ICE Office of Policy Enterprise Risk Management ERM - PowerPoint PPT Presentation


Slides: 33
Provided by: consulti1

Title: ICE Office of Policy Enterprise Risk Management ERM

ICE Office of Policy Enterprise Risk Management
AGA-DC and GWSCPA 8th Annual Conference Briefing
  • Enterprise Risk Management (ERM) Overview
  • DHS Shifting towards risk-based decision-making
  • Current ICE ERM accomplishments
  • Initial ICE gaps and challenges
  • Current ICE gaps and challenges
  • How ICE would benefit from a fully capable ERM
  • Potential Future of ICE ERM
  • Key Dimensions for Successful ERM
  • General Process to Achieve Desired End State

ERM Overview
  • Enterprise Risk Management informs the strategic
    allocation of resources ICE-wide in order to most
    efficiently mitigate risk events to ICE's mission
    area both in steady-state and crisis environments.
  • ERM is designed to assist in establishing and
    executing ICE-wide senior leadership's priorities
  • Align risk events to senior leadership's
    strategic goals
  • Inform the link between strategic planning and
    budgeting to improve efficiency and transparency
  • Identify performance metrics focused on increased
    efficiency and best resource allocation across
    all ICE programs
  • Example: ERM proposes where, how and how many
    resources should be deployed to best mitigate
    risks of human smuggling and trafficking into the

ERM Overview
  • 2006: No formalized risk management process in
  • 2007: ICE Office of Policy initiated its first
    risk management program (ERM I), working with
    outside consultants and representatives from
    every major ICE program office
  • 2008: ICE concludes first risk management
    program (ERM I) resulting in the identification
  • 31 prioritized risk events
  • Risk definitions and descriptions including
    assessment of adversary threat, ICE
    vulnerabilities and consequences to the Homeland
  • Optimal program strategies to mitigate high and
    medium risks
  • 2009: Conceptualized next generation of risk
    management, ERM II, which includes lessons
    learned, enhanced risk techniques, and improved
    alignment with risk partners from the level of
    risk ownership to federal enterprise architecture
    business lines

DHS Shifting towards risk-based decision making
OMB, FY2010 Terminations, Reductions, Savings, May 7, 2009: The Administration is proposing to eliminate the Emergency Operations Center (EOC) Grant Program in the 2010 Budget because the program's award allocations are not based on risk
February 3, 2009. Secretary Napolitano's letter to Director OMB: For the longer term, I am also working to increase the Department's ability to incorporate risk analysis into its budget development process.
Bottom Line: Risk will be used to justify budget

DHS Shifting towards risk-based decision making
Current and Emerging Mandates
HSPD-7, Sect. 14, Critical Infrastructure Identification, Prioritization, and Protection: The Secretary will establish uniform policies, approaches, guidelines, and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors along with metrics and criteria for related programs and
Homeland Security Act 2002, Sect. 889: The President shall include in each budget a detailed, separate analysis, by budget function, by agency, and by initiative area (III) the most recent risk assessment and summary of homeland security needs in each initiative area.
Integrated Planning Guidance 2011-2015, December 2008: programs which act in the incident chain will be asked to answer how effective their programs are at reducing risk associated with identified incident sets. To accomplish this, components, directorates and offices shall gather or generate evidence to support these effectiveness judgments. Components should be prepared to provide relevant cost information and anticipate answering questions about the expected program effectiveness impact of budget increments or
Recommendations made to Secretary Napolitano, DHS Tier II Risk Steering Committee, April 29, 2009: Issue a DHS Management Directive establishing the processes, roles and responsibilities for achieving integrated risk management in DHS.
Bottom Line: Risk management will move from optional to required.

DHS Shifting towards risk-based decision making
Continuous Congressional Pressure
GAO Report on TSA use of Risk Assessments, March 2009: In recent years, the President and Congress have provided that federal agencies with homeland security responsibilities are to apply risk management principles to inform their decision making regarding allocating limited resources and prioritizing security activities.
FY 2010 Budget of the U.S. Government, Terminations, Reductions, and Savings: Due to the lack of risk assessments as recommended by GAO, the Administration is terminating the Trucking Security Program, Inter-City Bus Security Grant Program, and Emergency Operations Center Grant Program.
Bennie Thompson, Chairman of the Committee on Homeland Security, April 22, 2009: I look forward to working with President Obama and Secretary Napolitano to foster a culture at DHS that meaningfully embraces risk management principles so that programs and money are directed to where they are needed most.
Bottom Line: Congress will monitor DHS components' progress on risk management

DHS Shifting towards risk-based decision making
Mgt. Directive
Current recommendations to Secretary Napolitano
S1 letter to OMB
2009 Interim IRMF
IPG 2011-2015
2006 NIPP
2009 NIPP
2005 ICE-specific GAO Report on OI
2004 HSPD-10
2003 HSPD-7
2002 Homeland Security Act
GAO-06-462T: Better Management Practices Could Enhance DHS's Ability to Allocate Investigative Resources
NOTE: There are also numerous GAO reports calling on DHS to conduct Risk Management, such as:
  • GAO-09-492: Comprehensive Risk Assessments and
    Stronger Internal Controls Needed to Help Inform
    TSA Resource Allocation
  • GAO-06-91: Risk Management: Further Refinements
    Needed to Assess Risks and Prioritize Protective
    Measures at Ports and Other Critical
    Infrastructures
  • GAO-05-790: Homeland Security: Actions Needed to
    Better Protect National Icons and Federal Office
    Buildings from Terrorism
  • GAO-02-208: A Risk Management Approach Can Guide
    Preparedness Efforts
  • GAO-02-150T: Homeland Security: Key Elements of a
    Risk Management Approach

Current ICE ERM accomplishments
  • Established Strategic Management Division within
    Office of Policy
  • Established Risk Working Group with
    representatives from all ICE stakeholder programs
  • Developed preliminary category of risk events
    aligned to draft strategic plan
  • Identified Executive Risk Officers and subject
    matter experts for each risk event
  • Conceptualized Enterprise Risk Management program
    framework over two phases
  • ERM I
  • ERM II

Current ICE ERM accomplishments
  • ERM I Prototype concluded 3/09 (See Appendix A
    for additional detail)
  • Identified 56 risk events prioritized into high,
    medium and low categories
  • Assessed adversary threats
  • Assessed ICE vulnerabilities
  • Assessed consequences to the Homeland
  • Developed draft strategies to mitigate high and
    medium risks
  • ERM II Framework began development 11/08 (See
    Appendix B for additional detail)
  • Conceptualized next generation of risk management
  • Adversary-based
  • Advanced decision-making platforms
  • Connected sequential risk events (precursors and
  • Enhanced optimization criteria to include more
    than cost-benefit

Current ICE ERM accomplishments
  • According to an analysis done by RMA, ICE is
    among the top 6 of risk programs at DHS that
    formally consider all steps in the risk
    management cycle.
  • These include
  • ICE Enterprise Risk Management model
  • NPPD National Communications Sector Risk
  • TSA National Transportation Sector Risk Assessment

Initial ICE gaps and challenges
  • ICE's initial decision-making processes included
    the following gaps
  • After extensive research, learned there were no
    known models that fit the needs of ICE law
  • Relevant stakeholders had not been identified
  • Undesirable Events (UDEs) that affect ICE's
    ability to attain goals identified in draft ICE
    Strategic Plan not identified.
  • Risk definitions, risk algorithms, risk
    descriptions including adversary threats, ICE
    vulnerabilities and consequences to the Homeland
    had not been developed.
  • Unclear how risks would be delineated (High,
    Medium, Low???)
  • ICE's ERM program faced the following challenges
  • Funding lines were unclear.
  • Lines of authority were unclear.
  • How does one quantify the unquantifiable?
  • How does one determine which mitigation
    strategies are most viable (cost-benefit,
    national security, leadership individual

Current ICE gaps and challenges
  • ICE's current decision-making processes include
    the following gaps
  • Decisions are currently made without formal risk
    analyses to support them.
  • Decisions are reactive, not proactive.
  • Risk management is not specifically aligned to
    the budget process.
  • Performance measures currently in place do not
    reflect ICE programs' risk mitigation
  • ICE's ERM program faces the following challenges
  • ERM needs additional senior leadership support,
    direction, and championship to be effective.
  • The ERM program is currently supported by only 2
  • The ERM program cannot be fully implemented with
    current IT capabilities.

