In the aftermath of Edward Snowden's revelations, the National Security Agency has "reached a point where a single individual can cause catastrophic harm," said NSA's first chief risk officer, Anne Neuberger.
Named CRO last September, Neuberger described the philosophy behind NSA's nascent risk management framework during a conference in Washington on Monday. It's a system that measures the risks of each decision and each program, she explained.
The agency has been developing its own framework over the past several months, "building a common definition of what low, medium and high risk means" and ensuring that the value of a program's mission "always exceeds that risk."
The framework could include principles such as not putting an employee's life at risk "without X approval, without Y value determinant," she said. It could also help employees assess, and potentially mitigate, the risk of sharing sensitive information.
Being transparent with employees about that kind of framework shows employees "the way we as an enterprise value you, the value of your work, [and] how we approach that value."
The agency should then continually assess and reassess that framework, Neuberger said.
For instance, if the agency determines a program has a high risk and could be potentially damaging to national security if exposed, it might reduce the number of people who know about it, she said.
A risk management framework might also pay more attention to risk indicators that could tip the agency off to potential problems, Neuberger said. She noted, for instance, that an influx of letters to Congress about the Department of Veterans Affairs -- mostly from veterans complaining about extended wait times and lack of care -- indicated that some programs were at risk of failing.
Risk management frameworks are common in the private sector, she said, but risky decisions are generally measured against a financial bottom line. At NSA, "Our bottom line . . . is the security of the country," Neuberger said.