Tom Brandt on Growing Your Career and Organization with ERM

Update: 2025-07-29

Description

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.


In this episode, Justin interviews Thomas Brandt, Chief Risk Officer of the Federal Retirement Thrift Investment Board (FRTIB) and one of the 2024 RIMS ERM Award of Distinction winners. Thomas shares some of his experiences at the IRS, where he won the 2021 RIMS ERM Award of Distinction, and how he moved from the IRS to join the FRTIB.

Tom covers how he successfully integrated strategy and ERM at the FRTIB. He tells how the FRTIB moved from a high-level to a medium-level cyber risk posture, with improved Federal Information Security Modernization Act (FISMA) scores. Tom shares how the FRTIB works with a managed services model in a way that's scalable and sustainable. Tom relates his views on risk culture and the portfolio view that a mature ERM program supports.


Listen to learn how to nominate your organization's ERM Program for the RIMS ERM Award of Distinction.


Key Takeaways:

[:01] About RIMS and RIMScast.

[:14] RIMScast is a proud nominee of the 20th Annual People's Choice Podcast Awards. We are nominated in the category of Government and Organizations, and we would appreciate your support.

[:26] Help us win that award by visiting PodcastAwards.com and the link in this episode's notes. 

[:36] About this episode of RIMScast. We will be joined by Thomas Brandt, Chief Risk Officer of the Federal Retirement Thrift Investment Board and one of the 2024 RIMS ERM Award of Distinction winners.

[1:05] RIMS-CRMP Workshops! The next Virtual RIMS-CRMP exam prep, co-hosted by Parima, will be held on September 2nd and 3rd.

[1:17] The next RIMS-CRMP-FED virtual workshop will be held on November 11th and 12th and will be led by Joseph Mayo. Links to these courses can be found on the Certification Page of RIMS.org and through this episode's show notes.

[1:34] RIMS Virtual Workshops! On August 5th, we have a day-long course about "Emerging Risks."

[1:42] RIMS has launched a new course, "Intro to ERM for Senior Leaders." This is a two-day course. The first two-day course will be held on August 12th and 13th and will be led by former RIMS President Chris Mandel.

[1:56] The course will be held again on November 4th and 5th and will be led by Elise Farnham. RIMS members enjoy deep discounts!

[2:05] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's notes.

[2:17] Mark your calendars for November 17th and 18th for the RIMS ERM Conference 2025 in Seattle, Washington. The agenda is jam-packed with educational sessions that will resonate with risk practitioners at all stages of their careers.

[2:38] See the full agenda at RIMS.org/ERM2025. Nominations are open for the RIMS Global ERM Award of Distinction 2025. The nomination deadline is Saturday, August 16th. The award is presented annually at the RIMS ERM Conference. There is a link in this episode's show notes.

[3:05] If your organization's ERM program, or one you know of, deserves this recognition, we want to hear about it. Remember to send in that nomination form by August 16th.

[3:16] RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through May 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when registering by September 30th.

[3:31] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by September 30th, and you will also be entered to win a $500 raffle. Don't miss out on this chance to plan ahead and score some extra perks.

[3:44] The members-only registration link is in this episode's show notes. If you are not yet a member, this is the time to join us. Visit RIMS.org/membership and build your risk network with us here at RIMS.

[3:58] On with the show! Our guest today is one of the winners of the 2024 RIMS ERM Award of Distinction. He is also the Chief Risk Officer for the Federal Retirement Thrift Investment Board (FRTIB).

[4:15] Tom Brandt is here to discuss ERM and how it has been a guiding light throughout his risk career, which includes several years at the IRS. He recently participated in the RIMS ERM Q&A Series, and we're going to extend the dialogue beyond those digital pages, so let's get to it.

[4:35] Interview! Tom Brandt, welcome to RIMScast!

[4:42] At long last, Tom Brandt is here on RIMScast! Tom is a member of the Strategic and Enterprise Risk Management Council and one of the recipients of the 2024 ERM Award of Distinction. There's so much to discuss when it comes to ERM! Tom loves ERM.

[5:18] Tom was also a 2021 ERM Award of Distinction recipient for his work at the IRS, where he worked for about 27 years, serving as its Chief Risk Officer for the last eight. There, he got into the whole ERM space.

[5:38] Then, in late 2021, an opportunity opened at the Federal Retirement Thrift Investment Board (FRTIB), and Tom took on the role of Chief Risk Officer. He enjoys the opportunity to work in a small organization with a different focus.

[5:55] The FRTIB is sort of the 401(k) for federal employees and the uniformed services. They have a singular mission around that plan.

[6:13] Tom was brought into the FRTIB to integrate strategy and ERM. He stresses the importance of linking risk and strategy. When Tom started, the offices of Enterprise Planning and Enterprise Risk had just been brought together.

[6:51] They were looking for their first Director of Planning and Risk/CRO. Tom applied and was selected for the role. Even though it's a small agency of 250, those functions had been siloed.

[7:07] Tom's first area of focus was getting the staff to know each other and learn more about what each process entailed, and then working with the team to look at how to bring these processes together.

[7:23] Tom says that when we identify risks and need to mitigate them, the next question is where the resources come from. When risk management is not integrated into your planning and budgeting process, that becomes very challenging.

[7:36] As we go through our annual planning process, we work with our business offices, and if they are risk owners, we talk about what risks they are managing or mitigating and whether there are related initiatives or resources needed.

[7:51] That information gets captured in the annual plan and becomes an input to the budget process. We're not only raising the risks and talking about them, but also identifying initiatives and getting the funding, support, and resources to manage and mitigate those risks.

[8:16] Tom's risk group has seven or eight people. They also do internal controls, policies, and procedures. They are the agency's anti-fraud group. They do brand monitoring and run the third-party risk monitoring program. They do work beyond the enterprise risk component.

[8:51] The FRTIB moved from a high-level to a medium-level cyber risk posture, as reflected in improved Federal Information Security Modernization Act (FISMA) scores. The FISMA audit is an annual cybersecurity assessment of federal organizations.

[9:27] Years ago, the FRTIB was scoring 1s and 2s on most domains in this audit, out of a possible score of 5. That coincided with cybersecurity being one of the FRTIB's high risks. They needed to put better governance and protections in place.

[9:53] Because cybersecurity had been one of the FRTIB's high risks, and the FRTIB requires any enterprise risk rated medium-high or higher to have a risk treatment plan, they work with their CISO and the cyber team to develop risk treatment plans each year.

[10:08] The risk treatment plans identify resource needs and specific areas of focus. They use the FISMA domains, questions, and assessment criteria to keep in mind where they need to shore things up.

[10:20] Justin clarifies that FISMA, the Federal Information Security Modernization Act, is a U.S. federal law that requires federal agencies to develop, document, and implement information security programs to protect government information.

[10:36] Tom remarks that, as a result of great work by the CISO and the cyber team, the FRTIB scored a 5 in each domain on its 2024 FISMA audit. That moved the cybersecurity risk score down. It remains at a medium level because the threat landscape continues to evolve.

[10:56] Threat actors are always out there, trying to stay one step ahead of you, so you have to stay on your game to get ahead of them.

[11:15] The cyber threat is so significant that collectively, we all need
