National Institutes of Health:

Completion of Comprehensive Risk Management Program Essential to Effective Oversight

GAO-09-687: Published: Sep 11, 2009. Publicly Released: Sep 22, 2009.

Contact:

Linda T. Kohn
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The National Institutes of Health (NIH), an agency of the Department of Health and Human Services (HHS), is the primary federal agency for supporting medical research. The Office of the Director (OD) is the central NIH office responsible for setting policy and overseeing NIH's 27 institutes and centers (IC). Allegations involving one institute raised questions about areas of oversight by the OD. In light of these questions, GAO examined (1) how NIH makes extramural research funding decisions and OD monitoring of this process, (2) the design of selected internal controls over NIH's travel and personnel appointment processes, and (3) the design of NIH's new risk management program and the program it is replacing. To address these objectives, GAO reviewed relevant NIH policies, procedures, and supporting documentation. GAO also selected 3 institutes that varied in size for in-depth reviews.

NIH is required by law to make its extramural research funding decisions--funding provided to scientists external to NIH such as those at universities--using a dual peer review system. During the first level, initial peer review groups assess applications and assign a score to them based on their scientific merit. During the second level, advisory councils review the applications and their scores and, on the basis of this review, recommend to the ICs certain applications for funding consideration. IC directors can use their discretion and choose to fund applications based on factors in addition to scientific merit, "skipping" over applications with higher scores or making "exceptions" to fund applications with lower scores. GAO found that in fiscal year 2007, IC directors funded about 19 percent of NIH's applications for a common type of grant based on factors in addition to scientific merit. However, the NIH OD does not monitor the extent to which IC directors use such discretion when making extramural funding decisions--an action that would be consistent with federal internal control standards.

The NIH OD has established policies and procedures that incorporate key internal controls into the travel and personnel appointment processes. For example, the processes require multiple levels of review and approval. However, there is not an NIH-wide process for risk-based monitoring of the effectiveness of controls. Without monitoring actual implementation of controls based on assessed risk levels, NIH does not have adequate assurance that controls are operating as intended within those areas that have been identified as posing risks to the agency's ability to achieve its mission.

NIH's Management Control Program, a risk management program updated in 2004, did not comprehensively address risks to the agency's overall operations and resulted in a lack of sufficient information for effective oversight and agencywide risk management. Recognizing this, in 2006, NIH began designing a new risk management program, the Enterprise Risk Management Program. Although an improvement over the earlier program, the design of the new program does not fully address the components identified in GAO's framework for effective risk management. For example, the design does not incorporate strategic goals and objectives as a precondition for risk management, the evaluation of alternative responses to address identified risks, or documentation of the rationale for selecting a risk response. Further, NIH's new program is not yet fully implemented, despite an over 3-year effort. According to NIH officials, NIH has experienced delays because of a change in contractors, balancing staff resources with competing demands, and underestimating time needed for implementation.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: NIH's Office of Policy for Extramural Research Administration (OPERA) has incorporated this specific review of IC extramural funding decisions into its established Management Control Compliance Model (MCCM), a system of internal control oversight for all policy issuances under the authority of OPERA. The MCCM includes an assessment of risk that determines the frequency and scope of review. The Office of Policy for Extramural Research Administration completed this first review December 19, 2011. The review found that the controls that the ICs have implemented are effective and foster compliance with NIH policies governing out of rank order funding of grant applications, and the resulting report provided information to the Office of the Director related to IC processes associated with the use of their discretion to fund research projects on factors in addition to scientific merit.

    Recommendation: To ensure effective oversight of extramural funding decisions, the Director of NIH should establish a process for routine monitoring of the extramural funding decisions in which the IC directors use their discretion to skip applications or fund applications as exceptions.

    Agency Affected: Department of Health and Human Services: Public Health Service: National Institutes of Health

  2. Status: Closed - Implemented

    Comments: NIH has made changes to the risk management program and issued updated risk management guidance in 2011 that includes key components, such as an evaluation of risk responses, documentation of the rationale for selecting risk responses, periodic assessment of implemented risk responses, statements about the importance of ethical values, continuous training of those carrying out risk management duties, and communication with relevant stakeholders.

    Recommendation: To help ensure that NIH has a comprehensive program to effectively address potential risks to the agency's mission, including those related to the monitoring of extramural research funding decisions, travel, and personnel appointments, and to complete the design and implementation of NIH's Enterprise Risk Management Program, the Director of NIH should add key components and related elements needed to achieve comprehensive and effective agencywide risk management to the design of NIH's Enterprise Risk Management Program, including: (1) mission-based strategic goals and objectives as a precondition for risk management and risks to be assessed on the basis of their impact on the achievement of these goals and objectives; (2) the evaluation of risk responses to consider the effect on the likelihood of occurrence and impact of a potential risk and the costs and benefits; (3) the documentation of the rationale for selecting risk responses; (4) additional detail regarding how the assessments of the overall efficiency and effectiveness of the risk management program will be performed; (5) periodic assessments of implemented risk responses; (6) the importance of ethical values; (7) continuous training to maintain the competence of personnel carrying out risk management duties; and (8) communication with relevant external stakeholders.

    Agency Affected: Department of Health and Human Services: Public Health Service: National Institutes of Health

  3. Status: Closed - Implemented

    Comments: On December 17, 2009, NIH officially implemented the risk management program and formally issued NIH Manual Chapter 1750: Risk Management Program. NIH communicated the schedule of milestones that describe key program activities for the first annual assessment in fiscal year 2010 as well as the fiscal year 2011 assessment in The NIH Risk Management Program: Fiscal Year 2011 Communication Plan.

    Recommendation: To help ensure that NIH has a comprehensive program to effectively address potential risks to the agency's mission, including those related to the monitoring of extramural research funding decisions, travel, and personnel appointments, and to complete the design and implementation of NIH's Enterprise Risk Management Program, the Director of NIH should identify major milestones, including a final implementation date, to help ensure that NIH completes and implements the Enterprise Risk Management Program in a reasonable time frame.

    Agency Affected: Department of Health and Human Services: Public Health Service: National Institutes of Health
