Enterprise Risk Management taking on new dimensions

Transcription

1 Enterprise Risk Management taking on new dimensions October 2006

2 The practice of Enterprise Risk Management (ERM) is becoming more critical and complex every day. There is a growing need for organizations to look beyond individual risk elements to adopt an integrated approach to risk management that incorporates physical, technological, business process and human elements. The series of recent high profile events, such as the SARS outbreak and blackout, have brought the need for an integrated approach to risk management to the forefront in very tangible terms. These events have provided a clear view of the negative impact that business interruptions can bring in terms of revenue, staffing and overall reputation. Interruptions can compromise supply chain integrity, electronic service delivery, transaction processing, database access, premises security, communications services and more. Risk for today s enterprises can assume many forms. A severed communications link in a manufacturing facility, because of construction for example, can compromise just-in-time delivery throughout the supply chain, from sourcing of materials to delivery of finished goods to clients and could take weeks to rectify. A breach of security or unauthorized access to confidential records could have a devastating affect on healthcare service delivery. A disgruntled worker could potentially bring down a corporate network in a matter of minutes. A flu pandemic could potentially cripple the day-to-day operations of a call centre or government agency. Adding to the complexity is the fact that regulatory requirements in connection with emergency preparedness and business recovery are also playing a key role in disaster recovery planning strategies. Organizations need to stay abreast of the ever-evolving and increasingly stringent regulatory environment that is changing the way they manage their business processes.

3 It is becoming increasingly clear that the consequences of not having an integrated approach to risk are far reaching and could have an impact on business performance for months or even years. However, many organizations have not taken the proper measures to protect themselves on all fronts and continue to expose their businesses to unnecessary risk. According to a June 2006 IDC Executive brief on the state of business resilience and disaster recovery: Canadian organizations are lax when it comes to ensuring that revenue, productivity and reputation are properly protected. 1 This paper will look at the concept of Enterprise Risk Management (ERM) as we know it today, the role of convergence in evolving ERM strategies, and how enterprises can develop an ERM framework going forward. Enterprise Risk Management An effective ERM strategy must take into account business, financial, operation and technological risk. What s involved is much more than simply identifying and mitigating each risk factor. Enterprises today must also take into account the degree of each risk and determine the appropriate allocation of resources. For example, auditor functions may be ranked lower than e-commerce services when mapping recovery time objectives. Re-establishing emergency response services such as 911 would have a zero recovery time objective, while days could be allotted for restoring archived statements. In the process of risk mitigation, organizations can adopt a variety of approaches, depending on the priority of the risk and available resources. 1 IDC Executive Brief, Business Resilience and disaster recovery: Challenging Misconceptions, June

4 They can outsource all or portions of their risk management, put in measures to mitigate the risk, or simply accept it as a cost of doing business in cases where mitigation would cost more than the potential loss. Part of the ongoing challenge is to understand when and where each choice is appropriate. An important point to remember is that nothing in risk assessment is static. Any good ERM strategy will include regular assessment in order to track and adjust for changing risk factors and evolving business conditions. The Convergence Challenge The increasing convergence of IT and communications has made ERM more complex for today s security managers. They are now faced with having to integrate the entire computing, networking and communications infrastructure including hardware, software, telecommunications, authentication, access, policy development and more -- into a single risk assessment strategy. The move towards convergence of physical and logical systems is evident within virtually every industry sector, because it brings tangible business benefits to today s enterprises. In the world of manufacturing, for example, it s common place today to exchange and integrate a broad spectrum of information for both internal and external users, ranging from the physical (product scanning, premises security) to the logical (inventory and order management systems). Healthcare operations are moving towards infrastructures that manage access and control (physical card access and online authentication and verification), as well as bedside care data and electronic health records. Within enterprises, the growing business requirement for multiple applications, systems, people and processes represents a potential source 4

5 of entirely new threats to an organization as a whole. In today s converged world, a compromise to a single information asset could potentially compromise a myriad of other assets within an organization. External drivers are also playing a key role in redefining ERM. The demand for increased collaboration with partners and suppliers may extend an enterprise s reach and productivity, but also increase its vulnerability to additional threats. Overall, while it is understood that convergence delivers considerable business value, it also opens the doors to a different level of vulnerability that requires a new, more comprehensive approach to risk management. This challenge can be addressed through a full range or risk management services from Bell. Security Solutions from Bell Bell is a leader in providing integrated ERM solutions to Canadian enterprise clients. These solutions leverage a seven-layer integrated security framework that has been developed to deliver a holistic approach to ERM: 5

6 This seven-layered security model provides the framework for integrating security solutions for enterprise risk management: 1. At the core of this model is the People layer. Identity and authentication are considered the cornerstones of information security today, since they allow organizations to determine who has access to what information and what they can do with it. Bell works with its clients to develop systems and processes to provide appropriate clearance, to educate staff on risk and security related issues, to deliver regular training and to ensure proper procedures are followed to protect people in the event of a crisis. 2. Data layer services are designed to protect confidentiality of identities and integrity of data. Data encryption and digital signature are two critical elements that can be used to protect data against loss, disclosure, tampering and corruption. 3. Application layer services safeguard the privacy of internal and external communications. This includes regular vulnerability assessments at both the device and the application layers. Services also include security event management that enables the correlation of events and vulnerabilities across security devices and advanced reporting and analysis portal capabilities. 4. Host layer services offer protection from intrusion and operating system vulnerability through the use of sophisticated patch management, vulnerability scanning, and anti-virus/antispyware services. 5. Network layer services are designed to develop and support access control policies and to prevent unauthorized entry from hackers and intruders, through network intrusion prevention, vulnerability scanning, anomaly detection and other tools. 6. Perimeter layer protection encompasses enterprise firewall, VPN, anti-virus, anti-spam, anti-spyware, content filtering and compliance management. 7. Bell physical security services provide integrated IP-based solutions for video surveillance, access control, communications and biometrics. 6

7 Getting started In order to develop an effective ERM strategic plan, the first critical step is a comprehensive Threat Risk Assessment (TRA) that encompasses all seven layers of security. This is essential in allowing senior management to make informed decisions and recommend appropriate, timely and costeffective safeguards. A comprehensive TRA takes into account the interdependencies between the different policies and solutions in order to establish the scope of the project, determine the appropriate methodologies, set realistic time frames, identify key players, and determine the allocation of resources. The TRA process consists of five steps: 1. An analysis of what needs to protected 2. A threat assessment to determine what to anticipate and the consequences of the identified risks to business operations, people and processes 3. A risk assessment to determine if existing and proposed safeguards are satisfactory 4. An assessment of potential short and long-term impacts of identified threats on the entire enterprise 5. Recommendations that outline accepted risks as well as a breakdown of what an enterprise needs to do to reduce risks to an acceptable level A TRA should be updated on a regularly scheduled basis, or following an event or occurrence. Scheduled reviews allow enterprises to address changes in technology or market conditions, as well as to assess any new threat risks. The results of the TRA may initiate changes in the established status or treatment of an identified risk. 7

8 Proven track record Bell has a proven track record helping organizations in the public and private sectors address their security and risk management needs. Bell can help organizations develop and implement a cost-effective, fully integrated Enterprise Risk Management solution that spans an entire network security framework from planning and assessment to implementation and follow-up. With a team of more than 300 security professionals, coast-to-coast coverage, and a comprehensive base of vendor partnerships, Bell is the leading provider of network, physical and information security for communications to Canadian business and government. For more information, please contact your account representative or visit 8