WhiteHelm End to End Network Security
Risk Assessment


Risk assessment by corporations has been refocused to include risks associated with the implementation of complex information technology, the use of increasingly sophisticated financial instruments and multi-jurisdictional regulations for environmental, health and safety standards. For many corporations, operational processes have undergone profound change as the traditional layered approach to control has been stripped away and re-engineered processes implemented.

What does all this mean for internal audit? Many corporations are pausing to re-evaluate the traditional role and responsibility of internal audit within the corporation. The role of internal audit as a "corporate financial accounting cop" is vanishing.

In today's environment, internal auditors must be capable of monitoring the extent to which internal controls are appropriately aligned with a diverse and increasingly complex arena of corporate risks. Corporations are acknowledging that an effective internal audit group can help the corporation achieve its business objectives by ensuring that risk and internal controls have been properly aligned, and then monitoring the implementation of those internal controls.

How important is internal audit to the corporation? This question is being asked both by directors and senior executives. For many corporations the response is: "Important but not core."

As with many other important but non-core activities, corporations are increasingly turning to outsourcing as the optimum means to achieve a multidisciplinary team of internal auditors to assist in monitoring the complex range of corporate risks and controls.

Outsourcing provides a cost-effective means to ensure that skilled expertise is available to monitor the risk and controls for areas such as enterprise-wide systems, firewall installations, data security, treasury, supply chain activities, environment, health and safety. Many corporations are also discovering that outsourcing is not an "all or none" option. Outsourcing can range from the complete outsource of the entire internal audit department to strategic outsourcing of certain parts of the internal audit plan, like information technology security control assessment.

A key issue to consider when evaluating full or strategic outsourcing alternatives is the availability and mobility of existing skilled employee resources to meet the corporation's internal audit needs. Other important considerations are the average retention period of internal audit staff and the cost of maintaining an in-house internal audit group, including salaries and benefits, overhead, training and technology tools.

For multinationals, the ability and effectiveness of the internal audit group to service multi-jurisdictional subsidiaries and divisions is frequently evaluated.

The existing internal audit group might also provide a training ground for future managers and executives. The willingness and ability of an internal audit outsource provider to support a corporate training program by including corporate employees on various internal audit assignments should be assessed.

Strategic outsourcing is an alternative where the existing internal audit group provides practical, value-added business recommendations but lacks the necessary skill to evaluate internal controls supporting specific complex business activities.

The final decision to enter into either a full or strategic internal audit outsourcing arrangement should be driven by the practical business needs of the corporation. However, in reaching either decision, a corporation cannot delegate responsibility for implementing and maintaining an effective internal control environment. That responsibility will always reside with the board of directors and management.

The internal audit outsourcer's responsibility is to assist the corporation to achieve its business objectives by ensuring that risk and internal controls have been properly aligned, and then to monitor the implementation of those internal controls.

  • How can you enhance shareholder value through effective enterprise-wide risk management strategies?
  • How do you determine which risks to take, which to avoid, which to manage, and which to accept?
  • How do you decide where to allocate resources among a variety of options with different risks and potential rewards?
  • How do you develop and implement effective enterprise-wide risk management processes throughout an organisation?

Objectives and Risk Assessment

In order to answer these critical questions, our Strategic Risk Services (SRS) specialists work closely with senior management to clarify and articulate your organisation's overall business objectives and the strategies identified to achieve those objectives. We then work with you and designated business or functional units, through a series of one-on-one meetings and facilitated group sessions, to identify and assess the key risks that can jeopardise achievement of your goals, evaluate the likelihood of occurrence and potential impact, assess the strategies in place to mitigate those exposures, and identify and prioritise additional or alternative risk mitigation strategies needed. Our objectives-based approach to risk assessment and management ensures that major focus is directed at protecting against the risks that would have the greatest impact on realising your objectives. An improved understanding of your organisation's objectives and risk profile provides the foundation for focusing your entire organisation on the critical role risk management plays in the achievement of the organisation's goals.

Enterprise-Wide Risk Management

Traditional one-point-in-time risk assessment models have been made obsolete by today's rapid pace of change. Clients are increasingly concerned about their ability to effectively and efficiently manage the risks associated with these swift changes. In order to address these concerns, today's best practices in risk management focus on proactive and continuous enterprise-wide risk management. Our specialists incorporate our proven Objective Risk Control Alignment methodology and partner with you to design, implement and embed a comprehensive enterprise-wide risk management architecture within the organisation. Our state-of-the-art methodology brings this process to life by providing real-time, continuous risk assessment and management that is integrated into the strategic plan and day-to-day operations of your organisation. This process results in a culture shift that empowers each business and functional unit to take responsibility and be accountable for risk management.

Harness the Power of Risk

Risk is powerful. It can drag you down or, if properly managed, it can enable you to realise your strategic objectives. The perspective on risk is changing. Traditionally, risk management focused solely on protecting the organisation from hazards or uncertainties. Today, risk is increasingly seen on a continuum that incorporates the downside view of risk and progresses beyond to include the opportunity-driven, calculated risks taken as part of a proactive strategic plan to capitalise on opportunities in order to realise desired rewards. Taking too little risk and over-managing or avoiding risk altogether can be as much of a management failure as taking too much unmanaged risk. Our specialists build processes within the organisation to help you determine which risks to take, which risks to avoid, which risks to manage, and how to manage them. We help you harness the power of risk to enhance shareholder value.

Some of the benefits which can be realised include:

  • Enhanced shareholder value
  • Improved reputation
  • Increased ability to achieve strategic objectives
  • Improved decision-making and smarter allocation of resources
  • Reduced likelihood of control breakdowns and crises
  • Clear alignment between objectives, risks, and risk management strategies
  • Continuous, real-time risk assessment, management, measurement, and monitoring
  • Risk management responsibility driven to each business unit and individual
  • Improved accuracy of management reports.

Some Methodologies For Risk Assessment

  • Failure Mode and Effects Analysis: Examines each potential failure condition in a system to determine the severity of the impact to the system.
  • HAZOP (Hazard and Operability): Examines process and engineering intentions to assess the potential hazards that can arise from deviations from design specifications.
  • Historical Analysis: Examines the frequency of past incidents to determine the probability of a condition recurring.
  • Human-Error Analysis: Examines the possible impact of human intervention and error on a system.
  • Probabilistic Risk Assessment: Examines the probability that a combination of events will lead to a particular condition.
  • Tree Analysis: A family of analysis methods, such as event tree, attack tree, management-oversight tree and fault tree, that focuses on processes or a sequence of events that may lead to a particular condition.
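As an added illustration of the probabilistic and tree-analysis methods listed above (example code written for this page, not WhiteHelm's own material), the following Python builds a small fault tree for a control breakdown with constructed, illustrative probabilities, computes the top-event probability assuming independent basic events, and lists the minimal cut sets, the smallest combinations of basic events that are each sufficient to cause the top event. All event names and probabilities are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List

@dataclass
class BasicEvent:
    name: str
    p: float            # probability of occurring within the assessment period

@dataclass
class Gate:
    name: str
    kind: str           # "AND": all inputs needed; "OR": any one input suffices
    inputs: List[object]

def probability(node) -> float:
    """Probability of the node's condition, treating basic events as independent."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - q for q in ps)   # OR: at least one input occurs

def minimal_cut_sets(node) -> set:
    """Smallest combinations of basic events that are each sufficient for the node."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*children)
    else:  # AND: pick one cut set from every input and merge them
        sets = {frozenset()}
        for cs in children:
            sets = {a | b for a in sets for b in cs}
    return {s for s in sets if not any(o < s for o in sets)}  # drop non-minimal

# Constructed sample tree with illustrative probabilities (not real data)
FW = BasicEvent("FW_MISCONFIG", 0.05)
PATCH = BasicEvent("UNPATCHED_SERVICE", 0.10)
CREDS = BasicEvent("WEAK_DB_CREDS", 0.20)
INSIDER = BasicEvent("INSIDER_EXPORT", 0.02)
REACH = Gate("db_server_reachable_from_internet", "OR", [FW, PATCH])
EXTERNAL = Gate("external_data_theft", "AND", [REACH, CREDS])
TOP = Gate("customer_data_disclosed", "OR", [EXTERNAL, INSIDER])

if __name__ == "__main__":
    print(f"P({TOP.name}) = {probability(TOP):.5f}")
    for cs in sorted(minimal_cut_sets(TOP), key=sorted):
        print("minimal cut set:", sorted(cs))
```

The single-event cut set shows where one control failure alone reaches the top event, which is the usual first place to add a compensating control or monitoring.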

Services

  • Enterprise-Wide Risk Management
  • Framework Design and Implementation
  • Enterprise-Wide Risk Management Monitoring
  • Office of Chief Risk Officer Development
  • Risk Management Best Practices Benchmarking.

When to Use Risk Analysis

Risk analysis is most useful when applied during the system design phase of an application or system so that potential losses may be identified and security requirements defined right from the start. Experience has shown that implementing security controls during the design phase is far less costly than retrofitting such controls after a computer system is operational. Nonetheless, for those systems already in operation, risk analysis can identify vulnerabilities for which corrective action can be taken. Risk analysis conducted during any phase of a computer system life cycle should use an approach for reducing the loss of personnel efficacy, information, equipment, and processing capability.

Please call 0870 421 4023 to find out more about our risk assessment services, or e-mail risk.team@Whitehelm.com requesting more information.



Copyright ©2004-2007 Whitehelm Network Security Ltd