This document discusses managing risk for your own business rather than trying to comply with various regulations. It recommends defining your business processes, assets, and priorities through risk analysis. Then get organized by collaborating across departments and formalizing methods. Practically apply this by right-sizing obligations, optimizing proactive approaches, and reducing complexity. Consider level of effort, insourcing vs outsourcing, and resilience over prevention. Finally, integrate risk management, development, and operations using systems thinking, feedback loops, and continual learning.
4. The Problem Space…
All these regulations and standards…
– PCI: Arbitrary & Capricious?
– HIPAA: Confusing & Misunderstood?
– NERC CIPs
Limited resources
Being reactive – how’s that working out?
6. Define Your Profile
How does your business operate?
What is most important to survival?
3 key attributes:
1. Business processes
2. Assets
3. Prioritization (via risk analysis)
8. Get Organized
Collaborate across the business
Formalize methods and policies
Identify strategic tools
– Improve communication
– Optimize quality
– Improve overall performance
12. Practical Application #2
Appropriate level of effort (LOE) and resources?
– Set a defensible definition of “good enough”
Insource vs. Outsource
– When to own it?
– When to transfer it out?
– What about insurance / self-insurance?
If you can’t win, then change the rules.
– Resilience, anti-fragile, survivability, rugged, etc.
– The goal is not to stop all bad things from happening!
Scaling Risk Management Practices
14. Practical Application #3
DevOps, RM, and the 3 Ways
Images: http://itrevolution.com/
Risk management cycle (diagram):
1. Context
2. Assessment
3. Treatment
4. Monitor & Review
Communication
15. The Three Ways
The First Way: Systems Thinking
The Second Way: Amplifying Feedback Loops
The Third Way: Culture of Continual Experimentation & Learning
Holistic, No Silos, Understand Value Streams
Communication, Rapid Response, Embed Knowledge
Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”
Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/
17. To Recap…
Understand the problem space
Define your risk profile
Get organized
Practical application
1. Tame the compliance beast
2. Scale risk management practices
3. The DevOps revolution
“More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space, and they’re getting crushed by countless regulations and standards. There must be a better way to manage the seemingly endless train of auditors and fire drills. Even more importantly, do any of these regulations reduce business risk and help improve business resilience? Just whose risk is really being managed? This presentation will discuss cost effective steps to regain control while simultaneously meeting regulatory obligations and achieving a legally defensible risk posture that helps ensure business survivability.”
http://www.scmagazine.com/manage-your-risk-not-somebody-elses/article/234885/
The Problem Space * All of these regs and stds... * Limited resources... * Being reactive isn't getting it done...
“More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space.”
PCI: Cisero’s (Park City), Genesco
Define Your Profile * How does the business operate? * What is most important in keeping the doors open and the paychecks printing? * 3 steps: business processes, assets, prioritization via risk analysis
Get Organized * collaborate with business leaders across multiple areas * formalize methods and policies * strategically deploy key technologies to optimize program quality and performance
Practical Application #1: Taming the Compliance Beast
Practical Application #2: Scaling Risk Management Practices
Scale risk management practices * What’s an appropriate level of effort and resources? -- Set a reasonable definition of sufficiency - that is, set a defensible definition of "good enough"! * Insource vs. Outsource: When to own it and when to transfer it out -- don't forget insurance options! * If you can’t win, then change the rules -- resilience, anti-fragile, survivability, rugged, whatever - the goal is not to stop all bad things from happening (impossible)
Practical Application #3: DevOps, RM, & The 3 Ways
Practical Application - DevOps, RM, & The 3 Ways * The First Way: Systems Thinking * The Second Way: Amplify Feedback Loops * The Third Way: Culture of Continual Experimentation and Learning
The Three Ways
- The First Way: Systems Thinking – The performance of the entire system is paramount. Silos must be eliminated in favor of managing the business as a whole, including looking at all business value streams and how they are enabled (or, conversely, hindered) by ICT. Defects cannot be allowed to flow downstream, and optimization must be considered globally instead of locally, in order to achieve a Deming-esque understanding of the system.
- The Second Way: Amplify Feedback Loops – Communication is vitally important, with a premium placed on ensuring that feedback is provided and incorporated quickly and at all levels. An interesting benefit of the second way is to also embed knowledge, which helps improve overall performance and quality while diminishing bottlenecks (as anticipated by the “theory of constraints”).
- The Third Way: Culture of Continual Experimentation and Learning – One of the largest challenges facing enterprises today is the notion of “technology debt.” How many ICT projects have languished, deprioritized by competing new work, only to crop up as a legacy failure point that introduces defects, continuously undermines performance, and, ultimately, business value? At the same time, experimentation and growth are of equal importance. As an example, consider the core values of Netflix corporate culture, which thrives on the “Freedom & Responsibility” mantra, and which encourages experimentation provided that problems are fixed quickly. Put another way, failing fast means learning fast, which not only enables creativity and innovation, but also results in more resilient code and operations.