DelCreo, Inc. An Enterprise Risk Management Company 1 Changed World, New Risks Mark Carey, CPA, CISA DelCreo, Inc

DelCreo, Inc. An Enterprise Risk Management Company 2 Risk Management Lessons and Business Applications

DelCreo, Inc. An Enterprise Risk Management Company 3 Office of Homeland Security Government Lesson US faces many new, non-conventional threats: –Terrorism –Proliferation of weapons of mass destruction –Attacks on critical infrastructure –International drug trade –etc. No single department, agency, state, local or private sector entity can handle alone, up to 46 different federal agencies are responsible for addressing the non-conventional threats The Office of Homeland Security was created to “coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to, and recover from terrorist attacks within the United States.” Business Application Businesses also face new, non-conventional and complex conventional threats that require coordinated risk management through an enterprise- wide risk management organization/function

DelCreo, Inc. An Enterprise Risk Management Company 4 Homeland Security Council Government Lesson The Homeland Security Council was established to: –Advise and assist the President with respect to all aspects of homeland security –Ensure coordination of homeland security-related activities of executive departments and agencies –Effective development and implementation of homeland security policies Business Application Consider establishing an enterprise risk council to: –Provide relevant risk information to CXO’s and BOD –Coordinate risk management activities of various functions and business units –Develop and implement corporate risk management policies

DelCreo, Inc. An Enterprise Risk Management Company 5 Silos Government Lesson Silos exist in: –departments and agencies, Federal, state and local Foreign and domestic US, allies and other –Information Systems and Databases –Processes Intelligence gathering and dissemination activities Business Application Create processes, systems and tools to reach across silos to provide the “big picture” Focus corporate risk management resources on what matters the most Leverage the “silo” expertise through better coordination for complex risks

DelCreo, Inc. An Enterprise Risk Management Company 6 Low Cost, High Tech Government Lesson Sophisticated technologies that may be employed as weapons of Mass Destruction –Biological and chemical weapons –Technology Tools that have the ability to inflict massive damage are getting cheaper Business Application Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc. Understand impact there tools may have on your organization

DelCreo, Inc. An Enterprise Risk Management Company 7 Low Tech, High Impact Government Lesson Terrorist have employed low tech weapons to inflict massive physical or psychological damage –Box cutters –Envelopes Business Application Identify assets at risk –Strategic Initiatives –People –Process –Information Systems –Physical Infrastructure –Geography –Organization –Products –Flows (supplies, information, electricity, cash, etc.) Focus risk assessment on how the asset may be impacted Consider best and worst case scenarios (to ensure preparation for best and worst times)

DelCreo, Inc. An Enterprise Risk Management Company 8 Incident Management Government Lesson The Executive Branch lacked a formal terrorist incident management process, coordinator and team The Homeland Security Director will be the individual primarily responsible for coordinating the domestic response in the event of an imminent threat, and during and in the immediate aftermath of a terrorist attack Business Application Define a formal incident management process with pre- incident planning activities, escalation triggers, defined responsibilities and response pathways

DelCreo, Inc. An Enterprise Risk Management Company 9 Early Warning System Government Lesson Silos prevented effective aggregation of early warning signals Local decisions to disregard significant information Lack of appropriate escalation metrics and thresholds Many early warning signals were not deemed credible Business Application Develop and constantly enhance quality of information collected and of early warning tools

DelCreo, Inc. An Enterprise Risk Management Company 10 ERM Definition An consistent and organization-wide approach to develop and implement a comprehensive risk strategy and program in order to: –Provide a baseline level of protection of value creating assets, or –Use risk management strategies and tools to assure success of strategic objectives and improve organizational returns (as defined by key stakeholders)

