Monday, April 26, 2010

Introduction

During disasters like the financial crisis, 9/11 or Hurricane Katrina it became clear that although enterprise risk management policies were in place, they either proved ineffective or turned out to be hazardous themselves. Avoidance or containment of the problem came too late, was poorly managed, or the actions taken were simply wrong. But these Black Swans – disasters with major economic impact across industries – are not always the focus of risk management, nor should they be. Tighter security could have prevented hackers from stealing 40 million credit card numbers from MasterCard in 2005 [1] and thus reduced the damage to its reputation. Another example is the data loss at T-Mobile in 2009, when personal information, contacts, calendar entries and other data were lost during an incident [2]. This not only damaged T-Mobile's reputation and created heavily disgruntled Sidekick users, but also cost customers and subsequently revenue.

In the wake of the financial crisis, many risk management consultancies are coming up with new solutions and ideas for how these risks could have been avoided or reduced effectively [3]. But the problem companies now face is: How do we know that these technologies and policies are indeed helping to reduce the risks during an incident, without waiting for it to happen? How do we know that the money we spent is yielding a positive Return on Investment?

In this blog, I would thus like to address the issue of Enterprise Risk Management policies, the best practices and regulations that need to be considered, and then give an overview of the techniques and applications that can be used to audit these policies and prove that they add value to the company, with an emphasis on the IT environment.
The outline for the blog is:
  • Disasters, their consequences and how they could have been circumvented with the right policies and technologies
  • Best practices in designing IT Risk Management policies
  • Auditing tools and techniques that can help to prove these policies correct

References:

[2] Ars Technica, "T-Mobile and Microsoft/Danger data loss is bad for the cloud", October 12, 2009, http://arstechnica.com/business/news/2009/10/t-mobile-microsoftdanger-data-loss-is-bad-for-the-cloud.ars
[3] A.E. Feldman, "Risk Management Watch: Financial Crisis Big Opportunity for Risk Professionals",  http://blog.aefeldman.com/2009/01/27/risk-management-watch-financial-crisis-big-opportunity-for-risk-professionals/

Enterprise Risk Management policies and their influences: Example 1 - Law Firms and 9/11

A comparison between two law firms that were based near the World Trade Center, and their actions before, during and after the 9/11 terrorist attacks, shows how enterprise risk management policies play an important role in business continuity. Many firms did not only lose colleagues and friends in the attacks, but also their working environments and the data they needed daily. In this incident, we can look specifically at two law firms that were involved. The first law firm did not have any business continuity plan, an important part of enterprise risk management policies. Its data was stored in the basement of the World Trade Center towers. Following the attack, the actions by management were disorganized, important data for ongoing lawsuits had not been saved in a safe facility, and it took months of copying materials from courts and rival law firms to bring their records back to their last state [1].

On the other hand we have Company B, which not only had its data backed up in a safe facility, but also had a disaster recovery plan worked out. Within days, they moved into new rooms, restored their data, established telephone and internet connections and continued their work, thus reducing their monetary losses tremendously. This not only saved them much effort in regaining the data, but even prevented them from filing for bankruptcy [2].

In essence, an early investment in disaster management, together with checking the policies against the risks they address, can help a company recover from an incident in a much shorter time than it otherwise would, and testing the steps through an audit can help to identify weaknesses in the policies.


References:

[1] ZDNet, "How 9/11 changed disaster planning", September 11, 2002, http://www.zdnet.co.uk/news/it-strategy/2002/09/11/how-911-changed-disaster-planning-2122113/
[2] BNet, "A disaster plan in action: How a law firm in the World Trade Center survived 9/11 with vital records and employees intact", http://findarticles.com/p/articles/mi_qa3937/is_200305/ai_n9260326/?tag=content;col1

Enterprise Risk Management policies and their influences: Example 2 - Societe Generale

Another incident involving enterprise risk management policies happened in France at Societe Generale at the beginning of 2008. A junior trader, Jerome Kerviel, was responsible for losing $7 billion through high-stake bets on the development of major European indices [1]. The interesting part of this story is that even though he did not have the authority to make these bets, he was able to mask his trading through his internal knowledge of the security software. Even though he triggered many security and policy rules, he was able to persuade his managers, through fake order request e-mails from supposed customers, that everything was conducted according to policy [2]. A further investigation showed that even though compliance officers received over 75 alarms concerning Kerviel’s activities, they “rarely went beyond routine checks and did not inform managers of anomalies, even when large sums were concerned” [3]. In the aftermath, Kerviel was sentenced to only three years in prison, since he was not trading for his own benefit and mainly because the company fell short in supervising his actions.

In conclusion to this incident: Societe Generale did have risk management policies, including a tight network of alerts and personnel that supervised the systems, but fell short in recognizing the threat and taking the necessary precautions to reduce the impact. An independent audit of the policies could have led to better training of the persons in charge as well as a faster reaction to the incident.


References:

[1] New York Times, "Former Societe Generale trader had big bets in place as early as June", November 9, 2009, http://www.nytimes.com/2008/02/19/business/worldbusiness/19iht-socgen.5.10203247.html
[2] BusinessWeek, "The lessons of Societe Generale", Unknown date, http://www.actimize.com/index.aspx?page=news119
[3] The Times, "Societe Generale missed 75 warnings on trader Kerviel", http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article3407991.ece

Definition of Enterprise Risk Management (ERM) and its components

After making clear that effective Enterprise Risk Management (ERM) policies are needed, we need to define clearly what ERM is and which components and actions are essential to minimize risks in today’s environment.

First, we have to clarify what risk and risk management are. Most organizations and standards define risk the way the National Institute of Standards and Technology (NIST) does, as “a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization” [1]. Risks in this context are potential negative influences on a company’s operations. The management of these risks usually includes the steps of identifying possible risks, assessing their impact on the organization, planning actions to avoid, reduce, share or retain the risks, and continuously re-evaluating the results when the environment changes [1], [2]. Depending on the area in which the risks have to be managed, the definition and the steps may vary slightly.
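To make the definition concrete, here is a small risk register worked through the steps just listed: score each risk from likelihood and impact, apply the existing controls to get the residual risk, rank, and attach a treatment (avoid, reduce, share or retain). This is an added example written for this post, not code from the blog or from NIST. The numeric scales are my reading of the Risk-Level Matrix in NIST SP 800-30 (2002), the guide cited as [1] (an assumption: likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; a score above 50 is High risk, above 10 Medium, otherwise Low); the register entries are constructed.

```python
"""Qualitative risk assessment and treatment planning for a small IT risk register.

Added example, not code from the blog. Scales follow the NIST SP 800-30 (2002)
Risk-Level Matrix as I recall it (assumption); likelihood is kept in percent so
that every score is an exact number. Register entries are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LIKELIHOOD = {"high": 100, "medium": 50, "low": 10}   # percent
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Treatment option per risk level: avoid, reduce, share or retain.
TREATMENT = {
    "High": "avoid or reduce: corrective control required before go-live",
    "Medium": "reduce or share (e.g. insurance, outsourcing) within a set period",
    "Low": "retain and monitor; re-evaluate when the environment changes",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood of a threat exercising a vulnerability x resulting impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact] / 100


def risk_level(score: float) -> str:
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: str          # inherent likelihood, before controls
    impact: str              # inherent impact, before controls
    # Existing controls, each with the likelihood/impact it leaves behind.
    controls: List[Tuple[str, str, str]] = field(default_factory=list)

    def inherent(self) -> float:
        return risk_score(self.likelihood, self.impact)

    def residual(self) -> float:
        """Risk remaining after the last listed control is applied."""
        if not self.controls:
            return self.inherent()
        _name, lik, imp = self.controls[-1]
        return risk_score(lik, imp)


def assess(register: List[Risk]) -> List[dict]:
    """Rank the register by residual risk and attach a treatment plan."""
    rows = []
    for r in register:
        level = risk_level(r.residual())
        rows.append({"risk": r.name, "inherent": r.inherent(),
                     "residual": r.residual(), "level": level,
                     "treatment": TREATMENT[level]})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed register, loosely following the incidents discussed in this blog.
REGISTER = [
    Risk("Loss of primary office and data (disaster)", "low", "high",
         controls=[("off-site backup with tested restore", "low", "medium")]),
    Risk("Trades placed beyond authorised limits", "medium", "high",
         controls=[("alert escalation to management", "low", "high")]),
    Risk("Breach of customer card data", "high", "high"),
    Risk("Short power outage", "high", "medium",
         controls=[("in-house generator", "high", "low")]),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['level']:6} {row['residual']:6.1f}  {row['risk']}: {row['treatment']}")
```

The re-evaluation step is the loop itself: when a control is added or the environment changes, edit the register and run the assessment again; the ranking shows which residual risks still need treatment.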

Prince2 OGC Manual - Risk Management Cycle, p.242

In contrast to the clear definition of risk and risk management, Enterprise Risk Management currently lacks clear and precise components. The definition varies greatly between organizations. For instance, the Casualty Actuarial Society defines it as “linking risk management with the creation of organizational value expressing risk in terms of impact on organizational objectives”, encompassing hazard, financial, operational and strategic risks [3]. Other sources divide the areas more finely, into legal risks, tax risks, regulatory risks, etc. [4]. Other definitions range from “a disciplined approach aligning strategy, processes, people, technology, and knowledge to manage uncertainties as the enterprise creates value” to “the assessment of collective risks that affect value and the implementation of a company-wide strategy to maximize that value” [5].

What all these definitions have in common, though, is that Enterprise Risk Management takes a holistic view of risk management [6]. Different risks are not managed by their functional departments (e.g. financial risks by the finance department), but by a committee that is specialized in assessing risks and sees the “big picture” instead of the narrow view of each department. Risk management frameworks like COSO (explained in the next blog post), combined with service management frameworks like COBIT or ITIL, give a set of best practices that can be used to control most of the operational and strategic risks that occur in the IT environment. They have several important aspects in common that need to be managed:
  • IT Security, including the management of risks from threats coming from the inside, e.g. knowledgeable employees who use the IT for their own purposes, as well as outside threats like hackers or even hostile governments.
  • Data Management, including not only planning for disasters and backing up data in a safe location with recovery tests, but also the management of communication tools like instant messaging [7] or e-mail. This also implies management of new data storage technologies, e.g. within a cloud.
  • Business Continuity, which is closely linked to the other areas and includes not only high-impact, low-probability threats (“Black Swans”) like 9/11, but also more likely threats, e.g. a power outage and the continuation of business through in-house power generators.
  • Change and Release Management. Many risks arise through changes to the current systems and the disruption of normal operations they cause. Especially in IT, where a seemingly small bug can result in a complete shutdown, managing these risks is of the utmost importance.
  • Compliance with laws. Since the Sarbanes-Oxley Act, specific processes and guidelines on how risks should be managed and subsequently monitored are required of every company. Non-compliance can result not only in high fines, but in tighter regulation by the government [8].
Although there are already established frameworks for managing enterprise risks, the amount of resources that need to be invested in certain parts depends heavily on the business the company is in. While banks may emphasize IT security and the avoidance of interruptions to IT systems, retailers like Walmart may focus on data management, since their business intelligence is their main competitive advantage. With this in mind, a good ERM system always considers the business context it is used in.


References:

[1] National Institute of Standards and Technology, Risk Management Guide for Information Technology Systems, Gary Stoneburner, Alice Goguen, and Alexis Feringa
[2] ISO/IEC 31010 Final Draft
[3] Casualty Actuarial Society, “Overview of Enterprise Risk Management”, Enterprise Risk Management Committee, May 2003
[4] Lisa K. Meulbroek, “Integrated Risk Management for the Firm:  A Senior Manager’s Guide”, Harvard Business School
[5] John J. Hampton, "Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposures, and Seize Opportunities", AMACOM, 2009
[6] James Lam, "Enterprise Risk Management: From Incentives to Controls", John Wiley & Sons, 2003
[7] Nancy Flynn, "Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication", AMACOM, 2004
[8] Anne M. Marchetti, "Beyond Sarbanes-Oxley Compliance: Effective Enterprise Risk Management", John Wiley & Sons, 2005

The COSO ERM Framework

Although there is currently no fixed standard for which ERM framework has to be used, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has established an ERM framework that is not only fully SOX-compliant [1], but touches all necessary areas from different perspectives and is recommended by the AICPA’s Auditing Standards Board. It was first introduced in 1992, originally focusing not on risk management but on internal control problems that proved difficult for enterprises [2]. In response to financial, accounting and auditing scandals like Enron, Tyco and WorldCom, the COSO framework was republished in an updated version in 2004 to comply with the SOX Act. It now focuses on giving a broad understanding of all aspects of enterprise risk management by defining essential components, providing a common language and giving clear direction and guidance on how risk should be managed, giving the organization a portfolio view of risks [3].

The key issues that are important when using the COSO Framework are [4]:
  • ERM is a process
  • The ERM process is being implemented by people
  • The concept of risk appetite has to be considered
  • ERM is designed to help attain the achievement of objectives
  • ERM provides only reasonable, not complete assurance on objective achievements
The framework can be imagined as a cube, with the four objective categories as vertical columns, the eight components as rows and the five business units as the third dimension.

Institute of Internal Auditors -COSO ERM Framework [3]


References:

[1] Robert R. Moeller, “Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL”, John Wiley & Sons, 2008
[2] Robert R. Moeller, “COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework”, John Wiley & Sons, 2007
[3] Institute of Internal Auditors, “Applying COSO’s Enterprise Risk Management Integrated Framework”, http://www.ucop.edu/riskmgt/erm/documents/coso_erm_frmwrk.ppt
[4] Anthony Tarantino, “Manager's Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB's A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies”, John Wiley & Sons, 2006

Myths about Enterprise Risk Management in an IT environment

There are several persistent views on Enterprise Risk Management, especially in the IT area, that are not necessarily close to reality. Many of them explain why ERM does not yet receive the recognition it deserves as a key function of a well-led company. In the following I present some of the most dominant myths and compare them with reality:
  • IT Risk is mainly IT Security. While some frameworks and publications by organizations like NIST focus nearly entirely on the security factor of IT Risk Management [1], a large part of IT Risk Management in an enterprise environment also deals with compliance, performance and availability issues. A study by Symantec showed that although security is a very important part of the risk management processes, availability and compliance are more or nearly as important [2]. For instance, the IT Policy Compliance Group found that “firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements” [3].

    Importance of IT security in ERM [2]

  • IT Risk is based only on science and a quantitative model is enough to measure risks effectively. While a strong quantitative model is a keystone of good risk management practice, relying solely on these models can be devastating. A quantitative model is an abstract view of the real world. Some models oversimplify reality and cannot react to unforeseen disasters like the financial crisis. For instance, 49% of respondents to a survey were not satisfied with the Value-at-Risk performance measure during the financial downturn [4]. A strong quantitative model along with knowledge of the business context is very important to manage risks effectively.
  • IT Risk can be managed through technology alone. Although many risks can be managed through technology, the most common root causes of IT risks stem from process issues (53%), environmental configuration (51%) and staff skills (41%) [2]. IT management frameworks like ITIL and COBIT, assisted by technology systems, can improve risk management much more than a technology-only solution.
In conclusion, there are many traditional beliefs about what Enterprise Risk Management is and how it is done. Most of those beliefs are true to some extent, but only grasp a part of the whole field.


References:

[1] National Institute of Standards and Technology, “Guide for Applying the Risk Management Framework to Federal Information Systems”, Department of Commerce, February 2010
[2] Symantec, "IT Risk Management Report 2: Myths and Realities", http://eval.symantec.com/mktginfo/enterprise/other_resources/b-it_risk_management_report_2_01-2008_12818026.en-us.pdf
[3] IT Policy Compliance Group, "Why Compliance Pays: Reputation and Revenues at Risk", http://www.itpolicycompliance.com/research_reports/spend_management/read.asp?ID=10 (July, 2007)
[4] Corporate Executive Board Corp., "Six Risk Management Myths", http://www.scribd.com/doc/26301480/Six-Risk-Management-Myths

The role of IT Audit in the ERM environment

After speaking about past disasters and their root causes, giving an introduction to the standard ERM objectives and components, and clarifying some myths, a key question still remains: After introducing an ERM, how do I know that the policies are correct and the personnel are following the rules? How do I know that the policies that were once created are still relevant and up to date?

At this point, an audit of the policies has to be conducted. Auditing can be defined as an “independent, objective assurance and consulting activity [which] helps organizations accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” [1]. Historically, auditing was first developed to aid in controlling accounting and bookkeeping issues and gradually developed into a full business field in the early 1900s. The field of IT auditing developed slowly, starting in the 1950s, but was only fully acknowledged in the late 1970s and early 1980s, when the CISA exam was introduced [2].

There are several types of documents within an organization, with different levels of controls and restrictions pertaining to business operations, that have to be taken into account during an audit [3]:
  • Policies: high-level documents, signed by the highest authorities (e.g. the Executive Board), that pertain to the most important control objectives. These directions are mandatory for every employee.
  • Standards: the next lower-level documents, which ensure compliance with the policies imposed either by the company itself or by external sources, e.g. government laws in accounting or IT. These directions are mandatory for every employee as well.
  • Guidelines: these can be used if no policy or standard gives a clear direction for a situation. Most of the time they give general information on how a situation should be handled. Guidelines can be mandatory, e.g. a Code of Conduct, or optional, like higher ethical standards.
  • Procedures: normally step-by-step programs of how a certain task can be done according to best practices. Compliance should be mandatory to ensure quality and reliability.
The key functions in an IT audit are [4]:
  • Controlling adherence to the set policies, standards and procedures. This is a major part of the audit function. Although employees may know the restrictions and standards that should be used, sometimes it would be easier not to follow them in order to simplify activities. Since too many activities occur during a given period, it would be impossible to control everything. With this in mind, many audits only take samples of a low percentage of activities and conduct a deeper audit only if an incident is found in the tests.
  • Reviewing the limits and boundaries for all operations. The constant review of set boundaries is important so as to neither constrict an otherwise more economical outcome nor give employees too much freedom, which could result in high losses.
  • Ensuring segregation of duties. By ensuring that each decision is controlled by at least a second person, a willful misuse of power (e.g. a manager who is responsible for putting out a request for tender for materials and himself decides which company receives the contract) can be averted. This keeps employees from wielding too much power that could hurt the company.
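The three audit functions above can be turned into checks that run over an activity log, which is what a continuous audit of adherence, limits and segregation of duties looks like in practice. The following is an added example written for this post, not code from the blog or from the cited book: it runs a segregation-of-duties check (the tender example above), an authority-limit check with escalation once one actor has accumulated several breaches (the point of the Societe Generale case, where dozens of alarms never went beyond routine checks), and a random sample of the remaining actions for manual review. The procurement log, the actors, their authority limits and the CSV layout are all constructed.

```python
"""Audit checks over a constructed procurement log: segregation of duties,
authority limits with escalation, and sampling for manual review.

Added example, not from the blog or any product. The log, the actors, their
authority limits and the CSV layout are constructed assumptions.
"""
import csv
import io
import random
from collections import defaultdict

# Constructed log: one row per action on a request for tender.
LOG = """\
ts,actor,action,tender,amount
2010-04-01T09:00,alice,issue_tender,T-100,0
2010-04-03T10:00,bob,award_contract,T-100,48000
2010-04-05T11:00,carol,issue_tender,T-101,0
2010-04-07T12:00,carol,award_contract,T-101,120000
2010-04-08T13:00,dave,award_contract,T-102,75000
2010-04-09T14:00,dave,award_contract,T-103,80000
2010-04-10T15:00,dave,award_contract,T-104,90000
"""

# Constructed: the amount each actor may award on their own authority.
AUTHORITY_LIMIT = {"alice": 50000, "bob": 50000, "carol": 100000, "dave": 50000}
ESCALATE_AFTER = 3  # this many breaches by one actor must reach management


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = int(row["amount"])
    return rows


def sod_violations(rows):
    """Tenders where one person both issued the tender and awarded the contract."""
    actors = defaultdict(lambda: defaultdict(set))   # tender -> action -> actors
    for row in rows:
        actors[row["tender"]][row["action"]].add(row["actor"])
    found = []
    for tender, by_action in sorted(actors.items()):
        both = by_action["issue_tender"] & by_action["award_contract"]
        found.extend((tender, actor) for actor in sorted(both))
    return found


def limit_breaches(rows):
    """Awards above the acting person's authority limit: (actor, tender, amount, limit)."""
    return [
        (row["actor"], row["tender"], row["amount"], AUTHORITY_LIMIT[row["actor"]])
        for row in rows
        if row["action"] == "award_contract"
        and row["amount"] > AUTHORITY_LIMIT[row["actor"]]
    ]


def escalations(breaches, threshold=ESCALATE_AFTER):
    """Actors whose breach count reached the threshold; a routine check is no
    longer enough for these and management has to be informed."""
    counts = defaultdict(int)
    for actor, *_rest in breaches:
        counts[actor] += 1
    return sorted(actor for actor, n in counts.items() if n >= threshold)


def sample_for_review(rows, fraction=0.3, seed=1):
    """Reproducible random sample of actions for the manual part of the audit."""
    k = max(1, round(len(rows) * fraction))
    return random.Random(seed).sample(rows, k)


if __name__ == "__main__":
    rows = parse_log(LOG)
    print("SoD violations:", sod_violations(rows))
    print("Limit breaches:", limit_breaches(rows))
    print("Escalate to management:", escalations(limit_breaches(rows)))
    print("Sampled for manual review:", [r["tender"] for r in sample_for_review(rows)])
```

On the constructed log the checks flag tender T-101 (issued and awarded by the same person), one breach by carol, and three by dave, which is enough to escalate; a fixed seed keeps the sample reproducible so the audit working papers can be re-created later.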
The auditing process itself is never finished and can be visualized as a cycle of assessment, review and reporting:

Continuous Auditing Process [5]

There are several procedures and techniques that can be used during an audit. Especially the development of tools that nearly automatically ensure compliance with the set rules and regulations can help not only to reduce the amount of time spent on a specific issue, but also to increase overall quality. The next blog post will give a short overview of the traditional techniques, followed by a post about the recent developments in the area of Computer-Assisted Audit Tools and Techniques (CAATTs).


References:

[1] The Institute of Internal Auditors, http://www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing/
[2] Michael P. Cangemi and Tommie Singleton, “Managing the Audit Function: A Corporate Audit Department Procedures Guide”, Third Edition, John Wiley & Sons, 2003
[3] David L. Cannon, “CISA: Certified Information Systems Auditor Study Guide”, 2nd Edition, Sybex, 2008
[4] James Lam, "Enterprise Risk Management: From Incentives to Controls", John Wiley & Sons, 2003
[5] Sandra Senft and Frederick Gallegos, “Information Technology Control and Audit”, Third Edition, Auerbach Publications, 2009

Traditional techniques in an IT audit

There are several traditional techniques that can be used during an IT audit. One of them is flowcharting. Since many root causes of non-compliance with regulations result from wrong business processes (see the blog post on myths about ERM), an auditor has to be very exact in this area. The problem is that many companies have a great number of complex processes, touching not only different functional areas, but also a wide variety of participant roles. For example, the procurement process can have great depth, especially in companies in the retail business. Flowcharting [1] – mapping each task to a functional area and defining inputs, outputs and the flow of information from one task to another – gives a visual overview of the processes at hand. By visualizing the information flows, the auditor can understand the business processes faster and with fewer misunderstandings.

Another very frequently used technique is a structured walk-through of a business process using a typical incident. Here a process is started, e.g. as if a data loss had occurred, and each task described by the policies or procedures is followed exactly. Especially in IT, this is one of the most effective techniques an auditor can employ. There have been many cases in which a backup of data was conducted only to learn afterwards that a restoration was not possible due to a failure in the systems, or that the data had not been backed up at all [2].

A very easy way to establish continuous auditing of operations is to implement a system of metrics – a combination of different environmental values, e.g. customer satisfaction and software quality, that reduces the complexity of the situation – to measure the execution of tasks. The auditor can then react very swiftly to a short-term worsening of outputs at any point in the business process. An important point here is that a metric should only be used if the objective has been set beforehand. Otherwise it might lead to a “burying of the organizations in metrics” [3].
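Here is what such a metric system looks like when it is written down: every metric carries an objective agreed beforehand, and the evaluation compares the most recent periods with the longer-run baseline so that a short-term worsening is flagged even while the target is still met. This is an added example for this post, not code from the blog or from the cited book; the metric names (one of them the restore-test success rate from the walk-through above), targets, tolerances and the weekly series are constructed.

```python
"""Continuous auditing with metrics: each metric has an objective set in advance,
and the auditor is alerted when the target is missed or when the recent periods
worsen sharply against the baseline.

Added example, not from the blog or the cited book. Metric names, targets,
tolerances and the weekly series are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Metric:
    name: str
    target: Optional[float]   # objective agreed before the metric is collected
    higher_is_better: bool
    max_drop: float           # tolerated worsening of recent mean versus baseline
    series: List[float]       # one value per period, oldest first


def mean(xs):
    return sum(xs) / len(xs)


def evaluate(metric: Metric, window: int = 4) -> dict:
    """Compare the last `window` periods with the baseline formed by the periods before."""
    if metric.target is None:
        # A metric without an objective only buries the organization in numbers.
        raise ValueError(f"{metric.name}: no objective set, refusing to report")
    if len(metric.series) <= window:
        raise ValueError(f"{metric.name}: not enough history for a baseline")
    baseline = mean(metric.series[:-window])
    recent = mean(metric.series[-window:])
    sign = 1 if metric.higher_is_better else -1
    worsening = sign * (baseline - recent)     # positive means things got worse
    findings = []
    if sign * (recent - metric.target) < 0:
        findings.append("target_missed")
    if worsening > metric.max_drop:
        findings.append("deteriorating")
    return {"metric": metric.name, "baseline": round(baseline, 3),
            "recent": round(recent, 3), "findings": findings}


# Constructed weekly series (12 periods each).
METRICS = [
    Metric("backup restore-test success rate (%)", 98, True, 3,
           [99, 99, 98, 99, 100, 99, 98, 99, 95, 93, 92, 90]),
    Metric("mean age of unapplied patches (days)", 30, False, 3,
           [20, 22, 21, 23, 25, 24, 22, 21, 28, 31, 33, 36]),
    Metric("customer satisfaction (1-5)", 4.0, True, 0.2,
           [4.1, 4.2, 4.0, 4.3, 4.1, 4.2, 4.1, 4.2, 4.0, 4.1, 4.2, 4.1]),
]


def audit_report(metrics=METRICS) -> List[dict]:
    return [evaluate(m) for m in metrics]


if __name__ == "__main__":
    for row in audit_report():
        print(f"{row['metric']:40} baseline={row['baseline']:<7} recent={row['recent']:<7} {row['findings']}")
```

Lower-is-better metrics (such as patch age) are handled by the sign flip, so one evaluation routine serves both kinds; a metric with no objective is rejected rather than reported, which is the guard against the "burying in metrics" problem.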

There are a few more techniques that can aid the IT auditor in his work, but the key point is to use those techniques that enhance the quality, reliability and speed of an audit.


References:

[1] Sandra Senft and Frederick Gallegos, “Information Technology Control and Audit”, Third Edition, Auerbach Publications, 2009
[2] ZDNet, "How 9/11 changed disaster planning", September 11, 2002, http://www.zdnet.co.uk/news/it-strategy/2002/09/11/how-911-changed-disaster-planning-2122113/
[3] Debra S. Herrmann, “Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI”, Auerbach Publications, 2007

Technologies supporting ERM Audits - Computer-Assisted Auditing Tools and Techniques (CAATTs)

Since many audit departments are relatively small compared to the functional departments, auditors need software to make their assessments more reliable. For this, Computer-Assisted Auditing Tools and Techniques (CAATTs) were developed. Unfortunately, most software tools have to be adjusted to the needs of the company, so that a standard software approach is most likely not possible [1].

In my opinion, four of the most useful software classes are:
  • Flowcharting software. Taking into account that many tasks in business processes have sub-processes and sub-sub-processes, the complexity can be too high to step through every task manually. To ease the burden on the auditing department as well as to enhance the quality and reliability of business process audits, flowcharting software can help in this area. By automatically testing the segregation of duties and the control of information, changes in the business processes can be tested for compliance before they are introduced in the company. An example would be the Compliance Monitoring Software by ComplianceTrack [2].
  • Computer-Aided Software Engineering (CASE) tools. These are tools that are mainly used to control the way programmers plan and implement software, to increase the quality of the resulting code. They can be used to generate program code from workflows, control the structure of the implementation (e.g. comments, declaration of variables, etc.) or even automatically generate full documentation. Since 70-80% of the total cost of software is maintenance cost, a large amount of money can be saved by generating code that is easier to maintain. Higher-quality program code decreases the risk of system failures during and after the introduction of new applications. With the increase in quality and the cost savings, constant auditing of the programming policies can be established without an auditor needing to control the code after every change. A review of the policies as well as test samples would then be enough to control this potential risk area. Examples of such CASE tools are MagicDraw [3] or Astade [4].
  • Disaster simulations. Testing a disaster recovery plan at the time of implementation, as well as periodically checking whether it is still appropriate to the situation, is of the utmost importance. Unfortunately, it is nearly impossible to test recovery plans during normal operations without risking a loss of data and interruption of tasks. For this reason, disaster simulations have been invented. They simulate how humans react to certain threats, show shortages of resources and how certain technical failures could lead to a shutdown of the systems. Although these systems are still in their early development and are rather used for real disasters, like terrorist attacks or physical security assessments, some attempts have been made to use them in the corporate world, too [5], [6].
  • Network security frameworks. Since security issues are still a very large portion of IT risk management, more versatile network security auditing tools have emerged. They range from network security scanners – tools that scan a range of IP addresses for open ports and display the applications that might be vulnerable – like Nessus, to nearly fully automatic frameworks like the Metasploit Framework, which enable not only scanning but also exploitation of the vulnerabilities [7]. The automation can not only find computers that do not comply with security policies, but also test the Intrusion Detection Systems deployed in the company.
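The auditing value of a scanner lies less in the scan itself than in comparing its output with the security policy: which hosts expose a port their role does not allow, which lack a service the policy requires, and which inventory hosts the scan never reached at all. The following is an added example written for this post, not code from the blog and not the output format of Nessus or any other real scanner; the inventory, the per-role port policy and the scan lines (a simple "host port/proto state service" form) are constructed.

```python
"""Compare scanner results with the security policy to find non-compliant hosts.

Added example, not from the blog. The scan text is a constructed, simplified
form and not the output format of any real scanner; inventory and policy are
constructed as well.
"""
from collections import defaultdict

# Constructed policy: per host role, the TCP ports allowed and those required.
POLICY = {
    "web": {"allowed": {22, 80, 443}, "required": {443}},
    "db": {"allowed": {22, 5432}, "required": {5432}},
}

# Constructed inventory: host -> role. 10.0.3.30 is expected but absent from the scan.
INVENTORY = {"10.0.1.10": "web", "10.0.1.11": "web",
             "10.0.2.20": "db", "10.0.3.30": "db"}

# Constructed scan result: "host port/proto state service", one line per port.
SCAN = """\
10.0.1.10 22/tcp open ssh
10.0.1.10 443/tcp open https
10.0.1.11 22/tcp open ssh
10.0.1.11 80/tcp open http
10.0.1.11 8080/tcp open http-proxy
10.0.1.11 443/tcp closed https
10.0.2.20 22/tcp open ssh
10.0.2.20 5432/tcp open postgresql
10.0.2.20 3389/tcp open ms-wbt-server
"""


def parse_scan(text):
    """host -> set of open TCP ports. A host with only closed ports is still
    recorded, so that 'reached but nothing open' differs from 'not scanned'."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port_proto, state, _service = line.split(maxsplit=3)
        port, proto = port_proto.split("/")
        ports = open_ports[host]          # registers the host even if nothing is open
        if proto == "tcp" and state == "open":
            ports.add(int(port))
    return dict(open_ports)


def check_compliance(scan, inventory=INVENTORY, policy=POLICY):
    """Findings as (host, issue, port); port is None for hosts never scanned."""
    findings = []
    for host, role in sorted(inventory.items()):
        if host not in scan:
            findings.append((host, "not_scanned", None))
            continue
        rules = policy[role]
        for port in sorted(scan[host] - rules["allowed"]):
            findings.append((host, "unexpected_open_port", port))
        for port in sorted(rules["required"] - scan[host]):
            findings.append((host, "required_service_missing", port))
    return findings


if __name__ == "__main__":
    for host, issue, port in check_compliance(parse_scan(SCAN)):
        print(f"{host:12} {issue:25} {port if port is not None else ''}")
```

A host that the scanner did not reach is reported as its own finding rather than silently passing, since an unscanned machine is exactly where an unnoticed policy violation would sit.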


Video: Using the Metasploit Framework

In conclusion, without the help of these software tools, IT auditing would not only be very hard to conduct, but also too costly or too low in quality. Many other types of CAATT software exist, and we will see more thorough development in the future, when more and more standards emerge in this field.


References:

[5] BusinessWeek, "Simulation Software vs. Terrorists", May 25, 2004, http://www.businessweek.com/technology/content/may2004/tc20040525_7827_tc148.htm
[6] Wired.com, "Videogame Technology Helps With Disaster Planning", February 2, 2009, http://www.wired.com/software/coolapps/news/2009/02/disaster_modeling

Conclusion

After implementing a risk management framework in a company, it is necessary to constantly revise the IT risk management policies with regard to their effectiveness and efficiency. As we have seen, if this is not done properly, the damage inflicted when a risk occurs can range from high financial losses to a near discontinuation of the business. Although enterprise risk management frameworks provide us with guidelines and policies on how risks should be managed to stay in compliance with laws and best practices, employees tend to ignore their precautions or boundaries if the reward is estimated to be high enough, or simply to reduce the burden of compliance during operations. At this point, an auditor has to make sure, through the use of traditional techniques and technology, that employees adhere to the rules. The latest developments and the continuous automation of software can and will help auditors in the future to simplify their task of controlling and revising boundaries, incentives and segregation of duties.