Date post: 23-Jan-2015 | Upload: dawn-simpson
Analyzing and Managing Risk: Taking the plunge into Business Continuity Management
Dawn Simpson, CBCP, VP of Market Development
January 23, 2014
Objectives
• Defining the Business Impact Analysis
• Examining risk:
o Data supporting business risks and the role of IT
o Financial and other impacts of risk
o Examining “Reputational Risk”
o Making the IT and Reputational Risk connection
o Steps to take to strengthen your position
• Resources and References
What is a BIA (Business Impact Analysis)?
The BIA should provide data to assess the organization's ability to:
• Eliminate or reduce the potential for injuries or the loss of human life.
• Create awareness of unique business threats.
• Develop a continuity action plan to bring the firm to “New Normalcy.”
• Upon completion of the initial BCP, immediately deliver real benefits to the organization.
The BIA helps you document and define the critical business functions, determine your unique threats, and identify how and what IT supports those critical business functions, so that you can prioritize and plan to mitigate the greatest risks first.
IBM surveyed 2,316 business continuity and IT security professionals, asking respondents to evaluate the following list of common cost categories and threats.
Cost Categories
• Compliance and regulatory failure costs
• Reputation and brand damage
• Lost revenue due to system availability problems
• Lost productivity from downtime or system performance
• Forensics to determine root causes
• Technical support to restore systems
Threats
• Third-party failure of continuity or IT security
• Natural or manmade disaster
• Human error
• IT system failure
• Cyber security or data breach/data theft
• Data loss from backup or restore failure
Results
Respondents apportioned total cost across the six cost categories, using a 100-point scale, for a minor ($1M), moderate ($4.3M) and substantial ($14.3M) incident. The chart groups the first three categories as event-related impact and the last three as duration-related impact; each column sums to 100 points (before rounding).

Cost category                                          Minor ($1M)   Moderate ($4.3M)   Substantial ($14.3M)
Event-related impact
  Compliance and regulatory failure costs                   35              36                   15
  Reputation and brand damage                               25              20                    9
  Lost revenue due to system availability problems          28              17                    7
Duration-related impact
  Lost productivity from downtime or system performance      2              11                   37
  Forensics to determine root causes                         4              12                   22
  Technical support to restore systems                       5               4                   10
Total                                                   100 points      100 points           100 points
Examining a Common Threat: Reputational Risk
The economic value of a company’s reputation declines 29% as a result of an IT breach of customer data.*
The mitigation of reputational risk has a definable value.
• Can IT functionality (i.e., loss of email or data) or a security breach affect your brand value?
• How do you protect your brand reputation?
• Have you established strong integrated risk management (Business Continuity and Security) programs?
*Reputation Impact of a Data Breach: US Study of Executives & Managers, sponsored by Experian® Data Breach Resolution, Ponemon Institute, November 2011.
Here’s what the BIG guys are saying…
IBM 2011 Annual Report – Item 1A “Risk Factors”
Cybersecurity and Privacy Considerations could impact the Company's Business:
The company's products, services, and systems may affect critical third party operations or involve the storage, processing and transmission of proprietary and sensitive or confidential data, including personal information of employees, customers and others. Breaches of security could expose the company, its customers or others to risk of loss… resulting in litigation and potential liability for the company, as well as the loss of existing or potential customers and damage to the company's brand and reputation. IBM has one of the strongest brand names in the world, and its brand and overall reputation could be negatively impacted by many factors… If the company's brand image is tarnished by negative perceptions, our ability to attract and retain customers could be impacted.
Source: http://www.ibm.com/annualreport/2011/bin/assets/2011_ibm_sec10k.pdf
Making the reputation and IT risk connection
Incidents over the past 24 months that affected reputation and brand value (percentage of “yes” responses):
• Human error: 58%
• IT system failure: 67%
• Cyber security or data breach/data theft: 47%
• Data loss from backup or restore failure: 42%
• Natural or manmade disaster: 23%
• Third-party continuity or IT security failure: 19%
“IT risk management is reputation management.”
– IT security supervisor, US telecom company
Relating it to the BIA
Example (IBM):
1. IBM identified a trend that has become a threat to a critical business function, i.e. Brand Reputation.
2. Funding to protect reputation is required for success.
3. IT is a key safeguard to protecting against reputational harm.
4. The financial and reputational impact of the threat was determined and deemed a priority.
5. Upon identifying the functional priorities and the IT support in place, the company can determine if there are gaps to be mitigated, based on financial and risk-based data and organizational goals.
Reputation Recovery
In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors?
[Chart: percentage of respondents answering 0-6 months, 6-12 months, or 12+ months for each IT risk factor below. For every factor, a majority (54% to 71%) reported recovery within 0-6 months; the remainder split between 6-12 months and 12+ months.]
• Website outage
• System failure
• Mobility (BYOD)
• Data loss
• Inadequate continuity plans
• Insufficient DR measures
• New technology
• Data breach
• Compliance failure
• Poor IT skills / tech support
Source: 2013 IBM Reputational Risk and IT Study, IBM and Economist Intelligence Unit
Barriers to achieving highly effective business continuity and IT security management programs
Three key issues for organizational leadership to address:
• Lack of strategy: 30% of respondents say their organizations do not have a strategy for business continuity or IT security management
• Inadequate funding: 37% say lack of funding is the leading barrier to success, followed by disruptive technologies and lack of expert or knowledgeable staff
• No clear ownership: 28% say the CIO has overall responsibility for ensuring that IT operations are not disrupted, followed by business unit leader (20%) and “no one person” (11%)
What can you do now to address IT and reputational risk?
6 Simple Steps
• Be proactive, and be prepared to invest in IT controls
• Create a collaborative environment: encourage executives, risk management specialists, and IT managers to work together
• Use reputational risk as a justification for IT investment, and build a business case
• Assess risk across the supply chain and confirm partners’ compliance with your standards
• Consider outside help for an unbiased view of perception versus the reality of your risk exposure
How well are you doing? Find out with the IBM Reputational Risk Index
• Read the study findings report: ibm.com/services/riskstudy
• Take the index: scan the code or go to www.ibmriskindex.com (sample result shown: “Your score: 129 out of 200”)
• Read the IBM point of view: ibm.com/services/riskstudy
• Engage with a consultant to discuss your risk exposures
Resources and references used in this presentation
• www.DRII.org
• www.drj.com
Thank you
Dawn Simpson, CBCP, VP of Market Development
Trivalent Group, 3145 Prairie St., Grandville, MI 49418
616.301.6406 | [email protected]