Discussion about how GAO’s High Risk List relates to ERM programs, using ERM and performance governance structures to address issues on the List, and working across agencies on multiagency risks.

As with other enterprise risks, effective cybersecurity risk management embeds when: senior management has well understood and prioritized the key cybersecurity risks for the organization, the cybersecurity team is focused on prevention and mitigation of these risks and employees are well informed and incentivized to sustain cybersecurity awareness. Unfortunately, the complexity and highly technical nature of cybersecurity has frequently resulted in its implementation being the exclusive domain of specialized professionals. Insufficient engagement of senior management and regular employees exacerbates practically all cybersecurity risks, increasing their likelihood and potential severity. Consequently, finding and deploying ways to positively engage them represents an important effort in managing cyber risk. Our session empowers risk managers who are not IT experts to get actively involved in cybersecurity and facilitate engagement of both their organization’s senior management and other non-technical employees. We will present an intuitive cybersecurity risk categorization, which represents an easy-access way to introduce key types of cybersecurity risk to all non-expert employees. For each cybersecurity risk category, we provide a real-life example of where the risk occurred, including how the organization in question dealt with it and the consequences.

A panel of CROs/heads of ERM discuss:

• Which skillsets they feel are important in effective ERM teams and in CROs,
• What they look for when interviewing ERM professionals, and
• What different backgrounds can bring to ERM (legal, accounting, performance, organizational dynamics, change management, etc.)

ERM integrating with strategy and performance.

The human element is increasingly recognized as the biggest vulnerability in cybersecurity and the largest contributor to operational risk yet no risk frameworks effectively quantifies or assesses human factor risks. These findings are the subject of collaborative research with leading Ivy league universities and the Cognitive Risk Institute. This session goes beyond internal controls, audit and compliance to present a framework that integrates risk governance, cybersecurity and ERM practice in novel ways based on evidence-based scientific research.

This session will discuss the journey that Intermountain Healthcare has taken to design and implement a third-party supplier risk management program using Enterprise Risk Management principles. Our goal is to create an infrastructure for identifying, assessing, prioritizing, and mitigating the following nine risk categories-location risk, sourcing risk, labor risk, financial stability risk, compliance risk, logistics risk, quality assurance risk, sustainability risk, and technology risk that could cause a potential disruption to our supply chain.

This breakout discussion will address how ERM is currently applied in organizations and agencies and how it could be applied at the broader government level. This broader level might necessitate a CRO for the United States.

Governance, Risk and Compliance (GRC) technologies and data analytics are helping organizations automate manual processes, improve data quality, and gain insights into their data in new ways. This session will explore the criticality of GRC technology to managing risk portfolios with a lens on connecting data points to inform key strategic, operational, budgetary and acquisition decisions for an agency. The panel discussion will address the foundational elements, such as governance, people and process, needed within ERM and risk management programs to recognize technology benefits that have helped organizations improve insights into their data, mature and sustain their programs, and gain ERM adoption.

• How can we communicate the need for ERM to new leadership and gain their buy-in?
• How do we articulate ERM successes and demonstrate the value of ERM?
• How do we continue to mature ERM capabilities and sustain organization-wide engagement?

Current events demonstrate the potential for severe disruptions to services and product streams that we all rely on. Cybersecurity and Cyber Supply Chain Risk Management continue to be front-of-mind for federal agencies and risk managers. This session will highlight key strategies and tools presented in recent guidance issued by the National Institute of Standards and Technology (NIST) on these subjects to support effective risk reporting and integration with enterprise risk management efforts, and will provide lessons learned from practitioners.