
Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society. In this episode, Justin interviews Thomas Brandt, Chief Risk Officer of the Federal Retirement Thrift Investment Board (FRTIB) and one of the 2024 RIMS ERM Award of Distinction winners. Thomas shares some of his experiences at the IRS, where he won the 2021 RIMS ERM Award of Distinction, and how he moved from the IRS to join the FRTIB. Tom covers how he successfully integrated strategy and ERM at the FRTIB. He tells how the FRTIB moved from a high-level to a medium-level cyber risk posture, with improved Federal Information Security Modernization Act (FISMA) scores. Tom shares how the FRTIB works with a managed services model in a way that’s scalable and sustainable. Tom relates his views on risk culture and the portfolio view that a mature ERM program supports. Listen to learn how to nominate your organization’s ERM Program for the RIMS ERM Award of Distinction.

Key Takeaways:

[:01] About RIMS and RIMScast.
[:14] RIMScast is a proud nominee of the 20th Annual People’s Choice Podcast Awards. We are nominated in the category of Government and Organizations, and we would appreciate your support.
[:26] Help us win that award by visiting PodcastAwards.com and the link in this episode’s notes.
[:36] About this episode of RIMScast. We will be joined by Thomas Brandt, Chief Risk Officer of the Federal Retirement Thrift Investment Board and one of the 2024 RIMS ERM Award of Distinction winners.
[1:05] RIMS-CRMP Workshops! The next Virtual RIMS-CRMP exam prep, co-hosted by Parima, will be held on September 2nd and 3rd.
[1:17] The next RIMS-CRMP-FED virtual workshop will be held on November 11th and 12th, and led by Joseph Mayo. Links to these courses can be found on the Certification Page of RIMS.org and through this episode’s show notes.
[1:34] RIMS Virtual Workshops! On August 5th, we have a day-long course about “Emerging Risks.”
[1:42] RIMS has launched a new course, “Intro to ERM for Senior Leaders.” This is a two-day course. The first two-day course will be held on August 12th and 13th and will be led by former RIMS President, Chris Mandel.
[1:56] The course will be held again on November 4th and 5th and will be led by Elise Farnham. RIMS members enjoy deep discounts!
[2:05] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode’s notes.
[2:17] Mark your calendars for November 17th and 18th for the RIMS ERM Conference 2025 in Seattle, Washington. The agenda is jam-packed with educational sessions that will resonate with risk practitioners at all stages of their careers.
[2:38] See the full agenda at RIMS.org/ERM2025. Nominations are open for the RIMS Global ERM Award of Distinction 2025. The nomination deadline is Saturday, August 16th. The award is presented annually at the RIMS ERM Conference. There is a link in this episode’s show notes.
[3:05] If your organization’s ERM program or one you know of deserves this recognition, we want to hear about it. Remember to send in that nomination form by August 16th.
[3:16] RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through May 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when registering by September 30th.
[3:31] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by September 30th, and you will also be entered to win a $500 raffle. Don’t miss out on this chance to plan and score some extra perks.
[3:44] The members-only registration link is in this episode’s show notes. If you are not yet a member, this is the time to join us. Visit RIMS.org/membership and build your risk network with us here at RIMS.
[3:58] On with the show! Our guest today is one of the winners of the 2024 RIMS ERM Award of Distinction. He is also the Chief Risk Officer for the Federal Retirement Thrift Investment Board (FRTIB).
[4:15] Tom Brandt is here to discuss ERM and how it has been a guiding light throughout his risk career, which includes several years at the IRS. He recently participated in the RIMS ERM Q&A Series, and we’re going to extend the dialogue beyond those digital pages, so let’s get to it.
[4:35] Interview! Tom Brandt, welcome to RIMScast!
[4:42] At long last, Tom Brandt is here on RIMScast! Tom is one of the members of the Strategic and Enterprise Risk Management Council and one of the recipients of the 2024 ERM Award of Distinction. There’s so much to discuss when it comes to ERM! Tom loves ERM.
[5:18] Tom was also a 2021 ERM Award of Distinction recipient for his work at the IRS, where he worked for about 27 years, for the last eight of which he was their Chief Risk Officer. There, he got into the whole ERM space.
[5:38] Then, in late 2021, an opportunity opened at the Federal Retirement Thrift Investment Board (FRTIB), and Tom took on the role of Chief Risk Officer. He enjoys the opportunity to work in a small organization with a different focus.
[5:55] The FRTIB is sort of the 401(k) for federal employees and uniformed services. They have a singular mission around that plan.
[6:13] Tom was brought into the FRTIB to integrate strategy and ERM. He stresses the importance of linking risk and strategy. When Tom started, the offices of Enterprise Planning and Enterprise Risk had just been brought together.
[6:51] They were looking for the first Director of Planning and Risk/CRO. Tom applied and was selected for the role. Even though it’s a small agency of 250, those functions had been siloed.
[7:07] Tom’s first area of focus was getting the staff to know each other and learn more about what each process entailed, and then working with the team to look at how to bring these processes together.
[7:23] Tom says, when we’re identifying risks and needing to mitigate risks, the next question is, where do we get the resources? When the process is not integrated into your planning and budgeting process, that becomes very challenging.
[7:36] As we go through our annual planning process, we work with our business offices, and if they’re risk owners, we talk about what risks they are managing or mitigating, and if there are related initiatives or resources needed.
[7:51] That information gets captured in the annual plan and becomes an input to the budget process. We’re not only raising the risks and talking about them, but also identifying initiatives and getting funding, support, and resources to manage and mitigate those risks.
[8:16] Tom’s risk group has seven or eight people. They also do internal controls, policies, and procedures. They are the agency’s anti-fraud group. They do brand monitoring and run the third-party risk monitoring program. They do work beyond the enterprise risk component.
[8:51] The FRTIB moved from a high-level to a medium-level cyber risk posture, which improved Federal Information Security Modernization Act (FISMA) scores. FISMA is an annual cybersecurity audit of federal organizations.
[9:27] Years ago, the FRTIB was scoring in the 1s and 2s on most domains in this audit, out of a possible score of 5. That coincided with cybersecurity being one of the FRTIB’s high risks. They needed to put in place better governance and protections.
[9:53] Because cybersecurity had been one of the FRTIB’s high risks, they require any of their enterprise risks that are medium high or higher to have a risk treatment plan. They work with their CISO and the cyber team to develop risk treatment plans each year.
[10:08] The risk treatment plans identify resource needs and specific areas of focus. They use the FISMA domains, questions, and assessment criteria to keep in mind where they need to shore things up.
[10:20] Justin clarifies that FISMA, the Federal Information Security Modernization Act, is a U.S. Federal law that requires federal agencies to develop, document, and implement information security programs to protect government information.
[10:36] Tom remarks that as a result of great work done by the CISO and the cyber team, the FRTIB scored a 5 in each domain on their 2024 FISMA audit. That moved the cybersecurity risk score down. It’s still at a medium level because the threat landscape continues to evolve.
[10:56] Threat actors are always out there, trying to stay one step ahead of you, so you have to stay on your game to get ahead of them.
[11:15] The cyber threat is so significant that collectively, we all need to be working as hard as we can to maintain our defenses. Tom says the CISO community is working together to integrate the latest technology and developments and understand where the threat is.
[11:49] The CISO community is staying on top of what’s happening in the AI space to be able to share good practices across agencies and ensure that our posture government-wide is as strong as possible in detecting and preventing the cyber threat.
[12:06] One of the strategic goals for FRTIB is the managed services model. Tom speaks about assessing and monitoring third-party and vendor risks in a way that’s scalable and sustainable.
[12:18] When Tom moved into his position, in December 2021, the agency was about six months away from implementing that managed services model for their record-keeping service. Record keeping is a huge part of the FRTIB’s work. They have almost 7.5 million participants.
[12:36] Managing participant transactions and keeping their information is a core responsibility for the agency. They were moving to a managed service model.
[12:48] When you shift to that type of model, you don’t give up accountability and responsibility for the program. You work with a provider. The Agency needed to look at what its mechanism for oversight was, to manage and understand third-party risk.
[13:06] The Agency had some capabilities in place for vendor monitoring and supply chain risk management. Tom’s area of focus was to build up the third-party risk management program.
[13:18] Tom did a maturity assessment to compare what they were doing to good practices and look for opportunities to enhance their capabilities. He brought in some services from external providers to help with access to data about the performance of third-party services.
[13:42] Quarterly, Tom reports to the FRTIB board on their top vendors, their overall operations, whether there are any risks he has concerns about, and if so, what is being done to address those risks. That has helped to put in place a strong third-party risk management program.
[14:03] When Tom joined the FRTIB, his predecessor had already built a strong, mature ERM program. There was a repeatable process in place with a risk register and a risk profile.
[14:22] The opportunity was in integrating risk with planning and looking at how to enhance the program and bring it to the next level of maturity and build out that third-party risk management monitoring capability.
[14:42] RIMS Events! The very first RIMS Texas Regional Conference will be held from August 4th through August 6th in San Antonio at the Henry B. González Convention Center. Public registration is open. The full conference agenda is live, so you can start planning.
[15:00] Don’t miss the post-conference workshop, the RIMS-CRMP Exam Prep course available on-site. This event is open to any RIMS chapter member.
[15:10] If you are local to the area, you might consider becoming a RIMS member today so you can get all the benefits and begin networking with your new RIMS Texas peers. Visit RIMS.org/TexasRegional.
[15:22] Just a month later, we will be up North for the RIMS Canada Conference 2025, which will be held from September 14th through the 17th in Calgary. Registration is open. Visit RIMSCanadaConference.ca and lock in those favorable rates. We look forward to seeing you!
[15:41] On September 18th, the 10th Annual Chicagoland Risk Forum will be held at The Old Post Office in Chicago. Register at ChicagoRIMS.org.
[15:52] Also on September 18th, the Spencer Educational Foundation will host the 2025 Funding Their Future Gala at the Cipriani 42nd Street. Visit SpencerEd.org.
[16:03] On October 1st through the 3rd, the RIMS Western Regional Conference will be held in North San Jose at the Santa Clara Marriott. The agenda is live. It looks fantastic! Visit RIMSWesternRegional.com and register today!
[16:20] Let’s Return to My Interview with RIMS 2024 ERM Award of Distinction Winner, Tom Brandt!
[16:37] Shortly after Tom won the 2021 ERM Award of Distinction, along with Melissa Reynard, for his work with the IRS, he left to go to the FRTIB. Tom talks about the switch.
[16:57] Tom had a great career with the IRS. He had a range of different roles and responsibilities. For his last eight years with the IRS, he was the CRO.
[17:23] Tom was ready to make a change. He learned about the opportunity at FRTIB to help them bring risk and strategy programs into one department. He was happy to be selected and see the value of having risk and strategy come together.
[18:12] Tom was the second CRO at the IRS. In 2013, the IRS had a crisis, so they brought in a CRO from the GAO for about a year. Tom had been doing risk work in one of the business units of the IRS. He was chosen for the CRO position in 2014.
[18:50] The IRS crisis in 2013 related to concerns about how the agency had been handling applications for tax-exempt status. It led to Congressional hearings and IRS leadership changes.
[19:04] Before going to the FRTIB, Tom was contacted by a recruiter. Someone in the risk community knew of the position and suggested Tom for it. He’s thankful he was contacted because it has turned out to be an excellent opportunity.
[19:35] Through RIMS, Tom connects with public and private sector colleagues. He sees a lot of similarities. The public sector has been practicing ERM for just under a decade.
[20:16] The most essential ingredient in ERM is leadership support. Tom has support at FRTIB from leadership and the Board. Without leadership support, ERM is a compliance exercise. If ERM is truly leveraged, it can add a lot of value.
[20:42] Tom thinks we’re seeing too many instances where organizations have not had robust risk programs and have had risk events that could have been prevented or had the impact lessened, had they had a risk program.
