Economic Value Chains - costing the impact of risk by "Colin Sandall - Senior Consultant for...
-
Upload
project-controls-expo -
Category
Presentations & Public Speaking
-
view
20 -
download
0
Transcript of Economic Value Chains - costing the impact of risk by "Colin Sandall - Senior Consultant for...
Copyright @ 2017. All rights reserved
Economic Value Chains ‐ costing the impact of risk
Project Controls Expo – 16th Nov 2017Emirates Stadium, London
Copyright @ 2017. All rights reserved
About the speakers
Peter Tart Operational Analyst with 20 years experience primarily within Defence. Specialises in Balance of Investment, option assessment methods and
benefits analysis. Development of bespoke cost capability trade methods.
Colin Sandall Operational Analyst with over 25 years’ experience in Defence. Costing experience includes cost‐benefit analysis on numerous projects
across a range of different domains. Inventor of Economic Value Chains.
Copyright @ 2017. All rights reserved
About the topic
Topic OutlineUnmitigated disruptive events have potentially catastrophic effects onbusinesses. Even where the aim of a cyber‐attack is not economic, theproject delays, cost of recovering capability and loss of reputation fromsuch attacks can cripple organisations.Many organisations do not understand the full scope and scale of potentialrecovery costs which makes it difficult to justify decisions relating toinvestment in cyber defences or improved project controls.
Copyright @ 2017. All rights reserved
NHS WannaCry attack 12th May 2017
WannaCry was the largest cyber attack to affect the NHS
The NHS was warned about the risks of cyber attacks a year before WannaCry
The attack led to disruption in at least 34% of trusts in England, although full extent unknown
Five trusts had to divert patients to accident and emergency departments further away
Organisations could have taken relatively simple action to protect themselves
Could have caused more disruption if it had not been stopped by a cyber researcher
The Department does not know howmuch the disruption to services cost the NHS
Thousands of appointments and operations were cancelled
Copyright @ 2017. All rights reserved
NAO’s view on NHS WannaCry attack
Organisations could have taken relatively simple action to protect themselves
The Department does not know howmuch the disruption to services cost the NHS
Cost of action
Cost of inaction
EVC is a novel technique to aid calculation of the cost of inaction and the cost benefit of action
Copyright @ 2017. All rights reserved
Risk sources Project inaction causes risk
Not having sufficient safeguards Not implementing in a timely manner
Project action causes risk Withdrawal of fall backs Introduction of new threat vectors
External changes introduce risk
Cyber vulnerabilities occur at organisational level
Cyber attack is an organisational risk
Project Project ProjectInter‐project period Inter‐project period
Copyright @ 2017. All rights reserved
Cyber attack consequence and mitigation
Quantifying the consequences A technique to identify and quantify effect on organisation History is illustrative – it isn’t necessarily a true reflection of the risk The cost of identifying non‐effects
Mitigation options Quantify the cost effect of mitigation Ordering and prioritisation of options and risks Determining cost benefit of cost of action and cost of inaction
Copyright @ 2017. All rights reserved
Economic Value Chains
Cyberattack
Confidentialitybreach
NAO report states this did notoccur
Loss of availability
Loss of data
Data corruption
Loss of capability
Copyright @ 2017. All rights reserved
Economic Value Chains
Cyberattack
Loss of data
Confidentialitybreach
Loss of availability
Data corruption
Medical systems
Patient data
Appointments
Controland admin
Billing
Payments
IT
Environmental
Power
Communication
Loss of capability
Retail POS functions unaffectedPrivate customer billing delayedbut not prevented
Supplier billing delayedbut not prevented
Copyright @ 2017. All rights reserved
Economic Value Chains
Cyberattack
Loss of data
Confidentialitybreach
Loss of availability
Data corruption
Medical systems
Patient data
Appointments
Controland admin
Billing
Payments
IT
Environmental
Power
Communication
Loss of capability
Retail POS functions unaffectedPrivate customer billing delayedbut not prevented
Supplier billing delayedbut not prevented
Copyright @ 2017. All rights reserved
Economic Value Chains
Incorrectdiagnosis
Cancelledappointments
Cancelledoperations
Dischargedelays
Divertedpatients
Quantity [+]
Cost of each [+]
Immediate effect [*] (2,800)Follow on
appointments (?)
Value of appointment
(£160)
Medical effect of delay (?)
Appts per day(700)
Days affected(4)al
on
Transport costs (?)
Copyright @ 2017. All rights reserved
Economic Value Chains
Incorrectdiagnosis
Canx appt(£448,000)
Cancelledoperations
Dischargedelays
Divertedpatients
Quantity [+] (2,800)
Cost of each [+] (£160)
Immediate effect [*] (2,800)Follow on
appointments (?)
Value of appointment
(£160)
Medical effect of delay (?)
Appts per day(700)
Days affected(4)
Transport costs (?)
al
on
Copyright @ 2017. All rights reserved
Economic Value Chains
Incorrectdiagnosis
Canx appt(£3.112M)
Cancelledoperations
Dischargedelays
Divertedpatients
Quantity [+] (19,494)
Cost of each [+] (£160)
Hospital immediate
effect (6,912)Hospital follow
on appt (12,582)
Value of appointment
(£160)
Medical effect of delay (?)
Transport costs (?)
al
on
GP appt (?) 595 practices
Copyright @ 2017. All rights reserved
Economic Value Chains
Proportion of overall cost
Copyright @ 2017. All rights reserved
EVC does not attempt to cost everything Only consider what changes as a result of an event Only cost where costs change Explicitly identify what is excluded (black nodes) with explanation Explicitly identify zero cost (white nodes) with explanation
The EVC tree is the mechanism for Capturing the causality chain Explaining the structure Gaining stakeholder buy‐in Defining the calculations – the diagram is the model Explaining the results
Economic Value Chains
Copyright @ 2017. All rights reserved
Mitigation options Quantify the cost effect of mitigation
Unplug diagnostic equipment: reduction in infection, but increase in downtime
Disconnect external firewall: reduction in infection, but increase in downtime and knock‐on effect to non‐infected trusts
Reduction in downtime by reduced infection Reduction in effect by detection / remediation procedures and
fall‐back Ordering and prioritisation of options and risks Determining cost and benefit of action vs the cost of inaction
Economic Value Chains
Copyright @ 2017. All rights reserved
Caution ! ‐ History is only illustrative WannaCry first detection Friday 12th May late morning. Blocked (by luck) evening of 12th. WannaCry very obvious, not all cyber attacks are. Not targeted at NHS. Infection occurred Friday, giving trusts times to react before Monday.
Trusts didn’t react to previous events Same trust which was infected in October 2016 infected by WannaCry. Patch issued by Microsoft March 2017. NHS Digital alerts 17th March and 28th April to install patch.
Economic Value Chains
Copyright @ 2017. All rights reserved
QinetiQ’s EVC technique is A thorough bottom‐up investigation of risk and cost Guided by the past, but not mislead by it Transparent, visual and easy to comprehend Quick to use, easy to extend detail as required Capable of capturing organisation / enterprise level risks Capable of calculating the effect of individual projects on these risks Capable of correctly evaluating response and non‐response to events Provides evidence for decision making
Economic Value Chains
Copyright @ 2017. All rights reserved
Questions ?
Economic Value Chains