Audit of the NRC’s Implementation of the Enterprise Risk Management Process

Report Information

Date Issued:
Report Number: OIG-21-A-16
Report Type: Audit
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Develop and implement a process to periodically communicate a consistently understood agency risk appetite.

ADAMS Accession No: ML24240A239

Agency Response Dated June 28, 2024: The Office of the Executive Director for Operations (OEDO) staff is working to develop the agency’s risk appetite statement. Upon completion, the staff will implement a process to periodically communicate a consistently understood agency risk appetite. The agency’s risk appetite statement and associated process for periodic communication will be incorporated in the next revision to OEDO Procedure 0960. Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG will close this recommendation after reviewing the risk appetite statement and verifying that the revised OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, specifies the agency’s determination, implementation, and communication frequency regarding its risk appetite.

Status: Open: Resolved. The Office of the Executive Director for Operations (OEDO) staff is working to develop the agency’s risk appetite statement. Upon completion, the staff will implement a process to periodically communicate a consistently understood agency risk appetite. The agency’s risk appetite statement and associated process for periodic communication will be incorporated in the next revision to OEDO Procedure 0960. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC staff and to update OEDO Procedure 0960. Target Completion Date: September 29, 2023

Revise agency policies and guidance to:
a. Designate the official agency risk profile document and remove references to it as a U.S. Office of Management and Budget (OMB) deliverable in Management Directive 4.4, Enterprise Risk Management and Internal Control, and Office of the Executive Director for Operations Procedure 0960, Enterprise Risk Management Reporting Instructions.
b. Fully address the risk profile components and elements in accordance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.

Agency Response Dated June 28, 2024: The staff is revising agency policy and guidance to designate the official agency risk profile document, remove references to OMB deliverables, and fully address risk profile components and elements in accordance with OMB Circular A-123. The staff completed the revision to Management Directive 4.4 on April 3, 2023 (ML23073A073). The staff will revise OEDO Procedure 0960 as proposed in this recommendation. Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG reviewed the revised Management Directive 4.4 and confirmed that references to the agency risk profile as an OMB deliverable were removed. The OIG will close this recommendation after reviewing the revised OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, clarifying the designation of the official agency risk profile document, and detailing the risk profile components and elements in accordance with OMB Circular A-123.

Status: Open: Resolved. The staff is revising agency policy and guidance to designate the official agency risk profile document, remove references to OMB deliverables, and fully address risk profile components and elements in accordance with OMB Circular A-123. The staff will revise MD 4.4 and OEDO Procedure 0960 as proposed in this recommendation. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and to update OEDO Procedure 0960 as described in the updated response to Recommendation 1. Target Completion Date: September 29, 2023.

Implement an enterprise risk management maturity model approach by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model.

Agency Response Dated June 28, 2024: The revised Playbook: Enterprise Risk Management for the U.S. Federal Government guidance was issued by OMB in November 2022 and included an unchanged Federal ERM Maturity Model, previously assessed in June 2020. Staff will conduct a follow-up assessment using the Federal ERM Maturity Model and continue making progress with the implementation of this maturity model, including the development of an action plan with milestones to assess current practices and further advance the model. Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG will close this recommendation after verifying the NRC’s adoption and implementation of an appropriate enterprise risk management maturity model by selecting an appropriate model, assessing current practices per the model, and making progress in advancing the model through the milestones in the maturity model action plan.

Status: Open: Resolved. The NRC staff anticipated that OMB would revise and issue its primary guidance document for maturity models by late 2021. To date, this guidance document has not been issued, and the staff has not been able to obtain a revised date for publication. However, the staff will use the one-page maturity model that OMB has already developed to draft and implement the NRC’s ERM maturity model. The implementation of this maturity model will include the development of an action plan with milestones to assess current practices and advance the model. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC. Target Completion Date: September 29, 2023.

Establish and monitor implementation of procedures to ensure that Quarterly Performance Review (QPR) practices are fully performed, such as completion of the QPR Dashboard entries, and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on Enterprise Risk Management meeting minutes.

Agency Response Dated June 28, 2024: The staff plans to update OEDO Procedure 0960 with best practices based on this recommendation, including, but not limited to, completion of QPR Dashboard entries and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on ERM (ECERM) meeting minutes. The NRC staff has continued implementing this recommendation by ensuring that management decisions of risk discussed during the QPR meetings and ECERM meetings are recorded in the meeting minutes. Target Completion Date: September 30, 2024

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG will close this recommendation when it reviews the revisions to OEDO Procedure 0960, Enterprise Risk Management Reporting Instructions, and verifies the inclusion of procedures to ensure that QPR practices are fully performed, such as comprehensively completed QPR Dashboard entries and all risk-related management decisions resulting from QPR and ECERM meetings being recorded in the meeting summaries.

Status: Open: Resolved. The NRC staff has begun implementing this recommendation by ensuring that QPR practices are fully performed by September 29, 2023. The staff plans to update OEDO Procedure 0960 with best practices based on this recommendation, including, but not limited to, completion of QPR Dashboard entries and recordation of all management decisions of risk in the QPR meeting summaries and the Executive Committee on ERM (ECERM) meeting minutes. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and to update OEDO Procedure 0960 as described in the updated response to Recommendation 1. Target Completion Date: September 29, 2023.

Reconcile the business lines structure with the Office of the Chief Financial Officer to have a common business lines structure list. (Deviations from the common business lines structure list for either the Quarterly Performance Review or reasonable assurance processes may be clarified with applicable justification noted).

Agency Response Dated June 28, 2024: The OEDO and the OCFO staff worked together to establish and maintain a common business lines structure list. ERM, Internal Control, and Reasonable Assurance guidance was issued on February 6, 2024 (ML24018A217). Enclosure 2 of the guidance provides the business line structure list and identifies the lead and partner offices. OEDO restructured the Quarterly Performance Review meeting starting with the May 7, 2024, FY 2024 Quarter 2 meeting to present the Programmatic Senior Assessment Team risks in order of severity using the heat map in the Strategic Planning Application. The meeting agenda and summary described the change in process. Any future deviations from this business line structure for reasonable assurance or using risk severity for QPR discussions will be identified with written justification in the resulting product. Target Completion Date: Completed

OIG Analysis: The OIG reviewed the ERM, Internal Control, and Reasonable Assurance guidance issued on February 6, 2024, and the meeting agenda and summary provided by the NRC. These documents show that the business lines list has been reconciled and implemented. Therefore, this recommendation is now closed.

Status: Open: Resolved. The OEDO is working with OCFO staff to establish and maintain a common business lines structure list. Upon completion, the staff will update ERM-related guidance. Any deviation from this business line structure will be identified with written justification in the resulting product. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the ERM-related guidance. Target Completion Date: September 29, 2023.