27-10final

Interview
UNHAPPY
‘Modern slavery has
rightly been made a
priority across law
enforcement, but it is a
hidden crime so the
onus is on us to seek it
out.’
Will Kerr, the National
Crime Agency’s Director
of Vulnerabilities.
continued ... from page 30
IT, for example
a priority, and escalated
or not. The various arms
of the business such as IT
and human resources, and
research and development,
and legal, have their own
sub-risk groups, that feed
into the overall register.
The scoring is from one
to five, the lower the
better. How effective
is the control? One for
complete, five for not at
all. What’s the likelihood
of the risk happening?
One for very unlikely,
five for highly likely, and
grades in between. And
likewise with impact, from
one for negligible to five
for big. As a visual aid,
the evaluation of the risk
is coloured in a ‘traffic
light’ system: green is all
right, yellow is to keep
and eye on, red is ‘do
something about this’. It
takes a spreadsheet to,
even if only briefly, type
the nature of the risk and
its history of what you’ve
done.
A good example that Guy takes is
IT assets. It’s not giving away any
corporate secret that Suntory staff
use laptops and other kit; like anyone
else, they run the risk of losing them,
whether in error or theft. The risks
go further. It only takes a click to
let in malware; and worse still if the
business is running on an unsupported
programme such as Windows XP,
as parts of the National Health
were found out in May thanks to
the Wannacry ransomware. “It was
encouraging,” Guy says, “that we had
no breach.” But as an example of how
risk management is not a one-off,
but a process that you halt at your
peril, Guy adds that Suntory comes
under such cyber attacks consistently;
the same as anyone else; and has
measures to combat that. The register
also gives the risk a category (in the
case of IT assets, technological) and it
has a named ‘owner’. Cyber security
policy is documented, so that people
know what to do if something does go
wrong. Another control mechanism
that Guy points out, that’s easily
overlooked, is capex estimates. As
he says, you have a team to evaluate
risk; but have you estimated what
the budgetary cost would be, for
what’s proposed - to encrypt every
laptop, for example, or to pull staff
away for cyber awareness training?
Do you need to factor that in? Later,
Guy points out the temptation to
actually or at least say you’re going
to throw money at a problem; if you
have that money; and what if you
can only find that money by taking
it from elsewhere. Hence the scoring
of risk matters, to give some sense
to priorities. To leave Guy for a
minute; it may have seemed sensible,
or an acceptable risk to skimp on a
Windows update; only to prove a
false economy when you can’t do
a thing because you’re a victim of
ransomware. Back to Suntory. Once
they complete a control (such as
that training of staff), they assess
how effective it is, and give a new
score and priority to the risk; most
obviously, seeking to bring the red
down to a yellow or green.
Attention to detail
As Guy sets it out, it becomes plain
that such attention to detail is the only
way to keep up with everything - the
visible and the invisible cyber - that
can and does happen to a business.
The sub-risk groups send their
findings into what Guy describes as
a clearing house, that evaluates. To
stay with the IT assets as a risk; IT
flag it, but is the risk really at a level
that they say it is? Thus you build the
‘master risk register’, that Guy and
colleagues will work on continuously:
“So it should always be a live
document.” It’s subjective, as Guy
admits - to stay with the example, IT,
close to the risk, have one evaluation
of the risk, others another. Likewise,
how many risks do you list: a top ten?
15? 50? When if ever is it sensible to
stop?
Routine
Guy now calls up another document,
the ‘corporate governance cycle
time-line’. Again, it’s hardly giving
away a secret that inside the 12-month
year, divided into quarters, you
have a routine that begins with
the risk sub-groups reporting to
Guy and colleagues to collate. The
clearing house meets, to judge those
identified risks. Updates go to a risk
management committee, that may
invite the head of the IT risk sub-team
to talk about a particularly burning
issue. Next, an ethics and compliance
committee meets; to take everything
in the round. Then the register goes in
front of the board. And you finish the
loop, with the sub-groups beginning
again: “So you are constantly trying
to refresh that risk. In an ideal world,
you wouldn’t get to a point where the
risk registers were static.”
Movers and shakers
Another document Guy shows is
the numbered top risks. Guy shows
his age by likening it to ‘Top of the
Pops’; what are the ‘movers and
shakers’. Instead of pop music, it’s
familiar UK business stuff: Brexit,
supply chain, IT. As Guy says,
pointing towards the screen: “So
much of this I would argue would be
pretty consistent for most business
sectors.” Guy closes by showing a
Venn diagram; the three overlapping
circles represent crisis management,
risk management and business
continuity planning. In the middle
is a enterprise risk management
system. Again, it’ll be familiar to
other corporates, who may express it
differently, in a quadrant for example.
And like any other multi-national
company, Suntory needs a way
to pass on between countries an
identified risk. Some risks straddle
countries, such as the general data
protection regulation, that is due to
come into force in 2018; sensibly, as
it’s European Union-wide, Suntory
are working on it at a European
level. Given that any product can
have ingredients from one country
(or continent) taken to a factory in
another, and sold in another, if a
‘Watchdog’ TV show in one country
unveils some compliance failing,
whether a car or a washing machine,
it may damage the wider reputation of
the business. Underlying all this, you
assume, that the physical premises
security of your factory is sound; and
that is where we’ll go next. p
32 OCTOBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk