© 2019 MHA CONSULTING. ALL RIGHTS RESERVED.
Actual Risks – Understanding the Real Risks to Your Organization
Richard Long, Senior Advisory Consultant, MHA Consulting
March 13, 2019
COMPANY BACKGROUND
20-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.
A simple mission: Ensure the continuous operations of our clients’ critical processes.
60% of revenue comes from Business Resiliency, 30% from IT Disaster Recovery, and 10% from SaaS tools.
SaaS Tools: BIA On-Demand, BCM One, Compliance Confidence, Residual Risk.
KEY FACTS
• SAAS: Compliance and risk tools.
• CAPABLE: Comprehensive suite of services.
• 20: Average years industry experience.
• 20: Years in operation.
• GLOBAL: Diverse, global client base.
SENIOR LEADERSHIP
MHA Consulting’s senior team has an average of over 20 years of industry-relevant experience in the areas of Business Continuity, Disaster Recovery, and Project Management.
Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona, www.mha-it.com
DIVERSE, GLOBAL CLIENT BASE
• HEALTHCARE
• EDUCATION
• FINANCIAL INSTITUTIONS
• CONSUMER PRODUCTS
• INSURANCE
• TRAVEL & ENTERTAINMENT
• GOVERNMENT/UTILITY
• SERVICES
ROBUST SUITE OF SERVICES
ASSESS THE CURRENT ENVIRONMENT
• Current State Assessment
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment
BCMMETRICS™ TOOLS
• BIA On-Demand (BIAOD)
• BCM One (BCM1)
• Compliance Confidence (C2)
• Residual Risk (R2)
RECOVERY STRATEGIES & SOLUTIONS
• Business Recovery Strategies & Solutions
• Data Center Recovery Strategies
RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
EXERCISES
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
MAINTAIN & IMPROVE
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment
• Third Party Assessments
Why Are You Here?
How to understand your actual risks by:
• Performing a Risk Assessment that addresses:
  • Nature
  • People
  • Technology
  • Locations
• Taking a closer look at your:
  • Supply Chain and Vendor Risk
  • Staffing
  • Risk Profile
  • Physical Security
  • Insurance
THE BIG PICTURE
Risk
Resilience
BCM COMPLIANCE STANDARDS
STANDARDS IN BUSINESS CONTINUITY
• ISO 22301
• FFIEC
• NIST 800
• NFPA 1600
• SEC
• FISMA
• FINRA
• Supply Chain Resiliency Leadership Council
MEASURE COMPLIANCE IN THESE BCM DIMENSIONS
• Program Administration
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Fire & Life Safety
• Supply Chain Risk Management
• Third Party Management
RISK MANAGEMENT
• Identifies conditions or situations which may cause a business function outage.
• Identifies the probability of the risk occurring.
• Identifies threats and hazards across all areas – human, natural, technology, chemical/biological, etc.
• Identifies internal threats.
• Assists in determining how to prevent impact/outages.
• Determines what risk will be mitigated and what will not.
CRISIS SPECTRUM
OTHER: Catastrophe 1.01%; Casualty Accidents 0.14%; Financial Damage 0.14%; Hostile Takeover 1.64%; Labor Issues 0.14%; Sexual Harassment 0.48%
Source: ICM Annual Crisis Report, 2017. Institute for Crisis Management.
RISK PRIORITIES – ANOTHER WAY TO LOOK AT RISK
Life Safety
Incident Stabilization
Property Preservation
Restoration of the Business
BASIC CONCEPTS
RISK CULTURE
• Do you acknowledge risk or do you contend that it’s not that big?
• Are you proactive or reactive?
• Do you pack on risk until you get hit by audit, regulators, or a disruption?
• Is revealing risks recommended or discouraged by your management?
• Do you ensure proper respect for risk?
• Is IT aligned with the business?
RISK CONCEPTS
• Inherent Risk – How big is the risk?
• Risk Appetite vs. Risk Tolerance – What will we accept vs. tolerate?
• Mitigating Controls – What keeps the risks in check?
• Residual Risk – What risk is left and what do we do with it?
BASIC COMPONENTS
RISK APPETITE VS. RISK TOLERANCE
• APPETITE: Broad level of risk an organization will accept.
• TOLERANCE: Specific level of risk for each measurement or action.
EXAMPLES
APPETITE
• High insurance deductible or no insurance
• Have financial reserves
• Low likelihood of occurrence
TOLERANCE
• $5,000 medical deductible
• No comprehensive coverage on older car – will buy a car if needed
BASIC COMPONENTS
RISK MITIGATION
• RISK ACCEPTANCE: Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
• RISK AVOIDANCE: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
• RISK LIMITATION: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance, or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
• RISK TRANSFERENCE: Risk transference is handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.
BASIC COMPONENTS
CURRENT, COMMON RISKS
• HUMAN ERROR: No process or checks will stop mistakes. The beauty and curse of humanity.
  • INTENTIONAL: Knowingly taking shortcuts or not following known procedures.
  • UNINTENTIONAL: Physical errors or mental or cognitive errors, where you do the wrong thing believing it to be right (i.e., making the wrong decision).
• DATA BREACH/RANSOMWARE: Occur every day.
• BRAND IMAGE/REPUTATIONAL DAMAGE: Examples are airlines, fast food, telecom.
• TECHNOLOGY OUTAGES: Examples are airline issues, cloud-based services, etc.
MITIGATING CONTROLS
ORGANIZATIONAL THREAT & RISK ASSESSMENT
Mitigating controls are safeguards which reduce the effects or occurrence of risks/threats.
01 Fire and Life Safety
02 Physical Security
03 Data Security and Backups
04 Network Resiliency
05 Hardware Resiliency
06 Business Continuity/Disaster Recovery
07 Facilities
08 Business and IT Best Practices
MITIGATING CONTROLS – CONSIDERATIONS
ORGANIZATIONAL THREAT & RISK ASSESSMENT
Mitigating controls are safeguards which reduce the effects or occurrence of risks/threats.
01 Geography – Location
02 Neighboring Companies
03 Utilities Stability
04 Corporate History
05 Weather History
06 Pandemic
07 Impacts on: People, Business Operations
08 Probability of Occurrence
SUPPLY CHAIN THREAT & RISK ASSESSMENT
WHY SUPPLY CHAIN ASSESSMENT
• Widespread adoption of “lean” practices.
• The move to off-shore manufacturing and sourcing.
• Outsourcing and reduction in the supplier base.
• Global consolidation of suppliers.
• Centralized production and distribution.
• The biggest risk to business continuity may lie outside the company in the wider supply chain.
• The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption.
• Environmental risks are outside our control, but systemic risk is created through our own decisions.
SUPPLY CHAIN THREAT & RISK ASSESSMENT
WHAT ARE SUPPLY CHAIN RISKS?
DEMAND | SUPPLY | PROCESS | NETWORK | ENVIRONMENT
DEMAND RISK
• Loss of major accounts
• Volatility of demand
• Concentration of customer base
• Short life cycles
• Innovative competitors
SUPPLY RISK
• Dependency on key suppliers
• Consolidation in supply markets
• Quality and management issues arising from off-shore sourcing
• Potential disruption at 2nd tier level
• Length and variability of replenishment lead times
PROCESS RISK
• Manufacturing yield variability
• Lengthy set-up times and inflexible processes
• Equipment reliability
• Limited capacity/bottlenecks
• Outsourcing key business processes
NETWORK/CONTROL RISK
• Asymmetric power relationships
• Poor visibility along the pipeline
• Inappropriate rules that distort demand
• Lack of collaborative planning and forecasts
• Bullwhip effects due to multiple echelons
ENVIRONMENT RISK
• Natural disasters
• Terrorism and war
• Regulatory changes
• Tax, duties and quotas
• Strikes
VENDOR THREAT & RISK ASSESSMENT
WHY VENDOR RISK ASSESSMENT
• Supply chain dependencies, exposure, and redundancies (US and abroad)
• Increasingly impactful man-made, technology and natural disasters
• Globalization – requires focus on global disaster events
• Reputational liability linked with vendors, partners and customers
• High reliance on critical information systems/services, some of which are externally supported/in the cloud/hosted by and linked
• Concentration of critical functions in fewer facilities increases location risk (e.g., outsourced shared services vendors)
• Changes associated with mergers, acquisitions and divestitures can impact vendor resiliency
• Vendor resiliency focuses on both the resiliency of an organization’s vendors as well as an organization’s own resiliency to meet its requirements as a vendor
• Meeting FFIEC Appendix J – Third Party Management standards
BASIC COMPONENTS
VENDOR THREAT & RISK ASSESSMENT
• Have I identified my critical vendors/business partners?
• Does my internal supply chain management group understand the criticality of specific vendors to the organization?
• Has a system of prioritizing (critical, important, etc.) been established?
• Will a critical vendor’s crisis become an issue for my organization?
• Have I informed my critical vendors of their prioritization status and what will be expected of them during emergencies?
• Will my organization’s additional needs during a crisis be supported by its vendors? How flexible are my critical vendors to changing situations and accompanying response & recovery strategies and tactics?
• Can the vendor prove that it can survive a crisis and be flexible to help my organization through their crisis?
BASIC COMPONENTS
VENDOR THREAT & RISK ASSESSMENT
SPECIFIC COMPONENTS
STAFFING/PEOPLE
• Identify Single Points of Failure
• Identify what staff or teams are critical
• Identify minimal staffing for each process/department
• Pandemic planning
• Family/Dependent needs may impact staffing
• Loss of key staff – non-emergency
• Public visibility of staff and leadership
SPECIFIC COMPONENTS
PHYSICAL SECURITY
• Appropriate access based on function and risk
• Appropriate evacuation capability and procedures
• Building risks
  • Blind spots
  • Security presence
  • Building location
• Organizational culture
  • Social presence
  • Organization primary function or social stance on issues
  • Does that increase the risk of demonstrations/emotional response?
• High Profile Employees
• Employees with high-risk personal issues (court cases, garnishments, custody, etc.)
SPECIFIC COMPONENTS
INSURANCE
• What insurance is in place (this may be the Risk Department’s responsibility)
• Reporting/Notification requirements per policy
• Cyber Insurance
• A single event can cause multiple millions of dollars of impact
• Business Interruption
  • Increased costs (supplies, staffing, transportation, etc.)
  • Lost/Delayed revenue; cash flow
• Liability
ADDITIONAL COMPONENTS
RESIDUAL RISK – WHAT IS IT?
• Residual Risk is defined as the remaining risk after controls have been implemented and monitored and the effect of their findings considered.
• Residual Risk considers the inherent risk (risk before controls) that exists prior to assessing the mitigating controls.
• Identifies the Risk Tolerance, or level of willingness to accept risk. Low Risk Tolerance = tighter, more stringent controls, more expense, and vice versa.
• The process assesses and evaluates the state of the mitigating controls that are designed to mitigate the effects of the inherent risk.
• Determines if the remaining Residual Risk is within or outside of the agreed-upon Risk Tolerance based on the state of the mitigating controls.
ADDITIONAL COMPONENTS
RESIDUAL RISK – EXAMPLE
MALWARE: We have a risk of introducing malware in the organization. We need to identify the residual risk based on current state.
• CONCERN – Prevent malware from being introduced in the environment.
• INHERENT RISK – What is the risk from malware?
• RISK TOLERANCE – What level of risk are we willing to accept?
• IDENTIFY POTENTIAL MITIGATING CONTROLS
  o People training
  o Monitoring tools
  o Anti-virus tools
  o DMZ/Network Isolation
RESIDUAL RISK – THE BASIC CALCULATION INCLUDES THE FOLLOWING STEPS:
Step 1 – What is the Inherent Risk for Potential Harm?
Step 2 – What is the Maximum Risk Tolerance We Will Accept?
Step 3 – What is the State of Our Mitigating Controls?
Step 4 – What is Our Residual Risk?
• Determine the state of our mitigating controls
• Subtract the mitigating control state from our risk tolerance
• The remainder is the minimum score controls must meet
• We are either within tolerance or out of tolerance
Step 5 – Now What Do We Do?
• Which controls will we fully implement? Outsource?
• Which controls will we leave as is and accept the risk?
• What other controls could minimize remaining risk?
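The five residual-risk steps for the malware example, worked through in Python as an added illustration (not part of the deck or MHA's tools). The 0–10 scoring scale, the control weights and states, and the formula residual = inherent × (1 − weighted control effectiveness) are assumptions, since the slide gives no scoring model.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    weight: float  # share of the inherent risk this control addresses (weights sum to 1.0)
    state: float   # current implementation state: 0.0 = absent, 1.0 = fully effective


# Constructed sample values for the deck's malware example (assumed 0-10 scale).
INHERENT_RISK = 9.0    # Step 1: potential harm from malware before any controls
RISK_TOLERANCE = 3.0   # Step 2: maximum residual risk we will accept
CONTROLS = [           # Step 3: state of the four controls named on the slide
    Control("People training", 0.25, 0.4),
    Control("Monitoring tools", 0.25, 0.5),
    Control("Anti-virus tools", 0.30, 0.9),
    Control("DMZ / network isolation", 0.20, 0.6),
]


def control_effectiveness(controls):
    """Weighted state of the whole control set, 0.0 to 1.0."""
    return sum(c.weight * c.state for c in controls)


def residual_risk(inherent, controls):
    """Step 4: the risk left after the controls, in their current state, are applied."""
    return inherent * (1.0 - control_effectiveness(controls))


def minimum_control_score(inherent, tolerance):
    """The 'remainder' the slide describes: the smallest combined control
    effectiveness that brings residual risk down to the tolerance."""
    return max(0.0, 1.0 - tolerance / inherent)


def within_tolerance(inherent, tolerance, controls):
    """Step 4 verdict: True when residual risk is at or below the agreed tolerance."""
    return residual_risk(inherent, controls) <= tolerance


def improvement_candidates(inherent, controls):
    """Step 5 input: controls ranked by how much residual risk each still leaves,
    so the weakest, highest-weight controls come first."""
    gaps = [(c.name, round(inherent * c.weight * (1.0 - c.state), 2)) for c in controls]
    return sorted(gaps, key=lambda g: g[1], reverse=True)
```

With these constructed values the organization is out of tolerance (residual 3.465 against a tolerance of 3.0, with controls needing a combined score of at least 0.667), and raising the weakest control, people training, to 0.9 is enough to bring it within tolerance.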
WHERE TO FOCUS
WHAT FIRST?
• Categorize risks
  • Acceptance
  • Transference
  • Avoidance
  • Limitation
MHA CONSULTING, INC.
THANK YOU
www.mha-it.com
(888) 689-2290
(602) 370-1864
Richard Long, Senior Advisory Consultant