CA Community

September 2008 - Posts

Financial Crisis: Lessons in Risk Management

Published: September 29 2008, 04:00 AM | 6 Comment(s)
by Sumner Blount


The current financial crisis that we face has dominated the headlines recently. Many people on Main Street have asked "how could this have happened to our economy?... who was asleep at the switch?... who was managing this risk?"

These are certainly reasonable questions that we all are probably asking, even if only to ourselves. And, with home prices cratering, and the stock market in an occasional free-fall, virtually nobody is exempt from the impact of this crisis. Let's face it: it's a very scary situation for anyone who owns a home, or who has retirement money in the stock market.

There are endless debates about what happened, who's at fault, whether we should be bailing them out, and how this will impact the average American. Take a look at Burton Group's explanation (one of the better ones out there) for a quick primer.

I am not an expert in risk management, but you don't really have to be an expert to recognize the obvious failings of existing financial risk management models. In reading these scholarly analyses of the crisis, I am struck by two things.

First, the entire financial risk analysis was based on one simple assumption: that house prices would keep rising. As soon as that stops happening, all bets are off and all financial instruments backed by mortgages are vulnerable. How could these "experts" not have seen at least the potential for this turnaround? As a personal anecdote, I had to buy a house 2 years ago. I knew that prices were overheated, because the asking prices for houses in the Boston area were often a minimum of $100K higher than was reasonable. The greed and unrealistic expectations were obvious. Anybody could tell that when house prices are appreciating significantly faster than incomes, something's gotta give. How could all of these "financial experts" have based their entire strategy on such a simple (and obviously unrealistic) assumption?

The second thing worth noting is how easy it is to mis-quantify risk. Given the lack of income documentation required for many of these mortgages (giving rise to the term "liar loans"), or the potential for interest rate increases, most anyone with a little bit of knowledge could have determined that many of these mortgages were high risk. Yet, these mortgages were packaged together... essentially aggregating their risk... and were rated highly (AA+, etc.) by the ratings agencies. Basically, if a bunch of junk was sold by a reputable financial firm, the junk automatically acquired the strong reputation of the selling firm. Look closely at each investment vehicle, and you'll see high risk mortgages. Aggregate them together in some faceless group, and all of a sudden they became "blue chip investments."

We as a nation will be unwinding this Gordian financial knot possibly for years to come. But, it only serves to highlight the importance of basic assumptions on which financial risk models can be built, and the absolute critical nature of accurate assessment of the underlying risk of a given event.

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Where Security and GRC Intersect: Article in Business Management magazine

Published: September 26 2008, 04:30 AM | no comments
by Sumner Blount


Earlier this year, I wrote an article that was published in Business Management magazine on "The Changing Face of Compliance."

The article highlights some of the recent trends in compliance, and their impact on both security controls and overall GRC management.

At the time, I was on CA's security team, and I attempted to illustrate in this article the close linkage between security and GRC. You'll find this is a common topic of interest to the contributors here on the CA GRC blog as well, as we look to shed light on how security issues may impact your GRC initiatives.

I hope you find the Business Management article interesting, and welcome your comments.

Lessons Learned from "Personal" Risk Management

Published: September 24 2008, 04:00 AM | 3 Comment(s)
by Christopher Daugherty


Many of you reading this have purchased large ticket items like a home, condo, car, etc. These purchases are somewhat calculated expenditures and typically a large investment of your disposable income. If you are like me, these decisions are made after weighing alternatives while trying to predict future risks. You undoubtedly ask yourself questions like:
  • Will the home or condo appreciate and if so, at what rate?
  • What is the maintenance cost of the dwelling?
  • What repairs are needed and expected outlays?
  • Will the car hold its value, what is the anticipated maintenance, what is the automaker's history for this model, etc.?

The truth is, there are many more questions affecting these decisions than we could include here.

This process is what I call "personal risk management." All of us have done it and will continue to do so. Why is it, then, many companies have ignored following similar principles with the on-going health of the business? This is a debate with many different answers so I ask you to select the best answer for your employer:

a) Have not ignored as this keeps me awake at night!
b) Please restate the problem, I cannot hear well with my head buried in the sand.
c) We passed our SOX audit so we checked this off the list!
d) We are informed of the challenge but we have a business to run and profits to make
e) Is this what internal audit and risk management have been telling us?

I believe the concept of risk management is making a comeback; however, for many of us it never left. In the internal audit and risk management areas, it seems the past 5 years have been focused solely on becoming compliant with any number of state, federal, and international regulations. This is not comprehensive risk management, although compliance management is part of an overall risk management strategy. The regulations remain intact and are actually growing in number and scope with each passing day, so we must learn to efficiently meet these requirements. I continue to observe companies becoming more efficient in addressing compliance management, allowing more time to devote to other endeavors such as business risk management.

I also see organizations, both businesses and professional service firms, improving overall effectiveness by leveraging the information gained as part of their compliance initiatives. Companies are beginning to document processes beyond those of financial reporting and credit card processing to completely understand the business and flow of information. This can lead to more comprehensive documenting of the processes, procedures, and ultimately the controls in place derived from these areas to map to business risks along with relevant compliance requirements.

In the end, we can all learn from this by following in our professional lives the risk management principles we practice in our daily lives. Several compliance regulations are requiring companies to do just that by implementing a top down, risk-based approach when looking at business practices. This approach is not only good for compliance efforts; it is good for the business by potentially reducing time, energy, and in turn audit fees. This is a win-win for all parties involved.

By: Christopher Daugherty
Christopher Daugherty has over 14 years of consulting experience focused on technical assessments, ERP implementations, IT infrastructure management, IT governance, and information security. Today he is a Sr. Architect with CA, where he works with Fortune 500 companies to develop solutions involving...

The Challenge of Information Silos

Published: September 23 2008, 05:30 AM | no comments
by Sumner Blount


Many of the large companies that we at CA talk to about their risk and compliance activities have different approaches, with somewhat different challenges that they need to meet. Still, the one common element that virtually all of them have (at least to some degree) is the problem of "information silos."

The meaning of this description is fairly obvious: pockets of information spread around the organization which contain either similar, or in some cases, identical data relating to compliance activities. And, of course, when the same information is stored in multiple places, the opportunity for inconsistency is persistent.

The reason why this is such a pernicious problem is that the existence of these silos is often invisible to the people who need to know where this information is kept. A simple (and common) example is that of a SOX program team that conducts a test of some SOX controls, some of which are failing to operate effectively. The SOX team can attempt to initiate a project to remediate their controls, but these controls are also used for PCI compliance, and that program team is not aware of these control failures. The result is higher risk for PCI compliance that is invisible to upper management.

This situation also results in significant duplicated work, and some controls get tested redundantly, simply because information about previous tests is spread out around the organization in multiple spreadsheets.

It also makes it very hard to identify the total costs of compliance, since cost information tends to be spread around the organization, but more importantly, not tracked on a formal basis across all these units. Most companies tend to be spending much more on compliance than they are aware, because these "hidden costs" don't get captured sufficiently to help measure their total compliance costs.

As with almost any problem of duplicated information, it only gets worse over time. New regulations mean that there is more controls testing going on, and probably more groups within the company that need to obtain and track this type of information.

So, what's the solution? Well, it's obvious: a way of centralizing information about risk and compliance, and mapping (cross-referencing) it, so that everybody can always know the current status of all information objects (e.g., policies, controls, risks, remediation efforts) at any time. The challenge, though, is how to do this effectively and expeditiously. Simply finding where this information exists can be a significant challenge for a large organization. In addition, there are often major political challenges when attempting to centralize that information (and therefore remove it from local groups).
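As an added example that is not part of the original post, the following Python sketch shows the cross-reference idea in the smallest form that still does something: one registry holds every control, each mapped to the requirements it satisfies in more than one regulation, so a failed SOX test of a shared control immediately shows up as a PCI risk, and a recent passing result recorded by one program team is reused by another instead of being re-tested from a separate spreadsheet. The control IDs, requirement IDs, team names and the 90-day freshness window are hypothetical.

```python
"""Added example (not CA's code): a single control registry cross-referenced
to several regulations, so that one control test result is visible to every
program that depends on the control. All IDs and names are hypothetical."""

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class TestResult:
    tested_on: date
    effective: bool
    tested_by: str           # program team that ran the test


@dataclass
class Control:
    control_id: str
    description: str
    requirements: Set[str]   # requirement IDs satisfied, e.g. "SOX:ITGC-1", "PCI:7.1"
    results: List[TestResult] = field(default_factory=list)

    def latest(self) -> Optional[TestResult]:
        """Most recent test of this control, whichever team ran it."""
        return max(self.results, key=lambda r: r.tested_on) if self.results else None


class ControlRegistry:
    def __init__(self) -> None:
        self.controls: Dict[str, Control] = {}

    def add(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def record_test(self, control_id: str, tested_on: date,
                    effective: bool, tested_by: str) -> None:
        self.controls[control_id].results.append(
            TestResult(tested_on, effective, tested_by))

    @staticmethod
    def framework(req_id: str) -> str:
        # "SOX:ITGC-1" -> "SOX"; the prefix names the regulation the requirement belongs to
        return req_id.split(":", 1)[0]

    def frameworks_at_risk(self) -> Dict[str, List[str]]:
        """Every framework whose latest evidence includes a failing control,
        with the failing control IDs. A SOX-run test failure therefore
        surfaces under PCI too when the control is shared."""
        at_risk: Dict[str, List[str]] = {}
        for c in self.controls.values():
            latest = c.latest()
            if latest is not None and not latest.effective:
                for req in c.requirements:
                    at_risk.setdefault(self.framework(req), []).append(c.control_id)
        return {fw: sorted(ids) for fw, ids in at_risk.items()}

    def controls_to_test(self, framework: str, as_of: date,
                         max_age_days: int) -> List[str]:
        """Controls mapped to `framework` that lack a recent effective result.
        A passing result recorded by another program team within the window
        is reused rather than tested again."""
        due = []
        for c in self.controls.values():
            if not any(self.framework(r) == framework for r in c.requirements):
                continue
            latest = c.latest()
            stale = latest is None or (as_of - latest.tested_on).days > max_age_days
            if stale or not latest.effective:
                due.append(c.control_id)
        return sorted(due)


def build_sample_registry() -> ControlRegistry:
    """Constructed sample data: three controls, two of them shared by SOX and PCI."""
    reg = ControlRegistry()
    reg.add(Control("AC-01", "Quarterly review of privileged accounts",
                    {"SOX:ITGC-1", "PCI:7.1"}))
    reg.add(Control("CM-02", "Change tickets approved before production deploy",
                    {"SOX:ITGC-2", "PCI:6.4"}))
    reg.add(Control("LG-03", "Cardholder system logs retained one year",
                    {"PCI:10.7"}))
    # Only the SOX team has tested anything so far; AC-01 failed, CM-02 passed.
    reg.record_test("AC-01", date(2008, 8, 15), False, "SOX program")
    reg.record_test("CM-02", date(2008, 9, 1), True, "SOX program")
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print("Frameworks at risk:", registry.frameworks_at_risk())
    print("PCI controls still to test:",
          registry.controls_to_test("PCI", date(2008, 9, 20), 90))
```

With the sample data, the failed AC-01 test lands under both SOX and PCI even though only the SOX team ran it, and the PCI team's to-do list contains AC-01 (failing) and LG-03 (never tested) but not CM-02, whose recent passing result it can reuse. The freshness window is the knob that decides when a result stops being reusable.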

The bottom line is that information silos are probably the most common challenge in risk and compliance, but with sufficient planning (and political finesse), the problem can be solved.

Does Compliance Equal Security?

Published: September 22 2008, 04:00 AM | no comments
by Mike Hoefgen


In case you are one of the few CIOs or IT managers out there still asking this question, Network World offers up its answer in its "Does compliance equal security?" post in mid-August.

While it may be common understanding at this point, it's an important reminder that simply complying with a standard or regulation does not mean your company or information is secure. Pick your favorite authority document, from PCI DSS, ISO 27001/27002 and NIST 800-53 to COBIT and the FFIEC IT Handbook. They are all codified best practices. Implementing them is not a 100% guarantee of security: an audit attests that the controls in scope operated at a point in time, and says nothing about the systems outside that scope or about the day after the audit. Yes, they are all great first steps at securing your assets, but they are only first steps. If you have implemented any one of these frameworks within your organization, you are certainly on the right path!

But you are never done.

As the Network World article points out, compliance is not a checkbox. Neither is security.

We may become a little less focused on being secure from time to time. If ever you are feeling this way, check out the chronological listing of data breaches to remind yourself of where you could be if you stop your continuous efforts.

To paraphrase Arthur Robert Ashe, Jr.: Security is a journey, not a destination.

By: Mike Hoefgen
Mike Hoefgen has been helping clients solve business problems for over 20 years. Mike is currently a Principal Consultant with CA, Inc working with the Governance business unit and is based in Seattle. Mike holds a Bachelor of Science degree in electrical engineering from the University of Wisconsin...