Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education


Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education
FEDERAL STUDENT AID ENTERPRISE RISK MANAGEMENT GROUP
Cynthia Vitters

1. ERM in the Federal Government
2. Drivers for Risk Management in Government
3. Risk Management in Federal Agencies
4. FSA: A Performance-Based Organization
5. ERM Drivers at FSA
6. FSA's ERM Organization
7. FSA's ERM Program & Strategy
8. Current State of FSA ERM Program
9. Next Steps
10. Lessons Learned/Strategies to Consider
Slide 1

- Risk Management is not a new concept within the federal government
- Need to integrate RM into the strategic and decision-making process
- Need to abandon outdated practices of managing risks in silos and stovepipes
- Few success stories, best practices, and standard methodologies in and across the federal sector
- Problems aren't unique to the federal sector
Slide 1

New Legislation & Regulations Requiring Better Management of Risk & Improved Controls
- American Recovery & Reinvestment Act
- Revised OMB Circular A-123
- Federal Managers Financial Integrity Act (FMFIA) of 1982
- Improper Payments Information Act of 2002
- Federal Information Security Management Act (FISMA) of 2002
Slide 1

- Health Risk: Food and Drug Administration, Centers for Disease Control
- Security Risks: Department of Defense, Homeland Security
- Financial Risks: Government National Mortgage Association, Securities and Exchange Commission
- Transportation and Safety Risks: National Transportation Safety Board
- External Risks: United States Postal Service
Slide 1

An Integrated ERM Model at the U.S. Department of Education Office of Federal Student Aid

Federal Student Aid (FSA):
- Is the largest program office in the U.S. Department of Education (ED)
- Administers programs that provide the nation's largest source of student aid
- Is responsible for administration and oversight of Federal financial aid programs (Pell Grants, Stafford Loans, PLUS Loans and Campus-Based programs)
- Has approximately 1,000 employees (augmented by 6,000 contractors) across the country at its headquarters in Washington, D.C., and at 10 regional offices throughout the U.S.
Slide 2

- Annual budget of approximately $690 million in FY 09
- Administers approximately $100 billion of financial aid a year to college students
- Directly manages or oversees more than $575 billion in outstanding loans, representing almost 95 million student loans to more than 30 million borrowers
- Is led by the Chief Operating Officer, who is appointed by the Secretary of Education
Slide 3

- In 1998, Congress established Federal Student Aid as the first Performance-Based Organization (or PBO) in the Federal Government
- As a PBO, FSA operates under a congressional mandate to achieve concrete results while improving performance
- FSA is required to plan and report its operational and portfolio performance in administering the federal student financial assistance programs
Slide 4

- GAO High Risk List designation
- Regulatory and reporting requirements (e.g., A-123, Improper Payments Act, President's Management Agenda, etc.)
- Increasing external threats (i.e., terrorism, pandemics, natural disasters, privacy and/or data security breaches, etc.)
- Desire to reduce Fraud, Waste, and Abuse
- More proactive approach to addressing risk
- Desire for improved risk management information across the organization
Slide 5

- Includes the Enterprise Risk Management Group (ERMG) and ERM Committee
- The ERMG was formally established in May 2006 and is headed by FSA's Chief Risk Officer (CRO)
- The CRO reports to the General Manager of Enterprise Performance Management Services (EPMS), with a dotted line to FSA's Chief Operating Officer
- FSA's ERM Committee is comprised of five executives: Chief Financial Officer, Chief Information Officer, Chief Business Operations Officer, Chief of Staff to the COO, and the CRO
Slide 7

Chief Operating Officer
  Enterprise Performance Management Services
    Enterprise Risk Management Group (Chief Risk Officer)
      Risk Analysis & Reporting Division
        - Risk Analysis
        - Data Analysis
      Internal Review Division
        - Internal Review
        - Audit Liaison
Slide 9

The Enterprise Risk Management Group (ERMG):
- Provides risk management oversight & guidance to Federal Student Aid
- Is responsible for driving enterprise risk strategy and implementing FSA's ERM Program
- Performs internal reviews and risk assessments
- Is organized into two main areas: Risk Analysis & Reporting Division and Internal Review Division
Slide 10

Vision
To create the premier Enterprise Risk Management Program in the Federal government. One that provides for an integrated view of risk across the entire Federal Student Aid organization; aligns strategic risks with the organization's goals and objectives; ensures that risk issues are integrated into the strategic decision-making process; and manages risk to further the achievement of performance goals.
Slide 11

