Risk Management

Business risks exist inside and outside organizations.  Threats are physical and digital, all requiring appropriate mitigation measures.  We work with clients to balance tolerance, cost and response to achieve an acceptable business posture.  

Actionable Strategies brings experience from different perspectives.  As leaders working in top organizations, we have protected our own organizations, invoked and recovered from BCPs, advised others, developed solutions as vendors and audited organizations including ethical hacking.  This diversity of thought enables us to deliver the most effective business solutions for our clients.

Business Continuity Planning Methodology

Managing business continuity risk, while essential, is often overlooked until a major incident arises.  Developing an actionable Business Continuity Plan is not only prudent, but mandated in sensitive industries.  Actionable Strategies applies a BCP framework to deliver comprehensive results.

Business Continuity Planning spans human capital, operations, business process, ICT and enterprise software

Strategic Driver

Managing business risk, while essential, is often overlooked until a major incident arises.  Developing an actionable Business Continuity Plan is not only prudent, but mandated in sensitive industries. 

BCP Lifecycle Approach

BCP development follows a lifecycle and involves functions across an organization and outside of it.  Successful planners require strategic thinking, operational experience, facilitation and negotiation skills, financial abilities and pragmatism.

Governance

A crisis will impact both internal and external stakeholders.  Governance over BCP development must account for value chains that extend beyond the enterprise.  Likewise, invocation of the BCP impacts upstream and downstream organizations.

Business Impact and Risk Analyses

The foundation of a BCP addresses both risks and impacts applicable to the organization.  Risk Assessment is specific to the organization and aids in identification of risk mitigation opportunities.

The Business Impact Analysis determines the potential downsides to losing business functions.  The BIA also determines objectives for recovery including level of functionality and timeframe. 

Business Continuity Plan

BCPs identify recovery approaches for important processes encompassing different departments, IT systems and external parties.  Recovery forces the use of less functional As-Recovered processes in place of the As-Is processes.  BCPs consider different scenarios, dependencies during recovery and the impact of As-Recovered processes on stakeholders.  Options and contingencies should be identified in advance.

The BCP should be actionable and include activities, resources, timelines, dependencies and a budget.  It should incorporate communication plans and a temporary cross-functional organization.  The BCP should guide coordination of the As-Recovered processes once it is invoked, including the Resumption sub-process.

Key Considerations

Based on past experience, Actionable Strategies considers the following in creating a pragmatic BCP.

  • Exposure: Organizations are exposed to operational risks, both acceptable and not
  • Constraints: Capacity to protect the organization is limited by budget, staffing and business impact
  • Foresight: Crises dramatically alter the operating environment and necessitate significant changes
  • Recovery: Continuity of business should be limited in scope, covering critical processes
  • Actionable: To be effective, BCPs require testing against recovery objectives
  • Maintenance: Business continuity plans must be maintained as the business constantly evolves

Actionable Strategies’ Value

Actionable Strategies consultants have proven experience in developing and coordinating BCPs across demanding industries in the U.S. and other global markets.  Please contact us for further details.

Enterprise Risk Management Program

The client is among the top ten banks and asset managers globally.  It was unable to accurately report enterprise-wide risk and revenue by counterparty and country.  The exposure posed an unacceptable business threat visible at the Board of Directors level.

Actionable Strategies managed the program to successful completion: on schedule and within budget.  The client was able to understand enterprise risk for the entire customer base.

Client Profile

The client is among the top ten banks and asset managers globally with a presence in 36 countries and over 100 markets.  It deals with tens of trillions in assets for institutions and individuals.  Services include banking, clearing, custody and asset management. 

Situation/Problem

The client was unable to accurately report enterprise-wide risk and revenue by counterparty and country because of poor data quality in its central customer database.  The exposure posed an unacceptable business threat visible at the Board of Directors level.  Regulators from around the world also showed concern.

The underlying technical situation was an enterprise data management problem.  The central customer database was actually composed of two legacy systems.  After a merger, the combined bank continued to maintain data in both systems.  This prevented effective reporting across the two systems.  Data quality issues abounded as the databases were neither synchronized nor cleansed.

Multiple Legacy Systems

Information and processes exist in legacy systems confined to the heritage organizations where they were developed.  In addition to multiple core banking systems, duplicate data was housed in clearing, asset management and capital markets systems. 

Organizational Challenges

Business stakeholders all had their own interests.  While the program executive managed the board and senior executives, he required strong support to manage the diverse stakeholders.  Actionable Strategies was engaged because of our ability to work with executives, experience in banking and technical knowledge including legacy systems.

In-Flight Re-engineering

A strategic plan was formulated to re-engineer the customer database, while simultaneously remediating the data.  Numerous projects were created to execute the plan.  The basic categories included:

  • Data modeling
  • Data quality management
  • Process re-engineering
  • System renovation
  • Vendor management
  • Reporting and analytics

Re-engineering in-flight processes and systems is not only exceptionally difficult but requires vision across the organization and into the future.

Program Risks

The plan faced several significant implementation risks.

  1. Coordination across multiple technology and business teams as well as outside contractors
  2. Significant reengineering of business processes to enforce data quality at the source
  3. Remediation of existing data before application controls could be put in place, meaning data could not be maintained in its remediated state
  4. Solution depended on assumptions about the current and future state that could only be verified as the program proceeded

Approach/Solution

Actionable Strategies identified the critical program deliverables, assessed their current status and schedule, cost and delivery risk as well as their dependencies on other deliverables.  These findings were distilled into a program dashboard that provided clear indication as to what aspects of the program presented the greatest risks and what those risks implied for other elements of the program.  A streamlined process was then established to refine the program against its objectives on a monthly basis.

The program dashboard identified critical areas of significant risk to enable root cause analysis.  This identified the principal contributors to those risks and advised the program sponsor on specific actions to address those sources. 

As key assumptions regarding the data remediation approach were found to be sub-optimal, the program was able to re-factor that information to design an alternate approach that could still be implemented without serious impact on the program schedule. Actionable Strategies then took a leadership role in implementing the revised approach to remediation.

Business Results

By focusing on the delivery of key business objectives, the client was able to adapt the technology approach.  Adapting to an evolving understanding of data quality and the future state that was required to meet these objectives, the bank met internal and regulatory requirements without incident.

Likewise, by focusing on key dependencies and critical risks, the program was able to proactively address challenges and risks to the project plan.  The program came in within budget and schedule expectations despite constantly emerging challenges.

Based on this highly visible success, the client executive was assigned another large program.  He was subsequently recruited away by a competitor to run a key data initiative.

Data Loss Prevention Framework

Information can be a vital corporate asset.  In addition to reputational impact, financial costs of data leakage can be significant.  Information assets shared by customers and other individuals require even greater protection.

Risk management involves determining acceptable levels of risk for organizational assets.  This assessment must come from business leaders and operational stakeholders.

DLP should be consistent with overall ERM with respect to policies, processes and practices.  DLP should not diverge from ERM but extend it to encompass the exfiltration of relevant data assets.

Creating a model makes prevention possible through:

policies + processes + practices + people

A successful DLP engagement results in a sustainable model. 

  • Effective Policies Set: Crisp and meaningful
  • Processes: Lean and measurable
  • People: Right stakeholders involved
  • Technology: Aligned to the business problem