Strategic Risk Management: Beyond the Balance Sheet Security and Business Resiliency Six keys to effective reputational and IT risk management Judith Purves, Chief Financial Officer, IBM Canada June 6, 2013


Key Business issues driving growth in Risk Investments

People and devices are sharing information more than ever before

The unprecedented explosion of data growth (90% of world’s data created over the last 2 years) has put exceptional pressures on the storage capabilities, control, risk mitigation and management of Data Centres


Evolving challenges: Internal, External & Compliance


Security Trends: 2011 Targeted attacks

Source: IBM X-Force® 2011 Trend and Risk Report – March 2012


Security Trends: Targeted attacks are increasing - 2012

Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012


Security Trends: Targeted attacks are increasing - 2012 Government/International bodies

Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012


What are the impacts to an organization?

The impact of lost data or unplanned downtime can be catastrophic, leading to lost revenue, reputation and competitive position.

Lost deals; Disruption of cash flow; Lost discounts; Missed payments; Drop in stock price

Company reputation; Damaged relationships with: Customers, Suppliers, Partners, Lenders, Investors

Direct revenue losses; Loss of future revenues; Losses due to invoices that cannot be completed; Losses due to investments not made

Temporary staff needed; Travel expenses incurred; Equipment rental costs

Employees who cannot perform their jobs

Missed deadlines

Inability to meet compliance requirements

Impact categories: Finances, Loss of reputation, Revenue, Miscellaneous costs, Productivity, Regulatory


As a CFO, consider this…

The average cost per hour of system downtime is increasing as more business operations become automated

Average cost of one hour of downtime: $110K (2010), $182K (2012)

Source: Aberdeen Group: “Datacenter Downtime: How Much Does it Really Cost?,” March 2012

Source: IBM Global Risk Study


What is driving change?

New challenges face IT as the consumerization of IT continues and forces emerge that challenge an organization’s speed, agility and resilience.

Sources: 1. IBM cloud computing organization estimate. Individual results may vary. 2. Gartner, “Information and the Nexus of Forces: Delivering and Analyzing Data,” 26 June 2012. 3. IDC, Digital Universe Study, sponsored by EMC, June 2011.


Some recommendations…

Based on study findings and IBM IT risk management expertise, we recommend six key initiatives

Six keys to effective reputational and IT risk management

1. Put someone in charge

2. Make the compliance connection

3. Reevaluate the impact of social media

4. Keep an eye on your supply chain

5. Avoid complacency

6. Fund remediation; invest in prevention


Key 1: Put someone in charge

Study findings (2013 data)

Role most accountable for company’s reputation: CEO 80%, CFO 34%, CRO 24%, CIO 23%, CMO 22%

Study implications

Ultimate responsibility for reputational risk should rest with one person — but who?

– CEOs: multiple responsibilities, little time

– CFOs: focused on financial risks, not IT

– CROs: do traditional and IT risk responsibilities leave enough time for reputation risk?

Emerging trend: the Chief Digital Officer

– New C-suite role for technology-driven world

– Strong business and technology knowledge

– Responsible for all aspects of digital presence


Key 2: Make the compliance and reputation connection

Study findings (2013 data)

87% of banking respondents say IT failures can have severe compliance consequences

Reputational factors very strongly/strongly affected by IT risk: Customer satisfaction 74%, Brand reputation 74%, Compliance 72%, Profitability 60%

Study implications

Where IT and compliance intersect:

– Regulatory requirements for recovery time from system outages

– Legal requirements for data archiving, retrieval and eDiscovery

– Legal and regulatory requirements for privacy and data protection

Recommendations:

– Integrate compliance requirements into IT and reputational risk strategies

– Measure performance

– Identify gaps in protection and mitigation processes


Key 3: Reevaluate the impact of social media

Study findings (2013 data)

Only 27% provide guidelines for employee social media use during a crisis

Only 19% have incorporated social media into their disaster recovery plans

Companies are missing the opportunity to leverage social media to protect and recover their reputations

Study implications

Add a third dimension to risk management

– 1 Likelihood: 1 in 7? 1 in 100?

