Beth Frasure 00:06
As you can see on the slide, I am a master business continuity professional with DRI. I’ve been in the industry for over a decade. Now, I don’t like to say any more than that because the lady never ages herself. But I’ve been doing this for a while. I’ve done risk assessments, I’ve done business continuity plans, disaster recovery plans, ITDR plans, the whole kit and caboodle. I’ve been involved in it.
Beth Frasure 00:28
So as she was saying, I am very passionate about business continuity, and I love to get on my soapbox. But today we’re going to focus on risk assessments. Now one of the things that I’ve noticed about risk assessments is that a lot of people struggle with it. It’s a particular process that a lot of people don’t know how to start off with or how to get into it, it seems like a very daunting task, and it can be. But first, before we dive too deep into that, let’s start off with some basic terms. Now, I know this is going to be review for some of some of you, but I want to make sure that we’re covering the terms I’m going to be using in this discussion so that we’re not losing anybody during the discussion. If at any time I use a term that you don’t know, please put it in the chat. If you don’t know it, more than likely somebody else doesn’t know it. And sometimes I get so into the industry jargon as far as business continuity jargon that sometimes I forget that something needs to be described. So please make sure you throw those in there. And Julie will go ahead and ping me and let me know when she needs to interrupt if I have to define a term.
Vocabulary Review
Beth Frasure 01:30
Now the first term we’re gonna go over is RTO, which is recovery time objective. Again, I know most of you probably know this, but I’m just gonna give a quick definition of it. Recovery time objective, the best way I found to describe that is how long can you have a process, function or an asset down? So can it be down for an hour? Can it be down for a week, whatever the case may be? The next term is recovery point objective, which is a point in time, it’s essentially how often does the data need to be restored? So essentially, how much data can you stand to lose in the event of some sort of outage or emergency? So what point of time do you need to look at to have that particular data backed up to? Assets, when I say the term assets, I’m referring to computers, people, buildings, applications, any of those. Assets in this aspect is going to be a very broad term. And then processes and functions. Processes or functions are essentially a duty that a particular business unit does whether it’s doing payroll or whether it’s doing some sort of ticketing system, or whether it’s inserting a ticket or creating a trade for a client, whatever the case may be. That’s kind of what I’m referring to on assets and functions. And then, now that we’ve covered the basic terms, we’re going to the next slide, we’ll go over the risk assessments, and then we’ll go into a risk matrix that we utilize, I’ll kind of dive deep into Octave, which is a risk methodology that I’ve used in the past, and then we’ll discuss a little bit about Veoci.
Which Type of Risk Assessment Should I Use?
Hazard Vulnerability Assessment
Beth Frasure 03:14
And if I start to talk way too fast, please let me know because I get excited. When I get excited about business continuity, I start to go at the rate of Speedy Gonzalez, for those of you that may know who that is. So the first one we’re going to review is hazard vulnerability assessment. Now, a hazard vulnerability assessment is event centric. And what I mean by that is it revolves around preparing for a particular event. For instance, if you’re preparing for hurricane, an earthquake or flooding, a server failure, it turns around and looks at building, the asset and identifying what risks you have based off of a particular event. Now, it’s strictly event related, and you’re going to have a plan for each one of those events. And then you’re going to look at how it could potentially impact you, impact your data, what is the probability of it happening, so on and so forth. So that’s what hazards vulnerability assessment, you see this more in the public sector and I use the public sector term very lightly. But you’re looking at hospitals will use a hazard vulnerability assessment, fire departments, police stations, things of that nature, because they have to take in consideration how it’s not only affecting their location, but it how it would also potentially affect the entire town or city or whatever the case may be, because they’re going to be impacted by that as well because they’re going to have an influx of patients they have to prepare for or an influx of fires they have to respond for during those events. So definitely that I see that more popular with the public sector as opposed to the private sector, and again, I use these terms very loosely.
