Federal Student Aid: Efforts to Implement Enterprise Risk Management Have Not Included All Elements of Effective Risk Management

The objective of our audit was to determine the extent to which Federal Student Aid (FSA) had implemented its enterprise risk management (ERM) framework. FSA did not implement all elements of its ERM framework or implement all elements characteristic of effective ERM. FSA developed an ERM framework, established a risk management office, and created a risk management committee. However, FSA did not fully implement the following elements characteristic of effective ERM.(1) Internal Environment: FSA did not define and retain records of management’s risk management philosophy, risk appetite, or risk tolerance.(2) Information and Communication: FSA did not communicate management’s risk management philosophy, risk appetite, or risk tolerance; FSA’s ERM framework; or information about FSA’s enterprise-level risks to internal and appropriate external stakeholders.(3) Objective Setting: FSA did not ensure that objectives and risk responses were aligned with management’s risk appetite.(4) Event Identification: FSA did not identify and assess risks in a way that ensured that it had a complete risk profile (set of enterprise-level risks) to evaluate. (5) Monitoring: FSA did not annually evaluate ERM efforts to assess whether FSA was achieving its ERM objectives or reducing risks to be within the level management was willing to accept.Because FSA management did not ensure that all elements of FSA’s ERM framework and all elements characteristic of effective ERM were fully implemented, it did not have reasonable assurance that ERM efforts helped management achieve its ERM objectives and reduced enterprise-level risks to be within the level that management was willing to accept.