CHAPTER 5 ________________________________
Minimizing Risk to Recovery: Avoiding Fraud, Waste, and Abuse in Federal Recovery Project Spending

Remember Hurricane Katrina? Devastated communities needed federal assistance immediately. The U.S. Congress and the Bush administration pushed federal disaster agencies to quickly spend a lot of money and get recovery activity on the ground. Taxpayers, however, needed to know that the government was spending public dollars effectively and with minimal waste, fraud, and abuse. At the time, the U.S. Office of Management and Budget (OMB) did what it could to balance these competing goals, but with scant success.¹ Unfortunately, massive waste occurred. ²

The current economic crisis is similar in some ways to the Hurricane Katrina situation, but it is far larger in scale. The recently passed American Recovery and Reinvestment Act (known as the Recovery Act) is the largest U.S. government response to a national emergency, with funding levels that dwarf anything in our country’s history. This time, OMB has issued explicit guidance on managing the spending of Recovery Act funds and has built specific controls into the process to maximize results.

With obligations of almost $800 billion, federal agencies are responsible for an incredible amount of new spending, some on old programs, some on new ones. In any case, such an increase in funding presents major challenges. Congress and the American people want Recovery Act dollars spent on projects that will create jobs in the near term, and agencies must ensure the distribution process is transparent and fair.

Pressure from the administration to spend Recovery Act dollars quickly will inevitably create risk. The U.S. Government Accountability Office (GAO) noted in a recent report to Congress that “the risk of fraud, waste, and abuse grows when billions of dollars are going out quickly, eligibility requirements are being established or changed, new programs are being created, or a mix of these characteristics [exist].”³ External scrutiny will be intense, with oversight responsibilities spread across the Recovery Accountability and Transparency Board, GAO, agency-level inspectors general, the White House, and ultimately, citizens, through www.recovery.gov (see Figure 5-1).

Recovery Act Goals

The Recovery Act lays out five clear goals:

• To preserve and create jobs and promote economic recovery

• To assist those most affected by the recession

• To make investments needed to increase economic efficiency by spurring technological advances in science and health

• To invest in transportation, environmental protection, and other infrastructure that will provide long-term economic benefits

• To stabilize state and local government budgets, in order to minimize or avoid reductions in essential services and counterproductive state and local tax increases.⁴

Taking a lesson from Katrina, OMB has provided detailed guidance on the reporting required of agencies and programs responsible for the success of Recovery Act spending. OMB, to enhance the chances of Recovery Act success, defines five accountability goals for its efforts:

• Funds are awarded and distributed in a prompt, fair, and reasonable manner.

• The recipients and uses of all funds are transparent to the public, and the public benefits of these funds are reported clearly, accurately, and in a timely manner.

• Funds are used for authorized purposes and potential for fraud, waste, error, and abuse is mitigated.

• Projects funded under this act avoid unnecessary delays and cost overruns.

• Program goals are achieved, including specific program outcomes and improved results on broader economic indicators.⁵

Measuring Risk and Performance

Performance benchmarks abound for agencies to gauge their success. OMB’s guidance enumerates requirements for agencies to show that they are spending Recovery Act dollars wisely and with good results. So how should agencies, already stretched thin by copious audit, investigation, and reporting requirements, go about tackling these new and ambitious responsibilities?

OMB invites agencies to assess the risks to successful Recovery Act implementation and apply appropriate controls to mitigate those risks. In its April 2009 guidance, OMB asks agencies to assess those areas in which successful Recovery Act implementation is at greatest risk; apply appropriate controls to mitigate those risks; and periodically monitor and report progress. OMB developed a risk management framework (see Figure 5-2) to help agencies develop risk mitigation strategies and decide at what stages to employ and monitor specific controls.

The framework divides risk mitigation strategies into three major implementation areas:

• Strategic: Meeting high-level goals

• Operations: Effectively and efficiently using resources

• Reporting compliance: Meeting applicable reporting requirements.

The framework further defines the periods of performance during which specific controls should be employed. For example, programs should ensure controls are in place to minimize fraud throughout the performance period, but should monitor obligation rates only until the performance period of a particular project begins.

Managing Internal Controls

OMB’s provision for risk assessment is not a new requirement. Federal internal controls guidance has long emphasized understanding and addressing risk. GAO recently highlighted the need for internal controls to ensure that federal, state, and local governments use Recovery Act funds appropriately.⁶ GAO had previously published standards for internal controls that addressed five key areas: the control environment, risk assessment, control activities, information and communication, and monitoring.⁷

• The control environment establishes clear accountability goals and reporting authorities to achieve established program outcomes.

• Risk assessments within internal controls include determining the probability of risks and their potential impact on a program.

• Control activities are essentially mitigation actions to prevent or address known risks.

• Information and communication enable responsible officials to make informed decisions on how best to apply resources to carry out their responsibilities.

• Program officials should structure monitoring activities to create a systematic review process whereby responsible officials not only receive but act on ongoing performance data.

OMB’s direction is consistent with these guidelines.

Conducting a Gap Analysis

So where does an overwhelmed agency or program begin? First, it should conduct a gap analysis by taking the Recovery Act requirements and comparing them with the existing program capabilities. For example, the Recovery Act requires each agency to report job creation numbers directly linked to Recovery Act investments. If a program has never had to report this data, then a gap exists.

Note that a gap analysis need not be cumbersome or time-consuming. A simple inventory of Recovery Act and OMB guidance requirements—which can be done by surveying program managers—will help determine whether an agency is able to respond to either or both sets of requirements. Second, the gaps should be arrayed by factor to illustrate which areas pose the greatest risk to successful Recovery Act implementation. Factors may include the size or the age of the program, its significance with regard to the administration’s recovery priorities, or whether an audit has found that problems are affecting the program’s performance. OMB’s guidance provides examples of some of the factors agencies might use to assess risk.⁸

Figure 5-3 illustrates one approach for performing a risk analysis to establish a clear risk mitigation approach. Based on this analysis, agencies and programs can better decide where to focus the most attention to mitigate risks. GAO suggests that control activities appropriate for Recovery Act funds include establishing policies, procedures, and guidelines that enforce management’s directives and achieve effective internal controls over specific program activities. GAO provides examples of such policies and procedures that are particularly relevant to Recovery Act spending, including proper execution and accurate and timely recording of transactions and events, controls to help ensure compliance with program requirements, establishment and review of performance measures and indicators, and appropriate documentation of transactions and internal controls.⁹

Identifying Common Risks

It is simply not possible to give equal attention to all program areas and eliminate all threats to successful Recovery Act implementation. Doing so would bring activities to a halt—exactly the opposite of what is intended with the Recovery Act. That is why OMB invites agencies to take a reasonable approach to ascertaining where the greatest risks lie and applying mitigation strategies accordingly. This exercise is not just for the sake of compliance (though the documentation created is important evidence to show auditors and investigators when they come knocking); it is critical to the success of an agency’s Recovery Act program.

Figure 5-4 identifies common risks associated with programs receiving stimulus funding, the impact of those risks, and best practice approaches for risk mitigation.

Keep in mind that if a program is small, with little expectation of job creation or retention, an agency or program may not need to devote significant resources to getting the most accurate estimates from the program. On the other hand, if it is a large, nationwide construction program with broad impact, then determining the probability of risk for key programmatic and financial elements and ensuring job creation is critical. In this case, the agency should invest whatever it takes to get the measurement right.

Final Thoughts

A comprehensive risk management plan should correctly prioritize program risks based on the probability and impact of each risk. Risk mitigation plans should likewise identify specific actions to reduce risk, the responsible parties for risk mitigation, a timeline for action planning, and specific expectations for risk-avoidance compliance reporting. GAO and other oversight bodies are actively working to identify and communicate such issues to OMB.¹⁰ In the meantime, agencies should be prepared to propose a reasonable, achievable approach to documenting the effects of the stimulus.

Agencies are reeling from Recovery Act requirements. Responsible executives should leverage existing activities to minimize the burden. Most agencies already have a senior management council or equivalent whose job it is to ensure controls are in place and programs are working as intended. Agencies should employ such oversight mechanisms to drive compliance and address Recovery Act risks. Likewise, responsible program managers can use existing performance measures and reporting systems to report much or most of the data required by the Recovery Act, and financial and performance management professionals should track stimulus spending within existing systems. Agencies are not required to create duplicative systems or procedures for activities underway just to meet the requirements of the Recovery Act.

The ultimate goal of this endeavor is to accelerate the nation’s economic recovery. OMB’s guidance is a thoughtful and serious effort to mitigate known risks to the successful implementation of the act. While the requirements may seem overly prescriptive, agency executives can minimize the burden they pose if they approach the requirements in a methodical but reasonable way. That is all Congress, OMB, and other oversight entities require. During the Katrina response, surge funding lacked appropriate controls, fostering fraud, waste, and abuse. As we comply with the new Recovery Act requirements, we should all “remember Katrina.”

Notes

1. U.S. Office of Management and Budget, “Eligibility Verification Requirements for Delivery of Benefits to Victims of Hurricanes Katrina and Rita,” (Washington, D.C., October 13, 2005), http://www.whitehouse.gov/omb/financial/fia/hurricanes_katrina_rita_10-13-05.pdf (accessed September 18, 2009).

2. United States Senate, Committee on Homeland Security and Governmental Affairs, “Hurricane Katrina: A Nation Still Unprepared,” S. Rept. 109-322 (Washington, D.C., 2006), http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_reports&docid=f:sr322.pdf (accessed September 18, 2009).

3. U.S. Government Accountability Office, “Recovery Act: GAO’s Efforts to Work with the Accountability Community to Help Ensure Effective and Efficient Oversight,” GAO-09-672T, (report on testimony before the Subcommittee on Investigations and Oversight, Committee on Science and Technology, U.S. House of Representatives, May 5, 2009), http://www.gao.gov/new.items/d09672t.pdf?source=ra.4 (accessed November 24, 2009).

4. The American Recovery and Reinvestment Act of 2009, Public Law 111-5, 111th Cong., 1st sess. (January 6, 2009), http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.txt.pdf (accessed September 18, 2009).

5. Peter R. Orzag, U.S. Office of Management and Budget, “Updated Implementing Guidance for the American Recovery and Reinvestment Act of 2009,” (memorandum for the Heads of Departments and Agencies, M-09-15, Washington, D.C., April 3, 2009).

6. U.S. Government Accountability Office, “Recovery Act: As Initial Implementation Unfolds in States and Localities, Continued Attention to Accountability Issues Is Essential,” GAO-09-580 (Washington D.C., April 2009).

7. U.S. Government Accountability Office, “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (Washington, D.C., November 1999).

8. See note 5.

9. See note 6.

10. See note 3.