IBM Business Resilience Consulting Services
Achieving Business Goals by Managing IT Risk
Arjan Mooldijk, IBM Consulting
© 2012 IBM Corporation
IBM Global Technology Services – ITS – Business Resilience Consulting

The Reputational Risk study revealed three key observations concerning IT's impact on reputational risk.
#1 IT risks have a major impact on a company's reputation
#2 Companies have rising IT risk concerns related to emerging technology trends
#3 Companies are integrating IT risk and reputational risk management, with the strongest focus on threats to data and systems

"IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis." (C-level executive, Malaysian agriculture and agribusiness company)

International best practice such as ISACA, COSO and ISO 31000 clearly links operational risk to the business objectives, BUT most companies still manage risks based on incurred costs/losses.
ISACA (Information Systems Audit & Control Association): IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
COSO (Enterprise Risk Management Framework): Enterprise risk management, which incorporates Information Risk Management, is defined by COSO as a process, …, to provide reasonable assurance regarding the achievement of entity objectives.
ISO 31000: Shifts from an event to the effect risk and risk management have on an organization's objectives ... and puts the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than a compliance-based function.
IT Risk Management | Assessment approach | CFO round table - by Corporate Leaders & IBM

IT Risk Spectrum™
To thoroughly identify the business risks associated with the use of IT, the analysis should be extended beyond the "rearview mirror" by performing "what if" predictive scenario planning across the IT Risk Spectrum™:
Accuracy & Timeliness: What if IT does not provide accurate data, to the right people, at the right time, to make informed business decisions?
Agility & Appropriateness: What if IT does not respond in a timely manner with the correct new or modified IT service in support of changes in business requirements?
Security & Data Protection: What if IT does not provide the appropriate access controls while protecting the business' information and resources?
Scalability & Performance: What if IT does not maintain acceptable performance based on business needs and appropriately accommodate changes in business service volume?
Availability & Recoverability: What if IT does not keep systems running and, if necessary, recover from interruptions in line with business expectations?

Adopting a top-down approach is critical to success. By linking quantified strategic business initiatives to execution and measurable KPIs, you can determine how IT risks affect your business performance.
Align Strategic Goals with Value of IT Services:
1. Identify Business Strategic Initiatives against which to manage and exploit IT capabilities
2. Map strategic initiatives to Business and IT services with measurable indicators and estimated impact to initiatives
3. Establish IT performance metrics against the IT Risk Spectrum and Resilience Framework
Impose IT KPIs per SBI and business group (slide diagram; only the recoverable text is kept)
Example Strategic Business Initiative (SBI), $100M revenue impact, for business group BC / PG 1: Increase competitive advantage by introducing new products and services faster than competitors.
Associated Business KPIs:
1. Time to market for new product/service development projects
2. Cost to design and develop products/services
3. Etc.
For each SBI and business group (BC / PG 1, BC / PG 2), IT KPIs are assigned per IT Risk Spectrum dimension: Accurate & Appropriate; Agile & Timely; Access, Security & Info Protection; Scalable & Performing; Recovery & Availability. Example IT KPI (AD): Average time in months to fulfill a business need with relevant IT solutions.
Establish measurable IT KRIs: (S) IT/Bus strategy review = 6 mos; (P) Equip purchase = 30 days; (AD) App dev <= 2 months; (S) Security product review cycle < 2 wks; (T) SAN ports <= 80%; (F) DC Capacity <= 90%

IBM has developed industry-specific Business Process and KPI maps aligned with the cross-industry APQC Process Classification Framework (PCF)™, used by nearly 2000 organizations globally.

The benefit of this forward-looking risk management approach is twofold: it allows enterprises to anticipate IT risks and keeps IT risk management aligned with Strategic Business Initiatives.
The "Top Down" approach:
– ensures you remain aligned with Strategic Business Initiatives (SBI), and
– improves efficiency to do more with fewer resources
Root Cause Analysis makes it possible to define leading KRIs as early-warning indicators.
Scenario Planning makes it possible to mitigate risks by anticipation.

Thank you for your interest