Archive

Archive for the ‘IT’ Category

Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

dominoes

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price for the company’s shares drop 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.

I welcome your comments.

Cyber risk and the boardroom

June 5, 2015 7 comments

The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formally served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.

It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.

Here are some of the points in the discussion worth emphasizing:

“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”

“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”

“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”

Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”

Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”

“Cybersecurity is a business issue, it’s not just a technology issue.”

This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.

For example, there are some more points that I would emphasize to boards:

  • It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
  • Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
  • Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
  • The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.

I welcome your comments and observations on the article and my points, above.

Cybersecurity is broken

April 11, 2015 6 comments

At least, that is what one expert has to say in a provocative piece in SC magazine.

Here are some excerpts, but I recommend you read the short article.

The author, the CEO of a software vendor of cybersecurity products, starts with these points:

…user-driven technology has progressed so rapidly that it has significantly outpaced technology’s own ability to keep data protected from misuse and guarded from cyber vulnerabilities…….

A lack of reliable security is the price we’ve paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.

He then spells out a truth that we should all acknowledge:

Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don’t lose hope, there is.

The article then takes a new direction (at least for me):

CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere……..

If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.

I do agree that the traditional, exclusive, focus on preventing an intrusion cannot continue. He says:

That’s why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that’s just dumb. Those are band-aid strategies that fail to address the heart of the problem.

He continues to press his point:

Maintaining a level of security in a boundaryless world means security and policy follow exactly what you’re trying to protect in the first place — the data……

Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data…..

In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn’t work anymore. It’s about protecting the information, wherever it is, and not about locking everything down where it’s hard to access, use and share for your employees and partners.

So he is presenting a new cybersecurity world where the security follows the data, using encryption and other methods.

I think that is something that every organization should consider – especially encryption.

But is it enough?

For a start, how secure is encryption in the face of the sophisticated attacker? Maybe it is reasonably secure now, but we cannot be sure it will remain secure. Consider how encryption was broken by researchers, with the story told in this 2013 article.

I think you need at least three levels of protection: prevention, encryption, and detection, followed by response.

We can no longer assume that the bad guys cannot get in, and I am reluctant to assume that my encryption will not be broken if they have time.

So, we need the ability to detect any intruders promptly – so we can shut them down and limit any damage.

Too few have sufficient detection in place. Just look how long hackers were inside JP Morgan, and then how long it took the company to expel them!

I welcome your views.

Understanding and managing cyber risk

March 29, 2015 8 comments

Last week, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40-50 board members very actively involved – because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals, or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved, and how useful it is – and to whom.

New information and perspectives on cyber security

March 21, 2015 10 comments

The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that they have a cyberwarfare capability: not just one unit, but three. Other nations, including the United States, Japan, and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.

What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?

The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The level of successful attacks is enormous (a billion records with personal information were hacked in 2014 according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year and the majority expects to be hacked this year. However, nearly a quarter, according to Fortune, has not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out they had been hacked, and even longer before they knew the extent of damage.

Organizations need to be ready to respond effectively and fast!

The JPMorgan Chase article reports that “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”

All is for naught if successful intrusions are not detected and responses initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”

Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all themselves; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.

What else should we do?

We have to stop using passwords like ‘password’, the name of our pet, or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)

A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps – both from in-house developers and from external sources.

Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and business-practical suggestions for improvement.

Companies and individuals, both, need to make sure they apply all the security patches released by software vendors. They address the vulnerabilities most often targeted and when there is a breach, very often it’s because the patches have not been applied.

As individuals, we should have a credit monitoring service (I do), set up alerts for suspicious activity on their bank accounts, and all the anti-virus and spam protection that is reasonable to apply.

Finally, as individuals and as organizations, we need to make sure we and our people are alert to the hackers’ attempts through malware, social engineering, and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.

Here are a couple of articles worth reading and a publication by COSO (written by Deloitte) on how their Internal Control Framework can be used to address cyber risks.

Cybersecurity in 2015: What to expect

Cybersecurity Hindsight And A Look Ahead At 2015

COSO in the cyber age

As always, I welcome your comments.

