
Page 1: Actual Risks – Understanding the Real Risks to Your Organization

© 2019 MHA CONSULTING. ALL RIGHTS RESERVED.

Richard Long, Senior Advisory Consultant, MHA Consulting

March 13, 2019

Page 2: COMPANY BACKGROUND

KEY FACTS

20-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.

A simple mission: Ensure the continuous operations of our clients’ critical processes.

60% of revenue comes from Business Resiliency, 30% from IT Disaster Recovery, and 10% from SaaS tools.

SaaS Tools: BIA On-Demand, BCM One, Compliance Confidence, Residual Risk.

SAAS: Compliance and risk tools.
CAPABLE: Comprehensive suite of services.
20: Average years industry experience.
20: Years in operation.
GLOBAL: Diverse, global client base.

SENIOR LEADERSHIP

MHA Consulting’s senior team has an average of over 20 years of industry relevant experience in the areas of Business Continuity, Disaster Recovery, and Project Management.

Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona, www.mha-it.com

Page 3: DIVERSE, GLOBAL CLIENT BASE

• HEALTHCARE
• EDUCATION
• FINANCIAL INSTITUTIONS
• CONSUMER PRODUCTS
• INSURANCE
• TRAVEL & ENTERTAINMENT
• GOVERNMENT/UTILITY
• SERVICES

Page 4: ROBUST SUITE OF SERVICES

ASSESS THE CURRENT ENVIRONMENT
• Current State Assessment
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment

RECOVERY STRATEGIES & SOLUTIONS
• Business Recovery Strategies & Solutions
• Data Center Recovery Strategies

RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery

EXERCISES
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises

MAINTAIN & IMPROVE
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment
• Third Party Assessments

BCMMETRICS™ SaaS tools
• BIA On-Demand (BIAOD)
• BCM One (BCM1)
• Compliance Confidence (C2)
• Residual Risk (R2)

Page 5: Why Are You Here?

How to understand your actual risks by:

• Performing a Risk Assessment that addresses:
  o Nature
  o People
  o Technology
  o Locations

• Taking a closer look at your:
  o Supply Chain and Vendor Risk
  o Staffing
  o Risk Profile
  o Physical Security
  o Insurance

Page 6: THE BIG PICTURE

Risk

Resilience

Page 7: BCM COMPLIANCE STANDARDS

STANDARDS IN BUSINESS CONTINUITY
• ISO 22301
• FFIEC
• NIST 800
• NFPA 1600
• SEC
• FISMA
• FINRA
• Supply Chain Resiliency Leadership Council

MEASURE COMPLIANCE IN THESE BCM DIMENSIONS
• Program Administration
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Fire & Life Safety
• Supply Chain Risk Management
• Third Party Management

Page 8: RISK MANAGEMENT

• Identifies conditions or situations which may cause a business function outage.
• Identifies the probability of the risk occurring.
• Identifies threats and hazards across all areas - human, natural, technology, chemical/biological, etc.
• Identifies internal threats.
• Assists in determining how to prevent impact/outages.
• Determines what risk will be mitigated and what will not.

Page 9: CRISIS SPECTRUM

[Chart of crisis categories by share of incidents; only the "Other" legend survived extraction.]

OTHER: Catastrophe 1.01%; Casualty Accidents 0.14%; Financial Damage 0.14%; Hostile Takeover 1.64%; Labor Issues 0.14%; Sexual Harassment 0.48%

Source: ICM Annual Crisis Report, 2017. Institute for Crisis Management.

Page 10: RISK PRIORITIES – ANOTHER WAY TO LOOK AT RISK

1. Life Safety
2. Incident Stabilization
3. Property Preservation
4. Restoration of the Business

Page 11: BASIC CONCEPTS

RISK CULTURE
• Do you acknowledge risk or do you contend that it’s not that big?
• Are you proactive or reactive?
• Do you pack on risk until you get hit by audit, regulators, or a disruption?
• Is revealing risks recommended or discouraged by your management?
• Do you ensure proper respect for risk?
• Is IT aligned with the business?

RISK CONCEPTS
• Inherent Risk – How big is the risk?
• Risk Appetite vs. Risk Tolerance – What will we accept vs. tolerate?
• Mitigating Controls – What keeps the risks in check?
• Residual Risk – What risk is left and what do we do with it?

Page 12: BASIC COMPONENTS – RISK APPETITE VS. RISK TOLERANCE

• APPETITE: Broad level of risk an organization will accept.
• TOLERANCE: Specific level of risk for each measurement or action.

EXAMPLES

APPETITE
• High insurance deductible or no insurance
• Have financial reserves
• Low likelihood of occurrence

TOLERANCE
• $5,000 medical deductible
• No comprehensive coverage on older car – will buy a car if needed

Page 13: BASIC COMPONENTS – RISK MITIGATION

• RISK ACCEPTANCE: Risk acceptance does not reduce any effects; however, it is still considered a strategy. It is a common option when the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

• RISK AVOIDANCE: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.

• RISK LIMITATION: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It combines a bit of risk acceptance with a bit of risk avoidance, or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

• RISK TRANSFERENCE: Risk transference is handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

Page 14: BASIC COMPONENTS – CURRENT, COMMON RISKS

• HUMAN ERROR: No process or checks will stop mistakes. The beauty and curse of humanity.
  o INTENTIONAL: Knowingly taking shortcuts or not following known procedures.
  o UNINTENTIONAL: Physical errors or mental or cognitive errors, where you do the wrong thing believing it to be right (i.e., making the wrong decision).
• DATA BREACH/RANSOMWARE: Occur every day.
• BRAND IMAGE/REPUTATIONAL DAMAGE: Examples are airlines, fast food, telecom.
• TECHNOLOGY OUTAGES: Examples are airline issues, cloud-based services, etc.

Page 15: ORGANIZATIONAL THREAT & RISK ASSESSMENT – MITIGATING CONTROLS

Mitigating controls are safeguards which reduce effects or occurrence of risks/threats.

01 Fire and Life Safety
02 Physical Security
03 Data Security and Backups
04 Network Resiliency
05 Hardware Resiliency
06 Business Continuity/Disaster Recovery
07 Facilities
08 Business and IT Best Practices

Page 16: ORGANIZATIONAL THREAT & RISK ASSESSMENT – CONSIDERATIONS

Mitigating controls are safeguards which reduce effects or occurrence of risks/threats.

01 Geography - Location
02 Neighboring Companies
03 Utilities Stability
04 Corporate History
05 Weather History
06 Pandemic
07 Impacts on: People, Business Operations
08 Probability of Occurrence

Page 17: SUPPLY CHAIN THREAT & RISK ASSESSMENT – WHY SUPPLY CHAIN ASSESSMENT

• Widespread adoption of “lean” practices.
• The move to off-shore manufacturing and sourcing.
• Outsourcing and reduction in the supplier base.
• Global consolidation of suppliers.
• Centralized production and distribution.
• The biggest risk to business continuity may lie outside the company in the wider supply chain.
• The complexity and inter-connectedness of modern supply chains increases their vulnerability to disruption.
• Environmental risks are outside our control, but systemic risk is created through our own decisions.

Page 18: SUPPLY CHAIN THREAT & RISK ASSESSMENT – WHAT ARE SUPPLY CHAIN RISKS?

Five categories: DEMAND, SUPPLY, PROCESS, NETWORK, ENVIRONMENT

DEMAND RISK
• Loss of major accounts
• Volatility of demand
• Concentration of customer base
• Short life cycles
• Innovative competitors

SUPPLY RISK
• Dependency on key suppliers
• Consolidation in supply markets
• Quality and management issues arising from off-shore sourcing
• Potential disruption at 2nd tier level
• Length and variability of replenishment lead times

PROCESS RISK
• Manufacturing yield variability
• Lengthy set-up times and inflexible processes
• Equipment reliability
• Limited capacity/bottlenecks
• Outsourcing key business processes

NETWORK/CONTROL RISK
• Asymmetric power relationships
• Poor visibility along the pipeline
• Inappropriate rules that distort demand
• Lack of collaborative planning and forecasts
• Bullwhip effects due to multiple echelons

ENVIRONMENT RISK
• Natural disasters
• Terrorism and war
• Regulatory changes
• Tax, duties and quotas
• Strikes

Page 19: VENDOR THREAT & RISK ASSESSMENT – WHY VENDOR RISK ASSESSMENT

• Supply chain dependencies, exposure, and redundancies (US and abroad)
• Increasingly impactful man-made, technology and natural disasters
• Globalization – requires focus on global disaster events
• Reputational liability linked with vendors, partners and customers
• High reliance on critical information systems/services, some of which are externally supported/in the cloud/hosted by and linked
• Concentration of critical functions in fewer facilities increases location risk (e.g., outsourced shared services vendors)
• Changes associated with mergers, acquisitions and divestitures can impact vendor resiliency
• Vendor resiliency focuses on both the resiliency of an organization’s vendors as well as an organization’s own resiliency to meet its requirements as a vendor
• Meeting FFIEC Appendix J - Third Party Management standards

Page 20: VENDOR THREAT & RISK ASSESSMENT – BASIC COMPONENTS

• Have I identified my critical vendors/business partners?
• Does my internal supply chain management group understand the criticality of specific vendors to the organization?
• Has a system of prioritizing (critical, important, etc.) been established?
• Will a critical vendor’s crisis become an issue for my organization?
• Have I informed my critical vendors of their prioritization status and what will be expected of them during emergencies?
• Will my organization’s additional needs during a crisis be supported by its vendors? How flexible are my critical vendors to changing situations and accompanying response & recovery strategies and tactics?
• Can the vendor prove that it can survive a crisis and be flexible to help my organization through their crisis?

Page 21: VENDOR THREAT & RISK ASSESSMENT – BASIC COMPONENTS

[Graphic-only slide; no text survived extraction.]

Page 22: SPECIFIC COMPONENTS – STAFFING/PEOPLE

• Identify Single Points of Failure
• Identify what staff or teams are critical
• Identify minimal staffing for each process/department
• Pandemic planning
• Family/Dependent needs may impact staffing
• Loss of key staff – non emergency
• Public visibility of staff and leadership

Page 23: SPECIFIC COMPONENTS – PHYSICAL SECURITY

• Appropriate access based on function and risk
• Appropriate evacuation capability and procedures
• Building risks
  o Blind spots
  o Security presence
  o Building location
• Organizational culture
  o Social presence
  o Organization primary function or social stance on issues
  o Does that increase the risk of demonstrations/emotional response?
• High Profile Employees
  o Employees with high risk personal issues (court cases, garnishments, custody, etc.)

Page 24: SPECIFIC COMPONENTS – INSURANCE

• What insurance is in place (this may be Risk Department responsibility)
  o Reporting/Notification requirements per policy
  o Cyber Insurance
• A single event can cause multiple millions of dollars of impact
  o Business Interruption
  o Increased costs (supplies, staffing, transportation, etc.)
  o Lost/Delayed revenue; cash flow
  o Liability

Page 25: ADDITIONAL COMPONENTS – RESIDUAL RISK: WHAT IS IT?

• Residual Risk is defined as the remaining risk after controls have been implemented and monitored and the effect of their findings considered.
• Residual Risk considers the inherent risk (risk before controls) that exists prior to assessing the mitigating controls.
• Identifies the Risk Tolerance or level of willingness to accept risk. Low Risk Tolerance = tighter, more stringent controls, more expense, and vice versa.
• Process assesses and evaluates the state of mitigating controls that are designed to mitigate effects of the inherent risk.
• Determines if remaining Residual Risk is within or outside of the agreed upon Risk Tolerance based on the state of the mitigating controls.

Page 26: ADDITIONAL COMPONENTS – RESIDUAL RISK: EXAMPLE

MALWARE: We have a risk of introducing malware in the organization. We need to identify the residual risk based on current state.

The basic calculation includes the following steps:

• CONCERN – Prevent malware from being introduced in the environment.
• INHERENT RISK – What is the risk from malware?
• RISK TOLERANCE – What level of risk are we willing to accept?
• IDENTIFY POTENTIAL MITIGATING CONTROLS
  o People training
  o Monitoring tools
  o Anti Virus tools
  o DMZ/Network Isolation

Step 1 – What is the Inherent Risk for Potential Harm?
Step 2 – What is the Maximum Risk Tolerance We Will Accept?
Step 3 – What is the State of Our Mitigating Controls?
Step 4 – What is Our Residual Risk?
• Determine state of our mitigating controls
• Subtract mitigating control state from our risk tolerance
• The remainder is the minimum score controls must meet
• We are either within tolerance or out of tolerance
Step 5 – Now What Do We Do?
• Which controls will we fully implement? Outsource?
• Which controls will we leave as is and accept the risk?
• What other controls could minimize remaining risk?
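Steps 1 to 5 above, carried through on the deck's own malware example as an added Python example. This is not code from the deck or from MHA Consulting's Residual Risk (R2) tool; the 0-10 scoring scale, the per-control weights and states, the rule that residual risk equals inherent risk multiplied by the share of risk the controls have not yet removed, and the greedy "implement the control with the most remaining reduction first" choice in Step 5 are all assumptions made here, since the deck does not define a scale or a formula.

```python
"""Residual-risk walk-through for the malware example (added illustration).

Assumed scoring model (not the deck's own):
- inherent risk and risk tolerance are scored 0..10
- each control has a weight (share of inherent risk it removes when fully
  implemented) and a state (0 = absent .. 10 = fully implemented and monitored)
- residual risk = inherent risk * (1 - aggregate reduction from the controls)
"""
from dataclasses import dataclass, replace

SCALE = 10  # assumed: every score lives on a 0..10 scale


@dataclass(frozen=True)
class Control:
    name: str
    weight: float  # assumed share of inherent risk removed at full implementation (0..1)
    state: int     # current implementation state, 0 .. SCALE


def risk_reduction(controls):
    """Aggregate fraction of the inherent risk removed by the controls as they stand."""
    return min(1.0, sum(c.weight * c.state / SCALE for c in controls))


def residual_risk(inherent, controls):
    """Step 4: risk left after the mitigating controls in their current state."""
    return max(0.0, inherent * (1.0 - risk_reduction(controls)))


def tolerance_gap(inherent, tolerance, controls):
    """The 'remainder' of Step 4: how much more risk the controls must remove.
    Zero means we are within tolerance."""
    return max(0.0, residual_risk(inherent, controls) - tolerance)


def remaining_reduction(inherent, control):
    """Risk one control could still remove if brought to full state."""
    return inherent * control.weight * (SCALE - control.state) / SCALE


def plan_to_tolerance(inherent, tolerance, controls):
    """Step 5: pick controls to fully implement, largest remaining reduction
    first, until residual risk is within tolerance. Returns the chosen control
    names in order and the residual risk after implementing them."""
    current = list(controls)
    chosen = []
    while residual_risk(inherent, current) > tolerance:
        candidates = [c for c in current if c.state < SCALE]
        if not candidates:
            # Every listed control is already at full state: what is left must be
            # accepted, transferred, or addressed with a control not yet listed.
            break
        best = max(candidates, key=lambda c: remaining_reduction(inherent, c))
        current = [replace(c, state=SCALE) if c is best else c for c in current]
        chosen.append(best.name)
    return chosen, residual_risk(inherent, current)


# Constructed scores for the deck's malware concern (illustrative, not measured).
INHERENT_MALWARE = 9.0    # Step 1: potential harm with no controls in place
TOLERANCE_MALWARE = 3.0   # Step 2: maximum risk we will accept
MALWARE_CONTROLS = (      # Step 3: current state of the deck's four candidate controls
    Control("People training", weight=0.15, state=4),
    Control("Monitoring tools", weight=0.25, state=5),
    Control("Anti Virus tools", weight=0.30, state=8),
    Control("DMZ/Network Isolation", weight=0.30, state=2),
)

if __name__ == "__main__":
    r = residual_risk(INHERENT_MALWARE, MALWARE_CONTROLS)
    status = "within tolerance" if r <= TOLERANCE_MALWARE else "OUT of tolerance"
    print(f"Residual risk {r:.2f} vs tolerance {TOLERANCE_MALWARE:.1f}: {status}")
    print(f"Gap to close: {tolerance_gap(INHERENT_MALWARE, TOLERANCE_MALWARE, MALWARE_CONTROLS):.2f}")
    chosen, after = plan_to_tolerance(INHERENT_MALWARE, TOLERANCE_MALWARE, MALWARE_CONTROLS)
    print(f"Fully implement {chosen} -> residual {after:.2f}")
```

With the constructed scores the organization is out of tolerance (residual 4.64 against a tolerance of 3.0), and bringing the one weakest high-weight control, DMZ/Network Isolation, to full state is enough to get within tolerance; the remaining controls are then Step 5's "leave as is and accept the risk" candidates. The `break` in `plan_to_tolerance` is the case the deck's Step 5 last bullet asks about: when every listed control is already fully implemented and the residual is still above tolerance, the only options are acceptance, transference, or a new control.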

Page 27: WHERE TO FOCUS – WHAT FIRST?

• Categorize risks
  o Acceptance
  o Transference
  o Avoidance
  o Limitation

Page 28: THANK YOU

MHA CONSULTING, INC.

www.mha-it.com

(888) 689-2290

(602) 370-1864

[email protected]

Richard Long, Senior Advisory Consultant