Emerging Threats And Countermeasures

/in /by

Chapter 10 discusses situational awareness. Much of the security efforts of the past have been centered around prevention and protection. The increasing sophistication of cyber attacks have shown that no controls are 100% effective, and some compromises do occur. There is a rising realization that in addition to considering prevention and protection, controls that address detection and response are necessary to improve security posture. Please describe how situational awareness is a driver for detection and response controls.

As indicated above, describe how situational awareness is a driver for detection and response controls.

350 words APA format

Cyber At tacks

 

 

“Dr. Amoroso’s fi fth book Cyber Attacks: Protecting National Infrastructure outlines the chal- lenges of protecting our nation’s infrastructure from cyber attack using security techniques established to protect much smaller and less complex environments. He proposes a brand new type of national infrastructure protection methodology and outlines a strategy presented as a series of ten basic design and operations principles ranging from deception to response. The bulk of the text covers each of these principles in technical detail. While several of these principles would be daunting to implement and practice they provide the fi rst clear and con- cise framework for discussion of this critical challenge. This text is thought-provoking and should be a ‘must read’ for anyone concerned with cybersecurity in the private or government sector.”

— Clayton W. Naeve, Ph.D. , Senior Vice President and Chief Information Offi cer,

Endowed Chair in Bioinformatics, St. Jude Children’s Research Hospital,

Memphis, TN

“Dr. Ed Amoroso reveals in plain English the threats and weaknesses of our critical infra- structure balanced against practices that reduce the exposures. This is an excellent guide to the understanding of the cyber-scape that the security professional navigates. The book takes complex concepts of security and simplifi es it into coherent and simple to understand concepts.”

— Arnold Felberbaum , Chief IT Security & Compliance Offi cer,

Reed Elsevier

“The national infrastructure, which is now vital to communication, commerce and entertain- ment in everyday life, is highly vulnerable to malicious attacks and terrorist threats. Today, it is possible for botnets to penetrate millions of computers around the world in few minutes, and to attack the valuable national infrastructure.

“As the New York Times reported, the growing number of threats by botnets suggests that this cyber security issue has become a serious problem, and we are losing the war against these attacks.

“While computer security technologies will be useful for network systems, the reality tells us that this conventional approach is not effective enough for the complex, large-scale national infrastructure. “Not only does the author provide comprehensive methodologies based on 25 years of expe- rience in cyber security at AT&T, but he also suggests ‘security through obscurity,’ which attempts to use secrecy to provide security.”

— Byeong Gi Lee , President, IEEE Communications Society, and

Commissioner of the Korea Communications Commission (KCC)

 

 

Cyber At tacks Protecting National Infrastructure

Edward G. Amoroso

 

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO

SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Butterworth-Heinemann is an imprint of Elsevier

 

 

Acquiring Editor: Pam Chester Development Editor: Gregory Chalson Project Manager: Paul Gottehrer Designer: Alisa Andreola

Butterworth-Heinemann is an imprint of Elsevier 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

© 2011 Elsevier Inc. All rights reserved

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions .

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices Knowledge and best practice in this fi eld are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data Amoroso, Edward G. Cyber attacks : protecting national infrastructure / Edward Amoroso. p. cm. Includes index. ISBN 978-0-12-384917-5 1. Cyberterrorism—United States—Prevention. 2. Computer security—United States. 3. National security—United States. I. Title. HV6773.2.A47 2011 363.325�90046780973—dc22 2010040626

British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library.

Printed in the United States of America 10 11 12 13 14 10 9 8 7 6 5 4 3 2 1

 

For information on all BH publications visit our website at www.elsevierdirect.com/security

 

 

CONTENTS v

CONTENTS Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 National Cyber Threats, Vulnerabilities, and Attacks . . . . . . . . . . . . . . . . 4 Botnet Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 National Cyber Security Methodology Components . . . . . . . . . . . . . . . 9 Deception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Consistency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Discretion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Implementing the Principles Nationally . . . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 2 Deception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Scanning Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Deliberately Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Discovery Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Deceptive Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Exploitation Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Procurement Tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Exposing Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Interfaces Between Humans and Computers . . . . . . . . . . . . . . . . . . . . 47 National Deception Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

 

 

vi CONTENTS

Chapter 3 Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 What Is Separation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Functional Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 National Infrastructure Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 DDOS Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 SCADA Separation Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Physical Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Insider Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Asset Separation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Multilevel Security (MLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Chapter 4 Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Diversity and Worm Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Desktop Computer System Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Diversity Paradox of Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . 80 Network Technology Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Physical Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 National Diversity Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Chapter 5 Commonality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Meaningful Best Practices for Infrastructure Protection . . . . . . . . . . . . 92 Locally Relevant and Appropriate Security Policy . . . . . . . . . . . . . . . . 95 Culture of Security Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Infrastructure Simplifi cation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Certifi cation and Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Career Path and Reward Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Responsible Past Security Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 National Commonality Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Chapter 6 Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Effectiveness of Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Layered Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Layered E-Mail Virus and Spam Protection . . . . . . . . . . . . . . . . . . . . . . 119

 

 

CONTENTS vii

Layered Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Layered Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Layered Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 National Program of Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Chapter 7 Discretion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Trusted Computing Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Security Through Obscurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Information Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Obscurity Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Organizational Compartments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 National Discretion Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Chapter 8 Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Collecting Network Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Collecting System Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Security Information and Event Management . . . . . . . . . . . . . . . . . . 154 Large-Scale Trending . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Tracking a Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 National Collection Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Chapter 9 Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Conventional Security Correlation Methods . . . . . . . . . . . . . . . . . . . . 167 Quality and Reliability Issues in Data Correlation . . . . . . . . . . . . . . . . 169 Correlating Data to Detect a Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Correlating Data to Detect a Botnet . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Large-Scale Correlation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 National Correlation Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Chapter 10 Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Detecting Infrastructure Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Managing Vulnerability Information . . . . . . . . . . . . . . . . . . . . . . . . . . 184

