
Critical success factors include focusing on not only those initiatives that are directly related to profits, but also the ones that are related to reducing risks and preventing chaos in a crisis - by avoiding the pitfalls of catastrophe.

TECHNOLOGY & SECURITY RISK SERVICES

The Art of Crisis Management: A Portal Based Approach
And Responding To Worms & Viruses Effectively

In our previous issue of Spotlight on Business, John Ho Chi discussed the issues and needs for crisis management in "The Art of Crisis Management: The Technology Enabled Approach". With new and unexpected crisis situations appearing, there is definitely more to crisis management now than we had ever experienced in even the most severe crises of the past. The dimensions and stakes are now greater than ever. This issue: John describes the framework for a crisis management portal.

A potential crisis or threat is sometimes never treated with the same degree of care and trepidation until it strikes home, or near home. Recent catastrophic events such as the blackout in the US and the SoBig.F virus have increased awareness of the need for good crisis management. The need for it is not a question of "good to have" or "nice to have", as it can make the difference between bad or worse. The United States saw the biggest blackout in the nation's history, which affected its northeastern region. Cities like New York ground to a halt as businesses failed to continue and connectivity, wireless and wired, failed.

Spotlight on Business

Early reports indicated that there were problems prior to the outage, including strange voltage fluctuations in the Midwest power grid hours before its transmission lines failed. Indicators and warnings were also given to but perhaps, were not taken seriously on time.

The blackout that affected eight states, which started on Thursday, 14 August 2003 and lingered till Saturday, is estimated to have cost hundreds of millions of dollars. The explosive growth of the mobile phone industry had apparently been the cause of the situation where wireless signals interfered with the emergency radio frequencies used by the police and fire fighters, according to public safety agencies. This in turn has affected rescue efforts in emergencies where the radio of rescue personnel went dead due to overcrowding.

On the cyberfront, the SoBig.F virus spread from unsuspecting computers when users opened email file attachments with familiar headings such as "Thank You" and "Re: Details". Once opened, the SoBig.F virus used the infected computer to re-send itself to the next wave of victims, and signed the email with a random name and address using the computer's address book.


The virus, which originated from a sex-oriented Internet discussion group, spread to hundreds and thousands of computers and sent out millions of virus-infected emails, causing massive traffic congestion problems for companies' network systems. Computer administrators scrambled to identify the source of the problem, and email, which is depended heavily upon, was suspended for outbound and inbound traffic.

So what sort of a tragedy, and how many, will it take for companies to start thinking about how they would respond to a disruptive event? And what lessons can we learn from them?

FRAMEWORK FOR A CRISIS MANAGEMENT PORTAL

The development of a crisis management plan can be enabled with the use of technology, using a portal based approach that can support the drafting and build-up of the knowledge, plans, assessment and monitoring of the effectiveness of the plans when it needs to be deployed. The framework can be divided into three stages:

- The Before Stage, which focuses on the organisation preparing itself for a crisis, evaluating the potential type of crisis, taking into account the probability, setting up a loss event system, and the mechanisms for: anticipation (key risk indicators), diagnosis (self assessment), development of plans (strategy and development), training and awareness (information database).
- The During Stage, which is concerned with the deployment of plans (plan repository, database) based on the crisis encountered, command centre reporting, and resuming to normal as quickly as possible. This calls for intensive coordination, communication, reaction and monitoring.
- The After Stage, which will focus on the assessment of the impact, damage and future prevention; and if possible with earlier anticipation, analysis, learning from the mistakes and update of the loss/near miss into the loss event system.

DEVELOPING A LOSS EVENT DATABASE

A definition from a paper prepared by the Risk Management Group of the Basel Committee defines operational risk as: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." According to the paper, it is important to note that this definition is based on the underlying causes of operational risk. It seeks to identify why a loss happened and at the broadest level includes the breakdown by four causes: people, processes, systems and external factors.

As such, processes will need to be put in place for the collection and analysis of loss data. Depending on the nature of a company's activities, the industry and the landscape in which it operates, there does not exist today an industry standard for collecting and analysing operational loss data. And it is only when such loss data is collected and stored in a manner that will facilitate analysis, can we then design the Key Risk Indicators (KRIs) and Control Self Assessment Program. In this way, the future, and respectively future events, become less unexpected, unknown and unpredictable.


DEVELOPING THE PLAN IN THE BEFORE STAGE

The use of technology for collating information in the development of plans offers several advantages. For one, it allows users a single point of access to submit the information in pre-defined templates with explanatory notes to assist them in understanding the required information to be entered. Depending on the need, process and dependencies can also be linked so that the full picture can be seen.

Having stored them in electronic form, the same single point of access will also facilitate the search for information through a menu structure tailored for the organisation, resulting in faster access to information. In peace time, the simulation testing of the plans will allow users to be familiar with the framework, and its use allows for flexibility of access and refinement of the specifications needed to support the crisis.

Millions of virus-infected emails causing massive traffic congestion problems for companies' network systems sent computer administrators scrambling to identify the source of the problem.

USING THE PORTAL IN THE DURING AND AFTER STAGE

When a crisis is met, the contact management database will allow the Crisis Management Team to identify the points of contact for activation, as well as the steps to be followed based on the scenarios planned. Multiple tasks from an occurrence, through response and recovery, can be guided from the plans stored in the portal, which can be accessed via a connected link.

- Standard Operating Procedures (SOPs) integrate with emergency plans, provide real-time modification or additions to SOPs as conditions warrant, and automatically log procedure status to completion;
- Emergency contact list mentioned earlier also provides a log of both training and certifications of staff and other organisations' personnel who, when assigned, are recorded automatically in the incident log;
- Dashboard technology can be incorporated to create a briefing tool, showing key indicators of the real-time response capabilities of the organisation in both tabular and graphical formats.

IN CONCLUSION

At the end of the day, the goal of the portal is not to save money, but to allow a more effective and efficient channel to maintain the crisis management plan, relevant information, and preventive monitoring mechanisms with the availability of a command centre reporting when needed.

Regardless of the source of crisis (a natural phenomenon, human activity or inactivity), and no matter what type it is (destructive or not; sudden, emerging or stable), it goes through several stages. According to the experts, the number of those stages differs, ranging between three and five. But the former are unanimous in that crisis management involves all procedures, initiatives and activities carried out before, during and after the crisis event. However, in the final analysis, it is the board of directors who must effect policies to ensure that the company is acting responsibly, and is suitably prepared to deal with crises. Critical success factors will require investment in the people with the right capabilities, and deployment through the enterprise to ensure its sustainability. This includes focusing on, not only the initiatives that are directly related to profits, but also those that are related to reducing risks and preventing chaos in a crisis - by avoiding the pitfalls of catastrophe.

John Ho Chi (email: john.ho-chi@sg.ey.com) is a Principal of Ernst & Young Technology & Security Risk Services.