ICE benefit from a fully capable ERM program
  • A fully capable ERM program will help ICE
    identify the best resource allocation solutions
    to mitigate risks, thereby maximizing law
    enforcement coverage with limited resources,
    realizing cost efficiencies, and aligning ICE
    with Secretary Napolitano's commitment to
    transparency and efficiency and One DHS.
  • Efficiency: Helps determine optimal allocation of
    resources to mitigate risks in current risk
  • Performance-based: Provides capability to analyze
    effectiveness of mitigation strategies and
    individual programs in risk mitigation
  • Transparency: Documents risk-based resource
    allocation decisions
  • Preparedness: Provides possible crisis response
    plans when needed with full sensitivity and
    outcome analysis
  • One DHS: Coordinates with DHS RAPID and component
    agency risk programs

Potential Future of ICE ERM
  • This program will ultimately
  • Integrate into the PPBE process to allow ICE's
    finite resources to be allocated in a transparent
    and efficient manner
  • Monitor agency risk reduction effectiveness to
    increase efficiencies and identify the best
    resource allocation across all ICE Programs
  • Identify best action plans in times of crisis
    including consequences of resource shifts
  • Interface with DHS RAPID
  • ICE infrastructure of the ERM program will be
    aligned so that Risk Champion reports directly
    to Assistant Secretary or their designate.
  • Establish culture of risk management, endorsed
    and championed by senior leadership
  • Continue to engage internal and external risk
    partners/stakeholders to build stronger tool(s)
    from lessons learned both from ICE and other risk

Key Dimensions for Successful ERM
    dimension encompasses the organization's tone at
    the top, risk governance structure, risk and
    compliance roles and responsibilities, risk
    management policies including tolerance of
    specific types of risk.
  • Key Recommended Practices
  • Management annually describes its policy and
    process for risk assessment and risk management
    for all risks that constitute a major exposure.
  • Leadership has established a threshold above
    which all risks must be reported.
  • Risk policies and procedures are effective, well
    disseminated, supported by an effective
    disciplinary system, and updated on a periodic
  • Accountability and authority for risk taking are
    clearly defined throughout the enterprise.
  • Specific executives are assigned
    responsibility and accountability for the
    identification, assessment, prioritization, and
    management of specific risks.
  • Senior leadership is effectively engaged in the
    risk management process, serving as a risk
    oversight and decision-making body.
  • Business units/functions play a key role in the
    risk management process by effectively tracking
    risk information, participating in risk
    assessments, and using risk information to
    mitigate risks and develop business strategies.
  • The enterprise systematically considers risk as
    part of its core decision-making processes.

Key Dimensions for Successful ERM
    dimension involves the processes for identifying
    and assessing potential internal and external
    risks that are relevant to the mission and could
    affect the entity and its key objectives,
    projects, processes, functions and/or systems.
    Interdependencies between risks should be
    considered. Strategic, execution and operational
    risks should be identified and assessed. Risk
    assessment enables the organization to consider
  • (1) The extent to which potential events may
    have an impact on achievement of its objectives,
  • (2) The net exposure of the organization after
    taking into account current risk mitigation and
  • Key Recommended Practices
  • Standardized and robust risk definitions have
    been developed and shared and are updated
  • Tools and techniques (such as self assessments,
    stress tests, sensitivity analysis, and SWOT
    analysis) are effectively used to identify how
    the enterprise might fail to achieve its
  • Assessments are both qualitative and quantitative
    and utilize appropriate tools and techniques
    consistent with the type and complexity of risk.
  • Risk interdependencies are clearly identified and
  • Internal and external subject matter specialists
    are involved in risk assessments.

Key Dimensions for Successful ERM
    is management's determination on how best to
    respond to a specific risk or set of risks. This
    includes whether to avoid, accept, mitigate,
    monitor, or transfer risks. Risk response also
    involves the process of prioritizing risks,
    allocating resources, and executing risk response
    plans. The focus of recommended practices in this
    dimension is on developing, evaluating and
    deploying risk mitigation strategies.
  • Key Recommended Practices
  • Effective risk mitigation strategies are
    identified and evaluated for alignment with the
    organization's risk appetite and size and scope
    of the risk exposure.
  • Risk mitigation strategies are designed and
    prioritized to incorporate such factors as speed
    of risk onset, likelihood of occurrence,
    vulnerability, cost of mitigation (compared to
    expected benefit), degree of difficulty, and
    effort to implement.
  • Risk mitigation strategies are aligned with
    organizational and financial objectives through
    the budgeting and planning process.
  • Risk mitigation strategies are integrated and
    communicated to provide effective and timely
    enterprise-wide preparation, response, and
  • Risk mitigation strategies are reviewed to ensure
    they meet compliance requirements (e.g.,
    mandatory disclosures, etc.).
  • Risk owners/managers are supported with tools,
    experienced staff, venues for discussion,
    knowledge-sharing, and advisory services.

Key Dimensions for Successful ERM
    Control activities are the policies, procedures,
    and systems that help ensure that an
    organization's risk mitigation plans are carried
    out. Control activities include approvals,
    authorizations, verifications, reconciliations,
    reviews of operating performance, security of
    assets, and segregation of duties, among others.
    Controls must be periodically tested and verified
    to ensure they are designed appropriately and
    operating as intended.
  • Key Recommended Practices
  • Management has defined and implemented
    appropriate, effective control activities (e.g.,
    preventive, detective, manual, and automated
    controls) to ensure the quality of risk
    mitigation strategies.
  • Controls are effectively tested across key
    processes, systems, and functions throughout the
  • A systematic, independent verification of the
    risk management process (including risk
    assessment, mitigation, and testing) is performed
    on a periodic basis.

Key Dimensions for Successful ERM
    Risk intelligence is the product resulting from
    gathering and analyzing an organization's risk
    information. Pertinent risk intelligence is
    identified, captured, and communicated on a
    timely basis to allow trained people to carry out
    their responsibilities. Personnel are trained to
    make rapid and appropriate decisions using risk
    intelligence provided to them.
  • Key Recommended Practices
  • Risk information is effectively incorporated into
    core business decision-making processes (e.g.,
    strategic planning, capital allocation, etc.).
  • Risk information reporting systems enable
    managers to access, aggregate, analyze, and
    report on relevant risk data.
  • Risk information is shared throughout the
    enterprise, as well as with external
  • Effective risk management training is carried out
    at all levels of the enterprise to ensure that
    personnel have the knowledge and skills to
    perform their risk-related responsibilities.

Key Dimensions for Successful ERM
  • VI. MONITORING & ESCALATION: Monitoring is the
    periodic or continuous observation of the
    portfolio of risks in order to detect and give
    timely warning of change. Monitoring includes
    supervision, observation, and reporting to
    responsible individuals. Monitoring is an ongoing
    activity embedded into the entity's operations.
    Escalation is a procedure by which risks that
    exceed or are about to exceed specified
    thresholds or triggers are elevated to the
    appropriate level of authority for resolution on
    a timely basis.
  • Key Recommended Practices
  • Thresholds and triggers for escalation to Senior
    Management have been established for all major
  • There is a well defined, effective escalation
    process for major risk events that exceed
    specific thresholds (including timeframes,
    procedures, notification instructions, actions,
  • Early warning systems based on established
    thresholds detect potential adverse events.
  • Validity, completeness, and accuracy of risk
    data/reporting are sufficient to detect
    significant variations and allow corrective
    action to be taken to avoid incidents.

Key Dimensions for Successful ERM
    The risk management process should be
    sustainable, continuously assessed, evaluated,
    and improved over time. Its effectiveness depends
    on the integration, coordination, and capability
    of people, processes, and technology.
  • Key Recommended Practices
  • There are formal, effective processes to review
    and evaluate risk management activities.
  • The organization monitors whether progress is
    being made in managing major risk exposures and
    takes corrective action as necessary.
  • Failures to correctly identify, assess, and
    mitigate risks are investigated and remediation
    efforts implemented.
  • The organization has a successful track record of
    managing large initiatives that require changes
    in people, process, and technology.

ICE Current Versus Desired
Descriptors of Risk States
  • 1 - Trailing: No evidence of formal adoption of
    recommended risk management practices. Practices
    followed tend to be ad hoc, inconsistent, or
    reactive in nature.
  • 2 - Emerging: Limited evidence of recommended
    practices. There are significant improvement
    opportunities for creating a more integrated and
    strategically aligned risk management capability.
    There is growing understanding of the importance
    of applying improved risk management practices,
    but no formalized plans are in place.
  • 3 - Maturing: Meeting some recommended
    practices, particularly in more specialized risk
    functions. The importance of building a stronger
    risk management capability is generally accepted
    in the organization and key areas of improvement
    are recognized by management. There is evidence
    of incorporating fundamental risk management
    practices into planning and performance aspects
    of the core mission.
  • 4 - Sustaining: Meeting most recommended
    practices. The organization has or is
    implementing many recommended risk management
    practices. There are dedicated resources and
    executive commitment focused on maintaining and
    improving existing risk management processes,
    systems, and specialized risk management
  • 5 - Leading: Fully meeting or exceeding
    recommended practices. The organization has
    implemented and is sustaining risk management
    practices that are consistent with those
    prescribed by authoritative sources. There is
    evidence that risk management practices are
    recognized as a key factor in the achievement of
    strategic, operational, and compliance
    objectives. The organization is also striving to
    develop innovative risk management strategies
    that provide tangible strategic benefits. Others
    recognize the organization as a leader in
    integrated, enterprise-wide risk management
    capability and strive to emulate its practices.

General Process to Achieve Desired State
  • The following can occur simultaneously and/or
    sequentially; depends on funding, timing,
  • Conduct ICE ERM Capability Assessment
  • Development of a Sustainable Enterprise Risk
    Assessment Process.
  • Establish ERM Organizational Structure and
  • Establish ERM Operational Policy and Framework
  • Integrate Strategic and Business Planning
  • Conduct ERM Training
  • Develop an Executive Dashboard / Reporting Tool
  • Implementation Roadmap Development

Background Slides
Risk Management Overview
  • Risk is the potential for an unwanted outcome
    from an incident or event.
  • Example: The risk of a bomb exploding in a
    federal facility is the potential for human lives
    lost, damage to federal property, and damage to
    the government's ability to function.
  • A Risk Event is the event or incident that leads
    to the unwanted outcome.
  • Example: The risk event is the bomb exploding in
    a federal facility.
  • The Measure of Risk is a function of threat,
    vulnerability, and consequence.

DHS increasing focus on Risk Management
Last slide from DHS Tier II Risk Steering
Committee meeting (April 29, 2009)
  • Below is the complete list of recommendations to
    the Secretary
  • Approve and sign the Integrated Risk Management
    Framework as the Department's keystone doctrine
    and guidance for integrated risk management.
    This document will build on the already published
    Interim Integrated Risk Management Framework, and
    provide the opportunity for the Department's new
    leadership to guide the development of, and
    publicly endorse, the Department's vision for
    integrated risk management.
  • Pursue the issuance of a Homeland Security
    Presidential Directive on risk management
    defining a nation-wide program.
  • Issue a DHS Management Directive establishing the
    processes, roles and responsibilities for
    achieving integrated risk management in DHS,
    consistent with the existing delegation of
    authorities to the Under Secretary for National
    Protection and Programs.
  • Form a Federal interagency working group to
    develop the Homeland Security National Risk
    Assessment in conjunction with the Quadrennial
    Homeland Security Review.
  • Provide additional resources to improve the
    Department's risk analytic capability, including
    the development of a Risk Analysis Cell, and a
    Risk Knowledge Center to support DHS and,
    ultimately, State and local partners in better
    assessing, analyzing and managing risk to the

DHS increasing focus on Risk Management
  • Secretary Napolitano issued Action Directive on
    January 21st
  • The directive focused on two questions
  • What is the status of risk analysis metrics and
    what is the plan and time frame for setting up a
    full-blown system to govern the establishment of
    critical infrastructure programs, the priorities
    among national planning scenarios, and the
    distribution of grants to state, local, and
    tribal entities?
  • How can DHS enhance risk management as the basis
    of decision making?
  • Coordinated response was provided on February 27

DHS increasing focus on Risk Management
February 3, 2009. Secretary's letter to Director OMB: For the longer term, I am also working to increase the Department's ability to incorporate risk analysis into its budget development

Current ICE ERM Alignment to Strategic Planning
ICE's ERM program identifies risk events that could impact our ability to achieve our objectives and develops mitigation strategies to reduce these risks.
[Figure: High Risks (to those Goals); Goals (from draft ICE Strategic Plan): Goal 1 (Strategic), Goal 2 (Strategic), Goal 3 (Strategic), Goal 4 (Enabling), Goal 5 (Enabling)]