The Changing Face of Business Risk University of Houston Information Systems Research Center Dan Starta (Dan.Starta@ATKearney.Com) February 2002 Executive Summary

Presentation Transcript

The Changing Face of Business Risk

University of Houston

Information Systems Research Center

Dan Starta

(Dan.Starta@ATKearney.Com)

February 2002

Executive Summary
  • The recent terrorist attacks on the US have refocused business leaders and IT managers on business continuance, risk management and disaster recovery
    • The financial impact of disaster and security events runs into the billions of dollars each year, with greater than 90% of firms being impacted
    • Business Continuity and Security (BC&S) will continue as an executive focal point in the foreseeable future
  • Most enterprises have underinvested in Business Continuity and Security and will be forced to funnel increased funds into enhancing these areas
    • Investment is now expected to triple between 2000 and 2005
  • Strategic BC&S Planning enables organizations to avoid the pitfalls of overspending, protect the business and potentially enable new sources of value
    • BC&S should be a business driven initiative – IT is only part of the solution
    • A “one size fits all” approach to BC&S will overprotect non-critical assets and leave core business processes underprotected
    • As BC&S spend grows – smart investment can reduce costs while increasing protection to critical aspects of the business
    • The renewed focus on BC&S will accelerate the development of new technology enablers that have additional value potential for enterprise operations, customers and stakeholders
Topics for Today
  • The Landscape of Risk
  • Business Continuity and Security Planning
  • The Value of Planning
  • Approach
Our world is changing and creating new, unanticipated risks for businesses and technology

Businesses

People

Countries

In the last ten years, the risk profile of businesses has changed considerably

Timeline (not to scale): 1850, 1900, 1950, 1970, 1980, 1990, 2000

New risk profiles

Natural Disasters

Change in weather patterns caused by global warming

More frequent catastrophic weather events: El Nino floods, earthquakes, hurricane

Industrialization increases population density

Business Climate

Larger more concentrated targets

Increased concentration in industries

Global free trade zones (WTO, NAFTA, EU)

Economies of scale begin to be realized through centralized efficient manufacturing processes

Pervasive Technology

Increased connectivity enabled by the Internet

First commercially available computers

Information Target

Greater risk of independent threats

Political and Economic Unrest

End of Cold War

2nd and 3rd world political unrest

Bio Technologies

Fear of the unknown

Emergence of bio-technology

Terrorists begin to use bio-technology weapons

Reported Source of Computer Attacks 1997-2001

Chart: percentage of respondents by reported source (Foreign Governments, Foreign Corporations, US Corporations, Hackers, Insiders)

Source: Computer Security Institute

Worldwide economic damage caused by computer viruses at peak distribution

Chart (millions of US$): 1990 “Jerusalem”; 1995 “Concept”; 1999 “Melissa”; 2000 “Love Bug”

Source: Richard Power, Tangled Web

A majority of US citizens believe that corporations are too powerful for the good of the country

Are US corporations too powerful?
  • No Opinion: 7%
  • Disagree: 30%
  • Agree: 63%

Source: ABC News

Most industries fall into likely target categories for disruptive threat

Targets for Disruptive Threat
  • Core Producers
    • Automotive
    • Consumer Products
    • Healthcare
    • High Technology
    • Pharmaceuticals
    • Process Industries
  • Visibility
    • Entertainment
    • Gaming
    • Leisure
    • Media
    • Sports
  • Infrastructure
    • Oil & Gas
    • Telecommunications
    • Transportation
    • Utilities

Business Continuity & Security Planning is the response to threats, their impact and reaction

Threats

Potential Impacts

Reaction

Cost Increases

Revenue Reduction

New Opportunities

Disasters

Regulatory

Cyber

Customer Demand

Operations

Shareholder Value

Business Continuity & Security Planning

Risk Mitigation

Event Recovery

Cost Management

New Opportunities

Business Continuity & Security Planning

Business Continuity & Corporate Security can serve to protect the operations, assets and the brand of the enterprise

Definitions
  • Business Continuity: Process of developing proactive arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue without interruption or essential change
  • Corporate Security: Preventative actions that minimize threats and mitigate risks to physical and virtual assets that are critical to ongoing operations

Objectives
  • Operations
    • Continuity of critical operations
    • Minimize service interruptions
    • Ensure resumption of normal services
  • Assets
    • Preserve information assets
    • Minimize financial loss
    • Reduce risk profile
    • Ensure staff safety
  • Brand
    • Maintain public / customer confidence


As the level of technology, partnering and operational sophistication has increased, so have points of risk and failure across the business

Operational Business Model

  • Traditional business operations have become increasingly complex and susceptible to failure
  • System protection has typically not kept pace with business criticality
  • External connectivity and devices continue to proliferate and provide a point of entry for disruption

Diagram labels: Critical Administrative; HR; Finance; Legal; Training Center; Customers; Procurement; Warehouse; Sales; Supplier; Partner; Inventory Systems; Warehouse & Logistics; Sales Systems; Infrastructure; POS Devices; Portable Devices; Web Access