The risk of an ineffective CIO

February 28, 2015 1 comment

According to McKinsey, “executives’ current perceptions of IT performance are decidedly negative”. An interesting piece, Why CIOs should be business-strategy partners, informs us that the majority of organizations are not benefitting from an effective CIO, one who not only maintains the infrastructure necessary to run the business but also works with senior management to drive new business strategies.

Why worry about the “big” risks on the WEF or Protiviti list when the “small” risks that let your business survive and thrive are huge?

For example, the survey behind the report found that:

  • “..few executives say their IT leaders are closely involved in helping shape the strategic agenda, and confidence in IT’s ability to support growth and other business goals is waning”.
  • “IT and business executives still differ in their understanding of the function’s priorities and budgets. Nearly half of technology respondents see cost cutting as a top priority—in stark contrast to the business side, where respondents say that supporting managerial decision making is one of IT’s top priorities.”
  • “In the 2012 survey on business and tech­nology, 57 percent of executives said IT facilitated their companies’ ability to enter new markets. Now only 35 percent say IT facilitates market entry, and 41 percent report no effect.”

With respect to the effectiveness of traditional IT functional processes, few rated performance as either completely or very effective:

  • Managing IT infrastructure – 43%
  • Governing IT performance – 26%
  • Driving technology enablement or innovation in business processes and operations – 24%
  • Actively managing IT organization’s health and culture (not only its performance) – 22%
  • Introducing new technologies faster and/or more effectively than competitors – 18%

There was a marked difference when the CIO is active. “Where respondents say their CIOs are very or extremely involved in shaping enterprise-wide strategy, they report much higher IT effectiveness than their peers whose CIOs are less involved.” McKinsey goes on to say:

“We know from experience that CIOs with a seat at the strategy table have a better understanding of their businesses’ near- and longer-term technology needs. They are also more effective at driving partnerships and shared accountability with the business side. Unfortunately, CIOs don’t play this role of influential business executive at many organizations. The results show that just over half of all respondents say their CIOs are on their organizations’ most senior teams, and only one-third say their CIOs are very or extremely involved in shaping the overall business strategy and agenda.”

The report closes with some suggestions. I like the first one:

“The survey results suggest that companies would do well to empower and require their CIOs and other technology leaders to play a more meaningful role in shaping business strategy. This means shifting away from a CIO with a supplier mind-set who provides a cost-effective utility and toward IT leadership that is integrated into discussions of overall business strategy and contributes positively to innovating and building the business. Some ways to encourage such changes include modifying reporting lines (so the CIO reports to the CEO, for example, rather than to leaders of other support functions), establishing clear partnerships between the IT and corporate-strategy functions, and holding both business and IT leaders accountable for big business bets.”

Is your CIO effective, both in supplying the infrastructure to run the business and in working in partnership with business leaders to enable strategic progress?

Is this a risk that is understood and being addressed?

I welcome your comments.

New E-Book on Segregation of Duties: A Review

November 12, 2014 1 comment

I congratulate Larry Carter for his new e-book, published by Compliance Week, on the topic “Segregation of Duties and Sensitive Access: Leveraging System-Enforced Controls”.

This is a timely discussion and explanation of a difficult topic and it includes useful information on the differences between manual and automated controls, preventive and detective controls, and more.

I believe it will be a useful read for internal auditors and application developers who are relatively new to the area, and a reminder to more experienced individuals of some of the key points to consider when designing automated controls to prevent individuals from having more access than they need – which can lead not only to fraud, but disruption, errors, and accidents.

For example, when I was leading the internal audit and SOX programs at Maxtor Corporation, the external auditor asked for access so he could examine some of the SAP configurations as part of his control testing. IT inadvertently provided him not only with the access he requested, read-access to the tables involved, but the ability to change the accounting period. Without realizing what he was doing, the auditor closed the accounting period while our financial team was still posting quarter-end journal entries!

Larry makes the excellent point that we need to consider not only inappropriate combinations of access privileges (i.e., Segregation of Duties, or “SOD”) but inappropriate access to a single capability. He calls this latter Sensitive Access, although the more common term is Restricted Access (“RA”).

