US House Inspector General: IT Audit Activist

At the 2014 GRC Conference, House IG Theresa Grafenstine argues internal auditors must be more forward looking -- and explains why being exempt from regulations just makes her job harder.

often the right thing to do is comply with them whether Congress is obligated to or not. A prime example would be all the rules and regulations covering cybersecurity for government organizations.

So another part of Grafenstine's role is to promote self-discipline. While outsiders might think the lack of regulation would make her job easier, actually it makes it harder, she said. "When I was at DOD, I could go to the General and say, 'The DOD regulation says you have to do this,' so we have to do it." Working within Congress "forces you to really understand the underlying risk a regulation is trying to address and sell it on that basis," she said. "By and large, if you make the case, they will do it."

On the other hand, regulatory compliance -- including compliance with rules requiring a risk management assessment -- is no guarantee of anything, she argued, warning of "the risk of the checklist" or "compliance myopia," where the assessment is done by the numbers but with no real energy invested in finding the less obvious risks that may not be on the checklist.

Grafenstine was one of several government speakers on a panel on "Making Risk Management a Core Element of Organizational Success" at the 2014 GRC Conference, although most of the issues they covered would apply to organizations outside of government as well. The others were Doug Webster, a former CFO of the US Department of Labor, former deputy director of the DOD Business Transformation Agency, and co-founder of the Association for Federal Enterprise Risk Management; and Nancy Anne Baugher, who led performance improvement and risk management initiatives at NASA and recently took a similar position with the Department of Energy.

One of their common themes was that risk management is not an end in and of itself but a tool that allows an agency to accomplish its mission. "The people in this room should not be thinking about themselves as risk managers or IT people. They are part of a larger enterprise," Webster said.

To illustrate the relationship between risk and mission, Baugher showed a clip from a NASA Jet Propulsion Laboratory video, 7 Minutes of Terror. The title refers to the time between the Mars Science Laboratory lander's fiery entry into the atmosphere and its arrival on the surface, during which it had to execute a tricky braking maneuver: lowering the Mars rover to the surface on a sky crane cable dangling beneath a hovering rocket. The landing would take 7 minutes, but the speed-of-light transmission delay was 14 minutes, so JPL would only learn afterward whether the maneuver had succeeded. As one engineer explained in the video, "When we first get word the vehicle touched the top of the atmosphere, actually the vehicle has been alive or dead on the surface for 7 minutes."

To make this audacious and unproven scheme work, Baugher said, the engineers "had to anticipate what's going to go wrong" and do all they could to mitigate the risks of wrecking a $2.5 billion mission with a crash on the planet's surface. Most auditors and risk managers do more down-to-earth work, but they still play a big role in allowing an agency to accomplish its mission by preserving the public trust and rooting out fraud, she said.

Effective auditors need to understand the mission, because overseeing anything from a space flight to data center operations often means collaborating with specialists who have the technical expertise the auditor lacks. Often, when something is really wrong with an organization -- something likely to lead to a scandal like the Veterans Health Administration patient wait-time delays -- plenty of people within the organization were already aware of the problem. But if an auditor can reach the people on the front lines of the organization early enough and make it clear that he or she is willing to listen and make an effort to understand their issues, "the floodgates open up," she said. "Get to understand the mission, and you will understand the other stuff."