 

 

viii CONTENTS

Cyber Security Intelligence Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Risk Management Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Security Operations Centers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 National Awareness Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Chapter 11 Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Pre- Versus Post-Attack Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Indications and Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Incident Response Teams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Law Enforcement Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 National Response Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Appendix Sample National Infrastructure Protection Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Sample Deception Requirements (Chapter 2) . . . . . . . . . . . . . . . . . . . 208 Sample Separation Requirements (Chapter 3) . . . . . . . . . . . . . . . . . . 209 Sample Diversity Requirements (Chapter 4) . . . . . . . . . . . . . . . . . . . . . 211 Sample Commonality Requirements (Chapter 5) . . . . . . . . . . . . . . . . 212 Sample Depth Requirements (Chapter 6) . . . . . . . . . . . . . . . . . . . . . . 213 Sample Discretion Requirements (Chapter 7) . . . . . . . . . . . . . . . . . . . 214 Sample Collection Requirements (Chapter 8) . . . . . . . . . . . . . . . . . . . 214 Sample Correlation Requirements (Chapter 9) . . . . . . . . . . . . . . . . . . 215 Sample Awareness Requirements (Chapter 10) . . . . . . . . . . . . . . . . . 216 Sample Response Requirements (Chapter 11) . . . . . . . . . . . . . . . . . . 216

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

 

 

PREFACE ix

PREFACE

Man did not enter into society to become worse than he was before, nor to have fewer rights than he had before, but to have those rights better secured.

Thomas Paine in Common Sense

 

Before you invest any of your time with this book, please take a moment and look over the following points. They outline my basic philosophy of national infrastructure security. I think that your reaction to these points will give you a pretty good idea of what your reaction will be to the book. 1. Citizens of free nations cannot hope to express or enjoy

their freedoms if basic security protections are not provided. Security does not suppress freedom—it makes freedom possible.

2. In virtually every modern nation, computers and networks power critical infrastructure elements. As a result, cyber attackers can use computers and networks to damage or ruin the infrastructures that citizens rely on.

3. Security protections, such as those in security books, were designed for small-scale environments such as enterprise computing environments. These protections do not extrapo- late to the protection of massively complex infrastructure.

4. Effective national cyber protections will be driven largely by cooperation and coordination between commercial, indus- trial, and government organizations. Thus, organizational management issues will be as important to national defense as technical issues.

5. Security is a process of risk reduction, not risk removal. Therefore, concrete steps can and should be taken to reduce, but not remove, the risk of cyber attack to national infrastructure.

6. The current risk of catastrophic cyber attack to national infra- structure must be viewed as extremely high, by any realistic measure. Taking little or no action to reduce this risk would be a foolish national decision. The chapters of this book are organized around ten basic

principles that will reduce the risk of cyber attack to national infrastructure in a substantive manner. They are driven by

 

 

x PREFACE

experiences gained managing the security of one of the largest, most complex infrastructures in the world, by years of learning from various commercial and government organizations, and by years of interaction with students and academic researchers in the security fi eld. They are also driven by personal experiences dealing with a wide range of successful and unsuccessful cyber attacks, including ones directed at infrastructure of considerable value. The implementation of the ten principles in this book will require national resolve and changes to the way computing and networking elements are designed, built, and operated in the context of national infrastructure. My hope is that the sugges- tions offered in these pages will make this process easier.

 

 

ACKNOWLEDGMENT xi

ACKNOWLEDGMENT

The cyber security experts in the AT&T Chief Security Offi ce, my colleagues across AT&T Labs and the AT&T Chief Technology Offi ce, my colleagues across the entire AT&T business, and my graduate and undergraduate students in the Computer Science Department at the Stevens Institute of Technology, have had a profound impact on my thinking and on the contents of this book. In addition, many prominent enterprise customers of AT&T with whom I’ve had the pleasure of serving, especially those in the United States Federal Government, have been great infl uencers in the preparation of this material.

I’d also like to extend a great thanks to my wife Lee, daugh- ter Stephanie (17), son Matthew (15), and daughter Alicia (9) for their collective patience with my busy schedule.

Edward G. Amoroso Florham Park, NJ September 2010

 

 

This page intentionally left blank

 

 

1 Cyber Attacks. DOI: © Elsevier Inc. All rights reserved.

10.1016/B978-0-12-384917-5.00001-9 2011

INTRODUCTION Somewhere in his writings—and I regret having forgotten where— John Von Neumann draws attention to what seemed to him a contrast. He remarked that for simple mechanisms it is often easier to describe how they work than what they do, while for more complicated mechanisms it was usually the other way round .

Edsger W. Dijkstra 1

National infrastructure refers to the complex, underlying delivery and support systems for all large-scale services considered abso- lutely essential to a nation. These services include emergency response, law enforcement databases, supervisory control and data acquisition (SCADA) systems, power control networks, mili- tary support services, consumer entertainment systems, fi nancial applications, and mobile telecommunications. Some national services are provided directly by government, but most are pro- vided by commercial groups such as Internet service provid- ers, airlines, and banks. In addition, certain services considered essential to one nation might include infrastructure support that is controlled by organizations from another nation. This global interdependency is consistent with the trends referred to collec- tively by Thomas Friedman as a “fl at world.” 2

National infrastructure, especially in the United States, has always been vulnerable to malicious physical attacks such as equipment tampering, cable cuts, facility bombing, and asset theft. The events of September 11, 2001, for example, are the most prominent and recent instance of a massive physical attack directed at national infrastructure. During the past couple of decades, however, vast portions of national infrastructure have become reliant on software, computers, and networks. This reli- ance typically includes remote access, often over the Internet, to

1

1 E.W. Dijkstra, Selected Writings on Computing: A Personal Perspective , Springer-Verlag, New York, 1982, pp. 212–213. 2 T. Friedman, The World Is Flat: A Brief History of the Twenty-First Century , Farrar, Straus, and Giroux, New York, 2007. (Friedman provides a useful economic backdrop to the global aspect of the cyber attack trends suggested in this chapter.)

