Tuesday, October 30, 2018
Note: This is a tentative schedule subject to change.
General Session 1: Welcome & Opening Comments
Plenary Session 1 — Aligning Internal Controls, Risk Management, and ERM: Challenge or Opportunity?
The awareness and acceptance of ERM in the federal government has grown consistently over the past several years. However, as more and more organizations have endorsed ERM, they have done so with sometimes inconsistent terminology and concepts. Given the current absence of a single authoritative standard in the Federal government, this situation is likely to continue and grow. The panel will explore experiences in the private and public sectors and discuss recommendations for the federal government.
RIMS CRMP-Fed Recognition
Plenary Session 2 — Innovative Strategies to Address High Risks in the Public Sector: Over-Prescription of Opioids in Government Worker Programs
During the 1-hour session the speakers will discuss the following:
- Using data analytics to identify and mitigate risks associated with the over-prescription of opioids.
- Integrating best practices at the federal, state and local levels and forging partnerships to help address opioid abuse.
- Leveraging lessons learned from opioid abuse to mitigate risks before they become a crisis.
* BREAK *
Track 1, Session 1A — Elevating Risk Practices in Public Health Response to the Enterprise
The Federal Government supports state and local partners when requested, prepares the nation’s healthcare system, and connects people to real-time public health and medical emergency information. This panel will discuss risk management strategies used to fulfill mission objectives and save lives.
Track 2, Session 2A — The Resilient Leader's Strategies for ERM Success
What key milestones make an ERM Implementation Strategy work? In this session, participants will learn some of the not-so-conventional methods that have been, and can be, used by resilient leaders to ensure the staying power of ERM practices in agencies. Methods used over the past seven years will be shared to shed light on the opportunities and challenges associated with program implementation. The session will discuss methods that address the deliverables in the revised A-123 policy (i.e. risk profile, governance, and integration of ERM and Internal Control) from the Department of Commerce perspective.
Track 3, Session 3A — Extended Enterprise Risk Management and the Public Sector
Extended enterprise risk management (EERM) is the practice of anticipating and managing exposures associated with third parties across the organization’s full range of operations as well as optimizing the value delivered by the third-party ecosystem. What does third-party risk look like? While one often thinks of data breaches involving IT providers, the tentacles of third-party risk extend into the farthest corners of the extended enterprise ecosystem.
* LUNCH & AFERM Annual Awards Presentation *
Recognition of the AFERM Leader, Practitioner and Volunteer of the year for 2018 and AFERM Hall of Fame.
Track 1, Session 1B — Integration of Cybersecurity and ERM
Every Federal agency is confronted with the risks associated with cyber. Many of those agencies assign the management of this risk to the technical teams under the CIO or CISO. But cyber vulnerabilities can have much broader implications to the strategic, operational, and reputational risks of the entire agency, requiring broader engagement by senior executives at the enterprise level. This panel will describe how leaders at two Federal agencies are bringing an ERM lens to cybersecurity to do just that.
Track 2, Session 2B — Tools and techniques for facilitating successful executive level conversations about ERM
SESs don't just “magically” learn how to plan and prepare for difficult leadership conversations about ERM. Learn from successful executives about different tools, techniques, templates, and approaches that can help each of you master conversations about ERM.
Track 3, Session 3B — Quantifying the Impact to Drive Strategic Objectives and Inform Decision Making
Often the first step agencies take in establishing their ERM program involves conducting an enterprise-wide risk assessment, yielding a list of risks to the organization. So what’s next? The real value of ERM comes when there is an increased understanding of how those identified risks impact the strategic goals of the organization. Taking a deep dive into the drivers of the risks can reveal a path toward the most appropriate deployment of resources to address the most significant and controllable core issues. To support the forward momentum of mitigation activities, it is important to set realistic targets or metrics for those efforts to achieve. By quantifying the positive or negative impact that a risk has on your organization's overall mission and strategic objectives, you can elevate your ERM program to one that provides significant value and informs decision making across the organization.
* BREAK *
Track 1, Session 1C — Integration as Innovation: How HUD Works Across Federal Agencies and Its Own Offices to Foster ERM/EFRM
Track 2, Session 2C — Communicating the Value of ERM, Culture and Governance: The Positive Impacts of ERM on Morale and How to Achieve Sustainable Motivation
Over the past decade, the ERM community of practice has been making great strides in implementing ERM in the Federal government. As we sustain and improve upon these ERM programs, we can’t lose sight of the importance of motivation. We need to continue to motivate our risk management practitioners as well as our stakeholders. Hear from government leaders on the attitudes, behaviors, tone at the top and corporate values they use in managing risk and how they communicate the value of ERM, culture and governance to motivate their workforce to continue to implement and improve upon their ERM practices.
Track 3, Session 3C — Cyber Risk and the Chief Risk Officer: What CROs Need to Know About the New NIST Risk Management Framework
NIST is doing a major upgrade to one of its flagship security guidelines, Special Publication 800-37, the Risk Management Framework (RMF). The updated RMF 2.0, to be published this Fall, will provide many new features for Cyber Risk Officers and Enterprise Risk Management (ERM) programs. In addition to managing security risk, the RMF 2.0 will also address privacy and supply chain risks and the alignment with key constructs in the Cybersecurity Framework (CSF) as part of a comprehensive and unified ERM approach. The NIST update responds to recent Executive Orders, OMB policies, and Defense Science Board recommendations with the following design objectives:
- Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- Demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the relevant tasks in the RMF;
- Integrate supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5 (to be published in early 2019).