The Consumer Financial Protection Bureau started its enterprise risk management program four years ago by taking the path less travelled by many agencies.
While many agencies and private sector organizations focus on operational risks, the CFPB decided another approach made more sense.
Marianne Roth, the chief risk officer at the Consumer Financial Protection Bureau, said this different course is paying off, letting the CFPB mitigate risks more quickly and effectively.
“We are working to embed risk-based decision making into our culture. Specifically, a lot of IT organizations will focus on operational risks when they’re building an ERM program, and we really took a different approach. We focused specifically on our mission risks and strategic risks, and built our program around that so that then we can more easily expand it through the organization and build more buy-in,” Roth said on Ask the CIO, sponsored by Galvanize, a Diligent company. “I’ve found that stakeholders within the organization are much more responsive to our ERM program because they see how they fit into it, and they see how their direct work is impacted by risk and how their direct work mitigates risk.”
CFPB says its ERM program reached a maturity level 3 under the ISO 3001 standard, developed by the Defense Department and Carnegie Mellon University. Achieving a level 3 maturity means CFPB is managing risk organization-wide with a collaborative process for identifying, categorizing, assessing and communicating risk, and managing risks within and across organizational silos.
The Office of Management and Budget updated Circular A-123 in 2016 to put more emphasis on enterprise risk management. OMB required agencies to embed risk management across all program and mission areas.
Roth said a good example of the bureau’s maturity is how they approach data and cybersecurity. Without a doubt, data is at the center of CFPB’s mission success and how they secure that data is an important factor.
“We intake data so that we can evaluate the effectiveness of rules and regulations, so that we can identify violators or companies that have violated consumer financial protection laws, and so that we can evaluate the effectiveness of our financial education programs,” she said. “That means that we have a lot of data risk, not only in terms of the security of the data, but also the integrity of the data. Through our ERM program, we have really been able to expand an understanding of how this is a mission critical risk, and how it impacts all facets of the organization. Everyone has a part to play in securing our information and ensuring its integrity and reliability going forward.”
By maturing its ERM effort over the last four years, Roth said the bureau can more easily shift to increase its focus on racial and economic equity, as well as ensuring there is an equitable recovery from the COVID pandemic.
“We are actively examining the various markets that we’re responsible for, such as credit cards, debt collection, auto loans and mortgage servicing. We are really looking at what are the emerging risks to consumers in those areas, not only in the next six months, but over the next five years. Where should we be positioning ourselves so that we can be most nimble and helpful to consumers and ensure that their rights are protected?” she said.
Roth said another sign of maturity is the creation of an enterprise risk steering committee, which monitors risks and ensures they are shared across the agency mission areas. Just recently, CFPB also established a new enterprise risk monitoring council to stay on top of challenges at the staff level, so that they can escalate real or potential problems to leadership more quickly.
“We established a senior level governance body, which we call the executive steering committee for enterprise risk management. It is comprised of all the senior leaders in the organization. Each head of our division within the bureau is a member, and it’s chaired by our chief of staff. We have high level visibility and high level participation, or senior level participation, in the governance group,” she said. “With regard to our Enterprise Risk Monitoring Council, we have found that although executive buy-in is so incredibly important, there’s a lot of risk management that has to occur at a lower level in the organization, the more day-to-day risk management. We are establishing a new council that will do just that, that will focus on how we can better anticipate changes in the risks that we have, and the effectiveness of our mitigation activities in real time.”
The councils are important to CFPB’s ability to successfully manage and mitigate risks because Roth doesn’t own any of the risks. The mission areas do.
“We have been focused on developing key performance indicators and key risk indicators for each of the most significant risks that the bureau faces. We are really trying to quantify what those vulnerabilities that we face are, as well as the potential impact of those vulnerabilities to the organization,” she said. “We want to do this in a structured way so that we can compare the data over time and analyze changes in the data, as well as be more proactive in our responses to changes in our environment. This is an ongoing project, but we’ve made a lot of traction in terms of developing key risk indicators. I find that to be a challenge for most federal agencies to develop key risk indicators because they’re supposed to be very proactive, they’re supposed to be the alarm on your car when your tire pressure is running low. That’s what a key risk indicator is supposed to do. So developing that for the complex environment in which we operate is very challenging. But it’s also very rewarding once we have these measures established, and then we can regularly share that information with our senior leaders.”
CFPB’s challenge to develop key risk indicators is common across the government, but it’s not the biggest obstacle to maturing ERM. A 2020 survey by the Association of Federal Enterprise Risk Managers found culture barriers remain a major issue.
One way to overcome those barriers is through technology. Roth said she works with the agency’s chief information officer and chief information security officer to ensure systems and data are available and secure.
Additionally, Roth said she is spending more time with the bureau’s chief data officer to think through the security implications of incorporating, purchasing and leveraging new data sources.
“We really want to be able to be nimble and adaptive to the various changes that are happening in the technology so quickly. We don’t want to be tied down and lock ourselves into a particular system that then is not going to meet our needs three years from now,” she said. “The role of the chief risk officer at the bureau is more to connect the dots, to be a facilitator of existing information. But I’m also a very active member of our data governance board, which is a governance body of senior leaders across the bureau. We advise the chief data officer on the risks and opportunities associated with our data initiative, everything from procuring new data to maintaining the security of data to releasing data. We are involved in all of those decisions.”
Roth added that while her day-to-day job is focused on helping CFPB manage and mitigate potential and real risks, her bigger focus is ensuring organizational resilience.
“I’m really focused on building out our key performance and key risk indicator capability, and really using data to more effectively analyze the risks that we’re facing, and also become better at measuring the impact of our mitigation efforts,” she said. “I found that many times an organization will implement a mitigation strategy and then they think they’re done. There’s no look back at, did this really decrease the risk, did this really have the desired impact? We’re really trying to build that capability into our risk management program, and then extend that throughout the organization by building a more risk aware culture.”