Enterprise Risk Management—Creating an Empowered, Effective, Converged Team Through Organizational Restructure
Presented By Daniel McGarvey & James Shamess
Who we are
• Air Force Brig Gen (ret) Jim Shamess, CPP, President 5D Pro Solutions, LLC; Member, The Spectrum Group
• Defense Intelligence Senior Executive (ret) Mr. Daniel McGarvey, Director Security Programs, Global Skills Exchange Corp. (GSX)
Objectives
• Transform the convergence dream to reality—transition from skepticism and mistrust to a collaborative, cooperative culture teaming for enterprise-wide success
• Win executive support—converge the myriad of operations and processes and show the boss how you can reduce vulnerabilities and risk to critical government and industry operations
• Show how lean management business tools can convince and compel management along with the entire workforce to action
How We Will Do It
• Introduce topic and situation
• Describe implementation
• Describe automated decision support approach
• Q&A
What Is ESRM?
Enterprise security risk management (ESRM) is a holistic, integrated approach that works to identify and mitigate all the risk an organization faces, no matter what department is involved.
What Others Have Said
• ESRM’s value to the business: “It will allow us to be proactive, reduce risk, and provide a marketable ‘business differentiator’ to our customers.”
• ESRM’s value to the business: “it provides management with a consolidated, ranked view of risk to the organization and enables business cases to be made for projects, budgets, and staffing.”
• ESRM’s value to the security professional: “The outcome is that you become much more intelligent about your business and your vulnerabilities—and you’re not relying on FUD to get funding.”
• ESRM’s value to the security professional: “It was a wonderful opportunity to see how things get done in another part of the company on a routine basis.”
• ESRM’s value to the security professional: “I learned more about the way the business was run and how the thought leaders in various business units operated…I could take that experience and apply it to my career.”
So why is ESRM not a standardized expectation of management?
Situational Example
• Fragmented management security disciplines/interests
• Fragmented security policy ownership, issuance, implementation and oversight—rice bowls, stovepipes, competition, bonus, profit, reward…
• Difficult-to-measure—difficult-to-present risks and solutions meaningful to leadership
– Rely on anecdotal evidence; little industry-wide incident/impact information
– Little budgetary support in absence of crisis event
• Lack compelling historical and predictive intelligence, measurable risks and countermeasures across disciplines
• Lack an intelligence-led, risk-based analytical process and tool; lack a tool for efficient analysis of complex situations and tracking of decisions
• Lack education, training & experience in risk management
• Lack a champion at the senior level; seniors don’t understand
Oversight—Who, What and How
Oversight: the authority to monitor, review, inspect, investigate, analyze and evaluate management, operation, performance and processes
Organizational structure and leader role
• Corporate position
• Matrix
• Series of responsibilities spread among directorates
• Unknown
Current Risk Management Gaps
Executable Enterprise Security Risk Management (ESRM) process
– Lack consistent framework
– Ineffective oversight and evaluation processes
– Lack of meaningful performance measurements
Situational awareness
– Lack detailed threat and vulnerabilities analysis
– Flow of information between business units and staff is inconsistent and incomplete
– No standardized, comprehensive process for information collection, analysis, and dissemination
– Collection and dissemination of information relies on human attention and intervention—not automated
– Narrow focus—dwell on administrative compliance vice operational risk
Analysis posture
– Baseline threat characterization not available
– No comprehensive system for collection, analysis, and communication of threat and vulnerabilities—not holistic
Education and training
– Inadequate advanced education and training for analysis
An Integrated Solution
[Figure: Risk Management Convergence; elements: Management, Metrics/Infrastructure, Implementation]
Implementation
Promote Department Understanding of RM
– It’s an essential element of critical infrastructure, not overhead cost
– RM contributes to ROI determinations
– Essential to Department hierarchy of needs:
• Short/mid-term success vs. survival (achievement of vision/goals)
• Value of RM to Department health
• Need to integrate RM into all elements of Department activities
Implementation
Promote Staff’s Understanding of the Value of RM
• Department and Directorate Strategic Planning
– Align vision and goals
– Understand the complexity: convergence vs. integration
– Understand what is required to provide a comprehensive RM approach: assets, vulnerabilities, threats, metrics
– Convey the need and proposed plan to Seniors
• Understand the role of personnel in all facets of RM
Implementation
“There is no internal or external, it’s all threat.”
Leading Change/Transformation (John P. Kotter, Harvard Business Review)
1. Establish a Sense of Urgency
2. Form a Powerful Guiding Coalition
3. Create a vision
4. Communicate the Vision
5. Empower others to act on the Vision
6. Plan/Create Short-Term Wins
7. Consolidate Improvements/More Change
8. Institutionalize New Approaches
Implementation
Degrees of Change
Level I – Transactional (upgrading): a series of small steps.
Level II – Transitional (revision): a restructuring; organization fundamentals stay the same.
Level III – Transformational (turnaround): profound effect on the values, assumptions, beliefs, mindset and attitudes of an individual or groups of individuals.
Implementation
[Figure: Department Governance; elements: Strategic Alignment, Human Capital, Risk Management, Process/Performance Measurement, Risk Management Professionals, Infrastructure; outcome: Department Success]
Implementation
[Figure: Performance Learning Culture; axis: Tactical, Operational, Strategic Focus]
Level I: Day-to-Day Planning
* Strategy is only implicit
* Budget is primary planning tool
Level II: Forecast-Based Planning (Looking Over the Horizon)
* Use of forecasting models
* Assumes high predictability
Level III: Strategic Thinking (Focus on strategic issues)
* Apply effects-based planning
* Explores multiple futures
Level IV: Strategic Management (Wide-spread strategic thinking capability)
* Alignment of visions across units and functions
* Integration of strategy and reward system
Level V: Managing Uncertainty (Consider multiple futures)
* Create flexible/innovative strategies
* Monitor the environment
Strategic Alignment
Source: Navy Executive Learning Office
Implementation
Human Capital Talent Management
“Companies that invest in human capital, work to develop and retain valued employees, and measure and hold people accountable for that investment have a powerful competitive advantage.”
--J. Randall McDonald, IBM
Implementation
BUILDING FUNCTIONALITY (Desired)
Career Management: assignment, path planning
Sourcing: recruitment, selection
Assimilation: on-boarding, orientation, culture mentoring
Development: training, coaching
Performance Management: appraisal, goal setting, feedback
Rewards: pay, recognition
Engagement: attitudes, behavior
Retention: turnover, value proposition
Implementation
BUILDING FUNCTIONALITY (Reality)
Sourcing: recruitment, selection
Assimilation: on-boarding, orientation, culture mentoring
Development: training, coaching
Career Management: assignment, path planning
Performance Management: assessment, goal setting, feedback
Rewards: pay, recognition
Engagement: attitudes, behavior
Retention: turnover, value proposition
Source: Ready & Conger (2007)
Implementation
Security Enterprise PC
[Figure: Example Career Path, Security. Grades: Branch or equivalent security support (GS 9-13 or equivalent); Division or equivalent security support (GS 12-14 or equivalent); Directorate or equivalent support (GS 15 or equivalent); SES. Entry routes: Direct/new hire; military accession; 0083/0085/0086; Security Intern Program. Certifications: Security Fundamentals Professional Certification; Security Asset Protection Professional Certification; Security Program Integration Professional Certification]
Implementation
Enterprise Security Risk Management (ESRM)
Metrics
Types of metrics in the risk assessment process
Steps 1–3: Environmental data metrics
– Objective: commands aboard installation, critical asset inventory, operating environment, activities, missions, etc.
– Qualitative: criticality of assets, severity of threats (projection)
Step 4: Performance metrics – control implementation levels
• Presence of controls and degree of implementation
• Measurable observations, not subjective, no algorithms
Step 5: Performance scoring metrics (risk)
• Uses algorithms that relate performance and environmental metrics in a way that generates a risk understanding
• Provides scores within a risk-based framework and compares scores to performance targets.
Sample ESRM Startup Charter
Case for Action: Risk management is directed by law, executive order, agency and function. The directions are extensive, overlapping in some areas and leaving gaps in others. Together, the variety of functional requirements, methods and approaches for risk management can overwhelm the boss’s and staff’s ability to adequately assess, report and mitigate threats and vulnerabilities. Additionally, current processes make it too difficult to determine the relative importance of issues and the priority for mitigation. In the absence of an enterprise effort to converge risk management, the situation will continue, management action will be less effective, and risk will increase without a reasonable means to determine and implement effective countermeasures.
Process Owner: Mr. or Ms. Authority (someone with authority to make or influence policy and resourcing decisions)
Process Owner’s POC: Business proponent—who has the most to gain or lose
Process Stakeholders: Board, CEO, Business Units 1, 2, 3; Staff entity 1, 2, 3; Client 1, 2, 3
Project Description & Scope: Map risk management processes. Recommend an improved, multi-functional, converged process. Review existing government and industry processes, including automated risk management support tools, and recommend the best approach. Consider industry and government organizations that have developed computer-assisted methods to support more effective and efficient enterprise risk management processes.
Brief Description of Current Process: The following are examples of the major process shortfalls:
- 8+ risk management processes; each is accomplished separately without regard to the others.
- Risk management assessments and self-inspections are presented separately for management consideration and action. Threat and mitigation actions are reviewed separately.
- Little automation of the process, causing excessive time for administration and leaving little time for effective risk assessment.
Expected Outcomes:
- Meaningful cross-functional map of the current and desired future states for risk management.
- Improved process for management to assess the situation and decide best-value mitigation actions.
Core Team Members: Business unit managers 1, 2, 3; Engineering, Security, HR, Finance, Information Technology
Implementation
Implementation Example: Charter Objectives
Purpose is to assess administrative (information, personnel, industrial) security policy within the Department from policy-level management to installation-level execution. The strategic objectives are:
1) An effective and efficient security infrastructure for the Dept., including development and implementation of policy, training and oversight
2) Streamlined administrative security policy functions consistent with performance initiatives
3) Viable recommendations that, if approved, can be incorporated into the Department Management Level Headquarters Program Action Document
Phases:
I - Focus on policy-setting process for all, including Sr. Staff/service/org
II - Focus on improved Sr. Staff structure and process to develop, manage/implement
III - If desired, review and recommend improvement at lower echelons
Implementation
9/28/2012 3:34 PM
Implementation Example: Guiding Principles
• Consolidation of all security entities in a single organization is neither the goal nor desirable – look for ways to leverage the strengths of the various security disciplines and maintain legal authorities and responsibilities
• Stay focused – seek to improve effectiveness (less risk) for protection of information as well as to increase efficiency
• Strive to gain a corporate view and consensus on the current situation and desired end-state
• Get the processes right first – defining the organization is secondary
• Supervisors need a well-coordinated, effective and efficient security environment and readily available, expert advice on security equities
Implementation
Implementation Example: Guiding Principles (cont.)
• No expectation for gaining additional resources
• Cross-cutting issues/functions, enterprise-wide, offer the greatest opportunity for improvement:
– Oversight
– Training
– Resources (primarily manpower)
– Implementation/execution
• Gain Department level support to institutionalize across the enterprise
Implementation
Implementation Example: Conclusions
• Responsibilities of the Senior Security Official must be strengthened and codified in a policy directive. Furthermore, commanders need to establish a senior security advisor at the Department and installation levels.
• Varying models and structures exist to execute security responsibilities; need to follow a model that makes sense for the Department
• A senior level policy board at the Director’s level, that represents all security equities, offers a tremendous opportunity to provide a single voice to the Top 4 on all security related matters
• An enterprise-wide approach to security policy development, oversight, and implementation will eliminate confusion and offer the best opportunity to mitigate current & future risks
• Short term decisions and commitment to pursue process improvements and any attendant organization changes are critical for putting the security “house” in order
Bottom line: We must do better to support our Leaders
Implementation
Mission Impact Example: Security Chronology (2006–2011)
[Figure: timeline; lanes: Transformation Decision, Policy Structure, Staffing, Career Field]
Milestones shown:
– Security Directorate created; CONOPS signed
– Core policy directives; Dept. Instructions consolidation (Directorate, Division, Offices, Branch)
– Staffing: FY11 POM; FY12 POM
– Reorganization of career field management; IP DIR career field focal point
– Certification development; certification soft launch; certification operationalized
– Career field professional development design; career path structure approved
– Standardized AF position descriptions; career field sustainment realized
Implementation
Current State of Risk Automation
Current Benefits:
• Provides a standardized, repeatable method for assessing the risks and impacts of the numerous threats facing an organization’s assets.
• Allows the organization to track and task risk mitigation countermeasures, providing an architecture for ensuring security of physical and digital assets.
Current risk mitigation automation focuses on compliance with applicable standards and best practices, protection of assets, and the use of countermeasures against relevant threats.
Current technological capabilities support:
• Work assignment/tasking
• Cost-benefit analysis
• Comparative analysis
• Roll-up analysis
• Locational sorting/tracking
• Incident tracking
• Flexible characterization
• Conditional access
• Risk/vulnerability/threat analysis
Common Operations in Current Industry State
Compliance Culture: The current risk automation field remains driven by the ongoing need of organizations to meet compliance standards and industry best practices for certification, insurance purposes, or compliance with government or international mandates.
• NIST 800-53
• ISO 27002
• HIPAA
• ADA
• FEMA 426/428
DoD Origins: Industry development has mirrored the requirements of first adopters, leading to a focus on compliance with government standards and use for regional-level analysis instead of enterprise-level analysis.
Subjectivity: Generally, valuation of assets and characterization of threat levels has been subjective. While this allows calculation of risk levels without historical data, it also allows personal biases and a lack of technical knowledge to decrease the effectiveness of risk assessment results.
Industry Direction
The complexities and needs innate to large enterprises are putting increasing demands on risk managers. These large enterprises require management of risks across facilities/sites/regions/nations.
• Nodes as a system
• Reactive systems incorporating live data
• Valuation breakdown: subjective, cost, throughput, public outlook
• Visual analysis incorporating facility and regional views, with indications of risk reported visually
• Integration with active security measures (CCTV, fences, threat levels)
• Integration of all security disciplines within one automation system
[Figure: Complexity-Driven Need for Automation; axes: Data Volume, Security Complexity/Importance, Number of Assessment Sites]
Info to prepare for automation
1. Lists
– Facilities with addresses, POCs, etc.
– Assets
2. Guidelines
– Policies
– Compliance/risk frameworks
– Standards
3. Records of threats/incidents/losses
4. Corporate ‘goals’ for the program
Benefits to Security Manager
• Ability to view risks with the desired level of granularity
• Comparative analysis of countermeasures (CBA)
• Work tasking management
• Transitioning the security department from being compliance/safety focused to a value-adding part of the organization
• Ability to assess security at one site or a conglomeration of sites
• Supports presentation of complex relationships to non-technical personnel or management
• Reduced time required for inspections and risk assessments
• Analyze risks based on the causal threat, system vulnerabilities, or value of the asset as a loss or obstruction to normal operation in a process.
Example—ESRM Flow Chart
Step 1: Define Scope
Step 2: Assess Assets
Step 3: Assess Threats
Step 4: Assess Vulnerabilities
Step 5: Assess Risk
Step 6: Identify & Implement Countermeasures
Step 7: Evaluate Effectiveness & Reassess
What you can give the boss
• Projection of what assets are most at risk
– By whom/what
• Prioritization of remediation actions
– By benefit, cost, or cost-to-benefit
• List of existing measures that may not be the best use of resources
• One-stop-shop for all security-related information, on demand
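As an added example (not from the deck or its presenters), the Step 5 scoring idea and the three deliverables above worked in Python over a constructed asset inventory. The 1–5 criticality and severity scales, the 0–1 control implementation level, the product formula and the sample assets and measures are all assumptions chosen for illustration, not the deck’s own method.

```python
from dataclasses import dataclass

# Assumed scales (not the deck's): criticality and threat severity are qualitative 1..5
# environmental metrics (steps 2-3); a control's implementation level is a 0.0..1.0
# performance metric (step 4). Risk = criticality x severity x (1 - implementation).
@dataclass
class Asset:
    name: str
    criticality: int
    threats: dict      # threat -> severity
    controls: dict     # threat -> implementation level of the control against it

@dataclass
class Countermeasure:
    name: str
    asset: str
    threat: str
    cost: float
    new_level: float   # implementation level once the measure is in place

def residual_risk(asset, threat, level=None):
    """Step 5 scoring: criticality x severity x (1 - implementation), range 0..25."""
    if level is None:
        level = asset.controls.get(threat, 0.0)
    return asset.criticality * asset.threats[threat] * (1.0 - level)

def assets_most_at_risk(assets, target):
    """Projection: each asset's worst threat, its score, and whether it breaches the target."""
    rows = []
    for a in assets:
        worst = max(a.threats, key=lambda t: residual_risk(a, t))
        score = residual_risk(a, worst)
        rows.append((a.name, worst, round(score, 2), score > target))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def prioritize(assets, measures, order):
    """Rank remediation actions by 'benefit', 'cost' or 'cost_to_benefit' (step 6)."""
    by_name = {a.name: a for a in assets}
    scored = []
    for m in measures:
        a = by_name[m.asset]
        benefit = residual_risk(a, m.threat) - residual_risk(a, m.threat, m.new_level)
        ratio = m.cost / benefit if benefit > 0 else float("inf")
        scored.append({"measure": m.name, "benefit": round(benefit, 2),
                       "cost": m.cost, "cost_to_benefit": round(ratio, 2)})
    keys = {"benefit": lambda s: -s["benefit"], "cost": lambda s: s["cost"],
            "cost_to_benefit": lambda s: s["cost_to_benefit"]}
    return sorted(scored, key=keys[order])

def questionable_controls(assets, max_exposure):
    """Well-implemented controls (>= 0.8) guarding a low inherent risk: candidates to revisit."""
    return [(a.name, t, level) for a in assets for t, level in a.controls.items()
            if level >= 0.8 and a.criticality * a.threats[t] <= max_exposure]

# Constructed sample inventory and candidate measures (not from the deck).
SAMPLE_ASSETS = [
    Asset("HQ data center", 5, {"intrusion": 4, "fire": 3}, {"intrusion": 0.5, "fire": 0.9}),
    Asset("Warehouse", 2, {"theft": 4}, {"theft": 0.25}),
    Asset("Records office", 3, {"insider": 3, "intrusion": 2}, {"insider": 0.0, "intrusion": 0.8}),
]
SAMPLE_MEASURES = [
    Countermeasure("Badge readers at data center", "HQ data center", "intrusion", 40000, 0.9),
    Countermeasure("Insider threat program", "Records office", "insider", 30000, 0.6),
    Countermeasure("Warehouse CCTV", "Warehouse", "theft", 12000, 0.75),
    Countermeasure("Extra fire suppression", "HQ data center", "fire", 20000, 0.95),
]
```

Calling `assets_most_at_risk(SAMPLE_ASSETS, 8.0)` ranks the data center’s intrusion exposure first and flags it against the target; `prioritize(SAMPLE_ASSETS, SAMPLE_MEASURES, "cost_to_benefit")` puts the cheap warehouse CCTV ahead of the badge readers even though the badge readers remove more risk, which is exactly the trade-off the boss needs to see.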
Concluding Comments
Objective: Create a collaborative and cooperative culture for enterprise-wide success with executive involvement and the use of lean management business tools
• Current Situation (fragmented, reactive)
• Enterprise Security as a Solution
• Benefits of Metrics (Environmental, Performance)
• Integrated Solution
– Governance
– Holistic Integrated Approach
– Risk Management
– Frameworks and Standards
• Risk Automation
– Current State
– Industry Direction
– Benefits
ASIS International Guideline available: “General Security Risk Assessment”
Strategy is essential
“However beautiful the strategy, you should occasionally look at the results” (Winston Churchill)
“Everyone has a strategy, until they punch you in the mouth” (Iron Mike Tyson)
Oversight of Protection Equities
• Functional or interest area: ________________ (e.g., information, physical, cyber)
• Assessment title: ________________________
• Assessment level: ____________________ (e.g., corporate, division, business unit)
• OPR: ____________________________ (organizational title); Individual: _________
• Shared responsibility with other functional or interest area: yes/no. If yes, identify: ___________
• Assessment conducted by: ___________________ (organization, office)
• Requirement established by: _________________________ (organization by name)
• Requirement established in publication: ____________ ___________ (title & date)
• Methodology of assessment: ______________________ (survey conducted remotely via Q&A; survey on site; evaluation with administrative orientation; evaluation with performance orientation; evaluation with compliance orientation; mix, specify characteristics)
• Formal reports delivered to: _________________________ (e.g., Board, CEO, President, VP)
• Results aggregated: yes/no. If yes, at what echelon? ________________
• Metrics or measurement system instituted: yes/no. If yes, describe: _______________________
• Share or crossfeed results to others: yes/no
• Integration of results into lessons learned: yes/no. If yes, describe/name system: _____________
• Influences policy and process changes: yes/no. If yes, plan for changes
• Potential for scheduling and conducting evaluation/assessment as part of a collaborative team, or for a team to expand its responsibilities and orientation