Several agencies have been engaged in risk management activities for some time. NASA and the Agriculture Department’s Risk Management Agency are just two of the agencies with inherently risk-oriented missions. Federal CIOs have been grappling with risk management and cybersecurity for quite some time as well. Yet these have been mainly siloed efforts; they don’t look at risk relative to the agency’s efforts as a whole. But that’s changing.
Many events served to raise awareness of risk management within the federal sector. Chief among them was the failure of Enron, which led to the enactment of the Sarbanes-Oxley Act for the private sector and the ensuing revisions to OMB-Circular A-123, “Management’s Responsibility for Internal Control.”
Despite the attention (most of it over the past five years or so), there is still intense debate surrounding the definition and use of enterprise risk management (ERM) within the federal sector. Rather than more discussion, it’s time for action.
Federal IT offers the ideal setting for applying ERM on a practical rather than conceptual or theoretical level.
Why? Because system and IT project managers are already familiar with some form of risk management. They address project risks when making investment decisions, reduce the chance of data or system compromise through cybersecurity efforts, and complete risk assessments to comply with mandates such as the Federal Information Security Management Act. But here’s a caveat: These exercises usually provide only a stovepipe view of risk, driven by compliance activities rather than by the performance goals, risk assessments and investment plans of the broader organization.
To carry out federal ERM, IT professionals must push the envelope and begin to proactively integrate risk management decision-making models and processes into their day-to-day operations across programs, just as systems now span programs or even agencies. This approach will help embed ERM into the organizational culture of government.
For more tips on risk management, go to FederalERM.com.
A good way to begin is by reviewing and implementing some of the steps in the Enterprise Risk Management Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission. These include identifying, prioritizing and assessing events that could have a significant impact on the agency mission, reputation or operations.
Similarly, the CIO must be part of the senior governance structure responsible for managing a portfolio of risks that cut across organizational silos, not just those that affect the IT function alone.
Former Labor Department CFO Doug Webster explains evolutionary use of ERM well: “Considering financial risk [or IT risk] across all organizational departments is not ERM. The term ERM is much more fundamental to basic management. While the tools of traditional risk management are certainly relevant, what is much more fundamental is the need for recognition by all managers that management of risk is an inherent part of all decision making. When decisions across the enterprise consider the key risks associated with those decisions — regardless of whether those risks are strategic, operational, financial, physical — then we are moving to real ERM.”