continued from page 30

IT, for example a priority, and escalated or not. The various arms of the business, such as IT, human resources, research and development, and legal, have their own sub-risk groups that feed into the overall register. The scoring is from one to five, the lower the better. How effective is the control? One for complete, five for not at all. What’s the likelihood of the risk happening? One for very unlikely, five for highly likely, and grades in between. And likewise with impact, from one for negligible to five for big. As a visual aid, the evaluation of the risk is coloured in a ‘traffic light’ system: green is all right, yellow is to keep an eye on, red is ‘do something about this’. It takes a spreadsheet to record, even if only briefly, the nature of the risk and the history of what you’ve done about it.

A good example that Guy takes is IT assets. It’s not giving away any corporate secret that Suntory staff use laptops and other kit; like anyone else, they run the risk of losing them, whether in error or to theft. The risks go further. It only takes a click to let in malware; and worse still if the business is running on an unsupported program such as Windows XP, as parts of the National Health Service found out in May thanks to the WannaCry ransomware. “It was encouraging,” Guy says, “that we had no breach.” But as an example of how risk management is not a one-off, but a process that you halt at your peril, Guy adds that Suntory comes under such cyber attacks consistently, the same as anyone else, and has measures to combat them. The register also gives the risk a category (in the case of IT assets, technological) and it has a named ‘owner’.
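The register described above, with its one-to-five scores for control, likelihood and impact, a category and a named owner, and the later re-scoring once a control is completed, as an added worked example (not Suntory’s own tooling): the combining formula and the traffic-light thresholds are assumptions, since the article gives only the scales and the colours.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds (not from the article): a rating at or below GREEN_MAX is
# green, at or below YELLOW_MAX is yellow, anything higher is red.
GREEN_MAX, YELLOW_MAX = 6, 12


@dataclass
class Risk:
    name: str
    category: str          # e.g. "technological" for IT assets
    owner: str             # the named owner in the register
    control: int           # 1 = control complete ... 5 = no control at all
    likelihood: int        # 1 = very unlikely ... 5 = highly likely
    impact: int            # 1 = negligible ... 5 = big
    history: list = field(default_factory=list)   # what has been done, and when the colour moved

    def __post_init__(self):
        for v in (self.control, self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("scores run from 1 (best) to 5 (worst)")

    def rating(self) -> float:
        # Assumed formula: inherent exposure (likelihood x impact) scaled by the
        # share of the risk the control still leaves open (control / 5).
        return self.likelihood * self.impact * (self.control / 5)

    def colour(self) -> str:
        r = self.rating()
        return "green" if r <= GREEN_MAX else "yellow" if r <= YELLOW_MAX else "red"

    def complete_control(self, action: str, new_control: int,
                         new_likelihood: Optional[int] = None) -> str:
        # Once a control is done (encrypting laptops, awareness training), the risk
        # is re-scored and the move is recorded so the register stays a live document.
        before = self.colour()
        self.control = new_control
        if new_likelihood is not None:
            self.likelihood = new_likelihood
        self.__post_init__()
        self.history.append(f"{action}: {before} -> {self.colour()}")
        return self.colour()


def top_risks(register, n=10):
    # The numbered "top risks" list: highest residual rating first.
    return sorted(register, key=lambda r: r.rating(), reverse=True)[:n]
```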
Cyber security policy is documented, so that people know what to do if something does go wrong. Another control mechanism that Guy points out, and that’s easily overlooked, is capex estimates. As he says, you have a team to evaluate risk; but have you estimated what the budgetary cost would be for what’s proposed, to encrypt every laptop, for example, or to pull staff away for cyber awareness training? Do you need to factor that in? Later, Guy points out the temptation to throw money at a problem, or at least to say you’re going to; if you have that money; and what if you can only find that money by taking it from elsewhere? Hence the scoring of risk matters, to give some sense to priorities. To leave Guy for a minute: it may have seemed sensible, or an acceptable risk, to skimp on a Windows update; only to prove a false economy when you can’t do a thing because you’re a victim of ransomware. Back to Suntory. Once they complete a control (such as that training of staff), they assess how effective it is, and give a new score and priority to the risk; most obviously, seeking to bring the red down to a yellow or green.

Attention to detail

As Guy sets it out, it becomes plain that such attention to detail is the only way to keep up with everything, the visible and the invisible cyber, that can and does happen to a business. The sub-risk groups send their findings into what Guy describes as a clearing house, which evaluates them. To stay with IT assets as a risk: IT flag it, but is the risk really at the level they say it is? Thus you build the ‘master risk register’, which Guy and colleagues will work on continuously: “So it should always be a live document.” It’s subjective, as Guy admits; to stay with the example, IT, close to the risk, have one evaluation of the risk, others another. Likewise, how many risks do you list: a top ten? 15? 50? When, if ever, is it sensible to stop?

Routine

Guy now calls up another document, the ‘corporate governance cycle time-line’.
Again, it’s hardly giving away a secret that inside the 12-month year, divided into quarters, you have a routine that begins with the risk sub-groups reporting to Guy and colleagues to collate. The clearing house meets, to judge those identified risks. Updates go to a risk management committee, which may invite the head of the IT risk sub-team to talk about a particularly burning issue. Next, an ethics and compliance committee meets, to take everything in the round. Then the register goes in front of the board. And you finish the loop, with the sub-groups beginning again: “So you are constantly trying to refresh that risk. In an ideal world, you wouldn’t get to a point where the risk registers were static.”

Movers and shakers

Another document Guy shows is the numbered top risks. Guy shows his age by likening it to ‘Top of the Pops’: what are the ‘movers and shakers’? Instead of pop music, it’s familiar UK business stuff: Brexit, supply chain, IT. As Guy says, pointing towards the screen: “So much of this I would argue would be pretty consistent for most business sectors.” Guy closes by showing a Venn diagram; the three overlapping circles represent crisis management, risk management and business continuity planning. In the middle is an enterprise risk management system. Again, it’ll be familiar to other corporates, who may express it differently, in a quadrant for example. And like any other multi-national company, Suntory needs a way to pass on an identified risk between countries. Some risks straddle countries, such as the General Data Protection Regulation, which is due to come into force in 2018; sensibly, as it’s European Union-wide, Suntory are working on it at a European level. Given that any product can have ingredients from one country (or continent) taken to a factory in another, and sold in another, if a ‘Watchdog’ TV show in one country unveils some compliance failing, whether in a car or a washing machine, it may damage the wider reputation of the business.
Underlying all this, you assume that the physical premises security of your factory is sound; and that is where we’ll go next. p 32 OCTOBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk