National Institutes of Health: Completion of Comprehensive Risk Management Program Essential to Effective Oversight

GAO-09-687 Published: Sep 11, 2009. Publicly Released: Sep 22, 2009.

Highlights

The National Institutes of Health (NIH), an agency of the Department of Health and Human Services (HHS), is the primary federal agency for supporting medical research. The Office of the Director (OD) is the central NIH office responsible for setting policy and overseeing NIH's 27 institutes and centers (IC). Allegations involving one institute raised questions about areas of oversight by the OD. In light of these questions, GAO examined (1) how NIH makes extramural research funding decisions and OD monitoring of this process, (2) the design of selected internal controls over NIH's travel and personnel appointment processes, and (3) the design of NIH's new risk management program and the program it is replacing. To address these objectives, GAO reviewed relevant NIH policies, procedures, and supporting documentation. GAO also selected 3 institutes that varied in size for in-depth reviews.

Recommendations

Recommendations for Executive Action

Agency Affected: National Institutes of Health
Recommendation: To ensure effective oversight of extramural funding decisions, the Director of NIH should establish a process for routine monitoring of the extramural funding decisions in which the IC directors use their discretion to skip applications or fund applications as exceptions.
Status: Closed – Implemented
NIH's Office of Policy for Extramural Research Administration (OPERA) has incorporated this specific review of IC extramural funding decisions into its established Management Control Compliance Model (MCCM), a system of internal control oversight for all policy issuances under the authority of OPERA. The MCCM includes an assessment of risk that determines the frequency and scope of review. The Office of Policy for Extramural Research Administration completed this first review December 19, 2011. The review found that the controls that the ICs have implemented are effective and foster compliance with NIH policies governing out of rank order funding of grant applications, and the resulting report provided information to the Office of the Director related to IC processes associated with the use of their discretion to fund research projects on factors in addition to scientific merit.

Agency Affected: National Institutes of Health
Recommendation: To help ensure that NIH has a comprehensive program to effectively address potential risks to the agency's mission, including those related to the monitoring of extramural research funding decisions, travel, and personnel appointments, and to complete the design and implementation of NIH's Enterprise Risk Management Program, the Director of NIH should add key components and related elements needed to achieve comprehensive and effective agencywide risk management to the design of NIH's Enterprise Risk Management Program, including: (1) mission-based strategic goals and objectives as a precondition for risk management and risks to be assessed on the basis of their impact on the achievement of these goals and objectives; (2) the evaluation of risk responses to consider the effect on the likelihood of occurrence and impact of a potential risk and the costs and benefits; (3) the documentation of the rationale for selecting risk responses; (4) additional detail regarding how the assessments of the overall efficiency and effectiveness of the risk management program will be performed; (5) periodic assessments of implemented risk responses; (6) the importance of ethical values; (7) continuous training to maintain the competence of personnel carrying out risk management duties; and (8) communication with relevant external stakeholders.
Status: Closed – Implemented
NIH has made changes to the risk management program and issued updated risk management guidance in 2011 that includes key components, such as an evaluation of risk responses, documentation of the rationale for selecting risk responses, periodic assessment of implemented risk responses, statements about the importance of ethical values, continuous training of those carrying out risk management duties, and communication with relevant stakeholders.

Agency Affected: National Institutes of Health
Recommendation: To help ensure that NIH has a comprehensive program to effectively address potential risks to the agency's mission, including those related to the monitoring of extramural research funding decisions, travel, and personnel appointments, and to complete the design and implementation of NIH's Enterprise Risk Management Program, the Director of NIH should identify major milestones, including a final implementation date, to help ensure that NIH completes and implements the Enterprise Risk Management Program in a reasonable time frame.
Status: Closed – Implemented
On December 17, 2009, NIH officially implemented the risk management program and formally issued NIH Manual Chapter 1750: Risk Management Program. NIH communicated the schedule of milestones that describe key program activities for the first annual assessment in fiscal year 2010 as well as the fiscal year 2011 assessment in The NIH Risk Management Program: Fiscal Year 2011 Communication Plan.

Topics

Agency missions; Documentation; Evaluation methods; Financial management; Funds management; Government job appointments; Information resources management; Internal controls; Medical research; Monitoring; Program evaluation; Research program management; Risk assessment; Risk management; Standards; Strategic planning; Training utilization; Travel; Peer review; Policies and procedures; Program goals or objectives