This Appendix CC describes the Army Contracting Enterprise (ACE) risk management strategy and provides procedures to be used within the Army to establish and manage Army internal control assessments conducted via the Procurement Management Review (PMR) Program. The content in this appendix is consistent with the processes described in Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management (ERM) and Internal Control, and Army Regulation (AR) 11-2, Managers Internal Control Program (MICP). The functions covered in this appendix are applicable to all FAR-based and non-FAR-based Army acquisition functions. Specific guidance relating to the method and frequency of assessment for the Government-wide Purchase Card (GPC), Army Small Business Program, Other Transactions (OTs), and financial assistance (i.e., Grants/Cooperative Agreements) functions are located in the applicable policy documents for those functions.

As used in this appendix—

“Best practice” means an innovative, novel, or otherwise noteworthy approach or practice used to comply with one or more internal controls.

“Contingency contracting” means a military operation that is designated by the Secretary of Defense as an operation in which members of the armed forces are or may become involved in military actions, operations, or hostilities against an enemy of the United States or against an opposing military force in accordance with 10 USC 101(a)(13)(A) (see also FAR subpart 2.1). The support may be provided in a mature or immature operational environment and may be long term or short term.

“Internal controls” (also known as “internal management controls”) means the rules, procedures, techniques, and devices employed by managers to ensure that what should occur in their daily operations does occur on a continuing basis. For the purposes of this appendix, internal controls include the policies in the FAR, DFARS, and AFARS, and the associated processes and procedures of the contracting activity’s acquisition instruction (see AFARS 5101.304-90).

“Key internal controls” are those internal controls that must be implemented and sustained in daily operations to ensure organizational effectiveness and compliance with legal requirements. The effectiveness of key internal controls is assessed through the PMR Program and other management review processes.

“Lesson learned” means a noteworthy flaw in the design, implementation, or operational effectiveness of one or more internal controls.

“Strategic controls” are those controls that are directly linked to ACE contracting strategic objectives. The primary focus of strategic controls is on operations (i.e., cost, schedule, and performance) objectives.

In accordance with FAR 1.102(b), the ACE defines its operations, reporting, and compliance strategic objectives for contracting as follows:

(1) Operations objectives.

a. Satisfy the customer in terms of cost;

b. Satisfy the customer in terms of quality; and

c. Satisfy the customer in terms of timeliness.

(2) Reporting objective. Conduct business with openness.

(3) Compliance objectives.

a. Minimize administrative operating costs;

b. Conduct business with integrity and fairness; and

c. Fulfill public policy objectives

The ACE views internal control as a critical element for managing risk. The ACE manages risk to its strategic objectives and assesses the effectiveness of its internal controls, using Procurement Management Reviews, Peer Reviews, Independent Management Reviews, audits, training, self-assessments, and other management control activities. The use and periodic evaluation of key internal controls is an integral component of an organization’s management that provides reasonable assurance of the effectiveness and efficiency of the organization. Risk is defined as the effect of uncertainty on objectives. Risk management is a series of coordinated activities to direct and control challenges or threats to achieving an organization’s goals and objectives. Risk management on an enterprise-wide basis is an effective agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks across the organization, rather than addressing risks only within a single component of the organization. While agencies cannot respond to all risks related to achieving strategic objectives and performance goals, they must identify, measure, and assess risks related to mission execution. ACE risk management reflects forward-looking management decisions and balancing risks and returns so the ACE enhances its value to the taxpayer and increases its ability to achieve its strategic objectives.

Risk tolerance is the acceptable level of variance in performance relative to the achievement of objectives. The ACE will tolerate a greater level of variance in performance in achieving reporting and compliance strategic objectives relative to the achievement of operations strategic objectives. However, variation in achievement of the non-operations strategic objectives is not tolerated when it negatively impacts the achievement of operations strategic objectives. This strategic guidance is intended to promote initiative and sound business judgment by the Acquisition Team in providing the best value product or service to meet the customer’s needs.

The primary purpose of a risk profile is to provide a thoughtful analysis of the risks an organization faces toward achieving its strategic objectives arising from its activities and operations, and to identify appropriate options for addressing significant risks. It is a prioritized inventory of the most significant risks, from a portfolio perspective, identified and assessed through the risk assessment process versus a complete inventory of risks. The ACE, as the Army body empowered and responsible for the exercise of procurement authority, maintains a risk profile for Army contracting.