This Appendix CC describes the Army Contracting Enterprise (ACE) risk management strategy and provides procedures to be used within the Army to establish and manage Army internal control assessments conducted via the Procurement Management Review (PMR) Program. The content in this appendix is consistent with the processes described in Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management (ERM) and Internal Control, and Army Regulation (AR) 11-2, Managers Internal Control Program (MICP). The functions covered in this appendix are applicable to all FAR-based and non-FAR-based Army acquisition functions. Specific guidance relating to the method and frequency of assessment for the Government-wide Purchase Card (GPC), Army Small Business Program, Other Transactions (OTs), and financial assistance (i.e., Assistance Awards) functions are located in the applicable policy documents for those functions. For additional information on the PMR Program, please reference the Office of the Deputy Assistant Secretary of the Army (Procurement) (ODASA(P)) PMR Guidebook, located on the PMR SharePoint.

As used in this appendix—

“Answer” means a reply to a specific review question. Any “No” answer shall also include a “Deficiency” that helps to categorize why the response was “No”.

“Best Practice” means an innovative, novel, or otherwise noteworthy approach or practice used to comply with one or more internal controls.

“Checkpoint” means a moment during the corrective action process where Organizations shallprovide ODASA(P) with status updates at 90-day increments (i.e. calendar days).

“Contingency Contracting” means a military operation that is designated by the Secretary of Defense as an operation in which members of the armed forces are or may become involved in military actions, operations, or hostilities against an enemy of the United States or against an opposing military force in accordance with 10 USC 101(a)(13)(A) (see also FAR subpart 2.1). The support may be provided in a mature or immature operational environment and may be long term or short term.

“Contract Execution Review (CER)” means a contract review that can be conducted automated or manually. CER generally refers to an automated contract review (i.e. contract/order/modification) within a Review Event in the VCE-PMR Assistant application.

“Corrective Action” means the actions taken by an organization to improve the findings associated with Non-compliance. Corrective action is the activity of reacting to a process problem, improving it, and ensuring internal controls are in place to reduce the likelihood of reoccurrence.

“Corrective Action Plan (CAP)” means a report or document that provides an organization with systemic deficiencies to complete corrective action to strengthen an organization’s internal control environment for contract operations.

“Deficiency” means a categorization of why the question was answered with a “No”.

“Finding” means the explanation why a particular question was deficient to warrant taking corrective action.

“Internal Controls” or also known as “internal management controls” means the rules, procedures, techniques, and devices employed by managers to ensure that what should

occur in their daily operations does occur on a continuing basis. For the purposes of this appendix, internal controls include the policies in the FAR, DFARS, and AFARS, and the associated processes and procedures of the contracting activity’s acquisition instruction (see AFARS 5101.304-90).

“Key Internal Controls” means the internal controls that must be implemented and sustained in daily operations to ensure organizational effectiveness and compliance with legal requirements. The effectiveness of key internal controls is assessed through the PMR Program and other management review processes.

“Lesson Learned” means a noteworthy flaw in the design, implementation, or operational effectivenessof one or more internal controls.

“Toolkit” means a collection of questions that is managed for a PMR Program ManagementReview or Non-Contract Review.

“Question” means a specific review question included in a question set. For CERs, a questionwill be included in a Review based on specific question categorizations/filters (e.g. Competitive/Non-competitive, MOD type, SME Review). For SME Reviews, all questions associated with the Subject will be included. A question can have a Yes/No or Yes/No/N/A answer.

“Question Set” means a collection of questions that is managed by a PMR Administrator or Subject Matter Expert (SME) and selected for use in Review Events. The Internal Control (IC) Question Set will be the default Question Set for all Contract Execution Reviews (CERs). The IC Question Set and any supplemental Question Sets are managed by PMR System.

“Root Cause Analysis” means an administrator or Subject Matter Expert (SME) and selected for use in Review Events. The Internal Control (IC) Question Set will be the default Question Set for all Contract Execution Reviews (CERs). The IC Question Set and any supplemental Question Sets are managed by PMR System.

“Strategic Controls” means those controls that are directly linked to ACE contracting strategic objectives. The primary focus of strategic controls is on operations (i.e., cost, schedule, and performance) objectives.

“Virtual Contracting Enterprise (VCE)” means a suite of web-based contracting tools used by its employees and their customers in the performance of their daily duties acquiring supplies and services for the US Army.

“Self-Assessment” means any review other than an official PMR that internally assesses either organizational or individual compliance.

“Procurement Management Review (PMR)” means an official review that assesses the effectiveness of internal controls, key internal controls, and strategic controls to mitigate risks to the ACE strategic objectives.

“Risk” means the probable or potential adverse effects from inadequate internal controls that may result in the loss of government resources through fraud, error, or mismanagement Risk Management A series of coordinated activities to direct and control challenges or threats toachieving an organization’s goals and objectives.

“Risk Tolerance” means the acceptable level of variance in performance relative to the achievement of objectives.

In accordance with FAR 1.102(b), the ACE defines its operations, reporting, and compliance strategic objectives for contracting as follows:

(1) Operations objectives.

a. Satisfy the customer in terms of cost;

b. Satisfy the customer in terms of quality; and

c. Satisfy the customer in terms of timeliness.

(2) Reporting objective. Conduct business with openness.

(3) Compliance objectives.

a. Minimize administrative operating costs;

b. Conduct business with integrity and fairness; and

c. Fulfill public policy objectives

The ACE views internal control as a critical element for managing risk. The ACE manages risk to its strategic objectives and assesses the effectiveness of its internal controls, using Procurement Management Reviews, Peer Reviews, Independent Management Reviews, audits, training, self-assessments, and other management control activities. The use and periodic evaluation of key internal controls is an integral component of an organization’s management that provides reasonable assurance of the effectiveness and efficiency of the organization. Risk is defined as the effect of uncertainty on objectives. Risk management is a series of coordinated activities to direct and control challenges or threats to achieving an organization’s goals and objectives. Risk management on an enterprise-wide basis is an effective agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks across the organization, rather than addressing risks only within a single component of the organization. While agencies cannot respond to all risks related to achieving strategic objectives and performance goals, they must identify, measure, and assess risks related to mission execution. ACE risk management reflects forward-looking management decisions and balancing risks and returns so the ACE enhances its value to the taxpayer and increases its ability to achieve its strategic objectives.

Risk tolerance is the acceptable level of variance in performance relative to the achievement of objectives. The ACE will tolerate a greater level of variance in performance in achieving reporting and compliance strategic objectives relative to the achievement of operations strategic objectives. However, variation in achievement of the non-operations strategic objectives is not tolerated when it negatively impacts the achievement of operations strategic objectives. This strategic guidance is intended to promote initiative and sound business judgment by the Acquisition Team in providing the best value product or service to meet the customer’s needs.