risk management activities we are already accomplishing as individual, unrelated exercises. The Office of Management and Budget (OMB) has also noticed the positive aspects of ERM. The Director of OMB distributed a memo to the heads of Executive Departments and Agencies regarding changes to the OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control. (1) In it, he stated:
"The policy changes in this Circular modernize existing efforts by requiring agencies to implement an Enterprise Risk Management (ERM) capability coordinated with the strategic planning and strategic review process established by GPRAMA [Government Performance and Results Modernization Act], and the internal control processes required by FMFIA [Federal Managers' Financial Integrity Act] and Government Accountability Office (GAO)'s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions towards key risks."
The Committee of Sponsoring Organizations (COSO) defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (2) Although it is a start, had COSO stopped there, we don't think anyone would have adopted ERM. Let's break down that mouthful in terms of how we see ERM unfolding for the Air Force:
* an unceasing development spearheaded within USAFE-AFAFRICA, but needs to continue to grow throughout the Air Force to link our processes together
* a framework whose success will be determined by all Air Force personnel at every level
* an approach that needs to be handled strategically to maintain its holistic sense
* in the short-term, allow for a USAFE-AFAFRICA level portfolio view of risk, and in the long-term, an Air Force-level portfolio view of risk
* enable us to identify risks capable of affecting the Air Force mission, and the ability to manage those risks at an acceptable level
* provide assurance to Air Force leadership and the US taxpayer that risks are being identified, monitored, and resolved as necessary
Because ERM has been so widely adopted, there are many models available to assist agencies/organizations in implementing a framework. Figure 1 is the example presented in the OMB Circular No. A-123. (3)
If we look at this model from the outside ring and move inward, we transfer from areas where we have less control to more control. The outer ring, Risk Environment/Context, represents items we cannot directly affect, but must be aware of and able to respond. We have only slightly more control over the risks arising from the next ring, Extended Enterprise. These risks arise from partnerships we have and require with entities such as state and local governments, and employee bargaining groups. That leads us to the real "meat" of the ERM model ... the innermost blue ring and the blue hexagons. These elements are the most commonly used in developing an ERM framework, but vary in meaning based on the organization. By combining the structure and goals of this model, we developed our own ERM framework model for USAFE-AFAFRICA (Figure 2).
The outer, gray ring of Figure 2 is the same as the OMB Circular No. A-123 model. As a public sector entity, these are particularly relevant for the Air Force. The changes start as we move inward. For example, our Wings and Directorates are represented, as well as foreign governments and employee bargaining groups. As a MAJCOM touching two continents, 104 countries, and the differing cultures, languages, currencies, employment practices, and traditions that come with this type of operating environment, these elements are particularly important for USAFE-AFAFRICA, and must be considered in everything we do. We have chosen to use the inner ring and hexagons to represent the core risk management functions we accomplish daily at USAFE-AFAFRICA.
At the center of our model is the Wing Integration Brief, a process we use as an open communication tool with each of our Squadrons. The brief includes monthly internal discussions between each section of USAFE-AFAFRICA/FM, as well as communication with the Air Force Installation and Mission Support Center, the Wing Comptrollers, and Comptroller Squadron personnel. We cannot overstate the importance of our Comptroller Squadrons in the ERM profile, and without them the Wing would not have the resources, nor the support to carry out their mission. General David Goldfein, the Chief of Staff of the Air Force, said it best, "The squadron is the beating heart of the United States Air Force; our most essential team. We succeed or fail in our missions at the squadron-level because that is where we develop, train, and build Airmen." (4) By discussing topics such as best practices, training, risk to operations, and areas of improvement, we are able to develop solutions and respond to risk areas timely and effectively across the FM enterprise. Above all, ERM has allowed us, as a MAJCOM, to understand and remove the roadblocks hindering us from moving full steam ahead to success.
Taking a step back, the hexagons surrounding the Wing Integration Brief include areas of internal and external review that build our risk profile. Each area provides insiqht and indicators of how a unit is performing. Most of the areas are common across organizations and government agencies such as recurring inspections, reviewing manpower levels, establishing metrics, audits by external entities, and status of funding and resources. However, these functions still left us with gaps in our risk profile so we chose to add other functions we accomplish routinely, molding the pieces to complete our ERM puzzle.
Creating new products was not the name of the game when developing our ERM profile. We set out to enhance existing processes and requirements to sync daily functions to risk. Our first focus was attacking our inability to assess progress within MICT. The problem: data in MICT is updated only semiannually and required reviews and follow-ups were sporadic, at best. An example bringing this risk gap to light was a unit inspection by the Inspector General. They identified serious disconnects between the unit's reports and how they were actually performing their processes and procedures. This resulted in a failed inspection. Our solution: formalizing the feedback loop using a Continuous Evaluation Process (CEP). Our USAFE subject matter experts leverage MICT and other focus areas to review current processes and supporting data providing feedback based on expertise, policy, and regulation. The CEP allows Wings to improve mission effectiveness, deliver top notch FM support, and develop a more capable and effective Wing. It also allows us to identify trends, take action on negative trends, and improve the quality of FM operations across the MAJCOM. The result: a formal communication tool to evaluate and validate if a unit is on track, which in one instance turned a failure into a pass during re-inspection.
A MAJCOM process to assess base performance each quarter from a functional perspective highlighted another risk gap. The problem: assessments were communicated a quarter after the data was compiled, placing organizations in a reactive posture. Our internal problem was the subjective justification for ratings which became hard to stand by with no solid data to back them. Our solution: establishing objective scoring based on key accounting and budget data called the Wing Assessment and providing responsive and proactive feedback. Every month our accounting team builds an assessment based on already established accounting and quality assurance measures. Each measure has been given a weight of importance impacting the risk rating. The team also compares data in MICT with the metrics core risk management function in our ERM model determining whether current processes are effective and status is being reported correctly. Does the comparison sound like it could influence another area in our risk profile? If you said "yes," you are correct. The Wing Assessment directly influences focus areas reviewed during our CEP. We no longer look at our core functions through a narrow view, but step back and see how we can weave our efforts to minimize drag and maximize effectiveness. Work smarter, not harder.
In the Air Force we say, "Flexibility is the key to airpower." Well, in risk management you could say, "ERM is the key to flexibility." ERM allows us to see the strengths and weaknesses within the organization, to provide leadership with the situational awareness to adjust strategy, to make informed decisions, and to know where we can take some risk, and where we can't. We have made tremendous strides in building our risk profile and we don't plan on stopping. ERM is an unceasing effort filled with continuous risk identification, assessment, and flexibility in responding to changes within the risk environment. We are excited about the possibilities ahead as this approach matures within our organization and throughout the Air Force. Try on ERM, USAFE-AFAFRICA/FM style, and see how it fits!
The authors thank Col George W. Tombe, IV, HQ USAFEAFAFRICA/FM, and Col Trevor L. Williams, HQ USAFEAFAFRICA/FMA, for their leadership, helpful information, and review of this article.
(2) Enterprise Risk Management--Integrated Framework, Executive Summary, September 2004
(3) OMB. Circular A-123, Management's Responsibility for Internal Control, July 15, 2016.
(4) Chief of Staff United States Air Force. General David L. Goldfein. "Letter to Airmen." August 2016.
Caption: Figure 1
Caption: Figure 2
Caption: This article was written as a group effort by the Financial Analysis and Integration team at HQ USAFE-AFAFRICA/FMAI located at Ramstein AB, Germany. The team is comprised of military, US civilian, and local national employees. Eight of the nine authors belong to the AMSC Rheinland-Pfalz Chapter.
Front row (left to right): Capt Christopher Lester, Sara Connolly-Somich, Tanisha Sansbury, Gervacio Moreno, Kimberly Burnett. Back row (left to right): Arsene Buchheit, Capt Matthew Daniels, MSgt Michael S. Adams, Roland Kawig. Members of the Financial Analysis Integration Team, HQ USAFE-AFAFRICA/FMAI at Ramstein AB, Germany.
|Printer friendly Cite/link Email Feedback|
|Author:||Connolly-Somich, Sara D.; Daniels, Matthew R.; Moreno, Gervacio P.; Kawig, Roland; Lester, Christoph|
|Publication:||Armed Forces Comptroller|
|Date:||Mar 22, 2018|
|Previous Article:||Key Performance Indicators: What Can They Do for You?|
|Next Article:||PDI: Twelve Questions to Make the Most of It (or any Travel).|