As he points out, it is good business practice to limit everybody to the access they need to perform their job. Although it may be easier to establish the same access ‘profile’ (a set of access privileges) for several people, care has to be taken to ensure that nobody has more access than they need. If they do, that creates a risk that they may deliberately or inadvertently use that access and create a problem.

Some years ago, my internal auditors found that an individual in Procurement had the ability to create a vendor in the system and approve payment, as well as approve a purchase order. This creates a risk of fraud. The IT manager said there was a control: “We don’t tell people what access they have”. As you might imagine, we didn’t accept that argument.

This brings me to the critical topic of risk.

Larry makes the excellent and key point that you need to design your controls to address risk. You don’t design and operate controls for any other reason. With SOD, the primary reason for limiting inappropriate combinations of access is to prevent fraud. As he says, it is important to perform a fraud risk analysis and use that to identify the SOD controls you need.

When it comes to controls relating to sensitive or restricted access, the controls you need should also be determined by risk. For example, you will probably want to ensure that only a limited number of people have the ability to approve a journal entry, not only because of the risk of fraud but because you want an appropriate review and approval process to occur before they are posted. Similarly, you will want expenditures over a certain value to be approved by a more senior manager, and that is enforced through a restricted access control.

While Larry makes it clear that risk should drive the determination of what controls you need, I wish that had been how he designed his process for identifying necessary SOD and RA controls. Instead he identifies the total population of potential controls and only then considers (although it is less clear than it should be) whether the risk justifies having a control.

In fact, sometimes there are other controls (other than automated SOD or RA controls) that mitigate or even eliminate the risk. When the design of internal controls is based on a risk assessment that considers all the available controls, you are more likely to be able to design a more efficient combination of controls to address important risks. For example, let’s say you have a risk that individuals with inappropriate access to the spare parts inventory might use that to steal materials critical to manufacturing. At first blush, a control to ensure only authorized people have access might seem mandatory – and it would certainly be good practice. But, if the manager of the warehouse had an inventory taken of that area of the warehouse twice each day, the personnel working there could be relied upon to challenge anybody entering the space, and cameras detected any access, the value of an automated RA control is significantly diminished.

A related issue that Larry unfortunately doesn’t mention is the need to limit the access capabilities of the IT staff – not only to functions within applications, but to functions within IT business processes. For example, you need to limit who can change application code or bypass all your controls using “superuser” capabilities.

Another area that is often overlooked is the need to limit ‘read-only’ access to confidential information. Access privileges that allow unauthorized individuals to view customer or employee’s personal information, or confidential corporate information, may be required to comply with laws and regulations as well as to address the risk of theft or misuse of that information.

Overall, this is an e-book with a lot of useful information and it is an easy read.

Norman Marks is a semi-retired internal audit executive, author of World-Class Internal Audit and How Good is your GRC? (both are available on Amazon), and a frequent blogger on the topics of governance, risk management, internal audit, and the effective use of technology in running the business. He can be reached at nmarks2@yahoo.com.

Information Security and Risk

October 24, 2014 4 comments

Should information security (or cyber, if we follow the latest fad) be based on risk? What is that risk, is it risk to the information or other IT resources, or is it risk to the business?

I congratulate John Pironti and Dark Reading for the intelligent perspective in a short video interview.

Two points stand out for me:

  1. The investment in information security/cyber should be based on the risk to the business and the achievement of business objectives.
  2. Information security professionals need to talk to the business in the language of the business – which is risk and performance. That means that the CISO and team need to understand the business objectives and how a failure in cyber might impair the ability to achieve them.

Information security professionals will be able to get and retain the attention of executives when they are able to explain how investments in information security help managers and the business as a whole succeed.

While information security professionals should continue to advance their understanding of technical issues, most need to upgrade their understanding of the business and business risks. Risk management guidance, such as the ISO 31000:2009 global risk management standard, should be required reading in addition to business and technical journals.

I welcome your comments.

Leading the 21st century organization

October 6, 2014 1 comment

I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.

While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).

Tom is now 71 but hasn’t slowed down. He is amazingly actively presenting all over the world, writing books, and on Twitter (where we interact from time to time).

Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.

