Post on 16-Jul-2020
Strategic Risk Management: Beyond the Balance Sheet
Security and Business Resiliency
Six keys to effective reputational and IT risk management
Judith Purves, Chief Financial Officer, IBM Canada
June 6, 2013
Key Business issues driving growth in Risk Investments
People and devices are sharing information more than ever before
The unprecedented explosion of data growth (90% of the world’s data was created over the last 2 years) has put exceptional pressures on the storage capabilities, control, risk mitigation and management of Data Centres
Evolving challenges: Internal, External & Compliance
Security Trends: 2011 Targeted attacks
Source: IBM X-Force® 2011 Trend and Risk Report – March 2012
Security Trends: Targeted attacks are increasing - 2012
Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012
Security Trends: Targeted attacks are increasing - 2012 Government/International bodies
Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012
What are the impacts to an organization?
The impact of lost data or unplanned downtime can be catastrophic, leading to lost revenue, reputation and competitive position.
Finances: Lost deals; Disruption of cash flow; Lost discounts; Missed payments; Drop in stock price
Loss of reputation: Company reputation; Damaged relationships with customers, suppliers, partners, lenders and investors
Revenue: Direct revenue losses; Loss of future revenues; Losses due to invoices that cannot be completed; Losses due to investments not made
Miscellaneous costs: Temporary staff needed; Travel expenses incurred; Equipment rental costs
Productivity: Employees who cannot perform their jobs; Missed deadlines
Regulatory: Inability to meet compliance requirements
As a CFO, consider this…
The average cost per hour of system downtime is increasing as more business operations become automated
Average cost of one hour of downtime: $110K (2010), $182K (2012)
Source: Aberdeen Group: “Datacenter Downtime: How Much Does it Really Cost?,” March 2012
Source: IBM Global Risk Study
What is driving change? New challenges face IT as the consumerization of IT continues and forces emerge that challenge an organization’s speed, agility and resilience.
Sources: 1. IBM cloud computing organization estimate. Individual results may vary. 2. Gartner, “Information and the Nexus of Forces: Delivering and Analyzing Data,” 26 June 2012. 3. IDC, Digital Universe Study, sponsored by EMC, June 2011.
Some recommendations… Based on study findings and IBM IT risk management expertise, we recommend six key initiatives
Six keys to effective reputational and IT risk management
1. Put someone in charge
2. Make the compliance connection
3. Reevaluate the impact of social media
4. Keep an eye on your supply chain
5. Avoid complacency
6. Fund remediation; invest in prevention
1. Put someone in charge
Study findings (2013 data)
Role most accountable for company’s reputation: CEO 80%; CFO 34%; CRO 24%; CIO 23%; CMO 22%
Study implications
Ultimate responsibility for reputational risk should rest with one person — but who?
CEOs: multiple responsibilities, little time
CFOs: focused on financial risks, not IT
CROs: do traditional and IT risk responsibilities leave enough time for reputation risk?
