
Chapter 7
Monitoring Process and Risk

Vigilance. Pay close and continuous attention to what is going on to help spot glitches or differences before they become serious problems. The tone from the top sets the mood and environment.

Simulating a process prior to its becoming operational or “in production” and then determining potential risk could help prevent process and control failures. Monitoring an existing process is the logical next step to identify or detect current failures and allow the organization to fix its problems before they recur or become worse. This requires vigilance by every employee in every department. To do it right, every employee should understand how to identify existing or potential control deficiencies.

Ongoing monitoring of business processes is an essential component of an operational risk management (ORM) framework. Only through active involvement of the business in a continuous review of process and risk can corporations embed ORM into their operations. A review of some past cases will help demonstrate the importance of such continuous review.

Keep Your Company Safe

Fleeing from unfortunate circumstances in the Ukraine, two brothers, Max and Morris Feldberg, immigrated to Massachusetts in the early 1900s and in 1956 opened the first Zayre self-service discount store, which later expanded as a discount store chain throughout the United States. In the early 1970s, the company started the TJ Maxx store chain, and in the 1980s, the company started the BJ’s Wholesale Club store chain. Later, the company purchased the Home Club chain. In 1988, Zayre merged with another discount department store chain, called Ames, and changed the name of the combined retail discount store corporation to TJX. [1]

TJX Companies, Inc. has its corporate offices in Framingham, Massachusetts, operating numerous discount store chains, such as Marshalls, TJ Maxx, and Home Goods, in the United States, Canada, and Europe. On January 17, 2007, the corporation announced that it was a victim of an unauthorized computer system intrusion. In other words, someone hacked into their system. After extensive investigation into the matter, TJX announced on March 29, 2007, that over 45 million credit card and debit card numbers (plus an unknown number of driver’s license and other personal identification data) were stolen from its systems over a period of about 18 months, making this the largest ever such event. [2]

Who was at fault? Clearly, the hackers are the villains and should be caught and prosecuted. Yet, hacking is not new. Everyone who has heard of the Internet has heard of computer hacking. A countless number of movies are made every year where penetrating into the Internet, a government system, or a corporate computer application is a part of the plot or even the main story line. Every year, we see incredible technological advances in the use and misuse of computer systems. Both sides are moving ahead strongly. The “good guys” are building and buying new tools every year to protect systems in governments and corporations. The “bad guys” who want to steal information or bring down corporate and government systems are able to build and buy new tools every year that help them continue to attack systems in governments and corporations.

The cunning criminals could not have succeeded if TJX had installed available technological protections, such as encrypting or masking the data. Such technology would have cost the company a significant amount of money. Indeed, since the breach, TJX management has finally installed the protections it could have implemented sooner. Yet, by avoiding those costs earlier, TJX lost much more later: as of August 2007, TJX reported booking over $250 million in charges due to this breach, while lawsuits adding up to much more than that amount have been filed against the firm. [3] Regardless of the final outcome of these suits and the amount of money this incident will cost TJX, it is clear that the cost of this cleanup in real dollars and in reputation impact far exceeds what the initial cost of monitoring and preventive measures would have been. Just one month later, the privacy commissioner of Canada issued a report of findings after investigating the TJX security breach and concluded, “TJX had a duty to monitor its systems vigorously,” and if it had, “then TJX should have been aware of an intrusion prior to December 2006.” [4]

It is no secret that information security risk exists in every business that uses technology. Computer hackers could steal important information or insert a computer virus that could bring a corporation’s system to a standstill and prevent business