How do you decide: Event vs Asset Based Risk Assessment
Beth Frasure 05:06
Now, event versus asset. The difference between this is you’re looking at, again, you’re looking at whether you’re going to use a HVA. Or if you’re going to use an asset based risk assessment methodology, and this I will go into in the next two of them. You have to decide for your company, which is going to be best. Do you need to prepare for all events? Or do you just need to look at an asset, and what happens if it’s down? Do you need to concentrate on if we lose this server, these applications are going to be affected, or if we lose, this team becomes unavailable, or this person becomes unavailable. And when I say asset, again, you’re looking at servers, people, application, hardware, equipment, locations, you’re taking those assets and breaking them down and analyzing the risks that could pose to those individual assets. So I’ve noticed this works a lot better for in my past lifetime, I worked for a financial firm and asset based risk assessment made a lot more sense. And I think it’s becoming more popular now that we a lot of the world has turned into a remote from home base, as opposed to having to physically go in an office, events aren’t as critical as they used to be. So a lot of companies have switched from the event centric risk assessment as opposed to doing a or have switched from the event risk assessment and then have gone to the asset risk assessment because it makes more sense. No longer we can find you a building and if the buildings affected, then the entire company is going to be dealing with a massive issue because that location is down. Now we’ve come more into you have ITDR plans, creating resumption plans, and creating backups for all of the systems where it’s no longer restricted to one location if one location goes down. Normally, most of the time, it can quickly or fairly quickly, depending on the criticality of the asset be brought back up in another data center location or whatever the case may be. So it really is personal preference, though, it’s really what’s going to work well with your company’s environment, your company’s production, how things work. Because obviously, an asset based risk assessment is not going to work for say a company that has a factory, because there’s specialized equipment, people have to go into that location, they have to be able to use that equipment to be able to complete those particular processes. That being said, some companies will decide you know what, these IT items, we can do an asset based risk assessment for the IT items and day to day items. But we need to do a resumption plans for these warehouses or these factories, and then turn around and do an event based risk assessment for those locations. So again, it’s just depends on your infrastructure and what’s going to work best not only for your infrastructure, but also your culture, your culture may be more that they understand event way better than they understand assets.
Beth Frasure 08:15
You really need to sit down, and my recommendation is get a steering committee. If you have a business continuity steering committee already, bring it up to them take those C suites when you have their ears and say, look, here’s some ideas that we can do for these risk assessment, what’s going to be the best, best practice? You know, and research and understand both of them thoroughly. And I’m always available for questions. So don’t hesitate to hit or shoot me an email if you have questions after the fact. Because when you start really getting into this, depending on where you’re at in the process, it can be very confusing, and it can be very overwhelming. When I started doing risk assessments, I looked at the risk assessment that me and my manager had decided to utilize and I’ll go over that that’s the Octave, I’ll go over that later. But I looked at it and I was overwhelmed. So it can be extremely overwhelming. But one of the things you really want to do is look at what you have in place already.
Beth Frasure 09:09
More than likely, if you’re working if you’re with the business continuity department, and this is something because you’re starting new, the IT department may already be doing one or your IT risk manager may be already doing one. And that’s where you can combine efforts and work together. Because you want to make sure that you’re utilizing the same risk assessment across the board. You don’t want John and IT risks doing one risk assessment. Let’s say he’s using the Octave method. And then you’re using an event centric risk assessment. You guys are duplicating efforts when you don’t need to be so definitely talk to him. Another thing that I always recommend, talk to your internal and I’m going to emphasize this because when I do this presentation in person, I always say, say it back to me, internal talk with your internal audit department. See what they’re looking for see what they’re I’m being asked to review as far as the business continuity programs. I became really good friends with my internal audit person and I was able to get an idea, okay, what are they, what is coming down the road? What do I need to prepare for next year? So that way I know to improve my business continuity plans, my risk assessment plans, ITDR, the whole kit and caboodle, I knew how to improve it ahead of time. I knew what was potentially coming down the road and what we were going to be audited on and what I needed to be prepared for. And normally, if you look at that internal audit, and you are able to have those candid conversations with them, it helps you with external audits, because they’re probably going to be looking, for the most part, for the exact same thing. And occasionally, you’ll get hit with something new or something that you weren’t prepared for. And then they give you the usually six months to a year to fix that. But definitely try to get on board with the internal audit, if you can, having those individuals in there is an amazing process, and an amazing help and asset to the entire program overall.