 

 

2 Chapter 1 INTRODUCTION

the systems that control national services. Adversaries thus can initiate cyber attacks on infrastructure using worms, viruses, leaks, and the like. These attacks indirectly target national infra- structure through their associated automated controls systems (see Figure 1.1 ).

A seemingly obvious approach to dealing with this national cyber threat would involve the use of well-known computer security techniques. After all, computer security has matured substantially in the past couple of decades, and considerable expertise now exists on how to protect software, computers, and networks. In such a national scheme, safeguards such as fi re- walls, intrusion detection systems, antivirus software, passwords, scanners, audit trails, and encryption would be directly embed- ded into infrastructure, just as they are currently in small-scale environments. These national security systems would be con- nected to a centralized threat management system, and inci- dent response would follow a familiar sort of enterprise process. Furthermore, to ensure security policy compliance, one would expect the usual programs of end-user awareness, security train- ing, and third-party audit to be directed toward the people build- ing and operating national infrastructure. Virtually every national infrastructure protection initiative proposed to date has followed this seemingly straightforward path. 3

While well-known computer security techniques will certainly be useful for national infrastructure, most practical experience to date suggests that this conventional approach will not be suf- fi cient. A primary reason is the size, scale, and scope inherent in complex national infrastructure. For example, where an enter- prise might involve manageably sized assets, national infrastruc- ture will require unusually powerful computing support with the ability to handle enormous volumes of data. Such volumes

Indirect Cyber Attacks

Direct Physical Attacks

“Worms, Viruses, Leaks”

“Tampering, Cuts,

Bombs”

National Infrastructure

Automated Control

Software

Computers

Networks

Figure 1.1 National infrastructure cyber and physical attacks.

3 Executive Offi ce of the President, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure , U.S. White House, Washingto

ABM-Based Gaming Simulation For Policy Making

/in /by

Chapter 13 discussed managing complex systems and chapter 15 introduced the advantages of visual decision support. Discuss how you would combine the two concepts to create visualizations for an ABM-Based Gaming simulation for policy making. First, describe what specific policy you’re trying to create. Let’s stick with the SmartCity scenario. Describe a specific policy (that you haven’t used before), and how you plan to use ABM-Based Gaming to build a model for simulate the effects of the policy. Then, describe what type of visualization technique you’ll use to make the model more accessible. Use figure 15.9 and describe what data a new column for your policy would contain.

To complete this assignment, you must do the following:

A) Create a new thread. As indicated above, discuss how you would combine the two concepts to create visualizations for an ABM-Based Gaming simulation for policy making. First, describe what specific policy you’re trying to create. Let’s stick with the SmartCity scenario. Describe a specific policy (that you haven’t used before), and how you plan to use ABM-Based Gaming to build a model for simulate the effects of the policy. Then, describe what type of visualization technique you’ll use to make the model more accessible. Use figure 15.9 and describe what data a new column for your policy would contain.

ITS 832 CHAPTER 15 VISUAL DECISION SUPPORT FOR POLICY MAKING: ADVANCING POLICY ANALYSIS

WITH VISUALIZATION

INFORMATION TECHNOLOGY IN A GLOBAL ECONOMY

DR. JORDON SHAW

 

 

INTRODUCTION

• Background

• Approach

• Case Studies • Optimization

• Social Simulation

• Urban Planning

• Conclusion

 

 

BACKGROUND

• Assessing policy options for societal problems is difficult

• Decision making methods • Data driven

• Model driven

• Visual decision supports helps in evaluating model output

• Information visualization and visual analytics • Makes complex results accessible to many

• Policy analysis • Part of process aimed at solving societal problems

 

 

DATA VISUALIZATION

 

 

POLICY CYCLE

 

 

APPROACH

• Characterization of stakeholders • Policy makers • Policy analysts • Modeling experts • Domain experts

• Public stakeholders

• Bridging knowledge gaps • With information visualization (IV) • Cohesive view of model representation

 

 

VISUAL SUPPORT FOR POLICY ANALYSIS

 

 

APPROACH, CONT’D.

• Synergy effects of applying IV to policy analysis

• Communication – facilitated

• Complexity – reduced

• Subjectivity – reduced

• Validation – improved

• Transparency and reproducibility of results – increased

 

 

CASE STUDIES

• Optimization • Optimization of regional energy plans considering impacts

• Environmental

• Economical

• Social

• Social Simulation • Simulation of the impact of different policy instruments on the adoption of photovoltaic (PV) panels by

homeowners

• Urban planning • Integration of heterogenous data sources in planning activities

 

 

SUMMARY OF CASE STUDIES

 

 

CONCLUSION

• Current model output is often difficult to understand • Not accessible for non-specialists

• Information visualization (IV) • Makes model output more accessible

• This paper applies IV to policy analysis

• Contributions • Defined collaborations

• Identified hurdles

• Defined interface methodology

What Was The Challenge Presented And Some Strengths And Weakness In The Risk Management Approaches.

