rule will serve as a red flag for mines that repeatedly fail to meet safety requirements and will force them to correct problems before workers are allowed to return to the work site. And finally, we learn that contingency plans for continuity of operations must be sufficient to reasonably ensure the safety of the general public. After a fire in the engine room disabled the Carnival Triumph cruise ship, more than 4,200 passengers and crew were left adrift without power in the Gulf of Mexico. Passengers were forced to sleep in hallways, and food supplies ran low before the ship was finally towed to port in Mobile, Alabama.
But we also learn to recognize how the proactive management of risk can have a positive impact. GAO’s audit of the National Archives and Records Administration (NARA) identified several opportunities for the agency to improve its management of key risks through electronic records archiving. As a result, the nation will be positioned to have a stellar records management system in place, saving billions of dollars in management systems over time. Likewise, the National Institutes of Health, through a GAO audit of its Risk Management Program, is better positioned to support science administratively, as risk is managed through a process that meets specific framework criteria.
The approval of the American Recovery and Reinvestment Act (ARRA) was intended to infuse the U.S. economy with desperately needed funds. The risks associated with issuing multimillion-dollar grants and contracts as required by ARRA in such a short period of time were great; however, the opportunity to stimulate the economy and make economic gains was projected to outweigh the risks. State and local governments were able to use stimulus funds to repair major transportation systems and boost local economies as well. This in turn created grants that were extended to small businesses to help support these initiatives, boosting economic development at the micro level.
These are just a few examples of the activities the federal government has proactively launched to manage the positive aspects of risk. Others include creation of the GAO High Risk List.
TOP GOVERNMENT RISKS
In 1990, GAO began a program to report on government operations that it identified as “high risk.” Since then, generally coinciding with the start of each new Congress, GAO has reported on the status of progress to address high-risk areas and updated the High Risk List. In 2013, the GAO removed the high-risk designation from two areas – Management of Interagency Contracting and IRS Business Systems Modernization – and designated two new high-risk areas: Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks and Mitigating Gaps in Weather Satellite Data. These changes brought GAO’s 2013 High Risk List to a total of thirty areas.
The GAO High Risk List is particularly useful to risk managers, chief risk officers, and agency executive leadership in general because it serves as an independent review for flagging risk areas in government that may be missed by agencies. Overall, GAO’s high-risk program has served to identify and help resolve serious weaknesses in areas that involve substantial resources and provide critical services to the public. Since the high-risk program began, the government has taken high-risk problems seriously and has made long-needed progress toward correcting them. In a number of cases, progress has been sufficient for GAO to remove the high-risk designation. A summary of changes to GAO’s High Risk List over the past twenty-three years is shown in Table I.2.
Table I.2 Changes to GAO’s High Risk List, 1990–2013
Source: www.GAO.gov.
CRITERIA
When legislative, administration, and agency actions result in significant progress toward resolving a high-risk area, GAO removes the high-risk designation. Key to determining whether the high-risk designation can be removed are the following five elements: (1) a demonstrated strong commitment to, and top leadership support for, addressing problems; (2) the capacity to address problems; (3) a corrective action plan; (4) a program to monitor corrective measures; and (5) demonstrated progress in implementing corrective measures.
To determine which federal government programs and functions should be designated high risk, GAO considers whether the program or function is of national significance or is key to performance and accountability. GAO also considers which of the following the risk represents:
• An inherent problem, such as may arise when the nature of a program creates susceptibility to fraud, waste, and abuse
• A systemic problem, such as may arise when the programmatic, management support, or financial systems, policies, and procedures established by an agency to carry out a program are ineffective, creating a material weakness
Further, GAO considers qualitative factors, such as whether the risk
• Is a matter of public health or safety, service delivery, national security, national defense, economic growth, or privacy or citizens’ rights
• Could result in significant impaired service, program failure, injury or loss of life, or significantly reduced economy, efficiency, or effectiveness
In addition, GAO also considers the exposure to loss in monetary or other quantitative terms. At a minimum, $1 billion must be at risk in areas such as the value of major assets being impaired; revenue sources not being realized; major agency assets being lost, stolen, damaged, wasted, or underutilized; improper payments; and contingencies or potential liabilities.
Before making a high-risk designation, GAO also considers corrective measures planned or under way to resolve a material control weakness and the status and effectiveness of these actions. To determine which federal government programs and functions should be designated high risk, GAO uses the self-titled guidance document Determining Performance and Accountability Challenges and High Risks.
In February 2011, GAO detailed thirty high-risk areas. Sufficient progress has been made to remove the high-risk designation from the following two areas:
• Management of Interagency Contracting. Improvements include (1) continued progress made by agencies in addressing identified deficiencies, (2) establishment of additional management controls, (3) creation of a policy framework for establishing new interagency contracts, and (4) steps taken to address the need for better data on these contracts.
• Internal Revenue Service Business Systems Modernization. The IRS made progress in addressing significant weaknesses in information technology and financial management capabilities. The IRS delivered the initial phase of its cornerstone tax processing project and began the daily processing and posting of individual taxpayer accounts in January 2012. This enhanced tax administration and improved service by enabling faster refunds for more taxpayers, allowing more timely account updates and faster issuance of taxpayer notices. In addition, IRS has put in place close to 80 percent of the practices needed for an effective investment management process, including all of the processes needed for effective project oversight.
Although these two areas have been removed from the High Risk List, GAO will continue to monitor them.
GAO has added two areas in 2013:
• Limiting the Federal Government’s Fiscal Exposure by Better Managing Climate Change Risks. Climate change creates significant financial risks for the federal government, which (1) owns extensive infrastructure, such as defense installations; (2) insures property through the National Flood Insurance Program; and (3) provides emergency aid in response to natural disasters. The federal government is not well positioned to address the fiscal exposure presented by climate change; it needs a government-wide strategic approach with strong leadership to manage related risks.
• Mitigating
