Kodak Develops Risk Framework
Several years ago, executives at Eastman Kodak wanted to create a new set of guidelines to help with overall company risk management. The company had existing guidance, but it was not aligned with overall business goals, explained Bruce Jones, the company’s global IT security manager, speaking at the recent RSA conference in San Francisco.
Another problem with the former risk framework was that it focused heavily on IT security-related risk, said Jones, who led the new framework’s development. But IT risk is just one of many significant corporate risk areas ranging from operations to compliance to earnings and revenue.
In developing the new program, Jones involved representatives from many business units both to get input and to get buy-in. He also wanted to create a program that “facilitated discussion of risk throughout the company,” Jones explained. The framework could serve as a way for the company to communicate about risk.
Another overarching goal was to create a framework, or matrix, graphically depicting via computer interface a wide array of possible risks, the probability that they might occur, and the potential damage they could cause the organization. Eventually, Kodak would create a new risk dashboard, helping executives view potential ways certain threats might negatively affect the company and under what circumstances.
Risks discussed ranged from malware infections to insider threats to data breaches to damage to Kodak’s brand image. Executives also discussed the value of certain assets and data and how this might affect risk. One issue was how to protect personally identifiable information (PII), such as Social Security numbers, birth dates, and addresses. The discussion also involved how to mitigate certain losses if they did occur.
The dashboard tool would allow executives to place risk factors into a three-tiered risk system—a core element of the new framework. The third tier represents the most severe risk, and the first tier the lowest. Typically, any risk falling into the top two tiers would require some form of remediation. Tier-three risks would be considered acceptable overall.
The tiered system can also give executives an approximate risk score. This score can then be put into another main component of the framework, a series of statistical analysis charts. After placing scores into charts, executives can see how they develop over time as other risk factors and circumstances change, said Jones. This contrasted with Kodak’s previous framework, which concentrated on a single static risk score for certain events.
This ongoing visual representation of risk helped security show results to management. After the new three-tier system was implemented, the company witnessed a significant increase in malware infections on servers located in some regions of the world where it did business, said Jones. Over several months, the company upgraded many of the affected servers. The analytical charts were able to show the decreasing infection levels and the overall lowering of corporate risk, he said. These graphs could be shown to managers, many of whom were familiar with the charts and the tier system.
Another major difference between the old framework and the new one has been the executive approval process, said Jones. Compared to the old system, many more executives who work in risk-related areas are now involved in the process of approving decisions.
The new system also involves a more tiered system of approval, depending on the level of risk. In any decision involving PII, for example, the head of the relevant business unit must give approval. For tier-three risk involving PII, however, signatures are required from senior executives, including the company’s chief information officer and chief security officer, the organization’s privacy officer, a corporate director, and Jones as well as the relevant business unit head. The multitude of signatures is based largely on the overall financial risks involved, he said. The tiered system of authorization also helps reduce the company’s workload, because lower risk decisions can involve the approval of fewer people.
Jones said that in his experience, many organizations are able to measure certain types of risk, but few have a framework geared towards assessing risk in the context of overall business objectives. “One thing you need to ask yourself is if you currently have a standard way to manage risk,” he said.
Companies without a comprehensive framework might want to “start small.” Developing a holistic, bottom-up system, he said, can sometimes evolve into a solution more tailored to a company’s unique