DelCreo, Inc. An Enterprise Risk Management Company 11 Business Case: Improve Total Cost of Risk Gaps in Risk Coverage and Information –Emerging risk areas –Strategic Planning and Decision Making Processes do not receive complete, reliable and timely risk information –Programs/Projects with multiple vulnerabilities –Vulnerabilities that require multiple skills, aggregation of data, etc to mitigate Cost of Managing Risks –Poor use of process enabling technology –Knowledge management –Modeling/Data aggregation tools –Coordination and communication between risk functions, business organizations, and management

DelCreo, Inc. An Enterprise Risk Management Company 12 Disaster Recovery Lessons Learned

DelCreo, Inc. An Enterprise Risk Management Company 13 Business Process and Business Unit Recovery Efforts Overlooked Lesson Most disaster planning had revolved around the data center or IT capabilities of the enterprise. Back office operations continuity plans put into effect following the September 11 th attacks often overlooked highly paper-centric back office operations business processes. Recommendation An enterprise-wide approach to continuity planning must include attention not only to the data center, IT and network communications issues, but those of time-critical business processes wherever they might flow through the organizational structure.

DelCreo, Inc. An Enterprise Risk Management Company 14 Geography Lesson Many recovery plans and arrangements were based on the assumption that local hot sites and alternate workspaces would be available. Other companies had a difficult time accessing their hot sites and alternate workspaces when air travel was stopped. Recommendation Geographic factors should be fully considered in the threat and vulnerability assessment, assumptions used in planning, and during the development of the recovery plans. Source: Mckinsey & Company, “Impact of Attack on New York Financial Services”, Nov, 2001

DelCreo, Inc. An Enterprise Risk Management Company 15 Single Points of Failure Lesson Transportation, telecommunications and power elements of the infrastructure had several key “single points of failure”. Many business processes today take place outside of an organizations boundaries. Many supply chains have key participants that are critical single points of failure outside the operational control of an individual organization. Recommendation Infrastructure, process and other third party providers should be included in the continuity planning process. Source: Mckinsey & Company, “Impact of Attack on New York Financial Services”, Nov, 2001

DelCreo, Inc. An Enterprise Risk Management Company 16 Trained Personnel Is Critical Lesson Personnel is the critical key to success For one company impacted, 100% of the people who had participated in the hotsite disaster recovery testing were killed in the September 11 th attacks Recommendations In this instance, people who had to assist in the recovery were unfamiliar with the continuity plans and actions necessary to expedite recovery operations. Organizations should incorporate cross-training and rotation of recovery plan testing and maintenance responsibilities.

DelCreo, Inc. An Enterprise Risk Management Company 17 Mix of Threats and Vulnerabilities Has Changed Lesson Terrorism threats have increased significantly in US and worldwide and will likely continue into at least the short-term future Recommendations Fundamental BCP concepts have remained the same, but terrorism threats and vulnerabilities have increased in importance, especially for Fortune 500 companies and public and private civil infrastructure organization’s people and facilities. Organizations should consider themselves at risk from a physical terrorist attack in order to improve readiness.

DelCreo, Inc. An Enterprise Risk Management Company 18 Desktop Software Offsite Backup Lesson The World Trade Center offices did not contain many, if any, mainframe computers. Almost all of the systems affected were distributed client- server type implementations. Many organizations did not store current versions of their desktop client-server software so that desktop networks can be rebuilt at an alternative site if necessary. Recommendation To avoid delays in rebuilding desktop configurations, companies should step up their programs for storage and maintenance of desktop configuration software at appropriate offsite locations as well as to train operations personnel involved in recovery efforts in the most effective and efficient ways to rapidly rebuild time-critical desktop environments.

DelCreo, Inc. An Enterprise Risk Management Company 19 Unforeseen Indirect Threats and Vulnerabilities Demand Attention Lesson The collateral impacts of the terrorist attacks has significantly affected almost all organizations in terms of airline shut downs, economic downturns in the U.S. and world economies, etc., and the ripple effects of these impacts. Recommendation Business continuity planning impact assessments should thoroughly consider value web and supply chain issues