The key to better enterprise risk management

March 22, 2023
Triveni Patel, Mark Lerner, Cynthia Vitters, John Basso, Larry Koskinen, Ryan Murphy, Eliza Clark, Mark Stofanak

This blog draws from a Feb. 6 event hosted by the Partnership for Public Service and Deloitte & Touche LLP that featured two panelists:

  • Jason Bruno, director of the Bureau of Trust Funds Administration’s Office of Trust Risk, Evaluation and Compliance.
  • Dr. Tracy Davis Bradley, executive director for the Office of Integrity and Compliance of the Veterans Health Administration.

Read our blog posts, “Seating third parties at the risk table” and “How agencies can use enterprise risk management to implement new legislation,” for recaps of the previous two working sessions in this series.

In 2016, the Office of Management and Budget directed agencies to improve the way they serve the public by integrating their risk management functions with their internal controls—internal processes designed to help agencies effectively and efficiently achieve their objectives. The revised policy instructs agencies to expand and grow the practice of leveraging internal controls beyond financial reporting to address a broader array of risks.

At our recent event on enterprise risk management and internal controls hosted with Deloitte & Touche LLP, Jason Bruno of the Bureau of Trust Funds Administration and Dr. Tracy Davis Bradley of the Veterans Health Administration discussed how they overcame the challenge of integrating these two functions and the benefits of doing so.

Methods for integrating controls with enterprise risk management

Bruno shared that the Bureau of Trust Funds Administration overcame longtime challenges in expanding its internal controls beyond financial reporting by housing its compliance and control teams directly within its enterprise risk management function.

Dr. Bradley shared that the Veterans Health Administration made progress by using enterprise risk management practices to prioritize its highest risk areas and focusing its use of internal controls on those risks—including longer-term systemic risks where controls can address root causes, such as those identified by the Government Accountability Office’s High Risk List.

As a result of these practices, both leaders said that their agencies improved their overall accountability, transparency and performance measurement.

Leading practices

Agencies may employ five leading practices to integrate their internal controls and enterprise risk management functions.

  1. Align with the agency’s larger strategy. Focus on risks that are tied to the full scope of the agency’s mission and prioritize the use of controls on the highest priority risks.
  2. Consider organizational structure. Establish strong relationships between the risk functions, internal control functions and other programs. Where possible, place risk and internal control functions within the same office.
  3. Integrate the Statement of Assurance process with risk management. As noted by the Office of Management and Budget, the Statement of Assurance “represents the agency head’s informed judgment as to the overall adequacy and effectiveness of internal control within the agency.” The process of developing the Statement of Assurance complements risk management practices, and integration of these processes promotes common goals for stakeholders.
  4. Educate leadership. It is crucial to familiarize newly hired leaders with the purpose, processes and value associated with integrated risks and controls. This familiarity strengthens—and enables executives to set the tone for—agencies’ overall risk management culture.
  5. Respond to risk evolution and root causes. Risks are constantly evolving, so the internal control environment and mitigations should evolve too. Organizations should look to address systemic root causes in both of these functions.

By integrating risk management and controls, agencies can create a structure that supports active management of risks, reduces risk exposure and improves services to the public.

For more information on this blog post, contact: Cynthia Vitters, managing director, at, or John Basso, managing director, at

This blog was co-authored by the Partnership for Public Service (Triveni Patel and Mark Lerner) and Deloitte & Touche LLP (Cynthia Vitters, John Basso, Larry Koskinen, Ryan Murphy, Eliza Clark and Mark Stofanak).
