How Citicus ONE works

Why risk programmes fail

• Over-complex approaches to risk assessment
• Inability to measure risk objectively
• Turf wars between departments
• Lack of tools to automate the process in a reproducible way
• Lack of co-operation on the ground
• Lack of resources to drive and run the risk management initiative
• Immature processes and reporting structures.

Secrets of success from case studies

• Keep risk fact-gathering simple
• Ensure your risk programme is constructive rather than blame-oriented
• Produce meaningful results that capture the attention of busy decision-makers
• Show that incidents are not an inescapable feature of business life
• Make risk management a personal responsibility
• Cause pressure to filter down so it motivates others to act
• Get the organizational arrangements right
• Highlight where to focus scarce resources
• Gain top management commitment

Statistical insights

• It is what happens 'on the ground' that determines risk, and this is mainly driven by the business 'owners' of individual assets, processes, facilities and parties - not central staff.
• Establishing a 'pretty good, all-round level of protection' is far more effective than a mix of strong, medium and weak controls (which is the norm).
• Minor incidents are highly predictive of major ones.
• Risk is heightened by special circumstances like scale, complexity, immaturity.
• The business impact of incidents is easily assessed - but generally is not. That's why few organizations understand the 'business impact of insecurity'.

Citicus ONE is designed for deployment across an enterprise under the control of a programme director or manager, normally based at headquarters.

In a small organization, the programme director or member of his or her staff generally uses Citicus ONE directly to evaluate risk and compliance. In a larger enterprise, he or she generally orchestrates the process instead, using a network of local co-ordinators, as shown opposite.

Local co-ordinators become responsible for facilitating evaluations and progressing remediation activity within particular risk areas and parts of the enterprise.

This approach scales well in even the largest enterprise since the evaluation workload is divided up between members of a ‘virtual team’. Such teams have orchestrated hundreds, sometimes thousands, of evaluations in surprisingly brief periods.

Members of the virtual team can be easily set up in Citicus ONE and can use the system to:

• define the business applications, components of IT infrastructure, suppliers, sites or processes that they wish to assess
• evaluate each one's criticality or risk status, in conjunction with its business owner

Using Citicus ONE, risk ratings can be presented to the owner concerned as soon as each evaluation is completed, and are easily updated (eg as weaknesses are remedied). Ratings can also be aggregated periodically to provide decision-makers with a continuing view of their organization’s risk and compliance status.

As illustrated opposite, the process starts with its 'discovery phase'. This is where the assets, processes, facilities and / or external parties that fall within the scope of a risk programme are identified and set up in Citicus ONE, along with details of their business 'owners'.

This can be done in a variety of ways (eg by consulting documentary sources, uploading data from external data sources).

Perhaps the best is for a local co-ordinator to sit down with the general manager of his or her part of the enterprise and its local subject expert (eg head of IT, purchasing manager) and ask What are the assets, processes, facilities and / or external parties that are most important to our part of the enterprise?

This gives your local co-ordinator an opportunity to introduce the programme to the business and local subject expert, gets them thinking together and ensures that the programme starts from a business perspective.

Once the assets, processes, facilities and / or external parties that fall within the scope of your risk programme are identified and set up in Citicus ONE your programme can move to the 'criticality assessment' phase.

This involves the business 'owner' of each 'target of evaluation' completing a simple,1-page form that records the 'owners' judgement about the worst that could happen to your enterprise if his or her target of evaluation was compromised in some way.

Note: Citicus ONE does not take probability into account when assessing criticality. That comes later. Instead, the emphasis is understanding what's at stake for the enterprise if the worst happens. It is the failure to prepare adequately for the 'worst case' that precipitated the 2008 collapse of the financial services sector.

Criticality assessment forms can be completed in minutes (15 minutes is more than adequate in most cases).

To avoid subjectivity, a harm reference table is presented to help 'owners' employ a common scale for considering harm, and to consider all possible types of harm that the enterprise could suffer. This can be easily configured to suit the concerns of your organization.

The criticality assessment form can be completed on paper, by typing directly into the system (which can be used for this without training) or - best of all - by a facilitator sitting alongside the business 'owner'. This takes more effort (2 x 15 minutes or so) but offers an opportunity to explain the programme and help the 'owner' think through his or her worst-case scenario.

Once the assessment is submitted, Citicus ONE will present the 'owner' with a Criticality status report and the 'owner's criticality ratings can be ranked with others that have been completed. See Results produced for a closer look at Citicus ONE's outstanding reporting capabilities.

The Criticality league tables produced by Phase II provide an excellent, factual basis for determining which assets, processes, facilities and / or external parties warrant full evaluation. We recommend that you focus your resources on the assets, processes, facilities and / or external parties that are ranked at the top end of your corporate Criticality league table(s).

For each of these, we recommend that risk is evaluated by bringing key people together at a 3-hour risk workshop to complete a risk scorecard under the guidance of a trained facilitator. Normally, this will be the local co-ordinator of the part of the enterprise of risk area supported by the asset, process, facility or external party.

It's crucial he or she involves the right people: starting with the business 'owner' concerned. He or she will generally be able to advise who else should be present. Ideally, this should be people with first-hand experience of running or working with the target of evaluation.

Completing the scorecard entails jointly reviewing the criticality ratings that have previously been entered and then assessing the status of four other factors that determine or indicate risk, namely:

• status of controls (ie the arrangements made to protect the enterprise from incidents that could disrupt the asset, process, facility or services provided by an external party)
• special circumstances that apply (eg complexity, scale, immaturity)
• level of threat as indicated by experience of incidents
• the business impact of such incidents

These factors have been found to be fundamental to any assessment of risk.

Once completed, the system will generate a risk status report along with other results that record the discussion. See Results produced for more details.

Once criticality assessments have been completed, you can move on to the 'risk and compliance evaluation' phase.

Please note: while it's common to hear of 'questionnaire fatigue' in global businesses, this complaint is not often heard at risk workshops supported by Citicus ONE, as indicated by the following representative comments:

"The process has been excellent in gaining a common understanding of the risk we face"

"I'm very pleased with the education and communication that came out of this"

"I can’t remember the last time we sat down together like this (it’s all been in silos)"

Comments recorded at end of real evaluations

Citicus ONE supports a continuing risk and compliance management process. Thus, once the initial risk evaluations have been completed, the focus shifts towards 'business as usual'. This principally involves:

• updating scorecards and criticality assessments as things change (eg new 'owners', experience of incidents,
• completion of remediation activity)
• monitoring progress in completing remediation activity and individual asset, activity, process or supplier level
• identifying remediation activity that is best carried out at part of enterprise or enterprise level (eg awareness programmes, stronger policies, better continuity planning).
• reporting on progress at local and enterprise level
• arranging criticality assessments and risk evaluations for new assets, facilities, processes or external parties.

Citicus ONE provides excellent facilities to help you with the 'business as usual' phase. For example, risk evaluations can be updated in minutes by issuing a fresh scorecard, automatically populating it with the results of previous evaluation. All the completer has to do then is to vary the rating that's changed. Results will then be recalculated and presented in a way that shows the improvement over time.

Similarly, its oversight facilities enable you to review remediation activity as a whole or within parts of the enterprise under your control; and it offers first-rate facilities for consolidating, reporting and exporting ratings. See Results produced for more details.