Current threats and trends are increasing the focus and need for a robust business continuity plan

Typical Threats
  • Natural Disasters
    • Fires
    • Floods
    • Tornadoes
    • Hurricanes
    • Earthquakes
    • Ice / Snow
  • Manmade Threats
    • Hackers
    • Viruses
    • Data integrity
    • Digital signatures
    • Legal / regulatory issues around data disruption
    • Terrorism

Significant Trends
  • Evolution of the extended enterprise
  • Mergers, Consolidation and Bankruptcy
  • Increasing Globalization
  • Dependency on information
  • Pervasive technology
  • Internet and public access to systems
  • Refinement of e-business regulatory environment
  • Self-service of the customer
Business leaders and IT managers have renewed their focus on business continuance, risk management and disaster recovery
  • Greater than 90% of firms are affected
    • The financial impact of disaster and security events runs into the billions of dollars
  • Most enterprises have underinvested
    • Additional budget will be forced to funnel into enhancing these areas in the coming years
  • Investment is now expected to triple between 2000 and 2005
Business Continuity and Corporate Security should focus on answering the tough questions
  • Protection and Risk
    • Is my business at risk? Where?
    • Can problems in my partners or customers put me at risk?
    • How do I protect my business … when I don’t know what to protect?
    • How much protection is enough?
  • Cost
    • How much will it cost … When can I stop spending?
  • Survival
    • If a disruption does occur will my business continue to operate? And survive?
    • Will you know what to do if a disruption does occur?
A fundamental issue in BC&SP is understanding the balance between costs, likelihood of a disruption and business impact

Disruption

Occurs

  • Likelihood
  • Magnitude

Event

Recovery Cost

Resume

Ops

  • Recovery Performance
  • Time to Recover
  • Scope of Recovery
  • Crisis Management

Normal

Ops

Protection Investment

  • Risk / Impact Profile
  • Service Requirements
  • Prevention / Preparation
  • Plan and response development
  • Scope of protection
  • Ongoing Incremental Expense

Business Impact

  • Lost Revenue
  • Customer / Partner Confidence
  • Regulatory / Legal Issues
By preventing risk through mitigation or by preparing for interruption you can lower the business’ risk profile

Risk Profile: Business Impact versus Likelihood of Risk (High Impact, High Risk)
  • Prevention: Reduces the likelihood of risk by proactively enhancing protection or redundancy
  • Preparation: Reduces the business impact by providing recovery options in the event of disruption

Keys to achieving value from a Business Continuity and Security Plan
  • Develop a plan and implement priority changes
    • With no tested plan 40% fail immediately, 8% survive 5 years
    • Cybercrime increased by a factor of 6 in the last 4 years
  • Prevent and mitigate problems in critical areas
    • Design business operations with interruptions in mind
    • Develop alternatives and redundancy where appropriate
  • Increase Preparedness Reaction
    • People must recognize the “signals” that failure is occurring
    • Training is key as people must know how to react
    • Plan development and crisis management preparedness are first steps
    • Communication and senior management support are key factors
Our approach examines the critical elements of risk and the value of business continuity to develop a balanced approach to preparedness

Business Continuity Program Management

Plan Development

Risk and Business Impact Analysis

Plan Implementation

Plan Testing

Extended Enterprise Preparedness

Security plan

Assess strategic value of business continuity & appropriate investment

Develop a pragmatic approach to preparedness and change

Validate and approve the plan

Deploy the plan


An initial assessment phase will result in an evolved understanding by the firm’s leaders of the strategic value of business continuity and security

Risk and Business Impact Analysis (6-8 Weeks)

Obligations & Dependencies

Business Impact Analysis

  • Assess customer, partner and supplier business obligation & dependencies
  • Review existing agreements
  • Assess regulatory requirements
  • Quantified impact
  • Interdependencies
  • Prioritized functions

Solution Strategy Report

Current Readiness

Prioritized Mission Critical Business Processes

Strategic

Priorities

  • Current readiness
  • Future state
  • Business Case
  • Improvement recommendations
  • Required continuity plans
  • Executive / leadership workshops
  • Review existing business continuity plans
  • Assess current plans
  • Determine initial gaps
  • Map strategic priorities to processes
  • Identify mission critical processes
  • Prioritize critical processes
  • Determine components and dependencies

Risk Assessment Mission Critical Business Processes

Alternate Solution Selection

  • Identify risk elements
  • Assess impact and likelihood of risk
  • Identify alternative methods for continuing critical functions
  • Assess strategic alternatives
A mix of business and technical resources is required to develop a comprehensive approach to BC&SP that focuses on business value
  • Business driven approach to business continuity and security
  • Combination of strategy, operations and technology expertise
  • Explore areas of privacy, security, fraud and risk management
  • Adopt a Life-cycle approach providing protection from ever-changing threats and vulnerabilities
  • Embed business continuity into new process and technology design

Business Continuity Program Management

Plan Development

Plan Implementation

Plan Testing

Risk and Business Impact Analysis

Extended Enterprise Preparedness

Security plan

Business Focus

Technical Focus