|
Good afternoon,
Welcome to the first issue of the Risk, Assessment & Compliance division monthly newsletter!
We are excited to introduce important topics for each of the divisions. In this issue, you’ll find information on rule changes for Risk Management; a spotlight on Sole Source flags generated in Celonis for the Assessment team; and from the Compliance team, information on Internal Purchasing Procedure requirements and annual IT security risk assessments.
We would also like to introduce you to our team over the next several months and hope you enjoy getting to know them. We are starting with Wednesday Shafer of the Compliance team.
As always, please reach out to our teams anytime we can be of service.
Sincerely,
Janet Morrow
Director
Risk, Assessment and Compliance
Risk Management rule changes
Rules for Risk Management have been updated effective Sept. 11, 2023. Below are excerpts of the two most significant changes. For additional rule changes, visit the Oklahoma Administrative Code webpage.
Old: 260:70-9-1(3)(H) Any driver of a motor vehicle, while functioning as an agent of the State, that is involved in two at-fault accidents in a twenty four (24) month period shall, in addition to paragraph G, be declared uninsurable by the Risk Management Administrator for a period of three (3) months following the second accident.
New: 260:70-9-1(2)(H) Any driver of a motor vehicle, while functioning as an agent of the State, that is involved in two at-fault accidents in a twelve (12) month period shall, in addition to paragraph G, be declared uninsurable by the Risk Management Administrator for a period of three (3) months following the second accident.
Old: 260:70-11-2(f)(3) The loss must be reported to Risk Management immediately upon learning of the occurrence of a loss. Failure to report a loss in a timely manner may negatively impact your recovery or result in denial of coverage.
New: 260:70-11-2(d)(3) The loss must be reported to Risk Management within seven (7) days of learning of the occurrence of a loss. Failure to report a loss will result in denial of coverage.
>> Back to Top
OMES RAC sole source flag spotlight
A sole source acquisition is when a product or service can only be provided by one supplier. The goal of flagging sole source purchases by RAC is identifying and communicating opportunities when product(s) or service(s) are available on an existing statewide contract.
Currently, in fiscal year 2024, 15 POs totaling $25.8 million were flagged as sole sources and reviewed for contract potential. Additional flags can be located on the RAC FAQ webpage.
  >> Back to Top
Internal purchasing procedures
74 O.S. §85.39 and OAC 260:115-5-7 require state agencies to have internal purchasing procedures (IPPs) approved by the state purchasing director and include minimum requirements to be addressed in the IPPs. Approved IPPs are also one of the statutory requirements for an agency to receive or retain an approved purchasing threshold above $25,000 (fair and reasonable).
Governor’s Executive Order 2023-4 includes a directive for OMES to evaluate agency purchasing procedures that have been submitted pursuant to the Central Purchasing Act and work with each relevant agency on ways to improve their procedures. The LOFT report also makes a recommendation for policy consideration to require that internal purchasing procedures be approved by the state purchasing director every two years and create penalties for violations in statute.
Please review your agency’s IPPs and, if there have been any revisions or if it is nearing time for recertification, submit them to omesprocurement.internalprocedures@omes.ok.gov.
>> Back to Top
Annual Risk Assessments due Nov. 30
Oklahoma law requires each agency with an information technology system to complete an annual security risk assessment. OMES sent the standard security risk assessment to directors of 142 state agencies on Oct. 2, 2023. The reporting period covered in the assessments is from July 1, 2022, through June 30, 2023. Please make sure to include your name, agency and contact information when completing the form. The results are shared with the Legislature as required by Oklahoma Statute, used to inform future cybersecurity risk investments and insurance premiums, and are needed to provide areas of focus for business and security risk mitigation.
Think you missed it? Look for the bulletin sent on Oct. 2 with the subject line **UPDATED LINK** Annual Risk Assessment due Nov. 30 and select the blue Assessment button to complete the form.
>> Back to Top
Annual security audits
Oklahoma law requires state agencies with an information technology system that is not consolidated to have an information security audit based on the most current version of the NIST Cyber-Security Framework. The audit must be conducted by a firm approved by OMES Information Services. Approved firms can be found by visiting the link for Statewide Contract 1042. To submit your audit reports, use the link for statutory and regulatory reporting or email them directly to iscompliance@omes.ok.gov.
>> Back to Top
|
