Day 1 Agenda — 2018 AFERM Summit (Tentative)

Speakers

Sean Vineyard, Chair, 2018 ERM Summit Planning Committee
Peggy Sherry, President, Association for Federal Enterprise Risk Management (AFERM)

The awareness and acceptance of ERM in the federal government has grown consistently over the past several years.  However, as more and more organizations have endorsed ERM, they have done so with sometimes inconsistent terminology and concepts. Given the current absence of a single authoritative standard in the Federal government, this situation is likely to continue and grow.  The panel will explore experiences in the private and public sectors and use and  discuss recommendations for the federal government.

Speakers

Peggy Sherry, President, Association for Federal Enterprise Risk Management (AFERM)
Annette Homan, RIMS COO

Stretch Break

During the 1-hour session the speakers will discuss the following:

• Using data analytics to identify and mitigate risks associated with the over-prescription of opioids.
• Integrating best practices at the federal, state and local levels and forging partnerships to help address opioid abuse
• Leveraging lessons learned from opioid abuse to mitigate risks before they become a crisis

The Federal Government supports state and local partners when requested, prepares the nation’s healthcare system, and connects people to real-time public health and medical emergency information. This panel will discuss risk management strategies used to fulfill mission objectives and save lives.

What key milestones make an ERM Implementation Strategy work? In this session, participants will learn some of the not-so-conventional methods that has and can be used by resiliency in leadership to ensure the staying power of ERM practices in agencies.  Methods used over the past seven years will be shared to shed light on the opportunities and challenges associated with program implementation.  The session will discuss methods that address the deliverables in the revised A-123 policy (i.e. risk profile, governance, and integration of ERM and Internal Control) from the Department of Commerce perspective.

Extended enterprise risk management (EERM) is the practice of anticipating and managing exposures associated with third parties across the organization’s full range of operations as well as optimizing the value delivered by the third-party ecosystem. What does third-party risk look like? While one often thinks of data breaches involving IT providers, the tentacles of third-party risk extend into the farthest corners of the extended enterprise ecosystem.

Recognition of the AFERM Leader, Practitioner and Volunteer of the year for 2018 and AFERM Hall of Fame.

Sponsored by:

Every Federal agency is confronted with the risks associated with cyber. Many of those agencies assign the management of this risk to the technical teams under the CIO or CISO. But cyber vulnerabilities can have much broader implications to the strategic, operational, and reputational risks of the entire agency, requiring broader engagement by senior executives at the enterprise level. This panel will describe how leaders at two Federal agencies are bringing an ERM lens to cybersecurity to do just that.

SES’s don't just “magically” learn how to plan and prepare for difficult leadership conversations about ERM. Learn from successful executives about different tools, techniques, templates, and approaches that can help each of you master conversations about ERM.

Often the first step agencies take in establishing their ERM program involves conducting an enterprise-wide risk assessment, yielding a list of risks to the organization.  So what’s next?  The real value of ERM comes when there is an increased understanding of how those identified risks impact the strategic goals of the organization.  Taking a deep dive into the drivers of the risks can reveal a path toward the most appropriate deployment of resources to address the most significant and controllable core issues.  To support the forward momentum of mitigation activities, it is important to set realistic targets or metrics for those efforts to achieve.  By quantifying the impact, positive or negative, to the overall mission and strategic objectives that risk has in your organization, you can elevate your ERM program to one that provides significant value and informs decision making across the organization.

Over the past decade, the ERM community of practice has been making great strides in implementing ERM in the Federal government. As we sustain and improve upon these ERM programs, we can’t lose sight of the importance of motivation. We need to continue to motivate our risk management practitioners as well as our stakeholders. Hear from government leaders on the attitudes, behaviors, tone at the top and corporate values they use in managing risk and how they communicate the value of ERM, culture and governance to motivate their workforce to continue to implement and improve upon their ERM practices.

NIST is doing a major upgrade to one of its flagship security guidelines, Special Publication 800-37, the Risk Management Framework (RMF). The updated RMF 2.0, to be published this Fall, will provide many new features for Cyber Risk Officers and Enterprise Risk Management (ERM) programs. In addition to managing security risk, the RMF 2.0 will also address privacy and supply chain risks and the alignment with key constructs in the Cybersecurity Framework (CSF) as part of a comprehensive and unified ERM approach. The NIST update responds to recent Executive Orders, OMB policies, and Defense Science Board recommendations with the following design objectives to:

• Provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
• Institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
• Demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
• Integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
• Promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the relevant tasks in the RMF;
• Integrate supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
• Allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5 (to be published in early 2019).

Speakers

Peggy Sherry, President, AFERM
Tom Brandt, President-Elect, AFERM

Speakers

Peggy Sherry, President, AFERM
Tom Brandt, President-Elect, AFERM