Want To Manage Risks? Let The Experts Educate
In government, there are few things more devastating than when an avoidable risk becomes an unavoidable reality. Whether it’s the loss of personally identifiable information linked to 22 million federal employees, the unintentional mishandling of data by well-intentioned officers, or the failure to properly vet contractor-provisioned firewalls for vulnerabilities, the last several years have witnessed exponential growth in the number of damaging attacks on government data infrastructures.
In light of these findings, and in order to understand the gravity of challenges agencies face when improving their risk management, Government Business Council (GBC) conducted a flash poll in June 2016 on the following question:
GBC received responses from 105 project or program managers operating in the federal government. According to the data, budget constraints (16%) and training/education of employees (16%) lead the list of challenges agencies face when trying to improve their risk management processes. Cultural resistance (14%) and outdated risk management strategies (12%) are not far behind in the rankings.
Interestingly, while 16% consider risk management training of employees to be the greatest challenge, only 4% rank technical expertise as their agency’s top challenge in risk management. This finding may indicate that while departments have the specialized personnel to handle information risks, they are more concerned about the challenge of relaying this level of risk awareness to employees elsewhere in the organization.
In light of these poll results, agencies can empower their employees and risk managers by providing further guidance on how to implement the training process. The National Institute of Standards and Technology (NIST) emphasizes the importance of educating employees in risk management, but leaves it up to each agency’s discretion to tailor and delegate the various training responsibilities appropriately. Just last year, the Office of Management and Budget (OMB) identified risk awareness and education of employees as vulnerable areas in the White House’s Comprehensive National Cybersecurity Initiative, and sought to remedy this by providing risk management e-courses through its USALearning website, accessible to all civilian employees at the federal, state, and local level.
While the task of overcoming budget constraints requires the consent of legislators, training and educating employees in risk management is a different matter. By taking stock of the technical expertise they already have, organizations will be in a better position to relay fundamental risk management techniques to their employees, ultimately facilitating a healthier, mutual understanding of the risks ahead.