Modern Systems are More Complex than Ever
If you mapped the systems your company uses, would you know where they were most vulnerable? As companies integrate technology and software into day to day operations, data becomes more valuable to hackers. Your internal controls may not be doing enough to secure your assets. This leads to fraud, waste, and abuse, costing your company in lost revenue and productivity. According to a study by KCRP, 61% of fraud and misconduct resulted from weaknesses in internal controls that allowed the acts to go undetected.
Ensure strong systems and better controls. Conduct a system analysis!
What is a System Analysis?
A system analysis, sometimes called a fault tree, helps map out processes and shows the possible results of an undesired event. It can be applied to almost any complex systems within your company. Most importantly, a thorough review allows your team uncover risks, anticipate events, and take action.
How is it Used?
If you think of a system analysis like a tree, a top undesired event is the trunk, the intermediate events are the branches, and the basic events are the leaves. The events connect to one another using and/or logic. These analyses can be drawn on a white board or created with software. Invite your whole team to participate in its creation. Include employees on all levels and departments to view the undesired event from multiple perspectives.
Step 1: Top Undesired Event
The top undesired event is your main concern. Fill the first box with a specific, measurable result of system failure. Let’s use a data breach as an example.
Step 2: Connect Events
Work backward from the resulting event to determine an intermediate event. In this case, the data breach could be caused by three possible events. Use “or” to connect the top event to the intermediate event. Additionally, you may use "and" if all the events are related. In the graphic, the symbol between the the top desired event and the intermediate events stands for "and." The symbol between the intermediate events and the basic events stands for "or." Both can be used at any point in your analysis, depending on the event.
Step 3: Intermediate Events
Ask yourself, what are some possible causes that made this event occur? These are your intermediate events. By using the data breach example, we could say:
- Employee clicked a phishing email by mistake.
- Malware was installed on the company system.
- Company data was stolen.
Step 4: Connect Events
As in step two, these intermediate events connect with basic events. These are the actions that led to the intermediate events.
Step 5: Basic Events
Basic events are the lowest level of the chart. Each intermediate event can have as many branches as necessary. In this section, look at potential risks for each event. Break each event down further. For example:
- Intermediate Event: Employee clicked a phishing email by mistake.
- The email was spoofed and not caught by spam filter.
- Employee did not receive proper training.
- Intermediate Event: Malware was installed on the company system.
- A firewall failed to block the software.
- A third-party associated with the company was hacked.
- Too many employees have access to the system.
- Intermediate Event: Company data was stolen.
- Malware went undetected in the system for over 24 hours.
- A report did not receive a follow-up because of a vacancy in the IT department.
At each of these steps, identify which area needs improved or changed, then use this analysis as a guideline on how to respond to each issue. Do your employees need more training? Do you need to limit access to your systems to only those who need to use it? Are your vendors in compliance with your contract terms? Where are the gaps that cause risk?
In sum, a System Analysis is the first step to increase transparency and put the right safeguards in place to improve your risk identification. Click here to download a PDF of this article.