
Analyzing and managing reputational risk

Date post: 23-Jan-2015
Upload: dawn-simpson
Description:
What is the financial impact of damage to your reputation or brand? How well are you protecting your reputation? Learn about the connection between Business Continuity, Security and IT for protecting your reputation.
Analyzing and Managing Risk: Taking the plunge into Business Continuity Management
Dawn Simpson, CBCP, VP of Market Development
January 23, 2014
Transcript
Page 1: Analyzing and managing reputational risk


Page 2: Analyzing and managing reputational risk

Objectives

• Defining the Business Impact Analysis
• Examining risk:
  o Data supporting business risks and the role of IT
  o Financial and other impacts of risk
  o Examining “Reputational Risk”
  o Making the IT and Reputational Risk connection
  o Steps to take to strengthen your position
• Resources and References

Page 3: Analyzing and managing reputational risk

What is a BIA (Business Impact Analysis)?

The BIA should provide data to assess the organization's ability to:

• Eliminate or reduce the potential for injuries or the loss of human life.
• Create awareness of unique business threats.
• Develop a continuity action plan to bring the firm to “New Normalcy.”
• Upon completion of the initial BCP, immediately deliver real benefits to the organization.

The BIA helps you document and define the critical business functions, determine your unique threats, and identify how and what IT supports those critical business functions, so that you can prioritize and plan to mitigate the greatest risks first.

Page 4: Analyzing and managing reputational risk

IBM surveyed 2,316 business continuity and IT security professionals, asking respondents to evaluate the following list of common cost categories and threats.

Cost Categories

• Compliance and regulatory failure costs
• Reputation and brand damage
• Lost revenue due to system availability problems
• Lost productivity from downtime or system performance
• Forensics to determine root causes
• Technical support to restore systems

Threats

• Third-party failure of continuity or IT security
• Natural or manmade disaster
• Human error
• IT system failure
• Cyber security or data breach/data theft
• Data loss from backup or restore failure

Page 5: Analyzing and managing reputational risk

Results

Page 6: Analyzing and managing reputational risk
Page 7: Analyzing and managing reputational risk

Respondents apportioned total cost across the six cost categories, using a 100-point scale.

[Figure: allocation of 100 points each for Minor ($1M), Moderate ($4.3M) and Substantial ($14.3M), across Compliance and regulatory failure costs; Reputation and brand damage; Lost revenue due to system availability problems; Lost productivity from downtime or system performance; Forensics to determine root causes; and Technical support to restore systems. The categories are labelled as event-related impact and duration-related impact.]

Page 8: Analyzing and managing reputational risk

Examining a Common Threat: Reputational Risk

The economic value of a company’s reputation declines 29% as a result of an IT breach of customer data.*

The mitigation of reputational risk has a definable value.

• Can IT functionality (i.e., loss of email or data) or a security breach affect your brand value?
• How do you protect your brand reputation?
• Have you established strong integrated risk management (Business Continuity and Security) programs?

*Reputation Impact of a Data Breach: US Study of Executives & Managers, sponsored by Experian® Data Breach Resolution, Ponemon Institute, November 2011.

Page 9: Analyzing and managing reputational risk

Here’s what the BIG guys are saying…

IBM 2011 Annual Report – Item 1A “Risk Factors”

Cybersecurity and Privacy Considerations could impact the Company's Business:

The company's products, services, and systems may affect critical third party operations or involve the storage, processing and transmission of proprietary and sensitive or confidential data, including personal information of employees, customers and others. Breaches of security could expose the company, its customers or others to risk of loss… resulting in litigation and potential liability for the company, as well as the loss of existing or potential customers and damage to the company's brand and reputation. IBM has one of the strongest brand names in the world, and its brand and overall reputation could be negatively impacted by many factors… If the company's brand image is tarnished by negative perceptions, our ability to attract and retain customers could be impacted.

Source: http://www.ibm.com/annualreport/2011/bin/assets/2011_ibm_sec10k.pdf

Page 10: Analyzing and managing reputational risk

Making the reputation and IT risk connection

Incidents over the past 24 months that affected reputation and brand value (percentage of “yes” responses):

• Human error: 58%
• IT system failure: 67%
• Cyber security or data breach/data theft: 47%
• Data loss from backup or restore failure: 42%
• Natural or manmade disaster: 23%
• Third-party continuity or IT security failure: 19%

“IT risk management is reputation management.”

– IT security supervisor, US telecom company

Page 11: Analyzing and managing reputational risk

Relating it to the BIA

Example: IBM identified a trend that has become a threat to a critical business function – i.e. Brand Reputation

• Funding to protect reputation is required for success
• IT is a key safeguard to protecting against reputational harm
• The financial and reputational impact of the threat was determined and deemed a priority
• Upon identifying the functional priorities and the IT support in place, the company can determine if there are gaps to be mitigated based on financial and risk based data and organizational goals

Page 12: Analyzing and managing reputational risk

Reputation Recovery

In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors?

[Figure: share of respondents answering 0-6 months, 6-12 months and 12+ months for each IT risk factor: Website outage; System failure; Mobility (BYOD); Data loss; Inadequate continuity plans; Insufficient DR measures; New technology; Data breach; Compliance failure; Poor IT skills / tech support.]

Source: 2013 IBM Reputational Risk and IT Study, IBM and Economist Intelligence Unit

Page 13: Analyzing and managing reputational risk

Barriers to achieving highly effective business continuity and IT security management programs

Three key issues for organizational leadership to address

• Lack of strategy: 30% of respondents say their organizations do not have a strategy for business continuity or IT security management
• Inadequate funding: 37% say lack of funding is the leading barrier to success, followed by disruptive technologies and lack of expert or knowledgeable staff
• No clear ownership: 28% say the CIO has overall responsibility for ensuring that IT operations are not disrupted, followed by business unit leader (20%) and “no one person” (11%)

Page 14: Analyzing and managing reputational risk

What can you do now to address IT and reputational risk?

Be proactive — and be prepared to invest in IT controls

Create a collaborative environment — encourage executives, risk management specialists, and IT managers to work together

Use reputational risk as a justification for IT investment — and build a business case

Assess risk across the supply chain and confirm partners’ compliance with your standards

Consider outside help for an unbiased view of perception versus the reality of your risk exposure

Page 15: Analyzing and managing reputational risk

6 Simple Steps

Page 16: Analyzing and managing reputational risk

Resources and references used in this presentation

How well are you doing? Find out with the IBM Reputational Risk Index.

• Read the study findings report: ibm.com/services/riskstudy
• Read the IBM point of view: ibm.com/services/riskstudy
• Scan the code or go to www.ibmriskindex.com
• Engage with a consultant to discuss your risk exposures
• Visit these websites: www.DRII.org, www.drj.com

Your score: 129 out of 200

Page 17: Analyzing and managing reputational risk

Thank you

Dawn Simpson, CBCP
VP of Market Development
Trivalent Group
3145 Prairie St. | Grandville, MI 49418
616.301.6406