/in /by

This week’s chapter readings focused on four mini-case studies with unique challenges presented that are highly relevant in the context of ERM.  Provide a brief summary of each of the four case studies by discussing for each case what was the challenge presented and some strengths and weakness in the risk management approaches. Conclude your discussion, based on the case study from chapter 29 “Transforming Risk Management at Akawini Copper”, by providing your thoughts on risk management transformations, specifically discussing  how we can monitor risk transformation progress and performance.

To complete this assignment, you must do the following:
A) Create a new thread.  Provide a brief summary of each of the four case studies by discussing for each case what was the challenge presented and some strengths and weakness in the approaches. Conclude your discussion, based on the case study from chapter 29 “Transforming Risk Management at Akawini Copper”, by providing your thoughts on risk management transformations, specifically discussing how we can monitor risk transformation progress and performance.

CHAPTER 26  Bim Consultants Inc.

JOHN R.S. FRASER

Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.

Bim Consultants Inc. is a medium-sized consulting firm. It is a corporation with 30 partners who own most of the shares. It has 10 offices across Canada with 3,000 staff, and has been in business for 30 years. Senior staff also own shares and participate in an annual bonus scheme. Salaries are generally on the low side, but bonuses in good years can be quite high. The balance sheet is sound (see Exhibit 26.1).

Bim Consultants Inc.
Summary Balance Sheet
As of December 31, 2014
  2014 2013
Year ended December 31 (Canadian dollars in millions) $ $
Current Assets    
Cash and Short-Term Investments 12 7
Accounts Receivable 175 168
  187 175
Current Liabilities    
Accounts Payable 34 27
Short-Term Loans 100 110
  134 137
Working Capital 53 38
Fixed Assets    
Leasehold Improvements 196 178
Furniture and Equipment 100 94
Less Accumulated Depreciation & Amortization (153) (128)
  143 144
Net Assets 196 181
Share Capital    
Common Shares 100 100
Retained Earnings 96 81
  196 181

Exhibit 26.1  Bim Consultants Balance Sheet

The company has always prided itself on its customer focus. “Customers are number one” has been the mantra from the chairman, Mr. Smooth, for many years. Recently, however, revenue has been stagnant, and the younger partners are getting restless, wondering if the older partners have lost their edge and whether changes are needed to return to the glory days of large bonuses.

At a recent strategic planning meeting of the major partners, the decision was made to continue focusing on customers as number one, but also to explore how to increase revenue from within the existing clientele and to explore what additional services could be provided to enrich the client experience (and revenues). It was agreed that the strength of the firm was in its blue-chip client base and that this high-quality reputation was worth preserving. Some discussions were also held around the idea of selling a minority share of the company at a large multiple, if such a deal was identified. Bim Consultants’ profit and loss and retained earnings are provided in Exhibit 26.2.

Bim Consultants Inc.
Summary Profit and Loss and Retained Earnings
For the Year Ended December 31, 2014
  2014 2013
Year ended December 31 (Canadian dollars in millions) $ $
Revenue 300 290
Expenses    
Salaries 220 207
Other 20 18
Net Profit before Income Tax 60 65
Income Tax Provision 27 29
Net Income after Tax 33 36
Retained Earnings—Beginning of Year 81 65
  114 101
Dividends 18 20
Retained Earnings—End of Year 96 81

Exhibit 26.2  Bim Consultants Profit and Loss and Retained Earnings

Earlier this week, the chairman received a call from the president of the Canadian subsidiary of a U.S.–owned competitor, Bravado International, saying that Bravado was pulling out of Canada and would consider an offer to sell the subsidiary to Bim Consultants Inc. The Bravado subsidiary had 12 offices across Canada and just over 3,500 staff, but had often drawn on its U.S. resources when required for large engagements.

The chairman called an executive meeting and pointed out that making such a purchase would double sales, catapult Bim Consulting into the number one position in major markets in Canada, and provide a strong marketing thrust into previously untapped midtier markets. Based primarily on the persuasiveness of the chairman, the executive committee approved proceeding with the negotiations.

The president of the Bravado subsidiary cautioned Mr. Smooth that it was imperative not to have word of the negotiations leak out, as this could lead to a loss of key staff and possibly clients. Accordingly, he urged Mr. Smooth not to do the normal due diligence in the subsidiary’s offices but to review the necessary records and meet with select senior executives of Bravado at an off-site location. This process seemed to work well, and the Bravado executives were well prepared and very likable. All the information checked out, and the way seemed clear to do a deal.

QUESTIONS

1. What is your assessment of the situation?

2. What advice would you provide to the board of Bim Consultants?

3. What pitfalls should they be concerned with?

ABOUT THE CONTRIBUTOR

John R.S. Fraser is the Senior Vice President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., one of North America’s largest electricity transmission and distribution companies. He is a Fellow of the Ontario Institute of Chartered Accountants, a Fellow of the Association of Chartered Certified Accountants (UK), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years’ experience in the risk and control field, mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environment, computers, and operations. In addition to this book, he also served as editor on Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (John Wiley & Sons, 2010).

 

 

 

 

 

CHAPTER 27  Nerds Galore

ROB QUAIL, BASC

Director, Enterprise Risk Management, Hydro One Networks Inc.

Nerds Galore (NG) is a Canadian service company with 1,000 employees working out of offices in 12 Canadian cities; the head office is in Edmonton, Alberta. NG provides full-service information technology (IT) support to small and medium-sized Canadian businesses, including help desk, on-site troubleshooting, security, network setup and support, backup services, wireless networks, hardware and software procurement, and website design and hosting solutions.

Nerds Galore was formed in 2000 in the garage of its founder, Jeeves Stobes. NG has enjoyed strong growth in its segment and has an excellent reputation with its customers. In the beginning, NG focused on a particular customer subsegment, small start-up businesses, especially on low-tech businesses such as boutique services. Lately its strategy has shifted more to midsize customers (which have deeper pockets and less chance of going broke) with more sophisticated technology needs.

