The Changing Face of Business Risk
University of Houston Information Systems Research Center
Dan Starta (Dan.Starta@ATKearney.Com)
February 2002
Executive Summary
• The recent terrorist attacks on the US have re-focused business leaders and IT managers on business continuance, risk management and disaster recovery
• The financial impact of disaster and security events runs into the billions of dollars each year, with greater than 90% of firms being impacted
• Business Continuity and Security (BC&S) will continue as an executive focal point in the foreseeable future
• Most enterprises have underinvested in Business Continuity and Security and will be forced to funnel increased funds into enhancing these areas
• Investment is now expected to triple between 2000 and 2005
• Strategic BC&S planning enables organizations to avoid the pitfalls of overspending, protect the business and potentially enable new sources of value
• BC&S should be a business-driven initiative – IT is only part of the solution
• A “one size fits all” approach to BC&S will overprotect non-critical assets and leave core business processes underprotected
• As BC&S spend grows, smart investment can reduce costs while increasing protection of the critical aspects of the business
• The renewed focus on BC&S will accelerate the development of new technology enablers that have additional value potential for enterprise operations, customers and stakeholders
Topics for Today
• The Landscape of Risk
• Business Continuity and Security Planning
• The Value of Planning
• Approach
Our world is changing and creating new, unanticipated risks for businesses and technology
(Figure: Businesses, People, Countries)
In the last ten years, the risk profile of businesses has changed considerably
(Timeline, not to scale: 1850, 1900, 1950, 1970, 1980, 1990, 2000; each category ends with its new risk profile)
• Natural Disasters
  – Industrialization increases population density
  – Change in weather patterns caused by global warming
  – New risk profile: more frequent catastrophic weather events (El Niño floods, earthquakes, hurricanes)
• Business Climate
  – Economies of scale begin to be realized through centralized, efficient manufacturing processes
  – Global free trade zones (WTO, NAFTA, EU)
  – Increased concentration in industries
  – New risk profile: larger, more concentrated targets
• Pervasive Technology
  – First commercially available computers
  – Increased connectivity enabled by the Internet
  – New risk profile: information as a target
• Political and Economic Unrest
  – End of Cold War
  – 2nd and 3rd world political unrest
  – New risk profile: greater risk of independent threats
• Bio Technologies
  – Emergence of bio-technology
  – Terrorists begin to use bio-technology weapons
  – New risk profile: fear of the unknown
Reported Source of Computer Attacks, 1997-2001
(Chart: percentage of respondents naming each source – Foreign Governments, Foreign Corporations, US Corporations, Hackers, Insiders)
Source: Computer Security Institute
Worldwide economic damage caused by computer viruses at peak distribution
(Chart, millions of US$: 1990 “Jerusalem”, 1995 “Concept”, 1999 “Melissa”, 2000 “Love Bug”)
Source: Richard Power, Tangled Web
A majority of US citizens believe that corporations are too powerful for the good of the country
Are US corporations too powerful?
• Agree: 63%
• Disagree: 30%
• No opinion: 7%
Source: ABC News
Most industries fall into likely target categories for disruptive threat
Targets for Disruptive Threat
• Core Producers: Automotive, Consumer Products, Healthcare, High Technology, Pharmaceuticals, Process Industries
• Visibility: Entertainment, Gaming, Leisure, Media, Sports
• Infrastructure: Oil & Gas, Telecommunications, Transportation, Utilities
Business Continuity & Security Planning is the response to threats, their impact and reaction
• Threats: Disasters, Regulatory, Cyber, Customer Demand
• Potential Impacts: Cost Increases, Revenue Reduction, New Opportunities, Operations, Shareholder Value
• Reaction – Business Continuity & Security Planning: Risk Mitigation, Event Recovery, Cost Management, New Opportunities
Business Continuity & Security Planning
Business Continuity & Corporate Security can serve to protect the operations, assets and the brand of the enterprise
Definitions
• Business Continuity: the process of developing proactive arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue without interruption or essential change
• Corporate Security: preventative actions that minimize threats and mitigate risks to physical and virtual assets that are critical to ongoing operations
Objectives
• Operations: continuity of critical operations; minimize service interruptions; ensure resumption of normal services
• Assets: preserve information assets; minimize financial loss; reduce risk profile; ensure staff safety
• Brand: maintain public / customer confidence
As the level of technology, partnering and operational sophistication has increased, so have the points of risk and failure across the business
Operational Business Model
• Traditional business operations have become increasingly complex and susceptible to failure
• System protection has typically not kept pace with business criticality
• External connectivity and devices continue to proliferate and provide points of entry for disruption
(Figure: critical administrative functions – HR, Finance, Legal, Training Center; parties – Customers, Supplier, Partner; functions – Procurement, Warehouse, Sales; systems – Inventory Systems, Warehouse & Logistics, Sales Systems, Infrastructure; devices – POS Devices, Portable Devices, Web Access)
Current threats and trends are increasing the focus on, and need for, a robust business continuity plan
Typical Threats
• Natural Disasters: fires, floods, tornadoes, hurricanes, earthquakes, ice / snow
• Manmade Threats: hackers, viruses, data integrity, digital signatures, legal / regulatory issues around data disruption, terrorism
Significant Trends
• Evolution of the extended enterprise
• Mergers, consolidation and bankruptcy
• Increasing globalization
• Dependency on information
• Pervasive technology
• Internet and public access to systems
• Refinement of the e-business regulatory environment
• Self-service of the customer
Business leaders and IT managers have renewed their focus on business continuance, risk management and disaster recovery
• Greater than 90% of firms are affected
• The financial impact of disaster and security events runs into the billions of dollars
• Most enterprises have underinvested
• Additional budget will have to be funneled into enhancing these areas in the coming years
• Investment is now expected to triple between 2000 and 2005
Business Continuity and Corporate Security should focus on answering the tough questions
• Protection and Risk
  – Is my business at risk? Where?
