Security Risk Management – Week 11 – Second Assignment – Individual Project - Executive Summary
Individual Project: Executive Summary
This week, students were preparing for the submission of the second graded assignment, the ‘Individual Project: Executive Summary’, which built on the first assignment from week 6. In this assignment, students were required to enumerate the potential risks to the quality and supply chain of the Pampered Pets enterprise, which has decided to become fully digitalized and expand its operations worldwide. This included recommendations on the likelihood of certain events occurring, obtained by applying a Monte Carlo simulation, and a recommended BCDR plan.
Assignment
The OCTAVE-S methodology, which is recommended for smaller businesses, was introduced in the previous risk identification report and applied to the Pampered Pets enterprise to identify and prioritize security risks across its phases and to provide recommendations on how to manage those risks. It has three phases: build asset-based threat profiles, identify infrastructure vulnerabilities, and develop a security strategy and plans. Applying this methodology to Pampered Pets highlighted the likelihood of each risk and the corresponding mitigation strategies. The process of identifying a risk, evaluating it, and taking the necessary action to lower it to a manageable level is known as risk management, also referred to as Enterprise Risk Management (ERM). Risk is the overall detrimental effect of a vulnerability being exploited, considering both the likelihood and the severity of the event. The definition of risk management, the best way to apply it, and the results it may provide are topics of much debate, with many methodologies available. To provide a globally recognized standard for applying risk management concepts, the International Organization for Standardization (ISO) released standard 31000 in 2009, which defines risk as the effect of “uncertainty on objectives” (AIRMIC, 2010). For any enterprise, whether small, medium or large, it is important to identify risks based on organizational needs and requirements. In a perfect world, managers would recognize every negative scenario that may arise and create a backup plan for each. In the real world, however, risk is uncertain and comes in many forms. Mitroff and Alpaslan (2003) categorized emergencies and crises into three categories: natural disasters, malicious activities, and systemic failures of human systems.
These may be tested and evaluated by gathering data and information through qualitative or quantitative methodologies, which encompass a wide range of research approaches and techniques but share knowledge collection as their main goal. Qualitative research focuses primarily on data sources such as images, diaries, films, questionnaires, and interviews. Quantitative analysis, on the other hand, uses numerical data to define, forecast, or explain the variables of interest (National University, 2023). For Pampered Pets, the start of a full digitalization process creates an international supply chain and a number of automated warehouses worldwide. This could bring challenges to the operation of the business supply chain while endangering both the quality and the availability of the company’s products. Supply chain risks fall into many categories, which can be grouped as internal and external. To enumerate the potential risks to the quality and supply chain of the company, the Monte Carlo methodology is proposed. This is a mathematical technique that predicts the possible outcomes of an uncertain event (AWS, 2024). The methodology is proposed because it provides the probability of different outcomes in a process that cannot easily be predicted, such as the risk categories above. When using a Monte Carlo simulation, a variable whose value is uncertain, for example “Cyber Attacks”, is assigned a random value. The model is then run and a result is produced. This process is repeated many times while giving the variable under consideration a wide range of values. After the simulation runs, the outcomes are averaged to produce an estimate. For the purpose of this report, 10 000 simulations were completed for a selection of different scenarios to create a probable outcome.
The Green column below lists the various risks that could be attributed to Pampered Pets. The Yellow column holds random values (RANDBETWEEN), which generate a random value within a set range. For Pampered Pets, statistics were drawn from a selection of data websites and the random range was set with 1 as the lowest value and the statistic itself as the highest. The Blue column is the value in the Yellow column divided by 365 (Yellow / 365 = Blue), which gives a daily value. The total of the Blue column, 1.260273973, was applied to the Random Probability data table using a ‘What If’ analysis to simulate 10 000 probabilities. Looking at the figures above for the internal risk factors, the minimum probability, or likelihood, of the events occurring varies around 24%. External risks naturally pose a slightly higher likelihood, at 33%, as these events may arise from external factors, for example natural disasters or wars, which the business cannot control internally.
Whether the risk probability is internal or external, one thing both have in common is the supplier base. Diversifying suppliers and creating contingency supplier plans is a common strategy for controlling and mitigating supply chain risks. This can be done by conducting supplier assessments of existing and potential suppliers to ensure they meet quality, capacity and financial requirements. It also involves fostering and maintaining supplier relationships, which open up discussion of arising issues and disruptions and a collaborative effort to mitigate them, as well as having back-up supplier alternatives, transportation routes and safety stock (GetRiskManager, n.d.). By applying these methods, Pampered Pets can ensure that inventory and stock are maintained accordingly, on-time deliveries are completed with alternative transportation routes available, quality maintains its current standard while meeting customer demand, and product substitutions are available with multiple suppliers on standby. When setting supplier agreements, it is important to consider risk-sharing agreements: contracts between suppliers and companies that specify how risk and reward will be shared throughout the supply chain. Defining each party’s roles and responsibilities in the agreement helps to ensure that everyone is aware of their responsibilities and of how risk and reward will be shared, and it also helps with insurance policies (GetRiskManager, n.d.). Some of the other risk categories can be addressed further in an integrated business continuity and disaster recovery plan, which is discussed below.
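The spreadsheet procedure described above (RANDBETWEEN between 1 and a statistic, division by 365 for a daily rate, summing the daily rates, and repeating 10 000 times) can be reproduced in code. The block below is an added example written for this page, not the report's spreadsheet or its data: the risk names and annual ceilings are constructed, and the step that turns a daily event rate into a probability of at least one event on a given day (1 - e^-λ, a Poisson assumption) is an assumption added here, not something the report's 'What If' table states.

```python
"""Monte Carlo estimate of daily supply-chain risk exposure (added example)."""
import math
import random
import statistics
from typing import Dict, List

# Constructed annual-ceiling figures (events per year); NOT the report's statistics.
INTERNAL_RISKS: Dict[str, int] = {
    "Cyber attacks": 52,
    "Warehouse automation failure": 24,
    "Staff shortage": 12,
    "Quality defect batch": 6,
}
EXTERNAL_RISKS: Dict[str, int] = {
    "Natural disaster": 10,
    "Supplier insolvency": 4,
    "Transport disruption": 40,
    "Geopolitical conflict": 3,
}


def daily_rate(annual_ceiling: int, rng: random.Random) -> float:
    """RANDBETWEEN(1, ceiling) / 365: one uncertain annual count expressed per day."""
    return rng.randint(1, annual_ceiling) / 365.0


def one_trial(risks: Dict[str, int], rng: random.Random) -> float:
    """Sum of the daily rates of every risk for a single random draw (the 'Blue' total)."""
    return sum(daily_rate(ceiling, rng) for ceiling in risks.values())


def simulate(risks: Dict[str, int], trials: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Repeat the draw `trials` times and summarise the spread of outcomes.

    The seed makes the run reproducible; change it to see a different sample.
    """
    rng = random.Random(seed)
    totals: List[float] = [one_trial(risks, rng) for _ in range(trials)]
    # Assumption (not from the report): events arrive at rate lam per day, so the
    # probability of at least one event on a given day is 1 - exp(-lam).
    p_any = sorted(1.0 - math.exp(-lam) for lam in totals)
    return {
        "mean_daily_rate": statistics.fmean(totals),
        "p_event_mean": statistics.fmean(p_any),
        "p_event_min": p_any[0],
        "p_event_p5": p_any[int(0.05 * trials)],
        "p_event_p95": p_any[int(0.95 * trials)],
        "p_event_max": p_any[-1],
    }


if __name__ == "__main__":
    for label, risks in (("internal", INTERNAL_RISKS), ("external", EXTERNAL_RISKS)):
        result = simulate(risks)
        print(f"{label}: P(at least one event per day) "
              f"mean={result['p_event_mean']:.3f} "
              f"5th-95th pct={result['p_event_p5']:.3f}-{result['p_event_p95']:.3f}")
```

Reporting the 5th and 95th percentiles alongside the mean is the point of running many trials: a single averaged figure hides how wide the plausible range is, and it is the upper tail that a continuity plan has to absorb.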
Although the above risk percentages pose no immediate risk to implementing the fully digitalized environment, one can never be certain of risk in modern environments. That is why having a business continuity and disaster recovery solution is no longer a luxury but a necessity. Protecting data is critical to the survival of any company, no matter its size, growth stage or line of business (Andrade et al., 2017). Therefore, a business continuity (BC) and disaster recovery (DR) plan, together referred to as a BCDR plan, is highly recommended.
Business continuity and disaster recovery (BCDR) helps organizations resume regular business activities in the event of a disaster. Despite their close relationship, business continuity (BC) is the more proactive approach, aiming to maintain operations before, during and after a disaster, while disaster recovery (DR) is more reactive, focusing on critical processes and roles, mostly in recovery after the disaster. Both processes focus on two important components:
- Recovery Time Objective (RTO) describes how long it takes to resume business operations following an unforeseen event. This is the first and most important step an enterprise should consider when creating its disaster recovery plan.
- Recovery Point Objective (RPO) is the quantity of data a business can tolerate losing and still recover from a disaster. Given that many modern businesses consider data protection essential, some regularly replicate data to a different data center to provide continuity in the event of a significant breach. By setting an RPO of a few minutes or even hours, an organization knows it can restore company data from a backup system and recover whatever was lost during that period (Flinders and Smalley, 2023).
For Pampered Pets, the online shop needs to be available 24/7/365 with a changeover window of less than one minute should DR need to be invoked, as the business cannot afford to lose more than 1 minute of data. For this, Disaster Recovery as a Service (DRaaS) is recommended: a type of cloud computing that allows for a full recovery in the cloud, safeguarding an application or data from a natural disaster, cyber-attack or service interruption. When considering a DRaaS solution there are many vendors and types to choose from, but they all share the same options: ‘Self-service’, where the solution is purchased and managed locally by the company, which requires experienced IT staff to implement and maintain it and may add costs; ‘Assisted’, where certain parts of the organization are managed by the DRaaS provider and others by the organization; and fully ‘Managed’, where the cloud provider takes full responsibility for disaster recovery (Cloudian, n.d.). For Pampered Pets, it is recommended to use a ‘Managed’ cloud solution such as Microsoft Azure, a well-established cloud platform used worldwide and named an industry leader in 2019 by Gartner. It enables replication frequencies as low as 30 seconds and can be adapted to meet the RPO and RTO goals unique to an organization. The RTO can be decreased further by integrating automation runbooks with both Traffic Manager and the recovery plans Pampered Pets requires. Disaster recovery is also a requirement under the GDPR, Section 32(1), so all companies handling customer data should have an adequate DR solution that can restore both the availability of and access to personal data. By taking this approach, the company integrates its disaster recovery solution into a platform that maintains a robust cyber security protection regime as well as other important global and regional privacy standards, such as ISO/IEC 27018 and 27001, EU-U.S. Privacy Shield, EU Model Clauses, PCI-DSS, HIPAA/HITECH, and HITRUST (Azure, 2018). This approach also addresses the customer data, cyber-attack and legal compliance risks that need to be considered as per the internal/external risk assessment above. Regardless of which solution is implemented, it is important to establish whether the DR provider is a data processor or a data controller, so that there is a clear indication of who is responsible for what and no confusion should a breach occur.
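The RTO and RPO targets above (a changeover of under one minute and no more than one minute of data loss) can be checked against a candidate configuration before it is bought, because a 30-second replication frequency on its own does not guarantee the RTO: detection, any human decision step, the failover itself and the time for client traffic to follow the redirected endpoint all add up. The block below is an added example written for this page, not code from the report, from Microsoft, or from any DRaaS vendor; the decomposition of RTO and RPO into these components and every timing in `CANDIDATES` are constructed assumptions.

```python
"""Checking candidate DR configurations against RTO/RPO targets (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DrOption:
    name: str
    replication_interval_s: int  # seconds between replication cycles to the DR site
    replication_lag_s: int       # worst-case delay before a replicated copy is consistent
    detection_s: int             # monitoring delay before the outage is confirmed
    failover_s: int              # time for the runbook to bring the secondary site live
    redirect_s: int              # time for clients to follow the new endpoint (DNS TTL, probe interval)
    automated: bool              # True when runbooks trigger failover without a human decision


# Constructed assumption: roughly five minutes for a person to notice and approve a manual failover.
HUMAN_DECISION_S = 300


def worst_case_rpo_s(opt: DrOption) -> int:
    """Most data that can be lost, in seconds of writes: the newest consistent replica
    may be one full replication interval plus the replication lag behind production."""
    return opt.replication_interval_s + opt.replication_lag_s


def worst_case_rto_s(opt: DrOption) -> int:
    """Time from outage to customers being served again, summed over every step."""
    decision = 0 if opt.automated else HUMAN_DECISION_S
    return opt.detection_s + decision + opt.failover_s + opt.redirect_s


def assess(opt: DrOption, rto_target_s: int, rpo_target_s: int) -> Dict[str, object]:
    """Compare one option with the targets and report which objective it misses."""
    rto = worst_case_rto_s(opt)
    rpo = worst_case_rpo_s(opt)
    return {
        "name": opt.name,
        "rto_s": rto,
        "rpo_s": rpo,
        "meets_rto": rto <= rto_target_s,
        "meets_rpo": rpo <= rpo_target_s,
        "meets_both": rto <= rto_target_s and rpo <= rpo_target_s,
    }


def shortlist(options: List[DrOption], rto_target_s: int = 60, rpo_target_s: int = 60) -> List[str]:
    """Names of the options that satisfy both targets, lowest worst-case RTO first."""
    passing = [r for r in (assess(o, rto_target_s, rpo_target_s) for o in options) if r["meets_both"]]
    return [r["name"] for r in sorted(passing, key=lambda r: (r["rto_s"], r["rpo_s"]))]


# Constructed candidate configurations. The 30 s replication interval is the figure quoted
# above for Azure; every other number here is an illustrative assumption.
CANDIDATES: List[DrOption] = [
    DrOption("Self-service, manual runbook", 30, 5, 30, 120, 60, automated=False),
    DrOption("Managed, automated, 60 s DNS TTL", 30, 5, 10, 20, 60, automated=True),
    DrOption("Managed, automated, 10 s endpoint probe", 30, 5, 10, 20, 10, automated=True),
]

if __name__ == "__main__":
    for option in CANDIDATES:
        result = assess(option, rto_target_s=60, rpo_target_s=60)
        print(f"{result['name']}: RTO {result['rto_s']} s, RPO {result['rpo_s']} s, "
              f"meets both: {result['meets_both']}")
    print("Shortlist:", shortlist(CANDIDATES))
```

Running it shows the point made in the text about Traffic Manager and automation runbooks: the two managed options replicate identically, so both meet the RPO, but only the one whose traffic redirection completes within seconds meets a sub-minute RTO, and the manual runbook option misses it by a wide margin regardless of replication frequency.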
Although there are many steps to risk management, especially when it comes to the supply chain, the most important aspect is to identify assets. Regardless of the size of an enterprise, and although the specific risks and their consequences may change, having a plan is essential. The risk types that have the greatest influence on the performance and goals of the organization should be considered when customizing this approach. These values may vary over time, but they should always be connected to particular risk management objectives. This will ensure business continuity and protect the company’s reputation.
References:
SoftTech Tutorials (2021). Excel Monte Carlo Simulation. [online] Available from: https://www.youtube.com/watch?v=9egrU3hOnY8. [Accessed 30 March 2024].
support.microsoft.com. (n.d.). Introduction to Monte Carlo simulation in Excel. [online] Available from: https://support.microsoft.com/en-us/office/introduction-to-monte-carlo-simulation-in-excel-64c0ba99-752a-4fa8-bbd3-4450d8db16f1. [Accessed 30 March 2024].
Ali, M. (2024). CFBLOG. Supply Chain Statistics: Key Insights and Trends for 2023. [online] Available from: https://cashflowinventory.com/blog/supply-chain-statistics/. [Accessed 30 March 2024].
Mitroff, I.I. and Alpaslan, M.C. (2003). Preparing for evil. Harvard Business Review 81:4, 109–115. In: Enterprise Risk Management Models. Springer Texts in Business and Economics. Springer, Berlin, Heidelberg. Available from: https://doi-org.uniessexlib.idm.oclc.org/10.1007/978-3-662-60608-7_1 [Accessed 30 March 2024].
Ionita, D. (2013) Current Established Risk Assessment Methodologies and Tools. Available from: https://doi.org/10.13140/RG.2.2.32981.01769. [Accessed 30 March 2024]
Stoneburner, G., Feringa, A. and Goguen, A. (2002). SP 800-30. Risk management guide for information technology systems. Washington, Dc U.S. Available from: https://dl.acm.org/doi/pdf/10.5555/2206240 [Accessed 30 March 2024]
AIRMIC (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. Available from: https://www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf.
National University (2023). What Is Qualitative vs. Quantitative Study? [online] National University. Available from: https://www.nu.edu/blog/qualitative-vs-quantitative-study/#:~:text=While%20both%20share%20the%20primary. [Accessed 31 March 2024]
Amazon Web Services, Inc. (n.d.). What is The Monte Carlo Simulation? - The Monte Carlo Simulation Explained - AWS. [online] Available from: https://aws.amazon.com/what-is/monte-carlo-simulation/#:~:text=The%20Monte%20Carlo%20simulation%20is%20a%20probabilistic%20model%20that%20can. [Accessed 31 March 2024]
Andrade, E., Nogueira, B., Matos, R., Callou, G. and Maciel, P. (2017). Availability modeling and analysis of a disaster-recovery-as-a-service solution. Computing, 99(10), pp.929–954. Available from: doi: https://doi.org/10.1007/s00607-017-0539-8. [Accessed 03 April 2024]
Petrosyan, A. (2022). Quarterly Online Data Breaches 2022. [online] Statista. Available from: https://www.statista.com/statistics/1307426/number-of-data-breaches-worldwide/. [Accessed 05 April 2024]
Rudden, J. (2024). Cost of natural disaster losses worldwide 2000-2020. [online] Available from: https://www.statista.com/statistics/612561/natural-disaster-losses-cost-worldwide-by-type-of-loss/. [Accessed 08 April 2024]
Munich RE (n.d.). Record thunderstorm losses and deadly earthquakes: the natural disasters of 2023 | Munich Re. [online] Available from: https://www.munichre.com/en/company/media-relations/media-information-and-corporate-news/media-information/2024/natural-disaster-figures-2023.html#:~:text=2023%20natural%20disasters%20in%20figures [Accessed 07 April 2024].
Institute for Government (2021). Supply chain problems. [online] Institute for Government. Available from: https://www.instituteforgovernment.org.uk/explainer/supply-chain-problems. [Accessed 09 April 2024].
EM-DAT, CRED / UCLouvain (2023). Our World in Data. “Global reported natural disasters by type”. Available from: https://ourworldindata.org/grapher/natural-disasters-by-type [Accessed 10 April 2024].
GetRiskManager (n.d.). Supply Chain Risks: How To Best Control and Mitigate Uncertainties. [online] Available from: https://getriskmanager.com/supply-chain-risk-management-uncertainties/. [Accessed 14 April 2024].
Flinders, M. and Smalley, I. (2023). What Is Business Continuity Disaster Recovery? | IBM. [online] www.ibm.com. Available from: https://www.ibm.com/topics/business-continuity-disaster-recovery. [Accessed 14 April 2024].
SkyFlow (2023). How to Achieve Global Data Privacy Compliance in 2023 - Skyflow. [online] Available from: https://www.skyflow.com/post/how-to-achieve-global-data-privacy-compliance. [Accessed 14 April 2024].
Acronis. (2024). What is Disaster Recovery as a Service (DraaS)? [2024]. [online] Available from: https://www.acronis.com/en-gb/blog/posts/draas/ [Accessed 14 April 2024].
Cloudian. (n.d.). Disaster Recovery as a Service (DRaaS): Why, Where and How. [online] Available from: https://cloudian.com/guides/disaster-recovery/disaster-recovery-as-a-service-draas-why-where-and-how/. [Accessed 14 April 2024].
azure.microsoft.com. (2018). Protecting privacy in Microsoft Azure: GDPR, Azure Policy Updates. [online] Available from: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/. [Accessed 14 April 2024].
Direct, C. (2017). GDPR compliance: is your Disaster Recovery provider putting you at risk? [online] www.clouddirect.net. Available from: https://www.clouddirect.net/gdpr-compliance-is-your-disaster-recovery-provider-putting-you-at-risk/ [Accessed 14 April 2024].