FORT BELVOIR, Virginia –
The Defense Logistics Agency is embracing mandates of the Office of Management and Budget Circular A-123 with a new DLA Headquarters team that will integrate enterprise risk management and internal controls efforts across the agency.
Circular A-123 emphasizes including risk management and internal controls in existing business practices as an essential part of managing federal agencies. ERM focuses on identifying, assessing and managing risks while internal controls are processes designed to reduce or eliminate those risks. Though DLA has used both to achieve its mission, independent auditors have identified gaps in DLA’s risk management and internal controls that make it vulnerable to threats ranging from compromises in cybersecurity to fraud, said Air Force Col. Scott Ritzel, DLA’s chief risk officer and head of what will become a 14-person team under the DLA chief of staff.
“Our goal going forward is to establish a methodology for identifying our risks and prioritizing them so we can determine the best ways to reduce or mitigate them,” he said, adding that cybersecurity is “hands-down DLA’s biggest threat.”
Some level of risk must be accepted in today’s environment of dwindling budgets and resources, he continued.
“We can’t control all the uncertainty within our environment, so we’re going to have to accept risk somewhere. That needs to be done at an enterprise level as opposed to a major subordinate command or DLA Headquarters directorate level, which is how we’ve been doing it in the past,” Ritzel said.
The effort will ensure agency resources are applied to the most critical areas of business and operations, and that leaders are aware of existing risks when making decisions.
After risk identification and prioritization, internal controls will be created with continuous testing and monitoring, said Kelleye Elmore, DLA’s Enterprise Risk Management Program manager and Internal Control Program coordinator. Documenting those controls, ensuring they comply with laws and regulations, and updating DLA policies are part of the process.
“For example, when auditors close out our Notice of Findings and Recommendations, testing and monitoring can’t stop. Those efforts should transition into the A-123 Program so we can continue to mitigate risks and capture controls in DLA policy,” Elmore said. The same goes for internal controls not associated with NFRs and Corrective Action Plans that are part of DLA’s audit.
Elmore and Ritzel stressed that ERM is a separate function from DLA’s audit efforts although audit results are a direct reflection of the agency’s progress in ERM.
“The audit is a measuring rod for A-123. If we’re complying with our own laws, regulations and policies, if we know the objectives we’re trying to meet and continuously monitoring and testing our processes, then completing the audit should be as simple as handing over our information to the auditor and letting them do their evaluation,” Elmore said, adding that A-123 efforts will continue long after the agency achieves a clean audit.
“By getting ERM right, we’re going to have positive results in supply chain operations. We’ll see it in the financials,” Ritzel added. “It’s also important to realize this is not a ‘let’s do this one time and we’re done’ thing. Environments change so there’s an ongoing need to reassess our risk and controls to ensure we’re addressing new threats or vulnerabilities in our complex business cycles.”
Three A-123 workshops have been presented via video teleconference to process owners and functional area managers throughout the agency, and more will follow as Ritzel’s team works to educate DLA employees on the importance and principles of ERM and internal controls. Elmore developed the workshops by getting input on managers’ knowledge of ERM practices. Many requested instruction on end-to-end process mapping and help identifying assessable units, which are subdivisions of end-to-end processes.
Ritzel is optimistic that each small step DLA takes toward strengthening its focus on A-123 principles will yield exponential progress.
“The first time we show the true value of ERM, I think the workforce is going to crave it,” he said. “Right now, the goal is to set a foundation in place so we can go through an entire annual cycle to find out what works for us and what doesn’t.”