Information Security in the framework of Enterprise Risk Management (ERM)

Transcription

1 ERM, a widespread practice in Financial Institutions Value based ERM is driven by shareholder value Strategic ERM is driven by the internal control imperative Integral part of sound business management Originally applied in managing insurance portfolios Moves beyond the Financial Risk Agenda and concerns about Strategic and Operational Issues 1

2 Particularly important to Banking ( Basel Committee on Banking supervision, 2003 ) Regulators guide financial institutions by not only suggesting effective Risk Management Techniques but also determining what kind of risks to consider and held accountable for Accountability means setting aside adequate Capital to compensate in accordance with the magnitude of the risks International Bank Capital regulation and Corporate Governace are two areas where ERM practices are observable 2

3 Still ERM is a rather elusive and under specified concept COSO 2003 forms a framework for diverse implementation techniques applied mainly in internal control It requires the prioritization and ordering of the various risk management elements into Manageable Control Cycles and the appointment of Risk Management Officers for impleme-ntation ntation, monitoring and improvement However for any given organization, the Risk Management Practices often form a mix depending on the particularities. 3

4 The ERM Framework is organized by Risk Type Hazard risks: Liability suits (e.g., operations, products, environmental) Fire and other property damage Storms and other natural disasters Theft and other crime Personal injury, disease, disability (including work-related injuries and diseases) Business interruption Financial risks, such as: Price (e.g. asset value, interest rate, foreign exchange, commodity) Liquidity (e.g. cash flow, call risk, opportunity cost) Credit (e.g. default, downgrade). Inflation/purchasing power Hedging/basis risk 4

5 The ERM Framework is organized by Risk Type Operational risks, such as: Business operations (e.g. customer satisfaction, human resources, product development, capacity, efficiency, product/service failure, trademark/brand erosion) Empowerment (e.g., leadership, change readiness) Information technology (e.g. relevance, availability) Integrity (e.g., management fraud, reputation) Information/business reporting (e.g., budgeting and planning, accounting Pension funds, investment evaluation, taxation Strategic risks, such as: Competition Customer wants Demographic and social/cultural trends Technological innovation Capital availability Regulatory and political trends 5

6 Some Risk Management Process steps apply to each Risk Type individually, and some, to all Risk Types according to the following grid Process Step Hazard Financial Operational Strategic Establish Context Identify Risks Analyze Quantify Risks Integrate Risks Assess and prioritize Risks Treat / Exploit Risks Monitor and Review 6

7 For enterprises that use IT to support operations, the impact of IT risks must be evaluated against the significance and the value of the business operations being affected Traditional financial instruments (like Insurance or Hedging) may prove inadequate compensation mechanisms to cover from losses emanating from poor IT security Management of IT Risks is transformed from departmental exercises, to business wide issues The management risk side of a business is integrated into Strategic Planning and Budget in a holistic manner In this respect, Financing of IT Risk Mitigation is optimized and more importantly justified 7

8 Renowned organizations identify the trend often as Convergence The term underlines the necessity for bringing together all components onents that affect an organization s s security The Converged approach enables enterprises to prevent, detect, respond to and recover from various security incidents by cross examining and a bringing together departments, people, processes and technology An alliance between leading Security Organizations like the ASIS International, ISSA and ISACA studied the trend and witnessed growing interest among senior executives that realize its importance The identification of security risks and interdependencies between en business functions and processes within the enterprise will lead to the development d of new managed processes (ASIS( International) The complexity and significance increases if we consider Terrorism, Cyber Attacks, Internet Viruses, Identity Theft, Fraud etc. 8

9 Is this of interest to Greek companies? My experience : Greek companies, listed with U.S.A stock exchanges have recently faced the challenge of addressing Risk Management at the Enterprise Level by seriously taking into account that their business is IT enabled (SOX compliance ) IT risks tend to severely affect the Availability and Continuity of services and resources. and critical ERP systems fall into this category y (e-bookings ) Sharing and exchange of information with critical suppliers is increasing i (logistics ) Confidential international collaboration is developing (e-data rooms ) Integrators that participate in National and International Tenders address the issue of Infromation Security and Confidentiality on their way to the submission deadline dline Full Service, instant Backup Systems are becoming mandatory 9

10 Driving Forces : Enterprises are becoming more complex in a global economy External partners are increasing (Outsourcing) The value of intangible assets and information is increasing in relation to the traditional value of hard assets Physical and Information security should be combined to deliver an holistic result Compliance and Regulatory regimes are growing Pressure to reduce costs is increasing 10

11 Security Professionals and IT Strategists need to collaborate with the Board Process owners Process developers External stakeholders in order to Conceive Strategies for avoiding potential problems Secure Budgets Design, Implement, Deliver, Support and Improve Cost Effective Secure Processes for the Extended Enterprise Educate and Prepare people for emergencies at the Enterprise Level 11

12 Bibliography [1] Enterprise Risk Management in Action. Anette Mikes. London School of Economics. Discussion Paper 35. [2] Convergence of Enterprise Security Organizations. Booz-Allen Allen-Hamilton. [3] Linkage of Risk Management, Capital Management, and Financial Management. Aaron Halpert,, Leslie Marlo Michael A. Vlahakis Dr. Engineering in Informatics - National Technical University of Athens Vgenopoulos & Partners Law Firm, IT Director 12