Recently there have been problems for NG.

There has been steady decline in customer satisfaction, as shown in Exhibit 27.1.

images

Exhibit 27.1  Nerds Galore Customer Satisfaction

Following a thorough investigation and follow-up with many of NG’s key customers, the Executive Team has concluded that the main cause of this has been high internal staff turnover, leading to gaps in customer services and service continuity.

Indeed, staff retention has been an issue, as shown in Exhibit 27.2.

images

Exhibit 27.2  Nerds Galore Employee Turnover

To continue to provide strong customer service, it is critical that team members are competent in the latest technology, and yet turnover has approached 20 percent in three recent years. This is a particular problem for NG because of its high focus on customer service; new staff receive extensive and costly training in NG’s customer service and cross-selling approaches. The company’s pay package is competitive but not at the very top; instead NG uses its reputation for excellent customer relationship and staff development to attract motivated staff. Note that it’s well known that one of NG’s competitors was recently raided by a large systems integration firm and lost most of its network management technical staff in a single quarter. NG has been having a particularly difficult time retaining staff in the larger urban centers and other technology hubs in Canada where there are more competitors and the competitors generally pay more.

Despite the fact that customer satisfaction has been declining, the Executive Team did note that revenue numbers have not suffered; in fact, they have continued to climb year over year, as shown in Exhibit 27.3. It was concluded that this lack of a drop in revenues is due to two factors:

1. Many current customers have multiyear contracts with Nerds Galore.

2. Very small businesses that have made up the bulk of NG’s customer base are generally tolerant of minor service hitches and less focused on optimal technology performance.

images

Exhibit 27.3  Nerds Galore Financial Performance

Recently, the company suffered a major shock when one of its employees was killed in a head-on car crash while rushing to a customer site during a snowstorm in Rimouski, Quebec. The employee who was killed was a well-known and much admired member of the team, and many staff thought at the time that NG’s Executive Team didn’t respond properly to this event. In fact, the Globe and Mail ran a story on workplace tragedy and its impact on morale and used Nerds Galore as a case study on how notto manage sudden trauma, and, while the company’s customers didn’t seem to notice, NG did experience a sudden jump in staff departures and some difficulty in recruiting replacements.

Also, there is a sense that staff efficiency is not what it should be; in particular, scheduling technicians for on-site technical work has been a problem. Small business customers tend to have diverse and unique technology needs, and finding specialists who can work in multiple areas such as network support and voice over Internet Protocol (VoIP) while working with a single customer is difficult; most of the propeller-heads (as NG affectionately terms its technicians) are specialists in a few areas, and the company has found that its specialists are spending a lot of time behind the wheel traveling from site to site dealing with point solutions to individual technical problems. NG’s founder and CEO, Jeeves Stobes, freely admits that the company’s own internal technology has not really kept pace with the growth of the company. NG lacks a customer/account management program and relies on whiteboards and e-mail managed by the company’s small core of four senior work schedulers (long-service employees who work out of a war room in Edmonton and know the company’s customers and staff well) to schedule employees to customer sites. In addition, while the company has placed a premium on developing staff, this has been through informal mentoring and apprenticeships rather than formal development based on identified customer needs, and this approach has been difficult to sustain given the scrambles created by sudden staff departures.

As shown in Exhibit 27.4, CEO Stobes has set targets of 15 percent revenue growth year over year (which is close to recent rates of growth) and a net income target of 15 percent of annual revenues, which will be a stretch (recent years have yielded margins of 8 to 10 percent). Stobes has set a target of 95 percent customer satisfaction going forward.

  Actual Targets
  2013 2014 2015 2016 2017 2018    
Revenues ($M) (target is 15% year-over-year growth) 100 115 132 152 175 201    
Net Income ($M) (target is 15% of revenues) 10 17 20 23 26 30    
Customer Satisfaction (% “very satisfied”) (target is 95%) 83 95 95 95 95 95    
Staff levels 1,000 1,100 1,200 1,300 1,400 1,500    

Exhibit 27.4  Strategic Targets

Gil Bates, NG’s vice president of human resources (HR), recently recruited from the competitor Propell-O-Rama, is concerned about not only the employee turnover rates but HR management in general. He has come forward with a five-point strategy for improved HR management, but has encountered stiff resistance from the rest of the Executive Team. The strategy is:

1. Attract the best talent. Do this by offering a positive and flexible work environment with flexible hours and a work-at-home culture.

2. Retain good people. Do this by offering employee recognition programs, providing multiskilling/cross-training (which will have the added benefit of greater customer satisfaction), and ensuring that compensation stays at or near the 75th percentile of competitors or comparators.

3. Manage talent. Put in place a formal talent management program so that high-potential employees are identified, developed, and mentored.

4. Optimize the use of people. Do this by purchasing and implementing a fully integrated customer management and workforce management tool, to allow greater scheduling and tracking of employee effort on customer accounts.

5. Rely on outsourcers to handle overflow of business requests that have highly volatile work volumes, or in areas where retaining internal capability and know-how is prohibitively expensive.

At a management discussion, it was agreed that the Executive Team would meet for a risk workshop to explore the following HR-related risks and to help the exectives evaluate the situation and decide on whether to invest in Bates’s strategy:

· Inability to recruit people with needed skills

· Loss of staff with key internal knowledge

· Uncompetitive labor productivity

· Increased departures of skilled technical staff

· Loss of key business know-how

QUESTIONS

1. This is a relatively brief case study, yet the problems faced are quite complex. In your workshop, how did you handle uncertainty in the information you have been given and how does this translate into real-world workshops where not all the answers can necessarily be given at the table?

