Vol. LVIII, No. 19
September 22, 2006

Not a 'Gotcha!' Program
Risk Management Effort on Upswing at NIH

Say the phrase "risk management" on this campus, and most folks are going to think fence, ID badge, flashing lights and security guards. The more mortgage-minded among us might conjure up images of accountants in green eyeshades, poring over the books, or bankers, worried about overextending their loans.

But risk management — now ascendant as NIH initiates a Risk Management Program that is one of five main elements of the President's management agenda — is actually a bit of both of these. Like a guarded fence, it tries to keep bad things from happening, and like an army of CPAs, it aims to keep those 28 billion bucks in our yearly budget flowing in the proper direction.


But the focus isn't just money, insists Colleen Barros, NIH deputy director for management. Risk, like beauty, is where you find it — in human resources, in large IT systems, in clinical trials, in grants and contracts, travel management, personal property, and — nobody here needs to be reminded — ethics programs.

This fall, NIH will be conducting a major scan of potential vulnerabilities in all of its business-related and research support functions. Assisted by the consulting arm of the firm Deloitte & Touche, the agency is taking a long look at itself in the mirror.

It's not so much that no one here was paying attention to risk in the past, Barros emphasizes, as that Sarbanes-Oxley legislation (prompted mainly by the collapse of Enron and accounting firm Arthur Andersen) and revisions to OMB Circular A-123 formally require new scrutiny of all vulnerabilities. On top of that, it just makes for good stewardship.

"You'd be crazy not to have it in a large, 21st century operation with a multi-billion dollar budget such as NIH," Barros said.

She noted that the initial interpretation of OMB-mandated risk management was limited to audits and finance, but says NIH director Dr. Elias Zerhouni wanted a broader application of the concept — "a bigger arena."

Last July, he sent an email to employees announcing the debut of the Risk Management Program (RMP). Its goal is to identify, by the end of 2006, NIH's areas of high, medium and low risk. Those in charge of the major business enterprises are to receive training, led by the Office of Management Assessment, in recognizing and minimizing risk.

"Deloitte & Touche has a methodology for this kind of study," Barros said. "The core is a series of interviews with leadership of the various functions, and with IC [institute and center] leadership, to ask where the nexus of risk is in many areas." Next comes a paper review of past audits and congressional hearings. The third and final step is to take all feedback from steps 1 and 2 and define a baseline, or spectrum, of risk, agency-wide.

By late fall, Deloitte & Touche is expected to submit its findings to the NIH director's steering committee, which will pick individual items among the areas of high, medium and low risk for further study in FY 2007.

"We are basically institutionalizing the whole Risk Management Program, rather than doing it on an ad hoc basis as in the past," Barros explained. "Our goal is to become more responsive and proactive than reactive. The consideration of risk needs to become part of our culture and our process. It is not a program based on 'Gotchas!' We simply want to strengthen and assure the stability of a huge enterprise."

She continued, "It's not an audit in the sense of ‘We're gonna come and get you.’ It's a way of being more proactive and helpful to our managers."

"We intend to proceed in a systematic way, not randomly," added Suzanne Servis, director of OMA. "We want to encourage people to think about risk more routinely."

In October, OMA will launch a training program geared to senior management, conducted by Management Concepts Inc. "This will be for the owners of our major systems and processes," Servis said.

Top executives will receive an RMP overview of perhaps an hour, she predicted; at its most rigorous, the training might take a full day for less-senior staff. At every step, OMA will provide assistance, Servis said, including a dedicated RMP web site. Risk management officers — RMOs — will be identified in all components of NIH, to serve as additional counsel.

Barros emphasizes the RMP "is a help to the organization, a protective strategy. Our intent is not to strike fear into the hearts of thousands. We want to help identify problems before they become huge issues, and to mitigate weaknesses. We’re not going to send auditors crawling over you with green eyeshades — that’s absolutely not what this is about. We want to instill an awareness of risk on a routine basis, in our daily operations. This is not a once-a-year paper exercise."

Barros said the program has been maturely received by top NIH leadership: "People recognize the need in a big, modern, $28 billion organization [for RMP]. Everybody felt the burn from the conflict of interest controversy…had there been stronger review in place [when that issue arose], we probably could have avoided some of what we ran into." She admits, "RMP isn't fun, exactly, especially in a time when budgets are tight, and it is going to involve work. But we all realize that it's necessary and it's been accepted as such."

More information on the RMP can be found at
