Several years ago, executives at Eastman Kodak wanted to create a new set of guidelines to help with overall company risk management. The company had existing guidance, but it was not aligned with overall business goals, explained Bruce Jones, the company’s global IT security manager, speaking at the recent RSA conference in San Francisco.
Another problem with the former risk framework was that it focused heavily on IT security-related risk, said Jones, who led the new framework’s development. But IT risk is just one of many significant corporate risk areas ranging from operations to compliance to earnings and revenue.
In developing the new program, Jones involved representatives from many business units both to get input and to get buy-in. He also wanted to create a program that “facilitated discussion of risk throughout the company,” Jones explained. The framework could serve as a way for the company to communicate about risk.
Another overarching goal was to create a framework, or matrix, that graphically depicts, through a computer interface, a wide array of possible risks, the probability that each might occur, and the potential damage each could cause the organization. Eventually, Kodak would create a new risk dashboard, helping executives view the ways certain threats might negatively affect the company and under what circumstances.
Risks discussed ranged from malware infections to insider threats to data breaches to damage to Kodak’s brand image. Executives also discussed the value of certain assets and data and how this might affect risk. One issue was how to protect personally identifiable information (PII), such as Social Security numbers, birth dates, and addresses. The discussion also involved how to mitigate certain losses if they did occur.
The dashboard tool would allow executives to place risk factors into a three-tiered risk system—a core element of the new framework. The third tier represents the most severe risk, and the first tier the lowest. Typically, any risk falling into the top two tiers would require some form of remediation. Tier-three risks would be considered acceptable overall.
The tiered system can also give executives an approximate risk score. This score can then be fed into another main component of the framework, a series of statistical analysis charts. After placing scores into the charts, executives can see how they develop over time as other risk factors and circumstances change, said Jones. This contrasted with Kodak’s previous framework, which concentrated on a single static risk score for certain events.