RTOs and RPOs
Beth Frasure 10:59
So now let’s go over the IT RTOs versus the business unit RTOs. And this is also the same for the RPOs as well. How this, this is how I initially started, it’s one of the simpler ways to do a risk assessment. And then you can also utilize it to do the gap analysis. So if you’re looking at the if you’re creating an ITDR plan, and then you’re looking at your business unit, business continuity plans, and you’re comparing the assets, and seeing what the RTOs and RPOs are, it’ll allow you to really assess your risk to see if there’s a risk. Hypothetically speaking, let’s say that IT has served at A with an RTO of a week. And the RPO is one week as well. So they’re considering that it’s important because it’s done once a week, but it’s not as critical. But the business unit comes back and says no, this is something that we’re constantly changing, we need that we can’t lose more than four hours worth of data and it can’t, the system cannot be down more than four hours.
Beth Frasure 12:01
There’s the assessment right there, you’re seeing that there’s a gap because IT department’s doing one thing, but the business continuity department or excuse me, the business unit is asking for another, it’s not matching up. So that’s the assessment that you’re doing. And then it goes very smoothly into the gap analysis, because then you can take the reasons the business unit is saying this is so critical and so important to take it back to the IT department. And this is where your negotiation skills come into play. Because normally what’s going to happen is the IT department is going to say, well, we can do that, but it’s going to cost you X amount of dollars, then you go back to the business unit and then they turn around and say well, no, maybe that’s not so important. We can stick to what we have a minute, things get updated and changed and it all matches up. That’s one of the easiest risk assessments that I have done. And I’ve noticed it’s the quickest to get off the ground, because you’ve already got your ITDR plans built. If not, you definitely can get those built, which is something that you should have. And then the business units can look at their business continuity plans and then it’s a kind of a back and forth until you go through that. But you’re being able to complete on the risk assessment as well as the gap analysis simultaneously.
The Octave Method
Beth Frasure 13:16
Now, let’s go into the Octave method. This is the very scary, very robust system, or, excuse me, robust risk assessment I said before. I’m going to ask stop here for a quick polling question if it will, let me.
Beth Frasure 13:37
So the first question I’m going to ask is, what aspects of the risk assessments are you struggling with? Are you struggling with getting started? Are you struggling with determining which methodology to use? Are you know getting upper management support? Which is extremely important because you always want to make sure you have the C suite. Are you struggling with finding an appropriate tool? Or is there other? And if there’s other if you answer other I’m going to ask the in the chat you put with that other is because I definitely would like to go through that. So we’re going to take a 30 second break to give everybody a chance to kind of answer that.
Beth Frasure 14:14
Looks like the biggest, oh, it looks like you guys are struggling with finding a tool. Well, that’s good to hear. It’s not good to hear obviously, because anybody is struggling is not a good thing to hear. But that’s good to know. It sounds like a lot of you already have, some of you are struggling with determining what methodology to use. And again, it’s just dependent on your culture. Are you really have to look at how you’re building your business continuity plans, how you’re doing your ITDR plans. I know some companies are still siloed, where the IT does their own thing, business continuity works with the business units, they do their own thing. So my recommendation is, if it’s siloed, like that, you’re probably wanting either going to go with the, the HVA, or you’re going to want to look at doing possibly an asset base, but then you’re going to have to get IT involved with that, that can be a little bit of a struggle. Now, the nice thing about those struggling to find a tool, Veoci is a great tool for doing the business con- or two for doing the risk assessments and the business continuity plans. So it’s definitely something that we can offer. Later on, I will ask a question about who would like a demo, and you can definitely add your name to the list. But we definitely have quite a few, HVA is one of the ones we have 100% built out. But the nice thing is, is Veoci is so customizable, if you already have a methodology that I haven’t listed here, or if it’s something that you guys have developed in house, we can create the system to match that. Veoci is a very customizable tool. And it’s really nice. We have some great solutions engineers that have built a lot. I’ve seen this system used for so many different things that using your first assessment would be pretty simple.
