Driving Operational Risk Management Into the Customer/Product Value Chain

Transcription

1 Driving Operational Risk Management Into the Customer/Product Value Chain Eric Staffin, MBCI, CISSP Vice President, Global Head of Product & Infrastructure Risk Management Thomson Reuters, Investment & Advisory

2 The world s leading source of intelligent information for businesses and professionals. We combine industry expertise with innovative technology to deliver critical information to leading decision makers in the financial, legal, tax and accounting, scientific, healthcare and media markets, powered by the world s most trusted news organization. Financial Financial Healthcare Legal Applications used by over half a million professionals globally Media Informs healthcare decisions affecting 150 million lives Scientific Westlaw is relied upon by 98% of the world s major law firms Tax & Accounting Reuters News reaches over one billion people daily Used by more than 20 million researchers worldwide Checkpoint is used by 99 of the top 100 U.S. accounting firms

3 Presentation Outline Introduction Resiliency and Operational Risk Deriving Enterprise Requirements from Stakeholder Requirements Defining and Applying Anchor Specifications Validating Anchor Specifications Q&A

4 Is the Traditional PDLC Good Enough? Key Drivers of Product Competitiveness Product Features / Functionality Client Service / Support Reputation Price Terms and Conditions

5 Is the Traditional PDLC Good Enough? Key Drivers of Product Competitiveness Product Features / Functionality Client Service / Support Reputation Price Terms and Conditions What are we missing?

6 Resiliency Starts at the Front Line Key Drivers of Product Competitiveness Product Features / Functionality Client Service / Support Reputation Price Terms and Conditions Stakeholder Requirements Key Organizational Challenges Increasing Operation Complexity Services are Global Economic Concerns and Constraints Geo-political Threats Changing (and Growing) Regulatory Landscape Legacy Infrastructures

7 Resiliency Starts at the Front Line Key Drivers of Product Competitiveness Product Features / Functionality Client Service / Support Reputation Price Terms and Conditions Stakeholder Requirements Key Organizational Challenges Stakeholders Customers Suppliers Increasing Operation Complexity Services are Global Economic Concerns and Constraints Geo-political Threats Changing (and Growing) Regulatory Landscape Legacy Infrastructures

8 Resiliency Starts at the Front Line Key Drivers of Product Competitiveness External Stakeholders Product Features / Functionality Client Service / Support Reputation Price Terms and Conditions Stakeholder Requirements / Demands Key Organizational Challenges Increasing Operation Complexity Services are Global Economic Concerns and Constraints Geo-political Threats Changing (and Growing) Regulatory Landscape Legacy Infrastructures Customers Regulators Shareholders Community Members Emergency Responders Suppliers Local Government Agencies Internal Stakeholders Employees Dependent Systems Auditors Human Resources Sales Technology Finance Chief Risk Officer Facilities Legal

9 Organizational Certainties SEI/CERT Risk environment will not contract number of risks and complexity will increase Organizations must get better at surviving in uncertainty Knowledge and awareness of risk issues must be pervasive throughout the organization Tradition tools, techniques, and methods may not work in this environment Existing organizational structure may not be agile enough to adapt! SEI/CERT Resiliency Engineering Framework

10 Resiliency Spending Intense competition for resource allocations Continuous pull from Non-Discretionary spending Non-Discretionary Legal Regulatory Compliance Exchanges Corporate Policy Contractual Obligations Discretionary (Deterministic) New Product Development New / Reengineered Business Processes Research & Development Utility & Warranty

11 Resiliency Spending Intense competition for resource allocations Continuous pull from Non-Discretionary spending Non-Discretionary Legal Regulatory Compliance Exchanges Corporate Policy Contractual Obligations Discretionary (Deterministic) New Product Development New / Reengineered Business Processes Research & Development Utility & Warranty What s wrong with this picture?

12 Operational Risk SEI/CERT Event / Condition Human Errors / Failures Infrastructure Failures Internal Process Failures / Flaws External Threat Events Adapted from SEI/CERT Resiliency Engineering Framework

13 Operational Risk SEI/CERT Event / Condition Human Errors / Failures Infrastructure Failures Internal Process Failures / Flaws External Threat Events Likelihood 100% 100% 100% 100% Adapted from SEI/CERT Resiliency Engineering Framework

14 Resiliency Spending Non-Discretionary spending now dominates the equation Organizations must recalibrate their approach to ORM!! Non-Discretionary Legal / Regulatory / Compliance Corporate Policy Contractual Obligations Operational Risk Management Training and Awareness Discretionary (Deterministic) New Product Development New / Reengineered Business Processes Research & Development Process Changes

15 Evolution to Resiliency Long Maturation Process Increased Integration Over Time Sustainability & Repeatability Becomes Embedded in Enterprise Risk Management Framework Availability Performance Security Process Maturity Resiliency Reliability Recoverability Continuity Strategic Obj.

