Leading IT Transformation – Workshop 17 (IT Transformation Risks)
The Appleton Greene Corporate Training Program (CTP) for Leading IT Transformation is provided by Ms. Drabenstadt MBA BBA Certified Learning Provider (CLP). Program Specifications: Monthly cost USD$2,500.00; Monthly Workshops 6 hours; Monthly Support 4 hours; Program Duration 24 months; Program orders subject to ongoing availability.
Learning Provider Profile
Ms. Drabenstadt is a Certified Learning Provider (CLP) at Appleton Greene and she has experience in Information Technology, Information Governance, Compliance and Audit. She has achieved an MBA and a BBA. She has industry experience within the following sectors: Technology; Insurance and Financial Services. She has had commercial experience within the following countries: United States of America, Canada, Australia, India, Trinidad, and Jamaica. Her program will initially be available in the following cities: Madison WI; Minneapolis MN; Chicago IL; Atlanta GA and Denver CO. Her personal achievements include: Developed Trusted IT-Business Relationship; Delivered Increased Business Value/Time; Decreased IT Costs; Re-tooled IT Staff; Increased IT Employee Morale. Her service skills incorporate: IT transformation leadership; process improvement; change management; program management and information governance.
MOST Analysis
Mission Statement
When it comes to IT transformation, there are a number of risks that organizations need to be aware of. By not taking into account the potential risks, companies can end up making costly mistakes. Companies are looking to grab any technology-driven advantage they can as they adapt to new ways of working, managing employees, and serving customers. They are making bigger moves toward the cloud, e-commerce, digital supply chains, artificial intelligence (AI) and machine learning (ML), data analytics, and other areas that can deliver efficiency and innovation. At the same time, enterprises are trying to manage risk — and the same digital initiatives that create new opportunities can also lead to risks such as security breaches, regulatory compliance failures, and other setbacks. The result is an ongoing conflict between the need to innovate and the need to mitigate risk. While the rewards of a successful IT transformation are clear, there are also risks that businesses must consider and manage carefully. By understanding these risks in digital transformation and taking steps to mitigate them, your organization can confidently move forward with its digital transformation initiative.
Objectives
01. Technology Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
02. Workforce Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
03. Automation Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
04. Compliance Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
05. Cloud Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
06. Cybersecurity Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
07. Resiliency Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
08. Third Party Risks: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
Strategies
01. Technology Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
02. Workforce Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
03. Automation Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
04. Compliance Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
05. Cloud Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
06. Cybersecurity Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
07. Resiliency Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
08. Third Party Risks: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
Tasks
01. Create a task on your calendar, to be completed within the next month, to analyze Technology Risks.
02. Create a task on your calendar, to be completed within the next month, to analyze Workforce Risks.
03. Create a task on your calendar, to be completed within the next month, to analyze Automation Risks.
04. Create a task on your calendar, to be completed within the next month, to analyze Compliance Risks.
05. Create a task on your calendar, to be completed within the next month, to analyze Cloud Risks.
06. Create a task on your calendar, to be completed within the next month, to analyze Cybersecurity Risks.
07. Create a task on your calendar, to be completed within the next month, to analyze Resiliency Risks.
08. Create a task on your calendar, to be completed within the next month, to analyze Third Party Risks.
Introduction
Digital Transformation Risks and Mistakes
The Coronavirus crisis has accelerated a global digital pivot, forcing businesses to rethink their processes and strategies for a new reality. Analysts from HBR, Gartner, Forrester, McKinsey and more are all saying the same thing – investing in technology will help mitigate the impact of this event, both right now and in the long term.
But what if you’re among the 30% of organizations who haven’t yet made any major digital shifts, even before the pandemic started?
Now that transitioning to digital is not just important but urgent, you could actually be in a better position than some of your competitors, who may be partway through their technology initiatives and must now suddenly shift gears.
You have the opportunity to transition to technologies that reflect where your systems and customers are now, where they’re headed, and the trends that will shape business in the long haul, post-crisis.
But first, you need to be aware of the most common digital transformation risks and mistakes to avoid.
Mistake #1: Shiny object syndrome
Sometimes businesses will embrace a technology trend, such as AI chatbots or automation, whether it’s because they feel compelled to digitize or because the idea intrigues them.
Many businesses are instinctively looking for a quick fix or a solution that appears out of nowhere to put things back on track, especially in the present climate of uncertainty. But on their own, these single-technology solutions won’t live up to expectations.
Any use of a new technology must be integrated into a broader strategy for the business and the customer experience, rather than deployed as a one-off.
Mistake #2: Staying siloed
The CIO or the IT department is not the only party that must handle digital transformation. It affects every division of your business, including sales, marketing, finance, and human resources. If you try to implement a change without including all departments, it is very likely to fail.
Top-down cultural issues like transformation necessitate everyone’s comprehension, a change in thinking, and buy-in. And now that transformation is no longer an option but rather a requirement for almost every firm worldwide, it’s critical that everyone in your organization is informed, on board, and equipped to change.
Mistake #3: Doing too much too soon
This may seem contradictory given the pressing need for firms to go digital.
Yes, you must move quickly.
However, you must also approach it in a way that maximizes your chances of success. You might currently be concentrating on your “no fail” tasks, or the crucial business procedures that must continue in order for the organization to survive. This is a fantastic illustration of how the priorities for transformation will be determined by our new normal.
What unexpected needs or expectations do customers (and workers) have today that you are not currently meeting?
Starting there, move forward in a way that enables you to move fast while remaining safe. This entails experimenting regularly, working slowly, and having the flexibility to pivot as necessary, because what is required and anticipated a month or a year from now can be entirely different, and you want to be able to change swiftly.
When moving from plan to implementation, you frequently encounter issues because the company adopted a “big bang” strategy and discovered all of the leaks in the pipes far too late, when they could have learned more quickly and cheaply by running modest tests.
Another possibility is that they gain a lot of momentum in the beginning but quickly exhaust their leaders and talent due to doing too much too soon. In order to accelerate digital transformation effectively, one must first slow things down.
Start your digital journey by considering the four S’s: When adopting digital, set a SIMPLE goal, ensure that your leaders are behind it, start small, and sustain energy by not overloading leaders, employees, or teams.
Mistake #4: Underestimating the extent of change
It could be tempting to focus your digital initiatives only on pressing requirements like infrastructure security, telecommuting, and supply chain diversification. With this strategy, businesses typically want to keep costs to a minimum, get through the crisis, resume normal operations, and then think about investing more in digital once sales have stabilized a bit.
Nevertheless, we firmly believe that this is a mistake. Although no one can foretell the future, it’s difficult to think that things will ever return to “business as usual.” According to Harvard Business Review,
“Vision is especially urgent during a crisis as global and systematic as this one. Inflections that you might have had five years to anticipate in a normal environment might unfold in a matter of weeks or months.
Trend lines, such as those towards telecommuting, telemedicine, online shopping, and digital media consumption, are suddenly much steeper…Some of the fundamental assumptions underlying your current business model may have been (or may soon be) upended.
In short, the business environment that you land in when the pandemic comes to an end – which could be one to two years from now – may be very different from what it was before the crisis began.
You need to begin preparing for it now.”
Case Study: Why you should design better UIs (and not make your creditors mad)
“If it ain’t broke, don’t fix it” is a common company philosophy when it comes to IT products, and if you’ve ever been involved in a failed upgrade or deployment, you understand why. However, this can lead to seriously antiquated systems being used in production, with UIs that date back to the early days of the software industry, which in turn can lead to usability issues with real-world repercussions.
This trend is well illustrated by one of Citibank’s back-end systems, which was also the main contributor to a $500 million error. The narrative goes as follows: On behalf of Revlon, one of Citibank’s clients, Citibank was attempting to pay interest to a number of Revlon’s creditors in the amount of $7.8 million. To calculate the interest properly, Citibank’s employees had to set up a transaction as if they were paying off the entire loan. They then had to check multiple boxes to send the majority of the payment to an internal Citibank account while only the interest portion went to creditors. Doing that in Flexcube, an outdated piece of in-house Citibank software, was a particularly cumbersome process. Even though this deal for Revlon was approved by three different individuals, it proceeded without all the necessary checks being made, and $900 million was distributed, the majority of which wasn’t due to creditors until 2023.
You might be surprised to learn that this kind of blunder is not unheard of and that the party receiving the payment typically returns the incorrectly transmitted funds to the entity that made the error. But this time, things went differently: More than half of the monies distributed went to various hedge funds, who were still irate that the loan’s terms had been altered in a way that favored Revlon. A judge decided last year that they were not required to return the money because they said they saw it as an early payment of the obligation they were owed.
The main takeaway from this is to, at the very least, update your user interfaces to ensure that staff can carry out their tasks efficiently and coherently. Another important takeaway is that, when mistakes aren’t exploited, they can be less painful.
More IT transformation risks you may come across
Faulty digital transformation premises
You may be familiar with this remark from the film The Big Short:
It’s a great summary of the factors that contributed to the 2008 financial catastrophe and the irrational optimism that caused it. It also exemplifies what we observe in big businesses undergoing digital transformation.
For instance, many large businesses are currently undergoing or intend to begin an end-to-end ERP upgrade to the cloud. It is assumed that an ERP upgrade will produce business outcomes that boost profitability and enhance operations.
However, this is absolutely untrue, and there is ample evidence for it: a large company implements a major ERP provider’s product and, 36 months later, is still having trouble locating the value.
This isn’t because putting in place a cloud-based ERP is a terrible idea. It’s really good. What it usually gives you is the capacity to use your data in novel ways, opening up chances for increased profitability and operational efficiency. It cannot deliver those outcomes on its own.
Driving innovation without the necessary production deployment skills
Nowadays, chief digital officers are employed by many businesses. Some organizations have innovation teams and even funds for innovation. Design sprints, hackathons, and other innovation-focused events are now being held by even enterprises without a specific innovation governance approach.
These are valuable assets. But a lot of the time, what’s lacking is the skill set required to turn the concepts into full-scale operations. Your teams will struggle unless you have a team with experience bringing a wide range of innovative technologies to market, from concept to effective user acceptance. This lesson has been painfully learned by a lot of big businesses.
The current IT and development infrastructure is anticipated to carry out many of these efforts. However, the process for these kinds of engagements is usually very different.
It’s ideal to conduct quick, iterative testing with innovation projects. Delivering minimum viable products, testing or piloting them with internal or external stakeholders, then quickly enhancing them as you roll them out to progressively bigger user bases is how you create incremental value.
The problem of technological stacks comes up frequently as well. Although the final product will need to interact with internal systems, you are frequently better off utilizing technology stacks that prioritize deployment speed and simplicity over enterprise systems early on.
The potential to “bring your own language” (BYOL) into build packs that integrate seamlessly with the wider corporate architecture is something that even companies like SAP have acknowledged.
But there is frequently (understandable) internal resistance to learning those languages and how to use them. Teams try to implement lean startup ideas using legacy or enterprise systems, but these constraints on speed and agility prevent them from being successful.
Going it alone.
“Data is a team sport.”
“There’s no I in team.”
“If you want to go fast go alone. If you want to go far, go together.”
These adages all speak to the same concept. Work as a team if you’re going to innovate.
Although it might make sense in many circumstances, this does not necessarily mean hiring more people and developing internal skill sets. However, it frequently pays off greatly to include outside team members, either for execution or for perspective.
Teams with start-up expertise are aware that combining pre-existing third-party solutions is sometimes the quickest route to market. They prioritize remaining close to the consumer, providing value, and accepting that platform or code debt is a necessary part of the deal. They fully anticipate later replacing and refactoring work. Internal teams frequently lack that point of view.
In a similar vein, those with experience in startups (and to a lesser extent agencies) frequently possess pattern detection skills that internal teams lack. Manifold’s expertise in product strategy stems in part from our own experience creating startups. That perspective is incredibly helpful when trying to make product decisions like:
• Which metrics are leading indicators of risk or success.
• How to concurrently design for both external novice users and internal power users.
• How to cope with the chicken-and-egg issues that come up when dealing with marketplace businesses.
• How to optimize for adoption, and the vital importance of the first-time user experience.
• The methods that can encourage referral and boost supplemental income.
• The best ways to design products with self-priming growth loops.
• The drawbacks of voice-activated or conversational user interfaces.
Even if your internal team handles most of the work, bringing in an outside team to offer direction and input can be quite beneficial.
Not having mentors.
In a similar vein, higher-level strategic vision is a prevalent weakness. Although internal teams have extensive domain knowledge, they frequently suffer from being too close to the issue or from lacking the ability to recognize patterns across a wide range of businesses and organizations.
Once more, startups serve as a terrific model. The majority of firms with venture capital funding have a board of directors as well as outside consultants. These are crucial tools that may spot future problems and assist in avoiding them, bring fresh ideas from different fields, and set up connections that can completely change a company. They can also offer guidance on how to go through iteration.
Establishing a similar board of advisors, whether at the portfolio or individual initiative level, can frequently mean the difference between success and failure.
Not proving the value.
Harvard Business Review claims that failing to have a specific value creation hypothesis is a widespread mistake.
This oversight frequently results in the funding of initiatives that, despite being well executed, had little value attached to success. For innovation teams and the leaders inside them, allocating resources, fostering team energy, and finishing without demonstrable value creation can frequently spell doom.
Successful innovation projects frequently require time. Additionally, there is a clear requirement for executive level leaders to exercise patience and provide enough air cover for new ideas to develop and find value. However, that doesn’t imply you should begin a project without knowing how, if it succeeds, you’ll extract value at the other end.
To avoid this trap and make sure that successful initiatives truly benefit the organization, it is wise to model out potential avenues for growth and value creation, understand the potential addressable market, and have a hypothesis for “exit” (even if that exit is simply bringing the initiative in-house).
Create plans to mitigate these digital transformation risks
Outlining all the hazards you can perceive and creating mitigation plans for each might be useful as you implement your digital transformation strategy. Perform a “pre-mortem” to try to foresee potential problems and make sure you have the ideal systems, procedures, and partners in place to successfully carry out your digital transformation activities.
Case Study: The Ariane 5 launch became one of the biggest information technology failures
The Ariane 5 rocket Flight 501 was a part of the Ariane project, a Western European initiative started in 1973 that aimed to give Europe a dominant position in the commercial space industry by launching a pair of three-ton satellites with each launch. The project’s completion required ten years and a total investment of $7 billion.
Tuesday, June 4, 1996 saw the launch of Ariane 5 Flight 501, which disintegrated shortly after liftoff. Inside the launcher, two Inertial Reference Systems (IRS) with identical hardware and software were working side by side. The onboard computer would immediately switch to the backup system if it discovered that the active IRS had failed.
The IRS featured a built-in computer that it used to measure the launcher’s altitude and its movements in space. The onboard computer used the data from this system to carry out the flight plan. When the launcher’s computer attempted to convert the rocket’s sideways (horizontal) velocity from a 64-bit format to a 16-bit format, the guidance system for the launcher shut down 36.7 seconds after the launch. Because Ariane 5’s horizontal acceleration was far higher than Ariane 4’s, the number was too large for the target format and an overflow error occurred.
The conversion failed because the input number was larger than 32,767, the maximum value that can be stored in a 16-bit signed integer. Because the conversion in Ariane 5 had no associated exception handler, the system’s exception management facilities were activated and the software shut down.
The primary factor contributing to this calamity was that when the guidance system shut down, it transferred control to the backup system, which had failed in exactly the same way a few milliseconds earlier because it was running the same software. In actuality, the routine that contained the error served only to align the system prior to launch and had no further use once the rocket was in the air. It ought to have been turned off, but due to a choice made in earlier Ariane versions, engineers left it running for the first 40 seconds of the flight to make it easier to restart the system in the case of a brief interruption in the countdown.
As a result, the rocket detonated, broke into countless pieces, and fell onto the surrounding field. The failure resulted in an additional expense of $370 million and reduced a sizable, possibly ground-breaking project to a pile of flaming dust.
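The failure chain described in this case study (an unchecked 64-bit to 16-bit narrowing, an exception with no handler, and a backup channel running the same code on the same input) is easiest to see in code. The following C program is an added illustration written for this workshop page; it is not code from the launcher, which was written in Ada, and every value, function name and the two-channel model are constructed for the example. It contrasts the unchecked narrowing with a range-checked one, and shows why identical redundant channels give no protection against a software defect unless the overflow is actually handled.

```c
/* Added example (not from the workshop material): the Ariane 5 narrowing
 * conversion reproduced in C. Inputs, names and the channel model are
 * constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <math.h>

typedef enum { CONV_OK = 0, CONV_OVERFLOW = 1 } conv_status;

/* The flawed pattern: narrow a 64-bit value to 16 bits with no range check.
 * Out-of-range input silently wraps (implementation-defined in C) instead of
 * producing an error the caller can act on. The intermediate int64_t cast
 * keeps the double-to-integer step itself within a representable range. */
int16_t narrow_unchecked(double v) {
    return (int16_t)(int64_t)v;
}

/* The defensive pattern: reject anything that does not fit before narrowing.
 * The negated comparison also rejects NaN, which would otherwise slip through. */
conv_status narrow_checked(double v, int16_t *out) {
    if (!(v >= (double)INT16_MIN && v <= (double)INT16_MAX)) {
        return CONV_OVERFLOW;
    }
    *out = (int16_t)v;
    return CONV_OK;
}

/* Model of one inertial reference channel. It "shuts down" (returns 0) when
 * the conversion overflows and no handler exists, as described for Flight 501.
 * With handle_overflow set, an out-of-range value is saturated and the
 * channel stays alive (returns 1). */
int channel_step(double horizontal_bias, int handle_overflow, int16_t *out) {
    if (narrow_checked(horizontal_bias, out) == CONV_OK) {
        return 1;
    }
    if (!handle_overflow) {
        return 0;                               /* unhandled exception: channel down */
    }
    *out = horizontal_bias < 0 ? INT16_MIN : INT16_MAX;   /* saturate instead of dying */
    return 1;
}

/* Two identical channels fed the same input. If the primary fails, the backup
 * runs the same code on the same value and fails the same way. Returns how many
 * channels are still alive after the step: 2 = both, 0 = common-mode failure. */
int redundant_step(double horizontal_bias, int handle_overflow) {
    int16_t primary, backup;
    int alive = 0;
    alive += channel_step(horizontal_bias, handle_overflow, &primary);
    alive += channel_step(horizontal_bias, handle_overflow, &backup);
    return alive;
}

int main(void) {
    /* Constructed inputs: a value an Ariane 4 trajectory might produce, and a
     * larger one standing in for Ariane 5's higher horizontal velocity. */
    const double ariane4_like = 12000.0;
    const double ariane5_like = 40000.0;   /* exceeds 32,767 */
    int16_t v;

    printf("unchecked narrow(%.0f) = %d\n", ariane5_like, narrow_unchecked(ariane5_like));
    printf("checked narrow(%.0f) -> %s\n", ariane5_like,
           narrow_checked(ariane5_like, &v) == CONV_OK ? "ok" : "overflow rejected");
    printf("channels alive, Ariane 5 input, no handler: %d\n", redundant_step(ariane5_like, 0));
    printf("channels alive, Ariane 5 input, handler:    %d\n", redundant_step(ariane5_like, 1));
    printf("channels alive, Ariane 4 input, no handler: %d\n", redundant_step(ariane4_like, 0));
    return 0;
}
```

The point to take from running it: `narrow_unchecked` quietly returns a wrong value, `narrow_checked` reports the overflow, and `redundant_step` shows that the second channel only helps when the overflow is handled, because hardware redundancy does nothing against a defect both channels share. In a real system the handler's policy (saturate, hold the last good value, or fall back to a safe mode) is a design decision that must be made before launch, not left to default exception handling.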
Avoiding IT transformation risks
Mitigating the hidden risks of digital transformation
As they adjust to new methods of working, managing staff, and providing customer service, businesses are eager to seize any technological edge they can. They are moving more aggressively in the direction of the cloud, e-commerce, digital supply chains, artificial intelligence (AI) and machine learning (ML), data analytics, and other fields that can foster innovation and efficiency.
Enterprises are simultaneously attempting to manage risk, and the same digital initiatives that open up new possibilities can also increase risks like security lapses, failed regulatory compliance, and other setbacks. As a result, the drive to innovate and the need to reduce risk are constantly at odds with one another.
There will always be some friction between managing risk and working on digital transformation projects.
In contrast to conventional business practices, businesses’ pivot to expand the level of digital access provided to customers and workforce members involving personal and business-related information introduces totally new types of risk that must be handled. Different risk management strategies are needed for these new engagement models that the digital transformation has made possible.
Here are four major areas where efforts to implement digital transformation might present risks and how businesses can mitigate them. Throughout this workshop, we will go through these concepts in further detail.
Multicloud or hybrid cloud infrastructures
More businesses are switching to IT platforms supported by a variety of cloud services, frequently from multiple providers. Offerings such as platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS) are examples of this.
Hosting crucial data and applications outside of an organization’s own protective perimeter, regardless of the type of cloud being used, entails a significant amount of risk, especially when several locations, services, or vendors are involved. Along with the risk of data loss or theft, businesses may also encounter issues with data protection laws and the potential for cost overruns due to subpar cloud management techniques.
Governance of the cloud environments is one of the most frequent risks we observe here: which cloud service provider, which protocols, and what thresholds for development environments (creation, use, size, etc.) to make the best use of them. It is far simpler to address governance problems like these early on than after deployment.
The complexity and disparate management and automation tools that come with a multicloud strategy are often amplified. This intricacy raises the possibility of operational collapse.
Additionally, previously, IT services were purchased from data centers that were owned and maintained by the corporation, with IT overseeing the purchasing procedure. Business customers may now quickly acquire and install cloud services like PaaS without architecture or security evaluations. By managing which services are activated and made accessible to users, IT and business leaders may reduce this risk.
A recommended practice is to make sure that before any desired cloud services are approved for use in the company, they are submitted to appropriate design and security inspections on any IaaS, PaaS, or SaaS vendor platforms. Before any technologies from public cloud vendors can be made available to the company, guidelines and boundaries must be set, along with continual usage monitoring.
According to Smith, IT, cybersecurity, and legal must all collaborate to stay ahead of business customers’ efforts to acquire and employ new cloud services.
Digital supply chains and sales channels
Businesses are rapidly using a range of technologies, such as end-to-end digital connectivity, cloud services, blockchain, robotics, autonomous vehicles, and advanced analytics tools, to improve and manage their supply chains.
The supply chain’s digital transformation may boost productivity and visibility, lower costs and errors, optimize processes, and foster better partner collaboration. Additionally, it poses hazards like data loss.
Parties engaging in business-to-business (B2B) digital services might use a variety of risk reduction strategies. This entails creating thorough business contracts with partners that include all potential risks and obligations. In order to ensure that data transfer and storage are secure, businesses can also set up cybersecurity and data privacy policies.
Businesses often demand that these B2B connections be watched over to make sure that rules and regulations are being followed. Additionally, best practices include conducting regular third-party risk assessments to make sure that all parties in the digital supply chain follow the rules and guidelines for security and privacy.
Additionally, businesses are relying increasingly on online events, mobile applications, email, text messages, and other digital sales channels to connect with consumers and prospects.
Lack of clarity regarding a multichannel strategy or, if switching totally to digital, a lack of a strategy to support the shift by the partner, customer, or consumer on the other end are risks we frequently find here. Organizations risk being in a continual state of shifting priorities where no channel actually advances if the strategy is not thoroughly developed and driving investments.
Some attempts to establish numerous digital channels have even turned into internal conflict. A key mitigation method to help prevent this is often to have one leadership team accountable for all of the different channels.
Case Study: Sacre bleu! French bank customers see each other’s accounts
On February 23, 2021, LCL customers discovered they were viewing someone else’s information after logging into their banking app. The information soon gained traction on Twitter, where several people theorized that this might have been the outcome of a cyberattack. However, the bank claims that it was really the result of a technical issue, which was quickly fixed.
These kinds of development blunders are undoubtedly an indication of internal problems in the organizations where they happen, and they are especially unacceptable in the banking sector. The fallout served as an example of the standard dance that occurs after these kinds of errors, with the at-fault corporation downplaying the situation: No personal information was disclosed, consumers could only view the accounts of other customers and could not transfer money, and perhaps only a small number of customers were impacted, according to LCL. Others noted that tens of thousands of users may have been logging in while the problem was active in live code, and that transaction information may have been used to determine the identity of customers. LCL ultimately needed to act quickly to prevent paying a hefty fine to European privacy regulators.
Internet of things (IoT)
IoT technologies are being widely adopted by businesses in the manufacturing, healthcare, retail, and other sectors to track the location of assets, monitor equipment performance, collect information on product usage, and other purposes.
The potential advantages are strong, and they include improved maintenance of machinery and products, improved customer experiences, and cost savings from preventing lost goods. But there are also significant hazards. IoT deployments present various entry points for attackers, including the connected devices themselves; distributed denial-of-service attacks, for instance, have already been attributed to compromised connected devices.
In an enterprise, connected devices could be anything from HVAC systems to servers and other IT hardware to cars, lighting controls, thermostats, appliances, and more. Organizations must find strategies to secure networked devices and reduce the danger they pose, restricting the connections these devices can make to other devices and, in some situations, segregating the networks in which they operate.
Additionally, extra care needs to be taken to work closely with device manufacturers to make sure that these kinds of devices have the right security controls and are kept up to date with operating system patches.
Other best practices include checking corporate networks for IoT device activity and requiring device manufacturers to provide means to keep devices secure and up to date through contracts.
Analytics and automation
To speed up operations, lower costs, and eliminate errors, businesses are rushing to automate labor-intensive and time-consuming manual processes.
Robotic process automation (RPA) and artificial intelligence (AI) technologies can significantly improve the way business processes are handled by automating data entry activities, but they also carry hazards.
The datasets that data scientists use to train their models and the platforms on which they are created are the main risk factors in analytics, AI, and ML.
Risk reduction techniques include adopting well-written contracts to govern big data collaborations, ensuring that only the bare minimum of data is utilized in data sets, and using anonymized data whenever possible.
Automation risk might include failure to scale quickly enough or satisfy expectations.
The automation ecosystem is now going through a lot of upheaval. Looking back, it started with process outsourcing, moved on to process improvement (Lean, Six Sigma), and ended with RPA. RPA and AI are currently coming together to tackle complicated business problems.
The convergence of AI and RPA is bringing up previously unimaginable opportunities and use cases, such as intelligent document processing with a capacity of 175 billion machine learning parameters or the application of neural networks and deep learning to identify anomalies in transactional data.
To raise awareness of the potential advantages, capabilities, and uses of automation, organizations should establish early expectations for it and involve stakeholders from both the business and IT. Then they should launch quick, modest, and brief pilots that concentrate on the advantages.
Bring in highly qualified personnel as soon as possible, by hiring staff or engaging consulting firms, to set up the governance, frameworks, change management, communication, templates, business engagement, business case creation, and return on investment (ROI) calculation.
Digital risk mitigation in action
Organizations should collaborate with IT, security, risk management, legal, and other interested parties to thoroughly examine risks connected with any digital transformation program, particularly those related to the technological platforms they will be employing. IT and security leaders can approach transformation programs from this vantage point once they have identified the major threats.
When it comes to these transformation activities, the two biggest risks are information security and data quality. The reduction of these risks is aided by having a comprehensive data strategy that addresses security, role-based privileges, and the identification of single sources of truth.
The majority of businesses are aware that utilizing cloud, AI, IoT, and other technologies can offer significant advantages like improved company agility, higher service scalability, and cost savings. However, in order to enable these revolutionary capabilities, completely new risk management strategies must be put into place.
Case Study: Maine’s ancient HR system limps on
According to the Portland Press Herald, the state of Maine’s payroll and human resources are managed using a “40-year-old system programmed in an outmoded language just one state employee understands how to use.” The system had previously survived a failed attempt to replace it in 2016, and this past March, Workday, the company hired to implement a new cloud-based system for Maine, walked away from the project, causing a third attempt, which was planned to end in 2020, to disintegrate in mutual animosity.
ERP system rollouts and related projects are notoriously disaster-prone, and Maine’s payroll requirements were incredibly complicated (state police were paid different hourly rates if they carried a weapon, worked with a K9, or wore scuba gear, for instance). A tale that should be familiar to everyone who has worked on a large project like this is at the heart of the argument: Workday claimed that Maine’s data, as it was entered into the system, was utterly plagued with errors. Maine claims that the system came online with a 50% error rate.
Fundamentally, it appears that Maine was employing personnel for the project who lacked the necessary abilities and that the state was unwilling to pay enough to hire personnel who could pass muster. You’ve got a real IT management nightmare on your hands when you add in some allegations of sexual harassment and nepotism. Maine’s HR system, which is 40 years old, is still in use.
Digitalization means different things for different stakeholders
Source: Deloitte
Beyond Traditional Risk and Security
The foundation of the digital risk strategy must be established for it to be successful. Organizations should take quick action to implement strong cybersecurity safeguards, and the simplest way to do this is to complete standard information security and/or cyber security evaluations of their systems. But do such evaluations answer every concern? Is cybersecurity the only risk to a digitally equipped firm?
It is crucial to take into account risk areas outside of traditional risk in order for a digital environment to be effective and achieve the intended goal. For instance, social media is increasingly being used in marketing, which poses hazards to the value and reputation of brands. Similarly, customer profiling is important for improved customer service, but the profiling process must be coordinated to safeguard client data privacy. Digital resilience is another crucial factor to take into account: given how heavily we rely on technology, the availability of systems is non-negotiable. There are numerous additional scenarios from various operations and industries that span further risk domains and might be taken into account.
Consider the following 10 risk factors: Strategic, Technology, Operations, Third Party, Regulatory, Forensics, Cyber, Resilience, Data Leakage, and Privacy. Different control measures need to be created in accordance with best practices and industry standards depending on the relevant risk areas for the digital efforts. The nature and degree of digitalization in the operations must be considered when designing the controls because most of these areas are still in the early stages of development and are closely linked to manual or automated processes, making it difficult to implement the controls.
To identify and address all risks to which a business may be exposed in a digital environment, it is essential to have a thorough understanding of the risk categories. All of the risk areas taken into account by the framework are briefly explained in this section. Later on in this workshop, these concerns will be examined in further detail.
Source: Deloitte
Conclusion
Stresses and uncertainties are unavoidable while implementing new technology, particularly when under time constraints.
However, simply being aware of these typical risks associated with digital transformation puts you in a better position to think about your long-term, overarching strategy.
The fast change in the corporate environment brought about by digital transformation across industries presents exponentially more opportunity for new projects and capabilities.
Organizational agility is one of the most important success aspects in this digital era. A well-defined digital strategy, a strong business case, and a unique, flexible approach can help businesses establish a scalable, adaptable digital trip. To get the most out of their digital activities, companies must manage both the risks that are brought into the environment and their effects on the current ecosystem in addition to undergoing digital transformation.
Organizations cannot ignore the opportunities that “moving to digital” brings forth along with the profound impact that it shall have on them despite all the obstacles and hazards that the shifting environment presents.
Case Study: Eating too much of your own dog food
On October 4, 2021, all of the services operated by the business now known as Meta were removed from the internet, making it impossible for users worldwide to access Facebook, Instagram, or WhatsApp. We won’t delve too deeply into the crisis’s real root cause, a Border Gateway Protocol bug that effectively cut off Facebook services from the rest of the DNS infrastructure on the internet. Instead, we want to concentrate on a specific point that could be important to any IT firm, even one that isn’t a part of one of the biggest tech corporations in the world.
Early in the outage, Facebook employees were reportedly unable to access the corporate headquarters because their ID badges no longer operated the doors, according to Sheera Frenkel of the New York Times. As a result, technicians were unable to physically reach the servers they needed in order to address the larger issue. Unexpectedly, the electronic door locks ran on Facebook’s own infrastructure. Likewise, Facebook’s internal communications system was also down and unable to support the response. It appears that Facebook is somewhat preoccupied with running all of its internal services on Facebook’s own infrastructure. Consuming one’s own products is known as “eating one’s own dogfood” in the business world, but Facebook’s mishap proves that you should always have a supply of backup food on hand.
Executive Summary
Chapter 1: Technology Risks
There is frequently a learning curve with any new technology. You’re likely to become aware of a number of new dangers as your company grows acclimated to the new technologies it uses. These concerns may not have been as obvious in the past.
For instance, the potential unavailability of crucial systems due to power outages, dependencies, and incompatibilities can have a direct influence on your company’s operations and staff, occasionally even bringing about a complete shutdown.
To reduce technological risks, make sure your business continuity and disaster recovery plans cover any technologies you just can’t live without and specify a backup strategy in case one of them fails. To guarantee that you can still access your most crucial information in the event of a disruption, you should also back up your data frequently to multiple on-site and off-site locations. Ensure that every one of your staff is trained on any new technologies you implement, including educating them on any possible threats those technologies may present.
5 common technology risks
1. Inadequate data backups – Every year, we come across several instances of businesses having to rely on backups only to discover that they are ineffective or not recent enough. Backups are only as reliable as their most recent test. To give you peace of mind that you can genuinely rely on them when your organization encounters a failure, recovery from backup should be tested frequently.
2. Old or Inconsistent Hardware and Software – The majority of technological problems you encounter in businesses are a result of outdated or unreliable hardware and software. Although postponing upgrades may result in short-term cost savings, the support and downtime nearly always end up being more expensive. According to Tech Aisle’s research, maintaining contemporary PCs might be up to 150 percent less expensive than maintaining older ones.
3. Inadequate power protection – All but the largest enterprises frequently overlook this area of risk. With weather catastrophes becoming more prevalent in recent years, we have observed many outages brought on by either power spikes or total power losses. Correctly installed surge suppressors and UPSs can help avoid, or at least reduce, the danger of downtime or data loss. When there is a power outage, they give you the opportunity to gracefully shut down servers and computers to prevent data corruption.
4. Weak technical support – Every firm has to start somewhere, and frequently that means acting as our own IT department and overseeing a few PCs or laptops. As the company expands, we may hire a local contractor as needed or even turn to a retail establishment for assistance and advice. The majority of organizations eventually outgrow ad hoc IT support; they require proactive IT experts who can develop business support strategies and, more critically, shield those strategies from a variety of serious dangers.
5. Insufficient Training – Inadequate training not only contributes significantly to staff attrition, but also accounts for the bulk of user errors in modern software programs. Additionally, it seriously impairs a business’s overall productivity and efficiency. Use every opportunity you have to upskill your employees; the results will be worthwhile.
Chapter 2: Workforce Risks
Despite the fact that businesses rely largely on technology to run their operations, the human aspect of risk will always be a crucial component to take into account. Whether on purpose or accidentally, your employees are always putting your business at risk.
Due to the dynamic nature of the modern workforce and the gig economy, your company may have a number of difficulties while trying to find qualified candidates. Finding workers who are knowledgeable about developing technology is already demanding, but keeping workers who are specialists in their industry might be even more difficult.
In addition to talent shortages and high employee turnover, today’s flexible workforce and hybrid working settings mean that employees are likely to make greater demands when it comes to their quality of work life. Keeping your employees content will reduce both the risk that they leave and the likelihood that they act against your business.
Organizations frequently ignore insider dangers because they want to believe in their workers. To lessen the risk they pose to your company, personnel who have access to your most private data should be closely watched.
Provide frequent training for your staff on subjects like cybersecurity, social engineering, internal controls, and an overview of all the digital hazards posed to your company in order to reduce workforce risks. Your staff are less likely to make a mistake the more knowledgeable they are. Whenever you can, you should also put the least privilege principle into practice to make sure that your staff only have access to the data they require to do their duties.
Multi-factor authentication and stringent password policies are just a couple of the identity and access management techniques that will help ensure your company is secure both internally and externally. To reduce risks like excessive employee turnover, aim to prioritize your employees’ job satisfaction whenever you can.
Chapter 3: Automation Risks
Although automation is hailed as the future of risk management, it can occasionally have a detrimental effect on business operations. Process optimization and automation can ultimately save you time and money and make scaling easier, but automation also has drawbacks.
As an illustration, some automation systems may unintentionally cause software incompatibilities or increase operational complexity. Having more software also implies having more security holes, which increases the risk of a data breach. It is your responsibility to keep new software updated and secure by downloading patches for any vulnerabilities.
Due to the continually evolving nature of the technology itself, AI-based automation solutions can potentially produce dangers that are frequently challenging to foresee over the long run. This kind of automation can frequently lead to operational setbacks, heightened complexity, and greater susceptibility to cyber threats.
To avoid automation issues, your IT staff should look into any potential dangers created by automation software and set up tools to manage them. Make sure any new software you install is patched and updated against known vulnerabilities, and frequently check public vulnerability databases (CVE entries) for commonly exploited vulnerabilities to see whether they might have an impact on your company. In the end, the automation software you employ ought to facilitate your work rather than complicate it. It could be time to choose another approach if one isn’t working for you.
Where is this trend being felt?
• In 2017, a media organization’s automation mechanism automatically released a breaking news item about an earthquake that occurred in 1925, sparking widespread concern and having a significant impact on social media networks.
• During a national emergency, a corporation’s automated pricing algorithm went into effect without contacting the management of the company about how to handle the delicate circumstance. Customers were thus charged exorbitant costs during the incident.
• A manufacturing company automated every step of a process in their assembly line without making any changes to the quality controls intended for manual human evaluation, which resulted in a decrease in product quality and a rise in expenses.
What does this imply for businesses?
• Increased complexity because different types of automation require different types of controls while outdated controls need to be replaced. In background checks, for example, controls for humans conducting them may be replaced with software robot (bot) specific controls for exception handling and outliers.
• Increased fragility as minor changes to source systems require cascading change management across automation tools to maintain consistent operations.
• Amplified damage from cyber incidents as hackers may gain access to an automated system or acquire large quantities of confidential data through bots with excessive access and privileges.
• Implementation challenges due to operational setbacks, such as employee apprehension over working with automated systems, and incompatibility with legacy infrastructure.
• Complexity in testing automation systems driven by difficulty in replicating complex production environments.
• Difficulty in realizing the full potential of automation driven by an excessive focus on reducing costs, often overlooking other benefits such as consistency, quality, and accuracy.
Chapter 4: Compliance Risks
These are compliance-related hazards brought on by new technology and the volume of data that your company is producing. Any time a new technology is introduced, there are frequently accompanying regulations or standards that must be put in place in order to avoid violating laws governing business operations, data retention, and other business practices.
The requirements for compliance vary along with the development of new technology. Because of this, you must ensure that your company is current with compliance in real-time, or you run the danger of facing penalties or even jail time.
However, compliance risk does not start and end at your perimeter. Your connections with third parties put you at risk of noncompliance as well, so it’s your obligation to ensure that any vendors or service providers you work with throughout the supply chain comply with the rules.
To keep compliance risks at bay: Make a list of all the legal obligations and professional standards that you, as well as your third parties, must adhere to. Consider implementing, monitoring, and measuring the efficacy of your internal controls and any compliance gaps with the aid of a governance, risk management, and compliance (GRC) software solution.
IT Compliance vs. IT Security
Although compliance includes IT security, the two areas of attention are distinct. Cybersecurity, monitoring, and user data protection are the main areas of compliance. Data protection, operational dependability, vulnerability identification, and user education are the main areas of attention for security. Every method for securing the office environment falls under the umbrella of IT security. IT compliance covers particular challenges and mandates that businesses implement a defined infrastructure that safeguards data.
Both are required to protect data, but compliance is a particular burden for companies because they must strictly adhere to the regulations or risk paying large fines. Although the compliance standards are tough, they help educate firms on best practices for data privacy and cybersecurity.
IT Compliance Solutions
The proper software and services are necessary to ensure that your firm complies with IT compliance standards. Data discovery and classification are the first steps in any solution. You can utilize software created to carry out the e-discovery phase of compliance, but you must locate an effective and comprehensive program. To assist organization administrators, some programs draw on artificial intelligence and machine learning.
After finding and categorizing data, you need a way to make compliance rules effective. Each compliance standard has its own specifications, so the software and any outside assistance should concentrate on the rules that are crucial to the organization. The solution should support data retention and disposal. Data loss prevention and protection across social media, email, and mobile applications should also be part of the solution.
Chapter 5: Cloud Risks
There are various particular security concerns and difficulties with cloud computing. Data is kept in the cloud with a third-party supplier and accessed online. This implies that access to and management of that data are constrained. The issue of how it can be effectively secured is also brought up. Everyone must be aware of their own responsibilities as well as the security risks posed by cloud computing.
Cloud service providers view risks and challenges related to cloud security as a shared responsibility. The customer is responsible for the security of the data they store in the cloud, while the cloud service provider is responsible for the security of the cloud itself. Every cloud computing user is always in charge of safeguarding their data from security risks and managing access to it, whether the service is infrastructure-as-a-service (IaaS) like Amazon Web Services (AWS) or software-as-a-service (SaaS) like Microsoft Office 365.
The majority of security threats in cloud computing are connected to cloud data security. Most problems stem from the data that consumers upload to the cloud, whether it be a lack of visibility into data, an inability to regulate data, or data theft in the cloud. The most prevalent cloud security vulnerabilities in SaaS, IaaS, and private cloud are analyzed below, ranked by how frequently they affect enterprise organizations throughout the globe.
Top 10 SaaS Cloud Security Issues
1. Lack of visibility into what data is within cloud applications
2. Theft of data from a cloud application by malicious actor
3. Incomplete control over who can access sensitive data
4. Inability to monitor data in transit to and from cloud applications
5. Cloud applications being provisioned outside of IT visibility (e.g., shadow IT)
6. Lack of staff with the skills to manage security for cloud applications
7. Inability to prevent malicious insider theft or misuse of data
8. Advanced threats and attacks against the cloud application provider
9. Inability to assess the security of the cloud application provider’s operations
10. Inability to maintain regulatory compliance
Since most shared security responsibility models put data and access as the exclusive responsibility of SaaS customers, SaaS cloud security challenges naturally revolve around those two. Every company is accountable for knowing what information is stored in the cloud, who has access to it, and what level of security they (and the cloud provider) have implemented.
It’s also critical to take into account the SaaS provider’s potential role as a point of access to the organization’s data and operations. Attackers are becoming more aware of the potential of software and cloud providers as a channel to attack more valuable assets, as evidenced by developments like the emergence of the XcodeGhost and GoldenEye ransomware, and they are concentrating more on this possible weakness as a result. Make sure you carefully examine the security programs offered by your cloud provider in order to safeguard your company and its data. Alongside technological solutions, establish a standard for shareable reports and predictable third-party auditing, and insist on contractual terms for breach reporting.
Top 10 IaaS Cloud Security Issues
1. Cloud workloads and accounts being created outside of IT visibility (e.g., shadow IT)
2. Incomplete control over who can access sensitive data
3. Theft of data hosted in cloud infrastructure by malicious actor
4. Lack of staff with the skills to secure cloud infrastructures
5. Lack of visibility into what data is in the cloud
6. Inability to prevent malicious insider theft or misuse of data
7. Lack of consistent security controls over multi-cloud and on-premises environments
8. Advanced threats and attacks against cloud infrastructure
9. Inability to monitor cloud workload systems and applications for vulnerabilities
10. Lateral spread of an attack from one cloud workload to another
In IaaS, data security is crucial. Additional hazards are introduced as consumer responsibility expands to apps, network traffic, and operating systems. The current evolution of assaults that go beyond data should be taken into account by organizations as the main source of IaaS risk. In order to mine cryptocurrencies, malicious actors execute hostile takeovers of computational resources. They then reuse those resources as an attack vector against other components of the company infrastructure and outside parties.
It’s crucial to consider your capacity for access control and theft prevention while developing cloud infrastructure. Identifying who can access data in the cloud, monitoring resource changes to spot unusual behavior, securing and hardening orchestration tools, and adding network analysis of both east-west and north-south traffic as a potential signal of compromise are all practices that are swiftly evolving into standard precautions for safeguarding large-scale deployments of cloud infrastructure.
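As an added example (not part of the course material), the following Python script shows what two of the precautions above look like as detection logic run over constructed cloud audit events and east-west flow records: flagging resources created by identities outside IT’s visibility (IaaS issue 1) and unexpected workload-to-workload traffic that can signal lateral spread (IaaS issue 10). All identities, workload names and records are constructed for illustration.

```python
"""Added example: simple detections for shadow-IT resource creation and
unexpected east-west traffic, run over constructed audit events and flow
records. Not from the course material; all names are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    actor: str      # identity that performed the action
    action: str     # control-plane action, e.g. "CreateInstance"
    resource: str   # resource identifier


@dataclass(frozen=True)
class FlowRecord:
    src: str        # source workload name
    dst: str        # destination workload name
    dst_port: int   # destination port


# Actions that bring a new workload or data store into existence.
RESOURCE_CREATING_ACTIONS = {"CreateInstance", "CreateBucket", "CreateFunction"}


def find_shadow_it(events: Iterable[AuditEvent], approved_actors: Set[str]) -> List[AuditEvent]:
    """Resource creations performed by identities IT has not approved.
    Read-only actions by unapproved identities are not flagged here."""
    return [e for e in events
            if e.action in RESOURCE_CREATING_ACTIONS and e.actor not in approved_actors]


def find_unexpected_east_west(flows: Iterable[FlowRecord],
                              allowed_pairs: Set[Tuple[str, str]]) -> List[FlowRecord]:
    """Workload-to-workload flows whose (src, dst) pair is not in the expected
    adjacency list derived from the application architecture."""
    return [f for f in flows if (f.src, f.dst) not in allowed_pairs]


def find_lateral_fanout(flows: Iterable[FlowRecord],
                        allowed_pairs: Set[Tuple[str, str]],
                        threshold: int = 2) -> Dict[str, Set[str]]:
    """Sources that reach at least `threshold` unexpected destinations: a single
    workload fanning out to peers it should never talk to is a stronger lateral
    spread signal than one stray connection."""
    fanout: Dict[str, Set[str]] = {}
    for f in find_unexpected_east_west(flows, allowed_pairs):
        fanout.setdefault(f.src, set()).add(f.dst)
    return {src: dsts for src, dsts in fanout.items() if len(dsts) >= threshold}


# Constructed sample data (hypothetical identities and workloads).
APPROVED_ACTORS = {"it-platform-admin", "it-automation-role"}
EVENTS = [
    AuditEvent("it-platform-admin", "CreateInstance", "vm-web-01"),
    AuditEvent("marketing-analyst", "CreateBucket", "bucket-campaign-data"),  # shadow IT
    AuditEvent("it-automation-role", "CreateFunction", "fn-nightly-report"),
    AuditEvent("marketing-analyst", "DescribeInstances", "*"),  # read-only, not flagged
]
# Expected three-tier adjacency: web -> app -> db only.
ALLOWED_PAIRS = {("vm-web-01", "vm-app-01"), ("vm-app-01", "vm-db-01")}
FLOWS = [
    FlowRecord("vm-web-01", "vm-app-01", 8443),
    FlowRecord("vm-app-01", "vm-db-01", 5432),
    FlowRecord("vm-web-01", "vm-db-01", 5432),   # web tier going straight to the database
    FlowRecord("vm-web-01", "vm-app-02", 22),    # SSH to a peer it should not reach
    FlowRecord("vm-web-01", "vm-jump-01", 22),   # SSH to the jump host
]


def run_checks() -> Dict[str, int]:
    """Summarise the findings on the sample data as counts per detection."""
    return {
        "shadow_it_creations": len(find_shadow_it(EVENTS, APPROVED_ACTORS)),
        "unexpected_east_west_flows": len(find_unexpected_east_west(FLOWS, ALLOWED_PAIRS)),
        "lateral_fanout_sources": len(find_lateral_fanout(FLOWS, ALLOWED_PAIRS)),
    }


if __name__ == "__main__":
    for event in find_shadow_it(EVENTS, APPROVED_ACTORS):
        print(f"shadow IT: {event.actor} performed {event.action} on {event.resource}")
    for src, dsts in find_lateral_fanout(FLOWS, ALLOWED_PAIRS).items():
        print(f"lateral spread signal: {src} reached unexpected peers {sorted(dsts)}")
    print(run_checks())
```

In a real deployment the allowed adjacency list would be generated from the infrastructure definition rather than hand-written, and the records would come from the provider’s audit and flow logs.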
Top 5 Private Cloud Security Issues
1. Lack of consistent security controls spanning over traditional server and virtualized private cloud infrastructures
2. Increasing complexity of infrastructure resulting in more time/effort for implementation and maintenance
3. Lack of staff with skills to manage security for a software-defined data center (e.g., virtual compute, network, storage)
4. Incomplete visibility over security for a software-defined data center (e.g., virtual compute, network, storage)
5. Advanced threats and attacks
The level of granular control offered by private cloud environments is a key consideration when deciding whether to commit resources to a public or private cloud. Additional degrees of security and protection in private clouds can make up for other deployment-related drawbacks and help make the practical switch from monolithic server-based data centers.
However, businesses should keep in mind that retaining precise control adds complexity—at least beyond what the public cloud has become. Currently, infrastructure maintenance is largely handled by cloud providers. Through the abstraction of controls, cloud users can minimize complexity and simplify security administration. This unites physical, virtual, and hybrid environments as well as public and private cloud platforms.
Chapter 6: Cybersecurity Risks
Organizations are increasingly prioritizing cybersecurity risk as they embrace digital transformation and use cutting-edge technology solutions to boost productivity and promote corporate success. Many businesses are also becoming more dependent on third- and fourth-party vendors and programs. These resources can help businesses succeed, but they also bring in new dangers and widen your digital attack surface.
Lack of a thorough knowledge of the underlying risk that organizations assume when using these extra resources is one of the most frequent errors that organizations make. Organizations are better able to proactively manage and reduce risks before they turn into major issues when everyone involved is aware of what to watch out for and what to do in the event of a crisis.
Let’s examine some crucial cybersecurity risk elements that businesses in all sectors should bear in mind as they develop and improve their cybersecurity risk management.
What is cybersecurity risk?
The likelihood of exposure, loss of sensitive information and important assets, or reputational damage as a result of a cyberattack or network breach within an organization is known as cybersecurity risk. Cybersecurity must remain a key concern across all industries, and businesses should work to adopt a cybersecurity risk management strategy to guard against continually developing and changing cyberthreats.
Threats vs vulnerabilities vs consequences
Cybersecurity risk is typically defined by three components – threat, vulnerability, and consequence.
• Threat: Threats can include social engineering attacks, DDoS attacks, and advanced persistent threats, to name a few. Threat actors may be nation-states, insiders, or criminal enterprises, and are typically motivated by financial gain or political agendas.
• Vulnerability: In cybersecurity, a vulnerability refers to weakness, flaw, or error that can be exploited by attackers to gain unauthorized access. Vulnerabilities can be taken advantage of in a number of ways, which is why vulnerability management is crucial for staying ahead of criminals.
• Consequence: The consequence is the actual harm or damages that occur as a result of a network disruption. Typically, an organization will incur both direct and indirect consequences as they work to remediate the problem. Depending on the attack, consequences may impact an organization’s finances, operations, reputation, and regulatory compliance status.
Who is responsible for cybersecurity risk in an organization?
Many businesses think that the IT and security teams are the only ones with responsibility for managing cybersecurity risk. An organization-wide understanding of cybersecurity issues is actually necessary for an effective strategy. Businesses should also have an established incident response strategy that describes each employee’s roles, when those roles should be fulfilled, and the precise actions that each user or department should take in the case of an attack. The organization as a whole should use this plan as a road map on how to handle threats. One of the most important stages to safeguarding your network is putting in place a comprehensive incident response plan.
Chapter 7: Resiliency Risks
Resiliency risk is the possibility of a bad thing happening once a new technology is adopted and the challenge of reducing the harm done. This type of risk mostly focuses on business continuity and has to do with the accessibility of your company’s operations.
As previously noted, the adoption of any new technology carries inherent risks for the viability and efficiency of your company. For instance, many of your employees may be unable to carry out their essential job duties if your cloud service provider experiences an outage and you are unable to access data in the cloud. What will you do if, instead, a cyberattack on your operational IT systems completely shuts down your business?
In the end, how adaptable you are will determine how resilient your firm is. It’s possible that relying too heavily on a single technology to do crucial tasks may disturb your business continuity and put your organization’s resilience to the test.
Make a thorough business continuity plan that incorporates a catastrophe recovery plan in order to avoid resilience concerns. Make sure you have backup plans for any technology on which you rely heavily to carry out your core company operations, and ensure that your staff is well-versed in the protocols and procedures that will apply in the event of a business disruption.
IT Disaster Recovery Plan
The majority of business executives don’t like to think about a calamity happening to their company. The effects can be just as harmful whether the disaster is natural or man-made. Disasters of either kind can at the very least result in downtime, harm to your reputation, and financial loss.
Like many business owners, you might just ignore the subject of business continuity and catastrophe recovery because you believe that since you haven’t yet been harmed, you won’t be in the future.
You can also believe that you lack the financial and human resources required to make plans for an uncertain future event.
We’ll lay out a 10-step IT disaster recovery plan in this course manual that you can use with or without assistance. We’ll go through the essential components and what you can do right away to get ready.
Chapter 8: Third-Party Risks
The globe has undergone a huge digital revolution at an incredibly fast rate in recent months. Third-party (also known as supply chain) risk is one area of digital risk that has increased dramatically over the past few years. Third-party partnerships are nothing new, but their number and scope have grown. You guessed it: a large portion of that growth is driven by digital change.
The advantages of working with a third party are obvious: optimization through increased speed, efficiency and agility through shorter production or delivery periods, and more potential for innovation and creativity. Examples include using managed IT and security service providers, hosting websites and applications, and telecommunications services.
Organizations seek to expand their business, boost profits, or provide customers with a wonderful experience when they interact with third parties. If your company wants to succeed in the Industry 4.0 age and not merely survive, it pretty much has to rely on third-party partnerships. The seemingly unending security breaches and compromises that involve other parties are equally alarming.
Although they are not new, third-party collaborations do carry a number of fresh dangers. According to research from the Ponemon Institute published in January 2020 (via Security Boulevard), “In the past two years, 53% of organizations have experienced at least one data breach caused by a third party. And a data breach costs an average of $7.5 million to remediate.”
What Constitutes A ‘Third Party’?
All organizations that have business ties with your company are considered third parties, broadly speaking. This comprises, among others, contractors, associates, joint ventures, service providers, middlemen, agents, suppliers, and consultants.
Organizations are exposed to more digital risk as third-party ecosystems grow, become more complicated, and are geographically spread. Collaboration with other parties broadens the organization’s perimeter and increases enterprise risk.
Curriculum
Leading IT Transformation – Workshop 17 – IT Transformation Risks
- Technology Risks
- Workforce Risks
- Automation Risks
- Compliance Risks
- Cloud Risks
- Cybersecurity Risks
- Resiliency Risks
- Third Party Risks
Distance Learning
Introduction
Welcome to Appleton Greene and thank you for enrolling on the Leading IT Transformation corporate training program. You will be learning through our unique facilitation via distance-learning method, which will enable you to practically implement everything that you learn academically. The methods and materials used in your program have been designed and developed to ensure that you derive the maximum benefits and enjoyment possible. We hope that you find the program challenging and fun to do. However, if you have never been a distance-learner before, you may be experiencing some trepidation at the task before you. So we will get you started by giving you some basic information and guidance on how you can make the best use of the modules, how you should manage the materials and what you should be doing as you work through them. This guide is designed to point you in the right direction and help you to become an effective distance-learner. Take a few hours or so to study this guide and your guide to tutorial support for students, while making notes, before you start to study in earnest.
Study environment
You will need to locate a quiet and private place to study, preferably a room where you can easily be isolated from external disturbances or distractions. Make sure the room is well-lit and incorporates a relaxed, pleasant feel. If you can spoil yourself within your study environment, you will have much more of a chance to ensure that you are always in the right frame of mind when you do devote time to study. For example, a nice fire, the ability to play soft soothing background music, soft but effective lighting, perhaps a nice view if possible and a good size desk with a comfortable chair. Make sure that your family know when you are studying and understand your study rules. Your study environment is very important. The ideal situation, if at all possible, is to have a separate study, which can be devoted to you. If this is not possible then you will need to pay a lot more attention to developing and managing your study schedule, because it will affect other people as well as yourself. The better your study environment, the more productive you will be.
Study tools & rules
Try and make sure that your study tools are sufficient and in good working order. You will need to have access to a computer, scanner and printer, with access to the internet. You will need a very comfortable chair, which supports your lower back, and you will need a good filing system. It can be very frustrating if you are spending valuable study time trying to fix study tools that are unreliable, or unsuitable for the task. Make sure that your study tools are up to date. You will also need to consider some study rules. Some of these rules will apply to you and will be intended to help you to be more disciplined about when and how you study. This distance-learning guide will help you and after you have read it you can put some thought into what your study rules should be. You will also need to negotiate some study rules for your family, friends or anyone who lives with you. They too will need to be disciplined in order to ensure that they can support you while you study. It is important to ensure that your family and friends are an integral part of your study team. Having their support and encouragement can prove to be a crucial contribution to your successful completion of the program. Involve them in as much as you can.
Successful distance-learning
Distance-learners are freed from the necessity of attending regular classes or workshops, since they can study in their own way, at their own pace and for their own purposes. But unlike traditional internal training courses, it is the student’s responsibility, with a distance-learning program, to ensure that they manage their own study contribution. This requires strong self-discipline and self-motivation skills and there must be a clear will to succeed. Those students who are used to managing themselves, are good at managing others and who enjoy working in isolation, are more likely to be good distance-learners. It is also important to be aware of the main reasons why you are studying and of the main objectives that you are hoping to achieve as a result. You will need to remind yourself of these objectives at times when you need to motivate yourself. Never lose sight of your long-term goals and your short-term objectives. There is nobody available here to pamper you, or to look after you, or to spoon-feed you with information, so you will need to find ways to encourage and appreciate yourself while you are studying. Make sure that you chart your study progress, so that you can be sure of your achievements and re-evaluate your goals and objectives regularly.
Self-assessment
Appleton Greene training programs are in all cases post-graduate programs. Consequently, you should already have obtained a business-related degree and be an experienced learner. You should therefore already be aware of your study strengths and weaknesses. For example, which time of the day are you at your most productive? Are you a lark or an owl? What study methods do you respond to the most? Are you a consistent learner? How do you discipline yourself? How do you ensure that you enjoy yourself while studying? It is important to understand yourself as a learner and so some self-assessment early on will be necessary if you are to apply yourself correctly. Perform a SWOT analysis on yourself as a student. List your internal strengths and weaknesses as a student and your external opportunities and threats. This will help you later on when you are creating a study plan. You can then incorporate features within your study plan that can ensure that you are playing to your strengths, while compensating for your weaknesses. You can also ensure that you make the most of your opportunities, while avoiding the potential threats to your success.
Accepting responsibility as a student
Training programs invariably require a significant investment, both in terms of what they cost and in the time that you need to contribute to study and the responsibility for successful completion of training programs rests entirely with the student. This is never more apparent than when a student is learning via distance-learning. Accepting responsibility as a student is an important step towards ensuring that you can successfully complete your training program. It is easy to instantly blame other people or factors when things go wrong. But the fact of the matter is that if a failure is your failure, then you have the power to do something about it, it is entirely in your own hands. If it is always someone else’s failure, then you are powerless to do anything about it. All students study in entirely different ways, this is because we are all individuals and what is right for one student, is not necessarily right for another. In order to succeed, you will have to accept personal responsibility for finding a way to plan, implement and manage a personal study plan that works for you. If you do not succeed, you only have yourself to blame.
Planning
By far the most critical contribution to stress, is the feeling of not being in control. In the absence of planning we tend to be reactive and can stumble from pillar to post in the hope that things will turn out fine in the end. Invariably they don’t! In order to be in control, we need to have firm ideas about how and when we want to do things. We also need to consider as many possible eventualities as we can, so that we are prepared for them when they happen. Prescriptive Change, is far easier to manage and control, than Emergent Change. The same is true with distance-learning. It is much easier and much more enjoyable, if you feel that you are in control and that things are going to plan. Even when things do go wrong, you are prepared for them and can act accordingly without any unnecessary stress. It is important therefore that you do take time to plan your studies properly.
Management
Once you have developed a clear study plan, it is of equal importance to ensure that you manage the implementation of it. Most of us usually enjoy planning, but it is usually during implementation when things go wrong. Targets are not met and we do not understand why. Sometimes we do not even know if targets are being met. It is not enough for us to conclude that the study plan just failed. If it is failing, you will need to understand what you can do about it. Similarly if your study plan is succeeding, it is still important to understand why, so that you can improve upon your success. You therefore need to have guidelines for self-assessment so that you can be consistent with performance improvement throughout the program. If you manage things correctly, then your performance should constantly improve throughout the program.
Study objectives & tasks
The first place to start is developing your program objectives. These should feature your reasons for undertaking the training program in order of priority. Keep them succinct and to the point in order to avoid confusion. Do not just write the first things that come into your head because they are likely to be too similar to each other. Make a list of possible departmental headings, such as: Customer Service; E-business; Finance; Globalization; Human Resources; Technology; Legal; Management; Marketing and Production. Then brainstorm for ideas by listing as many things that you want to achieve under each heading and later re-arrange these things in order of priority. Finally, select the top item from each department heading and choose these as your program objectives. Try and restrict yourself to five because it will enable you to focus clearly. It is likely that the other things that you listed will be achieved if each of the top objectives are achieved. If this does not prove to be the case, then simply work through the process again.
Study forecast
As a guide, the Appleton Greene Leading IT Transformation corporate training program should take 12-18 months to complete, depending upon your availability and current commitments. The reason why there is such a variance in time estimates is because every student is an individual, with differing productivity levels and different commitments. These differences are then magnified by the fact that this is a distance-learning program, which incorporates the practical integration of academic theory as a part of the training program. Consequently all of the project studies are real, which means that important decisions and compromises need to be made. You will want to get things right and will need to be patient with your expectations in order to ensure that they are. We would always recommend that you are prudent with your own task and time forecasts, but you still need to develop them and have a clear indication of what are realistic expectations in your case. With reference to your time planning: consider the time that you can realistically dedicate towards study with the program every week; calculate how long it should take you to complete the program, using the guidelines featured here; then break the program down into logical modules and allocate a suitable proportion of time to each of them, these will be your milestones; you can create a time plan by using a spreadsheet on your computer, or a personal organizer such as MS Outlook, or you could also use financial forecasting software; break your time forecasts down into manageable chunks of time, the more specific you can be, the more productive and accurate your time management will be; finally, use formulas where possible to do your time calculations for you, because this will help later on when your forecasts need to change in line with actual performance.
With reference to your task planning: refer to your list of tasks that need to be undertaken in order to achieve your program objectives; with reference to your time plan, calculate when each task should be implemented; remember that you are not estimating when your objectives will be achieved, but when you will need to focus upon implementing the corresponding tasks; you also need to ensure that each task is implemented in conjunction with the associated training modules which are relevant; then break each single task down into a list of specific to-do’s, say approximately ten to-do’s for each task, and enter these into your study plan; once again you could use MS Outlook to incorporate both your time and task planning and this could constitute your study plan; you could also use project management software such as MS Project. You should now have a clear and realistic forecast detailing when you can expect to be able to do something about undertaking the tasks to achieve your program objectives.
Performance management
It is one thing to develop your study forecast, it is quite another to monitor your progress. Ultimately it is less important whether you achieve your original study forecast and more important that you update it so that it constantly remains realistic in line with your performance. As you begin to work through the program, you will begin to have more of an idea about your own personal performance and productivity levels as a distance-learner. Once you have completed your first study module, you should re-evaluate your study forecast for both time and tasks, so that they reflect your actual performance level achieved. In order to achieve this you must first time yourself while training by using an alarm clock. Set the alarm for hourly intervals and make a note of how far you have come within that time. You can then make a note of your actual performance on your study plan and then compare your performance against your forecast. Then consider the reasons that have contributed towards your performance level, whether they are positive or negative and make a considered adjustment to your future forecasts as a result. Given time, you should start achieving your forecasts regularly.
With reference to time management: time yourself while you are studying and make a note of the actual time taken in your study plan; consider your successes with time-efficiency and the reasons for the success in each case and take this into consideration when reviewing future time planning; consider your failures with time-efficiency and the reasons for the failures in each case and take this into consideration when reviewing future time planning; re-evaluate your study forecast in relation to time planning for the remainder of your training program to ensure that you continue to be realistic about your time expectations. You need to be consistent with your time management, otherwise you will never complete your studies. This will either be because you are not contributing enough time to your studies, or you will become less efficient with the time that you do allocate to your studies. Remember, if you are not in control of your studies, they can just become yet another cause of stress for you.
With reference to your task management: time yourself while you are studying and make a note of the actual tasks that you have undertaken in your study plan; consider your successes with task-efficiency and the reasons for the success in each case; take this into consideration when reviewing future task planning; consider your failures with task-efficiency and the reasons for the failures in each case and take this into consideration when reviewing future task planning; re-evaluate your study forecast in relation to task planning for the remainder of your training program to ensure that you continue to be realistic about your task expectations. You need to be consistent with your task management, otherwise you will never know whether you are achieving your program objectives or not.
Keeping in touch
You will have access to qualified and experienced professors and tutors who are responsible for providing tutorial support for your particular training program. So don’t be shy about letting them know how you are getting on. We keep electronic records of all tutorial support emails so that professors and tutors can review previous correspondence before considering an individual response. It also means that there is a record of all communications between you and your professors and tutors and this helps to avoid any unnecessary duplication, misunderstanding, or misinterpretation. If you have a problem relating to the program, share it with them via email. It is likely that they have come across the same problem before and are usually able to make helpful suggestions and steer you in the right direction. To learn more about when and how to use tutorial support, please refer to the Tutorial Support section of this student information guide. This will help you to ensure that you are making the most of tutorial support that is available to you and will ultimately contribute towards your success and enjoyment with your training program.
Work colleagues and family
You should certainly discuss your program study progress with your colleagues, friends and your family. Appleton Greene training programs are very practical. They require you to seek information from other people, to plan, develop and implement processes with other people and to achieve feedback from other people in relation to viability and productivity. You will therefore have plenty of opportunities to test your ideas and enlist the views of others. People tend to be sympathetic towards distance-learners, so don’t bottle it all up in yourself. Get out there and share it! It is also likely that your family and colleagues are going to benefit from your labors with the program, so they are likely to be much more interested in being involved than you might think. Be bold about delegating work to those who might benefit themselves. This is a great way to achieve understanding and commitment from people who you may later rely upon for process implementation. Share your experiences with your friends and family.
Making it relevant
The key to successful learning is to make it relevant to your own individual circumstances. At all times you should be trying to make bridges between the content of the program and your own situation. Whether you achieve this through quiet reflection or through interactive discussion with your colleagues, client partners or your family, remember that it is the most important and rewarding aspect of translating your studies into real self-improvement. You should be clear about how you want the program to benefit you. This involves setting clear study objectives in relation to the content of the course in terms of understanding, concepts, completing research or reviewing activities and relating the content of the modules to your own situation. Your objectives may understandably change as you work through the program, in which case you should enter the revised objectives on your study plan so that you have a permanent reminder of what you are trying to achieve, when and why.
Distance-learning check-list
Prepare your study environment, your study tools and rules.
Undertake detailed self-assessment in terms of your ability as a learner.
Create a format for your study plan.
Consider your study objectives and tasks.
Create a study forecast.
Assess your study performance.
Re-evaluate your study forecast.
Be consistent when managing your study plan.
Use your Appleton Greene Certified Learning Provider (CLP) for tutorial support.
Make sure you keep in touch with those around you.
Tutorial Support
Programs
Appleton Greene uses standard and bespoke corporate training programs as vessels to transfer business process improvement knowledge into the heart of our clients’ organizations. Each individual program focuses upon the implementation of a specific business process, which enables clients to easily quantify their return on investment. There are hundreds of established Appleton Greene corporate training products now available to clients within customer services, e-business, finance, globalization, human resources, information technology, legal, management, marketing and production. It does not matter whether a client’s employees are located within one office, or an unlimited number of international offices, we can still bring them together to learn and implement specific business processes collectively. Our approach to global localization enables us to provide clients with a truly international service with that all important personal touch. Appleton Greene corporate training programs can be provided virtually or locally and they are all unique in that they individually focus upon a specific business function. They are implemented over a sustainable period of time and professional support is consistently provided by qualified learning providers and specialist consultants.
Support available
You will have a designated Certified Learning Provider (CLP) and an Accredited Consultant and we encourage you to communicate with them as much as possible. In all cases tutorial support is provided online because we can then keep a record of all communications to ensure that tutorial support remains consistent. You would also be forwarding your work to the tutorial support unit for evaluation and assessment. You will receive individual feedback on all of the work that you undertake on a one-to-one basis, together with specific recommendations for anything that may need to be changed in order to achieve a pass with merit or a pass with distinction and you then have as many opportunities as you may need to re-submit project studies until they meet with the required standard. Consequently the only reason that you should really fail (CLP) is if you do not do the work. It makes no difference to us whether a student takes 12 months or 18 months to complete the program, what matters is that in all cases the same quality standard will have been achieved.
Support Process
Please forward all of your future emails to the designated (CLP) Tutorial Support Unit email address that has been provided and please do not duplicate or copy your emails to other AGC email accounts as this will just cause unnecessary administration. Please note that emails are always answered as quickly as possible but you will need to allow a period of up to 20 business days for responses to general tutorial support emails during busy periods, because emails are answered strictly within the order in which they are received. You will also need to allow a period of up to 30 business days for the evaluation and assessment of project studies. This does not include weekends or public holidays. Please therefore kindly allow for this within your time planning. All communications are managed online via email because it enables tutorial service support managers to review other communications which have been received before responding and it ensures that there is a copy of all communications retained on file for future reference. All communications will be stored within your personal (CLP) study file here at Appleton Greene throughout your designated study period. If you need any assistance or clarification at any time, please do not hesitate to contact us by forwarding an email and remember that we are here to help. If you have any questions, please list and number your questions succinctly and you can then be sure of receiving specific answers to each and every query.
Time Management
It takes approximately 1 Year to complete the Leading IT Transformation corporate training program, incorporating 12 x 6-hour monthly workshops. Each student will also need to contribute approximately 4 hours per week over 1 Year of their personal time. Students can study from home or work at their own pace and are responsible for managing their own study plan. There are no formal examinations and students are evaluated and assessed based upon their project study submissions, together with the quality of their internal analysis and supporting documents. They can contribute more time towards study when they have the time to do so and can contribute less time when they are busy. All students tend to be in full time employment while studying and the Leading IT Transformation program is purposely designed to accommodate this, so there is plenty of flexibility in terms of time management. It makes no difference to us at Appleton Greene, whether individuals take 12-18 months to complete this program. What matters is that in all cases the same standard of quality will have been achieved with the standard and bespoke programs that have been developed.
Distance Learning Guide
The distance learning guide should be your first port of call when starting your training program. It will help you when you are planning how and when to study, how to create the right environment and how to establish the right frame of mind. If you can lay the foundations properly during the planning stage, then it will contribute to your enjoyment and productivity while training later. The guide helps to change your lifestyle in order to accommodate time for study and to cultivate good study habits. It helps you to chart your progress so that you can measure your performance and achieve your goals. It explains the tools that you will need for study and how to make them work. It also explains how to translate academic theory into practical reality. Spend some time now working through your distance learning guide and make sure that you have firm foundations in place so that you can make the most of your distance learning program. There is no requirement for you to attend training workshops or classes at Appleton Greene offices. The entire program is undertaken online, program course manuals and project studies are administered via the Appleton Greene web site and via email, so you are able to study at your own pace and in the comfort of your own home or office as long as you have a computer and access to the internet.
How To Study
The how to study guide provides students with a clear understanding of the Appleton Greene facilitation via distance learning training methods and enables students to obtain a clear overview of the training program content. It enables students to understand the step-by-step training methods used by Appleton Greene and how course manuals are integrated with project studies. It explains the research and development that is required and the need to provide evidence and references to support your statements. It also enables students to understand precisely what will be required of them in order to achieve a pass with merit and a pass with distinction for individual project studies and provides useful guidance on how to be innovative and creative when developing your Unique Program Proposition (UPP).
Tutorial Support
Tutorial support for the Appleton Greene Leading IT Transformation corporate training program is provided online either through the Appleton Greene Client Support Portal (CSP), or via email. All tutorial support requests are facilitated by a designated Program Administration Manager (PAM). They are responsible for deciding which professor or tutor is the most appropriate option relating to the support required and then the tutorial support request is forwarded onto them. Once the professor or tutor has completed the tutorial support request and answered any questions that have been asked, this communication is then returned to the student via email by the designated Program Administration Manager (PAM). This enables all tutorial support, between students, professors and tutors, to be facilitated by the designated Program Administration Manager (PAM) efficiently and securely through the email account. You will therefore need to allow a period of up to 20 business days for responses to general support queries and up to 30 business days for the evaluation and assessment of project studies, because all tutorial support requests are answered strictly within the order in which they are received. This does not include weekends or public holidays. Consequently you need to put some thought into the management of your tutorial support procedure in order to ensure that your study plan is feasible and to obtain the maximum possible benefit from tutorial support during your period of study. Please retain copies of your tutorial support emails for future reference. Please ensure that ALL of your tutorial support emails are set out using the format as suggested within your guide to tutorial support. Your tutorial support emails need to be referenced clearly to the specific part of the course manual or project study which you are working on at any given time. 
You also need to list and number any questions that you would like to ask, up to a maximum of five questions within each tutorial support email. Remember the more specific you can be with your questions the more specific your answers will be too and this will help you to avoid any unnecessary misunderstanding, misinterpretation, or duplication. The guide to tutorial support is intended to help you to understand how and when to use support in order to ensure that you get the most out of your training program. Appleton Greene training programs are designed to enable you to do things for yourself. They provide you with a structure or a framework and we use tutorial support to facilitate students while they practically implement what they learn. In other words, we are enabling students to do things for themselves. The benefits of distance learning via facilitation are considerable and are much more sustainable in the long-term than traditional short-term knowledge sharing programs. Consequently you should learn how and when to use tutorial support so that you can maximize the benefits from your learning experience with Appleton Greene. This guide describes the purpose of each training function and how to use them and how to use tutorial support in relation to each aspect of the training program. It also provides useful tips and guidance with regard to best practice.
Tutorial Support Tips
Students are often unsure about how and when to use tutorial support with Appleton Greene. This Tip List will help you to understand more about how to achieve the most from using tutorial support. Refer to it regularly to ensure that you are continuing to use the service properly. Tutorial support is critical to the success of your training experience, but it is important to understand when and how to use it in order to maximize the benefit that you receive. It is no coincidence that those students who succeed are those that learn how to be positive, proactive and productive when using tutorial support.
Be positive and friendly with your tutorial support emails
Remember that if you forward an email to the tutorial support unit, you are dealing with real people. “Do unto others as you would expect others to do unto you”. If you are positive, complimentary and generally friendly in your emails, you will generate a similar response in return. This will be more enjoyable, productive and rewarding for you in the long-term.
Think about the impression that you want to create
Every time that you communicate, you create an impression, which can be either positive or negative, so put some thought into the impression that you want to create. Remember that copies of all tutorial support emails are stored electronically and tutors will always refer to prior correspondence before responding to any current emails. Over a period of time, a general opinion will be arrived at in relation to your character, attitude and ability. Try to manage your own frustrations, mood swings and temperament professionally, without involving the tutorial support team. Demonstrating frustration or a lack of patience is a weakness and will be interpreted as such. The good thing about communicating in writing is that you will have the time to consider your content carefully; you can review it and proof-read it before sending your email to Appleton Greene, and this should help you to communicate more professionally and consistently, and to avoid any unnecessary knee-jerk reactions to individual situations as and when they may arise. Please also remember that the CLP Tutorial Support Unit will not just be responsible for evaluating and assessing the quality of your work; they will also be responsible for providing recommendations to other learning providers and to client contacts within the Appleton Greene global client network, so do be in control of your own emotions and try to create a good impression.
Remember that quality is preferred to quantity
Please remember that when you send an email to the tutorial support team, you are not using Twitter or Text Messaging. Try not to forward an email every time that you have a thought. This will not prove to be productive either for you or for the tutorial support team. Take time to prepare your communications properly, as if you were writing a professional letter to a business colleague and make a list of queries that you are likely to have and then incorporate them within one email, say once every month, so that the tutorial support team can understand more about context, application and your methodology for study. Get yourself into a consistent routine with your tutorial support requests and use the tutorial support template provided with ALL of your emails. The (CLP) Tutorial Support Unit will not spoon-feed you with information. They need to be able to evaluate and assess your tutorial support requests carefully and professionally.
Be specific about your questions in order to receive specific answers
Try not to write essays by thinking aloud as you write your tutorial support emails. The tutorial support unit may then be unclear about what you are actually asking, or what you are looking to achieve. Be specific about the questions that you want answers to, and number them. You will then receive specific answers to each and every question. This is the main purpose of tutorial support via email.
Keep a record of your tutorial support emails
It is important that you keep a record of all tutorial support emails that are forwarded to you. You can then refer to them when necessary and it avoids any unnecessary duplication, misunderstanding, or misinterpretation.
Individual training workshops or telephone support
Please be advised that Appleton Greene does not provide separate or individual tutorial support meetings or workshops, or telephone support for individual students. Appleton Greene is an equal opportunities learning and service provider and we are therefore understandably bound to treat all students equally. We cannot therefore broker special financial or study arrangements with individual students regardless of the circumstances. All tutorial support is provided online, and this enables Appleton Greene to keep a record of all communications between students, professors and tutors on file for future reference, in accordance with our quality management procedure and your terms and conditions of enrolment. All tutorial support is provided online via email because it gives us time to consider support content carefully, and it ensures that you receive a considered and detailed response to your queries. You can number the questions that you would like to ask, which relate to things that you do not understand or where clarification may be required. You can then be sure of receiving specific answers to each individual query. You will also then have a record of these communications and of all tutorial support which has been provided to you. This makes tutorial support administration more productive by avoiding any unnecessary duplication, misunderstanding, or misinterpretation.
Tutorial Support Email Format
You should use this tutorial support format if you need to request clarification or assistance while studying with your training program. Please note that ALL of your tutorial support request emails should use the same format. You should therefore set up a standard email template, which you can then use as and when you need to. Emails that are forwarded to Appleton Greene, which do not use the following format, may be rejected and returned to you by the (CLP) Program Administration Manager. A detailed response will then be forwarded to you via email usually within 20 business days of receipt for general support queries and 30 business days for the evaluation and assessment of project studies. This does not include weekends or public holidays. Your tutorial support request, together with the corresponding TSU reply, will then be saved and stored within your electronic TSU file at Appleton Greene for future reference.
Subject line of your email
Please insert: Appleton Greene (CLP) Tutorial Support Request: (Your Full Name) (Date), within the subject line of your email.
Main body of your email
Please insert:
1. Appleton Greene Certified Learning Provider (CLP) Tutorial Support Request
2. Your Full Name
3. Date of TS request
4. Preferred email address
5. Backup email address
6. Course manual page name or number (reference)
7. Project study page name or number (reference)
Subject of enquiry
Please insert a maximum of 50 words (please be succinct)
Briefly outline the subject matter of your inquiry, or what your questions relate to.
Question 1
Maximum of 50 words (please be succinct)
Question 2
Maximum of 50 words (please be succinct)
Question 3
Maximum of 50 words (please be succinct)
Question 4
Maximum of 50 words (please be succinct)
Question 5
Maximum of 50 words (please be succinct)
Please note that a maximum of 5 questions is permitted with each individual tutorial support request email.
Procedure
* List the questions that you want to ask first, then re-arrange them in order of priority. Make sure that you reference them, where necessary, to the course manuals or project studies.
* Make sure that you are specific about your questions and number them. Try to plan the content within your emails to make sure that it is relevant.
* Make sure that your tutorial support emails are set out correctly, using the Tutorial Support Email Format provided here.
* Save a copy of your email and incorporate the date sent after the subject title. Keep your tutorial support emails within the same file and in date order for easy reference.
* Allow up to 20 business days for a response to general tutorial support emails and up to 30 business days for the evaluation and assessment of project studies, because detailed individual responses will be made in all cases and tutorial support emails are answered strictly within the order in which they are received.
* Emails can and do get lost. So if you have not received a reply within the appropriate time, forward another copy or a reminder to the tutorial support unit to be sure that it has been received but do not forward reminders unless the appropriate time has elapsed.
* When you receive a reply, save it immediately featuring the date of receipt after the subject heading for easy reference. In most cases the tutorial support unit replies to your questions individually, so you will have a record of the questions that you asked as well as the answers offered. With project studies however, separate emails are usually forwarded by the tutorial support unit, so do keep a record of your own original emails as well.
* Remember to be positive and friendly in your emails. You are dealing with real people who will respond to the same things that you respond to.
* Try not to repeat questions that have already been asked in previous emails. If this happens the tutorial support unit will probably just refer you to the appropriate answers that have already been provided within previous emails.
* If you lose your tutorial support email records you can write to Appleton Greene to receive a copy of your tutorial support file, but a separate administration charge may be levied for this service.
How To Study
Your Certified Learning Provider (CLP) and Accredited Consultant can help you to plan a task list for getting started so that you can be clear about your direction and your priorities in relation to your training program. It is also a good way to introduce yourself to the tutorial support team.
Planning your study environment
Your study conditions are of great importance and will have a direct effect on how much you enjoy your training program. Consider how much space you will have, whether it is comfortable and private and whether you are likely to be disturbed. The study tools and facilities at your disposal are also important to the success of your distance-learning experience. Your tutorial support unit can help with useful tips and guidance, regardless of your starting position. It is important to get this right before you start working on your training program.
Planning your program objectives
It is important that you have a clear list of study objectives, in order of priority, before you start working on your training program. Your tutorial support unit can offer assistance here to ensure that your study objectives have been afforded due consideration and priority.
Planning how and when to study
Distance-learners are freed from the necessity of attending regular classes, since they can study in their own way, at their own pace and for their own purposes. This approach is designed to let you study efficiently away from the traditional classroom environment. It is important, however, that you plan how and when to study, so that you are making the most of your natural attributes, strengths and opportunities. Your tutorial support unit can offer assistance and useful tips to ensure that you are playing to your strengths.
Planning your study tasks
You should have a clear understanding of the study tasks that you should be undertaking and the priority associated with each task. These tasks should also be integrated with your program objectives. The distance learning guide and the guide to tutorial support for students should help you here, but if you need any clarification or assistance, please contact your tutorial support unit.
Planning your time
You will need to allocate specific times during your calendar when you intend to study if you are to have a realistic chance of completing your program on time. You are responsible for planning and managing your own study time, so it is important that you are successful with this. Your tutorial support unit can help you with this if your time plan is not working.
Keeping in touch
Consistency is the key here. If you communicate too frequently in short bursts, or too infrequently with no pattern, then your ability to manage your studies will be questioned, both by you and by your tutorial support unit. It is obvious when a student is in control and when one is not, and this will depend on how able you are to stick with your study plan. Inconsistency invariably leads to non-completion.
Charting your progress
Your tutorial support team can help you to chart your own study progress. Refer to your distance learning guide for further details.
Making it work
To succeed, all that you will need to do is apply yourself to undertaking your training program and interpreting it correctly. Success or failure lies in your hands and your hands alone, so be sure that you have a strategy for making it work. Your Certified Learning Provider (CLP) and Accredited Consultant can guide you through the process of program planning, development and implementation.
Reading methods
Interpretation is often unique to the individual but it can be improved and even quantified by implementing consistent interpretation methods. Interpretation can be affected by outside interference such as family members, TV, or the Internet, or simply by other thoughts which are demanding priority in our minds. One thing that can improve our productivity is using recognized reading methods. This helps us to focus and to be more structured when reading information for reasons of importance, rather than relaxation.
Speed reading
When reading through course manuals for the first time, subconsciously set your reading speed to be just fast enough that you cannot dwell on individual words or tables. With practice, you should be able to read an A4 sheet of paper in one minute. You will not achieve much in the way of a detailed understanding, but your brain will retain a useful overview. This overview will be important later on and will enable you to keep individual issues in perspective with a more generic picture because speed reading appeals to the memory part of the brain. Do not worry about what you do or do not remember at this stage.
Content reading
Once you have speed read everything, you can then start work in earnest. You now need to read a particular section of your course manual thoroughly, by making detailed notes while you read. This process is called Content Reading and it will help to consolidate your understanding and interpretation of the information that has been provided.
Making structured notes on the course manuals
When you are content reading, you should be making detailed notes, which are both structured and informative. Make these notes in an MS Word document on your computer, because you can then amend and update them as and when you deem it necessary. List your notes under three headings: 1. Interpretation – 2. Questions – 3. Tasks. The purpose of the 1st section is to clarify your interpretation by writing it down. The purpose of the 2nd section is to list any questions that the issue raises for you. The purpose of the 3rd section is to list any tasks that you should undertake as a result. Anyone who has graduated with a business-related degree should already be familiar with this process.
Organizing structured notes separately
You should then transfer your notes to a separate study notebook, preferably one that enables easy referencing, such as an MS Word document, an MS Excel spreadsheet, an MS Access database, or a personal organizer on your cell phone. Transferring your notes gives you the opportunity to cross-check and verify them, which assists considerably with understanding and interpretation. You will also find that the better you are at doing this, the more chance you will have of achieving your study objectives.
Question your understanding
Do challenge your understanding. Explain things to yourself in your own words by writing things down.
Clarifying your understanding
If you are at all unsure, forward an email to your tutorial support unit and they will help to clarify your understanding.
Question your interpretation
Do challenge your interpretation. Qualify your interpretation by writing it down.
Clarifying your interpretation
If you are at all unsure, forward an email to your tutorial support unit and they will help to clarify your interpretation.
Qualification Requirements
The student will need to successfully complete the project study and all of the exercises relating to the Leading IT Transformation corporate training program, achieving a pass with merit or distinction in each case, in order to qualify as an Accredited Leading IT Transformation Specialist (ALITTS). All monthly workshops need to be tried and tested within your company. These project studies can be completed in your own time and at your own pace and in the comfort of your own home or office. There are no formal examinations; assessment is based upon the successful completion of the project studies. They are called project studies because, unlike case studies, these projects are not theoretical: they incorporate real program processes that need to be properly researched and developed. The project studies assist us in measuring your understanding and interpretation of the training program and enable us to assess qualification merits. All of the project studies are based entirely upon the content within the training program and they enable you to integrate what you have learnt into your corporate training practice.
Leading IT Transformation – Grading Contribution
Project Study – Grading Contribution
Customer Service – 10%
E-business – 05%
Finance – 10%
Globalization – 10%
Human Resources – 10%
Information Technology – 10%
Legal – 05%
Management – 10%
Marketing – 10%
Production – 10%
Education – 05%
Logistics – 05%
TOTAL GRADING – 100%
Qualification grades
A mark of 90% = Pass with Distinction.
A mark of 75% = Pass with Merit.
A mark of less than 75% = Fail.
If you fail to achieve a mark of 75% with a project study, you will receive detailed feedback from the Certified Learning Provider (CLP) and/or Accredited Consultant, together with a list of tasks which you will need to complete, in order to ensure that your project study meets the minimum quality standard that is required by Appleton Greene. You can then re-submit your project study for further evaluation and assessment. Indeed, you can re-submit as many drafts of your project studies as you need to, until such time as they eventually meet the standard required by Appleton Greene, so you need not worry about this; it is all part of the learning process.
When marking project studies, Appleton Greene is looking for sufficient evidence of the following:
Pass with merit
A satisfactory level of program understanding
A satisfactory level of program interpretation
A satisfactory level of project study content presentation
A satisfactory level of Unique Program Proposition (UPP) quality
A satisfactory level of the practical integration of academic theory
Pass with distinction
An exceptional level of program understanding
An exceptional level of program interpretation
An exceptional level of project study content presentation
An exceptional level of Unique Program Proposition (UPP) quality
An exceptional level of the practical integration of academic theory
Preliminary Analysis
Online Article
“The Biggest Risk To Digital Transformation? Underestimating The Human Factor
By David Mounts,
Forbes Technology Council
While referred to as “digital” transformation, the human factor involved in this process presents the greatest risk to what is perhaps the priciest investment most organizations will make in the coming decade. What catches many leaders off guard? The degree to which humans will impact its success or failure — humans who don’t all occupy technology roles as well as those who work outside their organization. Without an understanding of this risk to any digital transformation initiative and a deliberate effort to counter it, true digital transformation and the dollars invested in it are at risk.
For decades, we’ve heard doomsday predictions that technology will replace humans. If applied correctly, it will ultimately free humans to do what machines can’t. Humans are the connectors, those who must learn to ask the right questions, form the right relationships, break down artificial barriers and enable a new level of cooperation and trust that maximizes efficiency and is mutually beneficial for all involved. When humans truly grasp this mindset and our role in digital transformation, we’ll actually arrive in the tech age.
The transformation of any business, digital or otherwise, is done for one reason, optimization, which includes four critical elements: an original process, analysis, change and feedback. While technology can certainly enable change, without analysis and feedback, it’ll most often be less than optimal. This basic tenet has important ramifications on the digital transformation of complex workflows:
• Humans having been part of the original or current process means, of course, that the optimal solutions will include humans in the transition and very likely the ultimate outcome.
• Technologies that can be applied with knowledge (a model) and can learn after implementation are preferable to those that can’t.
• Machine learning today depends heavily upon access to maximum volume and variety of data, while learning will profit from velocity.
Technology platforms that bring access to the widest input of data and near-unlimited compute power will be the tool of choice to transform workflows in the 21st century. These platforms, however, will do nothing without the services that enable their application. Often the opportunity to leverage AI to make human decision-making faster or more accurate gets lost. When humans use technology built on AI, there’s more agility in process and workflow.
Companies expecting to thrive will need this agility to refocus their efforts. Consumers demonstrated the adaptive nature of the human spirit by turning to technology for their very existence during the pandemic. Their expectations changed, and they aren’t going back. They want a personalized experience and to be known across channels, whether retail, healthcare, grocery or government. They want to be met and known wherever they are. Digital transformation and the alignment of trading partners through neutral parties hold the promise of a future state of commerce that operates at the speed of trust, freeing companies to meet the rapid pace of change.
Through blockchain technology, which can provide a single, transparent source of truth, trading partners can operate and cooperate with trust — the lack of which slows transactions through redundant workflows and costs companies millions of dollars on wasted processes. Those found dollars can then be reallocated to areas that truly add value. AI allows platforms to be used for multiple industries and purposes. Consider delivery software powered by AI as an example. If it can be used to predict delivery times for a particular vertical, it can also be used for another vertical with completely different inputs, dependencies and workflows. The need to rebuild for each vertical limits scalability and is wasted effort.
One can easily get lost in projecting an impact on business by analyzing technology. It’s paramount that any transformation effort begins with a desired goal and backs into the optimal solution by using innovative applications of known technology building blocks to drive effort. The risk inherent in complexity is losing sight of this goal. Focusing industry experts on a problem and partnering with key orchestrators enables innovation that will deliver transformational impact. No technology has ever solved a problem by its mere existence. Humans matter.
The millions of professionals working on information technology today are producing incredible output. To apply this output to the millions of workflows built over decades of business requires that they cooperate like never before in an aggregate fashion to focus the “rays of technology light” on the “point of impact” to achieve the highest outcome. Success in this environment demands a mindset that functions much like a neural network, taking in the complex problem and its components on one side and joining it with technologists on the other side. Each has a role to play in separating technology from hype and activity from impact.
Why transform at all? To improve the human experience. To spend more time doing things of higher value and to move humans up the value chain. By focusing on relevant, personalized and optimized interactions that allow for richer experiences, we can reduce the friction and noise that result from the “stupid systems” that result if digital transformation is left to fall short.”
If you would like to view the original article, please visit: www.forbes.com
Online Article
“Scale Digital Transformation With Risk Management
By Tammy Whitehouse, senior writer, Deloitte Insights in the Wall Street Journal, Nov. 12, 2021
As humans leverage machines to drive organizations’ strategic outcomes, internal audit and risk management can help navigate the evolving risk landscape with a focus on promoting discipline and fostering trust.
“AI technologies—machine learning, robotic process automation, and natural language processing, among others, are helping organizations abstract data, detect anomalies, and gain new insights,” says Adam Regelbrugge, a partner with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP. “Risk management and internal audit leaders can deploy their capabilities and resources to help organizations accelerate adoption of digital technologies while also highlighting a focus on realizing value from digital transformations.”
As digital transformation accelerates, a growing number of organizations are focusing on developing greater digital fluency and skills to support and drive implementation efforts, says Geoffrey Kovesdy, a principal with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP. These initiatives suggest an increasing importance for the role of internal audit and risk management, he says. Yet during a November 2020 webcast, only 23% of approximately 3,000 participants indicated their organizations’ internal audit teams audit the risks associated with advanced digital capabilities.
“While many enterprises expect digital technologies to become increasingly important to their strategies and are focused on modernizing data infrastructure, some organizations have concerns about ethical risks that could affect strategy, raising questions about organizational readiness to adopt advanced technologies,” says Kovesdy. For example, in a September 2020 webcast, 71% of approximately 2,500 global participants indicate they expect to increase their investment in digital technologies, but only one-quarter of participants say they have an executive in charge of automation and AI risks.
“These circumstances highlight a need for organizations to leverage the advisory capabilities of internal audit and risk management to evaluate risks related to digital technologies,” says Kovesdy. Risk leaders, for example, are often in a position to emphasize the importance of adopting technologies based on an identified business need and a well-developed implementation strategy to promote positive outcomes.
Foundation for Digital Risk Management
With the growth in digital investment, organizations can develop a forward-looking approach to digital risk, says Michael Koppelmann, a senior manager with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP. “Internal auditors and risk management teams can evaluate governance structures, including committees, chains of command, and internal controls that govern digital environments and assets,” he says. “They can also evaluate business processes, automation strategies, and many other aspects of the digital technology life cycle, such as development, testing, and deployment.”
Advanced technologies introduce additional risks in many areas of the business within traditional risk categories, including:
Technology, cyber. A rise in data processes may lead to increased cyber risk, and inconsistencies in development can lead to long-term support issues.
Operational. Disparate or inconsistent application of digital technology to meet business objectives can lead to operational complexity.
Financial. Investments may fail to achieve their intended returns, and increased uses of digital technology may carry tax implications. Errors in technology can result in financial losses.
Organizational. Improper implementations and insufficient training to support digital transformation can introduce errors and discourage adoption.
Strategic. Digital-related business initiatives can result in strategic missteps, and lack of metrics can lead to missed goals. Overreliance on digital tools can introduce new strategic risks.
Regulatory. Requirements may not be properly or transparently reflected in technology implementations, leading to an unclear compliance environment. For example, an automated process may be collecting and storing sensitive information subject to regulation.
AI. Algorithms may be used beyond intended parameters or may be hampered by poorly controlled feedback. Algorithm development could lead to bias, intentionally or unintentionally.
However, organizations can identify, address, and mitigate these and other risks through the combined efforts of internal audit and risk management. Leaders in these functions can, for example, develop their strategy for evaluating digital technology risk by examining areas such as governance and oversight, strategic initiatives, risk and controls, development policies and standards, planning and alignment, and the programs for engaging the organization. Effective risk evaluations often begin with trustworthy metrics.
Fostering Trust in Metrics, Technology
As technology becomes an increasingly important driver of engagement with internal and external stakeholders, many organizations are expanding the KPIs they use to measure financial, strategic, and operational health and to identify opportunities, says Ryan Hittner, managing director with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP.
Regulators are also increasing their focus on how organizations use and disclose KPIs and related metrics. For example, the SEC released interpretive guidance in February 2020 to indicate organizations should consider providing a clear definition of KPIs that are included in the management discussion and analysis section of corporate annual reports and descriptions of how those indicators are calculated. Disclosures should also describe why a metric is useful to investors, how management uses the metric, and how metric calculations change from period to period.
“Many organizations have adopted robust frameworks for reporting financial KPIs in financial statements, but discipline is still developing in applying the same level of rigor to nonfinancial KPIs with appropriate controls and monitoring procedures,” says Hittner.
The evolving risk landscape with respect to digital transformation is placing a heightened focus on the importance of fostering trust in uses of technology, Hittner adds. “Internal audit and risk management leaders can evaluate many technology-related risks that can lead to financial losses and harm an organization’s reputation. Such risk assessments can provide valuable insights to the business and help guide leaders toward proactive mitigation strategies,” he says.
Issues can arise for many reasons, such as inadequate governance or data protection mechanisms, lack of training or experienced talent, data bias, breakdowns related to models, and complexity of implementation. Proactive measures to mitigate technology-related risks and foster trust in technology can go beyond helping safeguard the enterprise; these measures can also lead to benefits such as acquiring new customers, retaining employees, improving data quality, and improving organizational decision-making.
Organizations that commit to fair, transparent, responsible uses of technology may position themselves to gain the trust of customers and employees. Internal audit and risk management can have a role in promoting healthy uses of technology by evaluating and highlighting rapidly evolving digital risks to help foster resilience in organizations.”
If you would like to view the original article, please visit: www.deloitte.wsj.com
Online Article
“Digital Transformation – is cyber threat really the greatest risk of all?
By Owe Lie-Bjelland,
Director – Program Management GPRC,
Corporater
Having worked with governance, risk and compliance from a technology and business perspective across different industries and countries for more than 20 years, I have witnessed and been part of the birth of the cloud, the success of SaaS, the maturation of cybersecurity, and the exponential growth in technology outsourcing. This evolution has triggered a seismic shift in the mindset of enterprises when it comes to information and cybersecurity, compliance, governance, and assurance. Among business leaders, we have seen a shift from ignorance to fear, we are witnessing a shift from fear to awareness, and now we would like to see a shift from awareness to confidence.
No doubt, technology will continue as a trendsetter in the outsourcing market, businesses will continue the digitalization trend, cyber threats will not vanish, many companies will rise and fall, and industries and markets are becoming more and more regulated. The question I wish to answer in this article is this:
In a myriad of new risks, which is the number one most significant risk related to digital transformation?
Introduction
In the late ‘90s, cyber and information security was in its infancy. So was I: I was in my mid-twenties, and my aspiration was to leverage the new web technology to deliver enterprise-grade applications over the internet. I was the technology guy and the co-founder of one of the first SaaS providers in Norway.
As a SaaS provider handling some of the most business-critical information for the global oil & gas industry, information and cybersecurity were paramount to building our business, due to the risk of reputational and legal consequences that obviously would have caused great loss and possibly bankruptcy for our boutique SaaS business. This is not to mention the ethical responsibility we took on to protect our customers’ data. I remember my partner once said, “if we get hacked, the financial consequences are so big we can just go home, and we don’t even have to lock the door behind us”.
I started working on what would turn out to become a success, and what would give me great insight. It was hard work; however, my main challenges were not related to the complexity of establishing and maintaining an internal management system or keeping up with regulatory and legal requirements. My main challenges were firstly to make the board understand the potential loss and ROI for our negative and positive risks, resulting in dollars in my budget, and secondly to make the internal and external auditors understand our digital business.
History of risk assessment for information security management
In the early days of information and cyber risk, back in the era of ISO 27001:2005, risk assessments were conducted focusing on the infrastructure components and the deployed software. Consequence and probability were assessed using a qualitative approach, also considering the component’s vulnerability to calculate the risk level. This approach was good enough for the IT department to reduce the risk to a perceived acceptable level; however, it only got us so far. Problems arose when trying to enhance security further, as we realized we had painted ourselves into a corner. The work we produced was great for communicating internally among peers who understood the technical and security-related domain; however, it was not something we could easily share with top management to argue for doubling the security budget in the coming year.
With ISO 27001:2013, we saw a shift to align information security management more with enterprise risk management and the insistence on understanding the business context for correct implementation. This, along with digitization, led to a shift to place more emphasis on the assets, i.e. the actual information and information containers. The risk assessment methodology was enhanced to a semi-quantitative approach where intervals were used to decide the consequence. This was a step in the right direction; however, due to the nature of an interval scale, you cannot do any calculations when trying to aggregate and consolidate risks across departments and up the chain. This approach was still not optimal for communicating effectively outside an IT and security context. The challenges so far were very much related to digitization. However, when a company wants to disrupt its business model through digital transformation, new risks are introduced.
Digital transformation comes with greater risk exposure
Digital transformation results in a merger of business context and digital context. The two worlds meet causing a reaction on bringing the new knowledge into the board room, blended with the expectation from the board that assurance and operations will add additional value to the business.
Where is the value?
Let’s start with a common denominator; any business needs to properly manage its assets. With digital transformation comes the need to assess and manage a business’ digital assets. These assets are the same assets security staff are protecting and enabling.
However, assets are still very much out of sight or given less priority than initiatives, processes, infrastructure, cloud, and applications. Reading risk and assurance reports, I seldom see anybody focusing on assets. In a press release from 2017, Gartner says that “the value of an organization’s information generally cannot be found anywhere on the balance sheet”. In the same press release, analyst Douglas Laney says that “anyone properly valuing a business in today’s increasingly digital world must make note of its data and analytics capabilities, including the volume, variety, and quality of its information assets”. Further, Gartner predicts that “by 2022, organizations will be valued on their Information portfolios”. If you think about it, how big a proportion of your company’s assets are digital? You might be surprised to learn that they could easily add up to over 80%.
With digital assets becoming a vital part of the business, they are a key figure when assessing the value of the business in an M&A setting, and they are increasingly important in an insurance context. The CFO office includes the current value of business assets on the balance sheet, but what about the digital assets? Digital companies’ M&A valuation is currently not reflected on their balance sheet, but this does not change the fact that a digital asset has a value. Have you ever stopped to consider the relationship between the inherent risk of a digital asset and the cyber insurance value? Surely, that’s one good reason to keep track of the inherent risk.
Digital transformation comes with greater risk exposure and requires proper governance, management, and protection. Greater risk also means a greater risk of opportunities, not only the negative consequence of risk. A positive risk will potentially add value to your business – that is why we pursue the opportunity risk of digital transformation. Strategy, tactics, operation, and data must be seamlessly integrated and holistically governed to understand the real value of the business on its journey through digital transformation.”
If you would like to continue reading this article, please visit: www.corporater.com
Course Manuals 1-8
Course Manual 1: Technology Risks
Defining Technology Risk in FAIR Terms
The Factor Analysis of Information Risk (FAIR™) standard is used to quantify cyber and technological risk in terms of money, allowing organizations to prioritize, justify, and communicate security investments.
In FAIR terms, risk is defined as the probable frequency and probable magnitude of future loss.
The starting point for FAIR quantitative analysis is a risk scenario or risk statement that addresses a technology problem the business needs to solve. The format is:
“(Threat Actor) impacts (Confidentiality, Integrity, Availability) of (an Asset) via (Some Method)”
For example:
“Analyze the risk associated with an external threat actor establishing a foothold on the network through a trusted security vendor’s application resulting in a breach of sensitive data in our crown jewel asset.”
Based on the organization’s experience or industry data, the FAIR standard demonstrates how to break down the scenario into elements to evaluate the likely occurrence and impact of such an event.
The FAIR model is highly flexible and remains valid for less cyber-centric scenarios.
What Is an IT Risk Assessment?
The terms “risk analysis” and “risk assessment” are frequently used interchangeably, but there is a key distinction. A risk assessment provides a broader look at risk across scenarios to support corporate decision-making, particularly to justify, prioritize, and communicate security investments. A risk analysis may focus on a single scenario. Technology or IT risk assessments come in a variety of forms:
Rapid risk assessment: Perform a series of short risk analyses and compile and compare the results, for example, to rank the top risks for action by the likelihood and size of monetary loss.
Aggregate risk assessment: Understand and quantify the organization’s overall potential loss exposure from information technology. Examine multiple scenarios to identify which threat communities or asset types pose the greatest risk to the organization, and which business units carry the most loss exposure. This information is useful for a CISO (chief information security officer) when deciding how and where to focus defenses.
To fully support business decisions, a risk assessment should also present risk treatment alternatives for the risks identified.
A risk treatment analysis:
• Creates a baseline of loss exposure based on the current circumstances
• Compares the risk reduction (in financial terms) that alternative proposed controls or process improvements could achieve from the existing state, by running “what-if” scenarios
• May compare the cost of new security investments to their impact on risk reduction in a cost-benefit or return-on-investment (ROI) study
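To make the FAIR definition, the rapid and aggregate assessments, and the risk treatment what-if above concrete, here is an added example written for this manual; it is not code from the FAIR standard or from any FAIR tool. It samples loss event frequency and loss magnitude from calibrated (min, most likely, max) estimates, reports annualized loss expectancy and tail figures, ranks several scenarios as a rapid assessment would, and runs the treatment what-if: the ALE a control removes against its annual cost. The scenario names, estimates, the control’s effect on frequency and its cost are all constructed assumptions.

```python
# Added example (not part of the FAIR standard or the original page): a small
# FAIR-style Monte Carlo model of loss exposure. All estimates below are
# constructed (min, most likely, max) calibrations, not data from a real assessment.
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One FAIR risk scenario: (threat actor) impacts (C/I/A) of (asset) via (method)."""
    name: str
    lef: tuple        # Loss Event Frequency, events per year: (min, most likely, max)
    magnitude: tuple  # Loss Magnitude per event in dollars: (min, most likely, max)


def poisson(rate, rng):
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate(scenario, years=10000, seed=7, lef_scale=1.0):
    """Simulate annual losses over many years. lef_scale < 1 models a control
    that lowers loss event frequency (e.g. by reducing vulnerability)."""
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = scenario.lef
    m_lo, m_mode, m_hi = scenario.magnitude
    losses = []
    for _ in range(years):
        rate = rng.triangular(f_lo, f_hi, f_mode) * lef_scale   # events/year this run
        events = poisson(rate, rng)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_mode) for _ in range(events)))
    return losses


def summarize(losses):
    """Annualized loss expectancy plus the tail figures a CISO actually asks about."""
    s = sorted(losses)
    n = len(s)
    return {"ale": sum(s) / n, "median": s[n // 2], "p90": s[int(0.9 * n)], "max": s[-1]}


def rank_scenarios(scenarios, **kw):
    """Rapid/aggregate assessment: rank scenarios by simulated ALE, highest first."""
    scored = [(sc.name, summarize(simulate(sc, **kw))["ale"]) for sc in scenarios]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def control_roi(scenario, lef_scale, annual_cost, **kw):
    """Risk treatment what-if: dollars of ALE removed by a control versus its cost."""
    baseline = summarize(simulate(scenario, **kw))["ale"]
    treated = summarize(simulate(scenario, lef_scale=lef_scale, **kw))["ale"]
    reduction = baseline - treated
    return {"baseline_ale": baseline, "treated_ale": treated,
            "reduction": reduction, "roi": (reduction - annual_cost) / annual_cost}


# Constructed scenarios; the first mirrors the vendor-foothold example in the text.
SCENARIOS = [
    Scenario("vendor-app foothold leaks crown-jewel data",
             lef=(0.1, 0.5, 2.0), magnitude=(250_000, 1_500_000, 8_000_000)),
    Scenario("insider misuses privileged access",
             lef=(0.5, 2.0, 5.0), magnitude=(10_000, 60_000, 400_000)),
    Scenario("ransomware halts operations",
             lef=(0.05, 0.3, 1.0), magnitude=(500_000, 3_000_000, 20_000_000)),
]

if __name__ == "__main__":
    for name, ale in rank_scenarios(SCENARIOS):
        print(f"{ale:>14,.0f}  {name}")
    # Hypothetical control: hardening vendor access halves the loss event
    # frequency of the first scenario and costs $400k per year to run.
    print(control_roi(SCENARIOS[0], lef_scale=0.5, annual_cost=400_000))
```

Two design choices matter for communicating outside the security team: the output is money per year rather than a colour, and the tail (p90, max) is reported next to the mean, because a board that only hears the ALE will underestimate the single bad year that ransomware produces.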
What Is IT (Information Technology) Risk Management?
Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.
– National Institute of Standards and Technology (NIST) Special Publication 800-39: Managing Information Security Risk
The first step in risk management, as recommended by NIST, is to “frame” risk, that is, to establish a common terminology and measurement system. Ideally this system is based on a standard such as FAIR, which normalizes the risk vocabulary, and on quantitative analysis, which measures risk in the financial terms used to communicate across the enterprise and which is the output of a FAIR analysis. A business can then “respond” to risk with risk treatment analysis and “monitor” it with continual risk assessments, typically through a risk dashboard.
Compliance with IT Risk Management Frameworks
By concentrating on framework compliance and treating publications like NIST 800-39 that recommend various security practices or controls as checklists, many organizations make information risk management a less than “comprehensive” process. This is because they believe that the more controls that are implemented, the lower the risk. But without quantitative risk measurement, that’s just a supposition.
The frameworks serve as solid building blocks for security programs. They cannot, however, fully link their purely technical approach to cybersecurity with business requirements, such as deciding on security investments or explaining to the company the need for budget based on ROI.
Types of Risk Management Frameworks
Control Frameworks
• The CIS Controls (originally the SANS Critical Security Controls) are a prioritized, relatively short list of cybersecurity controls, commonly cited as mitigating around 80% of common attacks. NIST SP 800-53 is an extensive catalog of controls that, practically speaking, no organization would ever implement in its entirety.
Program Frameworks
• ISO 27001 brings in business requirements to a controls list but doesn’t prescribe a specific approach to analyzing risk. The popular NIST CSF maps specific controls to each cybersecurity function for a good technical overview of a risk management program.
Neither the controls frameworks nor the program frameworks can answer the basic questions for business decision-making, such as “if we invest in one security control or another, how much less risk will we have?” FAIR complements the frameworks by providing the missing quantitative risk analysis.
Case Study: A large drug wholesaler’s failed ERP implementation
With $5 billion in yearly sales and around 500,000 items shipped each day, healthcare services provider FoxMeyer was the fifth-largest drug wholesaler in the US in the early 1990s.
FoxMeyer needed a system that could make difficult supply chain decisions while dealing with cost pressure from intense competition. To obtain real-time information, automate, and integrate its inventory systems into a single system, FoxMeyer determined that an ERP would be the best option. The business anticipated removing pointless or redundant tasks, establishing suitable stock levels, and implementing more responsive customer service.
The multi-million-dollar IT system was the first of its kind to be introduced in the pharmaceutical sector. The ERP system was expected to save FoxMeyer around $40 million annually, with the SAP implementation cost predicted at $65 million.
The budget included:
• $4.8 million client/server computer system from HP
• $4 million for the software
• Several millions of dollars for consulting fees
• $18 million for a new 340,000-square-foot computerized warehouse
This failure was the result of poor planning and implementation.
Planning:
1. Poor selection of the ERP
2. No consideration of other consultants’ advice
3. Lack of contingency planning
4. No end user involvement
Implementation:
1. No restructuring of the business process
2. Insufficient testing
3. Overly ambitious project scope
4. Dominance of IT specialists’ own interest
5. Poor management support
6. Lack of end-user cooperation
Unfortunately, the project was a complete failure for FoxMeyer, costing a total of $100 million to implement the ERP. FoxMeyer only managed to save half of what was anticipated, forcing the business to declare bankruptcy a few months later.
Business continuity planning, technology risk, and resilience
To understand the relationships between the processes that power the business and the likely results of outages caused by man-made or natural disasters that could seriously disrupt operations, large organizations frequently prepare a business impact analysis (BIA) statement. To minimize the impact of an outage on the organization, business continuity strategies for information technology should prioritize IT resources. However, standard off-the-shelf BIAs have the same flaw as other non-quantitative risk assessments: they cannot convey risk in business terms.
Ransomware: Where Cyber Risk, Technology Risk, Operational Risk and Enterprise Risk Converge
Recent ransomware attacks on JBS USA, a meat processor, and Colonial Pipeline, a fuel distributor, both owners of essential infrastructure, quickly crossed the increasingly blurred lines between risk disciplines.
In the Colonial Pipeline case, after ransomware infected its corporate IT systems, the company decided to halt fuel shipments. It is unclear at this time whether the ransomware reached JBS USA’s operational systems or whether the company shut down production lines out of caution.
In either case, a cyber risk swiftly escalated from a technical risk to an operational risk to a threat to the enterprise, with a potentially material impact on financial results, plus reputational risk, legal risk, and possibly regulatory risk.
To help businesses deal with this new risk reality, the National Institute of Standards and Technology published Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286). The publication singled out FAIR as a suggested technique to “better prioritize risks or prepare more accurate risk exposure projections” in a risk register. NISTIR 8286 also recommended several FAIR analysis best practices, such as risk prioritization, risk scenario modeling, Monte Carlo simulation, and, of course, quantifying cyber risk in monetary terms.
5 Reasons Business Technology Fails And How To Break The Cycle
For your company to run effectively and efficiently, you need technology. Systems that operate at peak efficiency and offer the functionality required by your users are essential for competing in today’s digitally driven market.
Your company is now more dependent on technology than ever as a result of new solutions that have eliminated barriers, increased production, and improved efficiency. This reliance, though, has several drawbacks.
When your technology malfunctions, it directly impairs your ability to operate, and excuses mean little when you cannot work.
Understanding the causes of technology failure and what steps you can take to reduce this risk are essential given the significant role that technology plays in your company.
Finding the common reasons for technology failure can help to a great extent in ensuring that your systems are robust and deliver the performance you require. A successful fusion of people, process, and technology is necessary for a successful enterprise IT ecosystem. It might be challenging to pinpoint the root cause of an IT failure.
However, when a system fails, it is typically due to a problem with one of these components.
1 – Poor implementation
A badly implemented technical solution may have profound effects on the I.T. environment of a business.
Modern system architectures are interconnected and integrated, thus a problem in one system can negatively impact other systems that depend on it.
As a result, when building a particular service, businesses need to pay close attention to the effect and dependence a system has on other systems.
A mismatch between the technology and the business demand is at the root of the problem. Therefore, an impact analysis should not only focus on the technical details of system integrations but also include an evaluation of the affected individuals and IT processes.
2 – Poor maintenance
In addition to resulting in subpar system performance, failure to maintain the IT applications and services that power your company could ultimately bring down your entire environment.
Maintaining your IT infrastructure on a daily, weekly, and even monthly basis is crucial to its proper operation.
Therefore, it is crucial to carry out routine IT administration and maintenance tasks such as data backups, system updates, and responding to any system-generated alerts or incidents.
Once more, failing to maintain an IT environment is a failure in the people and process components of the IT ecosystem rather than a problem with the technology itself.
3 – Over-utilization
Modern technology environments are enormous, and overworked internal IT personnel are frequently too busy maintaining existing infrastructure and responding to support events to adequately handle every task.
Your technology might not operate as it should as a result of this capacity issue, which would ultimately affect how well your business might function. It is crucial to spend time and money bolstering your IT team with extra resources as your business’s reliance on technology increases and other systems go online to fulfill your needs.
To maintain the optimal performance and maximum effectiveness of your IT environment, your company needs these specialist talents.
4 – Complexity
Businesses are being significantly impacted by the speed at which technology is not just being invented but also reshaping society and commerce.
Although future technologies like blockchain and artificial intelligence have the potential to further disrupt businesses, cloud services and mobility have long been commonplace in business.
You need to invest in talents that can integrate these technologies and re-engineer your IT processes if you want to make sure that your business solutions stay technically relevant.
If these new solution platforms are not fully utilized or the appropriate resources are not allocated to their effective deployment, your technology may not be able to deliver the functionality and performance that your company requires.
5 – Misalignment
When integrating technology, one of the basic mistakes businesses make is not matching the chosen solution to their unique business needs.
IT systems are unable to fulfill the requirements set forth by the company if this misalignment takes place. Therefore, it is crucial that any technological implementation follow the guidelines established in a thorough business requirement specification.
In this approach, the development of the functional specification and actual deployment of the solution will live up to the standards defined and produce the outcomes that the business is looking for.
How to fix your technology problem
As already mentioned, a technical implementation that is successful combines people, process, and technology. When your systems don’t function as they should, it’s usually because one or more of these factors were poorly implemented.
However, adopting a strategic mindset can enable you to both unleash the hidden potential of your current IT systems and reduce the risks of technology failure.
Assess
Any IT strategic plan must begin with a preliminary evaluation of the state of your technological environment. An assessment of the maturity level of each of your IT services should be part of this initial assessment of the state of your IT systems.
Your I.T. maturity level for that particular service would be poor, for instance, if you regularly respond to events with your I.T. team and use manual processes.
On the other hand, your maturity level would be considered high if your assessment shows that your closely connected systems have a high level of automation.
The necessity to evaluate each IT service on an individual basis in addition to considering your environment as a whole must be kept in mind, though.
For instance, you might find that your identity and access management scores very poorly while your disaster recovery scores really well.
You can identify weak areas in your surroundings and take appropriate action by breaking it down into these separate parts.
Plan
The next phase is to create a technical program to carry out the necessary changes in your people, processes, and technology after you have finished your evaluation and identified areas within your IT environment that need to be addressed.
It’s crucial to keep in mind that the plan for deploying technology must be sufficiently detailed to describe the intended design in order to guarantee success.
It should also consider any consequences that the proposed change may have on the people, systems, and overall IT environment.
Implement
The recommended plan must be put into action after the planning phase is finished. Only after the assessment and the creation of the proposed design are complete should this step be put into action.
As previously said, poorly implemented solutions are frequently to blame when technology fails to produce the desired business outcomes. Even when the proper due diligence has been done, the risk lies in the execution. As a result, it is crucial that you invest in acquiring the skills needed to support the implementation of the technological or process change in your environment.
Case Study: A $2 billion air traffic control system failed due to insufficient computer memory
On April 30, 2014, a flaw in the En Route Automation Modernization (ERAM) system crashed the air traffic control computers serving LAX, resulting in the cancellation or delay of hundreds of flights.
The failure was triggered by a U-2 spy plane passing through the area. The $2.4 billion Lockheed Martin Corp. system cycled on and off in an effort to correct the issue, which was brought on by a lack of altitude information in the aircraft’s flight plan. After an air traffic controller entered an estimated altitude for the plane, the software analyzed every feasible flight path to make sure it was not headed directly toward other aircraft. That process exhausted the system’s memory, and the system terminated all other flight-processing operations. Fortunately, there were no recorded accidents or injuries.
ERAM limits the amount of flight-plan data each aircraft may send, and most aircraft have straightforward flight plans that stay well within that limit. The U-2 in service that day, however, had a convoluted flight plan that pushed the system close to its breaking point.
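In software-engineering terms, the failure described above is one unbounded input exhausting a process shared by everyone else. The following is an added Python illustration written for this manual; it is a constructed toy, not ERAM’s algorithm or data, and the plan format, waypoint names, altitudes and work budget are all assumptions. The “before” function materializes every candidate path for a plan, so one convoluted plan can exhaust memory and take every other plan down with it; the “after” function sizes the work arithmetically before doing any of it, rejects only the oversized plan, and keeps processing the rest.

```python
# Added illustration (constructed; not ERAM's code or data) of a single
# oversized input exhausting a shared process, and of the per-request budget
# plus fault isolation that prevents it.
import itertools


class PlanTooLarge(Exception):
    """A single flight plan would exceed the per-plan work budget."""


def candidate_paths(plan):
    """Every assignment of one candidate altitude to each waypoint. The count is
    len(altitudes) ** len(waypoints), so it grows exponentially with plan length."""
    return itertools.product(plan["altitudes"], repeat=len(plan["waypoints"]))


def clear_of_traffic(plan, path, traffic):
    """True if no other aircraft occupies any waypoint at the chosen altitude.
    traffic maps waypoint -> set of altitudes already occupied there."""
    return all(alt not in traffic.get(wp, ()) for wp, alt in zip(plan["waypoints"], path))


def safe_paths_unbounded(plan, traffic):
    """'Before': materialises every candidate path up front. A sufficiently
    complex plan makes this list exhaust memory, the whole process dies, and
    every other plan being processed dies with it. Never call this on a large plan."""
    paths = list(candidate_paths(plan))
    return [p for p in paths if clear_of_traffic(plan, p, traffic)]


MAX_CANDIDATES = 100_000  # hypothetical per-plan budget (assumption)


def safe_paths_bounded(plan, traffic, budget=MAX_CANDIDATES):
    """'After': compute the size of the job before starting it, refuse only the
    plan that blows the budget, and stream candidates instead of storing them."""
    total = len(plan["altitudes"]) ** len(plan["waypoints"])
    if total > budget:
        raise PlanTooLarge(f"{plan['id']}: {total} candidate paths exceeds budget {budget}")
    return [p for p in candidate_paths(plan) if clear_of_traffic(plan, p, traffic)]


def process_queue(plans, traffic, budget=MAX_CANDIDATES):
    """Fault isolation: a rejected plan is reported; the remaining plans still run."""
    results, rejected = {}, {}
    for plan in plans:
        try:
            results[plan["id"]] = safe_paths_bounded(plan, traffic, budget)
        except PlanTooLarge as err:
            rejected[plan["id"]] = str(err)
    return results, rejected


# Constructed sample input: a routine plan, and a convoluted one with many
# waypoints and several possible altitudes, standing in for the U-2 plan above.
TRAFFIC = {"B": {310}, "C": {300, 320}}
ROUTINE = {"id": "routine", "waypoints": ["A", "B", "C"], "altitudes": [300, 310, 320]}
CONVOLUTED = {"id": "u2-like", "waypoints": [f"W{i}" for i in range(30)],
              "altitudes": [300, 310, 320, 330, 340]}   # 5**30 candidate paths

if __name__ == "__main__":
    results, rejected = process_queue([CONVOLUTED, ROUTINE], TRAFFIC)
    print(len(results["routine"]), "conflict-free paths for the routine plan")
    print("rejected:", rejected)
```

The point a risk owner should take from the ERAM case is the second half of the fix, not the first: a limit on work per request is cheap, but what turns a crash into a reportable rejection is that the limit is enforced per plan and the rejection is caught at the queue level, so one bad input never becomes a system-wide outage.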
Course Manual 2: Workforce Risks
There have always been risks related to fraud, bribery, and corruption. Unfortunately, these risks have only grown, and there is more and more pressure to take preventive action. International Fraud Awareness Week is a chance to raise important questions.
We will go through key ideas to pay attention to, how the pandemic has changed priorities, and the most typical errors you should steer clear of.
How has the pandemic impacted fraud risks in company operations?
It should come as no surprise that moving staff to remote work, especially in the midst of a crisis like the one caused by COVID-19, makes fraud in business operations more likely. In what is known as the “fraud triangle,” three components are said to come into alignment when fraud occurs. First, there must be an incentive or pressure to commit fraud, frequently brought on by personal financial strain or professional constraints. Second, the perpetrator must rationalize the deceit. This covers both a justification for the fraud (such as thinking they deserve more money) and the conviction that the business won’t catch it. Finally, they require the opportunity to execute their plans. All three of these conditions may be brought on by the COVID-19 crisis.
• Motivation
– Financial stress may have given some people a new incentive to perpetrate fraud. For instance, medical expenses associated with COVID-19 or a decrease in income if they or another worker in their household was furloughed or laid off as a result of COVID-19
– Employees might be under more pressure from their employers to make up for lost revenues brought on by the recession. Businesses may also assign employees new duties or obligations to make up for personnel reductions.
• Rationalization
– Remote work limits an employer’s capacity to oversee employees’ daily behavior. This could give potential fraudsters the impression that the business won’t catch them in the process, making it simpler for them to justify their actions.
– Similar to motivation, employees may use the need to protect their family or cover high medical costs as an excuse for deception. Due to working remotely and/or the economic slump, they may also grow dissatisfied with their job duties, hourly demands, or other changes in their employment.
• Opportunity
– As already mentioned, home environments are far less controlled than office settings and can present a variety of new opportunities for fraud. Working from home may now give access to company data, files, or software that was previously available only when employees were present in the office and within a supervisor’s line of sight. Similarly, it can be challenging to keep track of when employees start and stop work during the day, which raises the possibility of time-entry and payroll fraud.
The good news is that these dangers can be reduced in a variety of ways. Employers should keep an eye out for employee fatigue and unhappiness. They ought to be aware of any company divisions that might be applying more pressure to their staff in order to make up for losses or subpar performance brought on by the recession. Additionally, businesses should ensure that they have the capacity to monitor their operations for common fraud types, such as inflated time entry records, incorrect invoicing, misuse of corporate resources, and account theft. Relevant employees should be informed about these controls and the value of compliance and ethical behavior in a clear and consistent manner.
Case Study: The Danish Concept of Arbejdsglaede
Arbejdsglæde, a term meaning workplace happiness, has become widely used in Denmark.
Arbejde means work and glæde means happiness, so arbejdsglæde is “happiness at work.” According to Alexander Kjerulf, author of “Happy Hour Is 9 to 5”, the word is used in the other Nordic languages but is uncommon in all other languages.
Kjerulf, a native Dane, describes how arbejdsglæde mirrors Danish views on labor in a Fast Company piece.
“Danish employers have a long history of aiming to make their employees happy, hence there is a phrase for it in Danish. Most Danes view their jobs as more than just a means of earning a living; we fully anticipate enjoying our employment,” he adds.
In the United States, Kjerulf faced a different mentality.
“Many Americans think it’s completely natural to despise their employment,” he argues. Similarly, “many American organizations do little to nothing to promote pleasure among employees, adhering to the tenet that ‘If you’re having fun, you’re not working hard enough.’”
Happiness at work is genuinely a cultural commitment! Does your workplace culture promote and celebrate genuine workplace happiness, or does it have a “case of the Mondays”?
What are the three most common gaps in compliance programs?
1. Proactive and Effective Risk Assessments—Far too frequently, businesses fail to undertake risk assessments at all or do so without a comprehensive framework in place.
2. Ongoing Training and Communication—Training and communication on compliance shouldn’t end with onboarding. Recurring compliance messaging in a range of formats, such as email campaigns, in-person dialogues, newsletters, and urgent notifications from senior leadership, are all part of effective compliance programs. Regular training should also be given to make sure that important compliance topics are remembered and understood.
3. Ongoing Oversight/Monitoring and Reporting—Companies that lack whistleblower reporting mechanisms, such as anonymous reporting hotlines and accompanying “Speak Up” training, are missing out on a significant source of information about compliance problems.
Since many people have made the switch to a more remote workforce, what kinds of threats do we need to be on the watch for?
Due to a lack of direct supervision and visibility, loss of connection and in-person communication, and reliance on potentially insecure networks or equipment, among other factors, remote workforces can intensify a variety of risks.
For instance, according to research from BitSight, home networks are 3.5 times more likely than business networks to have at least one malware family present.
And that is just one example. The chief compliance risks that research firms foresee include:
• Fraud
– This may involve dishonesty on the part of third parties, staff members, or criminals preying on corporate executives who work from home. The pandemic’s economic effects may increase the pressure on businesses and employees to perform, which might encourage fraud and other types of compliance-related wrongdoing at all levels. Indeed, previous economic downturns have seen higher levels of fraud and non-compliance, including financial fraud and reluctance to report problems even among managers and executives.
• Misuse of Company Resources
– Without constant supervision, certain dishonest people can feel empowered to misuse business resources, such as computers or other technology, for improper uses including personal usage, fraud, or illegal activities.
• Data Security
– The risk of data breaches, notably from phishing and smishing (phishing via SMS text message), has increased as employees rely more on virtual workplaces and potentially unsafe home networks. Working from home also increases the risk that someone misuses or unintentionally exposes personal information.
• Corruption and bribery
– As transparency and on-the-ground visibility decline, the risk of corruption and bribery may rise, especially among third parties and in supply chains. This is particularly true of foreign operations. Beyond global corruption, government initiatives put forth in response to the pandemic may also come under heightened scrutiny.
• Effectiveness of Compliance Communications
– Even with video conferencing and internet communications, it can be challenging to communicate compliance messages to remote employees, which may reduce the efficacy of a company’s compliance program.
• Support and Outreach
– Compliance specialists can interact with staff members through brief conversations and office visits. Employees may find it more difficult to seek support and for compliance specialists to offer it if there are no face-to-face encounters.
• Speak Up Culture
– In-person gatherings for meetings, lunches, and social events are crucial for establishing and preserving a company’s culture, including its Speak Up and compliance philosophies. Businesses will need to use creativity and smart thinking to maintain their culture, especially for new hires.
• Charitable Donations/Corporate Social Responsibility
– Some dishonest people have tried to take advantage of the rise in corporate donations related to COVID-19 relief by setting up phony organizations or asking for bribes and kickbacks in exchange for “donations” to particular charities. Before making any donations, it is important to properly investigate all organizations.
When rolling out new policies to the remote workforce, how should businesses ensure employees understand those policies?
When implementing new policies among a remote workforce, communication is essential. During policy rollouts, the compliance team and senior leadership should communicate clearly about the purpose and history of the new policy. To ensure awareness of changes to important compliance policies and procedures, such as conflicts of interest, anti-bribery, or insider trading, training may be required. It is just as crucial to make sure that remote workers can contact the compliance team with questions and concerns. For a thorough and successful rollout, have staff members confirm or attest that they have received, understood, and will adhere to the new policies. Follow up with personnel as necessary until all relevant personnel have responded, and keep track of certifications and attestation requests.
The return to the workplace risk assessment imperative
Should a risk analysis be performed prior to reopening a location? What does it mean for the company, if so?
Yes. Companies should do risk analyses for each location as they begin to reopen in order to determine the best way to reduce COVID-19-related hazards to employee health. Upon reopening, risk evaluations should take a variety of government directives and specifications into account. Assessing potential high-risk environments, such as shared workspaces, as well as your capacity to reduce those risks, may be part of this.
From a compliance perspective, businesses should make sure workers feel secure and at ease returning to work and that they have the freedom to voice any problems or concerns they may have.
Companies should generally continue with compliance risk assessment reviews. In situations like this, businesses frequently stop undertaking proactive risk assessments in order to deal with the crisis. However, companies must make sure they’re analyzing and addressing both the risks indicated above and compliance issues beyond those raised by COVID-19 in order to successfully identify and address compliance risks. This should involve an examination of the laws and regulations that normally apply to businesses in their sector. Organizations should pay special attention to conducting assessments in high-risk areas where they have lost track of operations at this time.
What knowledge should a company draw upon if it wishes to undertake an internal risk assessment?
Beyond a focused, return-to-work-type risk assessment, internal risk assessments should draw on individuals from compliance or legal, human resources, training/learning/development teams, internal audit, finance and accounting, data analytics, and IT, as necessary. Companies should also be sure to engage business units such as government relations, sales teams, and others that may have compliance-related obligations, in order to identify potential hazards arising from their operations.
Even businesses that perform risk assessments internally may want to think about hiring outside consultants to help and review the procedure while the assessment is being conducted in order to get a better understanding of industry best practices and governmental requirements. Similar to this, businesses should hire outside consultants to check their internal risk assessment procedure on a regular basis.
What function may risk analyses serve in minimizing misconduct?
Organizations can use risk assessments to pinpoint the ways in which their processes, procedures, or other operations pose hazards to them. The company can then assess how to lessen such risks while doing so. A risk analysis might discover, for instance, that a business faces bribery or fraud risks as a result of charity contributions made to unreliable groups. The organization can establish due diligence and approval processes once this risk has been discovered in order to mitigate it.
What will be the largest challenge when firms resume regular operations and have additional obligations to protect their customers and employees?
Returning to regular company operations will be difficult due to a lack of openness and visibility into global activities. The pandemic’s economic impact may also result in resource restrictions or reallocations, which might make it harder for businesses to protect their clients and staff while maintaining strong compliance strategies. Utilizing an external compliance expert who can offer additional support to supplement these constrained resources temporarily is one possible choice.
Managing three dangers associated with the hybrid workplace in the future of work
Organizations are assessing post-pandemic working patterns and the actual return to work as countries around the world gradually reopen. Many firms, especially those made up primarily of knowledge workers, were obliged to switch to a remote model as a result of the COVID-19 crisis. Despite the optimism surrounding the return of some in-person engagement in the workplace, 68 percent of firms still lack a clear strategy or plan. We identify three danger areas that demand careful consideration as firms implement remote hybrid work.
• The breakdown of social cohesion and organizational culture. According to recent research by McKinsey, employees who perceive a lack of clarity about the future direction of the operating model are approximately three times more likely to report moderate to severe burnout symptoms. However, simply communicating a distinct vision is insufficient; a strong justification must also be provided. How to bring staff back is one of the crucial issues that firms must address. Nearly 30% of workers said they would be inclined to switch jobs if forced to fully resume on-site work, demonstrating the need to take employee preferences and well-being into account before opting to return to the office. Organizations need to consider how, when, and why they ask their workers to return.
It is the responsibility of organizational leaders, and managers in particular, to determine who must report to the office and why. For onboarding and team-based projects that demand intensive collaboration, managers should place a high priority on in-person presence. Physical attendance at those events increases the likelihood that employees absorb the business culture, creates in-person routines linked to improved social cohesion, and encourages team-based creativity. To foster innovation, managers must also find ways to engage asynchronously those team members who cannot attend in person.
• A drop in productivity. Numerous productivity advantages were discovered during the impromptu experiment with widespread remote working during the pandemic. According to McKinsey’s research, 45 percent of workers said they were more productive a few months into the pandemic. Unfortunately, that progress was paid for by a muddled work-life balance and an uptick in sadness, anxiety, and burnout symptoms.
Businesses now recognize that our social fabric needs to be repaired in person. Many are attempting to counteract some of the negative consequences by implementing additional HR procedures and people-centered policies. However, they are also worried that the new hybrid approach may reduce productivity. Organizations can avoid this by emphasizing outcome measurement rather than just inputs such as staff hours logged, at both the individual and team levels. Additionally, they can define specific performance indicators for every role and function.
• The inability to experiment and improve. The fundamental difficulty of the hybrid model is how to manage people and processes to support employees who may be present physically or virtually on any given day. Failing to address this issue effectively could harm productivity, employee engagement, and well-being, and in extreme cases drive higher employee turnover.
Organizations must use a test-and-learn strategy to avoid this. It makes it possible to carry out plans and make progress while remaining flexible enough to change course as necessary. When the context changes, 16 percent of firms with high productivity continuously iterate and adjust their procedures; this tendency is entirely lacking in organizations with low productivity.
Success does not involve avoiding risk; rather, it requires correctly managing it. Organizations that want to adopt a long-term hybrid model must prioritize maintaining their culture, bolstering their people and talent management systems, and continuously improving how they respond to this “new normal.”
Case Study: Cross-Functional Collaboration
In Omaha, Nebraska, Farm Credit Services of America has a well-established reputation as a premier employer. Since 2003, it has received two Sustained Excellence Awards and seven times has been named one of Omaha’s Best Places to Work.
According to the ebook “3 Stories from America’s Best Places to Work” by Quantum Workplace, one of the main factors contributing to the company’s high employee happiness is the way it solves problems and makes choices. Farm Credit Services uses 40 to 50 cross-functional teams, or groups of workers from many departments, at any given time to work on company-wide choices like how to use office space or which employee welfare programs to put into place.
“Cross-functional teams are one of the absolute strengths of this organization that get us to both culture and business results that we have,” Vice President of HR Kurt Kline tells Quantum Workplace. “The power of that is bringing in diversity of thought and getting buy-in. It’s a little slower, it’s a little harder, but we believe it gets us to the best outcome.”
Why having happy employees matters
American culture places a premium on the pursuit of pleasure, and modern employees are no exception. People in the modern workforce, regardless of generation, feel more empowered to pursue pleasure both at work and at home—and to change occupations if necessary in order to do so.
Here is a breakdown of why your employees’ happiness is so crucial and what your business can do to increase their job satisfaction:
1. Happy employees are far more productive than unhappy ones
Numerous research studies have amply demonstrated the connection between employee satisfaction, engagement, and performance.
• More engaged workers are happier workers. Additionally, employees who are engaged at work are more productive and absent from work less frequently.
• A healthy workplace is important. A friendly workplace environment promotes employee relationships, enhances personal wellbeing, and ultimately boosts productivity. Through improved working relationships, it promotes employee creativity and problem-solving skills while also expanding their resources and skills.
• Having a sense of belonging at work is crucial. Employees are more able to overcome obstacles and challenges when they feel that their coworkers and managers genuinely care about them, both at work and in their personal life.
• Content workers experience less stress. High levels of stress can cause a variety of mental and physical issues, including increased employee absenteeism. Happy workers are more likely to show up for work, which keeps the quality of your workplace culture high.
2. Workers prefer to focus on what they do best.
Today’s workers want much more than just a wage. They seek a feeling of direction and the opportunity to develop their professional abilities. Being able to perform what they do best at work is very important, according to 60% of employees. Additionally, having people work on projects that play to their strengths has a positive impact on your business because it boosts productivity and reduces employee turnover.
3. Employees prioritize work life balance
Before, people divided “life” and “work” into two categories. But in a society where communication is ubiquitous, these two components frequently coexist. Today’s workers prioritize both their work and their personal lives equally. They frequently don’t want to give up one for the other. A better work-life balance and a greater sense of personal well-being are in fact viewed as being very important by 53% of employees, according to SurveyMonkey.
• More and more employees want the flexibility to work remotely and change their schedules as needed. This gives them the freedom they require to handle life’s difficulties.
• Businesses should emphasize the perks they provide to aid employees in maintaining a healthy work-life balance.
Different people define work-life balance differently. That is why knowing your employees’ priorities and maintaining open communication are crucial.
• Employees who emphasize their own work-life balance are more likely to be female than male.
• Compared to baby boomers, millennials and Gen-Xers are more inclined to place a higher priority on overall satisfaction at work and at home.
4. Well-being matters more than “fun”
There was a time when employee gathering places like putting greens and foosball tables were considered conducive to a productive workplace. Times have changed, and the emphasis today is on well-being.
• An enjoyable work atmosphere offers employees only immediate benefits. It does not produce lasting employee engagement or long-term happiness at work.
• Well-being programs focus on crucial concerns including reducing stress and boosting emotional toughness. The best, most enthusiastic workers are frequently the ones who are most susceptible to burnout from continually heavy workloads. Enhancing their health keeps them active and productive at work.
• Employee engagement is increased and burnout is decreased when there are opportunities for employees to pause, recharge, and reengage. Studies have repeatedly proven that having the chance to take frequent, brief breaks enhances focus, mood, and productivity. This means that you might want to think about allowing workers to take a break during the workday to check social media or personal communications and promote conversations at the water cooler or coffee station.
5. Unhappy employees will leave to find happiness
Today, the majority of employers are concerned about employee turnover. In the past, it was normal for workers to remain on the job for a considerable amount of time—even 20 or 30 years. But in today’s market, it’s typical for people to work for a company for just one or two years before moving on to another opportunity with a better work environment.
• According to a recent Gallup poll, half of all workers were looking for a new job or better employment opportunities.
• According to the report, 51% of workers would quit their current position for one that allows for flexible scheduling, and 37% would leave to work off-site at least occasionally.
Measuring and improving employee happiness
So how can you tell if your staff members are content? Employee happiness surveys are a great way to get candid, anonymous feedback from your staff. The responses give you an opportunity to identify and prioritize both the most important issues affecting employee happiness and the urgent problems. If your company places a high priority on ensuring that its employees are happy with their positions and with the company, you’ll be able to keep current employees as well as draw in qualified candidates.
You can create bespoke surveys that help you and your employees align around your company’s vision and mission by using the appropriate experience management insights. A happy employee is one who feels heard, so the survey questions you ask can be tailored to reflect your business’s values while also helping respondents feel heard. With this tactic, communication between your business and employees can be positive and two-way. You’ll be able to reinforce your message through your online survey while gathering insightful employee feedback to raise employee satisfaction.
Using pop culture or industry lingo in surveys to make them entertaining to complete can help increase employee contentment. This strategy fosters a positive work environment. Innovative survey findings can also be used as team-building activities for workers to get to know their managers and coworkers better.
You can use surveys to start an employee appreciation program, because a satisfied employee is one who feels valued. Allow employees to review the performance of their coworkers anonymously, and then use the results both to reward those who received excellent ratings and to identify strategies for raising the performance of those who received lower ratings. Employee satisfaction surveys reward contented workers while focusing attention on the unsatisfied ones. You might then send a different kind of survey designed to help you discover the potential causes of some employees’ dissatisfaction.
Allowing employee participation in one of your surveys is another technique to improve employee satisfaction. Ask them to submit an anonymous query, for instance. This strategy is also applicable to departments, teams, and department heads. It can be used as a lighthearted team-building exercise or to gather important feedback. Just think about how happy your team will be to learn that their question was chosen for a corporate survey.
Course Manual 3: Automation Risks
Automation offers advantages that businesses undergoing digital transformation cannot dispute. Because of this, the majority of businesses have moved past pilot programs and are implementing RPA at full speed. However, they haven’t received the returns or speedy time-to-value they were promised. Instead, businesses in all sectors spend the majority of their time and money fixing brittle digital workforces that frequently fail, which keeps their profits low and their irritation levels high.
This is because, if the following risks aren’t carefully taken into consideration, they will reduce RPA ROI and derail any scaling effort.
By avoiding these seven most notable hidden hazards of automation design in business, you can maximize your returns and be well on your way to efficient automation at enterprise scale.
1. Poorly chosen business processes
An RPA candidate must be found and chosen before the automation is designed. Many businesses are failing in this area of automation. Simply said, they’re choosing the wrong processes, which later causes problems with RPA maintenance and support.
This is why it’s crucial to have joint IT and business ownership of RPA, in addition to clearly outlining RPA criteria for evaluating processes to automate. Strong business processes are chosen as candidates because IT is aware of the constraints of automation, and the business contributes its extensive process knowledge and organizational understanding.
2. Neglecting Business Process Optimization Before Automating
It’s a straightforward idea: automating subpar processes will result in subpar automations. RPA offers the chance to automate more than simply monotonous, rule-based operations; it also offers the chance to use automation to promote process improvement.
Examining RPA candidates should reveal any inefficiencies, gaps, or waste so that they can be rectified during the design phase. Your RPA project should deliver robust, high-quality automations that won’t frequently break and detract from the desired business value.
3. Allowing Islands of Automation to Exist
Automation projects built around an RPA Center of Excellence have the standardization and information sharing required to achieve high-quality automation design and, with it, resilient digital workforces.
Enterprises with Islands of Automation, on the other hand, where several lines of business build and implement their own autonomous automations, will eventually be overcome by the devastating load of bot failures and RPA downtime. Lack of information exchange, disparate automation design methodologies, recurring errors, and even segregated RPA tools all result in high costs and a degraded level of quality whose detrimental bite is felt over time.
4. No Governance Model
A solid and reliable governance model is necessary for effective automation design. For this reason, several organizations have taken the initiative to create their own RPA Centers of Excellence, the main duty of which is to specify a governance model.
Defined procedures for locating, evaluating, validating, and ranking RPA possibilities are necessary for robust automation design that reduces risk downstream. It is necessary to standardize the way automation work is created, communicated, and developed in order to adhere to best practices. Additionally, this guarantees that lessons learnt can be put into practice for ongoing improvement to prevent costly errors from being made repeatedly.
5. Over-automating
Operations teams within businesses advocate for ever-increasing levels of automation because of the operational efficiency and cost savings it provides. This need was heightened by the pandemic and the associated swings in supply and demand. Automation was recognized as the best way to deal with such volatility, but the haste to automate has led to fragile automations that break, which is what typically occurs when design and development are rushed.
Before automation is used, it needs to be thoughtfully and deliberately designed with process optimization as a top priority. To improve governance and change management, it is essential that the process itself is linked to all associated dependencies.
6. Communicating Automation Design Using Outdated Methodologies
It makes little sense to put so much thought and good judgment into automation design only to package it in an antiquated, paper-based format like a PDD (Process Design Document) or SDD (Solution Design Document). Such outdated documentation frequently leads to overlooked requirements, which in turn leads to a subpar, fragile bot.
There is a need for a more effective, digital way to bundle and share automated design work that promotes accurate development by providing developers with clear, accessible instructions and encourages collaboration with all stakeholders.
7. Neglecting Dependency Mapping
Updates to the user interfaces that an automated process interacts with are the most frequent cause of bot failures. Many RPA programs are guilty of failing to connect automated processes with their dependencies, such as the legacy systems and applications they deal with, a key automation design mistake that often leads to problems and outages. For businesses operating in highly regulated sectors, it’s also crucial to map out the regulations’ restrictions and the resulting policies and controls.
Comprehensive dependency mapping in automation design allows organizations to manage change better. Robust and meticulous dependency mapping also enables reactive change management to transform into a proactive strategy that minimizes RPA downtime.
Case Study: Dropbox – The buggy outage that dropped Dropbox from the web
An outage is never fun for an IT team, especially if it forces your staff to scramble to put its emergency plans into action. This exact situation forced Dropbox to scramble in January 2014, when a planned product upgrade caused the website to go offline for three hours.
A “subtle fault” in the Dropbox upgrade script led to the failure of the company’s live services when it prompted a small number of active PCs to automatically apply upgrades to thousands of Dropbox production servers. Luckily for Dropbox, its emergency protocols were carefully thought out and mainly successful. The IT team used its backup and recovery plan to restore the majority of services within three hours. Recovery took longer for some of the bigger databases, however, and it took the business several days to fully restore all of its main functions.
Managing the risks and returns of intelligent automation
The COVID-19 pandemic has intensified the digitization of business. More than two-thirds of top executives who responded to polls think their companies’ embrace of digitization and automation has intensified since the start of the crisis (Exhibit 1). In order to optimize end-to-end business processes, many institutions (such as banks, insurance companies, and other large corporate enterprises) are implementing automation and AI solutions, a combination increasingly referred to as “intelligent automation.” This automates not only tactical tasks but also more complicated prediction problems and decision making.
Exhibit 1
By drawing fresh conclusions from complex data, intelligent automation systems can support decision-making and contribute to increases in efficiency and effectiveness. The delivery of essential business services to the surrounding ecosystem could be impacted by these tools and technologies, just like other kinds of AI, raising risks for the company and attracting more regulatory scrutiny.
The threats of AI come from numerous angles. Potential violations of data privacy laws during model development, a lack of transparency regarding how these systems operate with the risk that errors, unfairness, or bias may be introduced by flaws in model design or training-data selection, and new cybersecurity risks like model extraction or purposeful “data poisoning” by malicious actors are among the most significant (Exhibit 2).
Exhibit 2
The majority of businesses currently lack the frameworks and resources needed to adequately manage the risks and benefits of intelligent automation. In particular, the many components of system development and operation (such as implementation and system management, risk and resilience management, and business-process optimization) are frequently managed in a fragmented manner by distinct roles. Additionally, enterprises often lack the solid frameworks, procedures, and infrastructure necessary to guarantee efficient risk and return evaluation of automation and AI. It is therefore more important than ever for businesses to include automation-specific considerations in their overall AI and digital risk management plans.
Toward a better understanding of automation risk
Institutions can develop a comprehensive understanding of the advantages and hazards of intelligent automation, including where these technologies touch crucial operations and potential weak spots, to inform strategic decisions across the business. They also need to know how to systematically lower risk and strengthen institutional resilience in addition to how to streamline and automate procedures. Five crucial tactical steps might be taken into account for this reason throughout the automation and AI life cycle (Exhibit 3).
Exhibit 3
Step 1. Establish a dedicated intelligent-automation risk-return center of excellence
The gathering of all pertinent data and decision-making oversight in one location is the first prerequisite. Establishing a specialized center of excellence (CoE) for intelligent-automation risk-return management is one method to achieve this. This key role would be in charge of ensuring that AI and automation solutions improve performance and value across business processes while not exceeding the organization’s predetermined risk thresholds.
The CoE requires a thorough understanding of three things in order to fulfill this goal. To discuss and navigate the process landscape, it must first comprehend the enterprise taxonomy of business services and processes used by the entire organization. Second, it must understand where AI and automation are now used in those processes and where there is room for future deployment of additional use cases to boost productivity or business performance. Last but not least, it must have a thorough understanding of the flaws found in the planned and existing AI and automation solutions.
Simple automation solutions frequently rely on reasonably deterministic methodologies, so implementation mistakes or improper configuration are more likely to be the main dangers. Contrast this with the dangers posed by complex AI techniques, which are typically created to address uncertainty and generate a wider range of possible problems, including explainability and numerous biases. As a result, automation risks are frequently treated as a subset of AI risks.
The intelligent-automation risk-return CoE can rely on both internal expertise and resources from other parts of the company to construct this picture. For instance, the model-risk-management team in banking would normally offer a perspective on weaknesses found in AI, such as problems with bias and fairness in decision-making, or with the “explainability” of the underlying models. The CoE would play a strategic role in coordinating the work currently done by the legal, compliance, and IT teams as well as the model-risk-management function, extracting pertinent data through effective reporting procedures.
Step 2: Identify and prioritize opportunities for end-to-end optimization and business simplification
Numerous AI and automation solutions may already be in use by organizations, and many more are either being considered or are in the development phase. The intelligent-automation risk-return CoE’s essential mission is the establishment and upkeep of a comprehensive inventory of these applications.
This inventory would contain details of each use case’s approach and procedures, as well as the platform used for implementation, the business processes in question, the system owner, and any connected technology vendors. It would also record all the potential vulnerabilities found in the technique. For each AI and automation application they adopt, business units would be expected to provide this information to the CoE, with frequent reviews and audits in place to make sure the information is kept up to date. The procedure might make use of already-existing knowledge: banks’ model-risk-management teams often keep an inventory of models with an eye on the AI solutions applied throughout the company.
Both sides of the risk-return equation are supported by the inventories of AI and automation. The inventory helps management find synergies and possibilities to duplicate or expand tried-and-true methods into new areas by offering a comprehensive view of how and where AI is currently being used in the organization. The inventory also gives the CoE the ability to discover hazards, track down their owners, and handle any necessary mitigation actions.
The risk-return CoE can make strategic choices regarding the deployment, enhancement, retirement, or consolidation of solutions and technologies based on this transversal perspective of intelligent automation established throughout the business. Within such a framework, the organization can rank processes by organizational value and business criticality. When one worldwide security and cash logistics company with operations spread across numerous locations performed an enterprise-level identification and prioritization effort, its management was able to describe more than 40 existing strategic AI solutions that other companies could also use.
Step 3: Develop a robust framework to integrate technology solutions across the end-to-end value chain
The intelligent-automation risk-return CoE can design a defined approach and set of principles for the development and implementation of AI and automation technologies in collaboration with pertinent analytics and technology teams. In order to guarantee that these principles are applied uniformly throughout the enterprise, the CoE might then collaborate with business units. By doing this, you can ensure that important risks and constraints are recognized early in the development cycle and that your organization’s AI and automation efforts are more transparent.
To design a standardized transformation strategy that could be used across all regions and business lines, one large bank went back and completely rebuilt its playbook for automation and AI development. The playbook’s guidelines underlined the need to track project risks effectively, emphasizing the necessity of precise risk assessments and indicators, as well as the impact, results, and additional advantages of the transformation. A strict system of prioritization also fostered a focus on the most vital programs, procedures, and services. The bank was able to design strong mitigating controls after using this approach to help it comprehend for the first time the limitations of the AI and analytics tools utilized throughout the enterprise.
Step 4: Assess AI and automation risks
To discover any risk of bias or inaccuracy in the input, processing units, and output, every AI system or automation tool needs to go through a rigorous and thorough testing program. The evaluation would typically include, at a minimum, the following elements: data quality (such as the possibility of bias or error in the data sample), correctness of implementation (such as the application of the right formulas and rules), performance, sensitivity, and robustness of the system (focusing on output accuracy), explainability of the model (given its use cases and complexity), and any bias and unfairness in the results it produces. It may be necessary to engage specialized internal or external teams for certain testing, such as those looking for security flaws or data poisoning susceptibility.
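The evaluation elements listed above can be turned into repeatable checks. The following is an added example, not code from the course or from any bank or vendor described here: it runs data-quality, performance, sensitivity and bias checks over a small constructed sample of model scores. The sample records, the protected groups “A” and “B”, the 0.8 disparate-impact floor and the 0.15 accuracy-swing limit are all assumptions of the example; an organization would set its own thresholds from its risk appetite.

```python
# Added example: minimum evaluation checks for an AI decision system, run on a
# constructed sample rather than any real model output. Thresholds (the 0.8
# disparate-impact floor and the 0.15 accuracy swing) are assumptions for this
# example, to be set by the organization's own risk appetite.

# Each record: (protected group, true outcome, model score in [0, 1]).
SAMPLE = [
    ("A", 1, 0.91), ("A", 0, 0.22), ("A", 1, 0.77), ("A", 0, 0.61),
    ("A", 1, 0.58), ("A", 0, 0.35), ("A", 1, 0.83), ("A", 0, 0.12),
    ("B", 1, 0.52), ("B", 0, 0.18), ("B", 1, 0.41), ("B", 0, 0.27),
    ("B", 1, 0.66), ("B", 0, 0.09), ("B", 1, 0.38), ("B", 0, 0.44),
]


def data_quality_issues(records):
    """Data-quality element: labels must be 0/1, scores must lie in [0, 1],
    and every group must be represented by more than one record."""
    issues = []
    counts = {}
    for group, label, score in records:
        counts[group] = counts.get(group, 0) + 1
        if label not in (0, 1):
            issues.append(f"bad label {label!r} in group {group}")
        if not 0.0 <= score <= 1.0:
            issues.append(f"score {score} outside [0, 1] in group {group}")
    for group, n in counts.items():
        if n < 2:
            issues.append(f"group {group} has only {n} record(s)")
    return issues


def predict(score, threshold=0.5):
    return 1 if score >= threshold else 0


def accuracy(records, threshold=0.5):
    """Performance element: share of records the decision rule gets right."""
    correct = sum(1 for _, label, score in records if predict(score, threshold) == label)
    return correct / len(records)


def selection_rates(records, threshold=0.5):
    """Positive-decision rate per protected group."""
    totals, positives = {}, {}
    for group, _, score in records:
        totals[group] = totals.get(group, 0) + 1
        positives[group] = positives.get(group, 0) + predict(score, threshold)
    return {g: positives[g] / totals[g] for g in totals}


def disparate_impact(records, threshold=0.5):
    """Bias element: ratio of the lowest to the highest group selection rate."""
    rates = selection_rates(records, threshold)
    return min(rates.values()) / max(rates.values())


def threshold_sensitivity(records, thresholds=(0.4, 0.5, 0.6)):
    """Sensitivity element: how far accuracy moves when the decision
    threshold is perturbed around its production value."""
    accs = [accuracy(records, t) for t in thresholds]
    return max(accs) - min(accs)


def evaluate(records, di_floor=0.8, max_swing=0.15):
    """Run all checks and return the findings the CoE would need to record."""
    findings = list(data_quality_issues(records))
    di = disparate_impact(records)
    if di < di_floor:
        findings.append(f"disparate impact {di:.2f} below floor {di_floor}")
    swing = threshold_sensitivity(records)
    if swing > max_swing:
        findings.append(f"accuracy swings by {swing:.2f} across thresholds")
    return findings


if __name__ == "__main__":
    print(f"accuracy={accuracy(SAMPLE):.3f} rates={selection_rates(SAMPLE)}")
    for finding in evaluate(SAMPLE):
        print("FINDING:", finding)
```

On this sample the rule is accurate overall but selects group A at 0.625 and group B at 0.25, so the disparate-impact check fires even though accuracy and threshold sensitivity look acceptable; this is the kind of finding that would go into the CoE inventory entry for the solution. Explainability and security testing (for example, for data poisoning) are not covered by this block and would be handled by the specialized teams the text mentions.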
In sectors like banking, decision-making on AI applications can be supported by functions that monitor analytics risk (such as model-risk management) and the analyses they carry out. As part of its digitization journey, a major US bank had created a number of AI and automation solutions, including chatbots, optical character recognition (OCR) technology, robotic-process automation, and speech-to-text methods. As part of the bank’s regular supervision procedures, an independent review and challenge process found a number of ways to reduce risks and boost the efficiency gains these systems produce.
For instance, problems with OCR technique stability emerged. Too frequently, the method used led to incorrect interpretations of characters in customer-account identifiers, such as the letter “O” being mistaken for the number “0” or the number “5” for the letter “S.” These flaws would erroneously map client information in the relevant systems, necessitating numerous human interventions to repair the mistakes manually. Controls were put in place to guarantee that high-risk instances were recognized early on and handled carefully, all without having an impact on customers.
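One shape such a control can take is a post-OCR validation step that only applies a character substitution when the identifier format forces it and the corrected value exists in the account master file, and routes everything else to a human reviewer. The following is an added example written for this course, not the bank’s control: the identifier format (two letters followed by six digits), the confusion table and the set of known accounts are assumptions of the example.

```python
# Added example: a post-OCR control for customer-account identifiers. Illustrative
# only; the identifier format (two letters followed by six digits), the confusion
# table and the sample account set are all assumptions of this example.
import string

# Characters that OCR engines commonly confuse, keyed by the character read.
CONFUSABLE = {
    "O": "0", "0": "O", "S": "5", "5": "S",
    "I": "1", "1": "I", "B": "8", "8": "B",
}
LETTER_POSITIONS = range(0, 2)   # assumed format: positions 0-1 are letters
DIGIT_POSITIONS = range(2, 8)    # and positions 2-7 are digits
ID_LENGTH = 8

# Constructed set of known account identifiers standing in for a master file.
KNOWN_ACCOUNTS = {"AB123456", "CD980055", "EF555000"}


def normalize(raw):
    """Apply only the substitutions the positional format forces.
    Returns (candidate, list of corrected positions)."""
    chars = list(raw.strip().upper())
    corrected = []
    if len(chars) != ID_LENGTH:
        return "".join(chars), corrected
    for i, ch in enumerate(chars):
        wants_letter = i in LETTER_POSITIONS
        is_letter = ch in string.ascii_uppercase
        # Only swap a character that is the wrong class for its position
        # and has a well-known look-alike of the right class.
        if wants_letter != is_letter and ch in CONFUSABLE:
            chars[i] = CONFUSABLE[ch]
            corrected.append(i)
    return "".join(chars), corrected


def matches_format(value):
    return (len(value) == ID_LENGTH
            and all(value[i] in string.ascii_uppercase for i in LETTER_POSITIONS)
            and all(value[i] in string.digits for i in DIGIT_POSITIONS))


def triage(raw, known=KNOWN_ACCOUNTS):
    """Decide what happens to one OCR read: accept, accept after a forced
    correction that lands on a known account, or route to human review."""
    candidate, corrected = normalize(raw)
    if not matches_format(candidate) or candidate not in known:
        return {"raw": raw, "decision": "review", "candidate": candidate}
    if corrected:
        return {"raw": raw, "decision": "accept_corrected",
                "candidate": candidate, "positions": corrected}
    return {"raw": raw, "decision": "accept", "candidate": candidate}


def triage_batch(reads, known=KNOWN_ACCOUNTS):
    return [triage(r, known) for r in reads]


if __name__ == "__main__":
    for result in triage_batch(["AB1234S6", "CD98OO55", "AB1234S9", "ABC12345"]):
        print(result)
```

The design point is that the control never guesses: a read such as “AB1234S9” that normalizes to an unknown account, or “ABC12345” that cannot be made to fit the format, is queued for review rather than mapped to a customer record, while “AB1234S6” is accepted with the correction logged so that the rate of forced corrections can be tracked as a stability indicator for the OCR engine.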
In other cases, chatbots were prepared for deployment without a strong monitoring strategy to guarantee that upcoming modifications (such as the addition of new languages or features, including access to private financial information) were recognized and regulated before release. By implementing such a plan, the bank was shielded from potential hazards to its finances or reputation. Additionally, it enabled the organization to monitor gains in productivity, for example, by assessing the requirement for human involvement in routine customer contacts.
Step 5: Create a system and infrastructure for tracking risk and returns
Finally, because decisions must be made frequently, businesses can establish procedures for tracking the advantages and dangers of automation and AI over time. A strong monitoring system and infrastructure that has clearly defined performance and risk indicators must be developed in this situation. These frameworks are already in use in the banking industry, but they have only ever focused on risk. To guide strategic business decisions across the organization, it is essential to develop a perspective that considers both the dangers and advantages of AI and automation technologies.
In an ideal world, the monitoring would deliver a dashboard with an overall picture of automation and AI across the enterprise, as well as information relevant to solutions when needed (such as the last time the AI was tested, the level of benefit observed over time, and any performance deterioration). The intelligent-automation risk-return CoE could eventually use this to create a real-time heat map and dashboard (Exhibit 4).
Exhibit 4
This monitoring would be accompanied by an issue-management procedure for effective remediation of errors and limitations identified in AI tools and automation systems. It would also escalate cases in which efficiency is deteriorating over time, and a system needs to be enhanced or redeveloped.
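The dashboard, heat map and issue-management feed described in this step can be built from the Step 2 inventory once each entry carries a last-tested date and a record of observed performance and benefit over time. The block below is an added example for this course, not the CoE system the text describes: the three inventory entries, the reporting date, the 90-day retest interval and the accuracy-drop thresholds are constructed assumptions, and the RAG (red/amber/green) rules are one possible set.

```python
# Added example: a risk-and-return view over an intelligent-automation inventory.
# The inventory records, reporting date, thresholds and RAG rules are constructed
# assumptions for this example, not the CoE dashboard the text describes.
from datetime import date

REPORT_DATE = date(2023, 6, 1)   # assumed reporting date for the dashboard run

INVENTORY = [
    {"id": "ocr-account-capture", "owner": "shared-services", "risk_tier": "high",
     "last_tested": date(2023, 1, 10), "baseline_accuracy": 0.97,
     "recent_accuracy": [0.96, 0.95, 0.93, 0.90], "hours_saved_per_month": 320},
    {"id": "chatbot-retail-support", "owner": "retail-digital", "risk_tier": "high",
     "last_tested": date(2023, 5, 15), "baseline_accuracy": 0.92,
     "recent_accuracy": [0.92, 0.91, 0.92], "hours_saved_per_month": 540},
    {"id": "rpa-invoice-matching", "owner": "finance-ops", "risk_tier": "medium",
     "last_tested": date(2022, 11, 1), "baseline_accuracy": 0.99,
     "recent_accuracy": [0.99, 0.98], "hours_saved_per_month": 110},
]

STALE_AFTER_DAYS = 90      # assumed retest interval
DEGRADED_DROP = 0.05       # assumed accuracy drop that forces a redevelopment review
WATCH_DROP = 0.02          # assumed drop that puts a solution on watch


def days_since_test(entry, today=REPORT_DATE):
    return (today - entry["last_tested"]).days


def deterioration(entry):
    """Drop from the tested baseline to the latest observed accuracy."""
    return round(entry["baseline_accuracy"] - entry["recent_accuracy"][-1], 4)


def rag_status(entry, today=REPORT_DATE):
    stale = days_since_test(entry, today) > STALE_AFTER_DAYS
    drop = deterioration(entry)
    if drop > DEGRADED_DROP or (stale and entry["risk_tier"] == "high"):
        return "RED"
    if stale or drop > WATCH_DROP:
        return "AMBER"
    return "GREEN"


def heat_map(inventory=INVENTORY, today=REPORT_DATE):
    """Enterprise-wide picture: one status per solution."""
    return {e["id"]: rag_status(e, today) for e in inventory}


def open_issues(inventory=INVENTORY, today=REPORT_DATE):
    """Issue-management feed: every solution that needs action, with reasons and owner."""
    issues = []
    for e in inventory:
        reasons = []
        if days_since_test(e, today) > STALE_AFTER_DAYS:
            reasons.append(f"not tested for {days_since_test(e, today)} days")
        if deterioration(e) > WATCH_DROP:
            reasons.append(f"accuracy down {deterioration(e):.2f} from baseline")
        if reasons:
            issues.append({"id": e["id"], "owner": e["owner"],
                           "status": rag_status(e, today), "reasons": reasons})
    return issues


def return_at_risk(inventory=INVENTORY, today=REPORT_DATE):
    """Return side of the equation: monthly hours saved by solutions currently RED."""
    return sum(e["hours_saved_per_month"] for e in inventory
               if rag_status(e, today) == "RED")


if __name__ == "__main__":
    print(heat_map())
    for issue in open_issues():
        print(issue)
    print("hours/month delivered by RED solutions:", return_at_risk())
```

Reading the output, the OCR solution is red because its accuracy has drifted 0.07 below baseline and it has not been retested in 142 days, the invoice-matching robot is amber only because it is overdue for a test, and the chatbot is green; the “return at risk” figure puts the benefit side next to the risk side, which is what the text argues existing bank frameworks lack.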
Intelligent automation is already transforming the efficiency and effectiveness of many business processes. As companies seek to expand their use of these technologies through wider application and the adoption of more sophisticated approaches, however, they are also exposing themselves to ever-greater risks. Balancing these risks against the potential returns of automation and AI will be a critical challenge in the coming years. Organizations that put the right structures, systems, and governance measures in place today will be able to unlock significant improvement potential.
Case Study: Opsmatic – Recipe for disaster
When managed under traditional server administration, automation often faces the same set of age-old IT problems. One of those classic, faulty assumptions is “if it ain’t broke, don’t fix it”: assuming that all systems are operating the way they should be. When Opsmatic’s routine server maintenance shut down its whole operation, it was because things weren’t exactly as the team had thought.
In Opsmatic’s case, a Chef recipe called “remove_default_users” had been created during the early stages of the company’s Amazon Web Services experimentation. Now, long after the test, that recipe was somehow still running against the production servers, unbeknownst to the staff maintaining them.
Like many major outages, this incident was the result of a long, causal sequence of mistakes, none of which were caught until they added up to a giant problem.
Course Manual 4: Compliance Risks
What is compliance risk?
Compliance risk is the danger that failing to act in compliance with industry laws and regulations, internal policies, or recommended best practices will expose a business to legal consequences, financial forfeiture, and material loss. Integrity risk is another name for compliance risk.
Compliance risk affects businesses of all kinds and types, whether they are state or federal agencies, for-profit or charity organizations, or public or private organizations. Failure to abide by relevant laws and regulations may have an impact on an organization’s earnings, which may result in diminished reputation, lost commercial opportunities, and decreased valuation.
Types of compliance risk
Any of the following compliance concerns could affect an organization:
• Corrupt and unauthorized actions. Legal compliance assures that the company, its representatives, and employees are abiding by all applicable laws and rules. Fraud, theft, bribery, money laundering, embezzlement, and other unlawful activities are frequent compliance concerns.
• Privacy violations. The breach of privacy regulations is a frequent compliance risk. Viruses, malware, and hacking are some of the cyber dangers that businesses must worry about. Additionally, if a business handles sensitive data, it must take the necessary precautions to safeguard it and avoid privacy violations.
• Environment-related issues. The environmental harm and pollution that an organization’s operations may produce are the subject of these compliance risks. Examples include destroying natural ecosystems, using dangerous chemicals, disposing of hazardous trash, and polluting groundwater. Many businesses are incorporating sustainability into their company plans and giving their staff members the tools and training they need to comply with environmental regulations.
• Process dangers. Any deviation from, or failure to adhere to, the specified process for completing a task constitutes a process risk. For instance, a business needs a written process for remote network access. It is a process risk if an employee does not follow the correct procedure for remote access.
• Safety and wellbeing at work. Legal requirements force businesses to adhere to particular health and safety procedures. In the United States, many of these rules are implemented by federal organizations like the U.S. Food and Drug Administration (FDA) and the Occupational Safety and Health Administration (OSHA). The European Agency for Safety and Health at Work (EU-OSHA) and the European Medicines Agency (EMA) are the analogous regulatory authorities in Europe.
Case Study: Compliance Failure – ABN Amro: €480m
The Dutch bank ABN Amro received the largest compliance failure fine of 2021 after being hit with a hefty €480 million fine by Dutch authorities over allegations of money laundering. The organization consented to pay a €300 million fine and €180 million in disgorgement.
Prosecutors had previously charged ABN Amro with failing to recognize accounts engaged in money laundering, ending relationships with suspect clients, and failing to disclose such activities to the appropriate authorities.
The Netherlands Public Prosecution Service, which undertook the prosecution, said at the time, “Because ABN AMRO fell seriously short of compliance with the AML/CTF Act, various clients engaged in criminal activities were able to abuse bank accounts and services of ABN AMRO for a long time. ABN AMRO should have observed that certain flows of money through bank accounts held at ABN AMRO possibly originated from crime. The bank failed to act upon this sufficiently.”
What is compliance risk management?
The process of identifying, evaluating, and reducing possible losses that can result from a company’s failure to adhere to laws, regulations, standards, and both internal and external policies and procedures is known as compliance risk management. The goal of management practices is to assist firms in maintaining compliance with numerous rules and laws. The structure and processes used by organizations undergoing digital transformation to control compliance risk may include compliance risk management policies and procedures. In order to make sure that an organization’s compliance is current, compliance risk management is a continual process that entails tracking changes in the regulatory environment. In light of new policies, directives, and regulations, compliance policies, procedures, and training materials must be periodically reviewed.
Organizations must be aware of their compliance risk on several levels, not just from the chief compliance officer’s (CCO) perspective. Even though the CCO and other compliance personnel are responsible for analyzing all aspects of the risk, including its legal, regulatory, financial, and technical hazards, the organization’s compliance risk extends to all levels of the organization, including information technology (IT). For this reason, compliance risk management needs to incorporate the organization’s IT department.
A subset of the overall governance, risk, and compliance (GRC) discipline is compliance risk management. GRC is a collection of management techniques and tools created to make sure that a business operates in accordance with its core principles, goals, and risk tolerance. The financial sector is where GRC laws are most prevalent, but other sectors like healthcare are also compelled by law to implement risk management and compliance procedures.
GRC is intended to assist firms in identifying and assessing threats to their brand and bottom line. Internal auditing, operational risk assessment, and incident management are all related to these three disciplines.
Compliance risk examples
Corporate compliance in the United States is frequently linked to pertinent laws and regulations. For instance, the Sarbanes-Oxley (SOX) Act applies to businesses with publicly listed stock, while the Foreign Corrupt Practices Act (FCPA) applies to publicly traded firms. The U.S. Securities and Exchange Commission (SEC) and other authorities enforce both the FCPA and SOX. The FCPA forbids offering, promising, or giving anything of value to a foreign official in order to influence business decisions. Publicly traded corporations must maintain accurate books and records under SOX. Business operations and financial reporting are two additional responsibilities that must comply with SOX.
There are several compliance concerns and regulations in the healthcare industry. The Health Insurance Portability and Accountability Act (HIPAA) includes laws and regulations that pose a considerable risk of noncompliance. Protected health information (PHI) must, at the very least, be protected in accordance with HIPAA. Other information that would be regarded as PHI under other laws, such as genetic data, health insurance information, and any other information pertaining to the delivery and payment of healthcare, must also be protected according to HIPAA.
For enterprises that need to achieve and maintain compliance, the cloud has brought new dangers. Many businesses are concerned about whether cloud computing services are safe enough to store extremely sensitive data that has to be guarded. When data is transferred onto the cloud without the proper rights structure or when it is exposed to employees who shouldn’t have access to it, compliance can also become a problem. All data is encrypted by the most reliable cloud service providers to protect against security risks.
Compliance risk assessment
The risk assessment process, which includes identifying and assessing the potential hazards that threaten an organization’s capacity to assure compliance with laws and regulations, is a crucial idea in compliance risk management. In addition to analyzing information sources including reports from the company’s management and regulatory authorities, risk assessment may also involve finding data and information that the organization already has access to.
A compliance risk assessment can be used by an organization to examine its level of compliance and identify any improvements that need to be done. With the aid of this data, a business can design and put into action a compliance risk management strategy that will help it stay in compliance with the law. For instance, the evaluation can show that the company needs more secure policies for working remotely. The company can develop more comprehensive remote work procedures as a strategy to counteract this issue.
Consequences of Non-Compliance
Every year, non-compliance with regulatory standards costs organizations all around the world billions of dollars. Due to tighter data rules and restrictions, this will only increase. Losses, however, go beyond only fines and penalties. Businesses that do not comply run the real danger of security lapses, lost productivity, damaged reputations, and more.
According to estimates, the cost of non-compliance is more than three times greater than the cost of compliance. In fact, a single non-compliance incident costs organizations $4 million on average.
It would be prudent to take non-adherence seriously and put the necessary precautions in place given the consequences. Here is a list of the penalties for non-compliance that you could experience.
Legal Consequences
To reduce the danger of a security breach, businesses are obligated by law to abide by privacy and data protection standards. The following legal repercussions will result from any failure.
• Fines and penalties: Organizations that violate privacy rules may be subject to fines and penalties from the regulatory agencies in charge of those requirements. Depending on the level of non-compliance and the regulatory agency in charge of the matter, these sanctions could change. An organization may lose up to 4% of its revenue due to GDPR fines, for example.
• Lawsuits: When a data breach occurs as a result of non-compliance, the consequences extend beyond fines and penalties. Customers, staff, vendors, and other stakeholders are just a few who are impacted by a data breach. There is a good likelihood that these impacted parties will choose to file a lawsuit and pursue legal action.
• Regulator scrutiny: It’s not simple to bounce back from a security compromise that resulted from non-compliance. Businesses may endure pricey regulatory examinations for years to come, even after paying fines and penalties.
• Imprisonment: According to regulatory norms, businesses must take the appropriate precautions to safeguard the data of their clients. Business owners, directors, and executives of a company may even face prison time for criminal negligence in the worst circumstances of non-compliance.
Business Consequences
In many cases, the commercial effects of non-compliance may not really result in financial loss, but the harm can be fairly extensive. Here are a few typical business repercussions:
• Corporate disruption: Non-compliance has a cascade effect that can have a negative influence on a business organization. Customers won’t trust a company that can’t protect their data privacy, and they’ll probably go to the competitors. Additionally, the expenses incurred by fines, lawsuits, etc., will have a detrimental impact on an organization’s capacity to make crucial corporate investments.
• Revenue loss: Businesses may be forced to temporarily halt operations due to noncompliance. Due to the huge overhead costs of operating an unattended firm, this can completely destroy a company. This is why the majority of businesses never fully recover from a significant data breach disaster.
• Breach of security: Any breach of security brought on by non-compliance may result in the loss of important corporate data. Cybercriminals frequently profit from the sale of this data. Businesses cannot afford this while also dealing with other non-compliance issues.
• Reputational damage: As news of non-compliance problems or security breach instances spreads among the public, the company in question’s reputation may suffer long-term damage. Customers will lose faith in the business, and it can take a while for it to rebuild its reputation to its previous luster.
Case Study: Compliance Failure – NatWest: £264m
UK bank NatWest, which entered a guilty plea to three counts of money laundering violations on October 7 at Westminster Magistrates’ Court, became another bank to incur a significant fine as a result of compliance failings. This was the first criminal investigation conducted by the Financial Conduct Authority (FCA).
The bank was accused of failing to adequately oversee the activities of Bradford-based jewellery retailer Fowler Oldfield, a commercial client of the bank, from 8 November 2012 to 23 June 2016. NatWest first believed it would not handle cash from Fowler Oldfield when the customer was onboarded; nonetheless, during the course of the customer relationship, the customer deposited about £365 million into the bank, with £264 million of that amount being cash.
The FCA stated that several of the NatWest personnel in charge of these cash deposits informed bank personnel looking into money laundering of their suspicions. Nevertheless, nothing was done.
How to create a successful corporate compliance program
Few companies can afford to put off implementing a corporate compliance program. Don’t let your company’s hindsight be 20/20. Have the wisdom to act right away.
To ensure that staff members are knowledgeable in all compliance-related topics, your program should be carefully prepared, implemented, and accompanied by training initiatives.
Here are some actions you may do to create or improve your company compliance program:
Get your leadership on board
You must actively manage your corporate compliance program. The task of overseeing the program on a daily basis should fall under the purview of one individual.
Your organization may have one compliance officer or several, depending on its size. No matter what, whoever is in charge of the compliance program ought to have the power to enforce the rules and hold everyone accountable.
They also require direct access to the company’s governing body, which could be either the board of directors or senior management.
When possible compliance issues arise, access to senior management and the ability to enforce rules are crucial, enabling your officers to act fast.
However, communication is two-way. The governing board must routinely evaluate how well the business compliance program is working.
Corporate compliance is the process of promoting an ethical workplace environment.
This starts at the top.
Your leaders must first abide by the guidelines in order for the program to be successful. They ought to promote moral conduct and clearly discuss the significance of compliance.
Employee involvement should be valued, and company executives should emphasize that reporting illegal or unethical activity won’t result in retaliation.
A checklist for assessing business compliance processes was developed by the Department of Justice, and it includes the following questions:
• How have top leaders fostered or discouraged the sort of wrongdoing in question through their words and deeds?
• What specific steps have they made to show leadership in the organization’s compliance and improvement efforts?
• How does the business keep an eye on the actions of its senior leadership? How has senior leadership served as an example of proper conduct for employees?
Conduct risk assessments
Corporate compliance is about managing risk, as was already mentioned.
You must be aware of the compliance areas that represent the most risks to your firm in order to develop a successful program. You can concentrate your resources on addressing these issues once you have recognized them.
Regulations from the federal and state governments as well as business standards are always changing. Conducting regular assessments is vital to reduce the risk of noncompliance. A risk assessment is advised to be done once per year, according to the Association of Corporate Counsel (ACC).
A formal evaluation procedure, such as the one the ACC suggests, can help your business take preventive measures against corporate compliance violations. Such an evaluation reviews:
• Audit findings
• Recent court cases
• Concerns about compliance
• Worker claims
• Trends in industry enforcement
• Policies for compliance in each risk area
Establish and maintain your code of conduct, policies, and standards
A clear code of conduct is necessary for any corporate compliance program. Why? Because it sets expectations for conduct and helps define the objective of your program.
The code of conduct serves as a guide and should clarify the following essential ideas:
• Who is in charge of overseeing the program?
• How to report wrongdoing by workers
• Punitive actions for breaking the code of conduct
On that foundation, your corporate policies should include instructions for specific areas of compliance. They could address typical company compliance infractions like these:
• Corporate criminality
• Bribery
• Tax procedures
• Competing interests
• Record keeping
The list continues. However, the specific areas you must address will vary depending on your sector.
You should design procedures to aid staff in following policies appropriately when risk areas have been identified and rules have been created. Making detailed instructions makes it simpler to follow processes and spot noncompliance.
High-risk areas in some sectors might require stricter standards. For instance, the Foreign Corrupt Practices Act may mandate that you maintain elaborate procedures for vetting outside business partners.
Properly train all employees
Standards and policies for compliance are pointless if personnel don’t adhere to them.
You must inform each employee of the policies and processes for your business compliance program after they have been established.
Ensure that all compliance rules and procedures are read and approved by corporate officers, employees, and third-party vendors.
Training on laws, rules, company policies, and banned behaviour should be provided to all workers and pertinent vendors. Depending on the size of your company, you might wish to offer specialized training to some employees who work in high-risk areas.
You should monitor, record, and follow up on training, according to the ACC. You can do this and automate many of your manual operations by putting in place a compliance policy and training management platform. You can communicate regulations, deliver online training, develop unique examinations, and more with the proper software.
Case Study: Credit Suisse – £147m
In addition, the FCA fined Credit Suisse £147 million for serious due diligence errors related to transactions with the Republic of Mozambique.
The penalty was imposed because Credit Suisse mishandled the $1.3 billion in loans it made for the Republic of Mozambique in terms of financial crime due diligence. These loans and a bond swap, according to the FCA, were tainted by wrongdoing.
The FCA and Credit Suisse reached an agreement wherein Credit Suisse would waive $20 million in debt that the Republic of Mozambique owed as a result of the tainted loans.
Course Manual 5: Cloud Risks
Organizations keep creating new apps for the cloud or moving their current ones there. The adoption of the cloud has recently been prioritized by the federal government as part of its IT modernization agenda. Unaware of the risks involved, an organization adopting cloud technology and/or selecting the services or apps of cloud service providers (CSPs) exposes itself to a variety of business, financial, technical, legal, and compliance hazards. In this section of the course manual we discuss 12 risks, threats, and vulnerabilities that organizations encounter when migrating applications or data to the cloud. The best practices for moving data and applications to the cloud securely are discussed in the following section.
We would like to point out that the risks and weaknesses associated with moving to the cloud are constantly changing, and the ones described here are by no means all of them. Organizations must also take into account additional difficulties and dangers related to cloud adoption that are unique to their own objectives, systems, and data.
The cloud model from the National Institute of Standards and Technology (NIST) gives a definition of cloud computing as well as examples of its applications.
NIST identifies the following characteristics and models for cloud computing:
• Essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service
• Service Models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)
• Deployment Models: private cloud, community cloud, public cloud, and hybrid cloud
Cloud Computing Threats, Risks, and Vulnerabilities
At a high level, dangers in cloud environments are similar to those in traditional data center environments; the threat landscape is the same. In other words, cloud computing uses software, and since software contains flaws, adversaries strive to exploit those flaws. However, in cloud computing, the CSP and the cloud consumer share responsibility for reducing the risks brought on by these software vulnerabilities, unlike information technology systems in a traditional data center. Therefore, customers must be aware of the responsibility breakdown and have faith in the CSP to fulfill their obligations. The following list of cloud-unique and shared cloud/on-premise vulnerabilities and threats was compiled based on literature searches and analysis efforts. Additionally, the danger landscape for cloud computing platforms is shown in the graphic below.
Cloud-Specific Risks and Threats
The five cloud computing characteristics that a CSP implements lead to the following vulnerabilities. Traditional IT data centers do not include these issues.
#1 Consumers Have Less Control and Visibility. Organizations lose some visibility and control over their assets and processes when they move them to the cloud. When leveraging external cloud services, the CSP becomes responsible for portions of the infrastructure and policies.
This actual shift of responsibilities, which depends on the specific cloud service model(s) adopted, produces a paradigm shift in how agencies approach security monitoring and logging. Without the network-based monitoring and logging available for on-premises IT, organizations must instead monitor and analyze information about applications, services, data, and users.
#2 On-Demand Self Service Simplifies Unauthorized Use. It is quite simple to provision new services with CSPs. The staff of an organization are able to provision extra services from the agency’s CSP without IT approval thanks to the cloud’s on-demand self-service provisioning features. Shadow IT is the term used to describe the practice of employing software within an organization that is not supported by the organization’s IT department.
The lower cost and simplicity of deploying PaaS and SaaS solutions increase the likelihood that cloud services will be used without authorization. An organization therefore runs the risk of having services provisioned or used without IT’s knowledge. Since the organization cannot defend resources it is unaware of, the use of unauthorized cloud services can increase malware infections or data exfiltration. Unauthorized cloud services also reduce an organization’s visibility into, and control over, its network and data.
#3 Internet-Accessible Management APIs Can Be Compromised. CSPs expose a set of application programming interfaces (APIs), also known as the management plane, through which customers manage and interact with cloud services. Organizations use these APIs to provision, administer, orchestrate, and monitor their users and assets. These APIs can contain the same kinds of software flaws as an operating system or library API. Because the CSP’s APIs are reachable from the Internet, they are more exposed to exploitation than the management APIs of on-premises computing.
Threat actors scan management APIs for weaknesses. If such vulnerabilities are found, the organization’s cloud assets may be compromised, and from there an attacker can use the organization’s resources to launch further attacks against other CSP customers.
#4 Separation Among Multiple Tenants Fails. Exploitation of system and software flaws in a CSP’s infrastructure, platforms, or applications that support multi-tenancy can cause tenant separation to fail. An attacker could use such a flaw to reach data or resources belonging to another user or organization from within their own tenant. When separation mechanisms are ineffective, multi-tenancy broadens the attack surface and raises the risk of data leakage.
Such an attack can be carried out by exploiting flaws in the CSP’s applications, hypervisor, or hardware, by defeating logical isolation controls, or by attacking the CSP’s management API. No verified security breach of a CSP’s SaaS platform has yet allowed an outside attacker to access tenants’ data.
Attacks based on logical separation failures have not been reported; however, proof-of-concept exploits have been shown to work.
#5 Data Deletion is Incomplete. Threats related to data deletion exist because the consumer has less visibility into where their data is physically stored in the cloud and less ability to confirm its secure deletion. This risk is serious because, in the multi-tenant environment of the CSP’s infrastructure, the data is dispersed across numerous storage devices. Furthermore, deletion methods may vary from provider to provider. Organizations may be unable to confirm that their data was properly erased and that no copies remain accessible to attackers. This hazard grows as an agency makes increasing use of CSP services.
This chart from an InformationWeek and Dark Reading survey shows the top cloud computing risks that concern IT professionals. As you can see, the top three center on the threat of unauthorized access and security.
Case Study: Relying only on one provider
The fragility of an organization’s data under vendor lock-in was revealed in 2013 when Nirvanix went down. Users sometimes assume that their provider will be there for as long as they require it, but as the cloud market grows more competitive, some providers cannot keep up. Customers of Nirvanix had 30 days to relocate their assets, which left many of them a very small window in which to move significant volumes of data at once. Those who could not transfer all of their data had to wonder whether the remaining files would be cleaned up, erased, or disposed of correctly.
Some businesses using Nirvanix needed the bulk of the available time to move their data, because many businesses have download bandwidth limits that make it difficult to restore their assets. Because they had no redundancy and had put all of their eggs in one basket, these firms were compelled to devote all of their resources to retrieving their data.
“A business should always have a strong sense of the assets it has stored in the cloud, but it needs to consider those points in terms of the time and cost of retrieving them,” IT analyst Charles King told CIO.
Cloud and On-Premise Threats and Risks
Organizations need to address the risks listed below that pertain to both cloud and on-premise IT data centers.
#6 Credentials are Stolen. If an attacker obtains a user’s cloud credentials, the attacker can target the organization’s assets and use the CSP’s services to provision extra resources (if the credentials allow such access). The attacker might also use cloud computing resources to target the CSP’s administrators, other organizations using the same CSP, or administrative users within the enterprise. An attacker holding the cloud credentials of a CSP administrator may be able to access the organization’s systems and data.
Administrator roles differ between CSPs and their customers. Depending on the service, a CSP administrator has access to the network, systems, and applications of the CSP’s infrastructure, whereas a consumer’s administrators have access only to that organization’s cloud implementations. In essence, the CSP administrator supports several services and holds administrative powers over multiple customers.
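As an added example that is not part of the training program or any CSP’s tooling, the following Python script shows how a defender can detect three of the risks discussed above (#2 unapproved self-service provisioning, #3 management-plane calls arriving from unexpected networks, and #6 sensitive actions performed with credentials that lack MFA) from audit-log events. The event records, the approved-provisioner role, the trusted network ranges and the field names are all constructed assumptions; real CloudTrail records have a richer structure.

```python
"""Detect risky activity on the cloud management plane from audit-log events.

Added example, not from the Appleton Greene program or any CSP. The event
records and the identity/network lists below are constructed; the field
names only loosely resemble AWS CloudTrail records and are an assumption.
"""
import ipaddress
from typing import Dict, List

# Actions that create new, billable attack surface (constructed list).
PROVISIONING_ACTIONS = {"RunInstances", "CreateBucket", "CreateDBInstance", "CreateUser"}

# Identities permitted to provision resources (assumption: one platform team role).
APPROVED_PROVISIONERS = {"role/platform-engineering"}

# Networks from which management API calls are expected. The ranges are
# documentation prefixes (RFC 5737), used here as constructed stand-ins.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # corporate egress
    ipaddress.ip_network("198.51.100.0/24"),  # VPN egress
]


def from_trusted_network(ip: str) -> bool:
    """True when the caller's source address falls inside an expected range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze_event(event: Dict) -> List[str]:
    """Return finding codes for one management-plane event (empty if benign)."""
    findings: List[str] = []
    action = event["eventName"]
    principal = event["userIdentity"]["name"]
    mfa = event["userIdentity"].get("mfaAuthenticated", False)

    # Risk #2 (shadow IT): provisioning by an identity outside the approved set.
    if action in PROVISIONING_ACTIONS and principal not in APPROVED_PROVISIONERS:
        findings.append("UNAPPROVED_PROVISIONING")

    # Risk #3 (Internet-exposed management API): call from an unexpected network.
    if not from_trusted_network(event["sourceIPAddress"]):
        findings.append("UNTRUSTED_SOURCE_NETWORK")

    # Risk #6 (stolen credentials): a sensitive action performed without MFA.
    if action in PROVISIONING_ACTIONS and not mfa:
        findings.append("NO_MFA_ON_SENSITIVE_ACTION")
    return findings


def analyze_trail(events: List[Dict]) -> Dict[str, List[str]]:
    """Map eventID -> findings, keeping only events with at least one finding."""
    report: Dict[str, List[str]] = {}
    for event in events:
        findings = analyze_event(event)
        if findings:
            report[event["eventID"]] = findings
    return report


# Constructed sample trail (not real data).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"name": "role/platform-engineering", "mfaAuthenticated": True}},
    {"eventID": "e2", "eventName": "CreateBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"name": "user/alice", "mfaAuthenticated": False}},
    {"eventID": "e3", "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"name": "user/bob", "mfaAuthenticated": True}},
    {"eventID": "e4", "eventName": "CreateUser", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"name": "user/alice", "mfaAuthenticated": False}},
]

if __name__ == "__main__":
    for event_id, findings in analyze_trail(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(findings))
```

Event e1 (an approved role, from the corporate network, with MFA) produces no finding; e4 trips all three rules. In practice the approved-identity set and trusted ranges would come from the organization’s inventory, which is exactly the visibility that risks #1 and #2 say is lost when provisioning happens outside IT’s knowledge.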
#7 Vendor Lock-In Makes Changing CSPs Difficult. When a company considers switching its assets or operations from one CSP to another, vendor lock-in becomes a problem. The company learns that the migration would cost more, take more time, and require more effort than originally anticipated because of things like non-standard data formats, non-standard APIs, and dependency on one CSP’s proprietary tools and special APIs.
In service models where the CSP assumes greater responsibility, this problem gets worse. The amount of exposure to a CSP’s distinctive implementations rises when an agency utilizes additional features, services, or APIs. When a capability is transferred to a different CSP, adjustments are necessary due to these special implementations. A significant issue arises if a chosen CSP closes its doors since data may be lost or may not be able to be promptly moved to another CSP.
#8 IT Staff is Stressed by Increasing Complexity. IT operations may become more complicated after a cloud migration. The agency’s existing IT employees may need to learn a new model in order to manage, integrate, and operate in the cloud. In addition to their present duties for on-premises IT, IT staff must be able to manage, integrate, and support the migration of assets and data to the cloud.
In the cloud, key management and encryption services are more complicated. The complexity is further increased by the fact that different CSPs often offer different services, methodologies, and tools for logging and monitoring cloud services. Due to the complexity of the technology, rules, and implementation techniques, there may potentially be emergent risks or hazards in hybrid cloud installations. Because of this increased complexity, security flaws in an agency’s cloud and on-premises systems are more likely to occur.
#9 Insiders Abuse Authorized Access. Insiders who misuse their permitted access to the networks, systems, and data of the company or CSP, such as employees and administrators, are in a unique position to cause harm or exfiltrate information.
In IaaS the damage can be worse, because an insider can provision resources or carry out illicit operations whose identification requires forensic analysis, and the forensic capabilities available on-premises may not be possible for cloud resources.
#10 Stored Data is Lost. Data stored in the cloud may be lost for reasons other than hostile attacks. Customer data may be permanently lost through a physical disaster, such as a fire or earthquake, or through a file accidentally deleted by the cloud service provider. The provider is not the only party responsible for preventing data loss: if a client encrypts data before uploading it to the cloud and then loses the encryption key, the data is lost. Inadequate understanding of a CSP’s storage model may also cause data loss. Agencies need to plan for data recovery and be ready in case their CSP is acquired, changes its service offerings, or goes bankrupt.
This hazard grows as an agency makes increasing use of CSP services. Because an SLA specifies availability/uptime percentages, restoring data held by a CSP may be simpler than restoring it at an agency; when choosing a CSP, the agency should examine these percentages.
#11 The CSP Supply Chain is Compromised. If the CSP outsources some of its infrastructure, operations, or maintenance to third parties, the requirements the CSP is contracted to deliver to an organization may not be satisfied or supported. An organization must assess the CSP’s compliance enforcement procedures and determine whether it extends its own standards to those third parties. The threat to the agency escalates if these requirements are not passed down the supply chain.
As a company uses more CSP services and becomes more reliant on certain CSPs and their supply chain policies, the threat grows.
#12 Cybersecurity Risk Is Increased by Insufficient Due Diligence. Organizations moving to the cloud frequently don’t do enough research beforehand. They transfer data to the cloud without fully comprehending its implications, the CSP’s security protocols, or their own obligation to implement security safeguards. They choose to employ cloud services despite not completely comprehending how secure those services must be.
How to Mitigate Common Cloud Computing Security Issues
Even if cloud adoption is not your organization’s primary information technology (IT) strategy, your organization nevertheless uses cloud services. There are three recommended practices that all enterprises should follow to reduce the security risks associated with cloud computing:
• DevSecOps processes — DevOps and DevSecOps have frequently been shown to boost the speed of application development and feature deployment while reducing exploits and vulnerabilities and improving code quality. To operate at the speed that today’s business environment requires, it is essential to integrate development, QA, and security processes within the business unit or application team rather than depending on a separate security verification team.
• Automated application deployment and management tools – Even the most seasoned security expert struggles to keep up with the number and velocity of security risks as well as the shortage of security talents. Modern IT operations include automation as a basic element since it eliminates repetitive labor and enhances human benefits with machine advantages.
• Unified security with centralized management across all services and providers — No single product or vendor can deliver everything, but having a variety of unconnected management tools makes it too easy for something to slip through. By connecting the dots and optimizing procedures, a unified management system with an open integration fabric minimizes complexity.
Finally, when choosing between two options, greater control should not take precedence over improved visibility. It is preferable to be able to observe the entire cloud than to try to manage just a small section of it.
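To make the first two practices concrete, here is an added example (not code from the program or from any vendor) of a policy-as-code gate that a DevSecOps pipeline could run before deployment: it scans a planned set of cloud resources for the kinds of misconfiguration discussed in this section (a public storage bucket, unencrypted storage, administrative ports open to the Internet, a publicly reachable database) and blocks the deployment on any high-severity finding. The resource schema, rule names and both plans are constructed assumptions; the weak plan sits beside the hardened plan that passes the gate.

```python
"""Policy-as-code gate for infrastructure definitions in a deployment pipeline.

Added example, not code from the program or any vendor. The resource
records below are constructed and use a simplified, assumed shape rather
than any real Terraform or CloudFormation schema.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (resource name, rule id, severity)

ADMIN_PORTS = {22, 3389}  # SSH and RDP
ANYWHERE = "0.0.0.0/0"


def check_bucket(res: Dict) -> List[Finding]:
    out: List[Finding] = []
    if res.get("acl", "private") != "private":
        out.append((res["name"], "S3_PUBLIC_ACL", "HIGH"))
    if not res.get("encrypted", False):
        out.append((res["name"], "S3_UNENCRYPTED", "MEDIUM"))
    return out


def check_security_group(res: Dict) -> List[Finding]:
    out: List[Finding] = []
    for rule in res.get("ingress", []):
        world = rule.get("cidr") == ANYWHERE
        port = rule.get("port")
        # Admin ports, or "all ports" (-1), reachable from the whole Internet.
        if world and (port in ADMIN_PORTS or port == -1):
            out.append((res["name"], "SG_ADMIN_PORT_OPEN_TO_WORLD", "HIGH"))
            break  # one finding per group is enough to block the deployment
    return out


def check_database(res: Dict) -> List[Finding]:
    if res.get("publicly_accessible", False):
        return [(res["name"], "DB_PUBLICLY_ACCESSIBLE", "HIGH")]
    return []


CHECKS = {
    "aws_s3_bucket": check_bucket,
    "aws_security_group": check_security_group,
    "aws_db_instance": check_database,
}


def scan_plan(resources: List[Dict]) -> List[Finding]:
    """Run every applicable check over a list of planned resources."""
    findings: List[Finding] = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


def pipeline_should_fail(findings: List[Finding]) -> bool:
    """Block the deployment when any HIGH-severity finding is present."""
    return any(sev == "HIGH" for _, _, sev in findings)


# Constructed "before" plan carrying the weak settings...
WEAK_PLAN = [
    {"type": "aws_s3_bucket", "name": "logs", "acl": "public-read", "encrypted": False},
    {"type": "aws_s3_bucket", "name": "data", "acl": "private", "encrypted": True},
    {"type": "aws_security_group", "name": "web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "aws_db_instance", "name": "orders", "publicly_accessible": True},
]

# ...and the corrected plan a developer commits after the gate rejects it.
HARDENED_PLAN = [
    {"type": "aws_s3_bucket", "name": "logs", "acl": "private", "encrypted": True},
    {"type": "aws_s3_bucket", "name": "data", "acl": "private", "encrypted": True},
    {"type": "aws_security_group", "name": "web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "203.0.113.0/24"}]},
    {"type": "aws_db_instance", "name": "orders", "publicly_accessible": False},
]

if __name__ == "__main__":
    for plan_name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        findings = scan_plan(plan)
        print(plan_name, "BLOCKED" if pipeline_should_fail(findings) else "PASSED", findings)
```

Port 443 open to the world on the web group is deliberately not flagged: the gate encodes the organization’s policy, not a blanket ban, which is why the rules belong in version control next to the infrastructure they judge.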
Wrapping Up and Looking Ahead
Recognize that CSPs employ a shared responsibility paradigm for security. Some security-related responsibilities are accepted by the CSP. The CSP and the customer share responsibility for other security-related issues. Finally, some security-related issues are still wholly the consumer’s responsibility. Understanding your obligations as a consumer and fulfilling them will ensure effective cloud security. An important factor contributing to security issues in cloud-based systems is consumers’ failure to comprehend or fulfill their obligations.
Breaches can destroy backups
Code Spaces, a business that hosted source code, shut down in June 2014 after a severe attack on its cloud platform. According to Ars Technica, an unauthorized person gained access to the company’s Amazon Web Services account and erased the majority of the customer data stored there. To make matters worse, Code Spaces had boasted that it could protect customer data from dire situations and had a complete recovery strategy. The breach followed a distributed denial-of-service attack intended to extort money.
Users began to question Code Spaces’ trustworthiness as a result of its inability to deliver on its claims, which finally caused the site to shut down. The financial burden of fixing the problem and recovering subscriber data would have put the business in an unrecoverable situation and probably led to a similar service suspension.
“Backing up data is one thing, but it is meaningless without a recovery plan, not only that [but also] a recovery plan – and one that is well-practiced and proven to work time and time again,” Code Spaces’ website stated.
Course Manual 6: Cybersecurity Risks
What are common cybersecurity risks?
Risks associated with cybersecurity can take many different forms, differ between industries, and change over time. However, when developing your organization’s cybersecurity risk management program, there are a few important factors to bear in mind.
The typical security concerns that organizations face are described below:
Third-party vendor risk
Organizations can outsource specific business processes to third- and fourth-party providers, which helps reduce costs and improve operational effectiveness. These vendors frequently have access to an organization’s most sensitive information, including the personally identifiable information (PII) of its clients.
The comprehensive and ongoing visibility of every entity within an organization’s entire network is crucial. With the help of third-party risk management, businesses can profit from vendor advantages without sacrificing security.
Employees and contractors (insider threats)
As was already said, employees and contractors who have access to the network play a significant part in keeping an organization’s cybersecurity posture strong. This makes social engineering and cybersecurity awareness training essential. Insiders should be able to recognize different risks and know what to do when they are found. Insiders can take proactive measures to reduce risk when they fully grasp the many dangers that they should be aware of.
The Zero Trust Security model, a security strategy based on the idea that access should be managed in accordance with each user’s or device’s unique job function, should be implemented by organizations. This reduces the likelihood that insiders may purposefully or carelessly circumvent their access constraints.
Lacking compliance measures
A greater number of regulatory compliance standards, including PCI, HIPAA, and GDPR, are being implemented as customers’ concerns about data privacy grow. Although adhering to these rules is a crucial consideration that should be made, it’s crucial to realize that doing so does not automatically render a business secure from intruders.
Because firms can wander in and out of compliance in between audits, the old-fashioned point-in-time assessments are no longer sufficient. Instead, to enable your firm to adapt to changing industry standards, a comprehensive cybersecurity plan should give you the capacity to regularly check your whole network environment for non-compliance.
Improperly secured intellectual property and sensitive information
Companies are accumulating more client data than ever in the modern digital age. Organizations can use this sensitive data to improve customer experiences and influence future decisions, but doing so exposes them to a tremendous degree of danger, particularly if sensitive data or intellectual property is not adequately secured. To make sure that the appropriate security measures are taken into account, organizations should review the rules governing data protection in their sector.
What is the Business Significance of Cyber Attacks?
Although conventional IT security measures are beneficial, they are insufficient on their own to guard against advanced attacks and against improper configuration.
More than ever, the spread of technology makes it possible for unauthorized people to access your company’s data. Third parties are increasingly given access to information through the supply chain, customers, and other third- and fourth-party suppliers. Organizations are also storing substantial amounts of personally identifiable information (PII) with external cloud providers, which must be configured properly to protect that data; this further increases the risk.
Consider also the growing number of devices that are constantly connected for data exchange. Expectations of rapid access to information grow as your company becomes global and its network of workers, clients, and third-party vendors widens. As younger generations expect instantaneous, real-time access to data from everywhere, the attack surface for viruses, vulnerabilities, and other exploits has drastically increased.
Unexpected cyber dangers might originate from adversaries, rivals, organized criminals, employees, inadequate configuration, and your third-party vendors. As regulations and rules for the disclosure of cybersecurity events and data breaches continue to expand, firms are adopting software to manage their third-party vendors and regularly check for data breaches. As a result, cyber security policies are growing more complex.
The importance of recognizing, responding to, and disclosing a potential breach now outweighs the utility of traditional, cyclical IT security measures as a preventative step.
Data breaches frequently result from inadequate data protection and have a significant, negative impact on businesses. Any sound risk management plan includes external monitoring through third- and fourth-party vendor risk evaluations. Your company runs the danger of facing financial, legal, and reputational harm without adequate IT security management.
Cybersecurity Risk Management
What Is Cybersecurity Risk Management?
Cybersecurity risk management is a strategic approach to prioritizing threats. Organizations use it to ensure that the most serious threats are dealt with quickly. Based on the potential harm each threat could cause, this method aids in the identification, analysis, evaluation, and mitigation of threats.
A risk management plan recognizes that a company cannot completely eliminate all system flaws or prevent all online threats. Developing a cybersecurity risk management strategy aids firms in being the first to respond to the most serious vulnerabilities, threat patterns, and assaults.
In general, there are four steps in the risk management process for cybersecurity:
• Identify risk – evaluate the organization’s environment to identify current or potential risks that could affect business operations.
• Assess risk – analyze identified risks to determine how likely they are to affect the organization, and what the impact could be.
• Control risk – define methods, procedures, technologies, or other measures that can help the organization mitigate the risks.
• Review controls – evaluate, on an ongoing basis, how effective controls are at mitigating risks, and add or adjust controls as needed.
What is a Cybersecurity Risk Assessment?
A cybersecurity risk assessment is a procedure that aids businesses in identifying their main goals and the pertinent IT resources needed to achieve them.
It entails the detection of cyberattacks that could have a bad effect on these IT assets. The organization must assess the likelihood of these assaults happening and specify the potential effects of each attack.
The complete threat environment should be mapped out in a cybersecurity risk assessment, together with any potential effects on the organization’s business goals.
The assessment’s findings need to help security teams and other important parties make well-informed choices on the implementation of security measures that reduce these risks.
T-Mobile breach exposes sensitive customer data—twice
T-Mobile disclosed in December 2021 that it had experienced a fifth hacking attack in three years.
Because it is more cost-effective to pay the fines imposed by the Federal Trade Commission in the event of a breach, companies that repeatedly violate cybersecurity laws generally decide to forgo additional safeguards. Whether T-Mobile is one of them is unknown.
“Some companies, including banks, do a cost/benefit analysis,” he said. “In some cases, it’s cheaper to take the hit. Slap us on the wrist so we can move on.”
The first T-Mobile attack of 2020 was confirmed when a cybercriminal gained access to employee email accounts and stole information about T-Mobile employees and some of its customers. While only account information was taken from some users, “social security numbers, financial account information, and government identity numbers” were stolen from others.
The FCC describes the second attack as restricted to “customer private network information,” which includes phone numbers, the number of lines connected to an account, and call history data. T-Mobile was careful to point out that only 0.2% of its 100 million customers were impacted by the incident, which still translates to around 200,000 people. While a hacker cannot steal your identity or withdraw money from your bank account using stolen customer metadata (information about a customer’s transaction history that does not personally identify them), they may use it in conjunction with another technique.
For instance, they can conduct coordinated phone scams and phishing attacks. The method of verbally manipulating a victim into disclosing their personal information is known as social engineering. When a hacker has specific knowledge about you, such as your transaction history, they can appear more convincingly to be a call center agent.
What Are Cyber Threats?
Any method that can be used to compromise security, harm the organization, or exfiltrate data is often referred to as a cyber threat.
Modern businesses frequently encounter the following hazard categories:
• Adversarial threats—including third-party vendors, insider threats, trusted insiders, established hacker collectives, privileged insiders, ad hoc groups, suppliers, corporate espionage, and nation-states. This category also includes malicious software (malware) created by any of these entities. Large organizations mitigate these threats by establishing a security operations center (SOC) with trained security staff and specialized tooling.
• Natural disasters—hurricanes, floods, earthquakes, fire, and lightning can cause as much damage as a malicious cyber attacker. A natural disaster can result in loss of data, disruption of services, and the destruction of an organization’s physical or digital resources. The threat of natural disaster can be minimized by distributing an organization’s operations over multiple physical sites or using distributed cloud resources.
• System failure—when a system fails, it may cause data loss and also lead to a disruption in business continuity. Make sure that your most critical systems are running on high-quality equipment, have redundancy in place to ensure high availability, are backed up, and your providers offer timely support.
• Human error—any user may accidentally download malware or get tricked by social engineering schemes like phishing campaigns. A storage misconfiguration may expose sensitive data. To prevent and mitigate these threats, you should establish an employee training program and enforce strong security controls. For example, use password managers and monitor critical systems for misconfigurations.
The following are the main threat areas that the majority of companies face:
• Unauthorized access—may be the result of malicious attackers, malware, and employee error.
• Misuse of information by authorized users—an insider threat may misuse information by altering, deleting, or using data without authorization.
• Data leaks—threat actors or cloud misconfiguration may lead to leaks of personally identifiable information (PII) and other types of sensitive data.
• Loss of data—poorly configured replication and backup processes may lead to data loss or accidental deletion.
• Service disruption—downtime may cause reputational damages and revenue losses. It may be accidental, or the result of a denial of service (DoS) attack.
Cyber Risk Management Frameworks
There are various frameworks for managing cyber hazards, and each one offers guidelines that organizations can use to pinpoint and reduce risks. These frameworks are used by senior management and security leaders to evaluate and enhance the organization’s security posture.
Organizations can assess, monitor, and define security policies and procedures to address threats with the aid of a cyber risk management framework. Here are a few popular frameworks for managing cyber risk.
NIST CSF
A well-known framework is the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). The NIST CSF offers a comprehensive collection of best practices that standardize risk management. Its core functions, Identify, Protect, Detect, Respond, and Recover, map out the key activities and outcomes of cybersecurity risk management.
ISO 27001
ISO/IEC 27001 was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO/IEC 27001 cybersecurity framework provides a certifiable collection of standards designed to systematically manage information system risks. Organizations can also use the ISO 31000 standard, which provides guidelines for enterprise risk management.
DoD RMF
The Risk Management Framework (RMF) for the Department of Defense (DoD) outlines the standards that DoD entities must follow when evaluating and managing cybersecurity threats. The RMF breaks the cyber risk management plan down into six main steps: categorize, select, implement, assess, authorize, and monitor.
FAIR Framework
The Factor Analysis of Information Risk (FAIR) framework helps enterprises assess, analyze, and understand information risk. Its objective is to help businesses make informed decisions while developing cybersecurity best practices.
Best Practices for Cybersecurity Risk Assessment
Build Cybersecurity into the Enterprise Risk Management Framework
Integrate your risk-based cybersecurity program fully into the framework for enterprise risk management, which serves as the guiding concept for identifying and categorizing company risks. The framework should serve as the organizing principle rather than a broad rule of thumb. This strategy makes cyber risk management more understandable to organizations by portraying cyber risk as a business concern.
Identify Value-Creating Workflows
Determine the workflows that produce the most business value and the risks they carry. The potential effects of essential workflows must be taken into account because they can present a serious risk. For instance, payment processes add value but pose a risk to the organization because they are open to fraud and data loss.
Make sure the cybersecurity team is aware of the processes that are important to your business and list the teams, tools, and data assets that are utilized in each process. This enables you to use the suggested controls. Instead of taking a maturity-based strategy on its own, cybersecurity and business personnel should work together.
Prioritize Cyber Risks
To inform your risk management and mitigation techniques, determine the level of risk based on the cost of prevention and the value of information. High-level risks should be dealt with right away, while low-level hazards can be dealt with later or tolerated as risks. The expense is not justified if the cost of protecting an asset exceeds its value, unless the danger could harm your reputation.
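The following Python example is added here and is not a tool from the program, from NIST or from the FAIR Institute. It works one register of constructed risks through the four steps listed earlier (identify, assess, control, review), using FAIR’s two top-level factors, loss event frequency and loss magnitude, to compute an annualized loss expectancy, and it applies the prioritization rule just stated: a control whose cost exceeds the asset’s value is not justified unless the loss could harm reputation, high risks are handled now, and low risks are deferred or tolerated. All figures, thresholds and control effects are assumptions.

```python
"""Quantitative risk register walking through identify, assess, control, review.

Added example, not a tool from the program or from the FAIR standard. The risks,
dollar figures, frequencies and thresholds are constructed for illustration;
loss event frequency (LEF) and loss magnitude (LM) borrow FAIR's two top-level
factors, and annualized loss expectancy (ALE) is their product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HIGH_ALE = 100_000.0  # assumed rating thresholds, dollars per year
LOW_ALE = 10_000.0


@dataclass
class Risk:
    name: str
    asset_value: float           # value of the asset at stake, dollars
    loss_event_frequency: float  # expected loss events per year (FAIR: LEF)
    loss_magnitude: float        # expected loss per event, dollars (FAIR: LM)
    reputational: bool = False   # could a loss damage the organization's reputation?

    def ale(self) -> float:
        """Annualized loss expectancy: average yearly cost of this risk."""
        return self.loss_event_frequency * self.loss_magnitude


@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of loss events the control prevents (0..1)
    magnitude_reduction: float  # fraction of per-event loss the control removes (0..1)


def rate(ale: float) -> str:
    """Step 2, assess: translate ALE into HIGH/MEDIUM/LOW bands."""
    if ale >= HIGH_ALE:
        return "HIGH"
    if ale >= LOW_ALE:
        return "MEDIUM"
    return "LOW"


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return (risk.loss_event_frequency * (1 - control.frequency_reduction)
            * risk.loss_magnitude * (1 - control.magnitude_reduction))


def decide(risk: Risk, control: Control) -> str:
    """Step 3, control: spending more than the asset is worth is not justified
    unless the loss could harm reputation; HIGH risks are handled now and LOW
    risks are deferred or tolerated."""
    if control.annual_cost > risk.asset_value and not risk.reputational:
        return "accept"
    rating = rate(risk.ale())
    if rating == "HIGH":
        return "mitigate now"
    if rating == "MEDIUM":
        return "schedule"
    return "defer or accept"


def review(risk: Risk, control: Control, observed_events_per_year: float) -> str:
    """Step 4, review: compare what actually happened with the expected residual."""
    expected = risk.loss_event_frequency * (1 - control.frequency_reduction)
    return "effective" if observed_events_per_year <= expected else "adjust"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank the identified risks by ALE, largest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Step 1, identify: a constructed register (not real figures).
RISKS = [
    Risk("Stolen cloud administrator credentials", 2_000_000, 0.5, 400_000),
    Risk("Unencrypted backups at a departing vendor", 50_000, 0.2, 100_000),
    Risk("Customer PII exposed by a misconfigured bucket", 300_000, 0.1, 500_000, reputational=True),
    Risk("Outdated firmware on office printers", 5_000, 1.0, 2_000),
]

# Candidate control for each risk, keyed by risk name (constructed).
CONTROLS: Dict[str, Control] = {
    RISKS[0].name: Control("MFA plus conditional access on the management plane", 30_000, 0.9, 0.0),
    RISKS[1].name: Control("Dedicated key-managed backup service", 60_000, 0.5, 0.9),
    RISKS[2].name: Control("Data loss prevention and bucket policy scanning", 400_000, 0.8, 0.5),
    RISKS[3].name: Control("Quarterly firmware patch cycle", 1_000, 0.7, 0.0),
}


def run_cycle() -> List[Tuple[str, str, str]]:
    """One pass through the process: (risk name, rating, decision), ranked by ALE."""
    return [(r.name, rate(r.ale()), decide(r, CONTROLS[r.name])) for r in prioritize(RISKS)]


if __name__ == "__main__":
    for name, rating, decision in run_cycle():
        print(f"{rating:6} {decision:15} {name}")
```

The vendor-backup risk is accepted even though it rates MEDIUM, because the proposed control costs more than the asset is worth, while the PII exposure with a still costlier control is kept on the schedule because of its reputational impact; the review step then turns the register into a living document by checking the observed event rate against what the control was expected to leave behind.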
Implement Ongoing Risk Assessments
To keep up with changing cybersecurity threats and solutions, perform continuous, adaptive, and actionable risk identification and assessment. Review risk management procedures frequently to find holes and fill them. To secure digital environments and assets, cybersecurity professionals rely on actionable insights from risk assessments.
The FireEye attack exposed a major breach of the U.S. government
The California-based cybersecurity business FireEye discovered a significant breach that had gone unnoticed for an estimated nine months when it found that over 300 of its unique cybersecurity products had been taken. Approximately 250 federal departments, including the U.S. Treasury Department, the Energy Department, and even parts of the Pentagon, were affected by the incident.
FireEye was not, however, where the breach started. The attack began when SolarWinds, an IT management software provider, was infiltrated, exposing some of its most prominent clients, including Fortune 500 companies such as Microsoft, Intel, Deloitte, and Cisco. In a “supply chain” attack, the defenses of one organization are breached, leaving all of its clients vulnerable.
According to Reuters, which first reported on the cyberattack in mid-December, hackers also monitored the internal communications of the U.S. Treasury and Commerce departments. Government representatives and cybersecurity specialists attribute the attacks to Russia’s SVR Foreign Intelligence Service. Investigators are still piecing together the specifics of the incident to determine the attackers’ objectives.
For two reasons, software companies are often targets of cyberattacks. First off, there is a lot of pressure on them to provide new versions and updates before their rivals, even if it means compromising cybersecurity safeguards.
“This is something that has plagued the software industry in general for the last twenty to thirty years,” said Adams. “If there are delays in getting that next product or update out it just doesn’t look good because that’s revenue sitting on the table.”
Second, by targeting a software company, hackers can compromise more victims than by targeting a single business or government agency. Hackers only need to infect a new software update or patch to compromise the company’s clients while the intrusion goes unnoticed. Every client who downloads the compromised software unknowingly installs the attacker’s malware on their computers.
Course Manual 7: Resiliency Risks
IT resilience for the digital age
Late in January 2021, as GameStop’s stock rose sharply, investors all across the United States logged on to brokerage websites. However, when several of the brokerage platforms abruptly failed, millions of users were unable to access their account information or carry out transactions during the frenzy. IT problems and outages affect more than just the financial industry. Slack’s stock dropped 14% in September 2019 after the company’s quarterly earnings report showed that it had lost $8.2 million in revenue as a result of offering customers credits (amounts set aside to pay for upcoming invoices in the event of service outages).
These circumstances highlight the need for businesses to address IT resilience—their capacity to manage a technical disruption. The COVID-19 pandemic certainly did not cause inadequate IT resilience, but the crisis undoubtedly made it worse: the pandemic’s increased web traffic put strain on legacy on-premises IT systems, causing disruptions and service delays.
Why then don’t businesses improve their IT resilience? Simply put, because their CEOs and boards frequently do not consider IT resilience as a business problem until it has a negative financial impact due to customer attrition or until they are criticized by regulators. Consider the previous CEO of the Tokyo Stock Exchange who resigned under pressure from regulators after the trading platform was down for a day. Therefore, it is advised that businesses adopt a thorough strategy based on a number of fundamental principles that take into account both IT and business outcomes in order to boost IT resilience (exhibit)
The case for resilience
In the past, businesses could reduce downtime in physical channels by adopting manual business continuity procedures, like having a customer service representative submit an order with administrative access. But as more and more customers switch to digital channels, the old methods of dealing with stability problems are no longer effective. Additionally, the IT systems’ inherent dependencies make the pursuit of resilience more difficult. As an illustration, some companies are integrating with application-programming-interface (API) ecosystems, a strategy that can add value by giving them access to rich customer data or enabling them to build new applications through an API portal, but one that can also create a new point of failure.
It is no surprise that severe failures occur more frequently when the growing complexity of IT is combined with antiquated processes and operations. According to a 2020 study of infrastructure and operations leaders, 76% of respondents had experienced an incident in the previous two years that required invoking their IT disaster-recovery strategy, and 50% had experienced two such incidents. In a different study, 88 percent of participants said that losing a crucial server for an hour would cost them more than $300,000, and 40 percent said the loss would exceed $1 million. Faced with such downtime costs, more businesses are increasing their disaster-recovery spending. These investments are essential because many IT projects build only a few controls into new business processes, have insufficient (or nonexistent) change management procedures, and take little or no design input from the security, privacy, risk, and legal teams. As a result, businesses accumulate undetected nonfinancial risks in areas including operational resilience, technical debt, and cybersecurity.
IT resiliency manifesto
Businesses must fundamentally alter their strategy in order to handle these IT complexity and risk challenges. They can achieve this by adhering to the following seven IT resiliency manifesto tenets:
Don’t solve for apps; solve for journeys. Rather than treating the remediation of important assets such as applications and infrastructure as the solution to IT resiliency, organizations should examine the entire customer journey and address its weakest link. In other words, it is not about modernizing individual apps; it is about knowing how all the apps, API requests, and third-party dependencies interact to deliver the intended outcome of the customer journey, and then identifying which component’s downtime stops customers from completing that journey.
Use a risk-based strategy. Many businesses treat IT infrastructure as the only factor in resilience. Organizations should instead adopt a two-pronged, risk-based strategy. The first prong is business-driven and top-down: prioritize the customer journeys that carry the most risk, for example by asking which journeys affect revenue or customer-satisfaction scores. The second prong is measurable and bottom-up: determine the risk profile of an individual technical element, such as a third-party API call, so that a risk-reduction plan can be built for that asset. A risk profile is developed by weighing the likelihood of failure, the consequences of a failure, and the ability to detect failures quickly and limit their effects.
Use operational IT data. IT operations produce rich data sets, but many organizations struggle to use them routinely for insight, discovery, and capacity planning because of heterogeneous technologies, missing frameworks, and fragmented organizational structures. Organizations can improve how they handle outages by applying AI-based capabilities such as event correlation across these data sets. According to McKinsey research, incident triage used to take hours and often required hundreds of IT experts and operations staff on call; today, businesses can cut the mean time to identify events by 50 to 75 percent.
Plan for storms, not for clear skies. IT organizations typically run capacity-planning exercises and add a modest buffer, perhaps 50%, on top of peak volume. Digital traffic, however, can jump by 300 to 500%, causing significant disruption. To cope with such surges, organizations should build infrastructure capabilities, such as containerized applications, that quickly add capacity across every layer of the technical stack and relieve bottlenecks (for example, message queues in middleware).
Adopt an engineering mindset. Leading firms invest in capability building by hiring new talent, retraining current staff in DevOps automation, and implementing site-reliability-engineering (SRE) capabilities. These investments let teams adopt modern engineering practices: end-to-end code ownership, service-level indicators (SLIs) that measure system behavior, service-level objectives (SLOs) that set targets for those indicators, continuous integration and delivery (CI/CD) pipelines that automate software delivery, and error budgets. With these techniques, organizations increase uptime and use automation to spot and resolve IT issues.
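Worked example, added here and not part of the training material: how an SLI, an SLO and an error budget (the SRE practices named above) fit together numerically, with a simple change-gating rule on top. The SLO target, window, request counts and gating thresholds are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ErrorBudget:
    """An availability SLO evaluated over a rolling window."""
    slo_target: float   # e.g. 0.999 means 99.9% of requests must succeed
    window_days: int    # length of the window the SLO is judged over

    @property
    def budget_fraction(self) -> float:
        """Share of requests allowed to fail before the SLO is breached."""
        return 1.0 - self.slo_target

    def allowed_downtime_minutes(self) -> float:
        """Budget expressed as minutes of total outage per window."""
        return self.window_days * 24 * 60 * self.budget_fraction

    def status(self, total_requests: int, failed_requests: int) -> dict:
        """Compare the measured SLI (good / total) with the SLO and the budget."""
        if total_requests <= 0 or failed_requests < 0 or failed_requests > total_requests:
            raise ValueError("request counts must satisfy 0 <= failed <= total, total > 0")
        sli = (total_requests - failed_requests) / total_requests
        allowed_failures = total_requests * self.budget_fraction
        consumed = failed_requests / allowed_failures   # 1.0 == budget fully spent
        return {
            "sli": sli,
            "allowed_failures": allowed_failures,
            "consumed_fraction": consumed,
            "remaining_fraction": 1.0 - consumed,
            "slo_met": sli >= self.slo_target,
        }

    def burn_rate(self, consumed_fraction: float, elapsed_days: float) -> float:
        """How fast the budget is being spent relative to an even spend.

        1.0 means the budget runs out exactly at the end of the window;
        above 1.0 it runs out early and the window will breach the SLO.
        """
        if elapsed_days <= 0:
            raise ValueError("elapsed_days must be positive")
        return consumed_fraction / (elapsed_days / self.window_days)


def release_decision(remaining_fraction: float, burn_rate: float) -> str:
    """Change-gating policy driven by the error budget (constructed thresholds)."""
    if remaining_fraction <= 0.0:
        return "freeze"      # budget gone: only reliability fixes ship
    if remaining_fraction < 0.25 or burn_rate > 2.0:
        return "slow"        # budget nearly gone or burning fast: extra review, canaries
    return "ship"            # healthy budget: normal release cadence


if __name__ == "__main__":
    # Constructed sample: 99.9% SLO over 30 days, 10 days in, 1,000,000 requests, 400 failed.
    budget = ErrorBudget(slo_target=0.999, window_days=30)
    s = budget.status(total_requests=1_000_000, failed_requests=400)
    rate = budget.burn_rate(s["consumed_fraction"], elapsed_days=10)
    print(f"SLI={s['sli']:.4%} consumed={s['consumed_fraction']:.0%} burn_rate={rate:.2f}")
    print("decision:", release_decision(s["remaining_fraction"], rate))
```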
Avert the hero culture. Company cultures that embrace quality and consistency standards treat a crisis as a learning opportunity, which makes them more resilient. Almost every organization has a select few people who seem adept at everything, empathetic toward others, and always the most helpful. But when too many duties fall on that small number of individuals, resilience suffers. Instead, executives should encourage teams to break the hero culture and reward groups that promote resilient applications and behaviors, serving as role models for the required shift in organizational mindset.
Be proactive rather than reactive. Failure is a given, but companies should know about IT weaknesses before they become systemic. Lapses in operational controls can cause major resiliency problems. Organizations should develop and automate procedures to identify problems immediately, recover quickly, and limit impact. Pre-mortem analysis, chaos engineering, problem modeling, and testing of recovery strategies are techniques that increase resilience so that real incidents do not come as a surprise.
Through quick tactical fixes and better monitoring for its tier 1 journeys, such as log-in, one top financial services company cut downtime by 40%. Within six months it had lowered the average resolution time for all high-severity incidents by nearly 60%. Alongside this, it launched a long-term plan to retire technical debt, update its IT architecture, and apply engineering best practices. According to the head of application operations, the culture is shifting toward resilience, and conversations are more deliberately focused on business risk.
A robust IT resilience strategy
Avoiding every obstacle and disruption during a digital transformation may seem impossible. The journey is intimidating, but a sound IT plan will help you proceed with confidence, and IT resilience is the cornerstone of that plan.
IT resilience means being ready for any disruption, planned or unforeseen, so as to reduce the risk of downtime and keep your attention on initiatives that drive transformation. It ensures that the business keeps moving forward and can even speed up transformation by letting you detect changes proactively and adjust to them before they cause disruption.
Three elements are necessary for a strong IT resilience strategy: continuous availability, workload mobility, and multi-cloud adaptability. You’ll be able to resist disruptions, achieve IT agility, and confidently evolve if you have these in place.
Let’s take a deeper look:
Continuous availability
Delivering an “always-on” customer experience is of utmost importance, regardless of planned or unforeseen changes in the infrastructure. Continuous availability keeps customers connected to their data and apps at all times; think of it as a generator or backup power supply for your IT.
Backups have been a crucial component of any IT plan for many years. By copying data and programs to off-site storage, data can be recovered no matter what happens to the production environment.
However, most existing backup technologies are no longer sufficient. Demands for recovery point objectives (RPOs) of seconds and recovery time objectives (RTOs) of minutes cannot be met by periodic backups that capture only a snapshot in time. This, together with the complexity that comes with outdated systems, is why you should adopt journal-based continuous data protection that works across hypervisor, storage, and cloud platforms.
Continuous availability basically implies that, regardless of what occurs—a cyberattack, flood, or intentional outage—both you and your customers remain “on” and secure against disruption.
Workload mobility
Workload mobility lets applications and workloads be moved while remaining fully protected. This can cover anything from migrations to M&A consolidations or the launch of a new project.
Although workload mobility is not a new idea, IT’s widespread use of public cloud has increased how often workloads are moved. With so many public clouds and CSPs available, IT teams must be able to move workloads quickly, seamlessly, and without risk, so that on-premises environments can extend their data centers into the cloud.
Multi-Cloud, Hybrid Cloud agility
Fundamentally, developing a multi- and hybrid-cloud strategy enables you to utilize cloud to speed up business and benefit from its features, including the freedom to select your own cloud and the flexibility to migrate to, from, and between clouds.
Multi-cloud methods are becoming more popular due to numerous considerations. Each cloud provides unique features and services that can be better suited to particular applications. When you decide to use a multi-cloud strategy, you may choose the performance, response time, and throughput settings that are appropriate for each application and adjust them to meet your needs.
A key component of the digital transition is speed to market. You can release applications more quickly thanks to the cloud because you don’t have to worry about underlying infrastructure costs or upkeep.
These three components working in unison will guarantee that your company can weather any disruption. Your company will have the ingredients to foster innovation and real IT resilience when you combine these with analytics, control, and a unified platform.
What Is An IT Disaster Recovery Plan?
An IT disaster recovery plan is a well-thought-out, strategic document that companies use to recover from a crisis (natural or otherwise).
It lays out a step-by-step procedure for resuming work after an unforeseen (and occasionally disastrous) event.
In addition to the overall disaster recovery plan for the entire enterprise, there should be a distinct IT disaster recovery plan focused on the IT infrastructure.
Plans for disaster recovery are only useful if they are put in place well in advance of a disaster.
Why Is An IT Disaster Recovery Plan Important?
The majority of businesses would struggle to function without their IT infrastructure. Without IT, everything would come to a grinding halt, including customer orders, scheduling, and employee communication.
Estimates found in a quick internet search put the share of companies that never fully recover after a natural disaster at between 25 and 40%.
In addition, according to the Council of Insurance Agents & Brokers, 60% of small firms fail to survive the first six months after a cyberattack because of the enormous costs of recovery, including damaged reputation, lost data and revenue, instability, and decreased staff productivity.
The good news is that you can take precautions to reduce hazards both during and after a disaster.
10 Things Every IT Disaster Recovery Plan Must Include
Developing an IT disaster recovery plan lets you concentrate on the other tasks at hand when a disaster strikes. The following 10 topics should be included in every IT disaster recovery plan:
1. IT Inventory
Make sure you have a list of all the IT resources, including systems, hardware, and software, that are utilized by the company.
Ask staff members how their job would be affected if specific systems or networks went down for a while. Determine which data and applications are essential to your company. Take extra precautions to keep them safe.
In order to determine which systems would be impacted in the event of a flood, hurricane, fire, power loss, or other disaster on your property, it can be useful to include various scenarios in your IT disaster recovery plan.
2. Data Backup & Verification
Create a system for routinely backing up your important data off-site if you don’t currently have one. (Data that is static and unchanging might not require repeated backups.) You might opt to use the cloud or a physical data center located elsewhere in the world.
Enterprises often overlook the risk of keeping backups only on-site, where a natural disaster can destroy them along with the production systems.
Once you’ve established a regular backup plan and procedure, verify it frequently to make sure it functions as intended. The last thing you want to find out in the middle of a crisis is that your backups haven’t been functioning.
Risks exist with both physical and online backups. Determine which is most appropriate for your company.
3. Recovery Timeline
Set appropriate recovery objectives and deadlines for the return of specific IT systems. Healthcare, for example, may be able to tolerate only a few minutes of downtime, while other industries can handle longer recovery times.
Make sure your IT disaster recovery strategy clearly states a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO).
The RTO is the maximum time that may elapse before your IT systems must be recovered. The RPO is the maximum acceptable age of the most recent data backup, i.e. how much data loss, measured in time, you can tolerate.
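Added example, not from the manual: the RTO and RPO definitions above, together with the verification point from section 2 (a backup counts only if a restore has actually been tested), applied to a constructed backup history. Every system name, timestamp and objective below is made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupRecord:
    system: str
    completed_at: datetime
    succeeded: bool          # the backup job itself reported success
    restore_verified: bool   # a test restore actually read the data back


@dataclass(frozen=True)
class RecoveryObjectives:
    rpo: timedelta   # maximum acceptable age of the newest usable backup
    rto: timedelta   # maximum acceptable time to bring the system back


def newest_usable_backup(records, system):
    """Newest backup that both succeeded and passed a restore test, or None.

    The second condition is the point of section 2: a backup that has never
    been restored is not known to be usable.
    """
    usable = [r for r in records
              if r.system == system and r.succeeded and r.restore_verified]
    return max(usable, key=lambda r: r.completed_at) if usable else None


def rpo_gap(records, system, objectives, now):
    """Return None if the RPO is met, otherwise a description of the gap."""
    newest = newest_usable_backup(records, system)
    if newest is None:
        return f"{system}: no verified backup exists at all"
    age = now - newest.completed_at
    if age > objectives.rpo:
        return f"{system}: newest verified backup is {age} old, exceeds RPO {objectives.rpo}"
    return None


def rto_gap(system, measured_restore, objectives):
    """Return None if the rehearsed restore met the RTO, otherwise a description."""
    if measured_restore is None:
        return f"{system}: RTO never measured, schedule a restore test"
    if measured_restore > objectives.rto:
        return f"{system}: last restore took {measured_restore}, exceeds RTO {objectives.rto}"
    return None


def dr_gaps(records, objectives_by_system, restore_tests, now):
    """List every RPO/RTO gap; an empty list means the plan's objectives are met."""
    gaps = []
    for system, obj in objectives_by_system.items():
        for gap in (rpo_gap(records, system, obj, now),
                    rto_gap(system, restore_tests.get(system), obj)):
            if gap is not None:
                gaps.append(gap)
    return gaps


# --- Constructed sample data (not from any real environment) ---
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE_RECORDS = [
    BackupRecord("orders-db", datetime(2024, 1, 15, 11, 30), True, True),
    # The most recent hr-files job "succeeded" but its restore test failed
    # (the situation described under Validation), so it cannot be trusted.
    BackupRecord("hr-files", datetime(2024, 1, 14, 12, 0), True, False),
    BackupRecord("hr-files", datetime(2024, 1, 10, 12, 0), True, True),
]
OBJECTIVES = {
    "orders-db": RecoveryObjectives(rpo=timedelta(hours=1), rto=timedelta(minutes=30)),
    "hr-files": RecoveryObjectives(rpo=timedelta(hours=24), rto=timedelta(hours=4)),
}
RESTORE_TESTS = {"orders-db": timedelta(minutes=20)}   # hr-files was never rehearsed


def run_sample():
    """Evaluate the constructed sample; returns the gaps the plan should track."""
    return dr_gaps(SAMPLE_RECORDS, OBJECTIVES, RESTORE_TESTS, NOW)


if __name__ == "__main__":
    for line in run_sample():
        print("GAP:", line)
```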
4. Detailed Responsibility
Secure support from key stakeholders.
Make sure the team is aware of the potential IT activities that could be impacted, how that might impact various business functions, what would happen next, and who would be in charge of fixing the problems.
Include a strategy for reaching out to staff members in the case of a power or internet loss.
5. Physical Damage
Physical damage to your company’s premises can also affect your on-site IT equipment; anything from servers to end-user devices might be impacted. Moving some operations to the cloud can reduce these losses, but plan ahead for physical harm to your IT infrastructure.
6. Insider Threats
Whether on purpose or accidentally, people can cause disasters. Locking down administrative permissions on your IT systems is one method to reduce risk.
Only the systems and data that they require should be accessible to employees and outside vendors.
There are innumerable examples of businesses compromised through outside vendors who were granted excessive access to weakly secured systems. Likewise, your internal sales staff do not need access to other employees’ payroll and benefit information.
Giving frequent security awareness training to your staff is another way to lower risk; it keeps personnel up to date on the latest cyberthreats. Experts concur that human error accounts for between 80 and 90 percent of cyberattacks.
Your risk can be decreased with good personnel security awareness training.
7. Insurance
There are insurance policies that cover natural disasters and cyber attacks if you are worried about the price of recovery. This coverage can pay for wider losses caused by a disaster as well as the expense of replacing IT equipment.
Make sure the specifics are accessible in your IT disaster recovery plan if you invest in these kinds of solutions.
8. Validation
IT disaster recovery plans should be tested at least once (ideally twice) annually. When one of our clients finally tested their plan after several years, they discovered that all of their drives had failed during the restoration process.
The information would have been irretrievably destroyed if this had happened during a genuine tragedy.
You should thoroughly document any gaps found throughout these tests so that you can start filling them.
9. Business Continuity
The organization’s plan for continuing critical business operations as much as feasible both during and after a disaster is known as business continuity (BC). To be certain that you can face any unforeseen catastrophe head-on, develop and test a comprehensive BC strategy.
This plan should also be evaluated and kept up to date because it works hand in hand with the IT and organizational disaster recovery plans. It is a crucial component of the company’s overall BCDR activities.
10. Updates
Disaster recovery requires ongoing, active maintenance; it cannot be established and forgotten. Refresh your IT disaster recovery strategy with the latest practices, tools, and resources.
Update and inform everyone engaged in carrying out the strategy of any relevant business demands or workforce changes.
Resiliency Success Story: Arianna Huffington – When a little girl’s dreams become reality
The Huffington Post is a household name as a news website and blog. Do you believe the woman behind it is impervious to failure or that she achieved her objectives right away? Her road to achievement was paved with rejection.
Arianna, a shy girl born in Athens, Greece, emigrated to the UK at the age of 16. She hardly spoke any English, and apart from her mother, nobody anticipated her success.
She was approved to study economics at Cambridge University and joined the Cambridge Union, a debate organization, as a politically motivated student. Despite being made fun of for her accent and her lack of familiarity with debate procedures, she persisted. She worked harder to eventually become the first foreign female president of the Union.
She was soon prepared to enroll in Harvard University, but a stroke of luck led to the offer to publish her first book, “The Female Woman,” which discussed the shifting role of women. She rapidly developed into a successful author as the book quickly became a bestseller.
Her personal life was also growing, and when participating in a TV panel program, she met and fell in love with Bernard Levin, a well-known Times columnist. He not only became the love of her life, but also a mentor and an inspiration to her because he was 22 years her senior.
Arianna was in her mid-20s and struggling. Her second novel was rejected 36 times. A total of 36 times! She nevertheless managed to get it published by staying calm and focused.
Despite her creative triumphs, Arianna, by then in her 30s, felt her life lacked something. After realizing that loving a man who was not ready to have a family was not enough, she chose to move to the US and start over. She moved to New York City to begin a new life after marrying a wealthy oil tycoon, but once he was elected to Congress, the couple moved to Washington, DC.
But she still had to battle. Her spouse came out as bisexual after 11 years of marriage and the birth of two daughters, leading to their divorce. She relocated to California and entered the 2003 state governor election. Destiny once more looked down on Arianna.
She started the Huffington Post, one of the most well-known news websites in the world, two years later. She is a bestselling author of 15 books, the CEO of a start-up in the health and wellness industry, and a director of Uber.
When asked what gave her the strength to overcome all the difficult moments of her life, she simply quotes her mother: “Failure is not the opposite of success; it’s a stepping stone to success.”
Course Manual 8: Third-Party Risks
Third-Party Risk Today
When partnering with external parties, there are a variety of hazards that may occur (e.g., strategic, operational, compliance, financial, geopolitical, reputational, regulatory, digital, cyber, privacy). Understanding the full scope of an organization’s third-party interactions and the risks involved is one of the largest issues they face, especially when it comes to digital risk.
Cloud adoption is one of the main drivers of digital risk. Examples range from Cloud Hopper, one of the clearest cases of combined cloud and third-party risk, which harmed enterprises globally, to the growing list of data exposures of AWS S3 buckets. In the Cloud Hopper attacks, the managed IT service providers who ran the targets’ networks, applications, and IT infrastructure were compromised; the attackers used these providers as go-betweens to reach the true targets’ networks and steal critical corporate information, including trade secrets.
If these risks are not properly managed, a company may be subject to legal and regulatory action, financial loss, damage to its reputation, and even the inability to develop new business or fulfill existing contracts.
Regulatory And Legislative Change
A slew of recent laws and regulations, including GDPR, Australia’s Foreign Influence Transparency Scheme Act, the United States Foreign Corrupt Practices Act, and the United Kingdom Bribery Act, make it very obvious that companies are accountable for their choice to work with third parties.
Given our reliance on data and outside sources, particularly in light of the recent decade’s plethora of data breaches, compromises, and revenue losses, this is reasonable. Significant operational modifications will be necessary to fulfill these new commitments.
Why Third-Party Risk Is Critical to Every Business
Every firm, whether a startup or a large corporation, uses several vendors and depends on their software and systems. However, while these outside vendors offer priceless services, they also pose a serious risk to your company’s information security.
The problem is this: how do you tell whether your third-party business partners are upholding their contractual, security, and privacy obligations?
If you don’t have procedures in place to evaluate the risks posed by these third parties, the most likely response is that you are unsure. You must understand the dangers of these business partnerships and how much you can trust them because if they collapse, your firm might as well. This lack of visibility is a serious hazard.
In this course manual, we discuss third-party risk and how to handle it effectively in your business.
What Is Third-Party Risk?
Third-party risk is the possibility that using third-party software or outsourcing particular services could result in a negative event for your company (like a data breach, an interruption in business operations, or reputational damage).
Any independent company or person who offers software, tangible items, supplies, or services is a third party. These third parties could include consultants, contractors, employment agencies, raw material and component suppliers, software providers, and many others. Although relying on others to operate your business can be risky, it’s often necessary.
What Are Common Types of Vendor Risks?
We can group third-party risks into six broad categories.
Cybersecurity Risk
This is the potential for loss as a result of a cyberattack, data breach, or other security incident that results from your third-party engagement, as was previously mentioned. For instance, the third party hosting your data can come under assault, or perhaps the attackers might target the third party first before using it to access your IT systems. Throughout the vendor lifecycle, continual vulnerability monitoring and due diligence can help to lower this risk.
Operational Risk
Operational risk is the possibility that your third party will not deliver the goods or services they have promised, and that this failure affects your business’s operations. For example, imagine a cloud service provider going offline at a crucial moment and stopping your client fulfillment operations. Enforceable service level agreements (SLAs) are typically used to manage this vendor risk. Depending on how important the current vendor is, you may also want a backup provider to maintain business continuity.
Legal, Regulatory, and Compliance Risk
This is the chance that a third party’s actions will have an impact on how well your business complies with local laws, regulations, or standards like the EU General Data Protection Regulation. This is especially important for businesses in the government, healthcare, and financial services industries as well as their business partners.
Reputational Risk
This is the risk posed by negative public perceptions of your company caused by a third party. Customer grievances, inappropriate interactions, and poor recommendations are just the beginning. The most damaging cases are third-party vendor data breaches caused by weak security protocols, such as the well-known Target data breach in 2013 (which actually began when attackers targeted one of Target’s vendors who had access to the company’s payment systems).
Financial Risk
The possibility that a third party will undermine your company’s ability to generate revenue is known as financial risk. For instance, a supplier can unexpectedly charge substantially more for materials that were promised, increasing the costs for your business.
Strategic Risk
Strategic risk is the likelihood that a third-party provider will obstruct your organization from accomplishing its objectives. For instance, one of your competitors might purchase a reseller in a foreign market, which would prevent you from selling items there until you can find a different distribution route.
It’s important to remember that these subjects commonly overlap. For instance, if a business experiences a cybersecurity breach and customer data is stolen, this may also create operational, compliance, reputational, financial, and, in the end, strategic threats.
Why Is it Important to Mitigate Third-Party Risk?
A corporation can outsource any number of its procedures in the modern digital business world, but it cannot outsource the risks inherent in doing so. In order to prevent the risks that result from these partnerships from derailing your goals, organizations need to take an active, risk-based approach to managing third parties.
A strong third-party risk management program helps you anticipate risk and increase business productivity. Every level of the business must take part in adopting a risk-based third-party management program, even though this broad participation can make the process harder to manage. Effective third-party risk management increases the value of your third-party agreements by controlling costs, enhancing operations, and lowering the risks of outsourcing.
Case Study: Chipotle’s third party risk assessment
As an example, Chipotle is well known for its flaws in third-party risk assessment. In 2015, hundreds of customers and employees nationwide were affected by E. coli infections linked to Chipotle locations in Massachusetts, Washington, Oregon, and other states. The public was reassured by Chipotle that this would “never happen again.”
Chipotle brought on a new CEO in an effort to restore its standing as a trustworthy eatery. In 2017, after numerous Chipotle diners in Sterling, Virginia, reported experiencing symptoms mimicking the extremely dangerous norovirus, the business once more changed CEOs.
Unfortunately, this had no impact on the disease’s transmission; later that year, a Chipotle restaurant in Los Angeles reported sick workers and customers. A UBS Evidence Lab survey from 2018 found that 32% of those who had quit eating at Chipotle claimed “nothing” would make them go back.
The outbreaks began soon after the company adopted a novel approach: using locally sourced ingredients in its recipes. Chipotle transformed the industry with its locally sourced, decentralized supply chain, but it did not integrate risk management best practices into that cutting-edge business strategy.
Chipotle exposed itself to more than 1,000 potential locations of food contamination by employing that dispersed procurement technique; a more conventional centralized procurement system would have only a small fraction of that. Chipotle repeatedly experienced problems with food safety because it did not address the root of the issue.
How to Conduct a Vendor Risk Assessment
You should have a strict vendor risk management process in place to evaluate the risks posed by your third parties. The following steps are usually involved in that process.
Vendor List: Who Are Your Suppliers?
Identify each of your vendors first. Any individual or business that delivers a good or service to your business but does not work there is referred to as a third-party vendor. Contractor staff, service providers, manufacturers, suppliers, and service companies may all fall under this category. (In certain circumstances, you might also add third-party providers to your vendor inventory.)
Vendor Evaluation Procedure
Second, create a procedure for assessing the risks that every potential third party might present. Usually, you can accomplish this by sending a questionnaire to each potential vendor before you decide to work with them. Think about the products or services the vendor will offer, how crucial they will be to your business operations, and any threats they might pose to your company.
Prioritizing High-Risk Suppliers over Lower-Risk Vendors
Different vendors present different dangers. While some sellers deliver generic goods, others provide specific components. With some third parties, you may disclose private customer information, but not with others.
Determine which vendors are most important to your company based on the hazards that were discovered during the due diligence and risk assessment procedures we covered in the previous stage. To make sure that no possible problems are missed, it is crucial to frequently evaluate each vendor using the same standards for all of them. For instance, vendor surveys should be finished both upon onboarding and then once a year after that.
How to Minimize Third-Party Risk
Even though most firms agree that screening third parties is crucial before entering a business relationship, 60% also fail to prioritize third-party risk effectively. A company can improve by taking a number of steps.
Request References
When assessing the security commitment of your vendors, ask for references. Find out how well the providers handle security by getting in touch with other businesses that have used their services. Ask each vendor questions that are relevant to the kind of engagement you are considering.
Apply Internal Standards to Third Parties
Create a service level agreement (SLA) after selecting a vendor that outlines the vendor’s responsibilities for security rules, performance standards, and service or product deliverables.
Do not simply accept the vendor’s default terms. Take into account the requirements of your company, your sector, and your clients. Holding the vendor to the same regulatory and compliance requirements that you must meet is your best option for ensuring data security.
Regularly Check Third Parties’ Cybersecurity Protocols
Circumstances change constantly, particularly in the fast-moving field of cybersecurity. Therefore, it’s imperative to regularly check the cybersecurity policies of your third parties. Regular audits and ongoing monitoring ensure accountability and keep vendors on their toes.
Establishing Your Third-Party Digital Risk Management Program
To begin addressing these problems, a risk management framework should be created. We advise including the following measures in a successful risk management strategy:
1. Create policy and processes for evaluating and vetting third parties’ security practices based on risk.
• Make a thorough list of all interactions with third parties.
• Know your data: Who has access to your data? How is the data accessed and stored, and how sensitive is it? Which subcontractors are gaining access to or handling this data?
• Decide what level of third-party risk you can tolerate.
2. Develop/update your risk assessments.
• Concentrate on identifying and understanding the risks that third-party engagements along your supply chain bring (as described before).
• Does it take into account recent statutory and regulatory requirements?
• Add a “technology due diligence” evaluation. A good risk assessment is necessary given the surge in digital collaboration tools (VPNs, videotelephony, etc.): What do the terms state regarding the use or sharing by third parties of data gathered through the service? Where is the service hosted? Is it in a nation where communications must be made available to law enforcement and intelligence agencies? Is it possible to quickly and fully remove all data from the service? Does access to the service require adequate authentication (MFA) and full encryption?
3. Review your third-party contracts.
• Do they contain the right clauses to satisfy statutory and regulatory privacy and security requirements?
• Are there provisions allowing you to assess the third party’s security measures?
• Include safeguards to ensure that your third party upholds its end of the bargain and performs audits and evaluations of the third parties it works with.
• Make sure you have the ability to revisit and revise the contract if circumstances change.
4. Monitor third parties.
The threat landscape is ever-evolving. To spot new threats and maintain compliance, ongoing monitoring is crucial. Organizations’ limited visibility into third-party networks makes it more difficult to mitigate threats that arise there. Consider automating as much of this work as you can.
• Monitor user behavior to ensure that only authorized users have access to sensitive information and that they are acting within the parameters of the contract.
• Real-time threat detection and response tools should be implemented to spot fraud attempts and other malicious actions coming from outside sources.
• Automate the follow-up risk assessment scheduling based on the third party’s level of risk. Consider adding rule-based triggers for prompt assessments when thresholds are crossed.
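As an added example (not part of the workshop material), a small Python vendor risk register that applies the criteria described above: each vendor is tiered from data sensitivity, operational criticality and subcontractor access, a questionnaire is required at onboarding and then on a fixed cadence, and rule-based triggers bring an assessment forward when a threshold is crossed. Vendor names, weights, thresholds and cadences are assumptions constructed for the example.

```python
"""Vendor risk register: tier vendors and schedule reassessments (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vendor:
    name: str
    data_sensitivity: int        # 0 none, 1 internal, 2 confidential, 3 regulated/PII
    criticality: int             # 0 commodity good, 1 important, 2 business-critical
    subcontractor_access: bool   # do the vendor's own third parties touch our data?
    last_assessed: Optional[date] = None   # None = not yet onboarded
    open_findings: int = 0       # unresolved issues from the last questionnaire/audit


# Weights, thresholds and cadences below are assumptions made for this example.
def risk_score(v: Vendor) -> int:
    return 3 * v.data_sensitivity + 2 * v.criticality + (2 if v.subcontractor_access else 0)


def tier(v: Vendor) -> str:
    s = risk_score(v)
    return "high" if s >= 9 else "medium" if s >= 4 else "low"


# Same criteria for every vendor: questionnaire at onboarding, then on a fixed cadence.
CADENCE_DAYS = {"high": 180, "medium": 365, "low": 365}


def next_assessment(v: Vendor, today: date) -> date:
    if v.last_assessed is None:
        return today                      # onboarding questionnaire is due immediately
    return v.last_assessed + timedelta(days=CADENCE_DAYS[tier(v)])


def triggers(v: Vendor) -> list:
    """Rule-based triggers that bring the next assessment forward."""
    reasons = []
    if v.open_findings >= 3:
        reasons.append("open findings threshold crossed")
    if tier(v) == "high" and v.subcontractor_access:
        reasons.append("high-tier vendor with subcontractor access")
    return reasons


def schedule(vendors, today: date) -> list:
    """Return one plan entry per vendor, earliest due date first."""
    plan = []
    for v in vendors:
        due = next_assessment(v, today)
        why = triggers(v)
        if why:
            due = min(due, today)         # prompt assessment, never later than today
        plan.append({"vendor": v.name, "tier": tier(v), "due": due, "triggers": why})
    return sorted(plan, key=lambda p: (p["due"], p["vendor"]))


# Constructed sample register (names and values are invented for this example).
TODAY = date(2024, 1, 15)
SAMPLE_VENDORS = [
    Vendor("payroll-saas", 3, 2, True, date(2023, 3, 1)),
    Vendor("office-supplies", 0, 0, False, date(2023, 6, 1)),
    Vendor("new-analytics-vendor", 2, 1, True),
    Vendor("cdn-provider", 1, 2, False, date(2023, 11, 1), open_findings=4),
]

if __name__ == "__main__":
    for p in schedule(SAMPLE_VENDORS, TODAY):
        print(f'{p["due"]}  {p["tier"]:6}  {p["vendor"]:22}  {", ".join(p["triggers"])}')
```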
Because risk management is a specialized role, involve a third-party specialist when discussing risk with a provider. Even then, careful diligence is necessary.
In the end, risk can be managed and transferred, but accountability can never be.
Paying vendors on time
Why is it important to pay suppliers and vendors on time?
No matter how big or small the organization, cash flow is essential. If you have access to operating cash, you can manage and grow your business more successfully. When it comes to having trouble being paid on time, most suppliers are in the same position as you. Although you may not have thought of it that way before, suppliers (which are mostly small companies) place a great deal of importance on cash flow. That is why so many of them offer benefits such as early payment discounts.
In other words, if you have better cash flow, you can help your suppliers have better cash flow too, and open numerous doors to opportunities for growth. Let’s look at it.
Should you pay early?
Typically, providers don’t offer discounts for paying invoices early. The industry norm, competitors’ discounts, and the customer’s payment history, among other things, all play a role in determining the size of any reduction. A Net 30 invoice might be discounted by 1%–2% if it is paid within 15–20 days. Even though it may seem like a small reduction, it can add up to significant savings over time, especially if you work with several vendors and suppliers who offer incentives for early payment.
If you do not see such a term on the invoice, ask your suppliers what would happen if you paid them early. Cash is king, so don’t be afraid to use cash flow to your advantage. Don’t simply pay in advance; ask your merchants and suppliers to give you a reason to pay them earlier.
The Dangers of NOT Paying Your Purchase Invoices On Time
Every business wants to be compensated fairly and promptly for the labor, products, and services they deliver. Why should it be any different when you receive a supplier invoice? You wouldn’t anticipate doing your food shopping and then paying for it three months later. 76% of UK firms are being required to wait at least a month above their stated contract terms before receiving payment, according to a survey from Bacs Direct Credit. The culture of late payments has an impact on the entire supply chain, forcing many business owners to make difficult choices in order to survive.
• 20% of boards of directors have reduced their salaries to keep money within the company.
• 26% of companies depend on their overdrafts to remain operational.
• Due to problems with business cash flow brought on by unpaid invoices, 23% of small businesses have paid their suppliers after the due date.
• SMEs incur extra expenses of about £677 per month that are directly related to late payments. 63% of these are connected to administrative time spent pursuing unpaid invoices.
• 25% of SMEs claim that £20,000 or less is sufficient to endanger their company’s future.
What are the risks, though, for companies that consistently pay their invoices late?
It is your obligation as a buyer to abide by any payment conditions you decide to accept.
Failure to pay your invoices on time could result in the following:
• Your relationship with your suppliers can suffer. Your account can be put on hold, preventing you from ordering the essential supplies your business needs when you need them. The way you manage the link between sales and purchases also affects your profit margins: because of late payment, any discounts offered for early payment are not available to you.
• It could harm the reputation of your business since, if people don’t trust you, they won’t want to do business with you. It could also be interpreted as a sign that your company is having trouble.
• It can have a negative impact on your business’ credit standing, making it challenging to obtain a credit account in the future.
• It is a legal requirement. Every company in the public-sector supply chain must abide by the government regulation introduced on February 25, 2015, which stipulates 30-day payment terms. Additionally, to increase accountability, public agencies are required to report annually on late payments.
• For every day you go beyond the agreed payment terms, you can be charged interest. Under the Late Payment of Commercial Debts legislation, businesses may charge interest at 8% above the Bank of England base rate on late payment of commercial debts (unless the contract specifies a different rate). This can add up significantly in a very short time.
• Late payment is considered a breach of contract. Ultimately, it can lead to a breach-of-contract claim and legal action.
• A number of overdue bills leaves you with an unclear picture of your company’s finances and obligations, which hampers your ability to make sound financial decisions.
• It has a detrimental impact on the UK economy as a whole, limiting corporate expansion and impeding the creation of new business prospects.
Workshop Exercises
IT Transformation Risks Exercises
01. Technology Risks: Explain in your own words how this process will directly impact upon your department?
02. Workforce Risks: Explain in your own words how this process will directly impact upon your department?
03. Automation Risks: Explain in your own words how this process will directly impact upon your department?
04. Compliance Risks: Explain in your own words how this process will directly impact upon your department?
05. Cloud Risks: Explain in your own words how this process will directly impact upon your department?
06. Cybersecurity Risks: Explain in your own words how this process will directly impact upon your department?
07. Resiliency Risks: Explain in your own words how this process will directly impact upon your department?
08. Third Party Risks: Explain in your own words how this process will directly impact upon your department?
SWOT & MOST Analysis Exercises
01. Undertake a detailed SWOT Analysis in order to identify your department’s internal strengths and weaknesses and external opportunities and threats in relation to each of the 8 IT Transformation Risks processes featured above. Undertake this task together with your department’s stakeholders in order to encourage collaborative evaluation.
02. Develop a detailed MOST Analysis in order to establish your department’s: Mission; Objectives; Strategies and Tasks in relation to IT Transformation Risks. Undertake this task together with all of your department’s stakeholders in order to encourage collaborative evaluation.
Project Studies
Project Study (Part 1) – Customer Service
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 2) – E-Business
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 3) – Finance
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 4) – Globalization
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 5) – Human Resources
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 6) – Information Technology
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 7) – Legal
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 8) – Management
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 9) – Marketing
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 10) – Production
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 11) – Logistics
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Project Study (Part 12) – Education
The Head of this Department is to provide a detailed report relating to the IT Transformation Risks process that has been implemented within their department, together with all key stakeholders, as a result of conducting this workshop, incorporating process: planning; development; implementation; management; and review. Your process should feature the following 8 parts:
01. Technology Risks
02. Workforce Risks
03. Automation Risks
04. Compliance Risks
05. Cloud Risks
06. Cybersecurity Risks
07. Resiliency Risks
08. Third Party Risks
Please include the results of the initial evaluation and assessment.
Program Benefits
Information Technology
- Agile IT processes
- Improved value delivery
- Decreased defects
- Continuous improvement
- Modernized infrastructure
- Re-tooled staff
- Increased morale
- IT Business partnership
- Meaningful metrics
- Effective sourcing
Management
- Decreased costs
- Aligned strategies
- Servant leadership
- Clarified priorities
- Improved effectiveness
- Improved transparency
- Reduced risk
- Measurable results
- Satisfied customers
- Vendor partnerships
Human Resources
- Empowered teams
- Servant leaders
- Re-tooled staff
- Improved teamwork
- Enhanced collaboration
- Improved performance
- Reduced turnover
- Improved loyalty
- Leadership development
- Employee development
Client Telephone Conference (CTC)
If you have any questions or if you would like to arrange a Client Telephone Conference (CTC) to discuss this particular Unique Consulting Service Proposition (UCSP) in more detail, please CLICK HERE.