Beth Frasure 15:36
So let’s move on to the next question, because I got myself behind on my questions, because again, I got on my soapbox. Okay, so the next question I want to ask is, have you started your risk assessments?
Beth Frasure 16:48
I’m kind of getting an even split, which is kind of what I expect. And here’s the reason I say that COVID redirected us so badly in the business continuity world. We were in the process of updating our plans, doing our pandemic plans, doing all of our risk assessments, gap analysis and everything, and then everything shifted when COVID hit. So it does not surprise me at all that we’re at a 50/50 mix for that. Because I think some people were further along in the process where they were starting the risk assessments before the pandemic hit. And then some people were just getting into it and it was their next step in their process and COVID hit. So I mean, it definitely that does not surprise me at all, everybody’s going to be in a different process, or different steps in the process. Business continuity is not a one and done. It’s a constantly living program. It’s constantly changing. There’s constantly changes to industry, there’s constantly updates that need to be made.
Beth Frasure 17:45
And then the next question, and I’m just gonna let this question kind of sit there out there for a little bit. I want to find out what risk assessment methodology are you using now? And if it’s not listed, please put in the comments which ones you are using. And with that, will we leave that poll up for a while I’m gonna go on to the Octave method. Now, as I said, the octane method is is kind of a complicated system. Now. I am going to show and Julie, please confirm that you can see the page that I just put up on the screen for me, please.
Julie Reynolds 18:25
I am still looking at the poll. Oh, yeah. See, we can only show one thing at a time. So while we have the poll running, yeah.
Beth Frasure 18:34
That is good to know. I’ll give it a couple, I’ll give it another 30 seconds for the poll.
Julie Reynolds 18:41
In the meantime, Beth, we actually do have someone who’s wondering about ITDR, and what that stands for?
Beth Frasure 18:48
Oh, I apologize. ITDR is information technology disaster recovery. So essentially, think of it like the best way I’ve found to explain it to those not familiar with ITDR, is it’s a business continuity plan for the IT department. They’re obviously more focused on the process or the assets and the servers and the applications. They go more towards the back end of things as opposed to dealing with processes and people and client facing things they deal with the back end stuff and applications.
Julie Reynolds 19:25
Thank you also Beth if you’d like you aren’t able to share the results with everybody. So I don’t know if everyone on is curious about which methodology other folks on the line are using. But you can you can share the results if you want to.
Beth Frasure 19:42
I would love to do that. I just not sure how.
Julie Reynolds 19:44
So it should have a button on the same way that you ran the poll. Now that you’ve run it, it should give you an option to share results.
Beth Frasure 19:55
Oh, here we go. So um, looks like thank you very much, Julie. And I apologize. I’m still, I struggle with technology at times when it comes to which presentation system I’m using.
Beth Frasure 20:06
So as you can see, the majority are using HVA. I would love to hear the 30% that are using other, what methodology you’re using, because there’s so many out there, and I obviously can’t cover them all. And then we have 10% using the IT versus business unit, my personal favorite and 5% using Octave. That’s very impressive. The last time I gave this presentation, not very many people had heard of Octave. So for those who are using Octave, this is going to, now can you see my presentation?
Julie Reynolds 20:41
Let me see here. Nope, we are still looking at the poll results. You have to fully like exit the poll, and then we should go right back to your slides. There you go.
Beth Frasure 20:52
Thank you. Sorry about that, guys. So those that have used the Octave method, you’re familiar with this tree, I’m sure if you’re using this one, or you may be familiar with to the work pages that Octave Allegro uses. I was going through that switch when I left my previous firm. I’m going to go into this bigger.
Beth Frasure 21:19
Okay, perfect. So as you can see, I have a portion of the Octave method, but I wanted to go further into this because one of the things I noticed when I was explaining is not a lot of people have heard of the Octave method. This is an IT security risk methodology. So I reported to the head of IT risk, which took not only business continuity ITDR into consideration, but also the IT security, IT infrastructure as far as what their risks were, as well. So we wanted to find a risk assessment that accommodated both. So the way the Octave method works is it takes the critical asset, and again, this is obviously very asset based, takes the critical asset looks out whether it is a, and this is a small chunk of the Octave tree, there’s a huge chunk, this is only addressing network access. I believe if memory serves correctly, there’s four other that they look at but it takes in consideration, so we’re looking at the network access and then it decides is it an inside threat or outside threat? So is John and IT department in the IT department or the networking department upset? So he’s going around pulling out cords that he shouldn’t be pulling? Because he’s upset about the fact that he doesn’t have a stand up desk? Or is it somebody outside that has used some way to get into the system, whether they’re breaking in, whether they’re using social engineering, whatever the case may be, they’ve gone in there and have gotten into our networking closet that they aren’t supposed to get into. And they’re pulling out cords.
Beth Frasure 23:04
You know, the next thing they take into consideration was an accident. Did John go in there to fix a network connection and tripped over a cord and yanked out five of our servers now no longer have internet connection? Or is it deliberate, because he’s still mad about not having a standard desk? And then it goes into even further, whether you’re looking at was the resulting effect, was the outcome going to be disclosure? Our information is getting out there that shouldn’t be? Is it going to be modification where the information is being changed when it shouldn’t be? Or is it going to be a complete loss and destruction? Or is it just going to be a minor interruption, you know, him unplugging cords, that’s going to be a minor interruption in that example. But if he turned around and cut all the cords, well, that could potentially be identified as a loss or destruction. Or if he’s switching chords around so our firewalls are all messed up and the correct IP addresses aren’t listed, that would be a this, you know, a modification of the system. Or is he sending out our IP addresses out to all the bad hackers in the world and they’re going to come in and try to mess up, block our network and mess up our IP addresses? Because those are things to take in consideration. And that’s how Octave does it. Now this is a very thorough deep dive of doing a risk assessment. It’s 100% looking at every single asset and you’re not just looking at the asset, once you’re looking at it four different times there, you’re taking network access into it, you’re taking, you know, a server destruction in there, you’re taking human threats in there, they’re also taking into consideration if there’s some sort of hack there are quite a few different and that’s for one asset. So you’re reviewing this asset 100 times through different routes. And that’s the nice thing about the tree because it covers every single possible vulnerability that you may have. It makes you think about every little thing. But it’s extremely, Octave, it’s extremely time consuming. When I went through it, it was a lot to go through the assets. You know, we started off going with doing the Octave method on all the critical assets, and then we moved into all our urgent assets, and then our beneficial assets. Those are the criticality ratings that we used anyway, but we went through, and we looked at every single one of this, and we gave them a rating.
