TRANSCRIPT
Making the Jump to Risk Management
Jeff Blackmon, FBCI, CISSP, CBCP, ITIL Strategic Continuity Solutions, LLC.
Jeff Blackmon, FBCI, CISSP, CBCP, ITIL
– Started BC/DR planning work in the mid-1980s
• Financial • Petroleum • Foreign Military • Pharmaceutical • Healthcare • U.S. Government
– Contract consultant based in the Kansas City area, but have been working remote for almost all projects.
Topics:
– Risk Categories
– Definitions
– Inside Risk Management (new parts and pieces)
– Qualitative and Quantitative Exposure
– BC, Security and Compliance in Risk Management
– Discussion?
What Risk Management is NOT:
– NOT the consolidation of Compliance, Security and BC into a single function
– NOT changing any of the functions of Compliance, Security or BC
Risk Management IS:
– More collaboration between Compliance, Security and BC
– More communication between Compliance, Security and BC
Risk Categories:
– Compliance
– Credit
– Liquidity
– Market
– Operational (Business Continuity and Security)
– Strategic
– Other
Risk
– A measure of the potential for loss in terms of both the likelihood of the incident and the consequences of the incident (Probability and Impact)
Risk Analysis
– The development of a quantitative or qualitative estimate of risk by combining estimates of incident likelihood and consequences
Risk Assessment
– The process by which the results of a risk analysis are used to make decisions through relative ranking of risk reduction strategies
Risk Management
– The planning, organizing, leading and controlling of an organization's assets and activities in ways which minimize the adverse operational and financial effects of accidental losses upon the organization (Mitigation and Contingency)
Risk Resolution:
– Take no action and accept the risk
– Defer action for the short term
– Develop an action plan
  • Avoid the risk
  • Transfer the risk to a third party (such as insurance)
  • Mitigate the risk
    – Prevent the risk event
  • Contingency if the risk event occurs
    – Lessen the impact
Threats and vulnerabilities are unlimited. The funds to mitigate them are not.
Overall Goals:
– Manage exposure to risk
– Improve resilience
– Control costs
ROI from risk programs is derived more from keeping and attracting clients than it is from loss avoidance.
Key element, know your loss potentials:
– Natural, man-made, technological or politically related
– Accidental versus intentional
– Internal versus external
– Manageable risks versus those beyond the company's control
Single Loss Expectancy (SLE)
– SLE = Asset Value ($$) x Impact
Annual Loss Expectancy (ALE)
– ALE = SLE (from above) x yearly estimates (the annual probability of the event)
• $ Risk Exposure = Asset Value ($$) x Impact x yearly estimates
*NEW* Emerging Risk Register
– Event: What could happen? (Threat)
– Probability: How likely is it to happen?
– Impact: How bad will it be if it happens?
– Mitigation: How can we reduce the probability?
– Contingency: How can we reduce the impact?
– Reduction = Mitigation x Contingency
– Exposure = Risk – Reduction
*NEW* Emerging Risk Register, also to include
– Risk record owner
– Mitigation strategy
  • Mitigation cost
  • Mitigation expected loss return
– Contingency strategy
  • Contingency cost
  • Contingency expected loss return
– Status/dates of actions
– New adjusted Risk Exposure rating
Risk Impact Rating Assessment

Factor    Low (<20%)                   Mod (21%-50%)          High (51%-80%)          Extreme (81%+)
Quality   Minor degradation            Obvious degradation    Major degradation       Effectively useless
Time      <5% time increase            5%-10% time increase   10%-20% time increase   >20% time increase
Cost      Insignificant cost increase  <10% cost increase     10%-25% cost increase   >25% cost increase

Find the best assessment based on Quality, Time and Cost impact.
Risk Exposure Results (Qualitative Example)

Probability/year      Impact: Low (<20%)   Mod (21%-50%)   High (51%-80%)   Very High (81%+)
>91% (Very High)      Moderate             High            Very High        Very High
61%-90% (High)        Moderate             High            High             Very High
21%-60% (Mod)         Low                  Moderate        High             High
<20% (Low)            Low                  Low             Moderate         High

Impact x Probability = Risk Exposure
Classifications above are based upon the company's Risk Acceptance profile.
Risk Exposure Results (Partial Quantitative)

Probability/year      Impact: Low (<20%)   Mod (21%-50%)   High (51%-80%)   Very High (81%+)
>81%                  Moderate             High            Very High        Very High
61%-80%               Moderate             High            High             Very High
41%-60%               Low                  Moderate        High             Very High
21%-40%               Low                  Moderate        High             High
5%-20%                Low                  Low             Moderate         High
<5%                   Very Low             Low             Moderate         Moderate

Impact x Probability = Risk Exposure
Classifications above are based upon the company's Risk Acceptance profile.
Risk Exposure Results (Quantitative)

ALE                Low        Moderate            High                 Very High
Total Risk Costs   <$10,000   $10,000-$100,000    $100,000-$500,000    >$500,000

Impact x Probability = Risk Exposure in $$
Classifications above are based upon the company's Risk Acceptance profile.
Example for Risk Record (1) Quantitative
Event: Communications Loss. If 1 of our 2 fiber cables is cut. Note major construction taking place on property.
Effect: Lose 50% of communication bandwidth
Expected Loss: $250,000
Risk Impact: High
Probability: 10%
Risk Exposure:
Record Owner: Bob Smith, Network Comms

Example for Risk Record (2) Quantitative
$ Risk = Asset Value ($$) x Impact x yearly estimates
250,000 x .50 x .10 = $12,500.00 = ALE
Mitigation: Do a physical trace of the fiber cables, mark routes and document. Cost = $2,000
New Probability = 5%
Updated Risk Exposure: 250,000 x .50 x .05 = $6,250.00
New Risk Exposure category =

Example for Risk Record (3) Quantitative
Event: Encryption Failure. If the stand-alone banking Encryption Key server were to do a hard crash.
Effect: Lose 100% of ACH cash transfer
Expected Loss: $1,250,000
Risk Impact: Very High
Probability: 20%
Risk Exposure:
Record Owner: Sam Smith, CFO

Example for Risk Record (4) Quantitative
$ Risk = Asset Value ($$) x Impact x yearly estimates
1,250,000 x 1.00 x .20 = $250,000.00 or ALE
Mitigation: Provide a remotely located failover server for Encryption. Cost = $12,000
New Probability = 4%
Updated Risk Exposure: 1,250,000 x 1.00 x .04 = $50,000
New Risk Exposure category =
Quantitative processes give a much more accurate Annual Loss Expectancy (ALE), but remember, the numbers determined for loss and expectancy must be accurate. Otherwise a company's Risk Exposure calculations can vary widely. It is more common for a company to start with Qualitative and move to Quantitative.
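The following is an added example, not part of the presentation: a small Python risk-register calculator that applies the deck's formulas (SLE = Asset Value x Impact, ALE = SLE x yearly estimate) and its quantitative ALE bands to the two worked records above, and fills in the register fields the deck asks for (exposure before and after mitigation, the band each falls into, and the mitigation's expected loss return). The class and function names, the dataclass layout, the payback calculation and the handling of band edges (the deck's table has gaps between $10,000 and $100,000, etc.; lower bounds are taken as inclusive here) are my assumptions.

```python
# Added example (not from the presentation): risk-register arithmetic from the deck's
# SLE/ALE formulas and its quantitative ALE bands. Names and layout are assumptions.
from dataclasses import dataclass
from typing import Optional

# Quantitative exposure bands from the deck: (exclusive upper bound, label).
# Anything at or above the last bound is "Very High". Band edges are an assumption:
# the deck's table leaves gaps between its ranges.
ALE_BANDS = [(10_000, "Low"), (100_000, "Moderate"), (500_000, "High")]


def classify_ale(ale: float) -> str:
    """Map a dollar ALE onto the deck's Low / Moderate / High / Very High bands."""
    for upper, label in ALE_BANDS:
        if ale < upper:
            return label
    return "Very High"


def _check_fraction(name: str, value: float) -> None:
    # The deck warns that inaccurate inputs swing the result widely; reject impossible ones.
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a fraction in [0, 1], got {value}")


@dataclass
class RiskRecord:
    event: str
    owner: str
    asset_value: float   # expected loss if the event occurs, from the BIA
    impact: float        # fraction of asset value lost (0.50 = lose half)
    probability: float   # yearly estimate: annual probability of the event

    def __post_init__(self) -> None:
        _check_fraction("impact", self.impact)
        _check_fraction("probability", self.probability)

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Impact."""
        return self.asset_value * self.impact

    def ale(self, probability: Optional[float] = None) -> float:
        """Annual Loss Expectancy = SLE x yearly estimate (optionally a revised estimate)."""
        p = self.probability if probability is None else probability
        _check_fraction("probability", p)
        return self.sle() * p


@dataclass
class Mitigation:
    description: str
    cost: float             # one-time spend to put the control in place
    new_probability: float  # annual probability once the control is in place


def evaluate(record: RiskRecord, mitigation: Mitigation) -> dict:
    """Register fields the deck asks for: exposure before/after, band for each,
    expected loss return of the mitigation, and a simple payback period."""
    before = record.ale()
    after = record.ale(mitigation.new_probability)
    loss_return = before - after  # expected loss avoided per year
    return {
        "ale_before": before,
        "category_before": classify_ale(before),
        "ale_after": after,
        "category_after": classify_ale(after),
        "expected_loss_return": loss_return,
        "payback_years": mitigation.cost / loss_return if loss_return > 0 else float("inf"),
        "worth_it_first_year": loss_return > mitigation.cost,
    }


# The two records from the deck, paired with the mitigations it proposes.
RECORDS = [
    (RiskRecord("Communications loss: one of two fiber cables cut", "Bob Smith, Network Comms",
                asset_value=250_000, impact=0.50, probability=0.10),
     Mitigation("Physically trace fiber routes, mark and document", cost=2_000, new_probability=0.05)),
    (RiskRecord("Encryption failure: stand-alone key server hard crash", "Sam Smith, CFO",
                asset_value=1_250_000, impact=1.00, probability=0.20),
     Mitigation("Remotely located failover encryption server", cost=12_000, new_probability=0.04)),
]

if __name__ == "__main__":
    for record, mitigation in RECORDS:
        r = evaluate(record, mitigation)
        print(f"{record.event}\n  owner: {record.owner}")
        print(f"  ALE before: ${r['ale_before']:,.2f} ({r['category_before']})")
        print(f"  ALE after:  ${r['ale_after']:,.2f} ({r['category_after']})")
        print(f"  expected loss return: ${r['expected_loss_return']:,.2f}/yr"
              f" vs cost ${mitigation.cost:,.0f}, payback {r['payback_years']:.2f} yr\n")
```

Run as a script, it fills the blanks the slides leave open: under the deck's own bands the fiber record drops from Moderate ($12,500) to Low ($6,250) and the key-server record from High ($250,000) to Moderate ($50,000), and both mitigations pay back well inside a year. The range check on impact and probability is there because the deck's caveat about inaccurate inputs applies doubly when a register is filled in by hand.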
So how does Risk Management CHANGE Business Continuity, Security and Compliance? Actually, little if any. BC still does BC work and is not going away. This is the same for Security and Compliance. Risk Management is about collaboration and communication between the departments for better integration.
Overall Goals:
– Manage exposure to risk
– Improve resilience
– Control costs
[Diagram: Risk Management at the center, joined with Compliance, Business Continuity and Security, around the cycle Frame, Assess, Respond, Monitor]
Why is Business Continuity important to the Risk Management process?
Much of the information used in Risk Management comes directly from the Business Continuity process. Unaltered and unchanged. Just copied over.
Emerging Risk Register
– Event: What could happen? (Threat)
– Probability: How likely is it to happen?
– Impact: How bad will it be if it happens?
Much of this information should come from the BC Risk Assessment.
Emerging Risk Register
– Mitigation: How can we reduce the probability?
– Contingency: How can we reduce the impact?
Both of the above should be part of the Business Continuity plans. Now just carried into Risk Management.
$ Risk = Asset Value ($$) x Impact x yearly estimates
Asset Value should come from the Business Impact Analysis (BIA).
Importance of Compliance in Risk Management
– Much has changed in dealing with compliance and audit groups over the last 20 years
– CFOs do not speak RTOs, RPOs, Gigabit Ethernet, AIX and so on
– They are very aware of PCI, OCC, FFIEC, Sarbanes-Oxley and many other compliance regulations
– A considerable amount of their work is considered direct Risk Management
– Compliance groups usually have direct access to C-level executives and can relay concerns and issues to the people that can provide the priority to get them fixed
Importance of Security in Risk Management
– Primary group within a company for risk mitigation
  • Firewalls • Intrusion detection • Malware scanning • Access control • and many more
None of Security's functions will change.
Importance of Business Continuity in Risk Management
– Primary group within a company for Contingency
  • IT recovery order based on BIAs and follow-up strategies
  • Manage the people aspect of an event
  • Determine and document threats
  • Determine and document vulnerabilities
  • and much more
None of Business Continuity's functions will change.
[Diagram: what each group brings to Risk Management]
– Compliance: Communications to management
– Security: Mitigation
– Business Continuity: Contingency
Risk Management Standards
– ISO 31000:2009
– NIST SP 800-30
– NIST SP 800-37
Questions
001-(913)-971-4081
[email protected]
https://www.linkedin.com/in/jeffrey-d-blackmon-fbci-cissp-cbcp-itil-f-876205
Jeff Blackmon, FBCI, CISSP, CBCP, ITIL