How to Transition the Managers’ Internal Control Program (MICP) to a Fully Integrated Risk Management and Internal Control (RMIC) Program

In 2016, the Office of Management and Budget (OMB) revised the OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, to require implementation of an Enterprise Risk Management (ERM) capability that is coordinated with strategic planning, strategic review and internal control processes.

To facilitate alignment with updates to OMB Circular No. A-123, the United States Department of Defense (DOD) RMIC program is evolving beyond the historical regulation-based checklists to include an integrated risk-based approach for traditional internal controls testing with an emphasis placed on proactive enterprise risk assessments.

Risk assessments are considered proactive when process owners conduct reviews of their key controls on an annual basis to assess if the risk rating for each control is low, medium or high. Based on the rating determined, the processes can require testing annually for high-risk ratings or as infrequently as every three years for low-risk ratings. The ongoing monitoring of internal controls is pivotal to providing reasonable assurance that controls are properly designed and operating effectively.

How Can Your Organization Transition to a Fully Integrated and Proactive Risk Management Approach?

DOD agencies can mature their internal controls program to meet the expectations of OMB Circular No. A-123 by integrating risk management into day-to-day operations and streamlining risk reporting processes. To make this transition, organizations could consider the adoption of principles from The Institute of Internal Auditors (IIA) ‘Three Lines Model’ (previously referred to as the ‘Three Lines of Defense’) to help with the RMIC program transition and to strengthen internal control processes and stakeholder roles. 

Figure 1 below depicts The IIA’s Three Lines Model, including objectives for roles and responsibilities that exist at each level. By implementing an integrated risk program with a focus on the enterprise risk portfolio, agencies can align internal controls and governance with a top-down and bottom-up perspective on risk management. To achieve these objectives, leadership should prioritize governance, reporting and communication.

Figure 1: The IIA's Three Lines Model

How Can Your Organization Begin to Implement the Three Lines Model? 

The Three Lines Model applies to all organizations and helps identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. 

The Three Lines Model principles include: 

  1. Governance
  2. Governing body roles
  3. Management and first and second line roles
  4. Third line roles
  5. Third line independence
  6. Creating and protecting value

For details on each principle, refer to The IIA’s Three Lines Model position paper referenced in the footnote. The position paper is a valuable resource that includes a framework for how an organization of any size can implement the Three Lines Model.

To understand the ‘as-is,’ current state of your RMIC program, organizations can start with the following considerations:

Does an organization-wide internal control and ERM governance structure exist? 
The Government Accountability Office (GAO) suggests organizations adopt a formal governance structure to streamline communications. The three categories of an effective governance structure include:

  • The oversight body
  • Management
  • Personnel

By establishing an effective governance structure, organizations can build the foundation for a strong and effective internal control and risk management program. The RMIC program governance structure typically includes leadership (i.e., a senior assessment team) that provides oversight and accountability for the organization’s internal control program. From a risk perspective, this team oversees the establishment of the organization’s risk profile, conducts routine assessments of risks and develops an appropriate risk response for reporting purposes.

Is there an existing integrated risk-based approach for internal control evaluation? 
Organizations should take a risk-based approach for internal control evaluation. A true risk-based internal control evaluation approach starts with an assessment of the organization’s top risks. In doing so, organizations can understand the most important risks to them and design and implement relevant internal controls to mitigate those risks. This approach can be a key differentiator as organizations grow and evolve. 

As part of this process, organizations should consider internal review, audit and inspection reports issued by agencies such as the GAO, Office of Inspector General (OIG), Internal Review (IR) and/or Independent Public Accounting (IPA) firms. During the internal control evaluation planning process, stakeholders can incorporate reviews of findings identified to aid in risk identification and prioritization. 

Are there processes identified for implementation of automation and data analytics? 
Automation and data analytics help to enhance the audit process and internal control environment by improving testing outcomes and insights for key controls. Automated controls help to reduce the burden of manual processes and help avoid human error. Organizations can save time, improve data integrity, save on resources and develop tools to improve business processes by implementing effective cost-saving measures.  

Is risk management embedded into day-to-day operations and have reporting processes been streamlined?
Key stakeholders can influence the organization control environment daily by ensuring effectiveness and efficiency of operations within the business processes, which increases reliability for reporting. Management should communicate organization objectives often to ensure a vested interest from stakeholders. This helps to promote a culture of continuous improvement and data transparency needed to support risk-based decision making.   

The RMIC program is about much more than compliance with OMB Circular No. A-123 or audit sustainment. The program is the front line for evaluating the current state of your operations (both good and bad), the knowledge of which supports future-state decision making. We must move past looking at risk management programs, like the RMIC program, as a check-the-box exercise and, instead, look at these programs as key tools to drive efficiency, build confidence in organizational business processes and support effective decision making.

BDO Public Sector practice offers an array of services that can help, ranging from financial management, audit readiness and sustainability to data management, policy analysis and continuous process improvement with your organization’s RMIC program. We are committed to helping the DOD achieve a fully optimized and matured RMIC program. 


 1 As reported by The IIA in their 2020 position paper, “The IIA’s Three Lines Model: An update of the Three Lines of Defense”,