Beth Frasure 25:32
So next, we’re going to go into the, into the rating slide. So this is the risk methodology that we utilize, there’s definitely a lot out there. And mathematically, we kind of customized it where it was high, medium, or low. To simplify the process, we just stuck with high, medium or low and then we took into consideration what the likelihood was, we took in consideration with the impact of a consequence would be, but this is essentially obviously you can see there’s a lot more numbers on this, we did a nine by nine. But either one that you take, what this does is this risk matrix allows you to identify, how large of a risk is this asset? Or, if you decide to go with the event risk methodology, how likelihood is this risk? You know, obviously, in Montana, where I’m currently at, the likelihood of me getting a tsunami, is like nil. But the likelihood of me getting a snow storm is very high. So that would be an event that I need to prepare for. So we would turn around and do snowstorm almost certain. Well, but what’s the impact? The majority of the time, the impact of a snowstorm for us is significant but not it doesn’t shut us down. It’s definitely not severe, or major. Now, if we get like 20 feet of snow, which hasn’t happened in last 20 years, that would be extreme, but for the most part, the most common process is it could be a significant impact on us. Now you can break that out. And you can turn around and say, okay, you know, what’s the likelihood of a massive blizzard. If we’re doing an event, because seeing a snowstorm in Montana, we get snowstorms all the time, it’s not a big deal. But saying that it’s a massive event like a massive blizzard that’s going to shut everything down. Well, that’s a lot. It’s not rare. I would say it’s rare, we don’t really get too many blizzards here that shut us down just because our infrastructure as far as our power supplies and everything like that are all used to heavy snow. So it’s very rare that we get a blizzard, that’s going to be massive impact. So we would say you know, rare, but it would be severe. If we did get one it would be severe. So it’s definitely something you want to prepare for, you want to make sure people can work from home, because if they can’t get into the office, you want to make sure that you know our systems have that we have backups in the building so that way the servers need to be brought up that kind of thing. So that’s what you’re looking at.
Beth Frasure 28:14
Now one of the things that I’ve also see some company do is they take this risk matrix, and that’s what they use for the risk assessment. They give it a score, and then identify, going through the gap analysis, which is a whole other presentation on its own because the gap analysis can get really complicated. But you know, having that score allows you to look at how much effort and time do we need to put in that particular, whether it’s an asset or a process, or an event? How much effort do we need to put into to prepare for it? That’s the entire point of a risk assessment is you’re looking at how are we currently prepared? What do we currently have in place? What are are areas that are most important, whether you’re looking at event or an asset? What is the most important? What do we need to make sure it’s up immediately what can wait a couple of days, it’s gonna be a pain to play catch up, but what can wait a couple of days before we brought it back up? And once you’re able to identify and categorize and look at what you have, and what risks that the company has, then you work into the gap analysis and look at how you can either remedy that risk, reduce the risk or completely accept that, you know, it’s a risk that we have, we know what’s the risk that we have, but we’re willing to accept that. This is all building up and risk assessment all builds up to you. The end goal is to find out how do we make these risks either gone, mitigated or accepted. And that’s not something that business continuity department should be doing,that’s not something that the IT department should be doing. It should be a combined effort, the business units and the IT department should be looking at it together and really identifying because what IT finds important, the business unit is probably not going to find important, what IT doesn’t find important, the business unit is probably going to find important. So this is definitely one of the things, you want to make sure that you’re bringing those two together and really looking at what you have to the company, how it affects the company by not having it. What are you going to do to be able to make sure that these risks aren’t affecting your company severely. And that’s your biggest argument when you’re going up to the C suite. You want to make sure you’re looking at how critical a particular asset or an event is, how much should you be prepared. And this risk assessment allows you to have the data and the backup information that you need, or the supporting information that you need, to be able to ask for more money to get a software that will help you do this risk assessment because it is important. Most industries are requiring that a risk assessment is done. So that way you can be aware of what your risks are.
Veoci and Risk Assessments
Beth Frasure 31:09
So before I move into going a little bit over what Veoci is, and what we’re made of, does anybody have any questions right now? Risk assessment is a huge ball of wax to try to address in 45 minutes. So I know there’s probably things I have not covered. And I want to give you guys a chance to ask those questions that you may have on risk assessments, because it is so important.
Beth Frasure 31:31
I don’t see any questions as of now. So I’m gonna go into the Veoci risk assessments, but please don’t hesitate to put those in while I’m going through kind of Veoci, the software and going over those pieces of it. And I’m gonna say right up front, and Julie is gonna hate me for this. I’m not a salesperson. Business continuity is my thing. I don’t like doing sales, I am very much a how can I help you get your business continuity plan or your risk assessment or your ITDR or whatever the case may be up and running? But Veoci is a great software. The nice thing about Veoci is, as you can see,