Maturing Business Resilience Through Integrated Risk Management

Sam Abadir, LockPath

With a new year comes a clear-eyed and optimistic perspective – a clean slate, a new leaf, a fresh start. It’s important to leverage these moments of clarity and opportunity into better planning before we are once again swept up in the muddle and rush of the daily grind.

The punishing disruptions of 2017 — hurricanes, massive data breaches, global ransomware attacks, and revelations of gross misconduct across many industries — should compel executives to focus on business continuity planning as they steer their enterprises into the uncharted waters of 2018. The list of new risk management priorities is already growing: GDPR compliance, cryptocurrency hacking, Shadow Brokers exploits, rapid Internet of Things proliferation, and Meltdown/Spectre vulnerabilities.

The disruptions, outages, and disasters capable of significantly impacting a modern enterprise can originate from many sources — internal and external, cyber and physical. The fallout can include damage to property and infrastructure, financial health, operations, and reputation, often in toxic combinations with cascading and unpredictable effects.

Careful, comprehensive risk assessment and detailed incident response planning are crucial to sustaining operations, revenue, and public trust in such a pressure-cooker environment.

Intelligent Risk Assessment

Business continuity/disaster recovery (BC/DR) planning optimizes the capabilities an organization needs to transition expeditiously from business interruption to business-as-usual. Modern enterprises dependent on a hybrid web of digital technology infrastructure and global supply chains cannot expect to respond and recover efficiently without well-rehearsed procedures and enterprise-wide systems.

The number of companies that have done little to none of this essential risk management work is astonishing; EY reports that 40 percent of businesses that experience a disaster go out of business within five years.

Thanks in part to Shadow Brokers exploits, a record-breaking breach at Equifax, and a cover-up scandal at Uber, board members are more attuned to their IT risks and more focused on BC/DR.

Business and IT leaders need to put data-driven processes in place so they know what to expect when risk becomes reality, and can communicate these insights to stakeholders. It’s important to model a variety of scenarios that include predictions about how long outages will last, how services, products, and revenues will be affected, what remediation will cost, and what the regulatory consequences might be.

Begin by planning around common threats and risks and mapping out possible scenarios specific to your company or industry. Prioritize risks such as hacking, fraud, and vendor failure.

Large-scale threats that are less likely but have potentially devastating consequences should still be addressed, especially if your business is particularly vulnerable to hurricanes or geopolitical strife. Initial efforts to mature business continuity should focus on identifying and planning for risks related to cybersecurity fundamentals, internal threats, and third parties.

Prepare for Things to Get Complicated

How do you plan for the unpredictable? This question goes straight to the core of integrated risk management. Only by acknowledging the complexity and interdependencies of modern enterprises – and implementing comprehensive systems and processes designed to find, define, and mitigate risks on a continuous basis – can we begin to develop greater control and agility.

Business continuity and incident response should be continuously optimized through coordinated planning, testing, and evaluation. Controls should be selected based on risk assessments and implemented through systematized processes that can be tracked and analyzed.

BC/DR plans should be kept up-to-date, incorporating software, infrastructure, vendor, personnel, and regulatory changes in addition to shifts in enterprise offerings, consumer priorities, and markets. To address third-party risk, include resiliency-oriented planning up front in contracts, negotiations, and acquisitions. Consistently enforce high standards for security-by-design, especially with IoT vendors and implementations.

Finally, when considering how to mitigate the impact of negative events, don’t forget to think through the cascading effects. Business operations depend on an ecosystem of people, processes, and technology, some of it controlled internally and much of it controlled by outside parties.

In the midst of executing core BC/DR plans to get operations back to normal, executives and managers will also have to communicate with various stakeholders and resolve issues related to employees, customers, supply chain partners, health and safety, and regulatory compliance.

Resiliency Builds Trust

In times of opportunity, disruption, and disaster, the best outcomes are only possible when everyone pitches in. Resiliency requires vision, leadership, and investment. Because BC/DR program effectiveness impacts everything from the bottom line to brand reputation, initiatives should involve a broad selection of business and operations managers.

Our digitally transformed economy relies on public trust. Vulnerabilities evolve and overlap, attackers grow more sophisticated, and the public becomes wary (and weary) as headlines highlight dangers around every Internet corner.

As partners and consumers become more aware and discerning, they begin to see insufficient risk management, sloppy security protocols, and non-compliance with industry standards as willful negligence.

There’s a lot of work to be done. Business resiliency starts with good governance practices. Governance, risk management, and compliance (GRC) initiatives may not be perceived as exciting, but they are essential. We use automation and advanced analytics to enhance marketing, R&D, infrastructure management, logistics, and so much more.

We must similarly support GRC and IT security teams by investing in intelligent, flexible software platforms that streamline and centralize the systematic assessment, tracking, and remediation of risk across the enterprise.

Data and digital systems are critical to business operations. To keep everything running, we have to achieve levels of visibility and control that are only feasible through a combination of technology support, responsible leadership, and an enterprise-wide commitment to maturing resilient response and recovery capabilities.

Sam Abadir is the vice president of Industry Solutions at Lockpath, a leading provider of compliance and risk management software.


Are your risk management and control measures working?

By John Verver, CPA CA, CISA, CMC, advisor to ACL

Being able to review a reliable assessment of the risk and control universe is a great starting point, but your enterprise resource planning (ERP) system simply isn’t designed to give you one. The next essential (but often missing) step is to get insight into what is actually happening: what is working well and what is, in reality, a problem. It is here that ERP systems really start to let you down.


Traditionally, your internal auditors and other internal control specialists review procedures, perform walk-throughs and test sample transactions occasionally. You could also be asked to confirm that the controls you are responsible for are effective.

Data analytics transforms risk assessment

The basic concept is not complicated: use data analysis software to examine every transaction in an entire population of data (e.g., every recorded activity that took place within a financial or business process) to determine whether:

  1. The transaction complies with the control procedures that should be in place.
  2. There are indications that there are risks and problems for which no effective control is in place.

This is achieved by testing every transaction in multiple ways. For example, a payment amount to a vendor can be examined to determine that:

  • the vendor is valid, properly approved, and not duplicated in the vendor master file; is not on an excluded-parties or do-not-pay list; and does not appear in a politically exposed persons database (relevant to FCPA compliance)
  • the payment matches to an invoice, which matches to goods received records, which matches to a properly approved purchase order (PO) and that there have been no attempts to circumvent approval controls by splitting PO payments into smaller amounts just under an approval threshold
  • payments have not been duplicated due to erroneous or deliberate changes in invoice number details.

Best-in-class leaders apply dozens of similar automated tests across transactions in each business process area on a regular basis to get insight into their process health.
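The vendor-payment tests above, as an added example that is not ACL’s software or the article’s own code. It runs the four checks (vendor validity and duplication, excluded-party screening, the three-way match, split purchase orders under an approval threshold, and duplicate payments hidden behind edited invoice numbers) over a constructed accounts-payable sample; the record layouts, the 5,000 approval threshold and the same-day grouping rule for split detection are assumptions made for the example.

```python
"""Automated control tests over accounts-payable transactions.

Added illustration, not ACL's software or the article's own code. All
vendor-master, purchase-order, receipt, invoice and payment records are
constructed sample data; column names, the 5,000 approval threshold and
the same-day grouping used for split detection are assumptions.
"""
import re
from collections import Counter, defaultdict

APPROVAL_THRESHOLD = 5_000.00  # assumed single-approver limit

# Constructed vendor master: V100/V101 share a tax id (duplicate vendor),
# V103 is not approved and also sits on the do-not-pay list.
VENDORS = [
    {"id": "V100", "name": "Acme Supply", "tax_id": "11-1111", "approved": True},
    {"id": "V101", "name": "Acme Supply Inc", "tax_id": "11-1111", "approved": True},
    {"id": "V102", "name": "Bolt Works", "tax_id": "22-2222", "approved": True},
    {"id": "V103", "name": "Quick Consult", "tax_id": "33-3333", "approved": False},
]
EXCLUDED_TAX_IDS = {"33-3333"}  # constructed do-not-pay / excluded-party list

PURCHASE_ORDERS = [  # PO1 and PO2: two same-vendor POs just under the threshold
    {"po": "PO1", "vendor": "V100", "amount": 4_900.00, "approved": True},
    {"po": "PO2", "vendor": "V100", "amount": 4_900.00, "approved": True},
    {"po": "PO3", "vendor": "V102", "amount": 12_000.00, "approved": True},
]
RECEIPTS = [{"po": "PO1"}, {"po": "PO2"}, {"po": "PO3"}]
INVOICES = [
    {"inv": "INV-001", "po": "PO1", "vendor": "V100", "amount": 4_900.00},
    {"inv": "INV-002", "po": "PO2", "vendor": "V100", "amount": 4_900.00},
    {"inv": "INV-777", "po": "PO3", "vendor": "V102", "amount": 12_000.00},
    {"inv": "INV/777", "po": "PO3", "vendor": "V102", "amount": 12_000.00},  # same invoice, punctuation changed
    {"inv": "INV-900", "po": None, "vendor": "V103", "amount": 800.00},       # no purchase order at all
]
PAYMENTS = [
    {"pay": "P1", "inv": "INV-001", "vendor": "V100", "amount": 4_900.00, "date": "2018-01-03"},
    {"pay": "P2", "inv": "INV-002", "vendor": "V100", "amount": 4_900.00, "date": "2018-01-03"},
    {"pay": "P3", "inv": "INV-777", "vendor": "V102", "amount": 12_000.00, "date": "2018-01-10"},
    {"pay": "P4", "inv": "INV/777", "vendor": "V102", "amount": 12_000.00, "date": "2018-01-12"},
    {"pay": "P5", "inv": "INV-900", "vendor": "V103", "amount": 800.00, "date": "2018-01-15"},
]


def normalize_invoice(number):
    """Collapse cosmetic edits (punctuation, case) so 'INV-777' == 'INV/777'."""
    return re.sub(r"[^A-Z0-9]", "", number.upper())


def run_tests(vendors, excluded, pos, receipts, invoices, payments,
              threshold=APPROVAL_THRESHOLD):
    """Return {payment id: sorted list of exception codes} for every payment
    that fails at least one test. Payments with no findings are absent."""
    flags = defaultdict(set)
    vendor_by_id = {v["id"]: v for v in vendors}
    tax_counts = Counter(v["tax_id"] for v in vendors)
    po_by_id = {p["po"]: p for p in pos}
    received = {r["po"] for r in receipts}
    inv_by_id = {i["inv"]: i for i in invoices}

    for p in payments:
        # 1. Vendor master tests: approved, unique, not on an excluded list
        v = vendor_by_id.get(p["vendor"])
        if v is None or not v["approved"]:
            flags[p["pay"]].add("UNAPPROVED_VENDOR")
        if v and tax_counts[v["tax_id"]] > 1:
            flags[p["pay"]].add("DUPLICATE_VENDOR")
        if v and v["tax_id"] in excluded:
            flags[p["pay"]].add("EXCLUDED_VENDOR")

        # 2. Three-way match: payment -> invoice -> goods received -> approved PO
        inv = inv_by_id.get(p["inv"])
        po = po_by_id.get(inv["po"]) if inv else None
        matched = (inv is not None and po is not None and po["approved"]
                   and po["po"] in received
                   and inv["amount"] == po["amount"] == p["amount"])
        if not matched:
            flags[p["pay"]].add("NO_THREE_WAY_MATCH")

    # 3. Split purchases: several same-day payments to one vendor, each under
    #    the threshold, whose total would have needed a higher approval
    groups = defaultdict(list)
    for p in payments:
        if p["amount"] < threshold:
            groups[(p["vendor"], p["date"])].append(p)
    for group in groups.values():
        if len(group) > 1 and sum(p["amount"] for p in group) >= threshold:
            for p in group:
                flags[p["pay"]].add("SPLIT_PO")

    # 4. Duplicate payments: same vendor, amount and normalized invoice number
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor"], normalize_invoice(p["inv"]), p["amount"])].append(p["pay"])
    for pays in seen.values():
        if len(pays) > 1:
            for pay in pays:
                flags[pay].add("DUPLICATE_PAYMENT")

    return {k: sorted(v) for k, v in flags.items()}


def audit_sample():
    """Run the tests over the constructed sample."""
    return run_tests(VENDORS, EXCLUDED_TAX_IDS, PURCHASE_ORDERS, RECEIPTS,
                     INVOICES, PAYMENTS)


if __name__ == "__main__":
    for pay, codes in sorted(audit_sample().items()):
        print(pay, ", ".join(codes))
```

Each test is independent and cheap, so the whole population can be re-run on every batch rather than sampled; the exception codes feed a case queue, and a payment that trips several codes at once (P5 here: unapproved, excluded, and unmatched) is the one to look at first.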

Using data to find unusual trends

Another important form of data analysis and monitoring is to examine all the transactions that took place within a given business process in search of problems and opportunities to improve. Your data is very telling in response to questions like:

  • Why are overtime payments, or travel expenses, unusually high in one specific office?
  • Why is one vendor paid twice as much as other vendors for the same type of item?
  • Why is a previously dormant account suddenly used for a series of journal entries?
  • What trends indicate a problem that’s consistently worsening?
  • Or what turns out to be far less of an actual problem than was originally thought?
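Three of the questions above (the office with unusually high overtime, the vendor paid far more than its peers for the same item, and the dormant account that suddenly carries journal entries) as added example code, not ACL’s software or the article’s own. The expense, purchase and journal data are constructed; the MAD-based outlier cutoff, the 1.5x price ratio and the 180-day dormancy window are assumptions chosen for the example.

```python
"""Trend and outlier tests over whole transaction populations.

Added illustration, not ACL's software or the article's own code. The
overtime lines, purchase lines and journal entries are constructed sample
data; the thresholds (k=3 robust deviations, 1.5x price ratio, 180-day
dormancy) are assumptions made for the example.
"""
from collections import defaultdict
from datetime import date
from statistics import median

OVERTIME = [  # (office, employee, overtime hours this month), constructed
    ("Austin", "e1", 6), ("Austin", "e2", 8), ("Austin", "e3", 5),
    ("Boston", "e4", 7), ("Boston", "e5", 9), ("Boston", "e6", 6),
    ("Denver", "e7", 41), ("Denver", "e8", 38), ("Denver", "e9", 45),
    ("Miami", "e10", 4), ("Miami", "e11", 10), ("Miami", "e12", 7),
]

PURCHASE_LINES = [  # (vendor, item code, quantity, line total), constructed
    ("V100", "toner-42", 10, 900.00),    # 90 per unit
    ("V102", "toner-42", 10, 950.00),    # 95 per unit
    ("V105", "toner-42", 10, 1_900.00),  # 190 per unit: twice the going rate
    ("V100", "paper-A4", 50, 250.00),
    ("V102", "paper-A4", 50, 260.00),
]

JOURNAL = [  # (account, posting date, amount), constructed
    ("6100", date(2017, 1, 15), 120.0),
    ("6100", date(2017, 2, 15), 130.0),
    ("6100", date(2017, 3, 15), 125.0),
    ("2950", date(2016, 11, 2), 500.0),     # then silence for over a year ...
    ("2950", date(2017, 12, 28), 9_800.0),  # ... then a burst at year end
    ("2950", date(2017, 12, 29), 9_700.0),
    ("2950", date(2017, 12, 30), 9_900.0),
]


def office_outliers(rows, k=3.0):
    """Average overtime per employee by office; flag offices more than k
    robust standard deviations (median absolute deviation scaled by 1.4826)
    above the median office. A single extreme office cannot drag the
    baseline the way a mean/stdev test would."""
    hours = defaultdict(list)
    for office, _employee, h in rows:
        hours[office].append(h)
    avg = {office: sum(v) / len(v) for office, v in hours.items()}
    med = median(avg.values())
    mad = median(abs(a - med) for a in avg.values()) or 1.0
    return sorted(o for o, a in avg.items() if (a - med) / (1.4826 * mad) > k)


def vendor_price_outliers(lines, ratio=1.5):
    """Unit price per vendor for each item versus the median unit price for
    that item across vendors; return (item, vendor, price/median) for
    vendors paid more than ratio times the median."""
    unit = defaultdict(dict)
    for vendor, item, qty, amount in lines:
        unit[item][vendor] = amount / qty
    flagged = []
    for item, prices in unit.items():
        med = median(prices.values())
        for vendor, price in prices.items():
            if price > ratio * med:
                flagged.append((item, vendor, round(price / med, 2)))
    return sorted(flagged)


def reactivated_accounts(entries, dormant_days=180):
    """Accounts whose consecutive postings are separated by more than
    dormant_days; return (account, gap in days, first amount after the gap)."""
    by_account = defaultdict(list)
    for account, posted, amount in entries:
        by_account[account].append((posted, amount))
    found = []
    for account, posts in by_account.items():
        posts.sort()
        for (d0, _), (d1, amount) in zip(posts, posts[1:]):
            gap = (d1 - d0).days
            if gap > dormant_days:
                found.append((account, gap, amount))
    return sorted(found)


if __name__ == "__main__":
    print("overtime outliers:", office_outliers(OVERTIME))
    print("overpaid items:", vendor_price_outliers(PURCHASE_LINES))
    print("reactivated accounts:", reactivated_accounts(JOURNAL))
```

None of these tests proves wrongdoing; each produces a short list of places where the population behaves differently from its peers or its own past, which is exactly what an auditor wants to spend walk-through time on. The last point in the list above is served by the same output: an office or vendor that does not appear is a concern that the data has already narrowed down.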

Why not rely on the ERP system?

It is a fair question. In an ideal world, every business process application would have built-in controls that prevent any erroneous, invalid or suspicious transactions from taking place.

Unfortunately, the reality is that no control is perfect or foolproof. And adding more controls isn’t necessarily the answer: the more controls that are in place, the more likely that processes become unacceptably slow and cumbersome—spurring employees to come up with innovative ways to bypass controls just to get their work done. Furthermore, you may not be able to easily have your ERP configured to match your process, especially when it’s a shared service across multiple organizations and your change may have several unforeseen downstream impacts.

When data analysis and transaction monitoring are performed after the fact, it is relatively simple to determine where the primary control weaknesses are occurring. Problem transactions can be quickly identified and addressed. Control weaknesses that allowed the problem to occur can be strengthened to prevent a recurrence. And no one has to stay late jumping through hoops.

And, big bonus: transaction analysis and monitoring can actually become an additional level of control, both reinforcing those controls that are already in place and compensating for those ERP-based controls that are either not working effectively or not in place at all.