Simplifying IT Risk Analysis For Small, Medium and Enterprise Organisations

Executive Summary

Regulators such as the UK Information Commissioners Office are baring their teeth and imposing fines that exceed £400k for data losses and data breaches under EU Data Protection legislation. With most organisations depending so heavily on Information Technology (IT) for business operations they would struggle to survive a week without their systems and data. However, many stake their livelihood on 1950’s technology like tape media and fail to use basic protection like encryption to safeguard these critical resources.

Organisations of all sizes rely so much on IT today that the increasing complexity and growing volumes of data being created and being stored cause a disproportionate increase in risk.

We see a toughening regulatory regime in the UK and Europe which is leading to more punitive enforcement, with more demands being placed on limited budgets and human resources. With a less than favourable economic outlook continuing, business executives more than ever are being scrutinised for the investment decisions that they make. This white paper explains why applying a holistic IT risk assessment, with easy to understand recommendations is key to focussing IT investments on mitigating risks that have severe outcomes.

A number of tightly regulated industries such as the Nuclear, Oil & Gas and Transportation sectors have set a high bar in the assessment of risk. The implications for failing to address risk appropriately in these critical infrastructure sectors has devastating consequences for all of us. The demands that these industries have placed on risk assessment has led to the emergence of a systemic and highly accurate methodology for assessing risk in their processes.

Corporate Risk Associates Limited (CRA) have become the UK’s leading analysts in the assessment of risk for the most highly regulated and demanding sectors, and they are now making their methodology available to IT risk professionals and executives so that they may benefit from the rigour and systems that CRA have refined over several decades.

By partnering with the award-winning IT Managed Service Provider OnDemand Recovery, CRA are providing a holistic assessment service to address the four risk areas – Business Continuity, Data Protection, IT Disaster Recovery and effective management of operational cost.

The quantified risk assessment process will help to ensure that the appropriate financial and human resources are applied to achieve the optimum risk reduction. This approach provides information which will reduce guesswork in decision making and help organisations to understand the risks they face and the effect of each investment decision. It will also identify the point at which committing further resources no longer produces significant risk reduction. 

Introduction

Over the last decade, CRA has seen a steady escalation in the level of risks that organisations are facing due to the vulnerabilities of their IT systems. As data volumes and systems complexity have grown, organisations face two IT related significant risks:

• IT business resilience which has in many cases failed to keep pace with growing business complexity and,
• Monetary Penalty Notices (fines) for data loss and data breaches that contravene EU Data Protection regulations.

Examples that are well known include; Nat West Bank online banking system failures, HMRC, NHS and MOD loss of data or records and the relocation of an organisation’s IT due to external factors such as the Buncefield oil depot fire in Hemel Hempstead and Hurricane Sandy that struck New Jersey in 2012.

IT systems are now so complex that many IT departments do not have a true understanding of all the risks facing their business. They tend to operate on a reactive basis rather than be proactive in their approach, by identifying future potential IT threats and developing the necessary response. To assist organisations in becoming more proactive in their response to risk, we are initially focussed on four areas of market concern:

Risk	Description and considerations
Business Continuity	The assessment of risk related to the length of time operations can be disrupted without negatively impacting the bottom line or services
Data Protection	Assessment of Privacy Impact Analysis and Risk Assessment and incorporate a mitigation plan for data loss and breaches
IT Disaster Recovery	Create and test an IT DR (Disaster Recovery)plan based on a Business Impact Analysis and the Recovery Objectives of the organisation
Operational cost increases	Optimising the funds available is a key output from a professional risk assessment

These assessment services will allow organisations to obtain greater insights into the risks facing them and provide a means of ensuring that financial expenditure and human resources are aligned to achieve the maximum reduction of the risks identified. In summary, organisations that apply this risk methodology will be able to:

• Predict possible losses through identified operational inefficiency and failure;
• Target IT expenditure to minimise risk based on organisation-specific parameters;
• Quantify and manage risk across IT systems including the protection and availability of data;
• Raise awareness of IT risk across the organisation;
• Plan and manage Business Continuity and Resilience.

Data Protection and IT investment strategy can be defined through the profiling and analysis of risk and its mitigation, thereby validating the business case for IT expenditure.

Risk Analysis Framework

Over many years, CRA have developed integrated Risk Analysis models for mission critical industries. The risk assessment separates a process into its logical parts and ensures that the optimal expenditure is identified in order to reduce risk to an acceptable level.

The successful outcome of any process will be dependent on the performance of a number of variables including human beings, automated systems (electrical and mechanical), IT systems and the physical environment. This model will take into account all relevant internal and external dependencies.

The risk assessment applies industry and client specific data to quantify the likelihood of the process failing. Significant insights can be obtained from the model such as:

1. Risks ranked according to the overall likelihood of the process failing;
2. Optimisation of the inter-dependency between human, hardware (mechanical and electrical), and IT systems in the process to reduce failures;
3. Identifying where expenditure will have the largest impact in reducing risk.

The risk assessment process will ensure that the appropriate financial and human resources are applied to achieve the optimal risk reduction. It will further confirm the point at which committing further financial and human resources will no longer significantly reduce a particular risk.

Building the Risk Model

The risk assessment method that has been developed ensures that a consistent and high quality risk analysis is carried out irrespective of an organisation’s size and complexity. A systemic approach, underpinned by exactly the same risk methodology for enterprise organisations is now available for small and medium sized organisations, all delivered in a cost effective manner.

The processes to be assessed need to be understood and the risk model is constructed accordingly. A process map is then developed, followed by modeling of the failure events. Undesirable failure consequences, such as those resulting in a financial loss, will then be analysed and risk reduction measures identified. Reduction measures can include procedural changes, process changes, employee training and system modifications. Hidden options with their respective risk reduction responses may also be found. With increased system complexity and the resulting high level of human interactions, such a holistic approach guarantees that all necessary variables are taken into account.

The risk assessment is tailored to the size and type of organisation: from Small or Medium sized organisations to Enterprise and Public Sector.

To assess risk and compliance relating to EU Data Protection, a Privacy Impact Analysis (PIA) is critical, the UK Information Commissioners Office (ICO) include a PIA within their best practice guidelines for risk assessment. ICO has criticised data controllers who had not rolled out a framework for carrying out PIAs. More importantly, the absence or presence of a risk assessment is a determining factor in ICO’s decision on whether to take enforcement action or not.

To assess risk regarding IT disaster recovery we would review and test the Business Impact Analysis and recovery testing of systems and solutions. We would also assess the risk of human intervention in the Disaster Recovery (DR) plan and where human involvement, IT software, systems and services are inter-dependent on the recovery outcome. IT DR plans that are not tested, or not tested against a benchmark present a high risk to the organisation as a false sense of security prevails.

Summary

We are moving to a more regulated legal compliance regime in the UK. Enforcement now carries substantial penalties, and the consequences of not minimising risk is becoming increasingly more visible and well publicised.

In many cases taking mitigating action before an event, for example undertaking a risk assessment, selecting and implementing an appropriate IT security or data protection solution, can prevent the consequences or, at least, lessen the subsequent penalties significantly.

Examples of relevant monetary penalty notices issued by the ICO and mitigating circumstances in the defendants’ favour include:

• Monetary Penalty Notice was issued against Welcome Finance for £150K, for the loss of data held on two unencrypted back-up tapes. One mitigating factor was that the personal data can only be accessed using specialist IT equipment.
• Monetary Penalty Notice was issued against Jala Transport Ltd., for £5k, for loss of customer details stored on a hard drive stolen from the owner’s car. The fine was reduced from £70k after taking into account the limited financial resources of the company.

It is estimated that most large companies spend between 2% and 4% of their IT budget on IT Disaster Recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that had a major loss of business data, 43% never reopen, 29% close within two years, and only 6% will survive long-term. The Henley Management Centre found in UK SME research that 40% of businesses suffer a terminal failure as a result of an IT disaster or business continuity incident, but the research also showed that some UK SMEs operate effective DR plans beyond a basic dependence on backup tapes.

In this ever rapidly changing and complex world, CRA’s risk analysis methodology has many benefits. Fundamentally risk analysis identifies and targets expenditure and resources to mitigate risk. The benefits can be summarised as:

1. Risks can be prioritised by probable loss size and probability of occurrence;
2. Applying the model provides the necessary focus on quantifying the achievable;
3. Costs are reduced through increasing resilience of processes and equipment leading to fewer and smaller losses;
4. The cost benefit analysis is transparent and fully auditable for strengthening investment decisions;
5. Business continuity and resilience can be planned and managed and accurate recovery time lines can be identified, tested and implemented.

CRA expertise is derived from our multi-disciplinary team’s wide ranging experience and diverse set of skills in Process Modeling and Risk Management, encompassing Operational, Technical and Managerial disciplines across a broad range of sectors. When this is combined with acknowledged leaders in the legal risk and IT disaster recovery sectors, clients can gain unparalleled insight regarding where financial and personnel resources should be deployed to reduce risk in the most efficient way. For further information

For further information about how CRA can help analyse and reduce your IT risk please contact Azhar Mohd-Hashim ahashim@c-risk-a.co.uk or call 01372 860846.

About CRA

Founded in 2000, Corporate Risk Associates (CRA) has developed into a key player in delivering quantified risk analyses to the mission critical industries – Energy including Nuclear, Oil and Gas, Transportation, Defence, Finance and Data Centre. CRA is the largest integrated Operational Probabilistic Risk Analysis consultancy in the UK.

Innovators in the world of risk, the CRA team members have been involved in Operational Risk Analysis, Enterprise risk and due diligence since the late seventies. In recent times, CRA have created a Probabilistic Risk Analysis framework to cover all aspects of Operational Risk Analysis from Process Mapping, Risk Identification and Quantification, Risk Mitigation through to Post Loss Event Analysis. Risk ranked insights are derived using the As Low As Reasonably Practicable (ALARP) concept combined with Real Options Analysis. CRA firmly believe that this approach which is already well established in oil and gas, and nuclear power industries, is unmatched by any other quantified technique in the market place. CRA is ISO9001 and ISO14001 certified.

Please contact Azhar Hashim at ahashim@c-risk-a.co.uk or call CRA on 01372 860 846 for more information about how CRA can assess and help you reduce your risk.

About On Demand Recovery

OnDemand Recovery are an Asigra Hybrid Partner, providing Cloud Backup and Recovery as Public, Private and Hybrid Cloud services. We help our clients improve recovery outcomes, simplify backup, reduce their capital expenditure and ongoing costs through the provision of services that automate processes and remove human intervention wherever possible. OnDemand Recovery were honoured as Asigra Partner of the Year 2013. In both 2012 and 2013 we were also recognised for our work in social media to help organisations understand more about innovative, Enterprise Cloud Backup and Recovery services.

Our key staff that have worked closely with Asigra since 2005 and there is a direct trading relationship between Asigra and OnDemand Recovery. Our Technical staff have actively participated in beta testing programmes since 2008 and in 2013 we were invited onto the Asigra European Partner Advisory Council, an invitation-only forum that connects Asigra executives to a select group of focussed Asigra cloud service providers.

We have developed an enviable global client base in the energy, telecoms, finance, healthcare, IT software development, data centre, manufacturing, professional services and not-for-profit sectors. For further information please look at www.ondemandrecovery.com or call 0330 088 3160.