Friday, 30 September 2011

Ten Steps to Help CFOs Sleep Better

In a recent survey conducted by Robert Half Management Resources, the top two areas of potential vulnerability and concern cited by CFOs were disaster recovery (37%) and the security of information systems (24%). A common theme between these exposures is the need to better identify and understand the full range of risks that companies face today, and the need for all organizations to develop new ways to manage these risks more effectively. By developing cross-company approaches for addressing all areas of risk, companies will begin to move toward a systematic enterprise risk management process that most effectively reduces risk and controls cost.

In a comprehensive enterprise risk management program, companies identify and assess potential losses without regard to the department or function in which they may occur. Broad categories such as strategic, operational and financial risks are sometimes used to group related exposures. The scope of this exercise is frequently daunting and leads some executives to defer implementation until the board of directors or regulators (as in the financial industry) require this overarching approach. However, there is a way to reduce the concern related to IT security and disaster recovery without performing a comprehensive assessment.

Most companies exist to produce goods and services. Doing so requires raw materials, processing and a system of delivery. Underlying these processes are support functions such as accounting and human resources. By thinking of information as one of the raw materials, the scope of the risk management process is simplified. The following ten-step program can be used to initiate a relatively quick risk control program for your critical business functions. After completing these measures, you can develop a more comprehensive plan.

1. Divide your business into manageable units. While interactions between divisions shouldn't be ignored, you are more likely to have a quick success if you divide into smaller units that can be assigned to existing managers.

2. If your business has multiple locations and product lines, determine the business units that account for between 60% and 80% of your activity. Other units will be part of later phases.

3. For each of the critical units, draw a flow chart beginning with the payment of invoices and working backwards to include collections, invoicing, shipping, manufacturing, procurement and order entry. Within the flow chart, indicate what information is created and which computer systems are used to store and process the information.

4. Identify the most likely type of disaster to affect your business. This may be a natural disaster such as fire, earthquake or flood, or a man-made problem such as a labor strike. While the approaches will vary depending upon the type of event, focusing on the most likely disaster will increase management's commitment to the project and will vastly simplify your planning. Many of the lessons will be transferable to other planning scenarios in your future efforts.

5. Within your flow charts, identify how each step will be affected by the selected disaster scenario. For example, if you are considering invoicing and collections, calculate what happens if your accounting systems are damaged. If you are considering manufacturing, identify non-redundant equipment and the related potential loss of production.

6. For each area of potential impact, assign an owner to review potential risk reduction approaches.

7. To incorporate information technology security into this process, determine the related computer system for each area of the flow chart where information is stored or exchanged. Depending upon the detail of your process flow charts, you may need to supplement this with a list of systems used by support functions such as human resources and payroll. Inclusion of these additional systems should be based upon the sensitivity of the information being stored and the impact on your business if the information system is damaged. A simple "high-medium-low" priority system can be used.

8. For each critical system, assess the impact of the following scenarios: inappropriate access by employees or outsiders (loss of confidentiality), damage to the integrity of the information, and lack of availability.

9. Assign a coordinator for overall IT security reviews and a different coordinator for the overall order-to-collection cycle for each business unit. The job of the coordinator is to collect information about exposures and to facilitate a discussion where priorities can be agreed upon.

10. Select no more than ten critical risk reductions to be completed during the quarter. Assign tasks, deadlines and resources to specified individuals. Monitor this quarterly.

Most companies will need to work on these essential steps for at least one year before moving to a more detailed program. Later stages should include, among other things, considering interactions between units, including less significant operations, identifying the impact of losses to third-party vendors and customers, developing communication plans and testing disaster recovery programs.

CFOs are justifiably worried about the areas of disaster recovery and information technology security. In some cases, this concern may inspire the creation of full-time program managers to address these needs. However, even those executives without the resources of a full-time risk manager can take the above ten steps towards reducing their anxiety and building a safer, more secure and ultimately more successful organization.
