Why Do Agencies Need Enterprise Risk Management?

As the government’s complete reliance on digital technologies expands, it becomes harder to secure the growing network of new devices, IT systems and cloud solutions. In short, the network is the mission.

It used to be that an agency’s IT infrastructure could fit in a box, literally – that is, all computing took place within the confines of the building. That made containing risks pretty easy. Slap a firewall around the network, teach employees not to click questionable links and continue business as usual.

Now, mobile, cloud and edge computing have revolutionized governments’ IT environments. For the most part, this is a good thing. It makes meeting missions and citizens’ demands easier and increases effectiveness. But there’s a flip side: a potential for greater vulnerability.

As agencies replace existing infrastructures with modern and mobile options, or as they integrate new technologies into their legacy systems, they expand their attack surfaces. Although these upgrades are good for the mission, they also may give hackers and malicious insiders more ways into the network. That’s why IT officials must weigh the pros and cons of each new technology to determine if the risk is worth it and update controls and policies where appropriate to take advantage of new digital technologies.

The reality is that IT risks cannot be completely eliminated, especially in this digital era. They must be managed, and that’s a new task for the chief information officer (CIO) and chief information security officer (CISO) team.

For about 10 years, the Office of Management and Budget (OMB), the Government Accountability Office and agency inspectors general have all found that agencies’ enterprise risk management (ERM) programs do not effectively identify, assess and prioritize actions to decrease cybersecurity risks.

That’s not for a lack of interest or trying. OMB issued Circular A-123 in 1981 to improve accountability in federal programs and operations, and updated it in July 2016 to reflect the growing digital environment. The National Institute of Standards and Technology (NIST) built on that work in December 2018 by issuing a Risk Management Framework that prepares organizations to execute the framework at the appropriate risk management levels.

Risk management is top of mind at the state and local government levels, too. It has held the number one spot on the National Association of State CIOs’ annual top 10 list of priorities for six years in a row.

So, what exactly is risk management? The “ERM for the U.S. Federal Government” playbook defines it as “a coordinated activity to direct and control challenges or threats to achieving an organization’s goals and objectives.” It is effective as an agency-wide approach only when it combines the full spectrum of an agency’s risks into a single portfolio, as opposed to addressing risks in silos. The playbook offers seven steps to get started:

  • Establish context
  • Identify risks
  • Analyze and evaluate
  • Develop alternatives
  • Respond to risks
  • Monitor and review
  • Perform continuous risk identification and assessment

This blog is an excerpt from GovLoop Academy’s recent course, “Managing Risk in Today’s Digital World,” created in partnership with RSA and Carahsoft. Access the full course here.
