OMB draft strips ERM from Circular A-123
As part of its rewrite of Circular A-123, OMB has removed references to enterprise risk management, folding those concepts back into its internal controls framework, a shift decried by risk practitioners. Experts warn this rollback risks sidelining holistic oversight cultivated since the 2016 update, which many view as crucial in an era of complex operational and cybersecurity threats.
Karen Hardy, president of the Association for Federal Risk Management, told Federal News Network that embedding ERM into A-123 elevated risk discussions to the C-suite, facilitating cross-agency dialogue on emerging challenges. “Risk management becomes a second thought rather than a strategic imperative,” she said.
A government official involved in ERM implementation noted the draft’s tighter focus on internal control processes narrows risk assessments to compliance checklists instead of agencywide risk portfolios. “By folding ERM back into controls, leadership loses a top-down view of critical threats that could evolve into crises,” the official said.
OMB first enshrined ERM in A-123 in its July 2016 revision to align with the Federal Managers’ Financial Integrity Act (FMFIA) and the Government Performance and Results Modernization Act (GPRMA), establishing a formal ERM capability across all CFO Act agencies. Since then, a 2024 survey by the Association for Federal ERM and Guidehouse found that 85 percent of federal organizations maintain formal ERM programs, underscoring broad adoption across government and industry.
Agencies had only one week to comment on the draft and received a one-week extension after stakeholders raised concerns about the accelerated timeline.