Government Risk Awareness Week 2024
Cyber-ERM Community of Interest: Merging Strategy and Decision-Making for Government Cybersecurity
As cyber threats become more sophisticated and pervasive, the federal government faces increasing pressure to align strategic decision-making with comprehensive cybersecurity risk management. To address these challenges, the integration of Enterprise Risk Management (ERM) with cybersecurity practices is crucial. The Cyber-Enterprise Risk Management Community of Interest (Cyber-ERM COI), an interagency group affiliated with the Association for Federal Enterprise Risk Management (AFERM), is leading this critical integration.
Comprised of 175 members from 53 federal agencies, the Cyber-ERM COI brings together federal ERM and IT practitioners to bridge communication between agency-level ERM and cybersecurity risk management functions. The Cyber-ERM COI enhances strategic decision-making across federal agencies by embedding cybersecurity risk management into the core of governmental operations, thereby improving the U.S. Government’s ability to respond to a dynamic and evolving cyber threat landscape with resilience and confidence.
Introduction to the Cyber-ERM COI
The Cyber-ERM COI is a collaborative interagency community that brings together federal agencies to explore and navigate cybersecurity risk management challenges. By promoting communication and cooperation between ERM and cybersecurity functions, the COI supports efforts to align strategies and address emerging risks, helping agencies better prepare for evolving threats.
Strategic Importance of the COI’s Present and Past Work
To support AFERM priority themes, including the 2024 theme focusing on the intersection of government decision-making and strategy, and previous themes such as weaving cyber into the fabric of the federal government, the COI has elevated cybersecurity as a core priority within governmental operations. By promoting a culture of continuous learning and collaboration, the COI provides federal leaders with the tools and knowledge necessary to enable and protect their agencies’ missions effectively.
To address the complexity of cybersecurity and ERM integration, the Cyber-ERM COI has created three specialized working groups, each targeting key areas of risk management crucial for federal resilience: the Cyber Risk Register (CRR) Working Group, the Risk Appetite and Tolerance Frameworks Working Group, and the Tools & Technology Working Group. Each group and its subgroups play a vital role in aligning cybersecurity risk management practices with the strategic objectives of federal agencies.
Cyber Risk Register Working Group
The Cyber Risk Register Working Group is focused on developing a comprehensive, hybrid risk register template that considers existing templates. This new template will address diverse system and agency-specific needs by providing customizable and scalable options for risk registers that accommodate different business decisions and reporting levels.
The new hybrid template created by this working group combines the best aspects of other frameworks, with system-focused details to provide flexibility and encourage creative use. The goal is to help agencies better capture, categorize, and manage risks, ensuring a clearer understanding of potential impacts and appropriate mitigation strategies.
By integrating elements from respected frameworks, the new hybrid template offers a standardized yet flexible approach to risk management that can be tailored to each agency’s unique requirements. This helps align risk management efforts with broader strategic priorities, enhancing resilience in an unpredictable cyber environment.
Risk Appetite and Tolerance Working Group
The Risk Appetite and Tolerance Working Group is essential for developing risk appetite and tolerance sample statements, templates, and best practices that guide federal decision-makers in balancing risk and opportunity. These statements help foster a culture of informed risk-taking and decision-making across federal agencies.
In 2023, 54% of federal organizations reported having a defined risk appetite statement, maintaining the same rate as in 2022 but significantly higher than 39% in 2021. Additionally, there was an increase in the communication of these statements across organizations, with 23% of respondents integrating them into strategy and decision-making processes, up from 18% in the previous year. This represents the highest rate since this data was first collected in 2017, underscoring the growing recognition of risk appetite statements as essential tools for navigating complex challenges.
Moreover, organizations with longer-duration ERM programs are more likely to have risk appetite statements, with 68% indicating they have one, compared to 30% of organizations with shorter-duration programs. Furthermore, 85% of ERM programs rated as “managed or optimized” had risk appetite statements, compared to just 44% at an “initial or developing” maturity level.
These findings highlight the importance of maturity in risk management practices, demonstrating that well-established ERM programs are better positioned to articulate and implement risk appetite statements effectively.
Tools and Technology Working Group
The Tools and Technology Working Group seeks to address opportunities presented by various technology options to advance risk analysis, improve efficiency and effectiveness of ERM programs, and help to further integrate enterprise risk analysis with domain-specific risk management activities within an agency. This includes activities in the information communications technology arena as well as other critical inputs to ERM programs such as audit results, governance and policies requirements, and technology innovation. The subgroups explore various aspects of tools and technology in ways that can benefit agencies.
Subgroups include:
- The Governance, Risk, and Compliance (GRC) Tools Considerations for Enterprise Risk Management (ERM) Subgroup provides considerations for agencies pursuing technology solutions at the enterprise level to inform build-or-buy decisions. The considerations are outlined in a guidance document intended to inform decision-making and cybersecurity-ERM integration. The document covers benefits at the ERM program and agency levels, roles and responsibilities, and a decision tree, followed by a process overview and additional considerations.
- The Artificial Intelligence (AI) Comparative Analysis and Questionnaire Subgroup analyzes the implications of artificial intelligence for cybersecurity and governance. It provides actionable insights on leveraging AI for strategic advantage, aligning with the National Institute of Standards and Technology (NIST)’s guidance on adopting a proactive approach to AI risk management (NIST.AI.600-1, Sections 1.3, 2, and 2.3). This subgroup helps federal leaders understand AI’s potential risks and benefits, supporting informed decision-making and strategic adaptation.
Driving Strategic Decision-Making Through Cyber-ERM Integration
As cyber threats continue to evolve, integrating cybersecurity risk management and ERM is crucial for federal government resilience. The Cyber-ERM COI is uniquely positioned to drive this integration, enabling federal leaders to make informed strategic decisions that enhance both security and resilience.
By engaging with the Cyber-ERM COI, federal agencies can leverage shared expertise and adopt best practices, ensuring they are prepared to navigate the ever-changing threat landscape and fulfill their mission objectives.
We encourage all federal practitioners and stakeholders to become active participants in this vital community, contribute to its efforts, and help shape the future of cybersecurity strategy within the federal government.
Together we can build a more resilient government capable of meeting today’s challenges and anticipating tomorrow’s threats!
Take Charge of Cyber Futures: Join the Cyber-ERM COI and Shape Our Strategic Defense!
The Cyber-ERM COI invites all federal employees working in risk-related fields who are interested in developing their skills in ERM and cybersecurity. Non-federal employees can join if they have a federal sponsor and receive approval from the Chairperson(s). If you would like to join, please contact us through:
Communities of Interest/Practice – AFERM – Association for Federal Enterprise Risk Management