Is the cloud the next stop for enterprise risk management?
- By Shawn McCarthy
- Mar 03, 2014
Could enterprise risk management become a common cloud-based service at most government agencies? It's an idea being explored by other industries, especially within the financial management and manufacturing sectors. There's a good chance that the idea could take root in the public sector too.
Once an organization assesses its potential safety and economic risks, specific rules can be then be set to help mitigate those risks. Historically organizations have not always taken an enterprisewide approach to risk management. More often solutions were done piecemeal, such as requiring locks on certain doors or passwords on specific machines. As risk management became more formalized, it slowly became an evaluation process to be followed, a set of formal decisions to be made and a way to track and enforce specific rules.
A risk-management system often is used not only to track risk but to document decisions made on how the risk should be addressed. This system can include coordinating resources to minimize risk, monitoring risk-related activity, and managing the short- or long-term impact of known risks.
Such systems fall under the general heading of governance, risk and compliance (GRC), and many government agencies already have systems in place to help them manage their approach to risk. The key word here, though, is "systems" (plural). Agencies can find it difficult to integrate a truly enterprisewide view of how risk is managed. Too often GRC systems have been built ad-hoc at the sub-agency level to deal with local issues.
Further, government has unique needs. Risk management is not the same for government as it is for an insurance company that is working to manage risk and assure profits across thousands of insurance policies and investments. Government also tends to focus heavily on risk associated with project management. Getting program or project governance properly aligned helps ensure success for the program itself, and it also reduces long-term risk from other internal and external factors.
There are popular GRC solutions available from enterprise software vendors such as Oracle and SAP. Some organizations have created their own customized risk-management solutions, and other companies have risk-management solutions that are targeted at a specific issue, such as compliance with the Federal Information Security Management Act or the Homeland Security Presidential Directive (HSPD) 12.
We've also seen compliance monitoring and enforcement systems that address data privacy, cyber-threat protection, configuration management rules and monitoring as well as network monitoring. The Federal CIO Council even mentioned these types of systems as leading priorities for 2014. Individual government lines of business are influencing an ever greater number of investment decisions related to GRC initiatives.
So there's a critical mass of interest in these types of solutions. That’s because agencies are under pressure to take an enterprisewide approach to GRC. They need to upgrade systems in order to make that happen, and there are always new rules hitting them that affect what their risk-management systems must track. In fact, big data and analytics draw the most attention for risk and innovation, and both are key expansion areas for government agencies. Meanwhile, we have an increasingly mobile workforce and onset of new cyber threats. Thus, security and risk has become a key government business function that relies on technology as a cornerstone to its success.
Cloud-based GRC solutions are a logical step for agencies that need to address new rules, consolidate systems and serve their mobile workforce. Most enterprise software vendors offer cloud-hosted versions of their risk management solutions, and it's worth talking to them to see if this is a logical place for an agency to migrate.
Government can offer help too. Last year the National Institute of Standards and Technology published a Draft Cloud Computing Security Document that introduced a "cloud-adapted Risk-Management Framework for applications and/or services migrated to the cloud." Back in 2010 NIST also established a guide for applying the Risk-Management Framework to federal IT systems. GSA also offers a set of solutions under a blanket purchase agreement related to Risk-Management Framework and associated services (though it's not clear how much of this is available via cloud.)
What all of this means is that there is a growing focus on risk-management solutions in general — and GRC solutions in particular. It can be difficult for agencies to tackle all that is required for compliance, while still meeting the needs of their mobile workforce. Cloud solutions seem to offer the best potential right now, but they may not offer total compatibility with all government systems and individual agency requirements.
But the trend is clear, and taking risk management to the cloud should definitely be part of the discussion at most agencies.