eBusiness Risk Management by slappypappy126


eBusiness Enterprise Risk Management
Mark Carey, CPA, CISA
President
866.335.2736 x8431
mark@delcreo.com
www.delcreo.com
Enterprise Risk Management Definition

Enterprise Risk Management (ERM) is the capability to protect enterprise value by managing risk:
  – With a coordinated and systematic approach,
  – Organization-wide, and
  – Across all types of risk.
Business Risk Profiling: Risk Drivers

Strategic
•   Macro Trends
•   Competitor
•   Economic
•   Resource Allocation
•   Program/Project
•   Organization Structure
•   Strategic Planning
•   Governance
•   Brand/Reputation
•   Ethics
•   Crisis
•   Partnerships/JVs

Operational
•   Processes
•   Physical Assets
•   Technology Infrastructure
•   Business Interruption
•   Legal
•   Human Resources
•   Environmental
•   Hazard

Stakeholder
•   Customers
•   Line Employees
•   Management
•   Suppliers
•   Government
•   Partners
•   Community

Financial
•   Market
•   Accounting
•   Credit
•   Cash Management
•   Taxes
•   Regulatory Compliance

Intangible
•   Knowledge
•   Intellectual Property
•   Information Systems
•   Databases
•   Information for Decision Making
Business Impact Assessment

• Management challenges the numbers
   – Make it “real” for senior management
   – Typical approach/measures often do not line up with how CEO, CFO, CIO evaluate their business and make decisions

Shareholder Value Levers
  Growth
   • Accelerate growth in current businesses
   • Drive adoption of next generation appliances, e-services and infrastructure in high growth markets
  Cost and Efficiency
   • Value Web and Organizational Efficiency
   • Streamline decentralized operating model
   • Total Customer experience approach
  Capital
   • Take advantage of strong balance sheet
  Market Variables
   • Create e-services ecosystems - place HP at the center

Risks That Matter
   • Customer Facing Business Models
   • Virtual Supply Chain
   • Partnerships and Alliances
   • e-Business Infrastructure
   • Venture Capital Investments
   • Human Resource
   • Organizational Change/Allocation of Resources
   • Intellectual Property

Risk Management Culture and Infrastructure
   • Risk Strategy
   • Risk Management Processes
   • Technology
   • Functions
   • Culture and Capability
   • Governance

Improvement Initiatives
   • Senior Management Validation and Support
   • eRisk Rapid Response (eR3) Process
   • Risk Coverage Mapping
   • Risk Management Workbench
   • Detailed Risk Analysis
   • eBusiness Risk Management Benchmark
Practical Application: Hewlett-Packard ERM Transformation

Traditional
   [Diagram: separate, uncoordinated risk functions (Legal, EHS, IT Security, Internal Audit, Physical Security, Insurance, BCP) with risks scattered between them]

Transformation
   • Coordination among risk functions to increase risk coverage and decrease cost
   • Enable business initiatives to address risk issues quickly to decrease time to market
   • Alignment with business strategies and objectives
   • Consistent and organization-wide processes
   • World-class risk management tools
   • Focus on risks that impact stakeholder value

World-Class
   [Diagram: risk functions (GRM, IT Security, Internal Audit, EHS, BCP, Legal, Physical Security) coordinated around ERM]
   • Risk Strategy and Framework
   • RM Process: Assess Risk, Treat Risk, Monitor & Report
   • Risk Management Tools, Knowledge Sources, RiskWeb
   • Metrics and Reporting
   • Risk Management Process: individual risks (Risk 1 through Risk 6) evaluated against Revenue, Cost and Assurance

Source: Hewlett-Packard – Used with permission
eBusiness: So What?

•   “The ‘telephone’ has too many shortcomings to be seriously considered a means of communication.”
     – Western Union Internal Memo, 1876

•   “This wireless music box has no imaginable commercial value. Who would pay for a message sent to nobody in particular?”
     – David Sarnoff’s associates in response to his urgings for investment in Radio in the 1920s

•   “Who the hell wants to hear actors talk?”
     – Harry M. Warner, Warner Bros, 1927

•   “There is no reason for any individuals to have a computer in their home.”
     – Ken Olsen, President, Chairman and Founder of DEC, 1977

•   “Heavier-than-air flying machines are impossible.”
     – Lord Kelvin, President, Royal Society 1895

•   “Airplanes are interesting toys but of no military value.”
     – Marshal Ferdinand Foch, Professor of Strategy, Ecole Supérieure de Guerre
eBusiness Trends

•   Real Time Enterprise
•   Low Tech, High Impact
•   High Tech, Low Cost
•   Cyber-Activism

“Real Time” Enterprise

•   “Ciscoize” and “Dellize” Every Business
•   Adaptive architecture, evolvable applications
•   Federation NOT integration
•   Architecture to connect architectures
•   Rapid, incremental implementation
•   Instantaneous “financials”, metrics, supply chain, customer support...

