Enterprise Risk Management

Number: DAO 216-20
Effective Date: 2014-03-13


.01   This Order sets forth the policy for the Department of Commerce’s (the "Department") Enterprise Risk Management (ERM).  The ERM program provides a framework for proactively identifying, managing and treating risk in achieving the Department’s strategic objectives and mission; and seeks to integrate risk management into operations in order to improve organizational effectiveness.  The Department defines risk as the effect of uncertainty on objectives.  The Department and its operating units work collaboratively to identify and manage risks across the Department.  The ERM program establishes a structure to help the Department:

a.   Increase the likelihood of successfully delivering on the Department’s and bureaus’ goals and objectives;

b.   Encounter fewer unanticipated outcomes;

c.   Better identify, assess, and treat risks;

d.   Clearly describe to customers and other stakeholders what the Department is doing to manage its risks; and

e.   Reduce redundancy and improve integration among risk management methods and ensure cost-effective implementation.

.02   This Order establishes the basis for an integrated, comprehensive approach to identify, measure and manage risk throughout the Department.

.03   The policies in this directive apply to all operating units and Departmental offices.

SECTION 2. Authority.

.01   The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) and the Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, require every Federal agency to conduct an annual evaluation of its systems of internal control and to submit an annual report to the President and the Congress on the results of that evaluation and the adequacy of those systems.

The OMB Circular A-123 stipulates that “Federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations.  Internal control is a means of managing the risk associated with Federal programs and operations.  Managers should define the control environment and then perform risk assessments to identify the most significant areas within that environment in which to place or enhance internal control.  Management should also identify internal and external risks that may prevent the organization from meeting its objectives.”

.02   The Office of Program Evaluation and Risk Management’s (OPERM) authority is delegated through DOO 10-5, Chief Financial Officer and Assistant Secretary for Administration, dated January 5, 2011.

.03   The Department’s Chief Risk Officer’s authority is delegated through DOO 20-30, Director for Program Evaluation and Risk Management, dated January 7, 2011.


.01   Government Performance and Results Modernization Act of 2010

.02   Chief Financial Officer Act of 1990

.03   International Organization for Standardization 31000 Risk Management Standard

.04   Government Accountability Office Risk Management Framework

.05   Department of Commerce Enterprise Risk Management Guidebook

.06   Government Accountability Office Standards for Internal Control in the Federal Government


The Department’s ERM policy is as follows:

.01   An enterprise risk management process shall be applied across the Department.  Unifying efforts across the Department will ensure that strategies and actions are informed by a common understanding of risk, which is an essential requirement to inform priorities and allocate resources.

.02   Risk management practices at all levels shall be integrated into informed decision making and priority setting.  Ensuring that risk information and analysis are incorporated into strategic and operational decision-making is fundamental to both the Department and bureau success.  Identification of potential risks and avoidance or mitigation of those risks is a critical management responsibility to have informed business decisions.

.03   Emerging risks to Department and Bureau objectives shall be dynamically identified and managed.  Using risk information and analysis will make the Department program assumptions more transparent, strengthen processes, encourage innovation, and provide the basis for more informed, defensible decisions, made with the best available tools and information for the best achievable outcomes.

.04   Consistent and disciplined consideration and treatment of risk shall be part of day-to-day processes.  Enterprise risk management must be a visible and integral part of the Department culture allowing the Department to fulfill its mission and goals more effectively.


.01   The Department shall establish an executive governance committee composed primarily of senior level representatives from the Department that (1) provides policy and management oversight and advice regarding ERM implementation and operations, (2) facilitates ERM governance and consideration of risk as an element of Department decision-making, and (3) informs Departmental management of progress towards ERM system maturity and the efficacy of current policy.

.02   The Department shall establish a Risk Management Council that makes recommendations and advises on the development and implementation of processes for identifying, assessing, treating, monitoring and reporting organizational risks, and that fosters sound risk management practices throughout the Department.


.01   Bureau Heads shall:

a.   Appoint a Risk Management Officer (RMO).

b.   Ensure the bureau implements ERM in accordance with this policy.

c.   Ensure timely submission of annual Assurance Statements required by FMFIA.

.02   The RMO shall:

a.   Serve as the champion for overseeing the implementation, integration and management of the ERM framework within the bureau.

b.   Serve on the Department’s Risk Management Council.

c.   Update the bureau Risk Inventory annually and elevate common or Department-level risks to OPERM as needed.

d.   Work with the bureau’s Senior Assessment Team (SAT) to address risk as appropriate.

e.   Oversee, assess and report on bureau ERM maturity annually.

.03   Bureaus and Departmental Offices shall carry out risk management processes and integrate them into day-to-day operations as a means of institutionalizing risk management across the Department.

.04   The Office of Program Evaluation and Risk Management (OPERM) leads the Department in increasing knowledge and understanding of risk, coordinating risk management efforts, and monitoring execution of enterprise risk policy across the Department.

.05   The Office of Financial Management (OFM) oversees, assesses and tests the internal controls over financial reporting (ICOFR) as part of the requirements outlined in Appendix A of OMB Circular A-123. OFM works with the bureau SAT in leading this effort.

.06   Managers and Supervisors ensure that those with risk management responsibilities are properly trained and that employees are aware of and follow sound risk management policies and practices.

.07   Employees are responsible for managing risk within their area of responsibility.


Continuous improvement of the ERM program will be conducted to incorporate lessons learned and best practices.  Every five (5) years, an independent review of the ERM Framework and program will be performed on behalf of the Department for the purpose of evaluating the program’s effectiveness.

Signed: Chief Financial Officer and Assistant Secretary for Administration

Office of Primary Interest: Office of Program Evaluation and Risk Management


Page last updated: March 18, 2014