USAID develop a comprehensive risk management policy for assessing and mitigating risk for PIO awards. The policy should inform staff on risk tolerances and risk categories; provide a framework and guidance on how and when to assess risks, develop risk responses, and assign mitigating controls based on risks; and clearly communicate roles and responsibilities for carrying out risk management across the Agency.
USAID establish a dedicated, centralized entity with the authority and resources to assess and address (1) PIO performance, (2) PIO internal oversight effectiveness, (3) other crosscutting PIO oversight methods, and (4) oversight units operating across multiple organizations, using information from across the Agency.
USAID develop a comprehensive policy that outlines (1) what authority—for example, other transaction authority—will be used to make each PIO award and (2) what corresponding rules and regulations apply, to include the roles and responsibilities for individuals and offices responsible for award management.
USAID direct the Office of Foreign Disaster Assistance to (1) review and define its processes for making awards to PIOs to carry out work in long-term crisis environments and (2) update policies to ensure they include standards of internal control related to documenting the internal control system, analyzing risks, designing control activities, and documenting transactions by retaining records.
USAID direct the Office of Food for Peace to (1) review and define its processes for making awards to PIOs to carry out work in long-term crisis environments and (2) update policies to ensure they include standards of internal control related to documenting the internal control system, analyzing risks, designing control activities, and documenting transactions by retaining records.
USAID Establish requirements for PIOs to notify USAID of suspected and identified serious criminal misconduct in activities funded by USAID to include unlawful actions taken by employees, subpartners, subcontractors, vendors, or other parties. The requirements should specify the process for reporting and criteria for what to report.