“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”

“…the secret to success is daydreaming.”

“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”

“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”

“I’m more than willing to say that today’s two year old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”

“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”

This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

Do you agree?

Management for the next 50 years

October 3, 2014 3 comments

An article in McKinsey’s Quarterly Journal that I strongly recommend is on the topic of Management intuition for the next 50 years. My only quibble is that title implies that there is time to act; I believe organizations that prepare now for the changes described in the article will thrive immediately and their competitive advantage grow in the next decade let alone 50 years.

I recommend a careful read of the entire piece. Here are some key excerpts to whet your appetite (emphasis added):

“We stand today on the precipice of much bigger shifts…., with extraordinary implications for global leaders. In the years ahead, acceleration in the scope, scale, and economic impact of technology will usher in a new age of artificial intelligence, consumer gadgetry, instant communication, and boundless information while shaking up business in unimaginable ways. At the same time, the shifting locus of economic activity and dynamism, to emerging markets and to cities within those markets, will give rise to a new class of global competitors. Growth in emerging markets will occur in tandem with the rapid aging of the world’s population—first in the West and later in the emerging markets themselves—that in turn will create a massive set of economic strains.”

Any one of these shifts, on its own, would be among the largest economic forces the global economy has ever seen. As they collide, they will produce change so significant that much of the management intuition that has served us in the past will become irrelevant. The formative experiences for many of today’s senior executives came as these forces were starting to gain steam. The world ahead will be less benign, with more discontinuity and volatility and with long-term charts no longer looking like smooth upward curves, long-held assumptions giving way, and seemingly powerful business models becoming upended.”

The article discusses three key trends while acknowledging that there are many more:

  • Dynamism in emerging markets
  • Technology and connectivity
  • Aging populations

This is what it says about technology and connectivity:

“As information flows continue to grow, and new waves of disruptive technology emerge, the old mind-set that technology is primarily a tool for cutting costs and boosting productivity will be replaced. Our new intuition must recognize that businesses can start and gain scale with stunning speed while using little capital, that value is shifting between sectors, that entrepreneurs and start-ups often have new advantages over large established businesses, that the life cycle of companies is shortening, and that decision making has never had to be so rapid fire.”

I think this is very well said! They go on to say:

Emerging on the winning side in this increasingly volatile world will depend on how fully leaders recognize the magnitude—and the permanence—of the coming changes and how quickly they alter long-established intuitions.”

“It will be increasingly difficult for senior leaders to establish or implement effective strategies unless they remake themselves in the image of the technologically advanced, demographically complex, geographically diverse world in which we will all be operating.”

Technology is no longer simply a budget line or operational issue—it is an enabler of virtually every strategy. Executives need to think about how specific technologies are likely to affect every part of the business and be completely fluent about how to use data and technology…… Technological opportunities abound, but so do threats, including cybersecurity risks, which will become the concern of a broader group of executives as digitization touches every aspect of corporate life.”

“New priorities in this environment include ensuring that companies are using machine intelligence in innovative ways to change and reinvent work, building the next-generation skills they need to drive the future’s tech-led business models, and upskilling and retraining workers whose day-to-day activities are amenable to automation but whose institutional knowledge is valuable.”

McKinsey closes with a reiteration of the problem that is also an opportunity for those prepared to take the risk and embrace the need for change:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

I welcome your comments.

Dynamic, iterative, and responsive to change

August 23, 2014 4 comments

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, or so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change“?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

Understanding Governance Risks

July 14, 2014 4 comments

How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective?

Certainly, people talk about the potential for the wrong tone at the top. Frankly, I doubt that members of the board will be able to detect those situations where top executives talk a good game but walk to a different tune; where they put the interests of their pockets ahead of the reputation and long-term success of the organization; where they are prepared to take risks with the organization’s resources without risk to their own..

But governance risks extend well beyond that

Failures to have the time to question and obtain insight in how the organization actually works can leave the enterprise without effective risk management, information security, internal auditing, and more.

Failures to provide the board the information it needs when it needs leaves the directors blind, although they may think they can see.

