Copyright @ 2017. All rights reserved

Economic Value Chains ‐ costing the impact of risk

Project Controls Expo – 16th Nov 2017Emirates Stadium, London 

Copyright @ 2017. All rights reserved

About the speakers

Peter Tart Operational Analyst with 20 years experience primarily within Defence. Specialises in Balance of Investment, option assessment methods and 

benefits analysis.  Development of bespoke cost capability trade methods.

Colin Sandall Operational Analyst with over 25 years’ experience in Defence. Costing experience includes cost‐benefit analysis on numerous projects 

across a range of different domains. Inventor of Economic Value Chains.

Copyright @ 2017. All rights reserved

About the topic

Topic OutlineUnmitigated disruptive events have potentially catastrophic effects onbusinesses. Even where the aim of a cyber‐attack is not economic, theproject delays, cost of recovering capability and loss of reputation fromsuch attacks can cripple organisations.Many organisations do not understand the full scope and scale of potentialrecovery costs which makes it difficult to justify decisions relating toinvestment in cyber defences or improved project controls.

Copyright @ 2017. All rights reserved

NHS WannaCry attack 12th May 2017

WannaCry was the largest cyber attack to affect the NHS

The NHS was warned about the risks of cyber attacks a year before WannaCry

The attack led to disruption in at least 34% of trusts in England, although full extent unknown

Five trusts had to divert patients to accident and emergency departments further away

Organisations could have taken relatively simple action to protect themselves

Could have caused more disruption if it had not been stopped by a cyber researcher

The Department does not know howmuch the disruption to services cost the NHS

Thousands of appointments and operations were cancelled

Copyright @ 2017. All rights reserved

NAO’s view on NHS WannaCry attack

Organisations could have taken relatively simple action to protect themselves

The Department does not know howmuch the disruption to services cost the NHS

Cost of action

Cost of inaction

EVC is a novel technique to aid calculation of the cost of inaction and the cost benefit of action

Copyright @ 2017. All rights reserved

Risk sources Project inaction causes risk

Not having sufficient safeguards Not implementing in a timely manner

Project action causes risk Withdrawal of fall backs Introduction of new threat vectors

External changes introduce risk

Cyber vulnerabilities occur at organisational level

Cyber attack is an organisational risk

Project Project ProjectInter‐project period Inter‐project period

Copyright @ 2017. All rights reserved

Cyber attack consequence and mitigation

Quantifying the consequences A technique to identify and quantify effect on organisation History is illustrative – it isn’t necessarily a true reflection of the risk The cost of identifying non‐effects

Mitigation options Quantify the cost effect of mitigation Ordering and prioritisation of options and risks Determining cost benefit of cost of action and cost of inaction

Copyright @ 2017. All rights reserved

Economic Value Chains

Cyberattack

Confidentialitybreach

NAO report states this did notoccur

Loss of availability

Loss of data

Data corruption

Loss of capability

Copyright @ 2017. All rights reserved

Economic Value Chains

Cyberattack

Loss of data

Confidentialitybreach

Loss of availability

Data corruption

Medical systems

Patient data

Appointments

Controland admin

Billing

Payments

IT

Environmental

Power

Communication

Loss of capability

Retail POS functions unaffectedPrivate customer billing delayedbut not prevented

Supplier billing delayedbut not prevented

Copyright @ 2017. All rights reserved

Economic Value Chains

Cyberattack

Loss of data

Confidentialitybreach

Loss of availability

Data corruption

Medical systems

Patient data

Appointments

Controland admin

Billing

Payments

IT

Environmental

Power

Communication

Loss of capability

Retail POS functions unaffectedPrivate customer billing delayedbut not prevented

Supplier billing delayedbut not prevented

Copyright @ 2017. All rights reserved

Economic Value Chains

Incorrectdiagnosis

Cancelledappointments

Cancelledoperations

Dischargedelays

Divertedpatients

Quantity [+]

Cost of each [+]

Immediate effect [*] (2,800)Follow on

appointments (?)

Value of appointment

(£160)

Medical effect of delay (?)

Appts per day(700)

Days affected(4)al

on

Transport costs (?)

Copyright @ 2017. All rights reserved

Economic Value Chains

Incorrectdiagnosis

Canx appt(£448,000)

Cancelledoperations

Dischargedelays

Divertedpatients

Quantity [+] (2,800)

Cost of each [+] (£160)

Immediate effect [*] (2,800)Follow on

appointments (?)

Value of appointment

(£160)

Medical effect of delay (?)

Appts per day(700)

Days affected(4)

Transport costs (?)

al

on

Copyright @ 2017. All rights reserved

Economic Value Chains

Incorrectdiagnosis

Canx appt(£3.112M)

Cancelledoperations

Dischargedelays

Divertedpatients

Quantity [+] (19,494)

Cost of each [+] (£160)

Hospital immediate

effect (6,912)Hospital follow

on appt (12,582)

Value of appointment

(£160)

Medical effect of delay (?)

Transport costs (?)

al

on

GP appt (?) 595 practices

Copyright @ 2017. All rights reserved

Economic Value Chains

Proportion of overall cost

Copyright @ 2017. All rights reserved

EVC does not attempt to cost everything Only consider what changes as a result of an event Only cost where costs change Explicitly identify what is excluded (black nodes) with explanation Explicitly identify zero cost (white nodes) with explanation

The EVC tree is the mechanism for Capturing the causality chain Explaining the structure Gaining stakeholder buy‐in Defining the calculations – the diagram is the model Explaining the results

Economic Value Chains

Copyright @ 2017. All rights reserved

Mitigation options Quantify the cost effect of mitigation

Unplug diagnostic equipment: reduction in infection, but increase in downtime

Disconnect external firewall: reduction in infection, but increase in downtime and knock‐on effect to non‐infected trusts

Reduction in downtime by reduced infection Reduction in effect by detection / remediation procedures and 

fall‐back Ordering and prioritisation of options and risks Determining cost and benefit of action vs the cost of inaction

Economic Value Chains

Copyright @ 2017. All rights reserved

Caution ! ‐ History is only illustrative WannaCry first detection Friday 12th May late morning. Blocked (by luck) evening of 12th. WannaCry very obvious, not all cyber attacks are. Not targeted at NHS. Infection occurred Friday, giving trusts times to react before Monday.

Trusts didn’t react to previous events Same trust which was infected in October 2016 infected by WannaCry. Patch issued by Microsoft March 2017. NHS Digital alerts 17th March and 28th April to install patch.

Economic Value Chains

Copyright @ 2017. All rights reserved

QinetiQ’s EVC technique is A thorough bottom‐up investigation of risk and cost Guided by the past, but not mislead by it Transparent, visual and easy to comprehend Quick to use, easy to extend detail as required Capable of capturing organisation / enterprise level risks Capable of calculating the effect of individual projects on these risks Capable of correctly evaluating response and non‐response to events Provides evidence for decision making

Economic Value Chains

Copyright @ 2017. All rights reserved

Questions ?

Economic Value Chains