A real crisis is happening now and if we really want to reduce losses for our organization then we will need to adjust our focus. We don’t have to wait for any pandemic or catastrophe to strike; organizations are experiencing losses that range between $35 billion and $500 billion per month. If these losses are the result of best practices that are intended to protect our organizations from crisis, then some might even consider these regulations and best practices to be gravely dysfunctional.
Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. When business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible—or to ignore the governing laws and regulations completely. Every company weighs the cost of protecting personal data with the cost of what it would take to notify customers if a breach occurred.
It is not rational to promote best practices and guidelines that do not meet the real needs of today’s technologically-rich organization.
Are Ineffective controls the result of:
- Too Many or Confusing Regulations?
- Dysfunctional Best Practices, Guidelines and Processes?
- Inferior Internal Controls?
- Mediocre, Ineffective and Inadequately trained Audit Oversight?
- IT Complexity?
- Lack of Risk Awareness?
- Focus on the wrong Risks?
- Probability Neglect?
- Heuristic Bias?
- Subjective and Intuitive Judgment Error?
- Combination of all of the above
Regulatory Landscape:
- There is a plethora of regulatory compliance rules that companies must be aware of and mitigate the risk of non-compliance is exhausting. The regulatory landscape is full of compliance land mines for the unaware organization. From Sarbanes-Oxley, HIPAA, Basel II, Graham-Leach-Bliley, SEC Rules 6835 & 17-a, TREAD Act, FCC-LSOG, USA Patriot Act, California Security Breach Notice Law and the list may as well go on ad infinitum. There are services that organizations now subscribe to just to keep up with all the regs.
- In addition, there are a large group of guidelines and best practices that are intended to protect our organizations from crisis i.e. BCM Institute, British Standard BS25999, ISO 22301, HB 221:2004, HB 292:2006, NFPA 1600:2007, MS 1970:2007, ISACA, CObIT, ASIS, ITIL.
State of the Technology:
- The Ponemon Institute estimates that worldwide organizational are losing over $35 Billion monthly from data center downtime.
- Meta Group estimates that businesses lose an average of $1 million in revenue for every hour of downtime.
- Nicholas G. Carr point out in his seminal Harvard Business Review article IT Doesn’t Matter, “today, an IT disruption can paralyze a company’s ability to make products, deliver its services, and connect with its customers, not to mention foul its reputation … even a brief disruption in availability of technology can be devastating.”
- Roger Sessions also attempts to quantify the problem in his The IT Complexity Crisis: Danger and Opportunity, in which he calculates that IT failures are costing businesses $6.18 trillion per year worldwide. The cost of IT failure is paid year after year, with no end in sight. If this trend continues, within another five years or so a total IT meltdown may be unavoidable.
BCM must begin to apply the principals of ‘Prospect Theory’ and loss aversion to promote better decisions regarding operational resiliency, high availability and disaster recovery.