On Monday April 16, 2018, the federal risk community came together at the J.W. Marriott, Jr. ASAE Conference Center in Washington D.C. to attend the 2018 ERM Workshop, co-hosted by the Association of Government Accountants (AGA) and the Association for Federal Enterprise Risk Management (AFERM). Enterprise risk management (ERM) subject matter experts and risk practitioners from across the federal government shared experiences and best practices for building, developing, and sustaining ERM programs in government.
Workshop participants were divided into 16 group tables, each with a discussion facilitator and note-taker. Tables were sponsored by a host of firms, including MorganFranklin Consulting, PwC, EY, KPMG, and Deloitte. The MorganFranklin-sponsored table was facilitated by Director Stephanie Irby, with participants from the Department of Education, Department of Housing and Urban Development, U.S. Agency for International Development, U.S. Department of Agriculture, and the National Science Foundation.
The workshop began with a welcome from Ann Ebberts, CEO of AGA, followed by opening discussions from Mark Bussow, policy analyst at the Office of Management and Budget, and Chris Mihm, Managing Director at the Government Accountability Office. ERM discussions focused on driving organizational value and enhancing performance, with three break-out sessions exploring ERM maturity models, ERM integration into organizational strategy and performance, and ERM and cybersecurity. Below are key takeaways from all three discussions.
ERM maturity models: Enhancing capabilities to enable the evolution of the ERM assessment process
- Governance: Establish a governance structure that engages all levels of leadership; make risk management a core competency of leadership and management
- Process: Develop risk data collection and reporting methods and tools to use across the organization
- Culture: Develop a strong risk culture that fosters objective discussion about risks that exist across the organization (i.e., “tone at the top”); develop risk awareness campaigns and ERM training for all levels of the organization
Integrating ERM with strategy and performance
- Address vulnerabilities by embedding ERM into existing internal control, budget, strategic planning, organizational performance management, resourcing, and other key processes; incorporate risk appetite as a best practice in discussions
- Use key risk indicators, key performance indicators, and strategic objectives to optimize achievement of organizational goals
- Include ERM in strategic plans
ERM and cybersecurity
- Embed ERM in human capital and IT procurement planning and decision making
- Remember that cybersecurity is not just a “CIO thing”
- Assess risks for network operations centers and security operations centers
- Implement a framework to assess IT risks—FITARA requires agencies to produce a FISMA security scorecard; the scorecard can serve as the primary vehicle for communicating IT risks and mitigation strategies
- Bring all lines of business outside IT into risk discussions and planning to better understand their role in strengthening cybersecurity
- Put training and awareness programs in place because employees are the first line of defense for preventing the realization of cybersecurity risks
The workshop was a wonderful opportunity to learn how other agencies are developing and maturing their ERM programs and to network with other risk practitioners and share real-world insights to take back to our agencies and organizations.