How do the departmental risk programs of your organization come together under Enterprise Risk?


Anonymous Author
I'm with a state agency here in Texas, and our risk perspective here is different, and has been for state agencies for many years. DPS was born back in the '30s, but we actually didn't have a risk manager until the late '90s, almost 2000. In 2008, there was a Deloitte study on the agency by a sunset commission to determine if there was still a need for the agency. Deloitte identified that the agency needed a risk management process. They started an enterprise program management office thinking that they would look at enterprise things and manage risk out of that. It wasn't as successful as we had hoped. So in 2014 they said, "Hey, guess what? You're going to get to help rebuild this like you've rebuilt some other things." Even up until 2014, the risk manager was concentrated on workers' compensation and what went on at headquarters and not really out in the field. We were very siloed. The Continuity of Operations group and enterprise risk management were very divided. IT, Workers' Comp, and law enforcement and intelligence all had their own group but really didn't use the risk terminology. In 2014, we actually put the ERM designation upon the agency and started looking at it as a proactive versus a reactive group. We're very good at reacting to issues and problems and making sure that those don't happen again. But in the last year or so we created a disaster recovery group for our IT; we call it ITDR. ITDR, our Continuity of Operations group, and our risk manager group work together as the three primary groups in those conversations. Now we are adding Cyber and the Intelligence Community. We're starting to cooperate and collaborate together to hopefully break down some of those silos. Our security is actually just a physical security group, and they don't even cover the entire agency. I have 858 facilities in Texas, and they're spread out into seven different regions, but there's no one central security group.
We're identifying risk in the programs, processes, and protocols to start the discussions about, "Hey, what's the security risk part of this? So what can we do about that?" It's going to take a long time. In 2014/15 I told the agency I thought it would be a 3-5 year process. We have fallen back a little bit because our emergency management group split off in the last year and now they're their own state agency. So we're regrouping, and I'm looking at probably another 5-7 years just to get that cultural shift to think proactively from top leadership down and make sure that our internal and external factors are really shaping our context into our objectives.
0 upvotes
Anonymous Author
I come from the enterprise risk management side. When I started at my current employer, they said, "Okay, you're going to come and help set up IT risk management and then we'll get to enterprise risk management." I said, "No. We're going to set up enterprise risk management as the umbrella that provides the framework for how we look at all the different risks." Our organization is lucky in that it's a very operational company, and so we know how to manage risks around employee health & safety, physical security, fraud, compliance. All the typical things that you would find in many organizations. One of the challenges I had was trying to make sure that people understood the language around NIST CSF (National Institute of Standards & Technology Cybersecurity Framework). The CSF borrows or uses a lot of the risk language, but means something slightly different. And we're talking about so many different types of risks. For me, it is about having a common framework. I will always want people to just stop and think about what they are solving for, how much of a risk this is to our organization, what our risk appetite is around that, etc. Take health and safety, for example. We have zero appetite for injuries. We have programs in place. We want everyone to go home in better condition than when they come to work. That's very mature. And the policies support the risk appetite statement. And then I talk about the methodology, which would be any OSHA standards, any requirements to implement that program. I try to give flexibility. So for cyber it might be NIST CSF, for safety it might be OSHA, and then physical security would be NFPA and all those other different requirements. I try to build consistency across roles, responsibility, and governance. You have to be clear about who's responsible for what and how you raise that up through the governance structure. How do you escalate issues?
I'm a team of one and I don't lead any of these programs, but I try to influence all of them. I report up through the chief risk officer to the board and to senior management, and I'm trying to get them to think strategically as well because, sure, we know what risks are out there today and they're pretty mature, but every year I want them to stop and look out the window and say, "What's on the horizon? What have we not thought about?" That way we bubble up really cool things like extreme climate or geopolitical risk. We may not be able to control it, but at least we can see it and we know what's coming.
0 upvotes
Anonymous Author
When I was in healthcare, we were grappling with the problem where everybody had a different lens. Each lens had its own span of control. Don't cross into my space and expect to have ownership. We ended up creating a principle-based governance model. So the principle is no one's allowed to own anything outside of their span of control. And then at the table we got the council together. The council had a charter and we had principles, and then we said, "At that table when you're making a decision, each lens will default to the expert in that area." So if it's a legal matter with a little security added in there, legal and security would take the lead and they would have to collaborate to make the decision. What was happening for us at the time was, by having those different lenses, the IT project PMO office was literally having to go around at every meeting to get approvals to launch projects and upgrade systems. It was costing a lot of time and money. Worst of all, the risk decisions weren't integrated. So you had one lens, highly conservative, that would issue directions that were tight, and another lens, a little less conservative, that would issue risk guidance. It was all over the place. Teams were executing and the risk guidance wasn't integrated, and that created an absolute mess. So that Information Risk Governance Council, which is what we founded, brought all those lenses together and enabled them to make decisions based on these principles. There was decision-making structure in that framework too, so that we could route through decisions quickly. The first year was fantastic. We made all kinds of decisions, helped execute things, moved things along. Second year, forget it, it fell apart.
0 upvotes
Anonymous Author
I'm the CSO for Travis County. That's in Austin, Texas. Risk management is a little strange where I'm at. The County isn't mandated to do security by any specific laws outside of HIPAA, PCI and CJIS. An elected official in Texas answers to the public, so counties are usually decentralized with many leaders. I report under the Commissioners Court, which is four commissioners and the County judge. There are 50 other elected officials that are at the same organizational level as my management (clerks, judges, constables, justices of the peace). We don't have clearly defined roles. We don't have ownership and accountability, and it's extremely difficult. My goal is to explain to elected officials, "That's your program and you own that program." Even if you outsource a business function, you still own the program. You have to answer all the questions, and at the end of the day, the news article is going to say your program had X, Y, and Z. So what are we going to do about it? It's all about protecting the brand; it's all about protecting yourself. And so just the diversity of the organization makes it extremely difficult to manage.
0 upvotes