2. What were some of the risk sources that emerged repeatedly in evaluating the risks? How is this helpful?

3. How would this risk assessment aid in the decision on whether or not to proceed with the new HR strategy?

ABOUT THE CONTRIBUTOR

Rob Quail, BASc, is Director of Enterprise Risk Management at Hydro One Networks Inc. Rob has had a leadership role in enterprise risk management (ERM) at Hydro One since 2000, and developed much of Hydro One’s pioneering ERM methodology. He has successfully applied ERM techniques to a diverse range of business problems and decisions, including annual business and investment planning; major transformational, infrastructure, customer, and technology projects, as well as acquisitions, partnerships, divestitures, downsizing, and outsourcing. Rob was a contributing author to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, edited by John Fraser and Betty J. Simkins (John Wiley & Sons, 2010), and is guest lecturer for the Schulich School of Business Masters Certificate in Business Performance and Risk Management program at York University, Toronto. He is a popular speaker at risk management conferences, and performs as a musician in clubs in the Toronto area in his spare time. He is an industrial engineering graduate of the University of Toronto.

 

 

 

 

 

CHAPTER 28  The Reluctant General Counsel

NORMAN D. MARKS, CPA, CRMA

Fellow of the Open Compliance and Ethics Group, and Honorary Fellow of the Institute of Risk Management

Business Software Corporation (BSC) is a global software company headquartered in the Silicon Valley of California, with annual revenues of over $1 billion. It is listed on major North American stock exchanges. The head of the Internal Audit function, Jason Garnelas, has been asked by the board to lead the establishment of an enterprise risk management (ERM) function. Top management, led by the chief executive officer (CEO), John Black, and the chief financial officer (CFO), Jim Toll, have indicated their support for this important initiative. The plan is for Jason to run the program for the first year, at which point management and the board will consider whether it is necessary and appropriate to hire a full-time risk officer.

Jason is grateful for the support of both the board and top management, because it is unusual for an entrepreneurial technology company to recognize the value of risk management and dedicate both time and resources to its implementation. In fact, at a meeting of the executive leadership, John Black explains that he holds his direct reports individually and collectively responsible for the management of risks to the business. He sees the role of the risk officer, currently Jason Garnelas on a part-time basis, as a facilitator to the leadership team. Jason will lead the development of a framework and process, and will facilitate the identification, assessment, and treatment of risk, but all decisions are a management responsibility.

Jason holds a series of one-on-one meetings with each of the CEO’s and CFO’s direct reports to understand, with them, the more significant risks to the organization. Most of them engage actively and with energy into the discussions, as they can see that the process will contribute to their and the company’s success. Due to their travels, Jason is initially unable to meet with the executive vice president (EVP) of development (responsible for all the software developers) and the general counsel. But he is able to develop a preliminary list and assessment of the more significant areas.

The preliminary assessment is reviewed with the executive leadership team, and the CEO expresses his appreciation for the work that has been performed, but he is concerned that several of his direct reports identified the same areas of risk with significantly different evaluations of both potential impact and likelihood. He decides to assign each area of risk to individual executives who will own them and be responsible not only for monitoring the risk levels and assessing the potential impact and likelihood, but also for ensuring that actions are taken as and when necessary to bring the risk levels in line with acceptable limits established by the CEO and the board.

As everybody leaves the meeting, Jason chats briefly with the EVP of development and the general counsel, George French. The EVP quickly agrees to meet later in the week for an hour to review the risks in his assigned areas. But the general counsel asks Jason to step into his office.

The general counsel tells Jason that while he agrees that a risk management program is fine in theory, he has strong reservations. His concerns fall into two general areas.

First, the company, like every technology company, is routinely engaged in multiple lawsuits. Some lawsuits, particularly those concerned with the protection of intellectual property, involve potential settlements in the hundreds of millions of dollars—both in favor of and against BSC. These lawsuits have been identified as areas of risk that should be addressed by the new risk management program, but any formal assessment is discoverable by the opposition attorneys and could be used against BSC both in negotiations and at trial.

George understands that Jason needs his and his team’s input to identify the potential impact of both favorable and adverse results to current and future lawsuits, and the likelihood of those results. But, because of the risk to the company that would be created by a formal risk assessment of the lawsuits, he has decided he cannot participate.

Second, BSC is listed on some U.S. exchanges and is subject to all U.S. Securities and Exchange Commission (SEC) filing requirements. The quarterly and annual filings have to include a discussion of the significant risks facing the organization.

The general counsel is concerned that BSC’s competitors could gain an unnecessary advantage from a risk management program. His reading of the SEC rules is that the discussion in the filings has to be consistent with any formal discussion of risks by management and the board. So, if the internal discussion is too detailed and includes specific likelihood and potential effects for each risk area, that would lead to excessive and unnecessary disclosures to the company’s disadvantage.

George believes that participation by the legal department will constitute formal risk discussions. Discussion of risk by the rest of the management team is a normal part of running the business, but when he and his team join the discussion it raises risk management from informal discussions to a formal process that should influence the risk disclosures in the company’s SEC filings.

George tells Jason that he commends him for the initiative but cannot support it by contributing legal advice to the risk assessment and evaluation process. That should be the responsibility of the executive leadership team, with Jason’s assistance. The involvement of the legal department represents, itself, too great a risk.