16 Critical Resource Specifications - FFIEC these recovery objectives require management to determine which essential personnel, technologies, facilities, communications systems, vital records, and data must be recovered and what processing sequence should be followed so that activities that fall directly on the critical path receive the highest priority.

17 Critical Resource Specifications - FFIEC these recovery objectives require management to determine which essential personnel, technologies, facilities, communications systems, vital records, and data must be recovered and what processing sequence should be followed so that activities that fall directly on the critical path receive the highest priority People Process Technology Facilities Data

18 Stakeholder Requirements Drive All Other Requirements! Customers Customer #1 Customer #2 Customer #3 Customer #4 Customer # 5 Customer # 6 Products & Services Prod #1 Prod #2 Svc #1 Svc #2 Prod #3 Prod #4 Svc #3 Svc #4 Prod #5 Svc #5 Processes Process #1 Process #2 Process #3 Process #4 Process #5 Sites Site #1 Site #2 People Site #3 Site #4 Process Platforms & Resources Technology Facilities Data Suppliers Supplier #1 Supplier #2 Supplier #3 Supplier #4 Supplier #n Copyright Vigilant Services Group. All rights reserved.

19 Now the Challenging Part!! Optimize Utility * Warranty * Product Risk Cost Maximum Competitiveness Maximum Profitability Maximum Competitiveness Optimal Resiliency Optimize Cost ** Resiliency ** Cost Optimal Product Resiliency Customer Exposure * ITIL Service Management ** Don t Over-Spend or Under-Spend

20 BCM, ORM or Both? Promoting the Art & Science of Business Continuity Management Worldwide The BCI Business Continuity Management (BCM) is not simply a management initiative BCM as part of integrated ORM is an engineering discipline that requires technical engineering and human engineering to look at people, data, systems, and facilities as an ecosystem RTOs and RPOs are no longer just independent variables and they are no longer the ONLY variables!

21 Anchor Specifications Maximum Allowable Downtime (MAD FFIEC Business Continuity Handbook) - the point in time after a significant interruption at which the product or process can no longer be inoperable Maximum Tolerable Period of Disruption (MTPoD BS25999) the point in time after a significant interruption after which an organization s viability will be irrevocably threatened if product and service delivery cannot be resumed Maximum Tolerable Downtime (MTD Sentryx) or Business-as-Usual Time Objective (BTO Vigilant Services Group) - the point in time after a significant interruption at which the product or process returns to a business-as-usual state in consideration of work queues, lost data, etc. (operating as if nothing happened)

22 Anchor Specifications Applied SEI/CERT Event / Condition Human Errors / Failures Infrastructure Failures Internal Process Failures / Flaws External Threat Events Likelihood 100% 100% 100% 100% Integrating MAD and MTPoD (anchor specifications) into organizational policy is critical Economics of design must explicitly follow anchor specifications SLAs usually follow MAD Worst case scenarios follow MTPoD Profitability metrics include penalties and SLA performance

23 Timeline Example Copyright Sentryx (

24 Anchor Specifications in Practice Should the Maximum Tolerable Period of Disruption (MTPoD) only be applied to smoke and rubble scenarios? If not, is it enough to consider MTPoD (by itself) to define our optimal resiliency solution levels?

25 When MTPoD is the ONLY Anchor! Incident Duration (Hours) Commercial Exposure ($ Millions) MTPoD = $15MM Total Product Revenue - $40MM Single Impact Exposure Maximum Tolerable Period of Disruption Exposure ($ Millions) $20 $15 $10 $5 $0 Exposure Duration (Hours) Optimal Resiliency Solution? Single Incident with Duration X MTPoD

26 When MTPoD is the ONLY Anchor! Incident Duration (Hours) Commercial Exposure ($ Millions) MTPoD = $15MM Total Product Revenue - $40MM Single Impact Exposure Maximum Tolerable Period of Disruption Exposure ($ Millions) $20 $15 $10 $5 $0 Exposure Duration (Hours) Optimal Resiliency Solution? Single Incident with Duration X MTPoD

