Innovation, Agility and Resilience - DNA of the fittest!

Strategy, AI, Digital transformation, Operational Resilience, Cyber Security, Process automation, Risk management and Compliance are your focus domains for value creation. AI-supported disruption and geopolitical uncertainty are the new reality. Agile organizations see all of that as opportunities. People, Processes and Planet are changing at a faster pace than at any time before. Sustainability, Artificial Intelligence and new business models are shaping the future. Without efficient utilization of "Digital", most businesses are at risk. Quick fix, systematic transformation or independent sparring partner to the CX team - your call. We provide tailored Advisory Services for your Sustainable Growth.

AREM

DORA Q&A update 01

RTS published and sent to EU Commission:

  • JC 2023 83 – RTS on criteria for the classification of ICT-related incidents
  • JC 2023 84 – RTS on the policy on ICT services supporting critical or important functions provided by ICT third-party service providers
  • JC 2023 85 – Implementing Technical Standards (ITS) to establish the templates for the register of information
  • JC 2023 86 – RTS on ICT risk management framework and on simplified ICT risk management framework

  • JC 2023 83 – Final Report on draft RTS on classification of major incidents and significant cyber threats
  • JC 2023 84 – Final report on draft RTS to specify the policy on ICT services supporting critical or important functions
  • JC 2023 85 – Final report on draft ITS on Register of Information
  • JC 2023 86 – Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework

The deadline for the Final Report and the submission of the other draft RTS to the European Commission is 17th July 2024. The RTS listed below are still under construction:

  • Joint draft RTS specifying elements related to threat led penetration tests – EBA link
  • Joint Technical Standards on major incident reporting – EBA link
  • Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions – EBA link
  • Joint Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities – EBA link

Final deadline for compliance:

Jan 17 2025

Digital Resilience

Digital Resilience and Cyber Resilience are terms we often hear in boardrooms from executives, and in meetings with regulators and government officials.

But what is it really? While there are some definitions out there, we wrote our own for Digital Resilience.

Digital resilience is the ability of an entity (organization, corporation, state, country) to continue its mission and deliver value even when under cyber attack or under the influence of a disruptive, digitally enabled business model, through agile and effective use of its resources to:

  • anticipate successful cyber attacks and disruptions
  • anticipate disruptive business models based on ICT
  • prepare for key scenarios relevant to digital resilience
  • build and improve resilient digital business models
  • build and improve resilient enterprise and ICT architecture
  • understand and continuously test and improve all building blocks of the enterprise and ICT architecture.

Source: Renato Burazer, CISA, CISM, CRISC, CGEIT, CISSP, Managing Partner, AREM

Cyber Security Risk Management

What is a cyber security risk assessment?

What is the value of a cyber security risk assessment?

Who should carry out a cyber security risk assessment?

Which framework is best for you for cyber security risk management?

How often should an organisation perform a cyber security risk assessment?

How to conduct a cyber security risk assessment?

What should be the result of a cyber security risk assessment?

Please contact us and we will be happy to help you at all levels of cyber security mastery.

IT Governance – how to do it right?

We can say that IT Governance is just one piece of the puzzle within Corporate Governance.

But how important a part is it? And how to do it right?

What are the factors influencing the need to focus on raising IT Governance maturity?

During a recent diagnostic project we were asked to identify opportunities for improvement in an organization that was continuously missing deadlines for tasks supporting its strategic objectives. As such, strategy execution was, at least from the timeline perspective, at risk.

Key challenges we identified were:

  • Strong influence of external environment on priorities.
  • Individual plans and tasks not connected with the strategic plans and projects.
  • Poor visibility or unreliable indicators (performance, risk …).
  • Obsolete and not fit-for-purpose service, task and project management platforms.
  • Low morale, burnout signs within IT and some other functions.
  • Bad scores in measuring organizational climate, no systematic focus on organizational culture.
  • IT Strategy not formalized.
  • Mission and Vision of the IT teams not clear.

It was clear that the organization was falling behind because the key success factors that would allow it to follow its strategic objectives in a more sustainable way were not there.

How to fix this?

Simple answer – do the IT Governance right.

There is no recipe to fix it once and for all. This is a journey that lasts as long as the organization is alive.

Need support? Let us know and we will put you on track and keep you there!

Continuous Audit – why and how to implement it?

The challenges of auditing complex information systems, compliance requirements and pressure from regulators have resulted in a trend and a need for ongoing, regular and integrated auditing of organizations. Information technology is present in every organisation; for many it is the core pillar of the current business model and is seen as the enabler of sustainable business strategies and transformations.

