LB21: Effective Total Cost of Ownership Strategies for IT Compliance and Governance

David A. Cass, CISM, CISSP, PMP

Vice President, GTI Risk Management

JPMorgan Chase

LB21: Effective Total Cost of Ownership Strategies for IT ...download.101com.com/pub/cpm/files/LB21Cass.pdf · GTI Risk Management 7 The Need for Governance Sustainable risk and resiliency




Agenda

Today’s IT Governance and Compliance Landscape

The Need for Total Cost of Ownership

The Need for Governance

The Need for Compliance

Today’s Risk Management Landscape

Business Risk and Resiliency

New Strategic Approaches Are Needed

Strategy #1 - The Efficiency/Effectiveness Framework

Strategy #2 - The Optimized Total Cost of Ownership

Strategy #3 - The Resiliency Risk Index (RRI)

Conclusions


The Current Landscape

When someone says Governance, Risk and Compliance – What keeps you up at night?


Today’s Technology Environment

Functions of Governance, Risk & Compliance are distributed across organizations

Manual processes

Lack of information sharing

Measuring IT Business Value and Risk remains immature

IT Value Delivery is part of good Governance

Are we doing things right?

Are we realizing the benefits?

Are we effectively managing Risk?

Are we effectively managing Total Cost of Ownership?


The Goal

Effectively define, manage & monitor the business environment

Need to assess the triad of Risk, Resiliency and TCO in a consistent framework with consistent metrics

Need a centralized structure for oversight and still want risk & accountability distributed across the organization where it belongs

Deliver consistency, efficiency, and sustainability

As we define the new structure using a common language we use the RRI as a method for prioritizing based on Value At Risk across the organization


The Need for Effective TCO

TCO provides a common unifying metric between Business Resiliency, Compliance and Operational Risk.

Effectiveness in these domains typically drives TCO higher

More stringent Recovery Time Objectives (4 hours or less) drive Business Resiliency solutions. For example, Business Recovery Facilities and mirrored backup solutions drive TCO higher.

Increased control objectives to reduce operational risk drive TCO higher. Considerations for mitigating obsolescence and data protection also drive TCO.

Strategy: Seek optimal, not lowest, TCO, balancing risk, compliance and resiliency


The Need for Governance

Sustainable risk and resiliency management requires good governance.

Key components:

Alignment of IT Strategy with Business Strategy

Provide the organizational structure for implementing strategy & goals (Service Oriented Governance)

Provide an IT control framework that can be broadly implemented

Need for integrated governance strategies, practices and processes

Diagram: Business Resiliency, Compliance, Operational Risk


Today’s Governance Landscape

Drivers

Increased Regulatory Requirements

Need for effective Risk Management

Increased Accountability

Issues/Challenges

Defining IT Governance

Distributed Operations

Service Oriented Architecture

Distributed Accountability

Global Business Environment


Governance Frameworks

COSO – Committee of Sponsoring Organizations

CobiT – Control Objectives for Information and related Technology

Val IT – Framework to realize optimal value from IT enabled business investments

ITIL – IT Infrastructure Library

OCTAVE – Operationally Critical Threat, Asset and Vulnerability Evaluation

Benefits of a framework: Standards & Processes; ability to objectively measure and optimize


The Need for Compliance

Transparency of business performance

Accountability of corporate officers

Key components:

Financial Reliability

Information Privacy

Operational Risk

Alignment of IT Strategy with Business Strategy

Shareholder confidence

Investor trust


Today’s Compliance Landscape

Drivers

Increased Regulatory Requirements

Need for effective Risk Management

Increased Accountability

Issues/Challenges

IT Governance

Distributed Operations

Change Management

Information Risk

TCO

Outside Service Providers


Compliance Landscape – Regulatory Requirements

Increased Regulatory Requirements demonstrate the need for use of Operational Risk Management in the IT Environment.


Today’s Risk Management Landscape

Current Issues:

Reactive responses to presumed needs

Subjective resiliency objectives

Over-optimistic projection of recovery objectives

Decision makers need to assess the triad of Risk, Resiliency and Cost, and Compliance, in a consistent framework such as Val IT

Risk Resiliency Index

Movement away from single solutions to solutions based on risk appetite

Need for Effective Governance


Challenges of Risk Management

Silos

Integrated testing

Limited use of Probability

Uniform/ Consistent Approach

Limited or no use of Quantitative tools


Issues with Risk Management

Integrated Testing – There is the need to look at testing as a more realistic event.

Limited use of probability analysis in testing

What are the extremes that could happen?

What is the risk of the extremes?

What is management’s appetite for risk? Especially low probability events that have high dollar impact.

Limited use of quantitative tools in the industry

Need for simulation based tools


Business Risk and Resiliency

Why?

Need to manage in complex environments

Need to understand your potential exposure

Potential source of competitive advantage

Business resilience programs:

Help companies protect their key resources: People, Systems, Data

Minimize the impact of outages and disruptions

Identify potential disruptions

Adapt when change occurs


Risk & Resiliency Drivers - Need for effective Cost Management

Major IT Risks in Financial Services firms:

Business Continuity

Outsourcing

IT Investment Management

Obsolescence

Exposure of sensitive & valuable information

Effective risk management meets the regulatory and governance requirements of your organization and demonstrates fiscal responsibility through the use of TCO.


New Strategic Approaches Are Needed

IT Governance and Compliance programs require new frameworks and metrics to truly understand cost benefits and risk

Optimized TCO (O-TCO)

The IT Efficiency/Effectiveness Framework

The Resiliency Risk Index (RRI)


Strategy #1

The IT Efficiency/Effectiveness Framework – understand the IT Environment

Effective Total Cost of Ownership Strategies for IT Compliance and Governance


Strategic Questions posed by Val-IT

Are we managing our IT Investments such that:

We realize optimal value from our investments

At an affordable cost

With a known and acceptable level of risk

Source: The Val-IT Framework


The IT Efficiency/Effectiveness Framework

Diagram: RRI, O-TCO


Strategy #2

The Optimized TCO Methodology

Effective Total Cost of Ownership Strategies for IT Compliance and Governance


Standards Example – CobiT

DS 4 – Ensure Continuous Service

“An effective continuous service process minimizes the probability and impact of a major IT service interruption on key business functions and processes.”


Standards Example – Val IT

IM4 – Perform Alternative Analysis

“Select the course of action that has the highest potential value, at an acceptable level of risk”

IM7 – Identify Full Life Cycle Costs and Benefits

“Prepare a program budget that reflects the full lifecycle costs and financial and non-financial benefits…”


Optimized TCO (O-TCO) Strategy for IT

In today’s environment, TCO is a key part of the strategic decision-making process at every level and is aligned to Governance and Compliance

A robust TCO capability allows for scenario development and forecasting

The concept of O-TCO balances Operational Risk, Compliance and Resiliency to find the “best value” solution

The O-TCO framework makes TCO the most important parameter against which effectiveness and efficiency over the lifecycle are evaluated

O-TCO provides a lifecycle measure of “best value” for strategic decisions


Optimized TCO Analysis Model – Framework

The Optimized TCO provides the essential “best value” framework for the strategic decision process


Strategy #3

The Resiliency Risk Index (RRI)

Effective Total Cost of Ownership Strategies for IT Compliance and Governance


Sustainability and Risk Management

We regularly test our ability to recover the technology

What challenges and concerns do you face when testing your ability to recover the technology infrastructure?


Risk Management and CobiT

PO 9 – Assess and Manage IT Risks

“Create and maintain a risk management framework. The framework documents a common and agreed level of IT risks, mitigation strategies and agreed-upon residual risks.”


The Need for a New Metric – The RRI

Centralized Oversight & Distributed Accountability

Risk should be managed as a portfolio

Objective tool for measuring VaR (exposure)

Ability to Quantify the Likelihood of events

Use of Probability and Impact

Low probability events with High Impact

Use of Simulation to move away from single point estimation

Broader view of your environment


The Resiliency-Risk Index

Moving away from single solutions to solutions based on risk appetite.

Need for an objective tool to measure Value-At-Risk (VaR) or exposure

Legal / Regulatory Risk

Financial Risk

Reputation (customer) Risk

Need to consider the probability of an event occurring – and low probability events that have huge impact such as Hurricane Katrina.

Need to use simulation to enhance the Recovery Time Objective (RTO) methodology – Test RTO vs. Real World Impact

Develop a more realistic view of exposure during a real recovery event

Diagram: Value At Risk, GAP Analysis, Risk Analysis, Testing, Recovery Time Objective


Incorporating Probability Into Risk Assessment


Why Add Risk Analysis to RTO?

Uncertainty is inherent in the testing process in relation to actual events

RTOs are derived from BIAs that are themselves estimates

Reliance on a single point RTO estimate is risky

The probability of a single point RTO estimate occurring is virtually zero

We need to consider the range of probabilities


RTO Established Risk Assessment

Reactive Methodology to actual events exceeding RTO

Must understand the risk associated with potential actual events

Develop a profile of risk – and your risk tolerance

Diagram: Highest Expected RTO, Testing Established RTO, BIA Established RTO


Incorporating Probability Into Risk Assessment


Working with the RRI

Once a risk threshold index is selected (e.g., VaR with probabilities over 60% not acceptable), then decision makers can determine mitigation plans

Most common mitigation is to increase resiliency to reduce risk and recovery time

Requires a methodology to assess the cost of the current system plus added changes/modifications for resiliency

Chart: Simulated VaR vs. Probability (VaR $700K)

The RRI quantifies exposure (gap) if actual events exceed RTO


Developing The Index - Example

The Index is based on the confidence level of the established Value at Risk

The confidence levels are set in advance and will vary depending on tolerance to risk

Red/Amber/Green ratings assigned to the confidence levels

Using the index, the Value At Risk established by the Business Impact Analysis is plotted on the cumulative probability curve

The associated probability from the curve is the confidence level for the VaR

Chart: Simulated VaR vs. Probability (VaR $0, VaR $700K, VaR $1,500K)
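As an added worked example (not code from the deck or from JPMorgan Chase), the RRI read-out the last two slides describe: a Monte Carlo simulation replaces the single-point RTO estimate, the BIA-established VaR is plotted on the cumulative probability curve of simulated exposure to obtain its confidence level, and a Red/Amber/Green rating is assigned from preset thresholds. The lognormal recovery-time distribution, the 80% Green floor and all hour/dollar inputs are assumptions; the 4-hour RTO, the $700K VaR and the 60% exceedance threshold are the figures the slides use.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RecoveryScenario:
    """Inputs taken from the Business Impact Analysis (BIA). All values are constructed for the example."""
    rto_hours: float              # Recovery Time Objective established by the BIA
    impact_per_hour: float        # dollars lost per hour of outage beyond the RTO
    median_recovery_hours: float  # centre of the simulated *actual* recovery time (assumption)
    spread: float                 # sigma of the lognormal; larger = fatter low-probability, high-impact tail


def exposure(scenario: RecoveryScenario, actual_hours: float) -> float:
    """Exposure (the 'gap' on the slide) for one event: loss accrues only for recovery time beyond the RTO."""
    gap_hours = max(0.0, actual_hours - scenario.rto_hours)
    return gap_hours * scenario.impact_per_hour


def simulate_exposures(scenario: RecoveryScenario, n: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo replacement for a single-point RTO: draw actual recovery times and score each as an exposure.
    A lognormal recovery time is an assumption chosen because it has the long-recovery tail the slides warn about."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_recovery_hours)
    return [exposure(scenario, rng.lognormvariate(mu, scenario.spread)) for _ in range(n)]


def confidence_level(exposures: list, bia_var: float) -> float:
    """Read the cumulative probability curve at the BIA-established VaR: P(simulated exposure <= bia_var)."""
    return sum(1 for e in exposures if e <= bia_var) / len(exposures)


def var_at_confidence(exposures: list, confidence: float) -> float:
    """Inverse read of the same curve: the exposure that is not exceeded with the given probability."""
    ordered = sorted(exposures)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


def rag_rating(confidence: float, amber_floor: float = 0.40, green_floor: float = 0.80) -> str:
    """Red/Amber/Green from the confidence level. Red below 40% confidence mirrors the slide's example
    threshold (a VaR with more than a 60% chance of being exceeded is not acceptable); the 80% Green floor is assumed."""
    if confidence >= green_floor:
        return "Green"
    if confidence >= amber_floor:
        return "Amber"
    return "Red"


def assess(scenario: RecoveryScenario, bia_var: float, n: int = 10_000, seed: int = 1) -> dict:
    """Full RRI read-out for one system: confidence level, exceedance probability and rating for the BIA VaR,
    plus the exposure figure a decision maker would have to accept to reach the Green floor."""
    exposures = simulate_exposures(scenario, n, seed)
    confidence = confidence_level(exposures, bia_var)
    return {
        "confidence": confidence,
        "exceedance": 1.0 - confidence,
        "rating": rag_rating(confidence),
        "var_at_80pct": var_at_confidence(exposures, 0.80),
    }


if __name__ == "__main__":
    # Constructed example: 4-hour RTO (the slide's stringent tier), $100K/hour impact, BIA VaR of $700K.
    scenario = RecoveryScenario(rto_hours=4, impact_per_hour=100_000, median_recovery_hours=5, spread=0.6)
    print(assess(scenario, bia_var=700_000))
```

Raising `median_recovery_hours` or `spread` while holding the BIA VaR fixed lowers the confidence level, which is how the index exposes a gap between the tested RTO and a realistic recovery event.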


Extending the RRI – Cost Management of Resiliency

Gaps identified by the RRI require additional resiliency measures in IT Systems.

Good cost management practices require estimating and calculating ROI to add resiliency

A consistent methodology for modeling current IT infrastructure

Cost modeling must have the ability to assess:

“As-Is” vs. “To-Be” visualization

System of Systems Integration costs

Hardware and Software costs

Maintenance and Installation costs

Each estimated configuration is then tied to a VaR figure of merit to assess the cost impact

Requires a Cost Model to assess the Total Cost of Ownership for each Resiliency Option


RRI and TCO Toolset – Applications

Implementation of RRI algorithms and Total Cost of Ownership Estimating can be done with several different tools:

MS EXCEL

MathCad

TruePlanner

Risk Analysis: Crystal Ball, @RISK, Phoenix Integration Model Center 7.0, TruePlanner, Engineous iSIGHT

Optimization: MS Solver, Phoenix Integration Model Center 7.0, Engineous FiPER


Conclusions

Understand the IT Framework that you are applying

IT Effectiveness/Efficiency Framework

The concept of O-TCO balances Operational Risk, Compliance and Resiliency to find the “best value” solution

RRI allows you to quantify the risk tolerance of your organization.

Move away from single point testing

Confidence Interval gives you the likelihood of meeting the BIA generated RTO

Use of VaR allows you to prioritize investments based on exposure

Enterprise view of technology risk enhances the resiliency of the organization


Thank you

David A. Cass, CISM, CISSP, PMP

Vice President, GTI Risk Management

JPMorgan Chase

E-mail: [email protected]

Phone: (646) 510-3642