“Spontaneous transaction flow and information transparency throughout the extended enterprise”

Customized from presentation “TECH WRECK or TECH TREND: Perspectives on Technology Investing”, Vinod Khosla, Kleiner Perkins Caufield & Byers, September, 2001
Low Tech, High Impact

•   Terrorists have employed low tech weapons to inflict massive physical or
    psychological damage
     – Box cutters
     – Envelopes
•   Infrastructure is vulnerable to unsophisticated attacks
•   Identify assets at risk
     –   Strategic Initiatives
     –   People
     –   Process
     –   Information Systems
     –   Physical Infrastructure
     –   Geography
     –   Organization
     –   Products
     –   Flows (supplies, information, electricity, cash, etc.)
•   Focus risk assessment on how the asset may be impacted
High Tech, Low Cost

• Sophisticated technologies/tools that may be employed
  as weapons of Mass Destruction/Interruption
   – Biological and chemical weapons
   – Technology
• Technologies/tools that have the ability to inflict massive
  damage are getting cheaper every day
• Sophisticated tools are increasingly affordable and are
  being used by competitors, customers, employees,
  litigation teams, etc.
Cyber Activism

• The Internet: “a powerful tool for
  communicating and coordinating action.”
  –   Collection
  –   Publication
  –   Dialogue
  –   Coordination of action
  –   Direct lobbying of decision makers
eRisks... Just a Few

•   Cyber terrorism
•   Hacktivism
•   Data Privacy
•   Critical Infrastructure Failure
•   Intangible Property
•   Third Parties
Cyber terrorism

• “The convergence of terrorism and cyberspace”
• Definition
   – “Unlawful attacks and threats of attack against computers,
     networks, and information stored therein when done to
     intimidate or coerce a government or its people in furtherance of
     political or social objectives” – FBI Definition
• Tamil guerrillas send 800 emails a day to Sri Lankan embassies to “disrupt communications”
• NATO computers hit with e-mail bombs and denial-of-service attacks during the 1999 Kosovo conflict
• Pro-Palestinian and pro-Israeli groups deface Israeli and Palestinian sites over a one-month period in October 2000
Hacktivism

• Definition
  – Operations that exploit computers in ways that are
    unusual and often illegal to further social causes.
• Methods
  –   Virtual Sit-Ins and Blockades
  –   E-Mail Bombs
  –   Web Hacks and Computer Break-Ins
  –   Computer Viruses and Worms
Data Privacy

•   Credit card information
•   Identity theft
•   Bio-Metrics
•   Differences in Regulations
    –   United States
    –   Canada
    –   European Union
    –   Other
Critical Infrastructure Failure

• Today’s business system
   – Complex
   – Tightly coupled
   – Heavily dependent on infrastructure
• Interconnectivity of infrastructure
   –   Telecommunications
   –   Power generation and distribution
   –   Transportation
   –   Medical care
   –   National defense
   –   Other critical government services
• Ripple effects of infrastructure failure
Intangible Property

• Mismanagement
  – Loss or theft by competitors
  – Inability to profit
  – Sharing without compensation
• Poor use of risk management techniques
  – Insurance
  – Continuity planning
  – Business Controls
• Complicated by the increase in the number of third parties and the
  “virtual” supply chain
Third Parties

• Risk appetite, strategy and sophistication
  variances
• Brand/reputation inequity
• Regulatory compliance complications
• Intangible property
• Contingency planning
eBusiness Risk Management

•   Risk Strategy
•   Risk Committees
•   Risk, Incident and Crisis Management
•   Risk Management Intranet Portals
•   Enterprise Risk Management
Risk Strategy

