Step 8 - Manage Program Risk
Risk management involves the identification of policies, procedures, and practices, as well as the analysis, assessment, control, and avoidance of threats to the continuing efficiency, profitability, and success of program operations. Proactive risk management is paramount within an agency's ICAM program. This requires the involvement of the entire program management team and active tracking of issues. Follow the checklist below to learn more about developing and managing your ICAM Risk Management Program.
Checklist
Develop a Risk Management Program. To develop a Risk Management Program, you should identify your agency's policies, procedures, and practices surrounding Risk Management. You should also consider the assessment, control, and avoidance of threats to ensure the continued efficiency, profitability, and success of program operations. Being proactive in your risk management program is important to the success of your agency's ICAM program. Below, we've included common characteristics of a Risk Management Program for you to consider during your development.
Characteristics of Risk Management Programs
- Stakeholders at all levels within a project can identify a risk
- Processes exist to analyze, prioritize, and determine mitigation approaches for identified risks
- Procedures are in place for assigning owner(s) of a risk and defining risk ownership responsibilities
- A defined escalation path exists for flagging and resolving risks up to and including executive leadership, as necessary
- There is an ability to track the resolution efforts and their effectiveness
- Risk status is reported to organizational leadership
Develop a Risk Management Plan. You should develop a Risk Management Plan that defines the way risks are measured for your agency's ICAM program. It should define a process for risk identification and appropriate response, and assign roles and responsibilities for each stage in that process. Tools are available commercially to help manage and track risks for a program. Your agency may already have risk management tools that you can use within the ICAM program.
Develop a Risk Registry. A leading practice in Risk Management is the use of a Risk Registry, or Risk Log, which will help you manage, assign, and track risk events. The Risk Registry usually includes:
- The description of the risk event
- The date that the event occurred
- How the event was resolved
- Resolution effectiveness
- The owner of the event
Review and updating of the Risk Registry should be incorporated into ongoing management processes.
The table below summarizes some of the common risks faced within an agency ICAM program and sample mitigation approaches.
Common Program Risks

| Risk | Sample Mitigation Approaches |
| --- | --- |
| If agency plans and budgets do not include ICAM activities, adequate funding may not be available for modernization efforts and the agency will not be able to meet requirements and deadlines for the FICAM architecture | • Develop a consolidated ICAM business case and funding request to secure funding beginning in FY12 • Communicate funding needs to the agency OCFO and explore existing funding sources within the agency • Determine if internal funding can be routed to ICAM efforts, for example, working capital |
| If the agency's ICAM transition plan does not gain support and adoption at the Assistant/Deputy Secretary level, including required compliance, the agency will not receive coordination and support from the necessary stakeholders in order to move forward with implementation | • Support the institution of a governance structure for ICAM (to include the ESC) • Develop and implement a Communications Plan |
| If the agency doesn't meet the scheduled transition activity milestone dates, funding for ICAM and other agency systems may be impacted | Based on agency FICAM architecture analysis, provide realistic completion targets for ICAM activities to OMB in the ICAM Transition Plan template |
| If the bureaus/components fail to adopt enterprise ICAM services in a timely manner, overall agency ICAM implementation and compliance will be delayed | Dedicate ICAM program management resources and program funding to gain stakeholder buy-in and support bureau/component-level implementation requirements and efforts |
| If the agency is unable to staff dedicated resources with the necessary technical knowledge, the agency will be unable to successfully execute technical implementation and the program schedule will lag | • Leverage cross-agency ICAM expertise via working groups and outreach in order to supplement staff knowledge • Incorporate staff augmentation in the ICAM acquisition plan in order to ensure necessary skill sets |
| If the ICAM effort is unable to gain acceptance by the user population, the agency will not be able to meet FICAM requirements and deadlines | Dedicate additional ICAM program management resources and program funding to increase the communication effort and promote awareness |
| If the ICAM solution vendor(s) goes out of business, the agency may experience program delays or incur additional costs to migrate to new solutions | • Include supply chain risk management in the ICAM program Acquisition Plan and identify alternative solution component sources; where possible, use approved vendors and products from established acquisition vehicles • Include activities for compiled software escrow and source code escrow |
Perform a Security and Risk Management Assessment. Your agency is required to perform a risk assessment on all systems to determine the extent of the potential threats associated with each system. Risk assessments assist agencies in determining the proper security mechanisms for information systems based on their level of risk. ICAM solutions are capable of supporting innovative approaches to IT risk management. ICAM implementations also offer the ability to support required information system security controls using common services for the entire organization, which can significantly streamline the accreditation process.
Apply the Risk Management Framework. Your agency's information systems must meet Federal Information Security Management Act (FISMA) requirements. This includes the application of the IT Risk Management Framework (RMF) defined in NIST SP 800-37. The RMF is designed to help you build information security capabilities into your agency's information systems that better monitor the real-time security status of those systems and provide relevant information to agency leadership to enable risk-based decisions about their operation.
The six steps in the RMF cycle are summarized below. The RMF allows you to move between steps and to allocate resources to each step as needed; however, no step should be given less emphasis than the others.
Categorize Information System. Categorize information and information systems based on your agency’s mission and business objectives. Describe each information system, including: full name with acronym, location of the system, version number, types of information held in the system, system owner, and other specific agency requirements. Register the information system within specified program offices.
Select Security Controls. Select the appropriate security controls for the information system and document the controls in the security plan. Develop a continuous monitoring strategy to determine the ongoing effectiveness of the security controls and to track any changes to the information system. Review the proposed security controls and ensure that the security plan has identified any possible risk to the agency.
Implement Security Controls. Implement security controls from the security plan (created in Select Security Controls). Document the implementation of the security controls in the security plan.
Assess Security Controls. Create and approve a security assessment plan for the security controls and ensure assessors follow the documented procedures in the plan. Document any problems or recommendations from the assessment in an assessment report and adjust the affected security controls if needed.
Authorize Information Systems. Create a plan of action based on the findings in the security assessment report; when completed, submit it to the authorizing agency official for review. The authorizing official reviews the package and determines the risk to organizational operations, such as the mission or assets.
Monitor Security Controls. Review and determine the security impact of any changes to the information system. Update the security plan, security assessment report, and plan of action as needed during the continuous monitoring process. Following the monitoring strategy set forth, report the security status on a continual basis.
ROI
Implementing proactive security controls, such as those offered by enterprise ICAM services, can save an agency money through risk avoidance. The average organizational cost of a data breach in 2010 was $7.2 million, an average of $214 per compromised account. Proactive measures cost organizations significantly less, with the average cost for detection and escalation being $13 per record and $51 during ex-post response.
FAQ
What is the difference between the Certification and Accreditation (C&A) process and the Risk Management Framework (RMF)?