Risk and controls go together like salt and pepper.
It’s just that sometimes we forget about the ever changing relationship between the two, and instead spend a lot of fruitless time remediating controls in IT based on past assumptions or simply their severity, without any relationship to current business risks, complimentary controls or changed conditions.
The following story about the experience of one organization helps explain the importance of paying attention to changing risks and controls. Similar conditions at your organization are purely coincidental.
Acme Conglomerate (not the real name of the organization) depended on its financial transaction processing systems to accurately account for store-sales during its heaviest seasons and for routine month- and quarter-end rollups and reporting.
Originally staged on mainframes, the relevant applications were migrated several times to other platforms, including System/36 minicomputers, and then onto PCs. About two years ago the applications were virtualized and run on demand, as needed and from whatever PCs were available.
When the applications were hosted on the mainframes, they were assigned a “severity level 1″ rating if the applications were degraded or not available. The impact of the Sev-Level 1 rating for applications is that someone in IT is dispatched to immediately investigate and restore services as rapidly as possible. The time frame associated with resumption of service for the applications is two hours at Acme Conglomerate.
The assignment of Sev level 1 for these applications have not changed since first assigned, when the applications were first deployed on the mainframe. Since then, the retail portion of Acme’s business has declined from 76 percent of its revenues to 22 percent of its revenues.
A brief look at the severity level (or “Sev level”) assignments at Acme Conglomerate reveals:
Sev-levels at Acme Conglomerate
Sev 1: assigned to mission-critical production systems being down with no workaround immediately available
Sev 2: assigned to noticeable changes in performance or throughput for some critical systems that are operating in a restricted manner
Sev 3: assigned to degraded functions or performance impacting only some users of the IT systems
Sev 4: assigned to routine problems affecting a small number of users of IT systems
The original thinking had been that these financial recording and reporting applications were critical to Acme’s financial reporting, that the mainframe being used to generate the information was an expensive resource, and that the inability to produce accurate financial data could lead to business risks the organization wanted to avoid.
Over the years the changes that occurred included, the acquisition of non-retail businesses that represented a larger share of the organizations business, cheaper and more easily replaced IT resources, leading eventually to virtualization and run-anywhere, anytime for the applications. In addition, complementary controls evolved with the evolution of the platforms to deal with notification and more automated forms of remote-recovery in case something was not working. And, one other thing changed: in the past six years the company has had to report on material impacts from operational events related to its financial reporting.
Despite the changes in its business, its systems and complementary controls, Acme Conglomerate has kept the assignment of Sev 1 with these retail financial rollup applications, even when it’s no longer warranted.
Was this a major problem for the company? No, but it did waste resources, including time and money that could have been been spent on more critical issues. And, because IT was forced to treat this application as “Sev 1″ well after it was necessary, additional expenses were borne to treat other Sev-1 problems that posed much higher business risks for the organization.
Which severity level is appropriate at Acme Conglomerate?
Given the changes in its business, its regulatory reporting requirements covering the information and controls, and the systems being used to run these applications, what severity level would you assign to this?
Severity levels and risk
The use of severity levels plays a critically important role by informing people about events that should be responded to, and importantly, what they should do to respond and in what time-frame. But, severity levels are not the only marker to use when making decisions about mitigating actions.
And, business downtime is not the only possible business risk related to the use of information systems. Examples of others include events impacting intellectual property, the brand of the organization, Internet security threats, and other high-profile threats.
But frequently, we forget to take into account the business risks, and as happened at Acme, we forget to update our assumptions about risk as conditions change.
For some organizations, the lessons have been to develop, implement and maintain a centralized Risk Register, while for others the nature of operations dictates the use of different Risk Registers, some of which are IT-focused, others of which are line-of-business focused. Which approach – business or IT-focused – do you think is delivering better results?
For others, the use of formal change-control boards and change-management systems are required for IT-related resource employed in a production capacity. Why is the use of formal change control procedures helpful?
For others, Sev-levels have been re-thought. For example, I know of some organizations where Severity level 1 is now only associated with potential death or injury, and all other threat-events have lower severity levels associated with them. At others, I’ve seen a time-dimension added to the categorization of threats and severity levels, which includes the impact of non-trivial Internet security threats. At other organizations, the use of automated asset discovery procedures and mappings of assets against regulatory mandates, risk registers, controls, severity levels and policies is common.
To see additional practices, download a free copy of the latest research, Data Driven Reporting and Communicating about IT, at the IT Policy Compliance Group.
What are some of the lessons learned at your organization?
Some additional resources:
Severity Levels and Security, Vista Internet Bank Audits. www.internetbankingaudits.com/severity_levels.htm
Severity Levels, Columbia University. services.cuit.columbia.edu/definition-severity-levels
Risk register, Wikipedia. en.wikipedia.org/wiki/Risk_register
Benefits of a Change Control Board, PMI. blogs.pmi.org/blog/voices_on_project_management/2011/07/the-benefits-of-a-change-contr.html
Risk and controls, U. Central Florida pegasus.cc.ucf.edu/~inspgen/RisksControls.htm
Evolution of Risk and Controls, KPMG. www.kpmg.com.cn/en/virtual_library/Audit/The_evolution_of_risk.pdf
Operational Risk Systems and Controls, FSA-UK. www.fsa.gov.uk/pubs/cp/cp142.pdf