QUESTIONS

1. What are Jason’s options? Can he accept a risk management program that does not involve the legal department?

2. Do you agree with George’s arguments? Are they valid?

3. How would you proceed, if you were the risk officer?

ABOUT THE CONTRIBUTOR

Norman D. Marks, CPA, CRMA has been the chief audit executive of major global corporations for more than 20 years, and is one of the most highly regarded thought leaders in the global professions of internal auditing and risk management. He has been profiled as an innovative and successful internal auditing leader, and is a Fellow of the Open Compliance and Ethics Group and an Honorary Fellow of the Institute of Risk Management. Norman has been a motivational keynote speaker at conferences around the world and across the United States. In addition, he is a prolific blogger about internal audit, risk management, governance, and compliance.

 

 

 

 

 

 

 

 

 

 

CHAPTER 29  Transforming Risk Management at Akawini Copper

GRANT PURDY

Associate Director, Broadleaf Capital International

This case study describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern, United Minerals. Akawini has a rudimentary approach to risk management (RM) that must be improved if the new owners are to realize the level of return claimed in the business case that was used to justify the acquisition. Akawini owns a single mine and concentrate plant approximately 50 kilometers from the coast. It ships the concentrate using trucks to a nearby port for export. The company earns revenue of $774 million a year from the sale of concentrate and employs a total of 1,500 people at the mine site and port.

THE ACQUISITION AND DUE DILIGENCE

United Minerals has developed and implemented a framework for managing risk based on ISO 31000 (ISO 2009). In particular, this has enabled it to properly integrate the risk management process into its approach to making decisions on major projects and investment decisions and also into the way it develops, plans, and executes projects.

During due diligence prior to the acquisition, the risk management team for United Minerals reviewed the current approach to risk management at Akawini and, from a cursory examination of documents, was able to determine that the approach was very limited and was unlikely to yield much real value. The team found, for example, that:

· A process for formal risk assessment was applied only to what were described as “business risks.” This occurred only once a year as part of a risk review that updated the current risk register so that it could be reported to an Audit Committee.

· There was a different process applied for safety risks that actually did not consider risks as such but generated a risk rating using a matrix system only for hazards.

· No systematic process for assessing and treating risks was used in support of major decisions. In particular, project management did not include any form of explicit risk management process.

· The Akawini risk manager mostly dealt with insurance matters and asked the company’s external audit provider to offer a facilitator for the annual risk review.

· The annual internal audit plan did not seem to be based on the outcomes of the risk assessment and did not focus on assuring many of the critical controls.

· The risk criteria systems used for both “business risks” and “safety risks” covered only detrimental consequences and seemed to be based on five levels of consequences and consequence types that were not associated in any meaningful way with the company’s objectives.

· Both systems used the term probability to estimate likelihood and did not consider the frequency or return period for consequences.

· In both systems, risks were analyzed incorrectly by combining the likelihood of an event with what was described as “the plausible worse-case consequences.” This produced many “extreme” risks, which were then being discounted by managers as implausible.

· Once risk registers were created on spreadsheets, they were kept on separate personal computers and were rarely considered until the next yearly review. Any risk treatment actions decided on were not followed up or closed out.

· Critical controls were not identified and were not assigned to individuals for ongoing monitoring and periodic review.

· There was no coherent process that defined and captured learnings from successes and failures.

The risk management team signaled its concerns to the acquisition team, and the need for improvement of Akawini Copper’s approach to risk management to bring it into line with ISO 31000:2009. Then, the United Minerals framework was placed on the transformation plan and given a high priority.

THE TRANSFORMATION PROCESS

Once the acquisition had been completed, the risk management team followed the stepwise process in  Exhibit 29.1  to transform the approach to risk management at Akawini.

images

Exhibit 29.1  Risk Management Transformation Process Steps

The starting point was a structured analysis of Akawini’s current approach to managing risks, to identify where changes had to be made and then to assign a priority to particular tasks. This was conducted in two parts:

1. A full desk-based review of Akawini’s risk management documentation

2. A complementary set of interviews with Akawini management

The second activity was particularly important because it was the experience of the United Mineral risk management team that it was vital to observe and review how risk management takes place in practice. This was particularly true if there might be any discontinuity of practice across Akawini or inconsistent processes and systems. It was also important to test out Akawini management’s perceptions of the current approach to risk management to see if it was currently viewed as effective and if managers perceived it as likely to satisfy their future needs.

The risk management team conducted a series of structured interviews with senior management from Akawini so that the team could draw objective conclusions on:

· The suitability of the current approach to manage risk associated with an organization of the size and complexity of Akawini, its risk profile, 1  and its risk attitude 2

· The drivers of that attitude, based on what were recognized as the key success factors and growth objectives for the organization

· The perceived usefulness of the current risk management process and its degree of integration into key decision-making processes

· The strengths and limitations of the other risk-type specific approaches to risk management that coexisted in the company 3 —specifically, whether the tools and methods currently being used were capable of providing Akawini with a current, correct, and comprehensive understanding of its risks and informing it whether the risks were within its risk criteria 4

· The level of understanding of senior management about aspects of the risk management culture

· An outline of the perceived risk profile of Akawini and whether this varied from that reported to the board in the past

Questions asked included:

· What is your definition of risk? How, in your view, do risk and its management relate to the company’s objectives?

· What is the purpose of risk assessment? How often should risk assessment take place? What triggers it in your area?

· As a practical matter, how do you gain assurance that the critical controls that your part of the company relies on are in place, are effective, and work when required?

The risk management team members consolidated their findings and compared them with the elements of the existing United Minerals risk management framework and the requirements of ISO 31000. They particularly mapped what they found by comparing it with the principles for effective risk management in Clause 3 and the attributes in Annex A of the Standard.