– 2 Impact: Severe, Moderate, Mild

– 3 Velocity

Respond swiftly to IT-related reputational incidents—and use social media as an informational channel

Build a bank of goodwill—use social media as a channel for enhancing your reputation


Key 4: Keep an eye on your supply chain

Study findings (2013 data)

Only 28% of companies are “very strenuously” requiring their vendors, partners and supply chain to match levels of risk control*

*Average

“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.” Chief marketing officer, American education company

Study implications

Two aspects of vulnerability

– Security: Sensitive data shared with third parties can be compromised

– Continuity: Supplier downtime can disrupt production and product availability

Recommendations

– Identify outside sources that your company relies on

– Require partners to meet your levels of IT and reputational risk management

– Verify compliance through regular auditing and reporting


Key 5: Avoid complacency

Study findings (2013 data)

Perception/reality gap

82% rate reputation as excellent or very good

18% rate ability to manage IT risk as very strong

Study implications

There is room for improvement in almost every organization

Recommendations

– Ensure that foundational IT risk management tools are in place

– Map IT and reputational risk strategy to concrete, measurable tactics

– Perform regular gap analysis

– Stay ahead of new technology and changing threats


Companies are overlooking many of the security controls that can proactively protect their reputations before harm happens

Key 5, study findings (2013 data)

[Chart: security controls in place (Firewall management, Identity/access controls, Network/endpoint protection, Security threat intelligence, Penetration testing, Encryption, Vulnerability scanning, Mobile device security); confidence level, very confident/confident about protection against data breach; values shown: 66%, 70%]


Companies have continuity basics in place, but are missing IT fundamentals that provide additional protection

Key 5, study findings (2013 data)

[Chart: continuity controls in place (Backup/restore testing, Fully documented DR plan, Automated backup processes, Change management, 24x7 software tech support, Testing includes business users); confidence level, very confident/confident about protection against: 68% Systems failure, Data loss 73%; other values shown: 76%, 69%, 69%]


Key 6: Fund remediation; invest in prevention

Study findings (2013 data)

Only 56% of companies say IT risk management funding is adequate to protect reputation

54% of companies have increased spending on IT related to reputational risk over the past 12 months

55% of companies will increase spending on IT related to reputational risk over the next 12 months

Study implications

Recommendations

– Include the CIO in reputation risk management

– Evaluate the cost of inadequate funding

– Treat IT as a core business asset, not a cost center

– Base IT spend on risks and outcomes, not revenue or sales

The cost of system downtime*

$181,770 per hour

The cost of data center downtime

$418,017 per event

The cost of a business interruption event

*“Datacenter Downtime: How Much Does It Really Cost?” Aberdeen Group, February 2012.


Going forward, new technologies and social media will help fuel increased focus on reputational risk

Study findings (2013 data)

68% will increase focus on reputational risk compared to five years ago

Why increase?

– New technology/social media, 43%

– Previous event harmful to competitor/industry, 20%

– Previous event harmful to company, 18%

– Board of directors/C-suite mandate, 10%

– Other, 7%

– Shareholder pressure, 3%

“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.” CIO, Barbados professional services firm


Thank YOU and Additional Resources

Download the full study report: ibm.com/services/riskstudy

Download the IBM point-of-view: ibm.com/services/riskstudy

Engage with an IBMer to discuss your reputational risk exposures

Visit these websites:

ibm.com/services/security

ibm.com/services/continuity

ibm.com/services/techsupport

The IBM Canada Leadership Data Centre in Barrie, Ontario showcases the best of IBM’s global data centre practices for Computing and Recovery environments. Tour this exciting new facility and gain valuable insights on managing risk and reducing costs through the adoption of innovative technologies such as cloud computing, advanced virtualization and energy management.

For more information or to register for an upcoming event please contact an IBM sales team representative

Managing Risk: Business Resiliency and Security - Discover the benefits of IBM’s holistic approach to addressing risk in the areas of security, business resilience and compliance. Held at IBM’s newest Data Centre in Barrie. www.ibm.com/ibmcanadaleadershipdatacentre

June 12, 2013 Also