Interview<br />
UNHAPPY<br />
‘Modern slavery has rightly been made a priority across law enforcement, but it is a hidden crime so the onus is on us to seek it out.’<br />
Will Kerr, the National Crime Agency’s Director of Vulnerabilities.<br />
continued ... from page 30<br />
IT, for example a priority, and escalated or not. The various arms of the business such as IT and human resources, and research and development, and legal, have their own sub-risk groups, that feed into the overall register. The scoring is from one to five, the lower the better. How effective is the control? One for complete, five for not at all. What’s the likelihood of the risk happening? One for very unlikely, five for highly likely, and grades in between. And likewise with impact, from one for negligible to five for big. As a visual aid, the evaluation of the risk is coloured in a ‘traffic light’ system: green is all right, yellow is to keep an eye on, red is ‘do something about this’. It takes a spreadsheet to type, even if only briefly, the nature of the risk and the history of what you’ve done about it.<br />
A good example that Guy takes is IT assets. It’s not giving away any corporate secret that Suntory staff use laptops and other kit; like anyone else, they run the risk of losing them, whether in error or theft. The risks go further. It only takes a click to let in malware; and worse still if the business is running on an unsupported programme such as Windows XP, as parts of the National Health were found out in May thanks to the WannaCry ransomware. “It was encouraging,” Guy says, “that we had no breach.” But as an example of how risk management is not a one-off, but a process that you halt at your peril, Guy adds that Suntory comes under such cyber attacks consistently, the same as anyone else, and has measures to combat that. The register also gives the risk a category (in the case of IT assets, technological) and it has a named ‘owner’. Cyber security policy is documented, so that people know what to do if something does go wrong. Another control mechanism that Guy points out, that’s easily overlooked, is capex estimates. As he says, you have a team to evaluate risk; but have you estimated what the budgetary cost would be, for what’s proposed - to encrypt every laptop, for example, or to pull staff away for cyber awareness training? Do you need to factor that in? Later, Guy points out the temptation to throw money at a problem, or at least to say you’re going to; if you have that money - and what if you can only find that money by taking it from elsewhere? Hence the scoring of risk matters, to give some sense to priorities. To leave Guy for a minute: it may have seemed sensible, or an acceptable risk, to skimp on a Windows update, only to prove a false economy when you can’t do a thing because you’re a victim of ransomware. Back to Suntory. Once they complete a control (such as that training of staff), they assess how effective it is, and give a new score and priority to the risk; most obviously, seeking to bring the red down to a yellow or green.<br />
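As an added worked example (not Suntory’s or the magazine’s own tool), the register described above in Python: three one-to-five scores, a category and named owner, a brief history, a traffic-light colour, and a re-score once a control is complete, with sub-group registers collated into a master register ordered by urgency. The rule that combines the three scores and the colour thresholds are assumptions, since the article gives only the scales and the colours; the owner name and the starting scores are constructed.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # every score runs 1 to 5, the lower the better, as in the article


@dataclass
class Risk:
    """One register entry: category, named owner, three scores and a brief history."""
    name: str
    category: str    # e.g. "technological" for IT assets
    owner: str       # the named 'owner' of the risk
    control: int     # how effective is the control? 1 = complete, 5 = not at all
    likelihood: int  # 1 = very unlikely, 5 = highly likely
    impact: int      # 1 = negligible, 5 = big
    history: list = field(default_factory=list)  # what has been done, briefly

    def __post_init__(self):
        for value in (self.control, self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"scores must be 1-5, got {value}")

    def score(self) -> float:
        # Assumed combination rule (the article gives the scales, not a formula):
        # likelihood x impact, weighted by how weak the control is (control / 5).
        return self.likelihood * self.impact * self.control / 5

    def traffic_light(self) -> str:
        # Assumed thresholds; the article names only the three colours.
        s = self.score()
        return "red" if s >= 12 else "yellow" if s >= 5 else "green"

    def complete_control(self, action: str, control: int, likelihood: int, impact: int) -> str:
        """Record a completed control, re-score the risk and return its new colour."""
        before = self.traffic_light()
        self.control, self.likelihood, self.impact = control, likelihood, impact
        self.__post_init__()  # re-validate the new scores
        self.history.append(f"{action}: {before} -> {self.traffic_light()}")
        return self.traffic_light()


def master_register(*sub_registers: list) -> list:
    """Collate the sub-risk groups' registers, most urgent (highest score) first."""
    combined = [risk for register in sub_registers for risk in register]
    return sorted(combined, key=lambda risk: risk.score(), reverse=True)


# Constructed walk-through of the IT assets example: starts red, then re-scored
# after each of the two controls the article mentions.
it_assets = Risk("IT assets", "technological", "Head of IT (hypothetical)", 4, 4, 4)
it_assets.complete_control("encrypt every laptop", control=3, likelihood=3, impact=3)
it_assets.complete_control("cyber awareness training", control=2, likelihood=3, impact=4)
```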
Attention to detail<br />
As Guy sets it out, it becomes plain that such attention to detail is the only way to keep up with everything - the visible and the invisible cyber - that can and does happen to a business. The sub-risk groups send their findings into what Guy describes as a clearing house, that evaluates. To stay with the IT assets as a risk: IT flag it, but is the risk really at the level that they say it is? Thus you build the ‘master risk register’, that Guy and colleagues will work on continuously: “So it should always be a live document.” It’s subjective, as Guy admits - to stay with the example, IT, close to the risk, have one evaluation of the risk, others another. Likewise, how many risks do you list: a top ten? 15? 50? When, if ever, is it sensible to stop?<br />
Routine<br />
Guy now calls up another document, the ‘corporate governance cycle time-line’. Again, it’s hardly giving away a secret that inside the 12-month year, divided into quarters, you have a routine that begins with the risk sub-groups reporting to Guy and colleagues to collate. The clearing house meets, to judge those identified risks. Updates go to a risk management committee, that may invite the head of the IT risk sub-team to talk about a particularly burning issue. Next, an ethics and compliance committee meets, to take everything in the round. Then the register goes in front of the board. And you finish the loop, with the sub-groups beginning again: “So you are constantly trying to refresh that risk. In an ideal world, you wouldn’t get to a point where the risk registers were static.”<br />
Movers and shakers<br />
Another document Guy shows is the numbered top risks. Guy shows his age by likening it to ‘Top of the Pops’: what are the ‘movers and shakers’? Instead of pop music, it’s familiar UK business stuff: Brexit, supply chain, IT. As Guy says, pointing towards the screen: “So much of this I would argue would be pretty consistent for most business sectors.” Guy closes by showing a Venn diagram; the three overlapping circles represent crisis management, risk management and business continuity planning. In the middle is an enterprise risk management system. Again, it’ll be familiar to other corporates, who may express it differently, in a quadrant for example. And like any other multi-national company, Suntory needs a way to pass on between countries an identified risk. Some risks straddle countries, such as the general data protection regulation, that is due to come into force in 2018; sensibly, as it’s European Union-wide, Suntory are working on it at a European level. Given that any product can have ingredients from one country (or continent) taken to a factory in another, and sold in another, if a ‘Watchdog’ TV show in one country unveils some compliance failing, whether a car or a washing machine, it may damage the wider reputation of the business. Underlying all this, you assume that the physical premises security of your factory is sound; and that is where we’ll go next.<br />
32 OCTOBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk