This study provided a framework for developing an enterprise-wide effort to assess and mitigate threats to the ability of the National Institutes of Health (NIH) to carry out its various research-related missions successfully. Threats or risks include results due to actions or inaction of people, processes, systems, technology, science, or external events. The study provided a basis for prioritizing these risks, identifying where and how they might occur, and providing information needed to better allocate resources to prevent or mitigate risks. The study addressed three questions: what is the best method to use to evaluate risk for scientific, administrative, and financial programs; what is the most economical way to collect data needed to evaluate high-risk areas; and what was the existing state of risk preparation/avoidance arrangements?
Researchers concluded that several methods existed and had been used by various organizations to assess risk. At NIH, however, several constraints would make scientific study of risk management methods challenging. These included the unknowable value of potential losses, non-repeating organizational events, the alteration of circumstances by the very act of assessing risk, and the relatively long lifespan of agency activities. The study resulted in a conceptual design to begin evaluating risks that included: reviewing risk literature and existing risk assessment guidance; exploring risk assessment practices and examining case examples of recent risk assessment; and interviewing agency executives. Senior NIH managers were beginning to engage in emergency risk management processes. Some offices were engaged in systematic risk assessment activities.
There was a clear perception among agency leaders of the importance of enterprise-wide solutions. Researchers made several recommendations. The NIH risk advisory committee should annually review and approve risk management policy. Management should lead an effort to integrate risk management into the NIH culture. Internal and external subject matter specialists should be involved as appropriate in the assessment of risk. Management should determine priorities, taking into account such factors as speed of risk onset, urgency, cost of mitigation compared to expected benefit, degree of difficulty and time required to implement. Lessons learned should be identified and communicated to appropriate personnel on a timely basis. The study concluded that risk assessment and mitigation efforts should be embedded into the regularly occurring NIH strategy, operations, scientific, financial, budgeting, and administrative processes.
Report Title: A Feasibility Study for the Evaluation of NIH's Enhanced Internal Management Control (IMC) Program http://aspe.hhs.gov/pic/fullreports/06/8464.doc
Agency Sponsor: NIH, National Institutes of Health
Federal Contact: Hardy, Karen, 301-402-3510
Performer: Deloitte & Touche; Reston, VA
PIC ID: 8464