Enterprise Risk Management

On July 15, 2016, the Office of Management and Budget (OMB) released guidance that requires federal agencies to implement enterprise risk management (ERM). ERM extends beyond compliance and financial risk by using a comprehensive approach to view risks across five categories: compliance, financial, operational, reputational, and strategic.

The ERM framework promotes a holistic view of risk, including proactive risk assessment and management as well as a more transparent, risk-aware culture. Benefits of ERM include:

  • Standardizing risk information to inform strategic decision-making
  • Identifying crosscutting risks and root causes
  • Mitigating risks proactively to avoid or reduce impact on business objectives
  • Empowering employees at all levels to manage risk

Risk Philosophy

CDC embraces intelligent risk management—obtaining risk data, applying analytics, and producing actionable risk information to guide decision-making—as a means to fulfill its public health mission of protecting the nation’s health security. Organizations cannot survive, much less thrive, if they avoid risk altogether. Embracing a culture of risk awareness across CDC—with supporting risk mitigation through management systems and processes—provides the foundation for intelligent risk management. A solid framework encompassing a common risk language, integrated risk assessments and response system, and frequent risk monitoring and risk communication ensures that risk intelligence is considered and continuously available to decision-makers. The world in which CDC operates is dynamic and requires action, and CDC’s ERM framework should reflect this.

Risk Appetite

CDC works 24/7 to protect America from health, safety, and security threats, both foreign and domestic. CDC recognizes that it is neither desirable nor practical to avoid all risk in pursuit of this mission. It is necessary for CDC to accept some risk in alignment with its risk appetite.

Risk appetite is defined as the level and type of risk an organization is willing to accept in pursuit of its objectives. Risks have both positive and negative consequences. CDC will seek to balance its risk portfolio so that no single risk or aggregate risks—whether within a specific category or across the entire agency—exceed the level deemed acceptable by senior leadership. Risk appetite may shift due to a variety of factors, and CDC will adjust its risk appetite as conditions change.

As part of its ERM framework and governance structure, CDC expects management to exercise discretion within broad guidelines in applying risk appetite to decision-making. CDC will exercise caution when accepting risks that have the potential to negatively impact the public’s trust and confidence. Certain risks have limited upside but significant downside, particularly legal, compliance, safety, and scientific integrity risks. Therefore, CDC is unlikely to accept risks in these areas. CDC will accept greater levels of risk in mission-critical areas, including during public health emergencies or when the cost to reduce the risk is greater than the combined consequence and likelihood of the risk occurring. Acceptance of any specific risk may be contingent upon implementing risk controls and monitoring.

CDC has developed, and will continue to develop, implement, and update, policies and procedures that reflect its appetite for risk in pursuit of its mission.

Email ERM@cdc.gov.