  – Can problems in my partners or customers put me at risk?
  – How do I protect my business … when I don’t know what to protect?
  – How much protection is enough?
• Cost
  – How much will it cost … When can I stop spending?
• Survival
  – If a disruption does occur, will my business continue to operate? And survive?
  – Will you know what to do if a disruption does occur?
A fundamental issue in BC&SP is understanding the balance between costs, likelihood of a disruption and business impact
(Figure: Normal Ops → Disruption Occurs → Event Recovery Cost → Resume Ops)
• Protection Investment (during normal operations): risk / impact profile; service requirements; prevention / preparation; plan and response development; scope of protection; ongoing incremental expense
• Disruption Occurs: likelihood; magnitude
• Event Recovery Cost: recovery performance; time to recover; scope of recovery; crisis management
• Business Impact: lost revenue; customer / partner confidence; regulatory / legal issues
By preventing risk through mitigation or by preparing for interruption you can lower the business’ risk profile
(Figure: risk profile plotted as Business Impact against Likelihood of Risk; the high-impact, high-likelihood quadrant is the target)
• Prevention: reduces the likelihood of risk by proactively enhancing protection or redundancy
• Preparation: reduces the business impact by providing recovery options in the event of disruption
Keys to achieving value from a Business Continuity and Security Plan
• Develop a plan and implement priority changes
  – With no tested plan, 40% of firms fail immediately and 8% survive 5 years
  – Cybercrime increased by a factor of 6 in the last 4 years
• Prevent and mitigate problems in critical areas
  – Design business operations with interruptions in mind
  – Develop alternatives and redundancy where appropriate
• Increase preparedness and reaction
  – People must recognize the “signals” that failure is occurring
  – Training is key, as people must know how to react
  – Plan development and crisis management preparedness are first steps
  – Communication and senior management support are key factors
Our approach examines the critical elements of risk and the value of business continuity to develop a balanced approach to preparedness
Business Continuity Program Management (spanning Extended Enterprise Preparedness and the Security plan)
• Risk and Business Impact Analysis: assess the strategic value of business continuity and the appropriate investment
• Plan Development: develop a pragmatic approach to preparedness and change
• Plan Testing: validate and approve the plan
• Plan Implementation: deploy the plan
An initial assessment phase will result in an evolved understanding by the firm’s leaders of the strategic value of business continuity and security
Risk and Business Impact Analysis (6-8 weeks)
• Obligations & Dependencies: assess customer, partner and supplier business obligations and dependencies; review existing agreements; assess regulatory requirements
• Business Impact Analysis: quantified impact; interdependencies; prioritized functions
• Current Readiness: executive / leadership workshops; review existing business continuity plans; assess current plans; determine initial gaps
• Strategic Priorities: map strategic priorities to processes; identify mission critical processes; prioritize critical processes; determine components and dependencies (output: prioritized mission critical business processes)
• Risk Assessment: identify risk elements; assess impact and likelihood of risk
• Alternate Solution Selection: identify alternative methods for continuing critical functions; assess strategic alternatives
• Solution Strategy Report: current readiness; future state; business case; improvement recommendations; required continuity plans
A mix of business and technical resources is required to develop a comprehensive approach to BC&SP that focuses on business value
• Business-driven approach to business continuity and security
• Combination of strategy, operations and technology expertise
• Explore areas of privacy, security, fraud and risk management
• Adopt a life-cycle approach providing protection from ever-changing threats and vulnerabilities
• Embed business continuity into new process and technology design
(Figure: Business Continuity Program Management over Risk and Business Impact Analysis, Plan Development, Plan Testing and Plan Implementation, with Extended Enterprise Preparedness and the Security plan; workstreams range from Business Focus to Technical Focus)