• Accept Risk: Management decides to continue operations as is with a consensus to accept the inherent risks
• Transfer Risk: Management decides to transfer the risk (for example) from one business unit to another, or from one business area to a third party (e.g., an insurer)
• Eliminate Risk: Management decides to eliminate risk through the dissolution of a key business unit or operating area
• Acquire Risk: Management decides that the organization has a core competency in managing this risk, and seeks to acquire additional risk of this type
• Reduce Risk: Management decides to reduce current risks through improvement in controls and processes
• Share Risk: Management attempts to share risk through partnerships, outsourcing, or other risk sharing approaches
Silos

• Silos exist in:
    – Functions and Business Units:
        • Corporate and operations
        • Foreign and domestic
    – Information Systems and Databases
    – Processes
        • Risk management
        • Strategic planning
        • Legal
• Create processes, systems and tools to reach across silos to provide
  the “big picture”
• Focus corporate risk management resources on what matters the
  most
• Leverage the “silo” expertise through better coordination for
  complex risks
Risk Committees

• Informal Groups
• Enterprise Risk Council
• Board of Directors
   – Audit Committee
   – Risk Committee

Roles and Responsibilities
• Provide risk management program leadership, strategy and implementation direction
• Develop risk classification and measurement systems
• Develop and implement escalation metrics and triggers
• Develop and monitor early warning systems, based on escalation metrics and triggers
• Develop and deliver organization-wide risk management training
• Coordinate risk management activities – some functions may report to the CRO, while others will be coordinated
What is Incident and Crisis Management?

Event - An internal or external action or occurrence that may or may not impact the organization’s stakeholders, processes, technology, infrastructure, brand or intangible property

Incident - An unexpected, negative event involving potential damage to the organization’s stakeholders, processes, technology, infrastructure, brand, or intangible property

Crisis - An unexpected, negative event that threatens the lives of stakeholders or could materially impair the organization and its ability to operate
Example: Objectives of an Incident & Crisis Management Program

The incident and crisis management process is designed to enhance our interactions with our customers. The following areas will be addressed:
  – Identify clear roles and responsibilities
  – Develop a consistent and coordinated approach
  – Improve communication to all stakeholders and media
  – Reduce incident reporting, verification and response time
  – Enable timely and efficient management of incidents
  – Leverage learnings and ensure process improvement
Risk, Incident and Crisis Management

[Diagram: three tiers ordered by increasing impact]

Crises – Crisis Management Process: Monitor & resolve the “critical few” with the crisis management team

Incidents – Incident Management Process: Monitor & resolve quickly at the most appropriate level using existing structure and processes

Events – Risk Management and Business Controls: Assess potential impact of events and implement appropriate risk management & business controls
RiskWeb: Risk Function Collaboration
[Screenshot not included] Source: Hewlett-Packard – Used with permission

RiskWeb: Knowledge Base
[Screenshot not included] Source: Hewlett-Packard – Used with permission

RiskWeb: Resource Center
[Screenshot not included] Source: Hewlett-Packard – Used with permission

RiskWeb: Discussion Forums
[Screenshot not included] Source: Hewlett-Packard – Used with permission
ERM Framework

Business Objectives
• Manage Growth
• Drive Innovation
• Control Cost
• Allocation of Capital

Risk Drivers (Risks)
•   Strategic
•   Operational
•   Stakeholder
•   Financial
•   Intangible

Strategy
  Risk Strategy
  • Appetite
  • Prioritize
  • Treatment Approach
  Program Strategy
  • Develop
  • Deploy
  • Continuously Improve
  Capability
  • Functions
  • Process
  • Organization
  • Culture
  • Tools
  • Enterprise-Wide Integration
  • Risk Attributes

Capability
  Risk Functions (coordinated around ERM): Internal Audit, BCP, Legal, EH&S, IT Security, Risk Mgmt
  Risk Management Process: Risk Strategy & Appetite, Assess Risk, Treat Risk, Monitor & Report
  Organization
  • Enterprise Risk Committee
  • CRO or ERM Manager
  Culture
  •   Knowledge Mgmt
  •   Metrics
  •   Training
  •   Communication
  Tools
  • RiskWeb
  • Early Warning System
  • Assessment and Quantification tools
  Enterprise-wide Integration
  •   Strategic Planning
  •   Programs/PMO
  •   Processes
  •   Functions
  Risk Attributes
  •   Lifecycle
  •   Individual
  •   Portfolio
  •   Qualitative
  •   Quantitative

								