REVENUE MEMORANDUM ORDER NO. 9-2023 issued on March 20, 2023
prescribes the policies, guidelines and procedures on Enterprise Risk
Management (ERM) in the BIR.
All risk management activities in the BIR shall be coordinated with the
ERM Coordinator (Management Division) and Chief ERM Officer [Assistant
Commissioner (ACIR), Planning and Management Service (PMS)]. Risks of the
BIR shall be managed by the officials as identified in the “BIR ERM
Organizational Structure” (Annex A of the Order). The concerned Deputy
Commissioner (DCIR) of each functional group shall designate one (1) ACIR as
the Group’s representative in the ERM Committee. The Commissioner of
Internal Revenue (CIR) shall designate an official who shall act as Risk
Management Sponsor for the Office of the Commissioner.
Issuance of the BIR Enterprise Risk Appetite Statement, which provides
the nature and exposure of the risk that the BIR is willing to take in pursuit of its
strategic objectives or goal/target, shall be the responsibility of MANCOM. The
ACIR/Regional Director (RD)/Revenue Data Center (RDC) Head as
Service/Regional/RDC Level Risk Manager shall be responsible for the Risk
Appetite Statement of the Service/Revenue Region (RR)/RDC.
The conduct of risk assessment and the development of corresponding
mitigation strategies shall be done annually, or whenever deemed necessary,
in all Services, RRs and RDCs of the BIR, which shall be the responsibility of
the concerned Service/Regional/RDC Level Risk Manager.
The risk assessment and the development of corresponding mitigation
strategies shall be initiated by the Head Revenue Executive Assistant/Assistant
Regional Director as RM Coordinator of the Service/RR. The RDC Head shall
perform a dual function as RDC Level Risk Manager and RM Coordinator.
All identified risks of Divisions/RDOs/Units shall be consolidated and a
shortlist of risks containing the top three (3) priority risks with recommended
mitigation strategies of Division/RDO/Units as identified by the risk owners shall
be submitted to the Service/Regional/RDC Level Risk Manager for the selection
of the top five (5) priority risks. These top five (5) priority risks shall undergo
a similar process until they reach the RM Sponsor for the top five (5) priority risks
of the functional group.
The Service/Regional/RDC Level Risk Manager, RM Sponsor, ERM
Committee and Executive Sponsor may include, as one of their top five (5)
priority risks, other risks that must be given serious consideration which are not
included in the shortlist of risks. The identified risks and selected top three (3)
priority risks, as well as the development and monitoring of the implementation
of corresponding mitigation strategies, shall be the responsibility of the head of
office as Risk Owner, while the top five (5) priority risks of the Services, RRs,
and RDCs shall be the responsibility of the Service/Regional/RDC Level Risk
Managers, and those of the Functional Group shall be the responsibility of the
Risk Management Sponsors.
The BIR Enterprise Risks shall be announced through a memorandum
signed by the CIR with the directive for concerned Risk Management Sponsors
to develop mitigation strategies to address the Enterprise Risks.
The status of implementation of the proposed corresponding mitigation
strategies of Enterprise Risks shall be monitored by the ERM Coordinator and
Chief ERM Officer, in coordination with the respective Risk Management
Sponsors.
An electronic BIR Risk Information Sheet (BRisk InfoSheet) shall be
used to document all the information about risks and their management.
The “eRisk Register” format prescribed in the Order shall be the
standard Risk Register to be used, maintained and updated by the concerned
offices in managing and recording pertinent information about their respective
risks as indicated below:
Risks | Risk Owner
Top three (3) priority risks and all the identified risks of the office | Division Chiefs, Revenue District Officers and Unit Heads
Top five (5) priority risks of the Service/RR/RDC | ACIRs of Services, Regional Directors and RDC Heads
Top five (5) priority risks of the functional group | Deputy Commissioners and Designated Official for the OCIR
BIR Enterprise Risks | MANCOM*
* Encoding of BIR Enterprise Risks in the eRisk Register shall be done by ERM Coordinator (Management Division)
An RM Manual containing the necessary information on the
management of risks in various BIR offices shall be prepared, maintained and
regularly updated by the respective Risk Managers for their exclusive use. An
ERM Manual containing the necessary information on the management of the
Bureau’s Enterprise Risks shall be prepared, maintained and regularly updated
by the ERM Coordinator. The RM and ERM Manuals shall follow the format
presented in the “RM Manual Template”.
The guidelines and procedures on Risk Assessment and Development
of Mitigation Strategies and the Selection of Enterprise Risks and Development
of Additional Mitigation Strategies are specified in the Order.
The management of risks in the BIR is adopted from the International
Organization for Standardization (ISO) 31000:2018, which shall serve as
the foundation of the BIR ERM. The “Enterprise Risk Management Process Flow”
presenting the end-to-end process of managing risks as provided under Section
V. GUIDELINES AND PROCEDURES of the Order shall be adopted throughout
the Bureau.
The Summary of Reports to be prepared for RM/ERM shall be as follows:
Report | Submitted By | Submitted To | Due Date
Status Report on Implemented Mitigation Strategies for identified risks | Divisions/RDOs/Units | ACIR/RD/RDC Heads concerned; Copy furnished MD through PMS | 5th day of the month after the end of each quarter
Status Report on Implemented Mitigation Strategies for approved Enterprise Risks | ACIRs/RDs/RDC Heads | DCIR concerned; Copy furnished MD through PMS | 10th day of the month after the end of each quarter
Evaluation on the Effectiveness of Implemented Mitigation Strategies for approved Enterprise Risks | Management Division | CIR/ACIR, PMS | 15th day of the month after the end of each semester/and calendar year
Status Reports shall be reflected in the eRisk Register by the concerned
head of office.