Role of the Board in IT Governance & Cyber Security – Steve Howse

Post on 15-Aug-2015

72 views

Category:

Business


0 download

TRANSCRIPT

I.T. Strategy, Risk Management & Governance

Steve Howse, C.Dir.

President, Millington & Associates Inc.

[email protected]

President, Millington & Associates Inc.
• Facilitator, Strategist, Communications & PR, I.T. Assessments & Risk Mitigation, Governance
• 16 years Corporate Leadership

Forum Chair, MacKay CEO Forums
• The CEO peer learning group partnered with Canada’s Best Managed Companies.

Adjunct Professor, DeGroote School of Business, McMaster University
• Strategy, B2B Marketing, International Business
• Executive Education – Sales Leadership, Strategic Planning, Crisis Management
• The Director’s College – IT Strategy, Corporate Reputation Management

Professional Speaker
• Conferences, Corporate Events, Sales Rallies

Board Appointments
• Numerous For Profit and NFP Boards

What is IT Strategy & Governance

• Assure IT assets are leveraged effectively

• Understand the risk & rewards, therefore making informed choices

• Understand IT capacity & capability and assess alignment with organizational goals and objectives

• Appropriate exposure and discussion at the board level

• Measurement and course correction

June 12, 2015: Cyber attacks raid small firms too: City's NoMoreClipboard a victim

• Store your medical records in one place online, be able to update them from your own home when needed and, more importantly, be able to share them with a physician or other health care group before you get to a doctor’s office or emergency room.

• But what happened last month to the NoMoreClipboard network – as well as the network for the Fort Wayne medical software company behind it – is also the latest in a growing trend plaguing the health care industry as a whole:

• They were hacked.

• People’s names, addresses, dates of birth and Social Security numbers as well as other information were all vulnerable for nearly three weeks in May until officials with Medical Informatics Engineering – the parent company of NoMoreClipboard – discovered the hack.

Why is IT Governance Important?

• Target: Credit Card information

– Target spent $61 million through Feb. 1 responding to the breach, according to its fourth-quarter report to investors.

– Target’s profit for the holiday shopping period fell 46 percent

• Others in 2014: K-Mart, Home Depot, Dairy Queen & Goodwill

• Bell Mobility – Billing

• TJX (Winners / HomeSense) – hacker stole client info including credit cards

TJX

• What are the key learnings?

• What could have been done differently?

Carol Meyrowitz, President and Chief Executive Officer of The TJX Companies, stated:

"From the inception of our Company, our customers have always come first. We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system”.

• Estimated costs to TJX related to this settlement were reflected as part of the $107 million (after tax) reserve for estimated potential losses…

• Future non-cash charges of $21 million (after tax) anticipated to be taken in fiscal 2009.

May 8, 2013: Nearly 70% of Canadian businesses hit by cyber attacks, says year-long survey

• Over a one-year period, 69 per cent of Canadian businesses said they experienced some type of cyber attack

• Dubbed the Study of the Impact of Cyber Crime on Businesses in Canada, the survey followed 520 small, medium and large Canadian businesses over the course of one year and tracked how their bottom line was affected by cyber crime.

• "About a quarter (26 per cent) of those interviewed say that attacks had a considerable impact on their business both in terms of financial loss and reputational damage with financial fraud being the biggest threat," the report states.

Take A Moment – Once Around The Room

• List 3 concerns you have about IT strategy & Risk

1.

2.

3.

Areas to Address

Strategic Issues

1. Strategy and Planning

2. Technology Trends

3. Performance

4. Personnel

Internal Control Issues

5. Governance

Risk Issues

6. Risk and Controls

7. Personal Information and Privacy

8. E- Business

9. Availability

10. Legal Issues

The Bart Study

• The questions are a good idea

• Those who use them have higher performance

• Some questions are over-asked

• Only 40ish percent use them

• Everyone uses them after a problem

Going to the Gym

• Everyone believes exercise is a good idea

• Exercise leads to physical and mental wellness

• Doing one exercise over and over will have little result

• Most people can’t find the time to go

• Everyone takes care of their health after a scare

Bring the 20 questions to meetings – process makes you SMART

Strategic Issues

I Strategy & Planning

1. Does management have:

– A plan that is monitored and updated
– A link to the annual and long-term budget
– A basis for project prioritization

II Technology Trends

2. Does management have:

– Procedures to investigate trends
– Assessed them in efforts to better position the company

Strategic cont’d

III Performance

3. Does the IT department have:

– Key Performance Indicators in place
– Monitoring & benchmarking against industry standards

4. Is the same in place for 3rd Party Providers?

– Annual report cards, penalty clauses

IV Personnel

5-6. Does management have processes that:

– Identify required skills
– Attract, develop and retain key personnel

Internal Control Issues

V Governance

7. Has the Board:

– Created an IT subcommittee (OR)

– Assigned 1 member

- Investment in, processes & use of IT

8. Has Management:

– Assigned IT corp. governance to sufficient senior management

– Communicated IT policies to personnel

9. What compliance policies are in place

– SOX, CSA

Risk Issues

VI Risk & Controls

10. Does risk assessment occur for:

– Internal systems and processes
– Outsourced services & third party communications
– Any other services
– HOW ARE THE RESULTS ACTED UPON

11. How does management ensure data integrity in regard to:

– Relevance, completeness, accuracy & timeliness
– Appropriate use

12. How often are systems audited for:

– Risk mitigation
– Controls in place for major business processes

How big is your dog?

Let’s take a deeper look into Risk Management at the board level

Risk cont’d

VII Personal Information Privacy

13. Is an individual assigned to Privacy:

– Policy, legislation and compliance

14. Are personal-information protection laws identified and complied with?

VIII E-Business

15. Is there a review of risks and controls for E-Biz transactions?

16. What protection (internal & external) is in place to protect against financial loss or embarrassment?

Risk cont’d

IX Availability

17. What availability policies are in place for systems and data?

18. Does the organization understand:

– The impact of service interruptions
– The need for business continuance / disaster recovery
– Whether Business Continuance Plans (BCP) are tested and improved regularly

X Legal Issues

19. Has management considered and addressed:

– Software, hardware, service agreements & copyright laws

20. Have the above policies been disseminated to all personnel?

Top Risks of 2014

• Overreliance on one security monitoring software
• Technology innovations that outpace security
• Outdated operating systems
• Lack of encryption
• Data on user-owned mobile devices
• Lack of management support
• Challenges recruiting and retaining qualified IT staff
• Segregation of duties

What can we do?

• The Millington Way – be vulnerable
– Be open about what you don’t understand

• Bring the 20 question books with you to board meetings
– Submit the 20 questions as an agenda item
– Assign to a committee for a report/assessment based on the 20 questions
– Review the report by committee (audit/risk)
– Submit the report to the board for approval
– Add to the Internal Audit reporting process

• Dedicate 1 Board member or form an IT Committee or a Risk Committee
– Qualifications: works for a tech company; former CIO, risk expert, sits on other boards

• Ensure the CTO / CIO reports to the CEO and not the CFO
– Not a budget-controlled area
– The CEO needs a strong understanding

• Invite the CTO to joint strategy sessions
– Ask for a risk assessment of the strategic plan

• Benchmark the IT knowledge of the Board as it relates to the company
– As it relates to your industry

• Ensure Business Continuance plans are in place and tested regularly
– Including a Crisis Communications Plan

• Ensure Internal Audit measures IT
– Both internal and external systems
– Consider a Chief Risk Officer

• Complete an assessment of your vulnerabilities
– The board can hire a firm to attack the system

Questions & Discussions?

Steve Howse, Millington & Associates Inc., [email protected]