Mission
To enhance the ability of Federal Student Aid to identify, assess and manage risk across the enterprise
Slide 12

Strategy
- Involves Top Down and Bottom Up approaches
- ERM Program is a multi-phased effort
- Implementing a COSO-based ERM framework
- Current Timeline & Project Plan
- Contractor assistance
Slide 13

- Top Down Approach = High-Level Risk Assessment (targeted effort to identify & assess high-level, or strategic, risks at Federal Student Aid)
- Bottom Up Approach = Detailed Risk Assessment Activities (comprehensive effort to identify & assess risks across the organization's 28 business units)
Slide 14

PHASE I
- Creation of ERM Organization
- Development of Strategic Plan for ERM Program
- Adoption of Common Risk Language and Categories
- High-Level Risk Assessment
PHASE II
- Adoption of COSO-Based ERM Framework
- Development of Risk Assessment Methodology
- Implementation of Risk Technology Solutions
- Conduct of Initial COSO-Based Risk Activities
Slide 15

PHASE III
- Completion of Initial COSO Framework activities
- Use of Risk Tracking System to develop ERM reports for executive management
- Development of Key Risk Indicators (KRIs), trending reports and other means of risk monitoring
- Methodology, planning and completion of remaining framework activities: Risk Response, Control, Information, Communication, and Monitoring
Slide 16

COSO ERM Integrated Framework
Figure: The COSO ERM Cube
Slide 17

- FSA's ERM Framework is based on the ERM framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in September 2004
- The COSO ERM Integrated Framework consists of eight interrelated components and four objective categories applied across an entity's units
- The COSO Framework was developed with a focus on stockholder-owned, for-profit institutions
- FSA is conducting activities based on the COSO framework, but utilizing additional practices, measures and approaches to maximize value in a government, PBO setting
- FSA's ERM Framework also includes consideration of concepts and/or guidance from other Risk Management Frameworks (e.g., ISO 31000 and AS/NZS 4360)
Slide 18

- Creation and staffing of ERMG Organization
- Development of ERM Strategy and Program
- Adoption of COSO-Based ERM Framework
- Development of risk tools & resources (e.g., common risk vocabulary, categories and definitions)
- Development & implementation of Risk Tracking System (RTS)
- Conduct of High-Level (Strategic) Risk Assessments
Slide 19

- Risk Activities complete in over half of FSA's business units
- Over 600 business unit risks inventoried and assessed
- Associated risk information entered into Risk Tracking System
- Development of Enterprise and Strategic Level Risk Reporting
Slide 20

Figure: FSA (Source: U.S. Postal Office)
Slide 21

- Documentation of Business Unit objectives
- Facilitated Risk Discussions
- Risk identification and categorization
- Cross-walk risks with A-123 and project risks
- Risk Ratings (Significance & Likelihood) and Aggregate Risk Scoring
- Heat Map
- Summary Report
Slide 22

Risk Identification, Categorization & Scoring Slide 23

Heat Map
Figure: risk heat map plotting each numbered risk by Likelihood (1-5, vertical axis) against Significance (1-5, horizontal axis).
Aggregate Risk Scores:
- Critical (>10)
- High (9-10)
- Medium (7.0-8.5)
- Moderate (5-6.5)
- Low (1-4.5)
Slide 24

- ERM fully integrated into strategic planning and decision-making process
- All major risk types for FSA incorporated into ERM Program (i.e., business unit, project, program, and portfolio risks)
- Advanced risk monitoring, modeling, and trending capabilities
- Executive-level and comprehensive risk management organization
- Key risk functions fall under ERM umbrella
Slide 25

- Implementing ERM is a cultural change that takes time, resources and executive-level support
- Assign ERM responsibility to a dedicated risk executive with direct access to the highest levels in your organization
- Institutional/organizational knowledge can be invaluable
- A separate risk organization with adequate risk resources will significantly increase chances for successfully implementing ERM
Slide 26

- Most ERM efforts, even mature ones, are works-in-process. Some flexibility is key to successfully implementing your ERM Program.
- ERM is a dynamic process that continues to evolve
- The real value of ERM is realized when it becomes a regular part of everyday business.
Slide 27

Thank You
We appreciate your feedback and comments.
Cynthia Vitters
cynthia.vitters@ed.gov
(202) 377-4264
U.S. Department of Education, Federal Student Aid, Enterprise Risk Management Group