
Jon Seals

Wednesday, 13 August 2014 16:02

The Role of Executive Management in ERM

Ultimate responsibility for ERM starts at the top. However, everyone who matters within an organization should participate in the ERM process.

While several executives have significant responsibilities for ERM, including the Chief Risk Officer, Chief Financial Officer, Chief Legal Officer and Chief Audit Executive, the ERM process works best when all key managers of the organization contribute. The COSO ERM framework states that managers of the organization “support the entity’s risk management philosophy, promote compliance with its risk appetite and manage risks within their [respective] spheres of responsibility consistent with risk tolerances.” Therefore, identifying leaders throughout the organization and gaining their support is critical to successful implementation of ERM.

A goal of ERM is to incorporate risk considerations into the organization’s agenda and decision-making processes. This means that ultimately, every manager is responsible, which can only happen when performance goals, including the related risk tolerances, are clearly articulated, and the appropriate individuals are held accountable for results.

...

http://www.corporatecomplianceinsights.com/the-role-of-executive-management-in-erm

One question often posed to me is how to think through some of the relationships a company has with its various third parties in order to reasonably risk rank them. Initially I would break this down into sales and supply chain to begin any such analysis. Anecdotally, it is said that over 95% of all Foreign Corrupt Practices Act (FCPA) enforcement actions involve third parties, so this is one area where companies need to put some thoughtful consideration. However, the key is that if you employ a “check-the-box” approach it may not only be inefficient but, more importantly, ineffective. This is because each compliance program should be tailored to an organization’s specific needs, risks and challenges. The information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company, generally, to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

...

https://tfoxlaw.wordpress.com/2014/08/13/thinking-through-risk-rankings-of-third-parties/

Wednesday, 13 August 2014 15:59

What IBM's New Chip Means for Data

By now, you’ve heard all the hoopla over IBM’s new brain-like chip. There’s little doubt that this is significant chip innovation, but what interests me is what this new development means for data.

Most of the news has focused on the similarities between SyNAPSE's TrueNorth and the human brain. Actually, as revealed last week, the technology represents 16 million neuron chips, which is a good deal short of the 100 billion neurons in the human brain, according to the UK’s University of Manchester Computer Engineering Professor Steve Furber.

Furber is a co-designer of the original ARM processor chip in the 1980s. For the past three years, he has worked on a project that would model 1 billion neurons, according to the UK Register.

...

http://www.itbusinessedge.com/blogs/integration/what-ibms-new-chip-means-for-data.html

During the process of developing a Business Continuity Plan or strategy it is easiest to focus on the larger picture: to understand the major impacts and potential roadblocks. But when putting that Plan on paper (figuratively or literally) it is time to think about more granular logistical needs and issues. One that is often overlooked is where – and how – the money will come from to pay for that recovery strategy. A good plan must document that process, or create one if it doesn’t already exist.

Even if one assumes that the organization will pay any price to recover its business operations in the most timely manner possible, questions remain:

  • Who has the authority to approve expenditures?
  • What are the limitations of that authority?
  • What is the process needed to gain approval of expenditures?
  • How will expenses be documented?
  • How will vendors and suppliers be paid?

If the Business Continuity Plan calls for moving personnel to another office many miles away, how will their transportation costs (airline or train tickets, fuel reimbursement) and lodging be paid?

...

http://ebrp.net/who-holds-the-purse-strings-on-incident-management-spending/

CHRISTCHURCH, New Zealand — You don’t see it, but you certainly know when it’s not there: infrastructure, the miles of underground pipes carrying drinking water, stormwater and wastewater, utilities such as gas and electricity, and fiber-optic and communications cables that spread like veins and arteries under the streets of a city.

No showers, no cups of tea or coffee, no flushing toilets, no lights, no heating, and no traffic lights — a modern bustling city immediately shuts down. Factor in damaged roads, bridges, and retaining walls above ground, and the situation is dire.

That calamity hit Christchurch, New Zealand, in a series of earthquakes that devastated the city in 2010 and 2011.

Most people here don’t see the extent of repair work going on underground. They just notice roadworks and seemingly millions of orange cones that have sprouted up all over the city. Yet the organization created to manage Christchurch’s infrastructure rebuild has a vital role, and it’s become something of a global model for how to put the guts of a city back together again quickly and efficiently after a disaster.

...

http://www.emergencymgmt.com/disaster/Christchurchs-SCIRT-Model-for-Rebuilding.html

By Charlie Maclean-Bristol

The first death caused by Ebola (officially Ebola virus disease (EVD)) outside Africa caught my eye this week; this was a Saudi national who had been visiting Sierra Leone.

Over the last few months the illness has spread through Guinea, Sierra Leone and Liberia, and the number of deaths has been growing.

At the time of writing there have been 932 deaths and over 1500 cases.

Apart from the first death outside Africa, the illness has recently spread to Nigeria, with one death and a number of other cases.

The spread to Nigeria, with its large population and strong links to Europe, makes it more likely that the illness could spread further.

...

http://www.continuitycentral.com/feature1213.html

By Tom Salkield

2014 started badly, by severely testing the UK’s flood defences. Information security professionals have a similarly precarious feel as they work to continuously hold back a flood of ever more sophisticated attacks and protect their information assets. Cybercrime, like the weather, is often unpredictable, but organizations can gain a competitive advantage by making risk-based decisions and investments to focus resources and get the best return on investment to prevent costly breaches of their defences.

The coverage of the flood damage to many areas of the UK dominated the news earlier this year. The debate still rages between those who argue that more should have been invested in planning and delivering effective defences, and those who claim that the volume of rain meant there was little more that could have been done to prevent the devastation.

...

http://www.continuitycentral.com/feature1214.html

Tripwire, Inc., has published the results of a survey of 215 attendees at the Black Hat USA 2014 security conference in Las Vegas, Nevada.

Industry research shows most breaches go undiscovered for weeks, months or even longer. Despite this evidence, 51 percent of respondents said their organization could detect a data breach on critical systems in 24 to 48 hours, 18 percent said it would take three days and 11 percent said within a week.

According to the Mandiant 2014 Threat Report, the average time required to detect breaches is 229 days. The report also states that the number of firms that detected their own breaches dropped from 37 percent in 2012 to 33 percent in 2013.

“I think the survey respondents are either fooling themselves or are naively optimistic,” said Dwayne Melancon, chief technology officer for Tripwire. “A majority of the respondents said they could detect a breach in less than a week, but historical data says it is likely to be months before they notice.”

...

http://www.continuitycentral.com/news07317.html

Agile project methodologies have their roots in the software industry, but the overall principle of staying close to market requirements can be applied in any sector. When risk management becomes difficult because of uncertainties like the weather or the economy, short agile cycles encourage a focus on objectives. This may make more sense than detailed planning that tries to put everything in place for the mid to long term. Efficiency and business continuity can be improved, on condition that communications remain open and productive with all stakeholders. So with these advantages, why don’t all organisations and projects jump on the agile bandwagon?

...

http://www.opscentre.com.au/blog/agility-business-continuity-and-communications-a-new-abc-for-some/

(MCT) — It’s been a little more than three months since the April 28 tornadoes ravaged a portion of Limestone County, and efforts continue to get residents back on their feet.

United Way of Athens-Limestone County has played an integral role in those efforts.

After the tornadoes, the nonprofit organization took on 75 long-term recovery cases, but that doesn’t include those who were provided other services, according to United Way Executive Director Kaye Young McFarlen.

Some needed quick, easy help on the front end; others were longer term and more involved.

...

http://www.emergencymgmt.com/disaster/United-Way-Chief-Alabama-Tornado-Recovery.html