The number of transactions and the impact of late detection of problems in the domains of management, risk or compliance demand a modern, integrated approach to auditing information systems.

  • What is the best approach and solution for integrated GRC management (Governance, Risk, Compliance) in SAP environments?
  • How to best understand and implement controls monitoring and auditing?
  • How to execute and improve continuous audit?

We will be happy to help.

How mature is your business and ICT? Is your ICT a new business model “enabler” or is it holding you back? Does it have the potential to shine?

Mature and successful organisations have proven that they have done something right in the PAST. They may have been lucky to be in the right industry at the right time with the product and the business model that worked.

Can we expect that good business results in the past are a guarantee for the pole position in the future?

Financial Audit industry has evolved around this dilemma and is providing some assurance that financial statements can be trusted. Annual reports and quarterly disclosures can provide additional information to relevant stakeholders or public.

Regulated industries and listed companies are under increased scrutiny year by year as the world is trying to ensure investor confidence and trust in financial markets.

Still, not all tough questions are answered in those disclosures and annual reports. Why not?

There are many reasons and answers specific to individual organisation and case, however we can identify at least one common denominator – organisations are safeguarding some information – to preserve value.

A deep dive in organisation’s internal affairs is normal during the “mating process” – due diligence review.

If the financial, tax and compliance due diligence were the most important sources of information for setting the price for the company in the past, companies today are very dependent on their digital maturity.

It is critical to understand and assess ICT and digital business model maturity.

Big and regulated organisations:

Yes, it is true that some of that information comes from internal audit reports; however, internal audit functions are in many cases understaffed, and they are seen not as robust business advisors but rather as internal control specialists who have not been exposed to many other environments. Most small organisations and start-ups do not have internal audit functions at all.

A true business advisor or consultant is in a position to bring value because of regular and frequent exposure to various environments, industries, geographies, methodologies, research and, in the end, many good and not so good practices as well.

In many cases we complement internal audit functions by performing specific assurance or independent advisory tasks within and under the umbrella of the internal audit function. We firmly believe that organisations that take this co-sourcing approach are better positioned to identify unused potential and improve the maturity of the ICT and digital business models.

Small and Medium Enterprises:

How to assess the ICT and digital business model maturity of small and medium sized organizations?

SMEs may become potential new unicorns or investor nightmares. The level of uncertainty is even higher since most SMEs and start-ups do not have internal audit functions.

We provide independent professional services for SMEs, usually starting with initial diagnostic reviews. We assess the maturity of the following domains:

  • Technology,
  • Processes,
  • People,
  • Digital business models value.

Detailed due diligence reviews can go down to the level of detail where, if needed, we bring in specific technology or industry experts to perform deep dive assessments.

We help our clients to:

  • Better understand the existing maturity of the ICT and digital business model, its risks, gaps and potential value;
  • Develop a vision and strategy for the ICT and digital business models;
  • Anticipate and resolve obstacles in the maturity improvement journey by coaching, providing independent quality assurance support, or executing specific deep dive project tasks to help the projects remain on the critical path.

Information Security – How to do it right? What a Board Member needs to know…

Businesses, governments and individuals – we are all reminded daily of our dependence on information.

We must protect the value of some information because we have classified it as Confidential and allow only trusted parties to access it. In this case we focus on Confidentiality.

We must protect some information from unwanted or undetected change to ensure its Integrity, because corrupted or altered information could result in risk or loss in business terms, or even loss of life in health care environments.

We want to ensure information is available to us when we need it. In this case we focus on Availability. Organizations have Business Continuity and Disaster Recovery Plans in place, prepared on the basis of a Business Impact Assessment (BIA) in which they express their business needs as a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO).

As noted above, CIA – Confidentiality, Integrity and Availability – are the attributes of information that we typically use to address information security needs.

All of the above is more or less clear to information security professionals and even to the general public; however, there are still significant differences in the maturity of organizations when implementing Information Security Governance and Enterprise Risk Management.

These are some of our recent observations from working on Information Security or Risk Management consulting and Audit engagements:

  • Organizations are addressing mostly Availability but are neglecting Integrity and some also Confidentiality.
  • Internal Information Security Professionals are overwhelmed with Information Security related events – at least those who have SIEM systems in place and can detect events at all.
  • However, there are organisations which “don’t know that they don’t know” and may be exposed or already exploited.
  • The Board is not aware of true health of Information Security. There is lack of robust and consistent Information Security performance reporting.
  • There is lack of trust between Information Security professionals and the Board since Information Security Governance is not mature enough.
  • Information Technology Architecture is rapidly changing, however, it is poorly documented and as such does not provide the basis for the robust Information Asset Management which is an essential element of Information Security Management.
  • How can we protect or secure something if we don’t even know what Information Assets we have, where they are and how important they are for the organization?
  • Vulnerability management is slow and inefficient.
  • There are still unsupported and obsolete systems in use which are known to pose a risk because they have known vulnerabilities.
  • Organizations are engaging managed security service providers; however, they are not always able to control their quality and performance.
  • System Admins have many tools and control mechanisms at their disposal; however, they do not have the time or knowledge to implement them.
  • There is high pressure from information security software and systems vendors on organizations, as well as rapidly changing value propositions, licensing options and business models. Without a robust IT Strategy and regular IT Architecture Scenario analysis it is very likely that vendors will have the upper hand.
  • Only some organizations are executing all Cyber Security Scenarios beyond tabletop walkthrough exercises.
  • Exit strategies are addressed formally (in regulated environments only) before entering into an agreement, as part of the risk assessment process; however, exit strategies are mostly forgotten and not tested during the course of the cooperation.

This was just a sample we wanted to share, but the list goes on and on.

So where do we go from here?

Every organization is unique; however, there are common Enterprise Risk and Information Security denominators related to Governance and Management. We didn’t comment on Enterprise Risk Management above; however, it is linked to Information Security.

We will be happy to help you diagnose and improve the maturity of your Enterprise Risk and Information Security efforts, or work with you on continuously raising the bar on the never ending journey to a resilient, sustainable and agile organisation.

New reality 202X: Corona = Fast digital transformation

Very few people could have imagined the scenario that we are living in today in light of the Corona virus. This is why not only corporations but also governments were taken by surprise.

Lack of simple hardware – disinfection materials, masks and ventilators – cost us lives.

Lack of fast and bold decisions resulted in very high pressure on the health care system.

One area where we didn’t fail, and the area that allowed us to carry on, is digital resilience.

The speed of adoption of digital solutions in all areas of human communication, data access and personal identification that we witnessed during March and April 2020 was outstanding. Even the most “rusty” co-workers who resisted the use of information technology are now on board and surfing on the wave of the new discovery. We are witnessing a rapid mental and operational shift demonstrating to us all how easy it actually is to work and communicate using modern digital communication and productivity tools.

It is very true that big corporations with operations in different geographies and time zones were used to this “normal”; however, self-isolation was all new for local businesses, schools, teachers, students and many governments. To survive they had to catch up! And they did. Most of the businesses that can operate remotely are operational – they switched to alternative communication channels very fast.

Many were not that lucky, simply because their business model relies on human and not digital interaction. Can or will the pubs, cafes, clubs, restaurants, hotels and hair salons … shift to digital? Probably not.

What can we learn from this crisis:

“Digital” can save lives, but we cannot neglect the very basic “hardware” that is helping us survive: food, water, medical protection and detection facilities, and smooth operation of the critical infrastructure.

Accelerated use of “digital”, and in many cases “digital debt”, became a window of opportunity for cyber crime and cyber criminals who are targeting systems and users with both simple and very sophisticated attacks.

We are sailing in the same boat and our planet is not so big after all. It took only a few weeks for us to learn that the virus knows no borders.

What was left was global, regional, country, company and personal crisis and risk management.

Organisations and governments have readjusted their strategic objectives based on the lessons learned from this crisis.

There are so many conflicting forces in this game and limited resources – as always. If not before, now is the time for risk management functions to excel to ensure resilient operation and the future!

We would be happy to work with your teams on the diagnostics or realignment of your risk management practices and your resiliency programs.

Client focus

“Digital transformation” was for the last few years, or still is, the buzzword that “for profit” organizations could not neglect. New job titles and positions were created, and there was a slight shift of “internal power” in favour of the initiatives and programs that were delivering platforms that could enable digital transformation.

Only the best organizations are making an extra effort to evaluate the quality of these initiatives.

Why would this step be important?

As with any hype, the speed of change and the variety of business models in different organisations mean that one size does not fit all.

Are you squeezing the maximum value out of your data?

What are the additional opportunities and risks?

Is your governance model fit for your digitally transformed organisation?

How well will your change management program roadmap take advantage of Artificial Intelligence?