First and Last Line of Defense
Hurricane Katrina’s landfall in New Orleans in 2005 delivered a wake-up call not just for state and federal officials in the United States, but for emergency planners the world over. On top of direct catastrophic damage to key infrastructure, extensive refinery damage pushed global oil prices to new highs. Traffic light and telecommunication outages paralyzed critical response teams by compromising their rescue efforts. And many in the region faced restricted access to the financial system because electronic payments were no longer possible and banks imposed limits on cash withdrawals for fear of running out of money.
All together, the storm’s impact illustrated how rapid advances in technology and the need to deliver goods and services more efficiently have made organizations more vulnerable than ever to potentially damaging incidents. In recent years, the number and severity of systemic shocks – earthquakes and tsunamis, blackouts and technology failures, worldwide food shortages, pandemic diseases, and terrorist attacks – have risen precipitously. In addition, the increasing interconnectedness of people and businesses means that these events are no longer isolated; rather, they cascade through society, causing many indirect and at times unforeseen consequences.
Despite the warning signs, many governments and organizations have continued to build traditional security programs that are inadequate to cope with the new and emerging vulnerabilities of today. They have developed functional capabilities to address specific types of risks or vulnerabilities in isolation from each other—for example, the creation of an IT security policy that does not link with the organization’s crisis management policy. These organizations are now prone to a number of critical shortcomings: lack of an enterprise-wide view of risks, lack of accountability in dealing with those risks, and duplicative responses and investments.
The cost of these shortcomings is quickly adding up. For example, experts estimate that a total of US$1 billion has been stolen from financial institutions and corporations in the Middle East by organized cyber criminals exploiting online transactions. In one high-profile case in 2007, a Dubai-based gang stole roughly $60 million by accessing consumers’ online credit card information, even from Web sites that offer government services. Gang members then used these details to make cash withdrawals and to buy gold and diamonds online.
Examples such as these highlight the need for companies and government agencies to develop an integrated risk management strategy that takes into account the right physical, information, and IT security controls required to effectively manage access to and use of key company information. Organizations cannot feasibly predict or sidestep every risk, or prevent every risk from maturing into a serious threat. But they can help mitigate and absorb those risks by establishing and continuously strengthening their ability to maintain operations in the event of an incident—an approach that we call “business assurance.”
Well-designed business assurance models ensure the appropriate protection and continuity of an organization’s core services or mission by investing in capabilities in four major areas: risk analysis, integrated security, continuity planning, and incident response.
Risk analysis identifies potential pain points by establishing an early-warning system for threats, vulnerabilities, and impacts to critical assets and processes. Integrated security reduces the possibility of occurrence through the design and implementation of protective measures for people, assets, and information against threats. Continuity planning lessens the impact of events through the planning, design, and implementation of recovery targets and a continuity strategy. Finally, incident response prepares an organization to manage all types of events by adopting an “all hazards” approach.
The four functional capabilities of the business assurance model are supported by what we call “enabling factors”—the people, infrastructure, and technology that can help an organization recover in the event of an incident. Communications systems and crisis response centers to keep people in contact are examples of such factors. Another is operations groups that have received training to respond to specific circumstances.
Lastly, companies must put in place the governance capabilities necessary to build and maintain an efficient system. Developing policies and standards that define the characteristics of a resilient system, as well as the roles and responsibilities of all stakeholders, is but one example. These strategies, policies, and performance management efforts require the organization to consistently monitor and verify that the system is functioning.
The integration of these functional capabilities, enabling factors, and governance capabilities is of paramount importance. They must work together through an operational life cycle—identify, plan, build, execute, and maintain—to form an ongoing resilience framework in which everything works together to deliver the organization’s core products or services. It is through this life cycle that the business assurance model becomes operational, and one can see that all capabilities and factors—governance, functional, and enabling—have a role to play in every phase of the life cycle.
Today, leading government agencies are adopting key elements of the business assurance strategy in their efforts to build more resilient organizations. For instance, the British government has developed a nationwide network of resilience councils, coordinated by the Cabinet Office, to conduct a government-wide integrated risk assessment called the National Risk Register, and to generally improve the country’s resilience to all manner of risks. Singapore has taken a similar approach in devising its “Whole of Government—Integrated Risk Management” framework.
At the end of the day, the objective of companies and governments is to deliver a service, but that objective is compromised when an organization is not capable of managing unforeseen incidents or threats to its business. In today’s world, those threats are multiplying, and the interconnectedness of businesses and governments around the world means that each threat can do far greater damage than before.
These new and emerging risks are prompting executives and government officials to take a fresh look at their ability to identify and mitigate them. The business assurance model lets these leaders know that whatever may come, their organization will have an answer.