The governance committee of the board should, in my opinion, consider risks related to governance processes every year. It should engage both the risk and internal audit teams to ensure a quality assessment is performed. Legal counsel should also be actively engaged as issues might have consequences if they are not handled well; for example, any assessment that the board has gaps in director knowledge, experience, or ability to challenge the executive team cannot be communicated outside the firm.

Do you agree? I welcome your comments.

Guidance for Directors on Disruptive Change

July 7, 2014 3 comments

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.

We talk about risk as if every uncertainty has a downside.

We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may rise and disappear quickly?

We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move, either out of the way or to align ourselves to benefit from the movement (think Aikidao).

In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.

What distinguishes our times from years past is the pace of change.

Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:

“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”

“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”

“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”

Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.

I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:

  1. How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
  2. Who is responsible for the assessment process?
  3. Who determines whether existing strategies, objectives, or plans should be adjusted?
  4. Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
  5. Does the assessment consider, with inclusion in the process of related experts, potential compliance and other risks?
  6. Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
  7. Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?

Do you think these are the right questions? How would your organization fare?

I welcome your comments.

Board Oversight of Cyber-Risks

June 29, 2014 4 comments

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.

In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.

But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).

I like their five principles, especially the first two:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.

In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.

In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.

Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.

I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.

Do you agree?

 

Related articles

How Good is your GRC? My book now available in paperback and soft copy

June 17, 2014 Leave a comment

Background

Anyone who has been reading my posts should know that I have concerns about the way people are misusing the term GRC. In my April post, I closed with:

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

So how do we move forward?

It is important to get each part of the business working well. But it is also important that they work together. We don’t want fragmented operations that operate in silos.

How can an organization’s board, executives, or internal auditors determine whether their different activities (such as strategy, performance, and risk management) are working together, in harmony, for the optimization of performance while acting with integrity?

 

The Book

I have a new e-book, How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners. It consolidates my thinking about what GRC means and the business problem it represents (the failure to have the various pieces work together in harmony). I include twelve questions, with discussion, that you can use within your organization in a discussion or assessment process.

 

How and Where is it Available?

If you want a soft copy to read on your PC, tablet, or eReader, a Kindle version is available from Amazon. If you want to read it on your PC, first download the free Kindle for PC app; for the iPad or iPhone, download the free Kindle app from the Apple App Store; and for an Android device, there is a free app on Google Play. Then go to Amazon to purchase the ebook.

A paperback version is now available from Amazon or (my preference) the CreatesSpace e-store.

The SOX State of the Nation

June 7, 2014 4 comments

Each of the last few years, Protiviti has conducted a survey to understand and then report on the state of SOX compliance programs. They recently published their 2014 Sarbanes-Oxley Compliance Report.

The Protiviti survey and analysis is interesting, useful, and valuable. If you contact them, they may be able to give you detail customized to your situation.

Not surprisingly, Protiviti has a major focus on how companies are adopting the 2013 update to the COSO Internal Controls – Integrated Framework.

I am surprised, as are the authors, that a large number of organizations “have yet to begin work on gaining an understanding of and implementing” COSO 2013. I join Protiviti in urging every organization subject to SOX to figure out their plan and discuss it with the external auditors a.s.a.p.

I am less surprised, even encouraged, that the majority of those who say they understand COSO 2013 are not anticipating a major increase in the level of work required for SOX compliance in 2014 and beyond. Here, I part ways with Protiviti who seem to believe that the external auditors will require organizations to do a lot more. That, in my opinion, would be a mistake.

Companies need to continue to take a top-down and risk-based approach to SOX, even in the face of COSO 2013, and this need not lead to an increase in the number of key controls included in scope (please see this post and the quotes from Jim DeLoach of Protiviti, Ray Purcell of Pfizer, and Marie Hollein of FEI).

For more on applying a top-down and risk-based approach (as required by PCAOB and SEC) to the COSO 2013 update, please see my May post on the topic. I cover it in detail in my SOX book for the IIA.

Protiviti reports that a large number of companies have, presumably with Audit Committee approval, asked the internal audit team to provide SOX project management and leadership. That is consistent with my reading of the market, from my SOX training classes and interactions on social media.