Emerging trend: the Chief Digital Officer
New C-suite role for technology-driven world
Strong business and technology knowledge
Responsible for all aspects of digital presence
2. Make the compliance and reputation connection
Study findings (2013 data)
87% of banking respondents say IT failures can have severe compliance consequences
Reputational factors very strongly/strongly affected by IT risk: Customer satisfaction 74%; Brand reputation 74%; Compliance 72%; Profitability 60%
Study implications
Where IT and compliance intersect:
Regulatory requirements for recovery time from system outages
Legal requirements for data archiving, retrieval and eDiscovery
Legal and regulatory requirements for privacy and data protection
Recommendations:
Integrate compliance requirements into IT and reputational risk strategies
Measure performance
Identify gaps in protection and mitigation processes
3. Reevaluate the impact of social media
Study findings (2013 data)
Companies are missing the opportunity to leverage social media to protect and recover their reputations
Only 27% provide guidelines for employee social media use during a crisis
Only 19% have incorporated social media into their disaster recovery plans
Study implications
Add a third dimension to risk management
Respond swiftly to IT-related reputational incidents—and use social media as an informational channel
Build a bank of goodwill—use social media as a channel for enhancing your reputation
Dimensions of risk: Likelihood (1 in 7? 1 in 100?); Impact (Severe, Moderate, Mild); Velocity
4. Keep an eye on your supply chain
Study findings (2013 data)
Only 28% of companies are “very strenuously” requiring their vendors, partners and supply chain to match levels of risk control*
*Average
“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”
Chief marketing officer, American education company
Study implications
Two aspects of vulnerability
Security: Sensitive data shared with third parties can be compromised
Continuity: Supplier downtime can disrupt production and product availability
Recommendations
Identify outside sources that your company relies on
Require partners to meet your levels of IT and reputational risk management
Verify compliance through regular auditing and reporting
5. Avoid complacency
Study findings (2013 data)
Perception/reality gap
82% rate reputation as excellent or very good
18% rate ability to manage IT risk as very strong
Study implications
There is room for improvement in almost every organization
Recommendations
Ensure that foundational IT risk management tools are in place
Map IT and reputational risk strategy to concrete, measurable tactics
Perform regular gap analysis
Stay ahead of new technology and changing threats
Companies are overlooking many of the security controls that can proactively protect their reputations before harm happens
Study findings (2013 data)
Security controls in place: Firewall management; Identity/access controls; Network/endpoint protection; Security threat intelligence; Penetration testing; Encryption; Vulnerability scanning; Mobile device security
Confidence level: 66% very confident/confident about protection against data breach
70%
Companies have continuity basics in place, but are missing IT fundamentals that provide additional protection
Study findings (2013 data)
Continuity controls in place: Backup/restore testing; Fully documented DR plan; Automated backup processes; Change management; 24x7 software tech support; Testing includes business users
Confidence level: 68% very confident/confident about protection against systems failure; 73% very confident/confident about protection against data loss
76%
69%
69%
6. Fund remediation; invest in prevention
Study findings (2013 data)
Only 56% of companies say IT risk management funding is adequate to protect reputation
54% of companies have increased spending on IT related to reputational risk over the past 12 months
55% of companies will increase spending on IT related to reputational risk over the next 12 months
Study implications
Recommendations
Include the CIO in reputation risk management
Evaluate the cost of inadequate funding
Treat IT as a core business asset, not a cost center
Base IT spend on risks and outcomes, not revenue or sales
The cost of system downtime*
$181,770 per hour
The cost of data center downtime
$418,017 per event
The cost of a business interruption event
*“Datacenter Downtime: How Much Does It Really Cost?” Aberdeen Group, February 2012.
Going forward, new technologies and social media will help fuel increased focus on reputational risk
Study findings (2013 data)
68% will increase focus on reputational risk compared to five years ago
Why increase?
New technology/social media, 43%
Previous event harmful to competitor/industry, 20%
Previous event harmful to company, 18%
Board of directors/C-suite mandate, 10%
Other, 7%
Shareholder pressure, 3%
“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”
CIO, Barbados professional services firm
Thank YOU and Additional Resources
Download the full study report: ibm.com/services/riskstudy
Download the IBM point-of-view: ibm.com/services/riskstudy
Engage with an IBMer to discuss your reputational risk exposures
Visit these websites:
ibm.com/services/security
ibm.com/services/continuity
ibm.com/services/techsupport
The IBM Canada Leadership Data Centre in Barrie, Ontario showcases the best of IBM’s global data centre practices for Computing and Recovery environments. Tour this exciting new facility and gain valuable insights on managing risk and reducing costs through the adoption of innovative technologies such as cloud computing, advanced virtualization and energy management.
For more information or to register for an upcoming event please contact an IBM sales team representative
Managing Risk: Business Resiliency and Security - Discover the benefits of IBM’s holistic approach to addressing risk in the areas of security, business resilience and compliance. Held at IBM’s newest Data Centre in Barrie. www.ibm.com/ibmcanadaleadershipdatacentre
June 12, 2013 Also