Like many agencies, the Federal Retirement Thrift Investment Board is more aware of its enterprise risks than ever before. Whether it’s cybersecurity, the hiring and training of its workforce, or mitigating potential fraud in employees’ Thrift Savings Plan (TSP) accounts, the FRTIB is scoring and managing these and about a dozen other risk areas in a more standardized way.
Thomas Brandt, the chief risk officer at the Federal Retirement Thrift Investment Board, said the agency is ensuring it is more resilient in the face of current and future risks.
“We’ve always had the conversation around one of the value-adds of ERM is, it can help organizations be more resilient in addressing a risk should it occur. But maybe it was harder to perhaps convince people or show people concretely what that looked like until the pandemic hit. And then we saw, right in front of us and all too real, those organizations that were able to pivot pretty quickly and adapt to changes in work environment, and still be able to deliver their products and services in a largely remote environment. Then we saw other organizations that were more challenged in their resilience,” Brandt said in an interview with Federal News Network. “In order for risk management to work in any organization, everybody has to have a role. Everybody needs to be attuned to risk. They also need to understand or be aware of kind of what do I do if I identify a risk. Is there someplace to go? Is there somebody that can help? What are some of the tools that are available to me to help get a handle on kind of what are the key risks of my organization? How might I raise these and get assistance from other parts of the organization? That’s why we and other organizations are focusing on risk.”
Brandt said that, at the end of the day, the FRTIB is trying to get ahead of its risks as much as it can and minimize its exposure to them.
“I think one of the biggest challenges that we face, and it’s probably not unique to the federal sector, is minimizing the consequences if a risk should manifest and downplaying what the impact could be, or also maybe becoming overconfident or complacent because, well, nothing has happened here. So since it hasn’t happened, maybe we can reduce the controls that we’ve got in place, maybe we can lessen the monitoring, and I get it because we’re resource constrained,” he said. “We’re always trying to look at where we can shift resources. But what we’ve seen too often is that when we look at some of the underlying causes behind crises that have happened in government and other sectors, you can often trace that back to somebody that discounted a risk. We’ve reduced controls. We relaxed oversight or we dismissed the risk and said, ‘this hasn’t happened so it’s not something that we need to be worried about.’ Those are the areas and those are the times probably our antenna need to go up and say, we actually probably need to be putting more attention here to avoid kind of that risk manifestation.”
To guard against the complacency and try to get ahead of real or potential risks, the FRTIB has created seven risk treatment plans. They focus on:
Supply chain management
Human capital management
Each treatment plan has a statement of risk, who the owner is, a risk score and a risk treatment status.
Brandt said the risk treatment plans help the FRTIB make choices about where to invest and better explain why that investment is needed.
“What’s your response to risk going to be? There are some risks we clearly are going to accept. There are others where we may be uncomfortable with perhaps the likely consequences of a risk should it manifest. Oftentimes, you will hear conversations around risk likelihood and risk impact as agencies are scoring their risks,” he said. “If we go back to the cyber example, we all know all organizations are constantly being pinged and tested to see what their defenses are, so there is a high likelihood that there’s going to be an effort to try to compromise an organization. So if there was a compromise, what’s the impact? You have to look at that across any type of risk that the organization is considering.”
The treatment plans try to answer a host of questions about the specific risk:
What are the actions we’re going to take in the year ahead?
What resources do we need?
What are the dependencies?
What are some of the key risk indicators that we’re going to be looking at and tracking to help tell us whether this risk is getting better or worse?
Do we need to pivot and change course in any direction?
“We’re at least updating and reviewing our risk treatment plans on a quarterly basis. But I think any organization is going to have a mechanism to also address those on a more ad hoc basis if something significant happens in the environment,” Brandt said. “If there’s a significant change in our internal or external environment, that’s going to change the way in which the risks might affect the organization or introduce new risks that may be a reason for us to revisit our risk treatment plan.”
Brandt said he provides the FRTIB board of directors regular updates on the risk treatment plans, both to demonstrate progress and to bring concerns to their attention.
The whole concept of enterprise risk management continues to grow across the government, particularly after the Office of Management and Budget updated Circular A-123 in 2016. Brandt, who also serves as the chairman of the planning committee for the Association of Federal Enterprise Risk Management (AFERM), said the annual summit in November will address many of the issues FRTIB and other agencies deal with every day.
In the meantime, Brandt said the annual AFERM survey, which closes Aug. 25, will provide one of the best updates on the maturity of ERM across government.
“The nice thing about AFERM is that it’s a resource for the federal community for ERM practitioners or managers, anybody really, that’s got a role or wants to know more to learn more about managing risks and addressing risks, and the federal sector can go to AFERM for help,” he said. “We’re sharing best practices. We bring other networks together with additional capabilities that can support through various organizations. What we’ve seen is that Treasury has been hosting an ERM community of practice that’s got more than 60 agencies that participate, and several hundred people that are part of the community of practice. We’ve got really good reach and an ability again to bring in speakers and share successes, and then talk about things maybe that didn’t quite work so well and what were some of the lessons learned.”
Brandt said the results from the survey will come out at the summit in November, which features a keynote from IRS Commissioner Danny Werfel.
“In order for risk management to work in any organization, everybody has to have a role. Everybody needs to be attuned to risk. They also need to understand or be aware of what do I do if I identify a risk. Is there someplace to go? Is there somebody that can help? What are some of the tools that are available to me to help get a handle on what are the key risks of my organization? How might I raise these and get assistance from other parts of the organization? That’s the intent of this summit and AFERM more generally,” he said. “At the end of the day when we’re mitigating risk, we often have to rely on folks throughout the organization to work together and partner with us in coming up with those strategies, those tactics and those techniques that are going to help us minimize kind of risk exposure and hopefully reduce the risk likelihood. To boost resiliency, everybody’s got a role in helping their agencies be more resilient to risk.”