Overview
The primary goal of an Enterprise Risk Management (ERM) program is to help an organization incorporate risk awareness into the process of daily decision-making. The objectives of an ERM framework include the following:
- Strategic – Understanding how an agency’s risk environment impacts the ability to achieve its business objectives across all departments.
- Reporting – Identifying key risks by creating risk profiles and systems that allow for easy risk identification and sharing.
- Operations – Prioritizing resources in alignment with desired outcomes, which includes mitigating losses and advancing opportunities.
- Compliance – Building capabilities to detect, mitigate, and respond to risks that are presented at any point in time.
Risk Appetite Statement
The Office is responsible for examining and researching the risk practices of the Executive Office of Technology Services and Security (EOTSS) and producing a Risk Appetite Statement (RAS). A RAS is a concise document or statement that clearly lays out a strategic framework for addressing risk in an organization, including the amount and kinds of risks an organization is willing to take on to achieve its objectives.
Vendor Risk Management
The Vendor Risk Management Program conducts risk assessments on third-party vendors who want to do business with the Commonwealth to safeguard the security of the state’s systems. These assessments involve answering a series of questions about cybersecurity and operational business practices. The answers are used to produce a Risk Report and a Risk Score.
Risk Response
The Office recommends four responses to identified risks: accept, transfer, mitigate, and avoid.
- Accept: No action taken; the risk is acceptable
- Transfer: Action taken to decrease risk severity by either implementing controls or sharing risk
- Mitigate: Action taken to reduce the probability or impact of risk
- Avoid: Action taken to do something different because of the existing risk, so that the risk is eliminated