Audit of the NRC’s Implementation of the Enterprise Risk Management Process

Report Information

Date Issued:
Report Number: OIG-21-A-16
Report Type: Audit
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Update policies and guidance to address Management Directive 4.4, Enterprise Risk Management and Internal Control, and Management Directive 6.9, Performance Management, links to the Quarterly Performance Review (QPR) and reasonable assurance processes to accurately reflect that both agency processes address different aspects of enterprise risk management (ERM). This includes, but is not limited to:

a. Updating Management Directive 6.9 for the expanded risk responsibilities added to the QPR process;
b. Explaining the role of the Programmatic Senior Assessment Team (PSAT) in the QPR process in Management Directive 6.9;
c. Specifying the Executive Committee on ERM (ECERM) role in decision-making of PSAT risks and ECERM focus areas in Management Directive 4.4;
d. Cross-referencing Management Directive 4.4 to Management Directive 6.9 to clearly show that ERM implementation activities through the QPR process eventually lead to the ERM focus areas and the reporting of ERM in the Integrity Act statement; and,
e. Including Management Directive 4.4 and Office of the Executive Director for Operations (OEDO) Procedure - 0960 in Management Directive 6.9, “Section VI. References.”

Agency Response Dated June 28, 2024: The NRC staff is revising the guidance documents as mentioned in this recommendation. The staff completed the revision to Management Directive 4.4 on April 3, 2023 (ML23073A073). The annual reassurance guidance document was issued on February 6, 2024 (ML24018A217). The revised Management Directive 6.9 is to be issued in September 2024. Target Completion Date: September 30, 2024.

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG previously closed 6.c. The OIG will close this recommendation after review of the revised Management Directive 6.9 for recommendations 6.a, 6.b, 6.d, and 6.e.

Status: Open: Resolved. The NRC staff is revising the guidance documents as mentioned in this recommendation. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the guidance documents. Target Completion Date: September 29, 2023.

Update policies and guidance to clarify the effective date of the quarterly risks in the Quarterly Performance Review (QPR) process.

Agency Response Dated June 28, 2024: The OEDO is working with OCFO to update policies and guidance to clarify the effective date of the quarterly risks in the QPR process. The staff completed the revision to Management Directive 4.4 on April 3, 2023 (ML23073A073) to state that: “At the end of the fiscal year, including the results of the fourth quarter of the fiscal year to address OIG Audit OIG-21-A-16, recommendation 7, the ECERM assesses the agency’s programmatic operations, financial systems, and internal control over reporting.” Instructions for inclusion of fourth-quarter risks will also be included in the revision to OEDO Procedure 0960. Target Completion Date: September 30, 2024.

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG reviewed the revised Management Directive 4.4 and confirmed that the agency clarified that fourth-quarter risks are to be included in the QPR process. The OIG will close this recommendation after verifying the agency’s revision to OEDO Procedure 0960, which includes instructions for including fourth-quarter risks.

Status: Open: Resolved. The OEDO is working with OCFO to update policies and guidance to clarify the effective date of the quarterly risks in the QPR process. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC and update the guidance documents. Target Completion Date: September 29, 2023.

Require enterprise risk management-specific training that addresses U.S. Office of Management and Budget Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control requirements and current best practices, and periodically provide it to NRC personnel with ERM responsibilities.

Agency Response Dated June 28, 2024: The staff is developing ERM training that will address OMB Circular A-123 requirements and best practices. This training will periodically be provided to staff with ERM responsibilities. Additional time to complete this item is necessary to incorporate changes to guidance documents into the training materials and to facilitate further staff collaboration within the NRC to finalize the training. Target Completion Date: December 31, 2024.

OIG Analysis: The proposed actions meet the recommendation’s intent. The OIG will close this recommendation after verifying (1) the ERM training addresses OMB Circular A-123 requirements and current best practices, and (2) the revised policies pertaining to ERM specify the competencies required for the NRC personnel with ERM responsibilities and the ERM training requirement frequency.

Status: Open: Resolved. The staff is developing ERM training that will address OMB Circular A-123 requirements and best practices. This training will periodically be provided to staff with ERM responsibilities. Additional time to complete this item is necessary to facilitate further staff collaboration within the NRC to finalize the training. Target Completion Date: September 29, 2023.