[21:02] Tom thinks the challenge in the public sector is that there isn’t much room for government error. Anything that doesn’t go according to plan tends to get attention.
[21:22] That oversight creates an environment that tends to be more risk-averse. That’s not the way we want to run our risk program, because we want to take advantage of the opportunity that risk presents, but it’s a factor of the environment we operate in.
[21:44] Part of what led to the establishment of the IRS ERM program was the 2013 crisis and an after-event assessment of what went wrong. Bad news didn’t make it to the top quickly enough. Information that leadership should have been made aware of didn’t get there in time.
[22:05] As a result, issues and problems were allowed to fester and go out of control. In the IRS, people took a lot of pride in fixing and solving their problems. Sometimes you don’t have a lot of time to fix an issue before it goes sideways.
[22:41] A real benefit from sharing information is that often you can find other parts of the organization that can help because they’ve experienced a similar type of issue. They might have additional resources. Ignoring or hiding the problem doesn’t make it go away.
[23:01] The key value of ERM is creating a culture where people are willing to speak up, information gets escalated quickly, and you’re able to bring the right people and resources together to work collectively to manage and mitigate those risks.
[23:15] At FRTIB, Tom focuses on creating an environment where people feel comfortable speaking about risk, where it’s part of the regular way they operate.
[23:32] Since starting in risk many years ago and working with his teams, Tom’s approach has been doing risk with offices and not doing risk to offices. He wanted to meet them where they were, understand where they needed help, and nudge them, rather than drag them, along.
[24:00] Tom says take time to understand the organization, the unique needs of each office, and work with them to help manage and mitigate a risk, versus trying to force something on them.
[24:18] A Quick Plug! If you tuned in to the recent episode featuring James Lam, you will know he is hosting a new six-module workshop for us, the “RIMS-CRO Certificate in Advanced Enterprise Risk Management”.
[24:33] The inaugural summer course is completely sold out! We are filled to the virtual capacity! Don’t worry, in the Fall, the bi-weekly course will begin on October 9th. Registration closes on October 2nd. A link is in this episode’s notes. Check it out and register today!
[24:52] If you’re getting inspired by Tom Brandt and his ERM Award of Distinction win, remember that nominations are now open for the ERM Award of Distinction 2025. Be sure to listen closely for the tips that he offers about what makes a strong nomination!
[25:10] The link to the nomination form is in this episode’s show notes. Good luck!
[25:13] Let’s Return to the Conclusion of My Interview with Tom Brandt!
[25:18] Before becoming the CRO at the IRS, Tom was the Director of Planning and Research for the Large Business and International Division with responsibility for case selection, determining risk on corporate and international tax returns, and which ones should be selected for audit.
[25:52] This was a compliance risk experience. That provided the stepping stone to take on a more strategic, operational view of risk within the division. When the broader CRO opportunity became available at the IRS, he was considered and ultimately selected for that position.
[26:14] Tom’s view of risk has evolved. Within a business unit, he focused on the day-to-day operational and compliance risk. He didn’t take a view of the whole organization or what choices he made for his unit might create risk for another part of the organization.
[26:51] It’s a real value for ERM to have a portfolio view of the most critical risks across the organization, and understanding how actions to address risks in one area could create or exacerbate a risk somewhere else.
[27:08] Tom tells of reputational risk. Sometimes decisions don’t factor in how they will be perceived. Tom helped people at the IRS understand reputational risk and the stakeholders they may need to engage to help them understand why particular decisions are made.
[28:22] Tom shares advice for nominating an ERM Program for the ERM Award of Distinction. What are the results? What are the outcomes that the program accomplished that you can talk about? How did ERM help the organization? What value did it bring?
[29:07] Take an example of something you can share, and explain how ERM was able to surface the risk and bring the right people together to help with that risk and help the organization.
[29:24] It’s critical to have letters of recommendation. At the IRS, Tom had two Deputy Commissioners write letters about what they saw as the value that ERM brought to the agency.
[29:42] At FRTIB, Tom had letters from the Executive Director and a member of its Board, who had served for over a decade and had historical knowledge of how ERM had helped the Agency.
[30:04] Tom notes that the process of going through the application is a great learning opportunity to reflect on accomplishments as well as areas of remaining opportunity.
[30:17] If you are fortunate enough to be selected to receive recognition, it’s a great way to recognize the team. Tom used the Awards to recognize his teams at the IRS and at FRTIB, who are the ones who make all of this possible. The recognition turns out to be great kudos for them.
[30:41] You can learn more about Tom’s achievements through the links in this episode’s show notes, which feature his recent ERM Q&A from 2025. I’ve also included one with his former coworker from the IRS, Melissa Reynard, from 2022.
[30:58] This should give you a great sense of not just the great work that Tom has done but also what it takes to have your nomination seen and heard and get the recognition that you deserve.
[31:13] Tom, it’s been great getting to know you these past few years, and I look forward to seeing you in Seattle. Thank you for joining us here on RIMScast!
[31:32] Special thanks again to Tom Brandt for joining us here on RIMScast. Be sure to check out the links in this episode’s show notes for recent ERM Q&A interviews about his work with the FRTIB.
[31:46] Tom is a recipient of the RIMS ERM Award of Distinction. The Call for Nominations is open through August 16th. Check this episode’s show notes for the link and details.
[32:00] The Awards will be presented at the RIMS ERM Conference 2025, November 17th and 18th in Seattle. A link to that event is also on this page.
[32:08] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes.
[32:36] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.
[32:54] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.
[33:12] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.
[33:29] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.
[33:43] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.
[33:50] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Links:

