But dealing with risk only begins with understanding its scope. Because not all risks are equal, it’s up to leadership to identify the most potent risks and allocate risk mitigation resources to them, while not wasting time and money on remote risks. That process is known as risk management – and it’s something that federal managers are required to do.
Risk management happens when leaders gather the required people and functions together; for example, finance, human resources, program management, and IT. This group – and it should tend towards inclusiveness rather than exclusivity – operates so that everyone understands their role in communicating and mitigating risks.
For finance, it means ensuring the right financial controls are in place according to Green Book standards issued by the Government Accountability Office to help compliance with the Federal Managers' Financial Integrity Act. For a chief information officer, it means ensuring the cybersecurity controls in place conform to the guidance from the National Institute of Standards and Technology pursuant to the Federal Information Security Management Act as revised.
In short, stewardship and management of the federal government’s many missions require a sound approach to governance, risk and compliance, or GRC.
To explore how to understand and apply GRC, Federal News Radio convened a panel of subject matter experts:
• Jason Malmstrom, assistant inspector general in the Audit Division at the Justice Department
• Jim Dalkin, director of financial management assurance at the Government Accountability Office
• Ilanko Subramaniam, GRC practice leader at Optiv Security Inc.
• David Walter, vice president of Archer, the GRC arm of RSA
The group outlined why you’ll be hearing more about governance, risk and compliance and the need for an enterprise-wide approach to it. They explained why understanding uncertainty, including all the stakeholders, and knowing the relevant statutes and policies form the foundation for an effective GRC program. They also discussed some of the best commercial GRC practices and where the government has an opportunity for improvement.
Tom Temin, Federal News Radio
Tom Temin has been the host of the Federal Drive since 2006. Tom has been reporting on and providing insight to technology markets for more than 30 years. Prior to joining Federal News Radio, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.
Jason Malmstrom, Assistant Inspector General, Audit Division, DOJ Office of Inspector General
Jason R. Malmstrom is the Assistant Inspector General for the Audit Division at the U.S. Department of Justice Office of Inspector General (OIG). Mr. Malmstrom joined the OIG in June 2002 as a Program Analyst in the Chicago Regional Audit Office, contributing to and leading performance audits concerning the Department’s international law enforcement efforts and its evolution and expansion in areas of national security. Following his field experience, Mr. Malmstrom was promoted in 2008 to Program Manager in the Office of Operations and in 2010 to Senior Policy Advisor in the Immediate Office of the Assistant Inspector General for Audit, where he was responsible for overseeing the OIG’s audit strategy and efforts concerning FBI and national security-related matters. In 2014, Mr. Malmstrom was selected as the Deputy Assistant Inspector General for Audit, and in February 2015 Inspector General Horowitz appointed Mr. Malmstrom the Assistant Inspector General for Audit. For his contributions and leadership, Mr. Malmstrom has received numerous awards from the OIG and the larger IG community. He holds a Bachelor of Arts in Political Science from Aurora University and a Master of Public Administration from Northern Illinois University.
Jim Dalkin, Director of Financial Management Assurance, Government Accountability Office
James R. Dalkin is a Director in the Financial Management and Assurance Team with the U.S. Government Accountability Office (GAO). He serves as a member of the AICPA’s Auditing Standards Board (ASB) and the International Auditing and Assurance Standards Board (IAASB) Consultative Advisory Group (CAG). He is an observer on the COSO Advisory Board. Mr. Dalkin has responsibility for directing GAO’s work to develop and maintain government auditing standards (the Yellow Book); internal control standards for the federal government (the Green Book); and GAO’s work with the accounting and auditing profession. He is also responsible for the audits of the Securities and Exchange Commission and the Federal Deposit Insurance Corporation (FDIC) statements. Prior to joining the GAO, Mr. Dalkin served at a global firm and audited a wide range of organizations, from commercial health care entities to governmental agencies. Mr. Dalkin is a frequent speaker at national auditing conferences for the AICPA and other professional organizations. He has also authored articles for publications including the Journal of Accountancy. He has contributed to the profession through his involvement with the AICPA Task Force on Performance Audits and chairs the International Disclosures Task Force. Mr. Dalkin serves as adjunct accounting faculty at Georgetown University. Mr. Dalkin has a Master’s Degree in Business Administration from the George Washington University and a Bachelor of Science in Accounting from the University of Virginia.
Ilanko Subramaniam, GRC Practice Leader, CISSP, CISM, Optiv
Ilanko is a Principal and leads the GRC Practice for Optiv Security, focused on delivering risk and compliance services and platform implementation to support Fortune 500 organizations.
Previously, Ilanko was the Senior Strategist at Microsoft, where he managed the Enterprise Risk Management program. Ilanko also has worked with KPMG and led several critical projects across the public and private sectors. He has earned multiple degrees and certifications and is an adjunct instructor at the University of Washington.
David Walter, Vice President, RSA Archer
David Walter is Vice President, RSA Archer, responsible for the RSA Archer product and business globally. During David’s eleven years with Archer, he has served in many capacities, such as Global Go To Market Lead, General Manager of GRC in EMEA, Director of Product Marketing and Strategy, and Director of Product Management. As a public accountant (CPA) and former CFO and internal auditor, he has been responsible for developing many of the solutions in the RSA Archer GRC suite. He was also a customer of the RSA Archer GRC suite, having purchased it at the Washington Post Companies to manage Sarbanes-Oxley compliance. David has a true passion for enabling companies to manage business risk and inspiring everyone within an organization to own risk.
Every day, and for over 30 years, RSA's singular mission has been to help our more than 30,000 customers around the world protect their most valuable digital assets. RSA is driven by its uncompromising belief that organizations should not have to accept getting breached or hacked as an unavoidable consequence of operating in a digital world. In fact, RSA believes that organizations must become aggressive defenders of their right to operate securely and that no other company is in a better position to help them.
RSA's Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis, and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent IP theft, fraud, cyber-espionage, and cybercrime.
RSA Federal Solutions is the premier provider of intelligence-driven security solutions to the Federal government, serving every cabinet level agency, each military service, and the intelligence community. For more information, please visit federal.rsa.com.
Optiv is a market-leading provider of end-to-end cyber security solutions. We help clients plan, build and run successful cyber security programs that achieve business objectives through our depth and breadth of cyber security offerings, extensive capabilities and proven expertise in cyber security strategy, managed security services, incident response, risk and compliance, security consulting, training and support, integration and architecture services, and security technology. Optiv maintains premium partnerships with more than 350 of the leading security technology manufacturers.