Report File
Date Issued
Submitting OIG
Library of Congress OIG
Agencies Reviewed/Investigated
Library of Congress
Report Number
2020-PA-104
Report Description

What OIG Evaluated: 

 The objective of this audit was to determine the adequacy of the Library’s enterprise risk management policies and procedures including compliance with those procedures.

 

What OIG Found: 

- As the Library implements a more mature Enterprise Risk Management, it should form a governing body to ensure proper oversight and “tone at the top.”
- The Library would benefit from a more integrated budget and resource allocation process.
- To ensure successful implementation of enterprise risk management, the Strategic Planning and Performance Management Office should establish a risk appetite statement and/or risk tolerance for the Library and service unit levels.
- The Library would benefit from having a portfolio view of risks as part of its overall risk identification process.
- The Library would benefit from implementing a fraud risk framework that aligns with its overall risk management efforts.

What OIG Recommends: 

- The Strategic Planning and Performance Management Office add the establishment of an Enterprise Risk Management governing body to its Integrated Risk Management and Internal Controls Improvement Plan and maturity model.
- The Library establish the Enterprise Risk Management governing body during the integrated stage of maturity and prior to reaching enterprise-level of maturity.
- The Library designate a Chief Risk Officer to lead Enterprise Risk Management efforts and to work closely with an Enterprise Risk Management governing body to further the movement towards enterprise-level of maturity. 
- The Library incorporate risk considerations into its budgeting and resourcing approach.
- Strategic Planning and Performance Management Office provide guidance to the service units on risk appetite and risk tolerance, as well as update the Strategic Planning and Performance Management Office Guidance accordingly, even while Strategic Planning and Performance Management Office’s future-state efforts regarding risk appetite and risk tolerance are developing.
- Strategic Planning and Performance Management Office work with the service units to gain a further understanding of risks not being reported into COMPASS, in order to achieve a broader application of a portfolio view of internal and external risks.
- Strategic Planning and Performance Management Office revisit LCRs or LCDs to ensure any adjustments made to risk identification in the system be captured.
- Strategic Planning and Performance Management Office revisit the concept of “Out of Scope risks” in the context of the draft maturity model as of August 2020, which indicates an enterprise-level approach towards risk management as a key milestone between Fiscal Years 2020 and 2021.
- Strategic Planning and Performance Management Office define a path in its Integrated Risk Management and Internal Controls Improvement Plan regarding how to identify Fiscal Year Library-wide risks in the context of the draft maturity model as of August 2020, which indicates an enterprise-level approach towards risk management as a key milestone between Fiscal Years 2020 and 2021.
- Strategic Planning and Performance Management Office use the Government Accountability Office Fraud Risk Framework components as a guide for creating an internal fraud risk framework.
- Strategic Planning and Performance Management Office incorporate a fraud risk framework into their existing Integrated Risk Management and Internal Controls program.
- Strategic Planning and Performance Management Office revisit the future-state dashboard and determine how to incorporate the dashboard.

 

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
12
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Library of Congress OIG

United States