GCN : March 2014
IS THE CLOUD THE NEXT STOP FOR ENTERPRISE RISK MANAGEMENT?
INTERNAUT
BY SHAWN McCARTHY

COULD ENTERPRISE RISK management become a common cloud-based service at most government agencies? It's an idea being explored by other industries, especially within the financial management and manufacturing sectors. There's a good chance that the idea could take root in the public sector too.

Once an organization assesses its potential safety and economic risks, specific rules can then be set to help mitigate those risks. Historically, organizations have not always taken an enterprisewide approach to risk management. More often solutions were done piecemeal, such as requiring locks on certain doors or passwords on specific machines.

As risk management became more formalized, it slowly became an evaluation process to be followed, a set of formal decisions to be made and a way to track and enforce specific rules. A risk-management system often is used not only to track risk but to document decisions made on how the risk should be addressed. This system can include coordinating resources to minimize risk, monitoring risk-related activity and managing the short- or long-term impact of known risks.

Such systems fall under the general heading of governance, risk and compliance (GRC), and many government agencies already have systems in place to help them manage their approach to risk. The key word here, though, is "systems" plural. Agencies can find it difficult to integrate a truly enterprisewide view of how risk is managed. Too often GRC systems have been built ad hoc at the sub-agency level to deal with local issues.

Further, government has unique needs. Risk management is not the same for government as it is for an insurance company that is working to manage risk and assure profits across thousands of insurance policies and investments. Government also tends to focus heavily on risk associated with project management.
Getting program or project governance properly aligned helps ensure success for the program itself, and it reduces long-term risk from other internal and external factors.

There are popular GRC solutions available from enterprise software vendors such as Oracle and SAP. Some organizations have created their own customized risk-management solutions, and others have risk-management solutions that are targeted at a specific issue, such as compliance with the Federal Information Security Management Act or the Homeland Security Presidential Directive (HSPD) 12.

So there's a critical mass of interest in these types of solutions. That's because agencies are under pressure to take an enterprisewide approach to GRC. They need to upgrade systems in order to make that happen, and there are always new rules hitting them that affect what their risk-management systems must track.

In fact, big data and analytics draw the most attention for risk and innovation, and both are key expansion areas for government agencies. Meanwhile, we have an increasingly mobile workforce and onset of new cyber threats. Thus, security and risk has become a key government business function that relies on technology as a cornerstone to its success.

Cloud-based GRC solutions are a logical step for agencies that need to address new rules, consolidate systems and serve their mobile workforce. Most enterprise software vendors offer cloud-hosted versions of their risk management solutions, and it's worth talking to them to see if this is a logical place for an agency to migrate.

Government can offer help too. Last year the National Institute of Standards and Technology published a draft cloud computing security document that introduced a "cloud-adapted Risk-Management Framework for applications and/or services migrated to the cloud." In 2010 NIST also established a guide for applying a risk management framework to federal IT systems.
GSA also offers a set of solutions under a blanket purchase agreement related to risk management associated services (though it's not clear how much of this is available via cloud).

What all of this means is that there is a growing focus on risk-management solutions in general, and GRC solutions in particular. It can be difficult for agencies to tackle all that is required for compliance, while still meeting the needs of their mobile workforce. Cloud solutions seem to offer the best potential right now, but they may not offer total compatibility with all government systems and individual agency requirements. But the trend is clear, and taking risk management to the cloud should definitely be part of the discussion at most agencies.

Shawn McCarthy is research director for IDC Government Insights.