20th Annual People’s Choice Podcast Awards! Vote for RIMScast (Gov’t & Organizations)
To vote for RIMScast, please sign up with your email, then select RIMScast on the pulldown under Government and Organizations. Thank you!
RIMS ERM Conference 2025 — Nov. 17‒18 | RIMS Global ERM Award of Distinction 2025 Nominations Open Through Aug. 16
“Embedding ERM Into One of the World’s Largest Retirement Programs.” — RIMS Interview with Tom Brandt (2025)
RIMS Texas Regional 2025 — August 3‒5 | Registration open.
RIMS-CRMP In-Person Workshop in Texas Aug. 6 & 7
RIMS Canada 2025 — Sept. 14‒17 | Registration open!
10th Annual Chicagoland Risk Forum — Sept. 18 | Registration open!
RIMS Western Regional — Oct 1‒3 | Bay Area, California | Registration open!
RISKWORLD 2026 — Members-only early registration! Register through Sept 30!
RIMS-Certified Risk Management Professional (RIMS-CRMP)
The Strategic and Enterprise Risk Center
Spencer Educational Foundation 2025 Funding Their Future Gala — Sept. 18, 2025, in NYC!
RIMS ERM Conference 2025 — Nov 17‒18 in Seattle! [Save the Date!]
RIMS-CRO Certificate in Advanced Enterprise Risk Management — Featuring Instructor James Lam! Summer course sold out! | Next bi-weekly course begins Oct 9.
RIMS Diversity Equity Inclusion Council
RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026
RIMS Risk Management magazine | Contribute
RIMS Now
RIMS Webinars: RIMS.org/Webinars

