
Economic and financial security of the enterprise. Information support of the financial security of the enterprise

Enterprise financial security management system

The concept of a systematic combination of control, planning, feedback and information support functions is at the heart of ensuring the financial security of an enterprise.

When developing and creating a financial security management subsystem, it is advisable to comply with the following requirements: it must function continuously; must be well planned; within the institution, not only the functional independence of this subsystem should be ensured, but also its integration into the overall enterprise management system.

The subsystem of controlling the financial security of an enterprise should solve the following tasks: control over the performance of its functions by other financial security systems of the enterprise; determining the causes and extent of the crisis, as well as the results to be achieved as part of the implementation of anti-crisis measures; comparison of achieved results with expected indicators; determination of the degree of deviation of actual financial results from the planned ones; control over the development of operational decisions to normalize the financial activities of the enterprise; assessment of the effectiveness of measures to neutralize the crisis; monitoring the implementation of financial management tasks; ensuring the exchange of information flows between the key subsystems of the financial security management of the enterprise.

The planning process for ensuring financial security includes: assessment of threats to economic security that are of a political and legal nature; assessment of the current level of financial security; assessment of the effectiveness of preventing possible damage from negative impacts; planning a set of measures to ensure financial security and developing recommendations for its implementation; budget planning for the practical implementation of the proposed set of measures; corporate resource planning; operational implementation of planned actions in the process of financial and economic activities of the enterprise.

The main purpose of the financial security analysis subsystem is to provide timely information about possible problem areas in the operation of the enterprise and to assess the degree of threat they pose. In general, we propose to formulate the main tasks of the enterprise financial security management subsystems as follows:

  1. Determining the priority financial interests of the enterprise and ensuring their adjustment, if necessary.
  2. Creation of an effective mechanism for ensuring the financial security of the enterprise, conditions for prompt response to threats, their timely detection.
  3. Forecasting trends leading to disruption of the normal functioning of the financial system of the enterprise and its development.
  4. Establishing the causes and conditions that cause financial damage and threaten the realization of the financial interests of the enterprise, disruption of the normal functioning of its financial system.
  5. Timely identification and elimination of threats to the financial security of the enterprise, reducing risks in its financial activities.
  6. Ensuring the interest of management and staff in the effective financial activities of the enterprise.
  7. Ensuring the conformity of the defined mission and financial strategy of the enterprise with the totality of its priority interests.
  8. Ensuring the balance of the financial interests of individual departments and personnel with the priority financial interests of the enterprise as a whole.
  9. Creation of conditions for the maximum possible compensation or localization of damage caused by illegal actions of legal entities or individuals.
  10. Carrying out a set of measures to verify the business partners of the enterprise.

So, in our opinion, the financial security management system of an enterprise should be a complex of interrelated balanced solutions both in the field of ensuring the protection of the financial interests of the enterprise and in managing its financial activities. The management system must take into account alternative ways to ensure the security of the enterprise, and the choice of a specific project must comply with the financial strategy and specific financial policy of the enterprise.

Financial security is a concept that includes a set of measures, methods and means to protect the economic interests of the state at the macro level, and of corporate structures and the financial activities of business entities at the micro level.

The concept of financial security is as broad as its interpretation as an economic category. To date, there is no single, well-established definition of the concept of "financial security". The available formulations reflect only certain aspects of financial security and cannot claim to be its unambiguous and exclusive interpretation. Financial security as a definition is considered from different angles, in particular:

  • from the standpoint of the resource-functional approach, financial security is the protection of the financial interests of business entities at all levels; security of households, enterprises, organizations and institutions, regions, industries, sectors of the state economy, sufficient to meet their needs and fulfill their respective obligations;
  • from the point of view of statics, financial security is such a state of the monetary, currency, budgetary, investment, customs tariff and stock systems, characterized by balance, resistance to internal and external negative influences, the ability to prevent external financial expansion, ensure the effective functioning of the national economic systems and economic growth;
  • in the context of legal regulation, financial security provides for the creation of such conditions for the functioning of the financial system, under which, firstly, it is virtually impossible to direct financial flows to areas of their use that are not fixed by legislative acts and, secondly, the possibility of abusing financial resources is reduced to a minimum.

Thus, from the point of view of a multifaceted approach, financial security is the protection of financial interests at all levels of financial relations; a certain level of independence and stability of the country's financial system under the influence of external and internal destabilizing factors that constitute a threat to financial security; the ability of the state's financial system to ensure the effective functioning of the national economic system and sustainable.

At the macro level, financial security is the ability of the state in peacetime and in emergency situations to adequately respond to internal and external negative financial impacts.

Financial security reflects the state and readiness of the financial system of the state for timely and reliable financial support of economic needs in amounts sufficient to maintain the necessary level of economic and military security of the country. Financial security is achieved by activities in the financial sector and related areas: monetary, economic, social, international financial, etc. Therefore, the concept and strategy of financial security should be reflected in the concept and state strategy of economic security, in economic, budgetary, etc.

The financial security strategy must also ensure that the core national security objectives are met.

The main goals and objectives of ensuring financial security, both for the state and the company:

  • determination of factors influencing financial and production activities, their formalization;
  • building a system of restrictions that eliminate unintentional and deliberate impact.

Creating a financial security system is a heuristic process that consists in solving multi-criteria tasks that require the participation of highly qualified specialists in various fields. For companies, the development of a financial security strategy is part of a development strategy, through which its leaders solve two of the most important tasks that constitute a trade secret: the development of new and (or) modernization of existing methods for promoting products and services in commodity and financial markets, allowing it to optimize the receipt and distribution of cash and cash equivalents, taking into account a balanced distribution of various risks and ways to cover them, the search for an optimal corporate capital structure; building in a market environment characterized by a high degree of uncertainty and increased risk.

The most important aspect in solving the problem of ensuring the financial security of the company is to build the optimal structure of its capital based on generally accepted coefficients, which allows you to optimize the company's debt management and methods for attracting additional financial resources to. The main problem in implementing the company's financial security concept is the lack of proven and standardized ways to cover various types of risks, as well as the formalization and description of the structure of the risks themselves.

As a system, financial security also includes a set of tasks to eliminate conflicts of interest between financial market infrastructure entities at the state level and company divisions at the corporate level. Among the proven methods and means of eliminating conflicts of interest are a clearly structured document flow and control over its observance; strict distribution of access rights of various subjects and divisions to information; a hierarchy of powers; and the establishment of conditional barriers, the so-called "Chinese walls", with the help of which employees of various business entities and their divisions with the potential for a conflict of interest are separated in time and space.

A separate problem is protecting data transferred over local, distributed or global networks from accidental or intentional modification, destruction, disclosure, and unauthorized use. The system of measures taken should be transparent: the introduction of security mechanisms should not disrupt the normal operation of the entire system; delays in the data transfer process introduced by security software and hardware should be minimal; transmission reliability should not be reduced either. At the same time, the security devices themselves must be protected from unauthorized access. Tools and technologies for protecting computer networks (firewalls, defense in depth, etc.) have been developed.

To protect databases, the following are used:

  • backup, which protects data and programs from errors, damage and deletion during failures and various kinds of failures that occur in the system or network;
  • ensuring confidentiality through the use of various technical and mathematical methods, in particular, cryptography, which ensures the secrecy of programs and data that are stored in systems or transmitted over a network;
  • registration of subscribers (users) who have the right to access certain programs and data, which makes it possible to authenticate them.

The process of ensuring the safety, integrity and reliability of data processing and storage is understood as a single data protection process. In a number of highly developed countries, specialized standards are being developed for data protection. For example, the United States has approved the "Privacy Enhanced Mail" standard, which is used to encrypt information for both commercial and non-commercial purposes and to render documents unrecognizable.

To provide a legal framework, a number of countries have passed relevant laws. For example, in the United States since 1974, the Secrecy Act has been in force, which determines the rules for storing data. Subsequently, in addition to it, the following was adopted: the Law on the Secrecy of Financial Transactions (1978), which restricts access to banking transactions, including for state organizations; the Records Retention Act (1978), requiring users to be notified when a third party gains access to their records; Electronic Communications Act (1986), prohibiting the interception of data transmitted over a communications network.

The concept of data security is being developed by the National Computer Security Center (NCSC), where the main work on standards in this area is concentrated.

The financial security of an enterprise is the state of its protection from the negative impact of external and internal threats, destabilizing factors, which ensures the sustainable implementation of the main commercial interests and goals of the statutory activities.

According to I.A. Blank, the essence of the financial security of an enterprise lies in the ability of an enterprise to independently develop and implement a financial strategy in accordance with the goals of the overall corporate strategy, in an uncertain and competitive environment. The main condition for the financial security of an enterprise is the ability to withstand existing and emerging dangers and threats that seek to cause financial damage to the enterprise, undesirably change its capital structure, or forcibly liquidate the enterprise. To ensure this condition, the enterprise must maintain financial stability and balance, and ensure sufficient financial independence and flexibility in making financial decisions.

Financial stability and financial security of an enterprise are inextricably linked, mutually influence and complement each other. Speaking figuratively, we can say that they are two sides of the same coin. Financial stability is a necessary but not sufficient condition for the financial security of an enterprise. However, if the condition that an enterprise with financial security also has financial stability is true, then the converse will not be true.

Consequently, ensuring financial security can only be based on the financially sustainable development of an enterprise in which conditions have been created for the implementation of such a financial mechanism that is able to adapt to changing conditions of the internal and external environment. With this approach to the financial stability of an enterprise, the levels of financial stability are of particular importance, since not an absolute, but a rational level of financial stability is important for the financial security of an enterprise.

Thus, the need for constant monitoring of financial security is predetermined by the objective need of each business entity to ensure stable functioning and achieve business goals.

The level of financial security of an enterprise depends on how effectively its management and specialists (managers) are able to avoid possible threats and eliminate the harmful effects of certain negative components of the external and internal environment.

Sources of negative influences on the financial security of an enterprise (organization) can be:

  • conscious or unconscious actions of individual officials and business entities (public authorities, international organizations, competitors);
  • a combination of objective circumstances (the state of the financial situation in the markets of a given enterprise, scientific discoveries and technological developments, force majeure, etc.).

Depending on subjective conditionality, negative impacts on financial security can be objective or subjective. Negative influences that arise through no fault of the enterprise itself or its individual employees are considered objective. Subjective influences take place due to the inefficient work of the enterprise as a whole or its individual employees (primarily managers and functional managers).

The main goal of the financial security of the enterprise is to ensure its long-term and most efficient operation today and high development potential in the future.

From this goal follow the functional goals of the financial security of the enterprise:

  • ensuring high financial efficiency, stability and independence of the enterprise;
  • ensuring technological independence and achieving high competitiveness of its technical potential;
  • high management efficiency, optimality and efficiency of its organizational structure;
  • high level of personnel qualification and its intellectual potential, efficiency of corporate R&D;
  • minimization of the destructive impact of the results of production activities on the state of the environment;
  • high-quality legal protection of all aspects of the enterprise;
  • ensuring the protection of the information field, trade secrets and achieving the required level of information support for the work of all subsections;
  • ensuring the safety of the personnel of the enterprise, its capital and property, commercial interests.

The general scheme of the process of organizing the financial security of an enterprise, including the implementation of functional components to prevent possible harm and achieve its minimum level today, has the form shown in Figure 4.1.

Fig.4.1. The process of organizing the economic security of an enterprise

It can be concluded that the process of organizing the financial security of an enterprise is a rather laborious process that includes many components.


Protection of financial information

New information technologies in financial management based on modern PCs, on the one hand, ensure the high quality of the work performed, and on the other hand, create many threats that lead to unpredictable and even catastrophic consequences. Such threats include the penetration of unauthorized persons into accounting and financial databases, the widespread distribution of computer viruses, erroneous entry of financial data, errors in the design and implementation of economic systems, etc. The possible implementation of threats can be countered by taking financial information security measures.
The protection of financial information is understood as the state of protection of information and its supporting infrastructure (computers, communication lines, power supply systems, etc.) from accidental or intentional effects of a natural or artificial nature, fraught with damage to the owners or users of this information.
Information security of financial data in the narrow sense of the word includes: the reliability of the computer; safety of valuable accounting data; protection of accounting information from changes made by unauthorized persons; preservation of documented accounting information in electronic communication.
The scale of threats to society from theft and distortion of information is enormous and is growing year by year. Damage from virus attacks alone, according to Computer Economics, has grown almost 30 times in recent years, reaching $14.2 billion.
Among the companies surveyed, 313 showed a total loss of $52 million from information security breaches. The results can be approximated for the entire US industry: about 140 million employees with an average loss of $50 from information security breaches result in $7 billion in losses for the US.
The loss of only 20% of information constituting a trade secret in 60 cases out of 100 leads to the bankruptcy of the company, and losses as a result of the actions of unscrupulous competitors amount to about 30% of all economic damage in the world - this formula was derived by the World Bank experts, and, unfortunately, it almost always works.
The problem is not limited to the theft of information, as damage can also be caused by unauthorized modification or deletion of information for personal gain, such as the distortion of financial information, etc.
The objects of information security in financial management include: information resources containing information classified as a trade secret and confidential information presented in the form of financial databases; means and systems of informatization - technical means used in information processes (computer and organizational equipment, informative and physical fields of computers, general system and application software, in general, automated systems of accounting and financial data of enterprises).
The threat to the information security of financial management consists in a potentially possible action that, through the impact on the components of the financial management system, can lead to damage to the owners of information resources or users of the system.
The whole set of potential threats in financial management can be divided into two classes by the nature of their occurrence: natural (objective) and artificial.
Natural threats are caused by objective reasons, as a rule, not dependent on the accountant and financier, leading to the complete or partial destruction of accounting along with its components. Such natural phenomena include earthquakes, lightning strikes, fires, etc.
Man-made threats are associated with human activities. They can be divided into unintentional ones, caused by the ability of workers to make mistakes due to inattention, fatigue, illness, etc. For example, when entering information into a computer, an accountant may press the wrong key, make unintentional errors in the program, introduce a virus, or accidentally disclose passwords.
Deliberate threats are associated with the selfish aspirations of people: intruders who intentionally create unreliable documents.
In terms of their direction, security threats can be divided into the following groups: the threat of penetration and reading of data from accounting databases and the computer programs that process them; the threat to the safety of accounting data, leading either to their destruction or modification, including falsification of payment documents (payment requests, instructions, etc.); the threat to data availability, which occurs when a user cannot access accounting data; the threat of repudiation of operations, when one user sends a message to another and then does not confirm the transmitted data.
Depending on the source of threats, they can be divided into internal and external.
The source of internal threats is the activities of the organization's personnel. External threats come from outside: from employees of other organizations, from hackers and others.
External threats can be subdivided into: local ones due to the intruder entering the organization's territory and gaining access to a separate computer or local network; remote, typical for systems connected to global networks (Internet, SWIFT international banking system, etc.).
Such dangers arise most often in the system of electronic payments in the settlements of suppliers with buyers, using the Internet in settlements. The sources of such information attacks can be located thousands of kilometers away. At the same time, not only computers are affected, but also accounting information.
Intentional and unintentional errors in accounting, leading to an increase in financial risk, are as follows: errors in recording accounting data; incorrect codes; unauthorized accounting transactions; violation of control limits; missed accounts; errors in data processing or output; errors in the formation or correction of directories; incomplete accounts; incorrect assignment of records by periods; data falsification; violation of the requirements of regulatory enactments; violation of accounting policies; inconsistency of the quality of services with the needs of users.
Unprotected accounting and financial data leads to serious shortcomings in the enterprise management system: many undocumented episodes of management; management's lack of a complete picture of what is happening at the enterprise in individual structural divisions; delay in obtaining information relevant at the time of the decision; disagreements between structural divisions and individual performers jointly performing work, arising from poor mutual awareness of the state of business processes; complaints from employees at all levels about information overload; unacceptable deadlines for the development and distribution of business documents; long terms for obtaining retrospective information accumulated at the enterprise; difficulties in obtaining information about the current state of a document or business process; unwanted information leakage resulting from the disordered storage of large volumes of documents.
Particularly at risk is information that constitutes a commercial secret and relates to financial information (data on partners, clients, banks, analytical information on market activities). In order for this and similar information to be protected, it is necessary to draw up agreements with employees of accounting departments, financial services and other economic departments indicating a list of information that is not subject to public disclosure.
In the process of analyzing the financial management security system, it is necessary to determine: what exactly is important for the company (key resources and business processes); what might threaten it; what consequences for the business the implementation of each threat will lead to (decrease in income, legal consequences, operational activities, customer and investor confidence, etc.); what are the main risks of the company and what is their assessment in value or quality terms.
The legal regime of information resources is determined by the rules that establish: the procedure for documenting information; ownership of individual documents and individual arrays of documents, documents and arrays of documents in financial management information systems; category of information according to the level of access to it; order of legal protection of information.
The main principle violated during the implementation of an information threat in financial management is the principle of documenting information. A document received from an automated accounting information system acquires legal force after it is signed by an official in the manner prescribed by the legislation of the Russian Federation.
Information protection in automated accounting and financial systems is based on the following basic principles:
  • ensuring the physical separation of areas intended for the processing of classified and non-classified information;
  • ensuring cryptographic protection of information;
  • ensuring authentication of subscribers and subscriber settings;
  • providing differentiation of access of subjects and their processes to information;
  • ensuring the establishment of the authenticity and integrity of documentary messages during their transmission over communication channels;
  • ensuring protection against disclaimers of authorship and content of electronic documents;
  • ensuring the protection of equipment and technical means of the system, and the premises where they are located, from leakage of confidential information through technical channels;
  • ensuring the protection of encryption technology, equipment, hardware and software from information leakage due to hardware and software bugs;
  • ensuring integrity control of the software and information part of the automated system;
  • the use of only domestic developments as protection mechanisms;
  • ensuring organizational and regime protection measures.
It is advisable to use additional measures to ensure communication security in the system. Organization of protection of information about the intensity, duration and traffic of information exchange. The use of channels and methods for transmitting and processing information that make it difficult to intercept.
The protection of information from unauthorized access is aimed at forming three main properties of the protected information: confidentiality (classified information should be available only to the person for whom it is intended); integrity (information on the basis of which important decisions are made must be reliable, accurate and fully protected from possible unintentional and malicious distortion); availability (information and related information services should be available, ready to serve interested parties whenever the need arises).
To ensure the protection of accounting information, obstacles, access control, masking, regulation, coercion, and inducement are used.
Obstacle - a method of physically blocking the attacker's path to the protected accounting information. This method is implemented by the access system of the enterprise, including the presence of security at the entrance to it, blocking the way of unauthorized persons to the accounting department, cash desk, etc.
Access control is a method of protecting accounting and reporting information implemented through: identification of users of an information system (each user gets their own personal identifier); authentication, that is, establishing the authenticity of an object or subject by the identifier presented to them (carried out by comparing the entered identifier with that stored in the computer's memory); authorization checks, that is, checking the compliance of the requested resources and performed operations with the allocated resources and allowed procedures; registration of calls to protected resources; informing and responding to attempts of unauthorized actions.
Masking is a method of cryptographic protection of information in an automated information system of an enterprise.
Coercion is a method of protecting information due to the threat of financial, administrative or criminal liability. The latter is implemented by three articles of the Criminal Code: "Illegal access to computer information" (Article 272); "Creation, use and distribution of malicious programs for computers" (Article 273); "Violation of the rules for the operation of computers, computer systems or their networks" (Article 274).
Inducement is a method of protecting information through users' observance of the moral and ethical standards established in the enterprise team. In the United States, for example, moral and ethical means include, in particular, the code of professional conduct for members of the association of computer users.
The legal force of a document stored, processed and transmitted using automated and telecommunication systems may be confirmed by an electronic digital signature.
When transferring documents (payment orders, contracts, instructions) over computer networks, it is necessary to prove that the document was actually created and sent by the author, and not falsified or modified by the recipient or any third party. In addition, there is a threat of denial of authorship by the sender in order to relieve himself of responsibility for the transmission of the document. To protect against such threats, in the practice of exchanging financial documents, methods of message authentication are used that work when the parties do not trust each other. The document (message) is supplemented with a digital signature produced with a secret cryptographic key. Forgery of a signature without knowledge of the key by unauthorized persons is excluded, and a valid signature irrefutably indicates authorship.
An accountant (user) signs documents with an electronic digital signature using a private key known only to him, transfers them in accordance with the workflow scheme, and the hardware-software system checks the signature. Confidential documents can be encrypted with individual keys and are inaccessible to intruders. The system is based on Russian standards and norms of office work, the practice of organizing the accounting of documents and controlling the actions of executors in structures of any form of ownership (state and non-state).
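The signing and checking flow described above, as an added example that is not part of the original page. Python's standard library has no public-key signature primitive, so a Lamport one-time hash-based signature stands in here for the certified algorithm a real document-flow system would use; the payment order fields, the names and the `Signer` class are constructed for illustration.

```python
import hashlib
import json
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(message: bytes) -> list:
    """Return the 256 bits of SHA-256(message), most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def canonical(document: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash the same bytes."""
    return json.dumps(document, sort_keys=True, separators=(",", ":")).encode("utf-8")


class Signer:
    """Holds a Lamport one-time private key; only the public key is shared."""

    def __init__(self):
        # For each digest bit: one secret for bit value 0 and one for bit value 1.
        self._private = [(secrets.token_bytes(32), secrets.token_bytes(32))
                         for _ in range(256)]
        self.public = [(_h(zero), _h(one)) for zero, one in self._private]
        self._used = False

    def sign(self, document: dict) -> list:
        # Each signature reveals half of the secrets, so signing twice with the
        # same key would let a forger combine the revealed halves.
        if self._used:
            raise RuntimeError("one-time key already used; generate a new key")
        self._used = True
        bits = _digest_bits(canonical(document))
        return [self._private[i][bit] for i, bit in enumerate(bits)]


def verify(public: list, document: dict, signature: list) -> bool:
    """Check the signature using only the signer's public key."""
    if len(signature) != 256:
        return False
    bits = _digest_bits(canonical(document))
    return all(_h(signature[i]) == public[i][bit] for i, bit in enumerate(bits))


def demo() -> dict:
    # Constructed sample payment order (all values are illustrative).
    order = {"number": 17, "payer": "Enterprise A", "payee": "Supplier B",
             "amount": "125000.00", "currency": "RUB"}
    accountant = Signer()
    signature = accountant.sign(order)

    tampered = dict(order, amount="925000.00")  # modified in transit
    outsider = Signer()                         # party without the accountant's key
    forged = outsider.sign(tampered)

    try:
        accountant.sign(tampered)
        reuse_blocked = False
    except RuntimeError:
        reuse_blocked = True

    return {
        "genuine": verify(accountant.public, order, signature),
        "tampered": verify(accountant.public, tampered, signature),
        "forged": verify(accountant.public, tampered, forged),
        "reuse_blocked": reuse_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

Because verification needs only the public key, a signature that checks out under the accountant's public key is evidence that the accountant's private key produced it, which is what counters a later denial of authorship.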
The security of financial data makes it possible to: ensure identification/authentication of the user; define for each user functional rights - the rights to perform certain functions of the system (in particular, to access certain document registration logs); determine the level of confidentiality for each document, and for each user - access rights to documents of different levels of confidentiality; confirm the authorship of the user using the electronic signature mechanism; ensure the confidentiality of documents by encrypting them, as well as encrypting all information transmitted through open communication channels (for example, by e-mail); encryption is performed using certified cryptographic tools; log all user actions in the audit logs (in the login and logout audit log, the log of completed operations).
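The access-control steps listed earlier (identification, authentication, authorization checks, registration of calls, response to unauthorized attempts) together with the functional rights and confidentiality levels described above, as an added example that is not code from the original page. The user names, rights, levels, lockout threshold and log format are assumptions chosen for illustration; hash-chaining the audit log goes one step beyond the text so that later edits to the log are detectable.

```python
import hashlib
import hmac
import json
import os
import secrets

MAX_FAILURES = 3  # assumed lockout threshold


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessController:
    def __init__(self):
        self.users = {}      # identifier -> account record
        self.documents = {}  # document id -> confidentiality level
        self.sessions = {}   # session token -> identifier
        self.audit_log = []  # hash-chained record of every call
        self.alerts = []     # notifications about unauthorized attempts

    def add_user(self, user_id, password, rights, clearance):
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                               "rights": set(rights), "clearance": clearance,
                               "failures": 0, "locked": False}

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, user_id, action, resource, outcome):
        # Each entry commits to the previous one, so edits break the chain.
        prev = self.audit_log[-1]["digest"] if self.audit_log else "0" * 64
        entry = {"seq": len(self.audit_log), "user": user_id, "action": action,
                 "resource": resource, "outcome": outcome, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.audit_log.append(entry)

    def login(self, user_id, password):
        """Identification and authentication; returns a session token or None."""
        user = self.users.get(user_id)
        # Hash even for unknown identifiers so both cases cost the same work.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = hash_password(password, salt)
        ok = (user is not None and not user["locked"]
              and hmac.compare_digest(candidate, user["hash"]))
        if ok:
            user["failures"] = 0
        elif user is not None and not user["locked"]:
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked"] = True
                self.alerts.append(f"account '{user_id}' locked after repeated failed logins")
        self._record(user_id, "login", "-", "ok" if ok else "denied")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def authorize(self, token, action, doc_id):
        """Check functional rights and confidentiality level, and log the call."""
        user_id = self.sessions.get(token)
        user = self.users.get(user_id)
        level = self.documents.get(doc_id)
        allowed = (user is not None and level is not None and not user["locked"]
                   and action in user["rights"] and user["clearance"] >= level)
        self._record(user_id, action, doc_id, "ok" if allowed else "denied")
        if not allowed:
            self.alerts.append(f"denied: {user_id} tried '{action}' on '{doc_id}'")
        return allowed

    def log_is_intact(self):
        prev = "0" * 64
        for entry in self.audit_log:
            if entry["prev"] != prev or entry["digest"] != self._digest(entry):
                return False
            prev = entry["digest"]
        return True


def build_demo():
    # Constructed sample accounts and documents.
    ac = AccessController()
    ac.add_user("accountant", "correct horse", {"read", "post_entry"}, clearance=2)
    ac.add_user("clerk", "battery staple", {"read"}, clearance=1)
    ac.documents.update({"payment-order-17": 2, "price-list": 1})
    return ac
```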
Attackers cannot forge a signature without knowing the key. When protecting accounting information, the following principle must be observed: if you value information at 100 rubles, you should not spend 150 on protecting it.
Controls in automated financial systems are placed at those points where possible risk can turn into losses.
Such points are called risk points, or control points. These are the points where control will be most effective and at the same time most economical. But no matter how effective the controls are, they cannot provide a 100% guarantee, in particular due to unintentional errors.
Evaluation of the effectiveness of investments in information security. The realities of modern business are such that, in market conditions, almost any company is focused on maintaining its competitiveness: not only that of its products and services, but that of the company as a whole.
Under these conditions, the quality and efficiency of the information system affect the final financial performance indirectly, through the quality of business processes. Companies that finance information protection on a residual basis lose out.
How should spending on information security be treated: as a cost or as an investment? If it is treated as a cost, then reducing it is an important problem for the company. However, this will noticeably move the company away from solving the strategic task of increasing its adaptability to the market, where security in general and information security in particular play an important role. Therefore, if a company has a long-term development strategy, it usually treats this spending as an investment. The difference is that costs are primarily a necessity, while investments carry the prospect of payback. In this case, a thorough assessment of the effectiveness of such investments and an economic justification of the planned costs are required.
Investments in information security are necessary and justified, since this is an integral part of the overall security of the organization, which includes the economic security of business activities. How to assess the required level of costs for building an effective information security management system (ISMS) and how to minimize risks?
Doing business in today's environment requires a balanced assessment when making a decision. Every day, every company is exposed to financial, operational or other risks. Its success and stability lies in the ability to withstand potential risks, assess them correctly and in a timely manner. In order to increase the capitalization of the business, the value and significance of the company in the market, serious and constant investments are needed, therefore, in the course of the enterprise's activities, investing in assets with subsequent profit plays a key role, i.e. investing is becoming one of the main areas of financial risk.
The main economic effect that the company strives for by creating an information security system is a significant reduction in the material damage caused by the realization of existing threats to information security. The return on such investments in the development of the company should be quite predictable.
Most methods for evaluating the effectiveness of investments in information security are based on comparing the costs required to create an information security system with the damage that the company may suffer in the absence of this system.
When making an investment decision, the resulting value is compared with the industry average, or the project with the best return on investment (ROI, the ratio of the profit or economic effect of the project to the investment required to implement it, expressed as a percentage) is selected from the available options. Despite extensive experience with this indicator, no reliable methods for calculating return on investment have appeared so far, and attempts to determine it by analyzing the performance of companies that have implemented particular information technologies led to the emergence of the total cost of ownership (TCO) indicator proposed by Gartner Group.
The general model for calculating the total cost of ownership is based on dividing all costs into direct and indirect. As a rule, indirect costs are understood as hidden costs that arise during the operation of the information security system. These unplanned costs can significantly exceed the cost of the protection system itself. According to the Gartner Group, direct costs account for 15-21% of the total cost of using information technology.
One of the key benefits of TCO is that it allows you to draw conclusions about the feasibility of implementing an information security project based on an assessment of costs alone. Moreover, in the case of information security, a situation often arises when the economic effect of the implementation of the information security system cannot be assessed, but there is an objective need for its creation.
Another advantage of this indicator is that the TCO calculation model includes an assessment not only of the initial costs of creating the information security system, but also of the costs that may occur at various stages of the entire life cycle of the system. Nevertheless, TCO, like ROI, is static: it reflects a single point in time and does not take into account changes in the situation over time. Information systems are subject to constant change, and new threats and vulnerabilities appear. Thus, ensuring information security is a process that must be considered over time. Therefore, to analyze the effectiveness of investments in information security, it is proposed to consider using a system of dynamic indicators based on the method of discounted cash flows.
The goal of any investment is to increase the cash flow (in this case, to reduce the amount of damage resulting from the implementation of information security threats) compared to the existing one. When evaluating an investment project, it is necessary to consider all cash flows associated with the implementation of this project. In this case, it is necessary to take into account the dependence of the cash flow on time. Therefore, future cash flows (damage mitigation) must be discounted, i.e. adjusted to current value. For this, a discount rate is used, the size of which reflects the risks associated with the depreciation of money due to inflation and the possibility of failure of the investment project, which may not bring the expected effect. In other words, the higher the risks associated with the project, the greater the value of the discount rate. This rate also reflects the overall cost of credit for investments.
Often the discount rate is determined by the weighted average cost of capital. This is the average rate of return on invested capital, which has to be paid for its use. Usually this indicator is considered as the minimum rate of return, which must be provided by an investment project.
The "net present value" indicator, discussed earlier, is used directly to assess the effectiveness of investments. If the value of this indicator is greater than or equal to zero, the capital investment is considered effective. When several projects are compared, the one with the highest value of this indicator is accepted, provided that it is positive.
Obviously, to evaluate the effectiveness of investments in the creation of a financial information protection system, it is not enough just to determine the indicators. It is also necessary to take into account the risks associated with the implementation of a particular project. These may be risks associated with specific information security vendors, or risks associated with the competence and experience of the implementation team.
In addition, it is useful to conduct a sensitivity analysis of the obtained indicators.
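The discounted-cash-flow assessment and sensitivity analysis described above, carried through in code as an added example that is not part of the original text. The two projects and all of their figures are constructed; the cash flow in each year is taken to be the estimated damage avoided minus the operating cost, and the break-even calculations are one common way to present a sensitivity analysis.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityProject:
    name: str
    initial_cost: float           # year-0 cost of creating the protection system
    annual_cost: float            # yearly operating cost over the life cycle
    annual_damage_avoided: float  # estimated yearly reduction in damage
    years: int                    # length of the evaluated life cycle


def annuity_factor(rate: float, years: int) -> float:
    """Sum of the discount factors 1/(1+rate)^t for t = 1..years."""
    return sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))


def npv(p: SecurityProject, rate: float, damage_factor: float = 1.0) -> float:
    """Net present value; damage_factor scales the damage estimate."""
    yearly_net = p.annual_damage_avoided * damage_factor - p.annual_cost
    return -p.initial_cost + yearly_net * annuity_factor(rate, p.years)


def select_project(projects, rate: float):
    """Project with the highest NPV, accepted only if that NPV is positive."""
    best = max(projects, key=lambda p: npv(p, rate))
    return best if npv(best, rate) > 0 else None


def sensitivity_table(p: SecurityProject, rates, damage_factors):
    """NPV for every combination of discount rate and damage estimate."""
    return {(r, f): npv(p, r, f) for r in rates for f in damage_factors}


def break_even_damage_factor(p: SecurityProject, rate: float) -> float:
    """Share of the estimated damage reduction at which NPV is exactly zero."""
    needed_per_year = p.initial_cost / annuity_factor(rate, p.years) + p.annual_cost
    return needed_per_year / p.annual_damage_avoided


def break_even_rate(p: SecurityProject, low=0.0, high=1.0, tol=1e-9):
    """Discount rate at which NPV crosses zero (bisection), or None."""
    if npv(p, low) < 0 or npv(p, high) > 0:
        return None  # no sign change inside [low, high]
    while high - low > tol:
        mid = (low + high) / 2
        if npv(p, mid) >= 0:
            low = mid
        else:
            high = mid
    return (low + high) / 2


# Constructed sample data, not figures from the page.
PROJECT_A = SecurityProject("A: full protection system", 1000.0, 100.0, 600.0, 3)
PROJECT_B = SecurityProject("B: minimal controls", 400.0, 50.0, 200.0, 3)
DISCOUNT_RATE = 0.10  # e.g. the weighted average cost of capital

if __name__ == "__main__":
    for project in (PROJECT_A, PROJECT_B):
        print(f"{project.name}: NPV = {npv(project, DISCOUNT_RATE):.2f}")
    chosen = select_project([PROJECT_A, PROJECT_B], DISCOUNT_RATE)
    print("accepted:", chosen.name if chosen else "none")

    table = sensitivity_table(PROJECT_A, (0.05, 0.10, 0.20), (0.8, 1.0, 1.2))
    for (rate, factor), value in sorted(table.items()):
        print(f"rate={rate:.2f} damage x{factor:.1f}: NPV = {value:8.2f}")
    print(f"break-even damage estimate: "
          f"{break_even_damage_factor(PROJECT_A, DISCOUNT_RATE):.1%} of forecast")
    print(f"break-even discount rate: {break_even_rate(PROJECT_A):.1%}")
```

With these figures project A is effective at a 10% discount rate, but its NPV turns negative if the avoided damage is overestimated by 20%, which is the kind of dependence on primary data that a sensitivity analysis is meant to expose.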
Not all the damage from the implementation of information security threats can be unambiguously expressed in terms of money. For example, damage to a company's intellectual property can lead to consequences such as loss of market position, loss of permanent and temporary competitive advantage, or loss of brand value. Therefore, often even in the presence of the considered indicators, the decision to create an information security system is made on the basis of a qualitative assessment of possible effects.
Any method for evaluating the effectiveness of investments in information security is just a set of mathematical formulas and logical calculations, the correctness of which is only a matter of justification. Therefore, the quality of the information necessary to make a decision on the feasibility of investments will primarily depend on the initial data on the basis of which the calculations were carried out. The weak point in any calculation method is the collection and processing of primary data, their quality and reliability.
In addition, a clear understanding of the goals for which the financial information security system is being created, and the direct participation of whoever sets these goals in the decision-making process, also guarantees high quality and accuracy in assessing the effectiveness of investments in information security. This approach ensures that the information security system will not be an artificial addition to the already implemented management system, but is designed from the outset as an essential element that supports the company's core business processes.

Topic 10. Strategy and tactics for ensuring the financial security of the enterprise

10.1 The essence and elements of the strategy for managing the financial and economic security of the enterprise

10.3 Tactics to ensure the financial security of the enterprise.

10.4 Tools of strategy and tactics to ensure financial security.

10.5 Features of the choice of strategy and methods for solving managerial problems.

10.6 The main measures aimed at neutralizing the threat of the financial crisis.

Decision strategies under risk. Risk management includes strategy and management tactics.

Strategy is a long-term approach to achieving the goal. The General Security Strategy is expressed through the general concept of an integrated business security system. Within the framework of the general strategy, special and functional strategies are distinguished, incl. financial.

Management strategy refers to the direction and method of using the means to achieve the goal. This method corresponds to a certain set of rules and restrictions for decision making. The strategy allows you to focus on solutions that do not contradict the adopted strategy, discarding all other options. After the goal is achieved, the strategy as a direction and means of achieving it ceases to exist. New goals set the task of developing a new strategy.

For companies, the development of a financial security strategy is part of the development strategy, through which their leaders solve the two most important tasks that constitute a trade secret:

1) development of new and (or) modernization of existing methods for promoting products and services in commodity and financial markets, allowing the company to optimize the receipt and distribution of cash and cash equivalents, taking into account a balanced distribution of various risks and ways to cover them, and to search for the optimal corporate capital structure;

2) building financial management in a market environment characterized by a high degree of uncertainty and increased risk.

Includes:

1. A system of preventive measures, implemented through the regular, continuous work of all divisions of a business entity to verify counterparties, analyze proposed transactions, examine documents, comply with the rules for working with confidential information, etc. The security service in this case plays the role of a controller.

2. A strategy of reactive measures, applied when threats to the financial security of the business arise or are actually realized. This strategy, based on a situational approach and taking into account all external and internal factors, is implemented by the financial security service through a system of measures specific to the given situation.

The most important aspect in solving the problem of ensuring the financial security of a company is the construction of an optimal structure of its capital based on generally accepted coefficients, which makes it possible to optimize the company's debt management and methods for attracting additional funds in the financial market.

- ensuring a stable financial balance throughout the entire period of the organization's operation.

The financial security strategy of an enterprise operating in unstable conditions should include the following elements:

Diagnostics of crisis situations;

Separation of objective and subjective negative impacts;

Defining a list of measures to prevent threats to economic security; assessment of the effectiveness of planned measures in terms of neutralizing negative impacts;

Estimation of the cost of the proposed measures to eliminate threats to economic security.

The financial security strategy of an enterprise includes the following areas:

1. determination of criteria and parameters (quantitative and qualitative threshold values) of the financial system of the enterprise that meet the requirements of its financial security;

2. development of mechanisms and measures for identifying threats to the financial security of the enterprise and their carriers;

3. characteristics of areas of their manifestation (spheres of localization of threats);

4. identification of the main subjects of threats, mechanisms of their functioning, criteria for their impact on the economic (including financial) system of the enterprise;

5. development of a methodology for forecasting, identifying and preventing the occurrence of factors that determine the emergence of threats to financial security, conducting research to identify trends and opportunities for the development of such threats;

6. organization of an adequate system for ensuring the financial security of the company;

7. formation of mechanisms and measures of financial and economic policy, neutralizing or mitigating the impact of negative factors;

8. definition of objects, subjects, parameters of control over ensuring the financial security of the enterprise.

Tactics are specific methods and techniques for achieving the goal in specific conditions. Financial security tactics involve the application of specific procedures and the implementation of specific actions in order to ensure the economic security of a business entity. Depending on the nature of the threats and the severity of the consequences of their realization, these actions can be, for example: expanding the legal service of the company; taking additional measures to protect trade secrets; creating a computer security unit for financial information; filing claims against the offending counterparty; filing a claim with the judiciary; appealing to law enforcement agencies.

The task of management tactics is to choose the optimal solution and the most appropriate management methods and techniques in a given economic situation.

Factors determining the choice of the basic concept of ensuring the financial security of the enterprise:

General development strategy (“mission”), for example, focus on serving highly profitable industries or the shadow economy;

The degree of aggressiveness of the competitive strategy;

The degree of "criminogenicity" of the location region;

Financial opportunities to ensure their own security;

Qualification of bank security personnel;

Availability of support from local government authorities.

General sequence of implementation of the chosen strategy:

Definition of a general list of real and potential security threats, as well as their possible sources;



Formation of a ranked list of objects of protection;

Determining the resources needed to implement the strategy;

Determination of rational forms of protection for specific objects;

Defining the functions, rights and responsibilities of the company's security service;

Determining the tasks of other structural divisions and management authorities of the bank as part of the implementation of the strategy;

Development of an operational action plan and targeted programs.

The main measures aimed at neutralizing the threat of a financial crisis are:

insurance of financial risks of the enterprise;

sale of surplus or unused assets of the enterprise;

taking measures to collect receivables;

reducing the volume of financial transactions in the most risky areas of the financial activity of the enterprise;

saving investment resources by suspending the implementation of certain real investment projects;

saving current costs associated with the economic activity of the enterprise;

evaluation of production capacity utilization;

conservation of expensive environmental protection measures;

transfer of non-production objects to the balance of city authorities and reduction of costs for their maintenance, etc.


Topic 11. Financial risk management (risk management)

11.1 Essence and classification of financial risks.

11.2 Methodology for assessing the level of financial security.

11.3 Economic assessment of possible damage from various threats.

11.4 Risk management, its functions.

11.5 Organization of risk management.

11.6 Rules and methods of risk management.

11.7 Basic concepts of risk management.

11.8 Methods for determining the likelihood and consequences of risks.

11.9 Risk treatment.

11.10 Methods of game theory.

11.11 Project sensitivity analysis.

11.12 Methods for minimizing project risks.

11.13 Risk response planning, risk monitoring and control. Assessment of the economic effect of risk management.

11.14 Risk management strategies.

Basic concepts of risk management. Uncertainty. Risk. The likelihood of risks. Chance, probability and impact. Objective and subjective methods for determining the probability of undesirable events. Risk tree (risk breakdown structure) of the project. External risk factors. Internal risk factors.

Risk is the uncertainty of the financial results of the enterprise in the future, due to the uncertainty of this very future.

The concept of "risk" from an economic standpoint primarily involves loss or damage, but still "moral damage" caused to the property rights of an enterprise, the probability of which is associated with the emergence of uncertainty in the final result of a business transaction.

Regarding management, the concept of "risk" in this area should be associated with the complexity and nature of the problems, the conditions for making managerial decisions, forecasting the situation point in time that may cause future negative consequences for the enterprise, affect the level of financial security.

Risk, along with innovation and investment policy, anti-crisis management technologies should be attributed to the determining factors of management, and this is especially true for anti-crisis management of enterprises. That is why this category should be considered in the context of investment processes, innovation, anti-crisis management technologies.

In crisis conditions, the enterprise faces the risk of bankruptcy and the risk of certain unforeseen events, and therefore the manager in this situation should take risks, but in a balanced way, within a framework that allows him to achieve the goals outlined earlier. Therefore, when analyzing the situation that has developed, one should take into account the type of risk and its nature.

There are many different classifications of risks. The most famous in world practice is the division of risk into systematic and non-systematic.

Unsystematic risk is also called the characteristic risk of the company. It can be caused by a number of reasons: strikes, unsuccessful marketing programs, termination of duties (official) on large contracts of this company, etc. Systematic or market risk can be caused by wars, catastrophes, inflation, rising interest rates and a number of other reasons.

Causes of risk are: the uncertainty of the situation arising from the multitude of accidents; the incompleteness of information about it, as well as the psychological characteristics of the personality of entrepreneurs.

Hence, risk measurement is a measure of uncertainty. And from the point of view of probability theory, this means that it is necessary to determine the probability distribution for the corresponding set of scenarios for the development of the situation.

There are risks of action, but there are also risks of inaction. Risks are predictable and unpredictable, voluntary and involuntary, acceptable and catastrophic.

Risks for the enterprise are internal, external and integration risks. External risks are caused by violations of macroeconomic balance and internal ones by violations of microeconomic balance, while integration risks are a manifestation of the international division of labor. Among the internal ones, there are production, technological, marketing, financial, organizational and personnel management risks.

Any financial activity is always associated with a certain risk, the possibility of unforeseen loss of funds.

Financial risk manifests itself in:

1 Lack of free working capital;

2 Absence of innovation and investment costs;

3 Low liquidity of assets;

4 Unprofitable production, etc.

Reasons for the manifestation of financial risk:

1 Lack of proper financial and economic planning;

2 Unprofitable activity or functioning of the enterprise;

3 The presence of a large proportion of obsolete equipment;

4 Inconsistency of existing products with the needs of consumers.

Classification of financial risks:

1. By degree of danger (the size of the consequences) for the company, the following are distinguished:

- reasonable financial risk, which implies the possibility of current losses, for example, partial or complete loss of profits;

- unwanted risk (threat of complete loss of revenue);

- invalid risk (bankruptcy).

2. By expediency, one can speak of justified and unjustified risks, the boundaries between which are not the same in the various areas of the company's financial activity.

3. By cause of occurrence, the following are distinguished:

1. Currency risk (associated with the impact of exchange rate fluctuations on the position of exporters and importers). The main variety is economic risk, due to the fact that expenses and incomes take place in different currencies. With direct economic risk, there is a threat to the profitability of operations under concluded contracts, which have to be settled in unfavorable conditions.

2. Investment risk is the risk of an erroneous investment of funds, a fall in the price of the company's securities and, as a result, depreciation or a complete loss of invested capital and expected income, and the inability to sell existing assets (due to their illiquidity).

3. Credit risk is the risk of losses resulting from the inability of a transaction partner to fulfill its obligations in a timely manner, i.e. the risk arising from the partial or complete insolvency of the partner. Banking organizations and other financial institutions are most exposed to this type of risk. Credit ratings are a generally accepted measure for assessing the credit risk of an enterprise, company or bank. In Russia, the construction of such ratings is just beginning, but you can already find them in the Expert magazine, RID (Russian Institute of Directors), Institute of Corporate Law and Management. Credit risks (which arise due to non-fulfillment of obligations or bad faith) are divided into trade risks (non-payment of a debt on a commercial loan) and bank risks (bank insolvency).

4. Interest risks (changes in the absolute and relative level of the interest rate; its unpredictable fluctuations due to unfavorable general conditions, changes in the refinancing rate by the central bank, economic growth rates, inflation, public debt, government policy).

5. Market risk is the risk of changes in the price of goods or shares, interest rates on loans, the relationship between various market parameters and the volatility of these parameters.

6. Liquidity risk is the risk arising from the sale of an existing financial asset. This type of risk means the impossibility of a quick sale of an asset without a significant reduction in value.

7. Operational risk is the risk associated with the dishonest performance of their official duties by personnel (from theft to deliberate collusion with competitors).

With so many risks, the need for risk management (RM) is obvious; it is based on a targeted search for and organization of work to reduce the degree of risk, and on the practice of obtaining and increasing profits in an uncertain economic situation. The ultimate role of RM is fully consistent with the target function of the business: obtaining the greatest profit at the optimal ratio of profit and risk.

From a risk management point of view, different types of risks should be approached differently. Thus, when dealing with operational risks and liquidity risks, risk management is in the nature of a problem that can be solved by building the correct organizational procedure based on expert knowledge. And when working with market and credit risks, it should be understood that managing such risks is the most formalized and regular task associated with mathematical measurements, calculations and procedures.

Anti-crisis management is risky in a significant part of the problems it has to solve. In certain crisis situations, there are many risks that differ in content, nature, sources of manifestation, probability of occurrence, and the amount of losses or negative consequences for the enterprise as a whole. All this necessitates the formation of a risk management system with the involvement of qualified risk management specialists (consultants). These can be either specialists in particular areas of activity at the enterprise or specialists from outside.

In any case, the process of developing and making decisions by them reflects the following stages of the implementation of risky decisions:

Information analysis;

Diagnosis of the situation;

Development of solutions;

Decision-making;

Organization and implementation of management activities.

Diagnostics of financial security threats involves identifying and monitoring the factors that determine the stability of the financial and economic situation in the short and medium term, as well as the indicators for assessing the level of economic security, and determining their threshold values.

The adequacy of the assessment of the economic security of an enterprise depends on the correct choice of indicators of the manifestation of threats or a system of indicators for monitoring (that is, indicators).

Methods for determining the probability and consequences of risks. The essence of statistical methods and models for determining and assessing enterprise risks. Statistical methods that determine the degree of risk of an enterprise using the probability of occurrence of events. Risk as a measure of the uncertainty of the expected return. Risk as a measure of income volatility. Mathematical and statistical indicators of risk in terms of the probability distribution of the expected income and the standard deviation from the average expected income. Variation, covariance, correlation. The standard deviation from the mean observed income. Reducing these indicators as the goal and content of risk management. Positive and negative aspects of statistical methods.

The methodology for assessing the level of financial security, based on the use of functional components, can be applied to both large and small enterprises, regardless of their form of ownership or legal form of activity. However, because of threats of a criminal nature and because most indicators of economic security are trade secrets, assessment of the overall level of security and its functional components is possible only within the enterprise. The analysis of threats and security indicators is carried out by the economic security service of the enterprise; for small enterprises, by the head, the accountant, or, under contract, a consulting firm.

The assessment of the level of financial security of consumer enterprises, suppliers, competitors is carried out according to a simplified methodology, according to which the level of financial security of an enterprise is determined on the basis of an analysis of the financial performance of the enterprise and indicators of the provision of reserves and costs with own working capital (Kzab).