Diagnosing Risk in the Modern Organization
Deconstructing Organizational Risk
In the previous installment of my ongoing Enterprise Architecture series, I discuss the concept of Enterprise Resilience and its importance to triaging the enterprise in the event of a cyber-attack or a disaster that interferes with or prohibits the operation of revenue-generating assets. Enterprise Resilience is now understood to be “the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.”[1] Disciplines within the practice of Enterprise Architecture (EA) can provide the framework to strengthen this capability by ensuring all foundational issues are considered from the onset and that the organization can steadily expand the analysis to address more and more issues and concerns.
Organizational Risk Management and Resilience
I am particularly alarmed by the ever-increasing rate of successful ransomware attacks, especially on municipalities, healthcare, and non-profits. While some analysts in the technology media have equated a willingness to pay the ransom with a lack of preparedness and a comprehensive restoration plan, I think it is more indicative of the confusion (and panic) that comes from a deficiency in understanding all of the elements of the enterprise, both human and IT, and the exact role each part performs.
In my previous article, I raised the argument that the problem with Emergency Restoration plans (or Continuity of Operations Plans – COOPs) was that they were, and still are premised on an all-in approach. They are designed to execute an orderly restoration of everything. Unfortunately, the plan is rarely built with “triage” in mind.
Enterprise Resilience is both a strategic and tactical obligation for any organization to thrive and grow in a fast-paced, dynamic, globally-connected market or environment. Resilience planning cannot be a one-time assignment; it must be implemented in phases and long-term success can be achieved over time. It cannot be realized alone, as EA practitioners supporting Enterprise Resilience must also integrate the precepts of Organizational Risk Analytics. Resilience has a symbiotic relationship with risk.
Risk is as pervasive to the enterprise as bacteria in the human body. Some are beneficial, some are benign, and some are detrimental (even deadly). A critical challenge is to not only determine which is which but more precisely which elements of the enterprise are vulnerable to which risk(s) and under what circumstances.
Traditional risk management practices are a stable and mature discipline, but while risk management is a key tool for Program Managers, it is not well suited for IT planners. The analysis is focused on the practical implications of specific resources and schedules, thus residing at a more intangible level. The standard options – avoidance, reduction, sharing, and retention – are thoughtful, but insufficient considerations for operational planners and managers in both business and IT.
Proper execution of Enterprise Resilience identifies which processes and supporting facets are critical to enterprise operations and which activities are critical to the process(es). Enterprise Resilience reaches beyond risk management by delivering a comprehensive view of business welfare and operational success. Organizational Risk Analytics does what risk management cannot; it is designed to reverse engineer the critical activities to unveil all resources (facets) required for successful operations.
Understanding the Complexity of Organizational Risk
Risk is certainly not a new topic for the Enterprise. In a recent article,[2] Rob Pegoraro describes a critical issue that underpins the need for the field of Organizational Risk Analytics—complexity:
For the past decade, information technology and cloud computing vendors have increasingly pushed the virtualization and abstraction of every possible part of IT infrastructure further and further, turning what used to be things you bought and paid for into services that you subscribe to. First there was software as a service, and then compute and infrastructure as a service, then platforms as a service, and now even storage and databases as a service. The “private cloud” brought the same models into enterprise data centers. And the “hybrid cloud” blew the data center walls out and mixed everything together. But managing each decoupled element of this brave new world of randomly distributed infrastructure has become increasingly complex. Arguably, it hasn’t really changed the business of running enterprise IT as much as it has made things complex in new ways.
This new complexity and the splintering of the enterprise’s core components will substantially increase the exposure of critical processes and activities to destructive risks that cannot be anticipated. In the cloud, boundaries are random and ephemeral with unknown vulnerabilities and attacks (risks) hovering at the edges. How does the enterprise protect critical business activities and identify risks it does not cause, cannot see, or even anticipate? This requires a fundamental shift in how stakeholders define and identify risk.
Changes in Organizational Risk Analytics
A significant paradigm shift advocated in ISO 31000 was an implied change in how risk is conceptualized and defined. Under both ISO 31000:2009 and ISO Guide 73, the definition of “risk” was no longer “chance or probability of loss”, but the “effect of uncertainty on objectives” … thus causing the word risk to encompass a broader range of uncertainty, beyond purely negative ones associated with budget and schedule. A similar definition was adopted in ISO 9001:2015 (Quality Management System Standard), in which risk was defined as the “effect of uncertainty.” Additionally, a new risk-related requirement, “risk-based thinking,” was introduced there. I am proposing the implementation of Organizational Risk Analytics as the methodology for executing risk-based thinking as an EA practice. Because of the patulous nature of information captured and analyzed by EA practitioners, it is the ideal platform to work from.
Organizational Risk Analytics is not a completely new concept, but it is a specialized methodology providing a consistent (documented), repeatable technique for analysis and identification of information system-related risks. Organizational Risk Analytics is the everyday EA work accomplished to realize the objectives of Risk IT. Risk IT, published in 2009 by ISACA, is a set of guiding principles for effective management of IT risk. IT risk is defined as a part of business risk, specifically, “the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.” It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, manifesting in challenges to meeting strategic goals and objectives. Risk IT is built around two core principles: 1) Always align with business objectives and 2) Align the management of IT-related business risk with overall enterprise risk management. Risk IT states that “management of business risk is an essential component of the responsible administration of any organization. Due to IT’s importance to the overall business, IT risk should be treated like other key business risks.”[3]
Organizational Risk Analytics is complementary to Risk IT—if Risk IT is the philosophy and design, then Organizational Risk Analytics is the tool chest needed to do the daily work. It will provide the details and analysis required to examine and understand the patchwork inherent to decentralized management of disparate stove-piped processes and systems. This understanding is vital to realize the mature enterprise with a unified environment of integrated, interoperable business processes and technology services. It will do this by providing an end-to-end, comprehensive view of all risks, operational and systemic, related to the use of information technology. Risks will be identified, prioritized and mitigated through a thorough exercise that links process management, examining the strategy and context inculcated by the boardroom and leadership suites, to operational processes threaded throughout the enterprise down to the activities and services that achieve daily/hourly objectives.
How to Mitigate Costs with Risk Analytics
Recent industry reporting estimates cyber-security insurance premiums paid by companies are expected to increase from $2.5 billion in 2015 to $7.5 billion in 2020[4] and potentially escalate to $20 billion in 2025.[5] Risk and resilience-based triage should be the foundation for providing decision quality information up and down the chain-of-command. By understanding the critical components and the processes they support, the enterprise can more quickly rebound from a cyber-attack. Less downtime equals less revenue lost and a decreased chance of panic to pay out to resolve ransomware.
EA can reclaim an important role in understanding what components are vulnerable and what the “cost” of losing that component could be. Implementing new skills in Enterprise Resilience and Organizational Risk Analytics will move the application of EA efforts from its legacy roots of the big picture, “big iron” software development to a nimbler, business influenced analytic skill set. EA practitioners need to revisit what they can do for the enterprise and rethink what and how they work. EA must become less historical and exhaustive documentation focused and more investigative, analytic, and results-oriented. Like any scientific or medical study/analysis, it is essential that it be well understood, repeatable, and verifiable.
References
1. BSI. What is Organizational Resilience?
2. Pegoraro, Rob. (2019, September 10)
3. ISACA. The Risk IT Framework.
4. PwC. Insurance 2020 & beyond: Reaping dividends of cyber resilience.
5. CBInsights. The $20B+ Opportunity For Cyber Insurance.