In November 2023, the National Institute of Standards and Technology (NIST) issued NIST Special Publication NIST SP 800-221 (SP). The publication is entitled “Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio. (1) This SP provides a guide for integrating ICT Risk Management with the larger Enterprise Risk Management (ERM) framework.

While this is a guide, under directions from several Presidential Executive Orders, (May 2017 Strengthening the Cyber security of Federal Networks and Critical Infrastructure, October 2023, Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,) NIST’s guides are mandates for U.S. federal agencies. Consequently, they need to be understood and taken seriously by any organization which has contracts with or receives money from the U.S. federal government. This is because federal agencies will eventually incorporate the guides into their rules, contracts, and grant requirements.

This piece looks at the rationale behind the SP and the ways NIST integrates ICT Risk with ERM.

ERM Framework

NIST’s ERM push is not new. In NIST’s August 8, 2023, initial public draft of Cybersecurity Framework 2.0, it stressed that the Framework should:

“Identify, organize, and prioritize action for reducing cybersecurity risks that align with the organization’s mission, legal and regulatory requirements, and risk management and governance expectations.” (2)

This push to integrate ICT risk management with ERM is the recognition that ERM is designed to operate at the enterprise level, where ICT provides the information and technology upon which the enterprise depends. Thus, while ICT risk management is critical to the performance of the organization, ERM sets the parameters and general directions for risk management and the degree of risk that is acceptable in any given area of operation and activity.

“ERM provides the umbrella under which risks are aggregated and prioritized so that all risk can be evaluated and “stovepipe” risk reporting can be avoided. ERM also provides an opportunity to identify operational risk – a subset of enterprise risks that is so significant that potential losses could jeopardize one or more aspects of operations.” (3)

On page 10 of the special report, NIST compares the dominant ERM guides and the GAO Green Book (auditor’s guide). The guides are: ERM Playbook – the U.S. federal government ERM guide, COSO ERM, ISO 31000:2018, OMB A-123 and GAO Green Book.  The Playbook is the result of the OMB A-123 revision which mandated U.S. federal agencies adopt ERM. COSO ERM is the guide used predominantly by the private sector. ISO 31000:2018 is used by governments in the British Commonwealth. Because NIST is a U.S. federal agency and is guided by OMB A-123, the special report’s approach to ERM is guided by the Playbook.

Integrating ICT

ICT in the SP covers the following activities: privacy, supply chain, cybersecurity, and Artificial Intelligence. This list includes items beyond the activities covered under the traditional information technology classification. This is because of the increasing integration of government activities related to and reliant upon operational technologies and the Internet of Things. In short, inert items like toasters, thermostats, street lighting, traffic signals are becoming smart with the inclusion of computer chips and linked via the internet. This linkage allows governments and households to become more cost efficient. However, the linkage of so many items also allow cyber criminals multiple avenues to attack the linked system.

Because ICT is increasingly being integrated into the entire enterprise’s operational activities, it is important that ICT risks be integrated into ERM. Further, it is important that ICT risk management (ICTRM) be consistent in approach and guided by ERM.

The enterprise governance body directs the strategy and methods that ICTRM and other risk managers in such areas or risk categories as Finance, Human Resources, Reputation, and Mission must use. Given this guidance, each category or activity risk managers develops a risk register which contains a list of identified risks and provides a document of those risks. ICTRM risks are derived from system level assessments within and between departments and agencies. Once the risk registers are developed, and the risks scored for impact and likelihood, they are used to create an enterprise-level risk register. This risk register identifies the risks considered to be sufficiently impactful to the organization, that the Governing Body, CEO, and the Risk Management Committee need to continually monitor these risks. This risk register is often called the Enterprise Risk Profile (ERP)

OMB A-123 requires that the ERP include four kinds of objectives. These are strategic, operational, reporting and compliance. While it is recognized that there will be overlap between these objectives, understanding the risks and how they interact is key to effectively and efficiently managing the organization.

ICT risks are thus developed at the lower levels of the organization and integrated into the ERM and ultimately the ERP.

ICT Risk Register Development

The SP lists the six steps that should be used in the development of an ICT Risk Register. The register is a list of the risks, a scoring of their potential impact, the mitigative efforts to be used to minimize any adverse impact, who is responsible for managing and monitoring the risks and how often the information is to be communicated to upper-level management. As noted in the earlier section, the risk register for the corporation incorporates information from each ICT element – supply chain, cyber security, privacy, and AI, into the ERP.

Because the steps listed are consistent with those used in ISO 31000:2018, (My book Enterprise Risk Management in Government: Implementing ISO 31000:2018 provides a step-by-step guide to this process with examples from governments around the world.) and discussion of each step is provided in the SP, the steps will be listed with limited explanation.

1. Identify the context.
2. Identify the risks.
3. Analyze (qualify) the risks.
4. Prioritize the risks.
5. Plan and execute risk response strategies.
6. Monitor, evaluate, and adjust risk management.

It must be remembered that each risk category manager will be using the same six step process, regardless of whether the category or area is Human Resources, Finance, Reputation or Supply Chain. The context is the specific risk area, Supply Chain for instance, or Finance.  Within these areas all the risks will be listed. (Step 2) The listed risks will then be examined as to how impactful they might be. (Step 3) They are then prioritized from most impactful to least. The priority will depend on the analysis and the level of risk tolerance established by upper-level management and the governing body. (Step 4) Based on the risks and their priority, mitigative action is determined. In some cases, management may decide that they have a high tolerance for the adverse impact of a risk. In which case, no or minimal mitigative action needs to be taken. In other cases, there may be a low tolerance for the risk and mitigative action is required. (Step 5) Finally, a process is set in place to monitor, report on, and adjust the mitigative actions as necessary. (Step 6)

Summary

The NIST Special Publication 800-221 Enterprise Impact of Information and Communication Technology Risk shows how to integrate ICT Risk Management into an organization’s ERM process. While the SP is focused on the federal government and is essentially a mandate for them, its reach is larger. As the federal agencies further integrate ICT with their ERM process, the ICT Risk Management and ERM integration will become incorporated into their rules, contracts, and grant requirements. Thus, it is important that both private and public sector administrators understand the integration process and the ERM model being used by federal agencies.

Endnotes

1. NIST, 2023, Enterprise Impact of Information and Communications Technology Risks, November, http://doi.org/10.6028/NIST.SP.800-221.
2. NIST, 2022, The NIST Cybersecurity Framework 2.0, Initial Public Draft, August 8, page
3. NIST, 2023, Enterprise Impact of Information and Communications Technology Risks, page 2.

James J. Kline has worked for federal, state, and local government. He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon.  He is the editor of “Quality Disrupted’ which is available on Amazon.