OMB Updates Circular A-123: Agencies Can Customize Enterprise Risk Systems

OMB's Circular A-123 update lets federal agencies tailor enterprise risk systems, enhancing flexibility, compliance, and transparency across operations.

The Office of Management and Budget (OMB) has clarified how federal agencies can implement enterprise risk management under Circular A-123. Eric Ueland, OMB's deputy director for management, said the revised guidance now allows agencies to customize how they build and operate an enterprise risk system.

Circular A-123 has long guided internal controls, risk assessment, and accountability across federal programs. Historically, the memorandum emphasized standardized practices to ensure compliance and financial integrity. The recent update shifts toward a more flexible, risk-based approach while preserving core requirements for transparency and oversight.

By permitting customization, Circular A-123 enables agencies to design enterprise risk systems that reflect mission-specific risks, organizational size, and existing control environments. Agencies can prioritize threats, select appropriate technologies, and align governance structures to better detect and mitigate operational, financial, and strategic risks.

The change brings several benefits. Tailored enterprise risk management improves operational resilience, reduces unnecessary compliance burdens, and encourages targeted investments in risk analytics and automation. Greater flexibility can also speed decision-making and help agencies allocate resources where they matter most, strengthening both performance and accountability.

Practical steps for agencies include conducting a baseline risk assessment, mapping existing controls, and defining risk appetite at leadership levels. Agencies should evaluate enterprise risk platforms, data integration options, and reporting tools that support customizable dashboards and metrics. Training, cross-functional collaboration, and clear governance will be essential to turn the updated Circular A-123 into effective practice.

OMB retains oversight responsibilities, and customized systems must still meet reporting and internal control standards. Agencies should document their approaches and be prepared to demonstrate how their enterprise risk system aligns with statutory requirements, performance goals, and audit expectations.

The Circular A-123 update marks a meaningful shift toward modern, adaptable enterprise risk systems across the federal government. Agencies that embrace customization thoughtfully—balancing flexibility with strong governance—can improve risk visibility, optimize resource use, and better protect mission outcomes in an evolving threat landscape.

Back