Protiviti did not address how many internal audit departments are performing SOX testing on behalf of management. My reading is that the majority of organizations is doing this, but in contrast with the early years of SOX now have sufficient resources to do both SOX testing and their normal internal audit work.

Protiviti also did not address the extent of external auditor reliance on management testing, especially where performed by internal audit. They pointed out that the PCAOB, in their October 2013 report, criticized the external audit firms for failing to document their reasons for assessing management testing to be sufficiently competent and objective for them to place reliance. Protiviti seems to assume that as the firms address this issue they will tend to reduce reliance on management testing. I fail to follow their logic.

I am pleased to report that I am now finding a number of companies where the external auditors are placing reliance on management testing for as much as 80% of the key controls work.

Another area where I tend to disagree with Protiviti is in the value of automating controls. Protiviti sees this as a significant opportunity, presumably because automated controls only need to be tested once instead of the multiple tests required of manual controls. But, this argument overlooks both the high cost of testing automated controls and the fact that they bring into scope more IT general controls risks.

However, overall Protiviti has continued to provide valuable insights into the state of SOX compliance and their report is a useful read.

I welcome your comments.

Missing the boat on IT and technology

March 29, 2014 8 comments

When you look at surveys of CEOs, such as the ones by PwC in 2014, McKinsey in 2013 and IBM in 2012, they reflect what we should all know: that the innovative use of technology is one of, if not the primary, enabler of business innovation these days. Whether it’s connecting with the customer (as referenced by IBM), obtaining market insights (through analytics including Big Data analytics – see this discussion of a McKinsey report), or simply finding new ways to deliver products and services to customers, technology is a critical driver of business success.

As PwC says:

“CEOs told us they think three big trends will transform their businesses over the next five years. Four-fifths of them identified technological advances such as the digital economy, social media, mobile devices and big data. More than half also pointed to demographical fluctuations and shifts in economic power.”

“The smartest CEOs are concentrating on breakthrough, or game-changing, innovation. They’re explicitly incorporating it in their strategies. And they’re using technology not just to develop new products and services, but also to create new business models, including forging complete solutions by combining related products and services. In fact, they don’t think in terms of products and services so much as outcomes, because they recognise that products and services are simply a means to an end.”

“Breakthrough innovation can help a company rewrite the rules and leapfrog long-established competitors.”

Organizations that fail to leverage new technology are likely to be left behind by customers and competitors. In an ISACA report on Big Data, the point was made that failing to take a risk with new technology is very often a greater risk than any risks created by the new technology.

(Please see these earlier posts on IT Risk and Audit, Deloitte says mid-market companies are  using new technology to great advantage, and Digital Transformation.)

Now we get a couple of reports and discussion documents that indicate that companies, executives, and consultants that aim to guide them are all missing the boat!

A new report from McKinsey, IT Under Pressure, says that dissatisfaction with IT’s effectiveness is growing. They start the report with:

“More and more executives are acknowledging the strategic value of IT to their businesses beyond merely cutting costs. But as they focus on and invest in the function’s ability to enable productivity, business efficiency, and product and service innovation, respondents are also homing in on the shortcomings many IT organizations suffer. Among the most substantial challenges are demonstrating effective leadership and finding, developing, and retaining IT talent.”

McKinsey points out that in their survey only 49% felt IT was effective when it came to helping the organization introduce new products and 37% said IT was effective in helping enter new markets.

Even IT executives said that they were failing when it came to driving the use of technology and innovation: just 3% were fully effective and only 10-17% very effective in related areas.

Fully 28% of IT executives and 13% of other executives came clean and said the best way to fix the problem was to fire current IT leadership!

I suggest reading the entire McKinsey piece and considering how it relates to your organization.

Deloitte’s prolific thought leadership team has weighed in with advice for the CFO, who often has IT within his organization. Evaluating IT: A CFO’s perspective starts with some good points:

“Ask finance chiefs about their frustrations with information technology (IT), and you are bound to get an earful. Excessive investments made. Multiple deadlines missed. Little return on investment (ROI) achieved. The list goes on.