27 MTPoD, MAD & Cumulative Incident Exposure Incident Duration (Hours) Exposure ($ Millions) Commercial Exposure ($ Millions) MAD = $2.5MM MTPoD = $15MM Total Product Revenue - $40MM $20 $15 $10 $5 $0 SIE SIE SIE MAD SIE SIE SIE Exposure Duration (Hours) MTPoD Use historical incident management data to predict the likelihood of a disruptive event occurring adjust resiliency and recoverability levels ASAP!! Optimal Resiliency Solution? Single Incident with Duration X Cumulative Incident Duration Cumulative Commercial Exposure

28 MAD & MTPoD Are Now Anchors!! Incident Duration (Hours) Commercial Exposure ($ Millions) MAD = $2.5MM MTPoD = $15MM Total Product Revenue - $40MM SIE SIE SIE SIE SIE SIE Exposure MAD MTPoD Exposure ($ Millions) $20 $15 $10 $5 $0 Optimal Resiliency Solution Optimal resiliency solutions MUST incorporate single incident and cumulative incident exposure levels to ensure that MAD and MTPoD thresholds are NOT exceeded. Anchors MUST be established in the definition and planning phases of the SDLC propositions cannot go to market if anchors aren t LOCKED in place. Duration (Hours) Single Incident with Duration X Cumulative Incident Duration Cumulative Commercial Exposure

29 Margin as a Function of Resiliency and Price Price that clients will pay for R BAU of 24 hours ($50) Maximum price that clients will pay for R BAU of 6 hours or less ($60) Price that clients would have to be willing to pay to cover the fixed costs of R BAU of 0 hours 0 Resiliency (Hours) $30 $40 $50 $60 $70 $80 $90 $100 Product Pricing

30 Discretionary Spending as a Function of Resiliency $7MM discretionary spend required for R BAU of 6 hours $5.5MM discretionary spend required for R BAU of 24 hours $11MM discretionary spend required for R BAU of 0 hours 0 Resiliency (Hours) $5 $6 $7 $8 $9 $10 $11 $12 Discretionary Spending ($MM) to Achieve Desired Resiliency Levels insurance

31 MAD vs. RTO Maximum Allowable Downtime (MAD) is the business specified time required to achieve full operational recovery RTOs have historically been applied to the time required to recover a specific technology resource (FFIEC systems & data) RTO as an independent construct does not appropriately describe the recovery of a full process, function, or product that has a number of supporting and dependent resources (FFIEC systems, data, facilities & people) Challenge Issue product and service recoverability is often described with a single RTO if so, have we captured the full exposure to the various SEI/CERT Operational Risk Events

32 Challenge Response Incident Management Timeline What is it? And why look at it? Embedded Operational Risk Management expresses resiliency in the form of aggregated RTOs based on a specific ORM event or condition. SEI/CERT Event / Condition Likelihood Human Errors / Failures Infrastructure Failures Internal Process Failures / Flaws External Threat Events 100% 100% 100% 100% Incident Starts Incident Ends

33 Challenge Response MAD is an aggregated RTO Facilities and people may have individual RTOs which contribute to MAD! these recovery objectives require management to determine which essential personnel, technologies, facilities, communications systems, vital records, and data must be recovered and what processing sequence should be followed so that activities that fall directly on the critical path receive the highest priority Event / Condition Likelihood Human Errors / Failures Infrastructure Failures Internal Process Failures / Flaws External Threat Events 100% 100% 100% 100% Incident Starts Incident Ends

34 Challenges to Embedding ORM into the Organization SEI/CERT ORM is by nature a qualitatively-driven activity Operational resiliency activities are distributed throughout the enterprise and are not coordinated Operational resiliency for system and data assets will likely be insufficient on a standalone or independent basis Is there a calibration of practices, methodologies, and validation principles across security, business continuity, IT operations, service delivery, and facilities management Funding for ORM is often a budgetary expense rather than an investment in the organization s ability to meet strategic objectives Success measures are often difficult to quantify Can the organization sustain an operational resiliency focus Is organizational success tied to the balanced efforts of people, processes, and methods as opposed to just people Do changes in the regulatory climate offer natural opportunities to increase resiliency or are they simply distractions to the product development roadmap Is the organization realistic about its ability to manage through operational risk events Adapted from SEI/CERT Resiliency Engineering Framework

