2006 Annual Conference October , Newport, RI

Transcription

1 Integrated Risk Management 2006 Annual Conference October , Newport, RI Converged Enterprise wide Risk Management & Business Continuity MAXIMIZING THE EFFECTIVENESS OF CONTINGENCY AND BUSINES CONTINUITY PLANNING THROUGH INTEGRATING RISK MANAGEMENT, SECURITY AND CONTINGENCY PLANNING ISSUES Javier F. Kuong MANAGEMENT ADVISORY SERVICES & PUBLICATIONS MASP Contingency Planning & Recovery Institute CPR-I Enterprise Governance, Internal Control, Auditing, Security and Business Continuity Ph P. O. Box Wellesley Hills, MA web: inst.com

2 2006 by Management Advisory Services & Publications. All rights reserved. This material is intended for this conference presentation only. Mechanical or electronic reproduction, transmission and dissemination of this material for other purposes is forbidden without prior agreement ement with the copyright owner. MANAGEMENT ADVISORY SERVICES & PUBLICATIONS P. O. Box Wellesley Hills, MA Ph web: 2

3 SESSION OBJECTIVES This session provides ideas and approaches to ensure that your enterprise is well protected in today s complex and global threat environment. Specifically, you will learn: a) How to spot deficiencies in present organizational structures derived from highly segmented plans and practices. b) How to restructure enterprise-wide protection for optimal security and risk minimization by integrating the planning for risk management, security and business continuity. 3

4 CURRENT FRACTIONATED ENVIRONMENT TO DEAL WITH ENTERPRISE RISKS Organizations are addicted to the concept of division of functional responsibilities and dispersion in the assignment of duties along the lines of specialized groups or functional units. This has traditionally stemmed from senior management s perceived need to delegate duties and responsibilities to multiple groups under the division of labor concept. This propensity was further aggravated by the increasingly complex set of specialties required to operate a modern business. 4

5 CURRENT FRACTIONATED ENVIRONMENT TO DEAL WITH ENTERPRISE RISKS Organizations parcelize enterprise protection to several groups thinking that no single unit can master all the necessary knowledge and skills to handle business processes protection. A concept highly favored in internal control theory is to practice segregation of duties. This is especially true when it comes to so-called incompatible functions that may present a conflict of interest or excessive concentration of power vested in one single organizational unit. This is referred to as practicing the checks and balances principle. 5

6 Need for Enterprise-wide Protection Organizations need to protect their corporate assets whether it involves preventing physical or logical access, theft of equipment, mitigating loss from uncontrollable events, human induced events, or loss of business continuity. A key goal is to provide a safe environment for humans (employees/clients), corporate assets, safety from hackers and industrial saboteurs, and protection from failures of resources, applications, databases. Protection for activities resident in key business partners processes and outsourced services is also now required. The intent is to minimize deficiencies derived from today s segmented approach to physical and logical security, risk management and contingency planning, which lack a total and coordinated view. 6

7 DISADVANTAGES OF DISAGGREGATE ENTERPRISE PROTECTION 7

8 Disadvantages of Disaggregate Enterprise Protection Disaggregate enterprise protection programs: Create security gaps Cause organizations to not understand the chain-effect and the interrelatedness of the various protection elements Prevent enterprises from arriving at grass-roots solutions that impact various and benefit multiple interrelated protection areas Are more costly and flawed Waste precious resources and lack the benefit of complementarity of resources. 8

9 ENTERPRISE PROTECTION CONVERGENCE - A DEFINITION 9

10 Enterprise Protection Convergence - A definition: Converged risk management and enterprise wide protection involves the integration of enterprise protection planning to try to incorporate risk management, physical and logical security, emergency preparedness and business continuity into one unified view. This integration enables an organization to establish and manage a single, consolidated risk management plan aimed at centralized planning with decentralized deployment of protection. 10

11 BUSINESS BENEFITS OF ENTERPRISE- WIDE PROTECTION CONVERGENCE 11

12 Business Benefits of Converging Enterprise Protection INTEGRATION One aggregate and panoramic view - Full integration of planning to minimize protection gaps (Avoid Swiss cheese effect) EFFECTIVENESS Coordinated and effective use of limited risk management resources AGGREGATE PLANNING & SOLUTIONS ANALYSIS OF INTERRELATED and INTERDEPENDENT ISSUES Advocates aggregate impact analysis COORDINATION AND COLLABORATION between current isolated functions to align strategies and practices. 12

13 DRIVERS FOR CONVERGED ENTERPRISE PROTECTION 13

14 Drivers for Converged Enterprise Protection New global and massive destruction threats. Need to Manage Risk on an Enterprise-wide Basis. Planning and Architecting an Overall, Effective Enterprise Security and Protection Program Does Not Lend Itself to a Highly Fractionated Approach. Need for Due Diligence Efforts. Demands from Compliance With Regulatory Requirements. Need for more economic and thorough approach to enterprise protection. Need to avoid gaps in protection from fractionated protection models. 14

15 Impact of New Threat Panorama on Enterprise Protection In the real world, the threat panorama can adversely impact multiple enterprise protection issues. These can include: Human resources safety (life and limb) protection Perimeter (physical and network) access violations Physical asset protection Information and logical security Emergency preparedness, contingency planning and business continuity Intellectual capital protection Image and public relation issues Regulatory compliance and legal and statutory issues The interests of a whole array of stakeholders (stockholders, clients, employees, labor unions, creditors, critical supply chain suppliers, the nearby community at large, etc.) 15

16 Literature references 1. Kuong, J. F., How to Maximize Enterprise-wide Protection by Integrating Risk Management, Security and Business Continuity - Restructuring Enterprise Protection and Security Functions, ISBN , 644, Publication MAP-54, Management Advisory Publications, P. O. Box Wellesley Hills, MA web: 2. Kuong, J. F., The Need to Integrate the Internal Control and Contingency Planning ning Programs Into an Aggregate Enterprise Protection Program, COM-SAC, Computer Security, Auditing & Controls (Quarterly), Volume 29, No. 1, 2002, 2, published by Management Advisory Publications, P. O. Box Wellesley Hills, MA web: 16

17 17

18 NEDRIX 18