In a Congress slanted every which way, trying to work equally well with Democrats and Republicans takes a sense of humor, and Theresa Grafenstine laughs a lot.

Speaking at a West Palm Beach, Fla., gathering that included both financial and IT auditors and risk managers, Grafenstine described her job as US House Inspector General as "like internal audit, only with access to firearms." More seriously, in her presentation at the 2014 GRC Conference and in an interview with InformationWeek, Grafenstine advocated for auditors taking a more proactive role in preventing problems, rather than merely categorizing what went wrong after their organization's finances, information security, and reputation have already suffered damage.

"If you don't front-manage risks and they blow up, you pay for it in the long run," she said.

[For effective governance, read Cybersecurity: How Involved Should Boards Of Directors Be?]

It's not Grafenstine's job to participate in audits or investigations of other agencies, but to act as an internal auditor for the US House of Representatives itself, as an institution. The House is an enterprise of about 11,000 people, with 22 staff members for every member of Congress plus all the committee staffs, plus Capitol Police, maintenance and security personnel, and administrative staffers. Her own office has a staff of 24.

Grafenstine plays what is necessarily a strictly non-partisan role, capable of working with leaders on all sides and impartially focusing on concerns that should be equally important to all -- making sure Congress's budget and IT systems are well-managed. "If a hacker wants to hack into us and steal our information, I don't care if the hacker is a D or an R," Grafenstine said. Her role is such that all the Congressional leaders of both parties had to agree, unanimously, on her appointment. "I've had to get them to agree on everything I do for 17 years."

Theresa Grafenstine

She has been walking the non-partisan tightrope since 1998, when she joined the Inspector General's office as an IT auditor. She was appointed to the top job in 2010, only the fourth person to hold the IG job since the creation of the office. Before coming to work for the House, she was an IT auditor at the Department of Defense.

While stressing her non-partisan status, Grafenstine wasn't afraid to mention the launch of HealthCare.gov as one of several examples of where more proactive oversight would have saved a government agency a lot of grief and the public a lot of money. "You have to wonder, where were the auditors there?"

Actually, it's not so mysterious. In some circles, her advocacy of proactive auditing is a controversial proposition -- not because auditors don't want to prevent problems, but because they must stay strictly independent if they are to do their jobs properly. She argues auditors can still sound alarms earlier. "We never make management decisions, we just give them the data," she said.

The line auditors can't cross is taking on operational responsibility, Grafenstine said, because "then you're just a manager." She believes her office strikes the right balance by keeping one team focused on traditional retrospective auditing work, while another concentrates on more forward-looking risks. The more formal discipline of enterprise risk management is something she is working hard to establish as part of the operations of the House.

Grafenstine serves as an international VP of ISACA, the IT-focused audit organization that put on the 2014 GRC Conference in partnership with the Institute of Internal Auditors, which has also been noting the rising importance of IT and cyber security concerns.

Although cyber security and IT operations aren't the only concerns for the House or any other organization, they are hugely important, Grafenstine said. Congress is famously unpopular overall, and there are partisans on both sides -- including partisan hackers who hate their opponents with a white-hot passion. Just imagine the damage one of those people might do given the chance to access an opposing leader's email account or the records of a key Congressional committee. Nor is cyber security the only IT-related risk for the House. What if the electronic system that it uses to record votes were to be wiped out by an electromagnetic pulse, either manmade or natural? There has to be a backup.

Congress also needs to plan for more drastic worst-case scenarios. One of Grafenstine's major projects has been updating a comprehensive plan for "Continuity of Congress," or "if the Capitol building wasn't there anymore, what do you do?" If the building burns down, blows up, or gets caught in a Sharknado, Congress needs a plan to regroup at another location and reconstitute both digital and institutional systems that will allow it to go back to work and address the crisis. Lots of groups within Congress, from IT and the Clerk's office to the Capitol Police, had their own continuity plans, but she needed to ensure that they were all coordinated.

Regulatory compliance is less of an issue for Congress than most organizations -- almost a non-issue because Congress exempts itself from most regulations. "I know that's something that drives a lot of citizens crazy," Grafenstine acknowledges.

Here's the trick, though. As much as everyone complains about regulation, in general those rules were put in place for a reason. That means

Next Page

often the right thing to do is comply with them whether Congress is obligated to or not. A prime example would be all the rules and regulations covering cybersecurity for government organizations.

So another part of Grafenstine's role is to promote self-discipline. While outsiders might think the lack of regulation would make her job easier, actually it makes it harder, she said. "When I was at DOD, I could go to the General and say, 'The DOD regulation says you have to do this,' so we have to do it." Working within Congress "forces you to really understand the underlying risk a regulation is trying to address and sell it on that basis," she said. "By and large, if you make the case, they will do it."

On the other hand, regulatory compliance -- including compliance with rules requiring a risk management assessment -- is no guarantee of anything, she argued, warning of "the risk of the checklist" or "compliance myopia," where the assessment is done by the numbers but with no real energy invested in finding the less obvious risks that may not be on the checklist.

Grafenstine was one of several government speakers on a panel on "Making Risk Management a Core Element of Organizational Success" at the 2014 GRC Conference, although most of the issues they covered would apply to organizations outside of government as well. The others were Doug Webster, a former CFO of the US Department of Labor, former deputy director of the DOD Business Transformation Agency, and co-founder of the Association for Federal Enterprise Risk Management; and Nancy Anne Baugher, who led performance improvement and risk management initiatives at NASA and recently took a similar position with the Department of Energy.

One of their common themes was that risk management is not an end in and of itself but a tool that allows an agency to accomplish its mission. "The people in this room should not be thinking about themselves as risk managers or IT people. They are part of a larger enterprise," Webster said.

To illustrate the relationship between risk and mission, Baugher showed a clip from a NASA Jet Propulsion Labs video, 7 Minutes of Terror. The title refers to the time elapsed between when the Mars Science Laboratory lander began its fiery entry into the atmosphere, when it arrived on the surface, and when JPL would learn whether it had successfully executed a tricky braking maneuver: lowering the Mars rover to the surface via a sky crane cable dangling beneath a hovering rocket. The landing would take 7 minutes, but the speed-of-light transmission delay was 14 minutes. As one engineer explained in the video, "When we first get word vehicle touched the top of the atmosphere, actually the vehicle has been alive or dead on the surface for 7 minutes."

To make this audacious and unproven scheme work, Baugher said, the engineers "had to anticipate what's going to go wrong" and do all they could to mitigate the risks of wrecking a $2.5 billion mission with a crash on the planet's surface. Most auditors and risk managers do more down-to-earth work, but they still play a big role in allowing an agency to accomplish its mission by preserving the public trust and rooting out fraud, she said.

Effective auditors need to understand the mission, as overseeing anything from a space flight to data center operations often means collaborating with specialists who have the technical specialties the auditor lacks. Often, when something is really wrong with an organization -- something likely to lead to a scandal like the Veterans Health Administration patient wait-time delays -- plenty of people within the organization were aware of the problem. But if an auditor can get to the people in the front lines of the organization early enough and make it clear that he or she is willing to listen and make an effort to understand their issues, "the floodgates open up," she said. "Get to understand the mission, and you will understand the other stuff."

Find out how NASA's Jet Propulsion Laboratory addressed governance, risk, and compliance for its critical public cloud services. Get the new Cloud Governance At NASA issue of InformationWeek Government Tech Digest today. (Free registration required.)