Courage: A Necessary Ingredient for Any Effective Enterprise Risk Management Strategy

The word courage is rarely (if ever) used in a Risk Management Framework (RMF) discussion or its associated literature. Frankly, I have seen too many incidents where the failure to raise the full risk of a situation (e.g., cyber resilience, operations, staffing) has allowed the preventable to happen.   

Identifying the staffing, knowledge management and resiliency gaps in an organization is critical for any enterprise risk management strategy. Courage and deep understanding are needed to find and address those gaps. Yet, mustering that courage can be easier said than done, especially when exposing resiliency gaps can bruise some egos and have short-term consequences, like retaliation. 

The goal of this discussion is to show the importance of courage to a risk management strategy. In this context, I will use a limited definition of courage: professional intestinal fortitude. It is not the courage of combat or by first responders. Rather it is the will to: 

• Allow for dissent and documentation of it (professional disagreement)
• Dig to uncover single points of failure, and perhaps make people uncomfortable 
• Speak truth to power in a respectful manner when the situation arises 
• Seek to understand someone’s position even though you may never agree 

Incorporating the Latest in NIST 

When it comes to any risk management strategy, it’s essential to highlight the NIST Risk Management Framework for Information Systems and Organizations (Publication 800-37 Revision 2). This framework and its recent update should be considered for any enterprise strategy.  

The addition of the “Prepare” step to the NIST RMF R2 is one of the key changes. The Prepare step’s goal is to achieve more effective, efficient, and cost-effective security and privacy risk management processes. The RMF Prepare step lists (Table E-1) a list of responsibilities and supporting roles. They include: the Agency Head, CIO, Senior Official for Privacy, Senior Accountable Executive for Risk Management, Mission/Business Owner, and Senior Agency Information Security Officer.   

These roles will obviously have interlocked and sometimes conflicting agendas. I know from personal experience that ample courage (a.k.a., Professional Intestinal Fortitude) will be needed to identify and resolve the various friction areas between these roles. 

Courage in Action 

As I previously stated, courage is easier said than done. During my time as CIO at the Virginia Information Technologies Agency (VITA), I accomplished an important staff restructuring.  

It was expected that I fill headcount and seats right away, but my instincts told me it would be better to wait. Looking back, I took a lot of pointed questions on why I was delaying filling open billets and using support contractors instead. Then and now, I felt it crucial (in building a successful workforce culture) that I solidify my new direct reports first and then, in turn, let them hire and fill out their own staffs.  

Our team was able to develop a more effective plan for the restructuring at net zero cost to the Commonwealth because I pursued courage in the form of honesty and intestinal fortitude. This approach had the intended additional benefit of setting up a culture of high performance and management ownership.  

Based on personal experience, here are some examples where the business-outcome risk was not realized by senior executives even though an Enterprise RMF was in place.   

• One agency repeatedly missed the opportunity to change its technical approach to cloud-based and subsequently optimize its staffing organization. As a result, its antiquated technology was limited in capacity, and associated business processes were unable to meet surging citizen demand during the pandemic. This resulted in tens of millions of dollars lost in fraud. 

• Another agency repeatedly insisted it could stand alone against cyber threats instead of consolidating under an industry standard enterprise cybersecurity risk framework. As one would expect, the agency was severely hacked to the point of being take totally offline for several weeks.  

Creating a Culture of Intestinal Fortitude 

Here are some critical steps leaders can take to create a culture of honesty, open feedback, and courage: 

• Enforce the definition and goals of the Enterprise Risk posture (who owns the risk). 
• Conduct detailed tabletops with formal deliverables to senior executives.
• Have a laser focus on roles and actions assigned to each role. 
• Ensure executives acknowledge the results. 
• Acknowledge weaknesses and shortcomings, and encourage the identification of single points of failure without recriminations or repudiation.  
• Establish the communication policy of “seek to understand each other’s position, even though agreement may never be achieved.” 
• Have a clear signal when the debate is over. I used the phrase “This is the play I am calling” if there was not a full consensus for action. 
• Have the motto, “Never be afraid to do the right thing.” As public servants, we know this is at the core of what we do. 

In closing, I wish I had a pristine record of having courage as part of the risk framework strategy. I did not.  

Let me first say, I accept full accountability for any shortcoming or failure while I was in any leadership role. That’s the job. Upon reflection, I realize now much more could have happened at the enterprise level and perhaps it would have prevented many of the larger incidents on my watch.  

The torch has been passed and the challenge is for the next set of leaders to learn from previous mistakes. My final word of advice is to seize the opportunity to be better. The public sector has a unique role in driving innovation. It takes courage to take the digital transformation journey, especially when there is much to consider for cybersecurity.  

There is clear, growing emphasis on ensuring business outcomes and an accelerating drive for cyber resiliency. The environment to addressing critical risk questions is upon us and, with courage, we can achieve the highest level of effective Enterprise Risk Management. 

Want to learn more about promoting a culture of courage? Check out this brief, “Three Strategies and ‘The Secret Sauce’: How to empower cross-functional teams in government.”  

Nelson Moe is the Strategy Principal for SLED at Iron Bow Technologies. He formerly served as the CIO of the Commonwealth of Virginia and Agency Head for the Virginia Information Technologies agency. There, Nelson managed the IT enterprise infrastructure for the entire Virginia executive branch of 63 agencies and over 60,000 state employees. He led an IT staff of 200 FTEs and manages multiple IT infrastructure contracts totaling over $360M per year spend. Under his leadership, the team successfully migrated the IT services amounting to $360M/annual IT spend to a multi-supplier contract model. Nelson was responsible for the state IT vision, strategy, day-to-day operations, Cyber posture, Business Continuity/ Disaster Recovery (BC/DR), Cloud Brokerage Service and investment controls for the state’s executive branch information technology efforts. He was also in charge of approving all Virginia executive branch IT Procurements in excess of $1M (about $425M per year) as well as RFP, contract and project approvals.