IT Risk
• What? The potential for an unplanned event involving a failure or misuse of IT.
• Impact? It threatens an enterprise objective.
• Impact sphere: no longer confined to a company's IT department or data center.
• Potential to produce substantial business consequences that touch a wide range of stakeholders.
• IT risk matters, now more than ever.
ComAir
• Date: 24 Dec 2004
• Problem:
– crew-rescheduling software could process at most about 32K changes per month, and that limit was exceeded
• Impact / loss:
– reputation
– financial: about $20M (against about $26M profit in Q2)
– ComAir's president resigned
• Reason for the problem:
– software not upgraded on time
– no BCP/DR
• Business risk view:
– (probability, severity) = (low, high)
• Regular operations resumed: 29 Dec 2004
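The 32K-per-month ceiling on the slide is the range of a signed 16-bit integer (32,767), and a fixed-width change counter is the widely reported cause of the ComAir outage. The Python below is an added example, not code from the page or from the scheduling vendor: it models that failure mode (a counter that silently wraps negative) beside a hardened form that makes the ceiling explicit, enforces it, and warns operations before it is reached. The class names, the 80% warning threshold and the "invoke BCP/DR" message are assumptions for illustration.

```python
import ctypes

INT16_MAX = 32_767   # largest value a signed 16-bit field can hold
WARN_AT = 0.80       # assumed operations policy: warn at 80% of monthly capacity


def int16_wrap(n: int) -> int:
    """Value a signed 16-bit counter shows after n increments: past 32,767 it wraps negative."""
    return ctypes.c_int16(n).value


class LegacyScheduler:
    """Failure mode: a 16-bit monthly change counter that wraps instead of failing."""

    def __init__(self) -> None:
        self.changes_this_month = 0

    def record_change(self, crew_id: str) -> int:
        # No bounds check: the 32,768th change silently turns the counter negative,
        # and every table indexed by it is now corrupt.
        self.changes_this_month = int16_wrap(self.changes_this_month + 1)
        return self.changes_this_month


class CapacityError(RuntimeError):
    """Raised when the documented monthly ceiling is reached."""


class HardenedScheduler:
    """Same workload, but the ceiling is explicit, enforced, and signalled early."""

    def __init__(self, ceiling: int = INT16_MAX) -> None:
        self.ceiling = ceiling
        self.changes_this_month = 0          # native-width int, cannot wrap
        self.alerts: list[str] = []

    def record_change(self, crew_id: str) -> int:
        if self.changes_this_month >= self.ceiling:
            # Fail loudly at the limit so operations can invoke the BCP/DR procedure
            # instead of running on corrupt schedules.
            raise CapacityError(
                f"monthly change limit {self.ceiling} reached; invoke BCP/DR procedure")
        self.changes_this_month += 1
        if self.changes_this_month == int(self.ceiling * WARN_AT):
            self.alerts.append(f"{WARN_AT:.0%} of monthly change capacity used")
        return self.changes_this_month


def run_month(scheduler, n_changes: int):
    """Apply n_changes crew changes; return (last counter value, error message or None)."""
    last = 0
    for i in range(n_changes):
        try:
            last = scheduler.record_change(f"crew-{i}")
        except CapacityError as exc:
            return last, str(exc)
    return last, None


if __name__ == "__main__":
    print("legacy:  ", run_month(LegacyScheduler(), 32_800))    # counter negative, no error raised
    print("hardened:", run_month(HardenedScheduler(), 32_800))  # stops at 32,767 with an error
```

The legacy path never raises: after 32,800 changes it reports a negative counter and keeps scheduling, which is the silent, hard-to-diagnose form of failure the slide describes. The hardened path turns the same limit into a warning at 80% and a hard stop at the ceiling, so the event becomes a planned BCP/DR trigger rather than an unplanned outage.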
Tektronix
• Electronics manufacturer
• System: very integrated (finance + manufacturing processes)
• Difficult to spin off a unit
• Reason:
– would require duplicating processes and data
– long-term agility vs. short-term benefits
• Business risk view:
– (probability, severity) = (low, low)
Year / Company / Problem / Impact
• 2005, CardSystems Solutions: breached
– data of about 40M credit card holders compromised
– VISA and MasterCard terminated business with the company
• 1996, FoxMeyer: ERP implementation
– bankrupt
– SAP and Accenture sued for $500M in losses
• 2003, UK Inland Revenue (Tax Credits): testing cut from 20 weeks to 4
– loss of about 2 billion pounds
Learnings from IT risk incidents
1. Failure of IT systems, or of controls on IT processes, caused significant harm to constituencies both inside and outside the enterprise.
2. Public disclosure resulted in reputation damage and regulatory scrutiny; it amplifies the consequences of IT risk, so the subsequent consequences can exceed the initial economic losses.
3. These were failures of general management, not just of IT management: they expose a failure to account for potential business consequences when managing IT risks.
1) Ineffective IT governance
• IT governance: "specifying the decision rights and accountability framework to encourage desirable behavior in using IT."
1. Locally optimized decisions create enterprise risks.
2. Without business involvement, IT managers can make incorrect assumptions about which risks matter most to the business.
2) Uncontrolled complexity
• Haphazardly complex environments demand a great deal of knowledge and attention to manage effectively, and those resources are scarce.
• Result: increased risk.
• Compare cars of 1960 with cars of 2012
– KPIs: safety, reliability, quality
3) Inattention to risk
• Missing or inadequate knowledge
– layoffs,
– retiring personnel,
– promotions, and
– reliance on external consultants
• reduce an enterprise's core knowledge and open the door to risk.
• Poor infrastructure management
– inadequate device management and
– refusal to retire old, unreliable technologies
• lead to high costs and failure rates, and to long recovery times.
3) Inattention to risk (continued)
• Employee ignorance, negligence, or malfeasance
– employees who do not know or care how to avoid risk, and
– employees bent on destructive or criminal acts
• create failures and breakdowns of security and privacy.
• Systems that are blind to dangerous activities
– systems that fail to detect or prevent dangerous activities
– abet management inattention by removing a potential layer of automated warning and protection.
• Automated controls are particularly important when the enterprise allows key employees considerable authority to act autonomously.
• Example: Barings Bank, Nick Leeson
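The Barings lesson is that a trader who could also settle his own trades had no automated layer watching him. The Python below is an added example, not code from the page: it runs three automated controls of the kind the slide calls for over a ledger of trade actions: segregation of duties (the same person must not execute and settle a trade), a per-account position limit, and any booking to an error/suspense account. The ledger rows, the 2,000,000 limit and the account names are constructed for illustration and are not Barings data.

```python
from collections import defaultdict

# Constructed sample ledger (not real data): one row per action on a trade.
# Fields: trade_id, action, user, account, amount
LEDGER = [
    ("T1", "execute", "alice", "ACCT-100", 1_500_000),
    ("T1", "settle",  "bob",   "ACCT-100", 1_500_000),
    ("T2", "execute", "carol", "ACCT-200",   300_000),
    ("T2", "settle",  "carol", "ACCT-200",   300_000),   # same person executes and settles
    ("T3", "execute", "carol", "ERR-999",  4_000_000),   # booked straight to a suspense account
    ("T3", "settle",  "carol", "ERR-999",  4_000_000),
]

POSITION_LIMIT = 2_000_000          # assumed per-account exposure limit
SUSPENSE_ACCOUNTS = {"ERR-999"}     # assumed list of error/suspense accounts


def find_violations(ledger, position_limit=POSITION_LIMIT, suspense=SUSPENSE_ACCOUNTS):
    """Return sorted (rule, subject, detail) tuples, one per control breach in the ledger."""
    actors = defaultdict(dict)       # trade_id -> {action: user}
    exposure = defaultdict(int)      # account -> total executed amount
    violations = set()               # a set so repeated rows report a breach once
    for trade_id, action, user, account, amount in ledger:
        actors[trade_id][action] = user
        if action == "execute":
            exposure[account] += amount
        if account in suspense:
            # Any use of a suspense account by a front-office user is worth a second pair of eyes.
            violations.add(("suspense_booking", trade_id, user))
    for trade_id, by_action in actors.items():
        executor, settler = by_action.get("execute"), by_action.get("settle")
        if executor is not None and executor == settler:
            violations.add(("segregation_of_duties", trade_id, executor))
    for account, total in exposure.items():
        if total > position_limit:
            violations.add(("position_limit", account, total))
    return sorted(violations, key=lambda v: (v[0], str(v[1]), str(v[2])))


def is_clean(ledger, **limits) -> bool:
    """True when the ledger passes every automated control."""
    return not find_violations(ledger, **limits)


if __name__ == "__main__":
    for rule, subject, detail in find_violations(LEDGER):
        print(f"{rule:22} {subject:10} {detail}")
```

The point of running this as a batch over the ledger rather than relying on a supervisor's review is exactly the slide's point: the control does not depend on management attention, and it fires even when the person being checked has authority over both sides of the transaction.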
Learning
IT risk management capabilities incorporate two key elements:
1. Adopt an integrated view of IT risk that allows rational, informed trade-offs about IT risk to be made in business terms.
2. Place careful emphasis on three core disciplines for managing risk:
a. simplifying the IT foundation,
b. creating a risk governance process, and
c. fostering a risk-aware culture.
BCP/DR
Before
• Insurance firm: IT support 16 hrs/day; maintained in house; business principle: low cost; downtime per change request: 2 hours
• Chemical company: IT support 24x7; maintained by an outsourcer; business principle: fast response; downtime per change request: 15 min
After
• Insurance firm: proposed outsourcing; proposed downtime: a few minutes; business principle: IT is a channel for distribution; IT principle: technology as a solution; savings: yes
• Chemical company: continue outsourcing; proposed downtime: 12 hrs; business principle: business impact of downtime is low; IT principle: technology as a risk; savings: yes (3% of IT budget)
BCP/DR
• BFSI company: BCP plan with 30-minute recovery; IT perspective: IT infrastructure prepared for BCP; business perspective: office space missing
• Utility company: quick BCP plan; IT perspective: no plan; business perspective: office infrastructure planned
Holistic view of IT risk
• IT managers miss market opportunities
• Business managers miss the business implications of IT risk
IT organization
• Based on technical risk factors alone
• IT risk grouped into:
– infrastructure
– application development
– vendor management
• Objective: technology should work 24x7
4A framework
• Availability: keep the systems running and recover from interruptions.
• Access: ensure appropriate access to data and systems, so the right people have the access they need and the wrong people don't.
• Accuracy: provide correct, timely, and complete information.
• Agility: the capability to change with managed cost and speed.
Business view: 4A framework
Each business problem mapped to the A it falls under:
• Downtime impact on the factory or HR: Availability
• Wrong access to data (leakage): Access
• Compliance failure (SCM, SOX): Accuracy
• Strategic change is slow: Agility
Availability
Executive level:
• Which of our business processes are most dependent on IT?
• What consequences are likely if the systems are unavailable?
Operational level:
• What is the cost of a particular process being down for (i) an hour, (ii) a day?
• What are our procedures to recover from an interruption?
Access
Executive level:
• What categories of information would be most damaging if released? For example, what is the likely impact of loss or theft of (i) customer data, (ii) product data?
• What categories of information are most important for our firm's daily success or failure?
Operational level:
• How do we control, protect and monitor access to these types of information?
• How can we ensure that the right people get access to this information as needed (and then lose access when
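The two operational-level Access questions above come down to one recurring check: reconcile who holds access to each information category against who is entitled to it. The Python below is an added example, not code from the page: it compares an HR roster with the entitlements actually granted and reports the wrong people (a leaver still entitled, an account with no HR record, an active employee holding a category their department does not need) as well as the right people who are missing access. The roster, the category-to-department policy and all names are constructed for illustration.

```python
# Constructed sample data (not from the page): an HR roster and the entitlements currently
# granted in a system that holds customer data and product data.
HR_ROSTER = {
    # user: (status, department)
    "asha": ("active", "sales"),
    "ben":  ("active", "engineering"),
    "chen": ("terminated", "sales"),
    "dana": ("active", "finance"),
}

# Assumed policy: which departments legitimately need each information category.
ALLOWED = {
    "customer_data": {"sales", "finance"},
    "product_data":  {"engineering"},
}

ENTITLEMENTS = [
    # (user, category) as currently granted in the system
    ("asha", "customer_data"),
    ("ben",  "product_data"),
    ("ben",  "customer_data"),   # engineer holding customer data: wrong person
    ("chen", "customer_data"),   # leaver still entitled: access never removed
    ("erik", "product_data"),    # account with no HR record: orphan
]


def review_access(roster, allowed, entitlements):
    """Wrong people: return sorted (finding, user, category) for every entitlement that
    should not exist. Checked in order of severity: orphan, leaver, excess privilege."""
    findings = []
    for user, category in entitlements:
        record = roster.get(user)
        if record is None:
            findings.append(("orphan_account", user, category))
            continue
        status, dept = record
        if status != "active":
            findings.append(("leaver_still_entitled", user, category))
        elif dept not in allowed.get(category, set()):
            findings.append(("excess_privilege", user, category))
    return sorted(findings)


def missing_access(roster, allowed, entitlements):
    """Right people: active staff in an entitled department who hold no entitlement."""
    held = set(entitlements)
    gaps = []
    for user, (status, dept) in roster.items():
        if status != "active":
            continue
        for category, depts in allowed.items():
            if dept in depts and (user, category) not in held:
                gaps.append((user, category))
    return sorted(gaps)


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ALLOWED, ENTITLEMENTS):
        print("revoke:", finding)
    for gap in missing_access(HR_ROSTER, ALLOWED, ENTITLEMENTS):
        print("grant: ", gap)
```

Run on a schedule against the real roster and entitlement export, the first function is the "monitor" and "lose access when no longer needed" half of the question, and the second is the "right people get access as needed" half; treating the HR roster as the source of truth is what keeps the two from drifting apart.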
Accuracy
Executive level:
• Which processes and categories of information carry the highest consequences for inaccuracy (e.g., inventory, financial)? What would the firm lose if it could not maintain SOX certification?
• What constraints has inaccurate or incomplete information placed upon the organization?
• What could the firm do if it had better information in some area? For example, how much would the company save if it had better information on global customers?
Operational level:
• How can we improve the way that we gather or manage these types of information?
• How can we create or obtain valuable new types of information?
Agility
Executive level:
• How well does IT currently deliver on new projects, and what does that mean for what the firm is able to do in the future?
• What major strategic changes (new product launches, new geographies, M&A, global cost-cutting, etc.) are foreseeable?
• What opportunity costs are entailed in missing a product launch (or other strategic move) by a month due to IT
Operational level:
• How can managers in IT and business units improve project definition and delivery?
• What processes, skills and supporting systems are needed to support those changes?
• How should the IT foundation change to improve agility?
4A guide to IT risk management
• Top management sets its risk tolerance along all four As: <Availability, Access, Accuracy, Agility>
• The CIO is part of that discussion across all four As
• Risk decisions are specific to the enterprise
Risks of buying a non-standard package
• A standard package requires BPR; a non-standard package is not aligned with the technology architecture.
• Risk per A (standard package / non-standard package), and its cause:
– Access: no / yes; must be integrated with the security process
– Availability: no / yes; downtime and support
– Accuracy: no / yes; integration with other processes
– Agility: no / yes; modification is not so easy
Business impact:
• TCO low
• Compliance with regulation
• ROI
M&A
Integration of systems: alignment is a must. Risk per A, and how it arises:
• Access: yes; integrate with the existing technology stack
• Availability: yes; downtime and support
• Accuracy: yes; integration with other processes, else accuracy reduces
• Agility: yes; modification is easy if integration is done
Business impact:
• Spin-off is easier
• Replace the technology of the acquired company
Rapid growth vs. control
Risk per A (with controls / under rapid growth), and how it arises:
• Access: no / yes; security policy; passwords proliferate; systems get complex
• Availability: no / no
• Accuracy: no / yes; processes, data and output defined in different ways
• Agility: no / yes; modification becomes difficult as applications get complex and lack documentation
Business impact:
• Time-to-market low
• Launch of new apps / business ideas
• Product management, development and quality groups needed,
VSI / Medical Transcription
CFO view vs. CIO view, and how the risk arises:
• Solution: CFO: internet based; CIO: VPN based
• Business model: CFO: easy access, outsourcing; CIO: X
• Access: yes / no; security
• Availability: yes / no
• Accuracy: yes / no
• Agility: no / yes; modification becomes easy if the strategy changes