“To complicate matters, many CFOs simply do not know if chief information officers (CIOs) are doing a good job. What exactly does a good IT organization look like anyway? How should IT be evaluated? And what are the trouble signs that the enterprise is not prepared for the future from a technology standpoint?”

But then they stray from the need to get IT to drive the effective use of new technology for both strategic and tactical advantage. Instead, they focus on “IT is typically the largest line item in selling, general, and administrative expense.”

This is the attitude, managing cost at the potential expense of the business, which gives CFOs a deservedly bad name!

I will let you read the rest of this paper, but when the first question it suggests for CFOs to use in assessing IT performance is “Have you tested your  disaster plan”, I am more prepared to fire the CFO who asks that as his first question than I am to fire the poor CIO who reports to him.

My first question for the CIO is “How are you enabling the organization to innovate and succeed?”

PwC asks some good questions as well:

  •          What are you doing to become a pioneer of technological innovation?
  •          Do you have a strategy for the digital age? And the skills to deliver it?
  •          How are you using ‘digital’ as a means of helping customers achieve the outcomes they desire – rather than treating it as just another channel?

Risk and internal audit professionals should consider whether the risk of missing the technology boat is at an unacceptable level in their organization.

Board members should ask how the leaders of IT are working with the business to understand and use technology for success.

CFOs should worry less about the cost of IT and worry more about the long-term viability and success of the organization if they become barriers to strategic investment.

I welcome your comments.

The continuing failure of the risk appetite debate to focus on desired levels of risk

March 22, 2014 12 comments

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which that I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.

Risk Officers on the Front Lines of the Big Data Analytics Revolution

March 8, 2014 4 comments

I was intrigued to read that when McKinsey gathered together “eight executives from companies that are leaders in data analytics …. to share perspectives on their biggest challenges”, they included not only chief information officers and marketing executives, but the chief risk officer from American Express.

The McKinsey Quarterly report that reviews the discussion doesn’t have any ground-breaking revelations. They say what has been said before, although it is still important for all of us to understand the enormous potential of Big Data Analytics.

One key point is that the existence of Big Data by itself has very limited value. It’s the ability to use emerging technology (from companies like SAP, Oracle, and IBM) to not only mine the data but deliver insights at blinding speed (using in-memory technology) that will bring amazing results.

But I was looking for more, which I explain after these quotes.

Big-data analytics are delivering an economic impact in the organization… The reality of where and how data analytics can improve performance varies dramatically by company and industry.

Companies need to operate along two horizons: capturing quick wins to build momentum while keeping sight of longer-term, ground-breaking applications. Although, as one executive noted, “We carefully measure our near-term impact and generate internal ‘buzz’ around these results,” there was also a strong belief in the room that the journey crosses several horizons. “We are just seeing the tip of the iceberg,” said one participant. Many believed that the real prize lies in reimagining existing businesses or launching entirely new ones based on the data companies possess.

New opportunities will continue to open up. For example, there was a growing awareness, among participants, of the potential of tapping swelling reservoirs of external data—sometimes known as open data—and combining them with existing proprietary data to improve models and business outcomes.

Privacy has become the third rail in the public discussion of big data, as media accounts have rightly pointed out excesses in some data-gathering methods. Little wonder that consumer wariness has risen.

Our panelists presume that in the data-collection arena, the motives of companies are good and organizations will act responsibly. But they must earn this trust continually; recovering from a single privacy breach or misjudgment could take years. Installing internal practices that reinforce good data stewardship, while also communicating the benefits of data analytics to customers, is of paramount importance. In the words of one participant: “Consumers will trust companies that are true to their value proposition. If we focus on delivering that, consumers will be delighted. If we stray, we’re in problem territory.”

To catalyze analytics efforts, nearly every company was using a center of excellence, which works with businesses to develop and deploy analytics rapidly. Most often, it includes data scientists, business specialists, and tool developers. Companies are establishing these centers in part because business leaders need the help. Centers of excellence also boost the organization-wide impact of the scarce translator talent described above. They can even help attract and retain talent: at their best, centers are hotbeds of learning and innovation as teams share ideas on how to construct robust data sets, build powerful models, and translate them into valuable business tools.

