The Federal Retirement Thrift Investment Board’s Office of Enterprise Risk Management has been busy since it was first born about 3 years ago.
The office is maturing and developing on schedule, said Jay Ahuja, FRTIB chief risk officer. But it still has at least 3 years more to go before risk is fully integrated into the board’s culture and strategic decision making.
“We have a lot of the functions of a typical risk management office in place, but to caution, there’s a lot of work that needs to be done,” Ahuja said during the board’s monthly meeting March 29.
The office reached the end of level two in a five-step maturation and development cycle.
Now, the Office of Enterprise Risk Management is looking to the private sector for help in developing best practices on cybersecurity and risk management procedures.
“What we wanted to do was … to get educated on what’s happening as it relates to our peers in the private sector,” he said. “What we want to do is get wise in terms of what’s happening with the Fidelities and the T. Rowe Prices of the world. What do they do to harden their entrance? What are the mechanisms that they have in place? What are the controls that they have in place?”
The goal is to finish the cybersecurity study by mid-May, Ahuja said, so that the board can begin to compare themselves with their private sector peers.
Like nearly all agencies, cybersecurity has been a tough barrier to cross for the FRTIB. Hackers accessed personal information for 123,000 TSP participants through one of the board’s contractors in 2012.
The board has received from criticism since then, from the Labor Department and Congress, for the sluggish progress it’s made in fixing its cybersecurity systems and responding to concerns from outside auditors.
The office helped outside audit organizations with 14 internal audits over the past 5 months, and it plans to support 11 more in the next 11 months. It also finalized 83 policies and procedures and expects to complete 100 of them by the end of the fiscal year, Ahuja said.
But besides responding to audit findings and clearing recommendations, identifying the root causes of risk within the FRTIB will be the key to success, Ahuja said.
The Office of Enterprise Risk Management is also developing a risk training program for the board’s employees, who have yet to embed risk within the agency’s culture and daily thinking.
“Initially, the training program is going to be focused on the audit activity we have, when you need to respond to the DOL [Labor Department] and why that’s important for us,” Ahuja said. “But we can take that body of training and escalate that to the other risk management activities.”
Greg Long, executive director of the board, said he sees both the progress and challenges FRTIB continues to face.
The board is actively building risk management practices into its long-term strategic planning activities, Long said. But FRTIB hasn’t yet thought about how it can build risk management into “the problems that come up tomorrow,” he added. The board still needs to consider how it can embed that kind of thinking into its business decisions that come up suddenly.
“It’s not linear,” he said. “Some days it’s two steps forward, one step back. It’s a challenge, and it’s hard, and it’s trying to change the way we do business. We are meaningfully better than we were. But it’s been a bumpy ride.”