LB21: Effective Total Cost of Ownership Strategies for IT Compliance and Governance
David A. Cass, CISM, CISSP, PMP
Vice President, GTI Risk Management
JPMorgan Chase
GTI Risk Management
2
Agenda
Today’s IT Governance and Compliance Landscape
The Need for Total Cost of Ownership
The Need for Governance
The Need for Compliance
Today’s Risk Management Landscape
Business Risk and Resiliency
New Strategic Approaches Are Needed
Strategy #1 – The Efficiency/Effectiveness Framework
Strategy #2 – The Optimized Total Cost of Ownership
Strategy #3 – The Resiliency Risk Index (RRI)
Conclusions
The Current Landscape
When someone says Governance, Risk and Compliance – What keeps you up at night?
Today’s Technology Environment
Functions of Governance, Risk & Compliance are distributed across organizations
Manual processes
Lack of information sharing
Measuring IT Business Value and Risk remains immature
IT Value Delivery is part of good Governance:
Are we doing things right?
Are we realizing the benefits?
Are we effectively managing Risk?
Are we effectively managing Total Cost of Ownership?
The Goal
Effectively define, manage & monitor the business environment
Need to assess the triad of Risk, Resiliency and TCO in a consistent framework with consistent metrics
Need a centralized structure for oversight and still want risk & accountability distributed across the organization where it belongs
Deliver consistency, efficiency, and sustainability
As we define the new structure using a common language, we use the RRI as a method for prioritizing based on Value At Risk across the organization
The Need for Effective TCO
TCO provides a common unifying metric between Business Resiliency, Compliance and Operational Risk.
Effectiveness in these domains typically drives TCO higher
More stringent Recovery Time Objectives (4 hours or less) drive Business Resiliency solutions; for example, Business Recovery Facilities and mirrored backup solutions drive TCO higher.
Increased control objectives to reduce operational risk drive TCO higher. Considerations for mitigating obsolescence and data protection also drive TCO.
Strategy: seek optimal, not lowest, TCO, balancing risk, compliance and resiliency
The Need for Governance
Sustainable risk and resiliency management requires good governance.
Key components:
Alignment of IT Strategy with Business Strategy
Provide the organizational structure for implementing strategy & goals – Service Oriented Governance
Provide an IT control framework that can be broadly implemented
Need for integrated governance strategies, practices and processes
[Figure: the triad of Business Resiliency, Compliance and Operational Risk]
Today’s Governance Landscape
Drivers
Increased Regulatory Requirements
Need for effective Risk Management
Increased Accountability
Issues/Challenges
Defining IT Governance
Distributed Operations
Service Oriented Architecture
Distributed Accountability
Global Business Environment
Governance Frameworks
COSO – Committee of Sponsoring Organizations
CobiT – Control Objectives for Information and related Technology
Val IT – Framework to realize optimal value from IT enabled business investments
ITIL – IT Infrastructure Library
OCTAVE – Operationally Critical Threat, Asset and Vulnerability Evaluation
Benefits of a framework: Standards & Processes; Ability to objectively measure and optimize
The Need for Compliance
Transparency of business performance
Accountability of corporate officers
Key components:
Financial Reliability
Information Privacy
Operational Risk
Alignment of IT Strategy with Business Strategy
Shareholder confidence
Investor trust
Today’s Compliance Landscape
Drivers
Increased Regulatory Requirements
Need for effective Risk Management
Increased Accountability
Issues/Challenges
IT Governance
Distributed Operations
Change Management
Information Risk
TCO
Outside Service Providers
Compliance Landscape – Regulatory Requirements
Increased regulatory requirements demonstrate the need for Operational Risk Management in the IT environment.
Today’s Risk Management Landscape
Current Issues:
Reactive responses to presumed needs
Subjective resiliency objectives
Over-optimistic projection of recovery objectives
Decision makers need to assess the triad of Risk, Resiliency and Cost, and Compliance, in a consistent framework such as Val-IT
Risk Resiliency Index
Movement away from single solutions to solutions based on risk appetite
Need for Effective Governance
Challenges of Risk Management
Silos
Integrated testing
Limited use of Probability
Uniform/ Consistent Approach
Limited or no use of Quantitative tools
Issues with Risk Management
Integrated Testing – There is the need to look at testing as a more realistic event.
Limited use of probability analysis in testing
What are the extremes that could happen?
What is the risk of the extremes?
What is management’s appetite for risk? Especially low probability events that have high dollar impact.
Limited use of the quantitative tools available in the industry
Need for simulation based tools
Business Risk and Resiliency
Why?
Need to manage in complex environments
Need to understand your potential exposure
Potential source of competitive advantage
Business resilience programs:
Help companies protect their key resources: People, Systems, Data
Minimize the impact of outages and disruptions
Identify potential disruptions
Adapt when change occurs
Risk & Resiliency Drivers - Need for effective Cost Management
Major IT Risks in Financial Services firms:
Business Continuity
Outsourcing
IT Investment Management
Obsolescence
Exposure of sensitive & valuable information
Effective risk management meets the regulatory and governance requirements of your organization and demonstrates fiscal responsibility through the use of TCO.
New Strategic Approaches Are Needed
IT Governance and Compliance programs require new frameworks and metrics to truly understand cost benefits and risk
Optimized TCO (O-TCO)
The IT Efficiency/Effectiveness Framework
The Resiliency Risk Index (RRI)
Strategy #1
The IT Efficiency/Effectiveness Framework – understand the IT Environment
Strategic Questions posed by Val-IT
Are we managing our IT Investments such that:
We realize optimal value from our investments
At an affordable cost
With a known and acceptable level of risk
Source: The Val-IT Framework
The IT Efficiency/Effectiveness Framework
[Figure: framework diagram linking the RRI and O-TCO]
Strategy #2
The Optimized TCO Methodology
Standards Example – CobiT
DS 4 – Ensure Continuous Service
“An effective continuous service process minimizes the probability and impact of a major IT service interruption on key business functions and processes.”
Standards Example – Val IT
IM4 – Perform Alternative Analysis
“Select the course of action that has the highest potential value, at an acceptable level of risk”
IM7 – Identify Full Life Cycle Costs and Benefits
“Prepare a program budget that reflects the full lifecycle costs and financial and non-financial benefits…”
Optimized TCO (O-TCO) Strategy for IT
In today’s environment TCO is a key part of the strategic decision-making process at every level and is aligned to Governance and Compliance
A robust TCO capability allows for scenario development and forecasting
The concept of O-TCO balances Operational Risk, Compliance and Resiliency to find the “best value” solution
The O-TCO framework makes TCO the most important parameter against which effectiveness and efficiency over the lifecycle are evaluated
O-TCO provides a lifecycle measure of “best value” for strategic decisions
Optimized TCO Analysis Model – Framework
The Optimized TCO provides the essential “best value” framework for the strategic decision process
Strategy #3
The Resiliency Risk Index (RRI)
Sustainability and Risk Management
We regularly test our ability to recover the technology
What challenges and concerns do you face when testing your ability to recover the technology infrastructure?
Risk Management and CobiT
PO 9 – Assess and Manage IT Risks
“Create and maintain a risk management framework. The framework documents a common and agreed level of IT risks, mitigation strategies and agreed-upon residual risks.”
The Need for a New Metric – The RRI
Centralized Oversight & Distributed Accountability
Risk should be managed as a portfolio
Objective tool for measuring VaR (exposure)
Ability to Quantify the Likelihood of events
Use of Probability and Impact
Low probability events with High Impact
Use of Simulation to move away from single point estimation
Broader view of your environment
The Resiliency-Risk Index
Moving away from single solutions to solutions based on risk appetite.
Need for an objective tool to measure Value-At-Risk (VaR) or exposure
Legal / Regulatory Risk
Financial Risk
Reputation (customer) Risk
Need to consider the probability of an event occurring – and low probability events that have huge impact such as Hurricane Katrina.
Need to use simulation to enhance the Recovery Time Objective (RTO) methodology – Test RTO vs. Real World Impact
Develop a more realistic view of exposure during a real recovery event
[Figure: Value At Risk; GAP Analysis; Risk Analysis; Testing; Recovery Time Objective]
Incorporating Probability Into Risk Assessment
Why Add Risk Analysis to RTO?
Uncertainty is inherent in the testing process in relation to actual events
RTOs are derived from BIAs that are themselves estimates
Reliance on a single point RTO estimate is risky
The probability of a single point RTO estimate occurring is virtually zero
We need to consider the range of probabilities
RTO Established Risk Assessment
Reactive methodology to actual events exceeding RTO
Must understand the risk associated with potential actual events
Develop a profile of risk – and your risk tolerance
[Figure: BIA Established RTO; Testing Established RTO; Highest Expected RTO]
Incorporating Probability Into Risk Assessment
Working with the RRI
Once a risk threshold index is selected (e.g., VaR with probabilities over 60% not acceptable), decision makers can determine mitigation plans
The most common mitigation is to increase resiliency to reduce risk and recovery time
Requires a methodology to assess the cost of the current system plus added changes/modifications for resiliency
[Figure: Simulated VaR vs. Probability, with VaR $700K marked]
The RRI quantifies exposure (gap) if actual events exceed RTO
Developing The Index – Example
The Index is based on the confidence level of the established Value at Risk
The confidence levels are set in advance and will vary depending on tolerance to risk
Red/Amber/Green ratings assigned to the confidence levels
Using the index, the Value At Risk established by the Business Impact Analysis is plotted on the cumulative probability curve
The associated probability from the curve is the confidence level for the VaR
[Figure: Simulated VaR vs. Probability, with VaR $0, VaR $700K and VaR $1,500K marked]
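As an added worked example (not code from the deck or from JPMorgan Chase), the following Python script builds the index the slides describe: it simulates actual recovery times against the BIA-established RTO using a triangular distribution whose mode is the testing-established RTO and whose upper bound is the highest expected RTO, converts any overrun into a Value-at-Risk distribution, reads the cumulative probability (confidence level) for a given VaR figure, and assigns a Red/Amber/Green rating. The recovery profile, the $100K-per-hour loss rate and the choice of a triangular distribution are constructed assumptions; the 60% exceedance threshold is the deck's own example, while the 30% Amber boundary is an assumption.

```python
"""Resiliency Risk Index (RRI) worked example: simulate recovery time against
the BIA-established RTO, turn the shortfall into a Value-at-Risk distribution,
and read the confidence level (cumulative probability) for a given VaR figure.
All numbers below are constructed for illustration."""
import random
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryProfile:
    """Recovery-time assumptions for one business service (constructed)."""
    bia_rto_hours: float           # RTO established by the Business Impact Analysis
    best_case_hours: float         # fastest recovery observed in testing
    tested_rto_hours: float        # typical recovery time established by testing (the mode)
    highest_expected_hours: float  # worst credible outcome of a real event
    loss_per_hour: float           # financial exposure per hour beyond the BIA RTO


def simulate_losses(profile, trials=20_000, seed=7):
    """Monte Carlo: draw actual recovery times from a triangular distribution
    (best case, tested RTO as the mode, highest expected) and convert any
    shortfall against the BIA RTO into a dollar loss. Returns sorted losses."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        actual = rng.triangular(profile.best_case_hours,
                                profile.highest_expected_hours,
                                profile.tested_rto_hours)
        shortfall = max(0.0, actual - profile.bia_rto_hours)
        losses.append(shortfall * profile.loss_per_hour)
    losses.sort()
    return losses


def confidence_level(sorted_losses, var_figure):
    """Cumulative probability that the simulated loss does not exceed var_figure:
    the point on the cumulative curve that the BIA VaR is plotted against."""
    return bisect_right(sorted_losses, var_figure) / len(sorted_losses)


def rag_rating(confidence, red_exceedance=0.60, amber_exceedance=0.30):
    """Red/Amber/Green from the exceedance probability (1 - confidence).
    The 60% 'not acceptable' threshold is the deck's example; the 30% Amber
    boundary is an assumption that a firm would set from its risk appetite."""
    exceedance = 1.0 - confidence
    if exceedance > red_exceedance:
        return "RED"
    if exceedance > amber_exceedance:
        return "AMBER"
    return "GREEN"


def rri_curve(sorted_losses, var_points):
    """Confidence level and rating for each candidate VaR figure."""
    result = {}
    for v in var_points:
        conf = confidence_level(sorted_losses, v)
        result[v] = (conf, rag_rating(conf))
    return result


# Constructed example service: BIA says 4 h, tests typically recover in 6 h,
# a bad real-world event could take 24 h, and each hour past the RTO costs $100K.
EXAMPLE_PROFILE = RecoveryProfile(4.0, 3.0, 6.0, 24.0, 100_000.0)
EXAMPLE_LOSSES = simulate_losses(EXAMPLE_PROFILE)

if __name__ == "__main__":
    for var_figure, (conf, rating) in rri_curve(EXAMPLE_LOSSES, [0.0, 700_000.0, 1_500_000.0]).items():
        print(f"VaR ${var_figure / 1000:,.0f}K: confidence {conf:.1%} -> {rating}")
    p95 = EXAMPLE_LOSSES[int(0.95 * len(EXAMPLE_LOSSES))]
    print(f"95th percentile simulated loss: ${p95:,.0f}")
```

Running it prints the confidence level at $0, $700K and $1,500K, the three points labelled on the deck's chart. For the constructed profile, $700K sits near 55% confidence, so roughly 45% of simulated events overrun it (Amber), while $1,500K is above 90% (Green); the confidence at $0 is the probability that testing-established behaviour meets the BIA RTO at all, which here is under 2% and is exactly the gap the RRI is meant to expose.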
Extending the RRI – Cost Management of Resiliency
Gaps identified by the RRI require additional resiliency measures in IT Systems.
Good cost management practices require estimating and calculating ROI to add resiliency
A consistent methodology for modeling current IT infrastructure
Cost modeling must have the ability to assess:
“As-Is” vs. “To-Be” visualization
System of Systems Integration costs
Hardware and Software costs
Maintenance and Installation costs
Each estimated configuration is then tied to a VaR figure of merit to assess the cost impact
Requires a Cost Model to assess the Total Cost of Ownership for each Resiliency Option
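An added example (not the deck's or JPMorgan Chase's own model) of the cost model this slide calls for, in Python: each resiliency option carries hardware, software, installation, system-of-systems integration and annual maintenance costs plus a VaR figure of merit and an RTO-exceedance probability such as an RRI run would supply, and the selection rule applies the deck's "optimal, not lowest" TCO strategy by adding lifecycle expected loss and rejecting options outside the risk threshold. The option figures, the five-year lifecycle, the 20% annual event probability and the linear expected-loss model are constructed assumptions; the 60% threshold is the deck's example.

```python
"""O-TCO worked example: lifecycle cost of resiliency options, each tied to a
VaR figure of merit, with an 'optimal, not lowest' selection rule.
All option data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResiliencyOption:
    """One 'As-Is' or 'To-Be' configuration and its cost elements (constructed)."""
    name: str
    hardware: float
    software: float
    installation: float
    integration: float             # system-of-systems integration cost
    annual_maintenance: float
    var_figure: float              # VaR figure of merit, as an RRI run would supply
    exceedance_probability: float  # P(actual event overruns the RTO) from the RRI curve


def lifecycle_tco(option, years, discount_rate=0.0):
    """One-time hardware/software/installation/integration cost plus
    (optionally discounted) maintenance over the lifecycle."""
    one_time = option.hardware + option.software + option.installation + option.integration
    recurring = sum(option.annual_maintenance / (1 + discount_rate) ** y
                    for y in range(1, years + 1))
    return one_time + recurring


def lifecycle_expected_loss(option, years, annual_event_probability):
    """Exposure over the lifecycle (assumed linear model): each year a disruptive
    event occurs with annual_event_probability; when it does, the loss is the VaR
    weighted by the probability that recovery overruns the RTO."""
    return years * annual_event_probability * option.exceedance_probability * option.var_figure


def optimized_tco(option, years, annual_event_probability, discount_rate=0.0):
    """O-TCO figure of merit: lifecycle cost plus lifecycle expected loss."""
    return (lifecycle_tco(option, years, discount_rate)
            + lifecycle_expected_loss(option, years, annual_event_probability))


def cost_table(options, years, annual_event_probability, discount_rate=0.0):
    """'As-Is' vs. 'To-Be' comparison: TCO, expected loss and O-TCO per option."""
    return {o.name: {"tco": lifecycle_tco(o, years, discount_rate),
                     "expected_loss": lifecycle_expected_loss(o, years, annual_event_probability),
                     "o_tco": optimized_tco(o, years, annual_event_probability, discount_rate)}
            for o in options}


def select_option(options, years, annual_event_probability,
                  max_exceedance=0.60, discount_rate=0.0):
    """Pick the lowest O-TCO among options inside the risk threshold (the deck's
    example: exceedance over 60% is not acceptable). Raw TCO is deliberately
    not the criterion, so the cheapest configuration can lose."""
    acceptable = [o for o in options if o.exceedance_probability <= max_exceedance]
    if not acceptable:
        raise ValueError("no option meets the risk threshold; add resiliency")
    return min(acceptable,
               key=lambda o: optimized_tco(o, years, annual_event_probability, discount_rate))


# Constructed options: keep the current system, add a warm standby, or build a mirrored hot site.
OPTIONS = (
    ResiliencyOption("As-Is", 0, 0, 0, 0, 50_000, 1_500_000, 0.75),
    ResiliencyOption("Warm standby", 300_000, 100_000, 50_000, 100_000, 120_000, 700_000, 0.45),
    ResiliencyOption("Mirrored hot site", 900_000, 250_000, 150_000, 300_000, 350_000, 100_000, 0.10),
)
LIFECYCLE_YEARS = 5               # assumption
ANNUAL_EVENT_PROBABILITY = 0.2    # assumption: one disruptive event every five years on average

if __name__ == "__main__":
    for name, row in cost_table(OPTIONS, LIFECYCLE_YEARS, ANNUAL_EVENT_PROBABILITY).items():
        print(f"{name:18s} TCO ${row['tco']:>12,.0f}  expected loss ${row['expected_loss']:>12,.0f}"
              f"  O-TCO ${row['o_tco']:>12,.0f}")
    chosen = select_option(OPTIONS, LIFECYCLE_YEARS, ANNUAL_EVENT_PROBABILITY)
    print(f"Optimal (not lowest) TCO choice: {chosen.name}")
```

With the constructed figures the As-Is configuration has by far the lowest TCO ($250K over five years) but a 75% chance of overrunning the RTO, so it fails the threshold and carries the largest expected loss; the warm standby wins on O-TCO, and the hot site only becomes the choice when the firm tightens its tolerance (for example, `max_exceedance=0.2`). Discounting maintenance (`discount_rate`) and the event-probability assumption are the knobs a practitioner would replace with the firm's own planning figures and RRI output.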
RRI and TCO Toolset – Applications
Implementation of RRI algorithms and Total Cost of Ownership Estimating can be done with several different tools:
MS EXCEL, MathCad, TruePlanner
Risk Analysis: Crystal Ball, @RISK, Phoenix Integration Model Center 7.0, TruePlanner, Engineous iSIGHT
Optimization: MS Solver, Phoenix Integration Model Center 7.0, Engineous FiPER
Conclusions
Understand the IT Framework that you are applying
IT Effectiveness/Efficiency Framework
The concept of O-TCO balances Operational Risk, Compliance and Resiliency to find the “best value” solution
RRI allows you to quantify the risk tolerance of your organization.
Move away from single point testing
Confidence Interval gives you the likelihood of meeting the BIA generated RTO
Use of VaR allows you to prioritize investments based on exposure
Enterprise view of technology risk enhances the resiliency of the organization
Thank you
David A. Cass, CISM, CISSP, PMP
Vice President, GTI Risk Management
JPMorgan Chase
E-mail: [email protected]
Phone: (646) 510-3642