January 20, 2010

The First and Last Line of Organizational Defense

Business Assurance makes organizations resilient in the face of growing risks from technology advances and global interconnectedness.

Rapid technology advances and the need to deliver goods and services more efficiently means organizations are more vulnerable to systemic shocks and damaging incidents than ever before. Moreover, the increasing interconnectedness of people and systems means these events are no longer isolated. To deal with these challenges, organizations are embracing a ‘business assurance’ construct: integrated risk-management strategies combining physical, information, and IT security controls to effectively manage access to vital information resources, and ensure business continuity and increased resilience, according to a new report by Booz & Company.


Cascading Risks

Systemic shocks like earthquakes, blackouts or terrorist attacks have increased recently, and other technology incidents threaten the operations or livelihoods of companies, governments, and individuals. Growing digitalization, societal interconnectedness, and lean operations cause such events to cascade throughout business operations and society. This is further complicated by “complexity risks,” which affect all traditional domains, such as the protection of critical infrastructures, cyber security, food and water security, and energy security.

“Public- and private-sector mandates for greater efficiency in protecting organizations, although critical to the growth of productivity, add layers of risk,” explained Ramez Shehadi, the Booz & Company partner leading the Technology Practice in the region. “Operations optimization, process automation, and digitalization all expose organizations to significant vulnerabilities.” Technologies that increase the effectiveness of organizations and drive societal interconnectedness also create new risks and may cause greater damage. An estimated US$1 billion has been stolen from financial institutions and corporations in the Middle East by organized cyber criminals, according to a report published in the ISSA Journal, June 2008. In addition, an article published in Computer Weekly in December 2007, reported that in 2007, a Dubai-based gang stole roughly $60 million by accessing consumers’ online credit card information, even from government-services Web sites. These details were then used to make cash withdrawals and to buy gold and diamonds online.

“Potential solutions to such challenges need to include both the technological and the management layers of organizations in “living” system that allows for the adaptability and flexibility necessary to match today’s high-risk environment,” stated Alessandro Gazzini, principal at Booz & Company. The right solutions also all call for the interaction of multiple stakeholders, including public–private partnerships and international collaboration.


The Status Quo Is Inadequate

Traditional security programs are not capable of coping with the new and emerging vulnerabilities of today, despite general progress in advancing security, continuity, and crisis management capabilities. Gains are often limited because they have fostered the development of ‘stovepipes’—when functional capabilities are developed to address specific types of risks or vulnerabilities in isolation from each other. They don’t allow for an integrated and consistent view of risks and lead to unnecessary duplication of activities and potential investments. “This traditional approach often leads to a decrease in efficiency and potency, critical gaps are created, and an unacceptable level of risk is reached,” commented Shehadi. The “stove pipe” reality clashes strongly with the way adversaries operate and with the reality of any natural hazard which impact the company across all functions and departments.

The tendency to spend so much time and attention on establishing physical security controls means organizations ignore critical proprietary information or assets made vulnerable by digitalization. Moreover, organizations’ IT departments are often not represented in board discussions, limiting their ability to increase risk awareness.

“An integrated risk management strategy that takes into account the right physical, information, and IT security controls required to effectively manage access to and use of key company information, is imperative,” said Gazzini.


The Case for a New Approach

While organizations cannot predict or avoid every risk, an organization needs to be able to mitigate and absorb their impact, by establishing and continuously strengthening its ability to maintain operations in the event of an incident; to become organizationally resilient.

Globalization and other pressures have forced organizations to focus on their efficiency and effectiveness in delivering a better product or service for the same investment. They are now examining how resilient their operations are to unforeseen shocks: any disruption to delivery of an organization’s core products or services means it is no longer competitive. “Organizations may even no longer have a reason to exist if the trust of stakeholders is lost,” Shehadi commented.

Leading countries and organizations are beginning to understand the need to build resilient organizations in the face of this emerging and cascading risk environment, something Booz & Company refers to as business assurance.


The Business Assurance Model

The business assurance model aims to ensure protection and continuity of an organization’s core services or business and is based on the development and integration of functional capabilities, enabling factors, and governance capabilities. The model’s first task is to establish an organization’s functional capabilities, which fall under four main categories:

  • Risk analysis: Identifies potential “pain points” and establishes an early-warning system for threats, vulnerabilities, and impacts to critical assets and processes. Extends to business processes across the organization.

  • Integrated security: Reduces the possibility of risks through implementation of protective measures. Takes segregated safety and security capabilities and integrates them across physical, IT-based, and personnel domains.

  • Continuity planning: Reduces the impact of events through the planning, design, and implementation of recovery targets and a continuity strategy. Focuses on critical business processes and assets.

  • Incident response: Prepares an organization to manage events by adopting an “all hazards” approach. Establishes at a minimum an incident response framework and crisis communications protocols.

The four functional capabilities of the business assurance model are supported by enabling factors—the people, infrastructure, and technology that can help an organization recover in the event of an incident. Companies must also put in place the governance capabilities necessary to build and maintain an efficient system.

The integration of functional capabilities, enabling factors, and governance capabilities is vital. They must work together through an operational life cycle—identify, plan, build, execute, and maintain—to help form an ongoing resilience framework in which everything is working together to help deliver the organization’s core products or services. “Through this life cycle, the business assurance model becomes an operational economy with governance, functional, and enabling factors all having a role to play in every phase of the event life cycle,” Gazzini stated.

The integration of these capabilities and factors is driven by both internal and external stimuli and will result in a broad and shared awareness of risks, a reduced chance of overlap or duplication of activities, the optimization of investment and resource allocations, and a single risk and security snapshot for senior leaders across an organization, among other benefits.

The challenge in creating a business assurance program is in striking the right balance between facilitating organizational integration and building capabilities. Some companies may choose to first develop their capabilities—such as those that have recently gone through a major organizational change and are reluctant to undertake another. “Others may choose to emphasize organizational structure first, such as those that have relatively mature capabilities that exist in stovepipes and need to be integrated. To be truly resilient, companies will have to address both domains,” stated Shehadi.

Booz & Company’s business assurance model has now been deployed in multiple client engagements. It has generated significant near-term results, including:

  • Management’s anticipation of and attention to “minor” events before they escalated to “major” status.

  • A centralized view on operational risks across the organization with updated information on and control of incidents across the different business units/countries.

  • Collaboration and communication in case of critical events.

  • An improved overall response capability with emphasis on establishing an active early-warning system.

  • Data-intensive post-event analysis that aided risk evaluations and the company’s investment decisions.

  • Reduction of duplication of resources and investments.


Conclusion

Companies and governments aim to deliver an effective service, but that is compromised when an organization is not capable of managing unforeseen incidents or threats to its business. “In today’s world, those threats are multiplying, and global interconnectedness means that each threat can do far greater damage than before in unexpected ways,” said Gazzini.

This emerging scenario is prompting executives and government leaders to take a fresh look at their ability to identify and mitigate risks. They realize that traditional security approaches are not suited to dealing with these threats in an increasingly digital world. As a result, they are embracing organizational resilience by building the functional capabilities, enabling factors, and governance capabilities required to dramatically improve their ability to weather even the greatest systemic shocks. The business assurance approach lets executives know that whatever may come, their organization will have an answer.