
Why information security and business continuity management must dovetail

By Brian Davey, senior consultant, Teed Business Continuity

UPDATED WITH READER COMMENTS

As we all know, when analysing threats to an organisation we need to calculate the risk each threat poses. Risk comprises two elements – probability and impact.

The negative impacts that would result from a threat materialising can be determined fairly accurately through an assessment process such as the business impact analysis (BIA). The costs of those impacts (loss of revenue, lost business opportunity, breach of legislation and/or regulation, customer dissatisfaction, negative brand impact, loss of market share, etc.) can be explored with the relevant business representatives to arrive at a likely cost to the organisation should the threat materialise. Combining that impact with the probability then yields a risk score: high-probability, high-impact risks have the highest risk score and low-probability, low-impact risks have the lowest.

Based on the risk score, the organisation then usually agrees the course of action to manage the threat, i.e. to accept, transfer, treat or avoid the risk.

The problem is that the scoring of probability is inherently flawed.

Let me explain. How high would you rate the probability of your home being broken into? You may say that the probability is ‘very low’ given your low crime neighbourhood, security locks, burglar alarm and history of no burglaries in your street in the last ten years.

Now what if I say to you that a professional burglar has just rented the house next door to you and add that he has taken a liking to the expensive home entertainment system he has caught sight of through your window? I would guess that the probability rating has just moved up a notch or two.

If we had put the world’s top 100 risk managers in a room on 10th September, 2001 and asked them to rate the probability of the twin towers being destroyed with around 3,000 lives lost within the next 24 hours, how many of them would have said “the likelihood rating is off the top of the scale – in fact it’s a sure thing”?

How many times have fraud investigators heard a remark along the lines of “I would never have believed that Fred could have stolen money from the firm. He always seemed such a nice chap.”? (The answer is: many times.)

Basically, the problem with probability is that it is based on subjective judgement and on an analysis of the facts as we know them at the time. If we are not aware of all of the facts, then it follows that our risk assessment is flawed. Also, the majority of people are optimists and hence don’t believe that bad things will happen to them. This view transfers to the organisational setting as well. In my experience senior management teams seem to have endless optimism (as they need to in order to overcome hurdles, keep the company moving forward and beat the competition).

Ask yourself the following question and answer it honestly:

The fact that a serious security threat to the organisation hasn’t materialised so far is down to:
a) sound management and controls,
b) luck, or
c) we haven’t been targeted as yet.

So what am I getting at? Well, the way I see it, we always need to assume the worst-case scenario, i.e. that the threat will materialise no matter how ultra-low we may think the probability is. Hence, if we have calculated for any threat that the resultant negative impacts on the organisation would be at an unacceptable level, then we need to plan for just such a situation arising; otherwise we are not discharging our duty as business continuity managers with responsibility for trying to keep the organisation safe from harm.
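The scoring argument above can be made concrete with a small risk register. The following is an added example, not code from the article or from Teed Business Continuity; the 1-to-5 rating scales, the product formula for the risk score, the "impact of 4 or more is unacceptable" threshold and the register entries are all constructed assumptions. It shows two things the text argues: a probability-weighted ranking lets a low-probability, high-impact threat sink to the bottom of the list, and a single new fact about probability (the burglar next door) reorders that list, while the set of threats that need a continuity plan on impact alone does not move.

```python
"""Risk register scorer (added example; scales and data are constructed)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 (very low) .. 5 (very high): a subjective judgement
    impact: int       # 1 (negligible) .. 5 (severe): taken from the BIA


SCALE = range(1, 6)          # assumption: both ratings use a 1-5 scale
UNACCEPTABLE_IMPACT = 4      # assumption: impact >= 4 is unacceptable to the business


def risk_score(threat: Threat) -> int:
    """Conventional score = probability x impact on the 1-5 scales."""
    if threat.probability not in SCALE or threat.impact not in SCALE:
        raise ValueError(f"{threat.name}: ratings must be on the 1-5 scale")
    return threat.probability * threat.impact


def rank_by_score(register: List[Threat]) -> List[Tuple[str, int]]:
    """The probability-weighted ranking a normal risk assessment produces.

    Highest score first; ties are broken alphabetically so the order is stable.
    """
    scored = ((t.name, risk_score(t)) for t in register)
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def needs_continuity_plan(register: List[Threat],
                          threshold: int = UNACCEPTABLE_IMPACT) -> List[str]:
    """The article's rule: plan for every threat whose impact is unacceptable,
    whatever probability has been assigned to it."""
    return sorted(t.name for t in register if t.impact >= threshold)


def reassess(register: List[Threat], name: str, new_probability: int) -> List[Threat]:
    """Return a copy of the register with one threat's probability re-rated,
    modelling the arrival of a new fact (the burglar moving in next door)."""
    return [Threat(t.name, new_probability, t.impact) if t.name == name else t
            for t in register]


# Constructed register: names, ratings and scales are illustrative only.
REGISTER = [
    Threat("office fire", 2, 4),
    Threat("laptop theft", 4, 2),
    Threat("insider fraud", 1, 5),
    Threat("phishing-led malware outbreak", 3, 4),
    Threat("printer outage", 5, 1),
]

if __name__ == "__main__":
    print("Ranking by probability x impact:")
    for name, score in rank_by_score(REGISTER):
        print(f"  {score:>2}  {name}")
    print("Needs a continuity plan on impact alone:", needs_continuity_plan(REGISTER))

    # New fact: the insider now looks far more likely than first judged.
    bumped = reassess(REGISTER, "insider fraud", 4)
    print("Ranking after re-rating insider fraud:", rank_by_score(bumped))
    print("Plan set after re-rating (unchanged):", needs_continuity_plan(bumped))
```

Running the register as given, "insider fraud" (probability 1, impact 5) ties with "printer outage" at the bottom of the score table, yet it is one of the three threats the impact rule selects for a plan; re-rating its probability to 4 sends it to the top of the table while the plan set stays the same, which is the point of assuming the worst case for anything with an unacceptable impact.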

Business continuity plans should not just cover the traditional fire, flood and explosion type threats. In a world where information is power, and technology and automated systems are critical business enablers, we must also cover the response to serious information security related threats. Regardless of the controls we have in place to protect the organisation from physical or virtual security threats, we must also have an agreed fallback plan to invoke should a threat materialise. In other words, we need information security controls to try to prevent serious breaches, but we must also have a business continuity plan, including technology and systems recovery, which provides a fallback strategy, response and recovery back to the ‘business as usual’ state should a serious breach occur. Information security management and business continuity management must dovetail.

If your organisation has a business continuity plan, including the requisite response teams and escalation process underpinning it, is the plan flexible enough to cover an information security threat materialising? One way to check this is to test it through a straightforward tabletop exercise. Get the primary response team in a meeting room and provide them with a scenario to manage, such as “You have just been informed that our main competitors have a copy of our confidential business plans”, “A new virus has just got through our defences and is running loose on our network” or “An employee has just confessed to embezzling £500,000 from the company over the last 5 years.” Each of these scenarios requires not just an initial response to investigate and contain the situation, but also effective stakeholder communication and possibly damage limitation: areas which demand senior management level involvement and decision making, plus input from subject specialists such as HR, Legal, PR etc. A well-prepared business continuity plan should already cover the senior management and expert involvement required for these scenarios.

Such an exercise will help you understand whether or not the business continuity plan is appropriate for handling information security related threats materialising. The exercise should also test that an escalation process exists and is appropriate to serious information security breaches. If it isn’t, then can I be so bold as to suggest that you update it as a priority? After all, you never really know what the true probability is that a serious breach will occur very, very soon. Do you?


http://www.teed.co.uk/index.shtml

Teed Business Continuity will be exhibiting at Business Continuity – The Risk Management Expo 2007. Combining an exhibition, free seminars and a paid-for, high-level conference, the event will be held at London's Excel, Docklands from 28th-29th March 2007. To register please visit www.businesscontinuityexpo.co.uk

READER COMMENTS

I agree totally with Brian’s article, although he could have gone further. I am an information security manager and have always found that all sorts of Risk functions are so disconnected that their efforts are wasted. Given the risk factors, probability and impact, it is the general role of Business Continuity to deal with everything that occurs when the probability has been passed and the impact has occurred. I am constantly surprised that most BCP theory jumps straight from BIA to Planning, with very little attention given to preventative measures. And, in truth, in most businesses little attention is given to the BIA, as the BCP is generally seen as a rather complicated fire evacuation plan.

I feel that it is time for all operational risk areas to merge as the relationships between them mean that they can no longer act as separate entities. Certainly all areas of fraud, operational risk, the business, data protection and compliance depend on a framework which reduces the likely impact of a risk to the business (information security) and an equally important framework that helps the business survive should the impact occur (business continuity). Both of these efforts need to be based on a realistic business impact analysis which will help determine the use of limited resources to best benefit.

Ron Foynes
Information security manager


Mr. Davey is correct that the risk analysis is subjective and therefore more prone to error than if it were objective. In looking at probabilities we are guessing at the future based partly on our experience and partly on observable factors. If we are experienced professionals in business continuity management or risk management and if we have kept up our training, our subjective judgement (guess) should be as good or better than others.

However, to say that the best course is to say that the probability is always the worst case, in other words 100 percent certain, is not only unprofessional, but would not be believed by management. The goal is not to accurately guess the exact probability. That is not a reasonable goal. The purpose of a risk analysis is to rank order identified risks for management. We should also recommend mediation actions for the most likely risks. Management then decides how much money they can afford to spend and puts that toward the most dangerous risks.

It does not matter if I rate risk A at a probability of 4 on a scale of 1 to 5 and rate risk B as a 2, when someone else rates risk A as a 3 and risk B as a 1. What matters is that we both identify risk A as higher than risk B.

Mel Curtis, MBCP
Lead BCP

The process described is a risk assessment not a business impact analysis. The article has neatly made at least half the case for why most BCM practitioners use a BIA rather than RA in developing a BCM strategy. The other half is that impacts are not fixed in magnitude but increase at varying rates over time.

Ian Charters, FBCI
Continuity Systems Limited

Date: 10th November 2006 • Region: UK/World • Type: Article • Topic: ISM
UPDATED 14TH NOVEMBER

Copyright 2010 Portal Publishing Ltd