Upcoming RIMS-CRMP Prep Virtual Workshops:

RIMS-CRMP Exam Prep Virtual Workshop — Sept 2‒3, 2025 | Presented by RIMS and PARIMA
RIMS-CRMP-FED Exam Prep Virtual Workshop — November 11‒12
Full RIMS-CRMP Prep Course Schedule
“Emerging Risks” | Aug 5 | Instructor: Joe Mayo
“Intro to ERM for Senior Leaders” | Aug. 12‒13 | Instructor: Chris Mandel
“Intro to ERM for Senior Leaders” | Nov. 4‒5 | Instructor: Elise Farnham
See the full calendar of RIMS Virtual Workshops
RIMS-CRMP Prep Workshops

Related RIMScast Episodes:

“Risk and Clarity with Huw Edwards, RIMS Texas Keynote”
“James Lam on ERM, Strategy, and the Modern CRO”
“ERM, Retail, and Risk with Jeff Strege”
“Bigger Risks with the Texas State Office of Risk Management” | Sponsored By Hillwood
“ERMotivation with Carrie Frandsen, RIMS-CRMP”
“Live from the ERM Conference 2024 in Boston!”
“Risk Quantification Through Value-Based Frameworks”

Sponsored RIMScast Episodes:

“The New Reality of Risk Engineering: From Code Compliance to Resilience” | Sponsored by AXA XL (New!)
“Change Management: AI's Role in Loss Control and Property Insurance” | Sponsored by Global Risk Consultants, a TÜV SÜD Company
“Demystifying Multinational Fronting Insurance Programs” | Sponsored by Zurich
“Understanding Third-Party Litigation Funding” | Sponsored by Zurich
“What Risk Managers Can Learn From School Shootings” | Sponsored by Merrill Herzog
“Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor
“Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL
“How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog
“Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant
“RMIS Innovation with Archer” | Sponsored by Archer
“Navigating Commercial Property Risks with Captives” | Sponsored by Zurich
“Breaking Down Silos: AXA XL’s New Approach to Casualty Insurance” | Sponsored by AXA XL
“Weathering Today’s Property Claims Management Challenges” | Sponsored by AXA XL
“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company
“Partnering Against Cyberrisk” | Sponsored by AXA XL
“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh
“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos
“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL
“Elevating RMIS — The Archer Way” | Sponsored by Archer

RIMS Publications, Content, and Links:

RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RISK PAC | RIMS Advocacy
RIMS Strategic & Enterprise Risk Center
RIMS-CRMP Stories — Featuring RIMS President Kristen Peed!

RIMS Events, Education, and Services:

RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts. Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: Thomas Brandt, Chief Risk Officer at the Federal Retirement Thrift Investment Board

Production and engineering provided by Podfly.
From "RIMScast"