Page:M-21-19 Memorandum for Heads of Executive Departments and Agencies.pdf/15

 The following ‘Phases’ require varying degrees of effort; each program is responsible for determining which of the ‘Phases’ it falls into. All programs with annual outlays greater than $10,000,000 will fall into either phase 1 or phase 2.

A. Phase 1: Identify Susceptible Programs and Activities with an IP Risk Assessment

Agencies should assess all programs with annual outlays greater than $10,000,000 for IP risk at least once every three years. The purpose of an IP risk assessment is to determine whether the total annual IPs PLUS the UPs for a program are collectively likely to be above or below the statutory threshold for the given year.

If the assessment determines that it is likely that the program’s IPs plus the program’s UPs are above the statutory threshold, then the following year the program should produce a statistically valid estimate of the program’s IPs and UPs. If the IP risk assessment demonstrates that the program is not likely to make IPs and UPs above the statutory threshold, then the program will not produce a statistically valid estimate in the following year and instead will conduct another IP risk assessment in three years.

1. IP risk assessments may be qualitative or quantitative in nature.

The agency should develop an IP risk assessment methodology that is appropriate to ensure that the result of the IP risk assessment reasonably supports whether the program is or is not susceptible to significant IPs (i.e. likely to have IPs plus UPs that are above or below the statutory threshold).

Additionally, agencies should be mindful that, when evaluating compliance, the Inspector General (IG) will evaluate and take into account the adequacy of the IP risk assessment and the IP risk assessment methodology used. Their compliance evaluation will include whether the audits, examinations, and legal actions of the OIG indicate a higher risk of IPs or actual IPs that were not included in the IP risk assessments. With that in mind, when developing an IP risk assessment methodology, agencies are encouraged to review the results of audits, examinations and legal actions of the OIG and take into account whether they impact the risk of IPs in the program. OMB does not need to approve a program’s IP risk assessment methodology prior to implementation; however, the agency should be able to make the methodology available upon request in the case that OMB wishes to conduct a review.

a) Factors that may impact the level of IPs and UPs within a program and could be considered (if applicable) when conducting a qualitative IP risk assessment.

When conducting a qualitative assessment for risk of IPs and UPs, the agency should ensure that proper consideration has been given to relevant factors that would help prove that the program is likely to be above or below the statutory threshold. Examples of factors that could be considered when conducting a qualitative IP risk assessment include but are not limited to: