presentation - Corporate Leaders

IBM Business Resilience Consulting Services
Achieving Business Goals by Managing IT Risk
Arjan Mooldijk, IBM Consulting
© 2012 IBM Corporation
IBM Global Technology Services – ITS – Business Resilience Consulting
The Reputational Risk study revealed three key observations concerning IT's impact on reputational risk.

#1 IT risks have a major impact on a company's reputation
#2 Companies have rising IT risk concerns related to emerging technology trends
#3 Companies are integrating IT risk and reputational risk management, with the strongest focus on threats to data and systems
"IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis."
– C-level executive, Malaysian agriculture and agribusiness company
International best practice such as ISACA, COSO and ISO 31000 clearly links operational risk to the business objectives, BUT most companies still manage risks based on incurred costs/losses.

ISACA – Information Systems Audit & Control Association: "The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise."

COSO – Enterprise Risk Management Framework: "Enterprise risk management, which incorporates Information Risk Management, is defined by COSO as a process, … , to provide reasonable assurance regarding the achievement of entity objectives."
ISO 31000: Shifts from an event to the effect risk and risk management have on an organization's objectives ... and puts the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than a compliance-based function.
IT Risk Management | Assessment approach | CFO round table - by Corporate Leaders & IBM
IT Risk Spectrum™

To thoroughly identify the business risks associated with the use of IT, the analysis should be extended beyond the "rearview mirror" by performing "What if" predictive scenario planning across the IT Risk Spectrum™:

Accuracy & Timeliness: What if IT does not provide accurate data, to the right people, at the right time, to make informed business decisions?
Agility & Appropriateness: What if IT does not respond in a timely manner with the correct new or modified IT service in support of changes in business requirements?
Security & Data Protection: What if IT does not provide the appropriate access controls while protecting the business' information and resources?
Scalability & Performance: What if IT does not maintain acceptable performance based on business needs and appropriately accommodate changes in business service volume?
Availability & Recoverability: What if IT does not keep systems running and, if necessary, recover from interruptions in line with business expectations?
Adopting a top-down approach is critical to success. By linking quantified strategic business initiatives to execution and measurable KPIs, you can determine how IT risks affect your business performance.

Align Strategic Goals with Value of IT Services:
1. Identify Business Strategic Initiatives against which to manage and exploit IT capabilities
2. Map strategic initiatives to Business and IT services with measurable indicators and estimated impact to initiatives
3. Establish IT performance metrics against the IT Risk Spectrum and Resilience Framework.
[Figure: worked example of the top-down mapping from a Strategic Business Initiative to IT KPIs and KRIs]

Strategic Business Initiative (SBI), $100M revenue impact: Increase competitive advantage by introducing new products and services faster than competitors (Business Group)

Associated Business KPIs:
1. Time to market for new product/service development projects
2. Cost of design and development of products/services
3. Etc.

Impose IT KPIs per SBI and business group (BC/PG 1, BC/PG 2), mapped to the IT Risk Spectrum dimensions: Agile & Timely; Recovery & Availability; Scalable & Performing; Access, Security & Info Protection; Accurate & Appropriate.

Example IT KPI: (AD) Average time in months to fulfill a business need with relevant IT solutions

Establish measurable IT KRIs:
(S) IT/Bus strategy review = 6 mos
(P) Equip purchase = 30 day
(AD) App dev is <= 2 months
(S) Security product review cycle < 2 wks
(T) SAN ports <= 80%
(F) DC Capacity <= 90%
IBM has developed industry-specific Business Process and KPI maps aligned with the cross-industry APQC's Process Classification Framework (PCF)™, used by nearly 2000 organizations globally.

Cross-Industry: APQC's Process Classification Framework (PCF)™
Industry Specific: Business Process and KPI Maps
The benefit of this forward-looking risk management approach is twofold: it allows enterprises to anticipate IT risks and to keep IT risk management aligned with Strategic Business Initiatives.

- The "Top Down" approach
  – ensures you remain aligned with Strategic Business Initiatives (SBI), and
  – improves efficiency, doing more with fewer resources
- Root Cause Analysis allows you to define leading KRIs as early warning indicators
- Scenario Planning allows you to mitigate risks by anticipation
Thank you for your interest