Slide 1: Changed World, New Risks

Mark Carey, CPA, CISA
DelCreo, Inc., An Enterprise Risk Management Company
440-250-9391
mark@delcreo.com



Slide 2: Risk Management Lessons and Business Applications


Slide 3: Office of Homeland Security

Government Lesson
• The US faces many new, non-conventional threats:
  – Terrorism
  – Proliferation of weapons of mass destruction
  – Attacks on critical infrastructure
  – International drug trade
  – etc.
• No single department, agency, state, local or private sector entity can handle these threats alone; up to 46 different federal agencies are responsible for addressing the non-conventional threats.
• The Office of Homeland Security was created to “coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to, and recover from terrorist attacks within the United States.”

Business Application
• Businesses also face new, non-conventional and complex conventional threats that require coordinated risk management through an enterprise-wide risk management organization/function.


Slide 4: Homeland Security Council

Government Lesson
• The Homeland Security Council was established to:
  – Advise and assist the President with respect to all aspects of homeland security
  – Ensure coordination of homeland security-related activities of executive departments and agencies
  – Ensure effective development and implementation of homeland security policies

Business Application
• Consider establishing an enterprise risk council to:
  – Provide relevant risk information to CXOs and the BOD
  – Coordinate risk management activities of various functions and business units
  – Develop and implement corporate risk management policies


Slide 5: Silos

Government Lesson
• Silos exist in:
  – Departments and agencies
    • Federal, state and local
    • Foreign and domestic
    • US, allies and others
  – Information systems and databases
  – Processes
• Intelligence gathering and dissemination activities

Business Application
• Create processes, systems and tools to reach across silos to provide the “big picture”
• Focus corporate risk management resources on what matters the most
• Leverage the “silo” expertise through better coordination for complex risks


Slide 6: Low Cost, High Tech

Government Lesson
• Sophisticated technologies may be employed as weapons of mass destruction:
  – Biological and chemical weapons
  – Technology
• Tools that have the ability to inflict massive damage are getting cheaper

Business Application
• Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc. Understand the impact these tools may have on your organization.


Slide 7: Low Tech, High Impact

Government Lesson
• Terrorists have employed low-tech weapons to inflict massive physical or psychological damage:
  – Box cutters
  – Envelopes

Business Application
• Identify assets at risk:
  – Strategic initiatives
  – People
  – Process
  – Information systems
  – Physical infrastructure
  – Geography
  – Organization
  – Products
  – Flows (supplies, information, electricity, cash, etc.)
• Focus risk assessment on how the asset may be impacted
• Consider best and worst case scenarios (to ensure preparation for the best and worst times)


Slide 8: Incident Management

Government Lesson
• The Executive Branch lacked a formal terrorist incident management process, coordinator and team
• The Homeland Security Director will be the individual primarily responsible for coordinating the domestic response in the event of an imminent threat, and during and in the immediate aftermath of a terrorist attack

Business Application
• Define a formal incident management process with pre-incident planning activities, escalation triggers, defined responsibilities and response pathways


Slide 9: Early Warning System

Government Lesson
• Silos prevented effective aggregation of early warning signals
• Local decisions to disregard significant information
• Lack of appropriate escalation metrics and thresholds
• Many early warning signals were not deemed credible

Business Application
• Develop and constantly enhance the quality of information collected and of early warning tools


Slide 10: ERM Definition

• A consistent and organization-wide approach to developing and implementing a comprehensive risk strategy and program in order to:
  – Provide a baseline level of protection for value-creating assets, or
  – Use risk management strategies and tools to assure the success of strategic objectives and improve organizational returns (as defined by key stakeholders)


Slide 11: Business Case: Improve Total Cost of Risk

• Gaps in risk coverage and information
  – Emerging risk areas
  – Strategic planning and decision-making processes do not receive complete, reliable and timely risk information
  – Programs/projects with multiple vulnerabilities
  – Vulnerabilities that require multiple skills, aggregation of data, etc. to mitigate
• Cost of managing risks
  – Poor use of process-enabling technology
  – Knowledge management
  – Modeling/data aggregation tools
  – Coordination and communication between risk functions, business organizations, and management


Slide 12: Disaster Recovery Lessons Learned


Slide 13: Business Process and Business Unit Recovery Efforts Overlooked

Lesson
• Most disaster planning had revolved around the data center or IT capabilities of the enterprise.
• Back office operations continuity plans put into effect following the September 11th attacks often overlooked highly paper-centric back office business processes.

Recommendation
• An enterprise-wide approach to continuity planning must include attention not only to the data center, IT and network communications issues, but also to those of time-critical business processes wherever they might flow through the organizational structure.


Slide 14: Geography

Lesson
• Many recovery plans and arrangements were based on the assumption that local hot sites and alternate workspaces would be available.
• Other companies had a difficult time accessing their hot sites and alternate workspaces when air travel was stopped.

Recommendation
• Geographic factors should be fully considered in the threat and vulnerability assessment, in the assumptions used in planning, and during the development of the recovery plans.

Source: McKinsey & Company, “Impact of Attack on New York Financial Services”, Nov 2001


Slide 15: Single Points of Failure

Lesson
• Transportation, telecommunications and power elements of the infrastructure had several key “single points of failure”.
• Many business processes today take place outside of an organization's boundaries. Many supply chains have key participants that are critical single points of failure outside the operational control of an individual organization.

Recommendation
• Infrastructure, process and other third-party providers should be included in the continuity planning process.

Source: McKinsey & Company, “Impact of Attack on New York Financial Services”, Nov 2001


Slide 16: Trained Personnel Is Critical

Lesson
• Personnel is the critical key to success.
• For one company impacted, 100% of the people who had participated in the hot site disaster recovery testing were killed in the September 11th attacks.

Recommendation
• In this instance, people who had to assist in the recovery were unfamiliar with the continuity plans and actions necessary to expedite recovery operations. Organizations should incorporate cross-training and rotation of recovery plan testing and maintenance responsibilities.


Slide 17: Mix of Threats and Vulnerabilities Has Changed

Lesson
• Terrorism threats have increased significantly in the US and worldwide and will likely continue into at least the short-term future.

Recommendation
• Fundamental BCP concepts have remained the same, but terrorism threats and vulnerabilities have increased in importance, especially for the people and facilities of Fortune 500 companies and of public and private civil infrastructure organizations. Organizations should consider themselves at risk from a physical terrorist attack in order to improve readiness.


Slide 18: Desktop Software Offsite Backup

Lesson
• The World Trade Center offices did not contain many, if any, mainframe computers. Almost all of the systems affected were distributed client-server implementations. Many organizations did not store current versions of their desktop client-server software so that desktop networks could be rebuilt at an alternative site if necessary.

Recommendation
• To avoid delays in rebuilding desktop configurations, companies should step up their programs for storage and maintenance of desktop configuration software at appropriate offsite locations, and train operations personnel involved in recovery efforts in the most effective and efficient ways to rapidly rebuild time-critical desktop environments.


Slide 19: Unforeseen Indirect Threats and Vulnerabilities Demand Attention

Lesson
• The collateral impacts of the terrorist attacks have significantly affected almost all organizations in terms of airline shutdowns, economic downturns in the U.S. and world economies, etc., and the ripple effects of these impacts.

Recommendation
• Business continuity planning impact assessments should thoroughly consider value web and supply chain issues.