What should you ask?
What questions should executive management or non-executive directors ask of the risk manager? How do you create an opening? They are presented with the risk framework for the company and given all the reasons why they should adopt it – so they normally do. They set the risk appetite of the company, but that’s a process largely based on experience, the past, things which are known. They are presented with a risk register that categorises the various risk sources and as far as they are able to ask questions and turn over stones, they agree with its reasonableness and adopt it – again a document essentially based on past experience. Then they address the business continuity management documentation. If they are sharp, they will look at the business impact analysis schedule and study how closely it aligns with the risk register – if there seems to be a high degree of commonality, they will probably adopt it.
What is a guarantee worth?
What about all those systems on which the company depends: firewall protection, anti-viral protection, unusual transaction detection, large downloads of data, sudden bursts of email to foreign sites or ISPs with which the company does not do business? What are the guarantees that these systems and others will not fail? The truth is that no one is going to give that sort of guarantee and the consequences may be minor and temporary – or they could be catastrophic. So, how do you find out?
Two approaches commend themselves: one is to put the various key ‘risk’ specialists on the spot and ask them ‘what is your nightmare scenario?’ and how they would remediate or mitigate it. You need to get beyond the neat conclusions and graded consequences that are set out in ‘the plan’. The other is to reflect more specifically on key areas where risk has corporate impact. It’s not very helpful to say risk touches everything, so in this piece we will take just two risk areas:
Your information
• Networks – the first and most crucial aspect is intrusion detection: a combination of firewall architecture, active monitoring and investigation by the information security managers and the diligent application of ‘patches’ as soon as they are advised. How do you test that this is happening regularly?
• What redundancy is built into the network design – will it take account of the scenarios that lie behind the consequence analysis in the business impact analysis or did budget cuts constrain this?
• How effective are the access controls to the hardware of the system? Are they audited? Are they independently reviewed?
• Access control to the system and the buildings – investigation of lost key cards, correct authorisation of access to key areas;
• Classification system for business critical information, the loss of which would seriously threaten the operation of the company, create difficulties with regulatory authorities or cause a slump in the share price – is there such a system and is it backed by a monetary impact valuation;
• Are there clear policies and procedures in place for the information systems and are these current – e.g. do they take account of social media?
• Is there regular audit of the system for compliance and the investigation of anomalies? Is that at arm’s length?
• Are applications managed? Who credentials people for access, on what basis and are there procedures for cutting access as soon as the requirement no longer exists?
• Who reviews and culls the list of access privileges; what criteria are they given; to whom do they report; what happens after that?
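The patching question above (“how do you test that this is happening regularly?”) is answered with evidence rather than assurance: a record of when each advisory was published and when each host actually received the fix, measured against the time the company allows itself. The following is an added illustration written for this piece, not code from the author or from any product; the advisory ids, host names, dates and the SLA figures are constructed assumptions.

```python
"""Patch-timeliness check: turn 'patches are applied promptly' into a measured fact.

Added illustration, not from the article. Advisory ids, host names, dates
and the SLA values below are constructed assumptions.
"""
from datetime import date

# Assumed internal SLA: days allowed between an advisory being published
# and the fix being deployed, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def evaluate_patching(advisories, applied, hosts, today):
    """Compare every (host, advisory) pair against the SLA.

    advisories: {adv_id: (published_date, severity)}
    applied:    {(host, adv_id): date_applied}   (missing key = not applied)
    Returns a dict with the pairs checked, SLA breaches, work still within
    its window, and an overall compliance ratio.
    """
    breaches, pending = [], []
    checked = 0
    for adv_id, (published, severity) in advisories.items():
        allowed = SLA_DAYS[severity]
        for host in hosts:
            checked += 1
            done = applied.get((host, adv_id))
            if done is None:
                outstanding = (today - published).days
                if outstanding > allowed:
                    breaches.append((host, adv_id, "not applied", outstanding))
                else:
                    pending.append((host, adv_id))
            else:
                latency = (done - published).days
                if latency > allowed:
                    breaches.append((host, adv_id, "late", latency))
    compliance = 1 - len(breaches) / checked if checked else 1.0
    return {"checked": checked, "breaches": breaches,
            "pending": pending, "compliance": compliance}


def run_sample():
    """Constructed data: three advisories, three hosts, one review date."""
    today = date(2024, 6, 30)
    advisories = {
        "ADV-1": (date(2024, 6, 1), "critical"),
        "ADV-2": (date(2024, 6, 15), "high"),
        "ADV-3": (date(2024, 4, 1), "medium"),
    }
    hosts = ["web01", "db01", "file01"]
    applied = {
        ("web01", "ADV-1"): date(2024, 6, 5),    # 4 days: within SLA
        ("db01", "ADV-1"): date(2024, 6, 20),    # 19 days: late for critical
        # ("file01", "ADV-1") never applied: 29 days outstanding, breach
        ("web01", "ADV-2"): date(2024, 6, 20),
        # ("db01", "ADV-2") not yet applied: 15 days, still inside 30-day window
        ("file01", "ADV-2"): date(2024, 6, 18),
        ("web01", "ADV-3"): date(2024, 5, 1),
        ("db01", "ADV-3"): date(2024, 6, 29),    # 89 days: just inside medium SLA
        ("file01", "ADV-3"): date(2024, 6, 25),
    }
    return evaluate_patching(advisories, applied, hosts, today)


if __name__ == "__main__":
    result = run_sample()
    print(f"checked {result['checked']} host/advisory pairs, "
          f"compliance {result['compliance']:.0%}")
    for host, adv, why, days in result["breaches"]:
        print(f"  BREACH {host} {adv}: {why} ({days} days)")
    for host, adv in result["pending"]:
        print(f"  pending {host} {adv}")
```

The figure a board should ask for is the compliance ratio over time together with the list of breaches, because a single missed critical patch on one host is what the “nightmare scenario” question is really about; a summary that only reports the average latency hides it.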
Your people
• How reliable are the background checks you undertake on prospective staff members and, in some cases, on prospective sub-contractors or consultants? The extent of these will vary with the access you propose to give them to business critical information, but the time to do them is before any probationary period of employment finishes;
• Investigations: we are talking here both about pro-active investigations and reactive investigations. The latter tend to be occasioned when assets are found to be missing, fraud or misrepresentation is suspected or the company is affected adversely in some way. The former are just as important and, like audits, should be undertaken on a periodic or rolling basis to provide board and management with assurance, identify areas where further training or education may be required and provide focus for closer supervision by line managers;
• Code of conduct, which not only encapsulates the company’s or institution’s values, but also clearly defines boundaries for staff. If you do not spell these out, you cannot expect people to guess them;
• Information security: as noted earlier in this piece, the automatic systems on the network provide first and second line protection, but their responses are all pre-programmed. How current is the skill set of those monitoring your systems? How often is it refreshed? How energetically do they pursue an understanding of the profile and origin of attacks on your firewall? It may be worth your peace of mind to have an audit run in this area, rather than commission another round of penetration testing;
• Misconduct poses a risk to the company’s reputation and should prompt a raft of ‘how’ questions. Is the ‘culture program’ less embedded than would have been hoped; is the Code of Conduct too generalised; is line management impacting in these areas; is the behaviour individual, confined to a work area or systemic in the company? If there is no analysis, learning and rectification when required, then the abnormal becomes the norm;
• Exit program – is there a thorough program in place that reminds separating staff of confidentiality obligations and has them sign such an undertaking (mirroring the process on recruitment); recovers company property, especially access cards, codes, PDAs, tablets, etc.; removes their access to property and systems; affords them an opportunity to record any observation on their period of employment with the company;
• Workplace violence – programs around this threat protect the individual, the customer and the company. Like OH&S, when it comes to an inquiry after an ‘incident’, there will be a clear expectation that front-line staff have had training; procedures and back-up support are in place; all are familiar with them; and reporting of all incidents is both mandatory and investigated.
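Two of the questions above, who culls the list of access privileges and on what criteria (under “Your information”) and whether the exit program actually removes a leaver’s access to systems (under “Your people”), are answered by the same piece of evidence: a reconciliation of the access list against the HR roster. The following is an added illustration written for this piece, not code from the author or from any identity product; the roster, the grants, the role-to-system entitlements and the 90-day re-attestation period are constructed assumptions.

```python
"""Access privilege review: reconcile system access against the HR roster.

Added illustration, not from the article. The people, grants, role
entitlements and review period below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed mapping of job role -> systems that role legitimately needs.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll", "email"},
    "sales_rep": {"crm", "email"},
    "sysadmin": {"payroll", "crm", "email", "core_switch"},
}

# Assumption: every grant must be re-attested by a reviewer each quarter.
REVIEW_PERIOD = timedelta(days=90)


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    status: str                     # "active" or "left"
    exit_date: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    person_id: str
    system: str
    privilege: str                  # "user" or "admin"
    last_reviewed: date


def review_access(roster, grants, today):
    """Return (grant, reason) findings in the order a reviewer should action them.

    Criteria, in priority order:
      1. orphan   - the account has no roster record at all
      2. leaver   - the person has left but the grant is still active
      3. ended    - the person's current role does not need this system
      4. stale    - the grant has not been re-attested within REVIEW_PERIOD
    """
    people = {p.person_id: p for p in roster}
    findings = []
    for g in grants:
        p = people.get(g.person_id)
        if p is None:
            findings.append((g, "orphan: no roster record"))
            continue
        if p.status == "left":
            since = f" {(today - p.exit_date).days} days after exit" if p.exit_date else ""
            findings.append((g, f"leaver: access still active{since}"))
            continue
        if g.system not in ROLE_ENTITLEMENTS.get(p.role, set()):
            findings.append((g, f"ended: role '{p.role}' does not need '{g.system}'"))
        if today - g.last_reviewed > REVIEW_PERIOD:
            findings.append((g, "stale: not re-attested within review period"))
    priority = {"orphan": 0, "leaver": 1, "ended": 2, "stale": 3}
    findings.sort(key=lambda f: priority[f[1].split(":")[0]])
    return findings


def run_sample():
    """Constructed roster and access list reviewed on one date."""
    today = date(2024, 6, 30)
    roster = [
        Person("e100", "payroll_clerk", "active"),
        Person("e200", "sales_rep", "active"),          # moved here from sysadmin
        Person("e300", "sysadmin", "left", date(2024, 5, 1)),
    ]
    grants = [
        Grant("e100", "payroll", "user", date(2024, 5, 15)),      # in order
        Grant("e200", "core_switch", "admin", date(2024, 6, 1)),  # old role's access
        Grant("e300", "crm", "admin", date(2024, 3, 1)),          # leaver, 60 days on
        Grant("e999", "email", "user", date(2024, 6, 1)),         # nobody owns this
        Grant("e100", "email", "user", date(2024, 1, 10)),        # never re-attested
    ]
    return review_access(roster, grants, today)


if __name__ == "__main__":
    for grant, reason in run_sample():
        print(f"{grant.person_id:>5} {grant.system:<12} {grant.privilege:<6} {reason}")
```

The point for a director is the criteria and the reporting line, not the script: each finding category maps to one of the questions in the lists above (who culls, on what basis, how fast access is cut after the requirement ends) and the number of “leaver” and “orphan” findings in any given quarter is a direct measure of whether the exit program and the credentialing process are working.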
What to do?
The questions you ask after reading and listening to reports on these areas of corporate activity are the key to developing an informed picture of the risks faced by your company or institution. Keep this list to hand to get you started. The questions need to be developed and focused.
Gerard Walsh
Gerard Walsh is a business risk and resilience management consultant with over 25 years’ security experience, including Corporate Security with global responsibility for AMP, and a former Deputy Director-General of ASIO.
Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.