
News | Oct. 7, 2024

Understanding the Risk Management Internal Control Program: Strengthening Internal Controls to Enhance Organizations

NCOLCoE

The majority of us come to work every day where operations run smoothly, missions are planned and executed and teams work together seamlessly. Now imagine that, just beneath the surface, risks are lurking that could mean the difference between mission success and failure. The Risk Management Internal Control (RMIC) program is your first line of defense that ensures no threat, big or small, goes unchecked. Quentin Brown, Director of the Quality Assurance Office at the NCO Leadership Center of Excellence (NCOLCoE), underscores the program’s broader role in fostering collaboration and ensuring that internal controls evolve with the organization’s needs. “At the end of the day, you want everything you are dealing with to be current and relevant,” Brown explains, emphasizing how the program strengthens communication within the organization. The RMIC program is not just a regulatory requirement but a dynamic and collaborative process that delivers organizational assurance by actively safeguarding the Army’s operations and finances.

The RMIC program consists of five phases: 

Phase 1 – Planning: Identification of potential risks.
Phase 2 – Documentation: Recording processes involved to mitigate risks.
Phase 3 – Testing and Evaluation: Ensuring internal controls are in place and effectively reduce risks.
Phase 4 – Remediation and Validation: Corrective actions are initiated for internal controls to eliminate the root cause of failures. 
Phase 5 – Reporting: Annual reports are submitted with findings and remedial measures taken. 

In today’s digital landscape, cybersecurity is more than just a technical issue; it is a critical aspect of national defense. Many of us have opened a letter or e-mail from a bank, healthcare provider or government agency only to find that our personal, financial or medical information has been exposed in a security breach. Suddenly, the sensitive details about our lives are at risk and vulnerable to exploitation. As a result, our sense of trust and security in the institution is lost.

Bill Rempfer, Director of the Department of Information and Technology at the NCOLCoE, provides a concrete example of how internal controls function in daily operations. His department adheres to “Army Regulation 25-2 Army Cybersecurity, by having an appointed and trained information system security officer along with ensuring separation of duties.” This means that when personnel in-process with the unit, his team verifies all training requirements are complete and the network user understands their responsibilities. It also safeguards the network, ensuring no single person has complete control over critical systems, reducing the risk of unauthorized access or malicious activities. “Our internal controls ensure that when you access our network you are authorized,” added Rempfer.

Brown’s department took ownership of the RMIC program nearly two and a half years ago, overseeing its implementation and ensuring proper monitoring across all areas of the organization. Reflecting on his experience, Brown remarked, “since I have been a part of this program, I have seen three areas with deficiencies and two have been corrected.” Although the Army Records Information Management System (ARIMS) still faces minor risks, progress continues in the right direction to reduce them further. Personnel are being assigned as records managers and standard operating procedures are being revised to ensure the ARIMS is following current regulations and policies. One challenge that continues to affect the program is time. Rempfer echoed this concern, explaining, “the time required to focus on the program is not always adequate. In many organizations, completing the RMIC checklist is an additional duty assigned to the stakeholders.” He emphasized that training personnel and instilling a deep understanding of the program’s significance will help more staff to follow its guidelines with precision.

The RMIC program is far-reaching, covering multiple domains to mitigate organizational risks. Brown advised, “you have to make sure your internal controls are aligned with what is actually transpiring in that particular domain.” Do not let risk linger in the shadows, whether in logistics, cybersecurity or operations. The RMIC program equips Soldiers and Army civilian professionals with the tools to keep your mission on track and your organization secure.