How Risk Management Can Fail: Identifying Critical Assets for Business Preparedness

One might wonder why it is crucial to identify the right standard when there are so many to choose from. Let me illustrate with a past client's experience. They wanted to build a program based on the NIST SP 800-53 security and privacy controls. However, our initial assessment revealed that this standard did not fit their assets or their threats. Despite our advice, they chose to work with another company that was willing to build around that standard, and the consequences were significant.

When they lost power and the refrigerators and freezers thawed, their program said nothing about a large inventory loss or how to keep customers satisfied while orders were delayed. The result was a severe financial hit, a loss of reputation, and a stark reminder of why risk management must be comprehensive. The program they spent tens of thousands to develop did not address the threats actually present in their landscape.

Previously, I provided a high-level overview of how to protect your business. This article explores the first steps of defining the risks, the PLAN stage of the PLAN-DO-CHECK-ACT (PDCA) lifecycle.

Understanding what you are protecting

This is the process of identifying what you need to protect. The online bakery had multiple assets that needed protection. We identified them as: critical data (customer records, email, recipes, accounts payable and receivable); systems (PC logins, software, the credit card and order tracking systems); and the facility itself, including physical access, cold and warehouse storage, and shipping and receiving.

Though the customer felt the credit card processing and customer data were the most vital assets to protect, they failed to account for the controls and protections already in place. That risk was already largely mitigated: a third party ran and processed all credit card transactions, and card data was never entered into or stored in their online ordering software.

Start your program and planning by identifying the items at risk and which of them you can control. Items that a third-party vendor manages are outside your direct control; there, the control is the contract and a service level agreement acceptable to your company, even though you still own the risk. Understanding what you can control is key to making the right decisions about the risks associated with each asset or business function. This is why having a company like ours, or a good risk manager, is so important.

Draft a policy to support your objectives.

The policy can and should align with the standards applicable to your industry, and more than one standard may apply. A general standard for a smaller company might be the Disaster Recovery Institute International's Professional Practices, although it applies to companies of any size. Technology companies tend to adopt ISO standards, NIST, and COBIT, while the financial industry typically leans on the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook.

Regardless, a company is responsible for adapting standards as they make sense for its regulatory, shareholder and customer requirements, because the policy tells the business areas and risk managers what their programs must address. The policy documents the requirements; the risk program manager(s) are responsible for building a program that meets the policy through the procedures and controls they implement. The policy is a living document in the PDCA lifecycle and is periodically reviewed and revised.

Anything could happen; where do I start?

Once a policy is defined, standards identified, and your initial critical assets and business functions listed, your program manager(s) (or we) need to identify the gaps and prioritize them so you can begin to address or mitigate them.

This is the initiation of the detailed risk assessment. In the assessment, there are six primary areas to be concerned with (often called the Parkerian Hexad):

  1. Confidentiality – the asset is kept secret, or visible only to those who need to know.
  2. Possession – control of the asset, or loss of that control.
  3. Integrity – the asset has not been compromised or changed without authorization.
  4. Authenticity – the veracity of the claim of origin.
  5. Availability – is the asset accessible when needed?
  6. Utility – the usefulness of the asset in its current form.

*If you are exploring cyber security risks only, the first, third and fifth are often called the CIA Triad: Confidentiality, Integrity, and Availability. Business does not think in such simplistic terms.

All assets fall into one or more of these categories. After that, we initiate a Business Impact Analysis (BIA) intended to understand the impact in the key areas below:

  1. Reputational – will a loss reduce the company's reputation?
  2. Legal – could the loss result in legal repercussions, such as a breach of SLAs or contracts?
  3. Financial – what financial loss may occur, such as equipment, site repairs, and recovery costs?
  4. Sales – will the impact result in a loss of sales, current or future?
  5. Regulatory – what fines or penalties could a regulating agency impose?
  6. Other – what other impact should be considered?

Adapting can be challenging, but understanding that Risk = (Vulnerabilities x Threats x Consequences) is vital when weighing and prioritizing risks: the vulnerability and threat terms together approximate how likely a loss is, and the consequence term captures how bad it would be. Using the areas and scope defined in the policy focuses the planning on the relevant vulnerabilities, the threats that could exploit them, and the resulting consequences. The impact of each risk then follows.

The result should be a list of assets or business functions, a clear understanding of the potential loss, and its likelihood. Then we prioritize the risks and identify which you can control through prevention, detection, or recovery.
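As an added worked example (not the author's tool or template), the following Python script applies the Risk = Vulnerabilities x Threats x Consequences formula to a small constructed register modelled on the bakery's assets, scores the six BIA impact areas, and separates the gaps the company owns from the ones a vendor contract already covers. The 1-5 scales, the sample ratings, the threshold and the decision to sum the impact areas are all assumptions chosen for illustration.

```python
"""Constructed risk register for the bakery scenario (added example, not the author's).

Assumptions: vulnerability and threat likelihood are rated 1-5, each BIA impact
area 0-5, and consequence is the sum across the six BIA areas so that a loss
hitting product, reputation and sales at once outranks a single-area loss.
"""
from dataclasses import dataclass

IMPACT_AREAS = ("reputational", "legal", "financial", "sales", "regulatory", "other")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: int        # 1 (well protected) .. 5 (no control at all)
    threat_likelihood: int    # 1 (rare) .. 5 (expected)
    impact: dict              # BIA area -> 0 (none) .. 5 (severe)
    controllable: bool        # True when the company itself owns the control
    existing_control: str = ""

    def consequence(self) -> int:
        return sum(self.impact.get(area, 0) for area in IMPACT_AREAS)

    def score(self) -> int:
        # Risk = Vulnerabilities x Threats x Consequences
        return self.vulnerability * self.threat_likelihood * self.consequence()


def prioritize(risks):
    """Highest score first; ties broken by consequence, then by asset name."""
    return sorted(risks, key=lambda r: (-r.score(), -r.consequence(), r.asset))


def owned_gaps(risks, threshold):
    """Risks the company controls, at or above threshold, with no control in place."""
    return [r for r in prioritize(risks)
            if r.controllable and r.score() >= threshold and not r.existing_control]


def vendor_managed(risks):
    """Risks transferred to a vendor: still owned, but mitigated through the contract/SLA."""
    return [r for r in risks if not r.controllable]


# Constructed sample register; the ratings are illustrative, not measured.
BAKERY_RISKS = [
    Risk("facility power", "multi-day utility outage", vulnerability=5, threat_likelihood=2,
         impact={"reputational": 4, "legal": 1, "financial": 5, "sales": 5}, controllable=True),
    Risk("facility access", "unauthorized entry to cold storage", vulnerability=3, threat_likelihood=2,
         impact={"financial": 3, "other": 2}, controllable=True),
    Risk("recipes and email", "theft or disclosure", vulnerability=3, threat_likelihood=2,
         impact={"reputational": 2, "financial": 2, "sales": 2}, controllable=True),
    Risk("card data", "breach of payment records", vulnerability=1, threat_likelihood=3,
         impact={"reputational": 5, "legal": 4, "financial": 4, "regulatory": 5}, controllable=False,
         existing_control="third-party processor; no card data stored locally"),
    Risk("ordering/inventory SaaS", "vendor outage", vulnerability=2, threat_likelihood=2,
         impact={"reputational": 2, "sales": 3}, controllable=False,
         existing_control="SaaS contract with SLA"),
]

if __name__ == "__main__":
    for r in prioritize(BAKERY_RISKS):
        owner = "owned" if r.controllable else "vendor"
        note = f"  [control: {r.existing_control}]" if r.existing_control else ""
        print(f"{r.score():4d}  {owner:6s}  {r.asset}: {r.threat}{note}")
    print("\nOwned gaps to address first:")
    for r in owned_gaps(BAKERY_RISKS, threshold=40):
        print(" -", r.asset)
```

With these constructed ratings the power outage scores highest even though its likelihood is rated low, because the consequence spans several BIA areas; the card-data breach scores above the recipe and access risks but is vendor-managed with an existing control, so it drops out of the list of gaps the company must close itself.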

Why is the BIA important?

Going back to my previous client, who ran an online bakery: the BIA identified the critical business functions as the baking process (manufacturing), food storage (warehouse), the shipping department, facility access, and third-party vendor risks. Though we may use third-party vendors to reduce risk, the company still owns the risk.

The company primarily used Software as a Service (SaaS), whose providers had contractual obligations to the bakery and a responsibility under those contracts to protect the critical information they held. Specifically, the website integrated with an ordering system, an inventory system, and a credit card processing system, all provided by third-party vendors, which reduced those risks.

We identified the risks they could control: the facility, supply chain options, some data (recipes and email), and shipping and receiving. The most critical was the facility itself, with site-specific risks in access management, electricity, food preparation, and shipping. Access management was key to mitigating several of these, since it let the company restrict areas to the personnel who needed access.

Management did not agree with our assessment and believed any risks to the facility were low probability. The business was in an urban area that rarely lost power, so they decided not to address this risk. They reasoned that the ~50K in sales they would make in a day or two would be minimally affected if they could not bake or ship for a few hours, and their workaround was that staff could work overtime to make up the difference.

Do not lose oversight of your gaps.

The bakery chose not to act on the risk assessment and the gaps identified by my team. They went with another vendor who focused on the areas the bakery thought it needed, and the mitigation costs and effort were much lower. Everything was fine until a fire quickly exposed the gaps that had not been considered or addressed. A local fire damaged transmission lines to several communities. Most of the roughly 100K customers initially affected had power restored within 24 hours, because the utility prioritized the repairs that would restore the most customers; the less populated lines came last.

The baker watched businesses and homes a block or two away get their power back while theirs stayed off. Without power, they could not bake, could not receive perishable deliveries, and could not ship the finished products that were already packed and ready to go. The cold storage and freezers warmed up, and ingredients and products began to spoil. When power was restored after five days, the bakery had lost a significant amount of ingredients and product and had plenty of angry customers.

The total loss was close to 130K in product sales and lost revenue, and employees were not paid for their time off.

In the end

Know that your business, like every other business, will not get everything right the first time. The policy and initial assessments are a starting point. If you are realistic, clearly understand what you can and cannot control, and prioritize accordingly, you will reduce risk.

If the bakery had installed a backup generator at the facility, or contracted with a local company to deliver, fuel, and maintain one in an emergency, the loss would have been largely avoided. It would have raised operating costs for that period, but the reputational hit from upset customers with delayed orders, the destroyed food, and the other impacts would have been addressed.

Their loss was a direct result of misidentifying the policies and risks they could control and were directly responsible for.

My next article will address the DO portion, the second phase of the PDCA lifecycle. It does not matter what size your company is; implementing this lifecycle will allow your risk management processes to mature, which should help ensure the company's sustainability.

James Knox is a resiliency expert with an innovative spirit who thrives when building meaningful solutions to various daily problems in the corporate world. He is an avid outdoorsman and loves extreme rock crawling, fishing, and hunting. As a survivalist, James has learned from necessity how to prepare for life’s bumps and thrive with practical and sensible solutions, supporting his family's self-sustaining lifestyle.