35 Timeline Decomposition Lifecycle Approach RPO Interruption Incident Starts Incident Ends Permanent Restoration

36 Validating Anchor Specifications ERM* and Product Risk Management Strategic / Market Risk Product Risk (not discussed here) Operational Risk Product Resiliency Financial / Credit Risk Customer SLAs Financial Strategic Operational * Enterprise Risk Management see COSO (Committee of Sponsoring Organizations)

37 SLA Management Reactive Reactive A major product experiences a significant disruption One or more significant penalties are assessed based on SLA triggers that have been tripped Sales, Product, and Development Teams are brought in to manage client expectations and define reactive remediation and communications strategies Efforts are made to reduce the penalties and immediately improve product resiliency Discovery that risk controls cannot be implemented in the short term Commercial releases are cancelled or delayed in order to implement newly defined / developed solutions

38 SLA Management Proactive Reactive A major product experiences a significant disruption One or more significant penalties are assessed based on SLA triggers that have been tripped Sales, Product, and Development Teams are brought in to manage client expectations and define reactive remediation and communications strategies Efforts are made to reduce the penalties and immediately improve product resiliency Discovery that risk controls cannot be implemented in the short term Commercial releases are cancelled or delayed in order to implement newly defined / developed solutions Proactive Establish client and market warranty requirements as part of the product development lifecycle Standardize SLAs, as much as possible, in advance decouple from MSAs Match penalties and price warranties to the product infrastructure(s) don t over or under-engineer resiliency solutions Establish tie-ins between service level management, performance management, and capacity management functions drive homogenous solutions across accountable infrastructures, dependent infrastructures, and 3 rd parties Ensure that Infrastructure Owners are at the table with the client and have intervention rights - Gatekeepers! Provide complete transparency to the client Only accept SLAs that match the organizational model and enterprise risk / resiliency strategies

39 Proactive Approach to Customer & Supplier SLAs Limited Revenue Impact Moderate Revenue Impact Critical Brand or $ Exposure Customer and supplier warranty requirements are integrated into product design Ensure that performance guarantees extend to key internal and external suppliers BCM/RM people are at the table with clients and suppliers and have intervention rights - Gatekeeper! Incorporate Supplier RTOs into the Incident Management Timeline Only sign or accept SLAs that match the organizational model and risk / resiliency strategies Reassess annually with comprehensive supplier questionnaires

40 Summary and Conclusion Programmatically incorporate an operational risk management model into the product development lifecycle Better understand and assess threats and vulnerabilities, and the likelihood of these vulnerabilities being exposed Understand, measure, and capture commercial risk and exposure - RTOs and RPOs are the legacy specifications of BCM dating back to the days of the mainframes Establish a preventive approach to identify, assess and measure operational and product risk factors More specifications are required to fully articulate the requirements of today s more complex technology architectures and critical interdependent supporting resources FFIEC - technology, people, data, and facilities Selectively control the factors which could lead to any negative impact on revenue, profitability, and/or structural assets Anchor key requirements and specifications Continuously re-validate the program Drive execution!

41 Questions & Answers

42 Speaker Biographical Details Eric Staffin Eric Staffin, MBCI, CISSP Vice President, Global Head of Product & Infrastructure Risk Management Thomson Reuters, Investment & Advisory Eric received his Bachelor of Arts degree in Economics from the University of Michigan and his Masters Degree in Business Administration in Finance and Corporate Strategy from New York University's Stern School of Business. His twenty year career includes senior management roles driving new product development, business resilience, program management, business continuity, information security, product management, acquisition due diligence, and client engagement management. Eric is currently responsible for managing a global, cross-functional process, project, and engineering team with a span of control that includes the risk management, oversight, and execution of business resiliency and reliability initiatives for more than seventy (70) discrete infrastructures, and the negotiation and management of technical client Service Level Agreements (SLAs). Prior to joining Thomson Reuters (formerly Thomson Financial) in 2003, Eric held senior management roles at Citigroup, where he was Vice President and Business Head of Citigroup's Internet Tools and Services Group, and Bankers Trust, where he served as Principal and Director of Bankers Trust's Global Institutional Services Internet Management Group. Eric holds the MBCI (Member) certification from the Business Continuity Institute (BCI), the CISSP certification from (ISC) 2, and the Business Resilience Auditor, Business Resilience Manager, and Business Resilience Professional certifications from the Business Resilience Certification Consortium International (BRCCI). Eric is currently serving as a Board Member for the BCI-USA Chapter.