2 FAM 030
RISK MANAGEMENT
(CT:GEN-540; 02-26-2019)
(Office of Origin: M/PRI)
2 FAM 031 DEPARTMENT RISK MANAGEMENT
POLICY
(CT:GEN-540; 02-26-2019)
a. Advancement of U.S. foreign policy objectives
inherently involves diverse types of risk, and the Department recognizes that
taking considered risks is essential to creating value for our stakeholders.
It is the Department's policy that employees and leaders engage in risk
management for the decisions and activities within the scope of their duties.
All employees of the Department are expected to identify, evaluate,
integrate and mitigate any substantial risks to their objectives. Department
leaders, including Chiefs of Mission, should require the best possible
assessment of risk, identification of mitigation measures, and evaluations of
any remaining residual risk before making decisions. Decisions should
include judgments on whether the benefits of a proposed activity or course of action
outweigh the residual risks.
b. Effective risk management is part of an
institutional framework that protects people, property, resources, information
and interests, and is a key component of leadership. It is incumbent upon
each employee of the Department to evaluate and attempt to acknowledge,
integrate and mitigate the substantial risks of any enterprise in which they
are engaged. Although it is not possible to eliminate all risk, proactive
risk mitigation begins with a rigorous identification of assumptions about
risks and benefits, stated or not, associated with an activity, and an
assessment of those assumptions. A good assessment includes a
consideration of the number and quality of information sources underpinning the
assumption, e.g. questioning assumptions based on anecdotes.
Consequently, additional actions may be necessary to mitigate the risk to an
acceptable level. This theory of risk applies to any activity, e.g. an
international negotiation, determining staffing at a high threat post, or
designing a building.
c. Department leaders, especially Chiefs of Mission
and Deputy Chiefs of Mission, have a vital role in risk management, and it is
expected that they will engage in both their own risk management activities and
in mentoring others on how best to do it. They must create a climate that
encourages open discussion of assumptions, including their reliability, and be
willing to accept alternative viewpoints. Department leaders ensure risk management
is a continuous process that is adjusted as conditions change and incorporated
into decision-making in a systematic, appropriate, timely and transparent
manner, taking into account uncertainty and the impact on our capabilities
to protect people, property, information and other assets. These
activities should be collaborative among relevant stakeholders, including
various levels within and outside of the organization as appropriate to the
situation. Chiefs of Mission should be cognizant of the risk inherent in
activities of all agencies under their authority and, as appropriate,
mitigation efforts.
d. A key tenet of leadership at the Department is to
guide teams to the best possible assessment of risk, implementation of
mitigation measures, and an evaluation of the residual risk that remains.
The Department expects leaders to judge whether the benefits of an
activity outweigh the residual risk and to act accordingly. It
is the Department's responsibility to establish the appropriate training, tools
and processes necessary for its employees to manage the risk inherent in their
positions.
e. Some types of risk (and examples of mitigation
structures) are:
(1) Security (High Risk Post Review Board, Emergency
Action Plan);
(2) Safety and Health (OSHA Requirements, Earthquake
Preparedness, Fire Safety);
(3) Medical (Malarial Prophylaxis Protocol, Medical
Clearance Preview Tool);
(4) Environmental (Air Quality Monitoring, Drinking
Water Treatment);
(5) Financial (Management Controls, Audits, grant and
contract procurement requirements);
(6) Information Assurance (Cybersecurity Training, PKI
Cards);
(7) Policy (Clearance Process);
(8) Reputational (Supervisory Controls, Clearance
Process, human rights vetting, consular vetting for visitor programs);
(9) Program effectiveness (planning and formal
approvals, program design information, performance management, monitoring and
evaluation); and
(10) Terrorism financing (vetting, OFAC licenses).
f. In some areas, statutory or other formal
requirements exist for risk management which must be part of a position's
responsibilities. These include, but are not limited to:
(1) The Federal Information Security Modernization Act (FISMA) (see 5 FAH-11);
(2) The Federal Managers' Financial Integrity Act (FMFIA) (see 2 FAM 020);
(3) Critical Environment Contracting requirements under the National Defense
Authorization Act (NDAA) for Fiscal Year 2013, Section 846 (see 14 FAM 241); and
(4) Negroponte Guidance on Terrorism and Assistance Programs.