GAINING SENIOR MANAGEMENT OWNERSHIP FOR TRANSFORMATION

For effective management, it was regarded as critical that senior management at Akawini appreciated and could comment on and contribute to the findings and conclusion of the review so that this would lead to ownership of the transformation plan. The risk management team therefore presented its findings and recommendations at a meeting with senior managers that covered:

· Fundamentals of risk and best practice risk management

· Overall findings and assessment of the benchmarking review

· Suggested improvements and enhancement strategies

· Draft enhancement plan

The risk management team elicited feedback and acceptance of the conditions it found and prompted a discussion on the desired situation. In this way the team helped managers identify what needed to change. The diagram of the desired framework architecture given in  Figure 29.2  was used to demonstrate the strengths and weaknesses in the current approach.

images

Exhibit 29.2  Desired Framework Architecture

✓ Indicates that the element is present and effective, □ means that it is not present or is ineffective.

To demonstrate the desired outcomes, the risk management team explained that the primary purpose of risk management in United Minerals was to act in a dynamic fashion to support decisions and that the company framework had been designed to ensure that:

· Assumptions and preconceptions were properly challenged before decisions could be made.

· Appropriate actions were then taken to reduce the uncertainty that objectives would be achieved.

· Early warnings were provided if key controls were not in place or were not fully effective, so that preemptive action could be taken.

· The organization learned in a systematic way from its successes and failures, at a fundamental level so that learnings would lead to lasting changes.

To help the organization as a whole improve its ability to manage risk, the company had adopted 10 performance requirements that it called its “standards.” These were, in outline:

1. The risk management process will be integrated into all key decision making processes.

2. The risk management process will be integrated into strategic, business, and project planning processes.

3. Key controls will be identified and allocated to owners for monitoring.

4. After every major decision, event, or change or at the conclusion of all plans, the organization will learn lessons from successes and failures using root cause analysis.

5. The same, consistent methodology will be used for analyzing risks and for evaluating control effectiveness.

6. The significance of risks will be evaluated using one set of risk criteria.

7. Viable options for treating risks will always be considered, and those options will be implemented where there is a net benefit to the business.

8. Accountability for managing risk will be allocated in a manner that is fully consistent with the management of the business and with the delegations of authority system.

9. Only one database system will be used to hold and manage all forms of risk management information.

10. Sites will plan how they will implement these standards and will report on the progress with this implementation and the effectiveness of risk management as part of the company’s governance processes.

THE TRANSFORMATION PLAN

The Akawini management team was then encouraged to discuss and compare options and to suggest major actions for the enhancement plan. The actions were allocated to members of the management team, and completion dates were agreed. These agreements were recorded and became the risk management plan that described the transformation process for managing risk at the sites. The management team was also asked to commit on a review and reporting process for the transformation plan.

QUESTIONS

1. If you were conducting interviews of the Akawini management team so that you could draw objective conclusions for the review described in the chapter, what questions would you ask?

2. What would you expect to see in the first year risk management transformation plan? What would be the typical tasks?

3. You have been asked to advise the Akawini management team on how they should promote and monitor the transformation of risk management in their business. What performance measures would you recommend they use so that they can monitor progress and performance?

NOTES

1  A risk profile is a description of a set of risks. In this case, it is that which represents the major risks the company faces. 2  The term risk attitude (defined as the organization’s approach to assess and eventually pursue, retain, take, or turn away from risk) is used in ISO 31000 rather than the term risk appetite for two reasons—it is a wider term (risk appetite is defined in ISO Guide 73 as the amount and type of risk that an organization is willing to pursue or retain) and also translates better into some other languages, a necessary consideration in the drafting of ISO 31000. 3  These are the outcome tests for effective risk management given in Annex A of ISO 31000. 4  Risk criteria provide both the means to determine and express the magnitude of risk, and to judge its significance against predetermined levels of concern. They comprise internal procedural rules selected by the organization for analyzing and then evaluating the significance of risk, and are also used when selecting between potential risk treatments.

REFERENCE

1. ISO. 2009. International Standard ISO 31000:2009, “Risk Management—Principles and Guidelines.” Geneva, Switzerland: International Organization for Standardization.

ABOUT THE CONTRIBUTOR

Grant Purdy is Associate Director, Broadleaf Capital International. He has specialized in the practical application of risk management for more than 38 years, working across a wide range of industries and in more than 25 countries. He works with many types of organizations, helping them develop and enhance ways to manage risk in support of the decisions they make. This involves mentoring, training, and giving advice, predominantly to senior managers and boards. Grant is an accomplished trainer and speaker and has had more than 100 papers, books, and articles published. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for more than 12 years and was its chair for seven. He is coauthor of the 2004 version of AS/NZS 4360 and also of AS/NZS 5050, a standard for managing disruption-related risk, and has also written many other risk management handbooks and guides. He was the nominated expert for Australia on the working group that prepared ISO 31000 and Guide 73 and subsequently head of delegation for Australia on ISO PC 262, Risk Management.

Diversity And Commonality

/in /by

Let us consider a company EnergyA that is a global leader in producing energy from diversified fuel sources for the U.S and U.K consumer markets with approximately 8.9 million electricity and gas consumers worldwide. Recently, the company’s website was under attack from a botnet titled fringe47. The company is under major scrutiny and is under pressure from several sources.

Discuss how the security principles that we learned this week Diversity and Commonality can help to prevent Botnet attacks against EnergyA.  Ensure to discuss why the concept of diversity and commonality is paradoxical Discuss the challenges that are involved in implementing diversity and commonality at the national infrastructure level.. Please provide examples to support your discussion.

 

Post deliverable length is about 250 – 300 words.  All sources should be cited according to APA guidelines.

I’ve also added the textbook for reference from chapter 4&5 Diversity and Commonality