Effectiveness of TVA's Enterprise Risk Management Program

The OIG assessed the effectiveness of the Enterprise Risk Management (ERM) organization's role within TVA's overall risk management program. To aid in our assessment, we compiled the results of prior relevant audits and evaluations to identify common themes that bear on the ERM organization's effectiveness.We found TVA has made improvements in its ERM program since a 2008 OIG inspection was completed. However, we made the following observations in our recent review: (1) risks were not aligned to strategic objectives that support TVA's mission, (2) TVA had not established and communicated a risk appetite or risk appetite statement, (3) the risk management culture was not fully embedded throughout the organization, (4) risk tolerances reported by SBUs/BUs could be improved, and (5) multi-point risk assessments were not used as part of the risk assessment process. Also, the current application used to collect and analyze risks limits the effectiveness and efficiency of the ERM program, and information in and the process for reviewing TVA's risk management program guidelines and policy could be improved.We made six recommendations for improving the effectiveness of the ERM program. Prior to our issuing the final report, TVA addressed the deficiencies in its risk management policy and guidelines. Management generally agreed with the remaining findings and recommendations. Summary Only