What I was disappointed in was a lack of reference to how Big Data Analytics could and should be a fantastic opportunity for risk officers and internal audit executives.

All practitioners should be familiar with the concept of Key Risk Indicators (KRI). A useful paper by COSO defines KRI:

“Key risk indicators are metrics used by organizations to provide an early signal of increasing [ndm: they should have said ‘changing’] risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.”

Some vendors (including MetricStream, IBM, and SAP) are showing us the way in which Big Data Analytics can be used to produce KRIs that are more powerful and insightful than ever before.

However, I am not convinced that practitioners are seizing the opportunity.

I fear that they are concerned about the risks as their organizations embrace Big Data Analytics to drive performance while remaining blind to the opportunity to develop KRIs so that business executives can take the right risks.

I would appreciate your views. Is it a matter of cost? Or are happy simply unaware of the potential?

ISACA releases white paper on Big Data

January 31, 2014 1 comment

ISACA has just released a new paper on Big Data that I like and recommend. (Full disclosure: I reviewed and provided feedback on a draft and I am quoted in the press release).

What I like the most is the title: “It May Be Riskier to Ignore Big Data Than Implement It”. It captures my belief that the value that can be obtained by the intelligent and creative use of analytics against the massive data sets that are available to every organization far outweighs both the cost of the effort and any associated risk.

Most organizations recognize that there is value, although in practice that value is usually limited by their ability to define the critical business questions that can be answered by the use of the wonderful new tools available today against Big Data.

They are also limited by their belief that they are constrained by inadequacies in their corporate systems.

My view is that almost any organization, no matter what size or type it is, not only can but should be taking advantage of the immense possibilities. Not to do so indicates that they lack both imagination and resolve.

Internal auditors, information security practitioners, risk professionals, and executives should be blinded to the great values and possibilities by the risks of moving forward.

Here are a few excerpts from the paper:

“New analytics tools and methods are expanding the possibilities for how enterprises can derive value from existing data within their organizations and from freely available external information sources, such as software as a service (SaaS), social media and commercial data sources. While traditional business intelligence has generally targeted “structured data” that can be easily parsed and analyzed, advances in analytics methods now allow examination of more varied data types.”

“Information security, audit and governance professionals should take a holistic approach and understand the business case of big data analytics and the potential technical risk when evaluating the use and deployment of big data analytics in their organizations.”

“For information security, audit and governance professionals, lack of clarity about the business case may stifle organizational success and lead to role and responsibility confusion.”

“By looking at how these analytics techniques are transforming enterprises in real-world scenarios, the value becomes apparent as enterprises start to realize dramatic gains in the efficiency, efficacy and performance of mission-critical business processes.”

“Understanding this business case can help security, audit and governance practitioners in two ways: It helps them to understand the motivation and rationale driving their business partners who want to apply big data analytics techniques within their enterprises, and it helps balance the risk equation so that technical risk and business risk are addressed. Specifically, while some new areas of technical risk may arise as a result of more voluminous and concentrated data, the business consequences of not adopting big data analytics may outweigh the technology risk.”

My friends and former colleagues at SAP have chimed in with an emphasis on the increased value when more sophisticated tools, especially ‘predictive analytics”, are used to mine and produce information from Big Data.

The SAP paper on this topic, “Predicting the future of Predictive Analytics” makes the point well. Here are some wise thoughts from James Fisher, an SAP executive, that focus on the risk of using analytics and Big Data without making sure that the information you are using to run the business is reliable:

“The opportunity of big data is huge, and the biggest analytical opportunity I see within that is the use of predictive analytics. The data shows companies favor taking advantage of the opportunities in front of then rather than minimizing risk.  Technology is playing a role here and making predictive capabilities even easier to use, embedding them in business processes, automating model creation. SAP is of course in a position to deliver all this.  The added question however to ask (and this is really my view) is that this does introduce an inherent risk that people don’t know what they are looking at and blinding follow what the data says…. When you read a weather forecast you immediately sanity check what it says by looking out the window, is everyone doing the same with data?”

You can read more from James on his blog.

My question to you is this:

Are you so risk averse when it comes to the use of analytics and Big Data that you are a barrier to the success of the organization?