23 November 2014

Trust Decisions: The Future State of Risk Management...

Trust Decisions are being made at the speed of light. The rules of the game are embedded in the lines of code written to instruct computers and, simultaneously, in the rule of law printed in constitutions around the globe. As the speed of Internet commerce accelerates, Operational Risk Management (ORM) frameworks will have to evolve and adapt. The privacy vs. security debate is now in full swing as our critical infrastructures feel the stress at their points of failure.

The future architecture of what is at stake continues to be challenged in many ways. Jeffrey Ritter sums this up well:
"Yet, in either direction, freedom vs. surveillance, what are being proposed are nation-state rules. At this point in the Net’s evolution, any national solutions seem almost contradictory to the ambitions of any government to actually be effective in achieving their ambitions. The inherent functionality of the Net is to “route around failure”. Nation-state rules that impose restrictions on the market’s appetite to create economic pricing tiers merely drive commercial activity into other geographic regions. Laws requiring backdoors have the same effect, provoking and encouraging bad actors to find mechanisms that avoid such technology features to be baked into the relevant devices. In a global market where, as one economist observed, there will soon be no further emerging economies, what is the proper role of the nation-states toward the Net? When do new regulations, well-intentioned to provide positive qualities of life, actually become walls that divert the movement of information, funds, and economic activity to other geographic regions?"
As the governance of the Internet continues to be debated, consider the velocity of what is occurring, even while broadband and wireless remain scarce in many locations around the world:
Alibaba Group Holding Limited is a Chinese e-commerce company that provides consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. 
Alibaba's consumer-to-consumer portal Taobao, similar to eBay.com, features nearly a billion products and is one of the 20 most-visited websites globally. The Group's websites accounted for over 60% of the parcels delivered in China by March 2013, and 80% of the nation's online sales by September 2014. Alipay, an online payment escrow service, accounts for roughly half of all online payment transactions within China.
The "Trust Decisions" made every day by citizens of planet Earth using the Internet continue to grow exponentially. The systems-of-systems are executing the rules given to them, and the human element is beginning to diminish. Why?

Most people believe in some form of risk management, and the truth is that it doesn't work all the time. It doesn't work because a human being is incapable of processing all of the possible rules of the moment, of the game, in any specific scenario fast enough. Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise, where all risks are mitigated and humans can achieve an environment of trust that is sustainable? We think it is. In the right environment and in a specific scenario, surprise is now "impossible".

"Trust Decisions" occur today at the speed of light and with an accuracy of 99.999%. Risk Management is our current state, and it is destined for extinction. Trust Decisions, as we will now apply them, become our future state, with zero surprise. The truth is that risk management is obsolete and a new digital invention is ready for mankind.

16 November 2014

Top Ten Mistakes: Board of Directors Risk...

A few years ago, Randy Myers' article in Corporate Board Member Magazine discussed a Top Ten list of mistakes for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common ones.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the Dilemma of False Options
And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 is even on this list. No. 2 and No. 3 are ever so commonplace, and No. 7 is not a surprise. But what continues to amaze even those professionals who consult to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization become the subject of an investigation by the SEC, FTC or any other government regulator, it needs to look to the CRO. It is the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of managing its own risks. Whenever you see a CRO getting involved in managing the risks of the business, the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.


09 November 2014

Veterans Day 2014: Leading the Enterprise to Victory...

The 1% are soon to be recognized on Tuesday, November 11, Veterans Day. CxOs across the country who have served in the military know all about Operational Risk Management (ORM). They understand that the safety and security of their personnel is paramount if they are to achieve the mission assigned to them by the Board of Directors and the majority stakeholders.

If only 1% of the country serves in the military, and fewer still make it to the rank of CxO in commercial industry, it makes sense that ORM remains so esoteric. Only an enlightened few truly understand the value of investing in continuous training, in cultural and ethical development, and in the safety and security not only of employees but also of intellectual capital and information assets.

Indeed, this Veterans Day is a time to focus on our 1%: those who have served the United States of America in the Armed Forces. At the top of each of the branches, the Army, Marine Corps, Navy, Air Force and Coast Guard, are people who have seen, smelled, heard, felt and lived with the logic and the necessity of Operational Risk Management. Why is Navy leadership focused on ORM?
ORM is the guiding Navy instruction for implementing the ORM program. The naval vision is to develop an environment in which every individual (officer, enlisted and civilian) is trained and motivated to personally manage risk in everything they do on and off duty, both in peacetime and during conflict, thus enabling successful completion of all operations or activities with the minimum amount of risk. 
The most common idea of what ORM revolves around is a simple five-step process that is most frequently used in planning. These five steps are:
  • Identify hazards
  • Assess the hazards
  • Make risk decisions
  • Implement controls
  • Supervise and watch for change
Another level of ORM is Time Critical Risk Management, which involves a quick, committed-to-memory process and a set of skills that allow our people to manage risk during the execution of a plan or event. The standard for the Navy is still being developed; however, it might be thought of in simple terms such as:
  • What can go wrong or is changing
  • How can I keep it from affecting the mission without hurting me
  • Act to correct the situation
  • Tell the right people if you are unable to take the right action
If you were retired from the Marine Corps and now the CxO of a Global 500 company, do you think that ORM would be a forgotten system? Would you neglect to focus on it if you were running FedEx? Fred Smith is not a former pilot, but he was vital as a "Forward Air Controller":

Frederick Wallace "Fred" Smith (born August 11, 1944), is the founder, chairman, president, and CEO of FedEx, originally known as Federal Express, the first overnight express delivery company in the world, and the largest in the world. The company is headquartered in Memphis, Tennessee. 
Smith was commissioned in the U.S. Marine Corps, serving for three years (from 1966 to 1969) as a platoon leader and a forward air controller (FAC), flying in the back seat of the OV-10.
As a Marine, Smith had the opportunity to observe the military's logistics system first hand. He served two tours of duty in Vietnam, flying with pilots on over 200 combat missions. He was honorably discharged in 1969 with the rank of Captain, having received the Silver Star, the Bronze Star, and two Purple Hearts. While in the military, Smith carefully observed the procurement and delivery procedures, fine-tuning his dream for an overnight delivery service.
A primary function of a Forward Air Controller is ensuring the safety of friendly troops. Enemy targets in the Front line ("Forward Edge of the Battle Area" in US terminology) are often close to friendly forces and therefore friendly forces are at risk of friendly fire through proximity during air attack. The danger is twofold: the bombing pilot cannot identify the target clearly, and is not aware of the locations of friendly forces.
Fred Smith not only brought the mindset of a "Forward Air Controller" to running FedEx, he has also been able to build a culture focused on Operational Risk Management (ORM):
FedEx Corporation will produce superior financial returns for its shareowners by providing high value-added logistics, transportation and related business services through focused operating companies. Customer requirements will be met in the highest quality manner appropriate to each market segment served. FedEx will strive to develop mutually rewarding relationships with its employees, partners and suppliers. Safety will be the first consideration in all operations. Corporate activities will be conducted to the highest ethical and professional standards.
Now back to Veterans Day, November 11. Are you starting to make the connection between the 1%, becoming a global CxO, and the reason why ORM has such tremendous application inside the global enterprise?

The opportunity now is to unleash our emerging and proactive "Vetrepreneurs" to take their years of knowledge and understanding of ORM and apply it within the ranks of their new companies or new positions, just as Fred Smith has done at FedEx. These veterans have the practical knowledge, skills and valuable use cases on how Operational Risk Management contributes to the overall mission.

If you are a 1% entrepreneur (Vetrepreneur) and have Co-founder or CxO as your title, your proactive nature should allow you the opportunity to apply ORM within your organization. Here are three places you can begin your program focus:
Inside:  Develop a culture of trust that begins by teaching employees how to find the truth. A culture that promotes and teaches people how to apply the rules of the business you are operating in. A culture where no one can hide, and where understanding our own vulnerabilities makes the overall organization more resilient each day.
Outside:  Architect the enterprise from the ground up to make more informed "Trust Decisions." The architecture must first assemble and organize the rule-base and contextual framework of the environment you will be operating in, both physically and virtually. The interdependencies of the automated machines developed to operate the enterprise shall exist in a transparent and highly governed "system-of-systems".
In-The-Middle:  Create new learning scenarios on a consistent but random basis. Test the enterprise Inside and Outside with these exercise scenarios. Determine how the humans and/or machines behave. Establish what is normal and create your baseline. Continue to test, measure the gaps in performance, and make changes to improve the quality, accuracy or resiliency of the entire enterprise architecture.
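As an added illustration of the In-The-Middle step (this is example code written for this page, not anything from the original post or from any company it mentions), the Python script below keeps a history of exercise results, derives what "normal" looks like for each scenario, flags a new drill that falls outside that baseline, and picks the next scenarios to run on a consistent-but-random basis. The scenario names, the "human"/"machine" actor labels and every timing are constructed for illustration.

```python
"""Added example for the In-The-Middle step: keep a history of exercise
results, derive what "normal" looks like per scenario, and flag the gaps.

Scenario names, actor labels and every timing below are constructed for
illustration; nothing here comes from the original post."""
import random
import statistics
from dataclasses import dataclass
from typing import Optional

METRICS = ("detect_min", "contain_min")


@dataclass(frozen=True)
class Drill:
    scenario: str                  # hypothetical exercise name
    actor: str                     # "human" or "machine" that responded
    detect_min: Optional[float]    # minutes until detected; None = never
    contain_min: Optional[float]   # minutes until contained; None = never


# Constructed drill history (hypothetical scenarios and timings).
HISTORY = [
    Drill("phish-credential", "human", 12, 40),
    Drill("phish-credential", "machine", 3, 25),
    Drill("phish-credential", "human", 15, 55),
    Drill("phish-credential", "human", 9, 35),
    Drill("usb-drop", "human", 30, 90),
    Drill("usb-drop", "human", 45, 120),
    Drill("usb-drop", "machine", 5, 60),
    Drill("usb-drop", "human", None, None),      # a drill nobody noticed
    Drill("rogue-admin-login", "machine", 2, 20),
    Drill("rogue-admin-login", "machine", 4, 30),
    Drill("rogue-admin-login", "machine", 3, 18),
]


def _median_mad(values):
    """Median and median absolute deviation: one outlier drill cannot
    drag the baseline the way a mean and standard deviation would."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, mad


def baseline(history):
    """Per scenario: number of drills, miss rate, and (median, MAD) for each
    metric over the drills where it was recorded (None if never recorded)."""
    by_scenario = {}
    for d in history:
        by_scenario.setdefault(d.scenario, []).append(d)
    base = {}
    for scenario, drills in by_scenario.items():
        entry = {
            "n": len(drills),
            "miss_rate": sum(d.detect_min is None for d in drills) / len(drills),
        }
        for m in METRICS:
            vals = [getattr(d, m) for d in drills if getattr(d, m) is not None]
            entry[m] = _median_mad(vals) if vals else None
        base[scenario] = entry
    return base


def assess(drill, base, k=3.0, min_mad=1.0):
    """Gaps for one new drill against the baseline. A metric is a gap when it
    exceeds median + k*MAD; MAD is floored at min_mad so a very tight baseline
    does not flag every small variation."""
    b = base.get(drill.scenario)
    if b is None:
        return ["no baseline for scenario"]
    if drill.detect_min is None:
        return ["not detected"]
    gaps = []
    for m in METRICS:
        value = getattr(drill, m)
        if value is None:
            gaps.append(f"{m} never reached")
            continue
        if b[m] is None:
            continue          # nothing to compare against yet
        med, mad = b[m]
        limit = med + k * max(mad, min_mad)
        if value > limit:
            gaps.append(f"{m}={value:g} exceeds limit {limit:g} (median {med:g})")
    return gaps


def schedule(base, n, seed):
    """Next n scenarios to run: least-exercised first, ties broken by a seeded
    RNG, so coverage stays consistent while the order stays unpredictable."""
    rng = random.Random(seed)
    ranked = sorted(base, key=lambda s: (base[s]["n"], rng.random()))
    return ranked[:n]


if __name__ == "__main__":
    base = baseline(HISTORY)
    for scenario, b in base.items():
        print(scenario, b)
    print("next drills:", schedule(base, 2, seed=2014))
    for d in (Drill("rogue-admin-login", "machine", 12, 25),
              Drill("usb-drop", "human", None, None)):
        print(d.scenario, assess(d, base) or ["within baseline"])
```

The baseline uses median and median absolute deviation rather than mean and standard deviation, so a single unusually slow (or fast) drill does not move "normal" for everyone; a drill that was never detected is reported as a gap in its own right rather than being averaged away, and the miss rate per scenario is kept alongside the timings for the same reason.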
On this Veterans Day 2014, scan the horizon for the organizations that stand out and are remarkable. With the 1% at the helm, in the cockpit or now the HQ Board Room, Operational Risk Management (ORM) is leading the enterprise to victory!

02 November 2014

NewCo: Operational Risk Accelerators...

Operational Risk Management (ORM) is an essential component of any serious business. These are the internal risks you take on when you add people, processes and systems together and then operate in a specific industry or geography. Innovation within the ranks of a new breed of business accelerator has the opportunity to include "Operational Risk Strategy Execution" as a vital mechanism for the growth of the newborn company.

Do you know of a start-up company that is building a product or solution to address one of these Operational Risk categories? The following are the seven event types defined by Basel II, with some examples for each category:
  1. Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  2. External Fraud - theft of information, hacking damage, third-party theft and forgery
  3. Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  4. Clients, Products, and Business Practices - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  5. Damage to Physical Assets - natural disasters, terrorism, vandalism
  6. Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
  7. Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
The start-up phenomenon has taken many metro areas around the United States by surprise.  The typical centers of innovation in Seattle, San Francisco, Los Angeles, Austin, Boston and Washington, DC are now being joined by newcomers such as Cincinnati:
The entrepreneurial world is not an easy one to take on, but for those brave enough to do so, Cintrifuse is here to help. Located in the heart of downtown Cincinnati, Ohio, Cintrifuse acts as a connecter and supporter to create a global destination for entrepreneurial success. 
Cintrifuse connects the region’s high-potential, venture-backable startups to advice, talent, funding, and customers. With over 30 ecosystem partners, 30+ participating local corporations, 75+ mentors and advisors, Cintrifuse leverages the power of its network to serve over 100 startup members and improve their chances of success. 
To amplify the efforts and extend the reach of the entrepreneurial community, Cintrifuse operates a $56MM Fund of Funds, which invests in early-stage venture capital funds both regionally and nationally. The Fund of Funds provides an avenue for corporations and venture capitalists alike to gain further insights into and engagement with the Cincinnati startup community. 
Cintrifuse’s efforts are made possible through support from some of Cincinnati’s most prominent companies.
To connect more than 100 startups with venture capital firms, corporations and service providers, Cintrifuse uses a proven membership model. Entrepreneurs gain access to like-minded, driven and engaged individuals; venture capitalists, business leaders and service providers are introduced to startups on the rise. Grow your business with Cintrifuse by signing up for membership today.
As the focus on innovation continues and NewCos are being formed across the country, these new entrepreneurs need a foundation in truly understanding "Operational Risk Management". Why?

If these new entrepreneurs better understand the core reasons why a business must operate within a universe of Operational Risks, their innovation may adapt. The ideas they have for better managing cyber security, detecting the insider threat or automating continuity of operations planning may change.

Building a new company with an innovative new product also means understanding the problem sets that a much larger enterprise encounters daily. Innovators today sometimes lose sight of the operational risks their products can address once they are installed and implemented in the larger enterprise. A value proposition that addresses the decrease in loss events will soon get the attention of senior management.

What can a business accelerator like Cintrifuse do to make sure that its 100+ new start-ups better understand Operational Risk Management? Perhaps even more importantly, how can their hot new NewCo product fit into the ORM matrix for addressing Enterprise Risk at a Fortune 500 company?

To answer this, look more deeply at the 75+ mentors and advisors Cintrifuse has at its disposal. Has Cintrifuse developed a diagnostic tool to better understand the subject matter expertise of each of those mentors?
  • First, create an inventory of the skill sets and knowledge of these mentors and develop a database for the start-up entrepreneurs, so they can query who is the best mentor for a specific subject or business problem they are encountering.
  • Second, the mentors themselves would need an orientation on how to assist the start-ups in seeing the nexus between operational risk and their own business model.
  • Third, the mentors would demonstrate how the innovations that the enterprise requires have a nexus with the start-ups' products being developed for the mass market.
Remember, ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.
When you scan the companies being accepted into and graduated from the incubators and accelerators across the globe, many have a product that impacts some facet of Operational Risk Management. The mission now is to make sure that those new entrepreneurs discover how their inventions and patents may address real-world scenarios. Look at the current cohort companies at the MACH37 Accelerator in Herndon, Va. as one example:

iAspire 
Eric Whittleton, Cofounder and CEO
Arash Nejadian, Cofounder and CTO 

iAspire is currently addressing the significant pent up demand for fully implemented email encryption in large enterprises by enabling end-to-end encryption that also addresses the need for real-time and in-volume secure email access for forensics, e-Discovery and compliance requirements. iAspire develops standards-based digital key management products that serve as material enablers of the “Trusted Web”. Future products will include additional store and forward applications such as a cloud-based Secure Drop-box as well as mobility solutions.

Virgil Security
Michael W. Wellman Cofounder and CEO
Dmitry Dain, Cofounder and CTO 

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users. Virgil Security’s encryption libraries and services, along with an accompanying public key management infrastructure, ease the pain of developing, deploying, and using strong cryptography. Virgil Security enables a new generation of enhanced privacy and security for applications, cloud services, and the Internet of Things.

FireDrillMe
Marcus Carey, Founder

FireDrillMe provides a SaaS platform that orchestrates cybersecurity “fire drills” on production networks by imitating attackers. FireDrillMe helps organizations train personnel, evaluate products, and refine procedures for incident response.

Syncurity Networks 
JP Bourget, Cofounder and CEO
Ray Davidson PhD, CoFounder
Mike Volo, CoFounder 

Syncurity Networks develops software for Information Security Process Management and Automation focused on Incident Response (IR) incorporating standard IR processes, automated artifact collection, and standardized report generation. Syncurity helps mid-size businesses respond to incidents faster, document lessons learned, and collect metrics for continuous improvement.

SecureDB
Karthik Bhat, Founder and CEO

SecureDB is an encrypted cloud database for storing sensitive customer information such as authentication credentials, PII, PHI and credit card numbers. SecureDB’s cloud based encrypted database and associated APIs will allow enterprises to secure their customer data by providing strong cryptographic protection against unauthorized access.

BiJoTi
Josh Marpet, Cofounder and CEO
Billy Boatright, Cofounder and CMO
Tim Krabec, Cofounder and CTO
Ben Huey, Cofounder and CRO

Compliance requirements are coming downhill to smaller companies, and the bad guys are going after data within companies of all sizes. BiJoTi's turnkey appliance packages the advanced compliance and security benefits that large enterprises enjoy from a dedicated security organization, but at a price that works for small and mid-market businesses.

Cyph
Ryan Lester, Cofounder and CEO
Josh Boehm, Cofounder and COO 

Cyph is a secure messaging app for Facebook users who aren't security experts, but demand a simple way to chat privately with their friends.

As Operational Risk Management is incorporated into the core capabilities of each new entrepreneur's business plan, it will benefit their own launch and better serve their intended customers.

25 October 2014

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation has several outcomes, both economic and personal. The fact is that most of the time organizations are "reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:
  1. What is your reputation worth?
  2. Are you being Proactive or Reactive in managing and safeguarding your reputation?
The PR and marketing communications processes in your organization may hold certain facets of the solution to better reputation risk management. However, these processes are designed without the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become clearer to executives in proactively oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses a theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:
  • Economic Accountability
  • Information Management
  • Business Integrity
Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats to the organization. Several categories include:
  1. Intellectual Property and Information Assets
  2. Demonstrations, planned boycotts and social activism
  3. Physical infrastructure including employees and suppliers
  4. Legal threats including class actions, insider trading or whistle-blowers
Microsoft closed its free Internet chat rooms in 28 countries many years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, it has also opened the door to another, related threat: hackers hijacking other social media accounts.

Organizational Stewardship is a guiding principle. Once it is embedded in the organization it begins to permeate the mindsets of the individuals responsible for the conscious reputation risk management processes. Over time, these individuals help raise the corporate mindset, philosophy and ethics to a new level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

19 October 2014

4GW: Strategic Risk Vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, the West Wing and the PGP keyring. Information assets, and the knowledge that is the key to wealth, are no longer a physical debate. Thomas X. Hammes articulates this in his book, The Sling and The Stone:
Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.
The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another, parallel conflict to keep their Intellectual Property and information-based assets safe and secure from a growing threat spectrum. Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology, and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces available to governments and to marketers. Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey, this 4GW strategy is exactly what this sharing of human knowledge and intelligence is all about. And let's not forget the power of Al Jazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your workforce to compete, on an operational level, with more educated people and superior human capital?

11 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. The human factors will continue to challenge the people tasked with mitigating risks in a Republic with constitutional rights. The United States is one of many countries in the world where employees of governments and private sector institutions must comply with a myriad of laws pertaining to the privacy of the workforce.

The behavioral aspects of humans operating day-to-day in the workplace, whether inside the R&D department at Google or on the 7th Floor at DARPA, carry many of the same risks. When you put an information storage and computing device in their hands, the likelihood of encountering a potential operational loss or failure increases dramatically.

For the past several years, a significant amount of attention has been devoted to the topic of "Insider Threat." In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees' security clearances and backgrounds. A reaction-based effort that would not be out of the ordinary for most organizations protecting national secrets or substantial intellectual property.

This, however, is a small percentage of the overall risk the organization is exposed to every day when that digitally enabled human goes to work. The reason is that the lens currently focused on "Insider Threat" is looking for the next Edward Snowden. This kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings for collaborating with Bernie Madoff. You see, not every human will show behaviors that all of a sudden look out of the ordinary. The person stealing information or manipulating the books will continue to operate within your organization without disclosure.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights an even greater potential loss or failure. "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition 
We recommend the following working definition of UIT:  An unintentional insider threat is: 
(1) a current or former employee, contractor, or business partner 
(2) who has or had authorized access to an organization’s network, system, or data and who, 
(3) through action or inaction without malicious intent, 
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.  
       SEI Insider Threat Team, CERT. Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.
Abstract
This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.
Operational Risk Management is a 24 x 7 x 365 day process that is focused on all humans operating in the ecosystem of the enterprise.  The Edward Snowdens are coming to work today along with their friend Bernie Madoff.  Hiding in plain sight.  Operational Risk Management professionals understand this and operate with the focus on the unintentional consequences of their behavior.

The enterprise that is solely focused on finding the one or two people in several decades of operations will overlook the dozens or hundreds who contribute to a loss of Intellectual Property or a breach. Believe us when we say that indeed the "Spy" and the "Fraudster" will have a much harder time operating each day in an organizational environment that is focused on the UIT.

Countering UIT may seem like something that is already being accomplished, for example in the new hire orientation class or in the remedial information security training that is mandated each year.  Those who perceive it this way are, again, only human.  The behaviors that we bring to work each day about how we treat and handle information are not learned in a single session or a single annual workshop. Learning to behave consistently with sensitive or classified information on a daily basis requires a discipline that few really understand right now.  This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to get that UIT awareness inside every one of your employees, partners and suppliers.  To instill inside them the same diligence in their work processes to Deter, Detect, Defend and Document.  UIT is a major percentage of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization.  More importantly, it is the answer to the other 98% of the losses you will incur this next calendar year.  Think about "Achieving a Defensible Standard of Care."

05 October 2014

1 WTC: Trust Decisions of Technology, Privacy and Rule of Law...

Technology, Privacy and the Rule of Law.  All three are attributes of a robust Operational Risk Management (ORM) system.  The Operational Risk professionals in the critical infrastructure sectors that intersect with personally identifiable information (PII) are experts in the trio of changing technology, new laws and legal decisions, all while preserving the rights of privacy.  Financial services and Healthcare are currently under a significant barrage of attack.

All of these attributes are just small components of a much larger and more complex system.  The pursuit by all parties including consumers, technology innovators and those charged with our legal governance, is attaining a future state where the majority of humans will judge that system as trustworthy.

Trustworthiness begins with the basis by which you engage with a particular system.  Here is a fundamental example.  The trust that you put into the technology on your wrist or hold in your hand requires you to take a leap of faith at first.  Can you believe that the chronometer on an MTM Patriot watch, 132 feet below the surface of the Pacific Ocean while scuba diving, is accurate at 18 minutes 36 seconds?  If you can't trust the accuracy of this system to count minutes and seconds, a life may be in jeopardy from DCS.

An affirmative "Trust Decision" occurs when actions or rules are executed as a result of the system's design or planning.  A decision to ascend from 132 feet to 66 feet at 19 minutes into the dive is a "Trust Decision" leveraging the system programmed to keep accurate time and the diver's planning in advance.

You have come to trust many systems in your lifetime.  Simple computers on your wrist or the complex engineering associated with a BMW, an Apple iPhone 6 or IBM Watson require the human to experience enough favorable outcomes to begin to trust that particular system.  Those positive outcomes for safe and secure highway travel or the end-point IoT device will strive to establish trust over time. Even a single virtual machine (VM) on the massive servers in over 100 Equinix Data Centers across the globe is the basis for your trust, as these particular invisible systems store and retrieve your most personal, sensitive intellectual property.

Think of a specific system that is trusted universally.  Think about all of the computers that support the system.  Each computer has been provided instructions coded in software or firmware.  For the most part, these rules have been programmed by humans.  In many cases, the software has automated a previous system that was manually operated by humans, for decades or longer.  Now this new trusted system is more efficient and the work that it performs saves us time.  It generates economic growth. Eventually, the system becomes trusted by a majority of humans and no one questions the calculus anymore.  Our current banking system in the U.S. is one that is top of mind.

When you have a fusion of Technology, Privacy and the Rule of Law that requires trust, not just by humans but system-to-system, then you must also have something else.  In order for the complete system and all of its attributes to be accepted, adopted, codified, tested, ruled upon, pervasive and universally utilized, it must be trusted by the other "systems" themselves.  Here is another example.

When you look at the architecture of the new "One World Trade Center" (Freedom Tower) scheduled for completion this year in New York City, do you think about:
Structural redundancy, enhanced fireproofing, biological and chemical air filters, extra-wide pressurized staircases, interconnected redundant exits, safety systems encased in three-foot concrete walls, a dedicated firefighter staircase, special "areas of refuge" on each floor.
You should think about it, and so does Skidmore, Owings & Merrill, LLP, the architect of the Freedom Tower.  If only we could utilize this metaphor for what we have learned about the architecture and construction of the new Freedom Tower.  Will you trust 1 WTC as a system?  Why?

The systems talking to other systems in order to design, build and occupy 1 WTC have been vast.  The technology incorporated to satisfy a complex set of business rules, building codes and privacy or security governance is extraordinary. "Trust Decisions" to accomplish affirmative outcomes have been executed for years by Skidmore, Owings and Merrill (SOM) not only in New York but on a global basis.

The trustworthiness of a system goes far beyond just the edifice.  The device.  The packaging.  The marketing.  The brand.  You will always have to look deeper for your "Trust Decisions".  You must discover how these trusted systems are being utilized, to provide you the affirmative economic results you seek.  And without the positive outcome of the creation of new found time or monetary assets, you will then abandon the tool, the machine, the system and simultaneously your trust.

TrustDecisions...

28 September 2014

HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes?  The following areas must be addressed in order to get closer to the truth.
  • Governance
  • Policies
  • Regulatory and Statutory Concerns
  • Civil rights and Liberties
Yet the question begs the discussion on the structure and the purpose of the Intelligence Community (IC) itself. Is a policeman or fireman on the ground in every major city in the country part of the IC? Are they not collectors of Homeland Security Intelligence as they fill out their manual or electronic "Suspicious Activity Reports" (SARs)? If they are, then as a part of the greater HSI mechanism that is deemed collection and not analysis, they too will be subject to the laws of the land regarding privacy and information governance.
Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off into the future. Software systems are getting automated crawlers to pull more relevant OSINT into the databases for unstructured query, yet what about the front line observer who is the witness to an incident? They must process this by interfacing with a paper-based report that is filled in with a #2 pencil, or an electronic form on a PDA to check boxes and select categories that best describe the observed event that risk managers, watch commanders and operations directors need for more effective decision support.
Regardless of how the collector gets the information, it still remains a matter of relevance with other data that already exists in a repository, or the addition of a future data set that suddenly creates a "Red Flag." It isn't until that "Red Flag" indicator goes off that the human analyst can then put grey matter on the issue to determine the relevance at that point in time and the implication of the law, policies and governance. This topic has been addressed in previous posts to this blog.

There are some that would say that the reason why the "Dots are not Connected" sooner, faster or more efficiently is because we are drowning in too much information to analyze. The automation of collection is the easy part. The filtering and pushing of relevancy through the digital cheesecloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis, applying "Gray Matter" to the problem set and understanding the current "State-of-Play," is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28 CFR Part 23, the privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to ensuring our safety and security against threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.
The topic of Homeland Security Intelligence is really about the Information Risk Governance and Consumer Privacy laws that protect us as U.S. citizens. At the same time, these same legal statutes might be the exact balance between what law enforcement and the intelligence community need to do their jobs without infringing on the rights of "John Q. Jihadist."  Here is a great example:

A Saudi student appeared to smile Friday morning as U.S. marshals escorted him to his first federal court appearance on a terror charge.
Khalid Ali-M Aldawsari, 20, stood before U.S. Magistrate Nancy Koenig charged with attempted use of a weapon of mass destruction.
The former Texas Tech student was suspected of purchasing chemicals and supplies to build a bomb and of researching possible targets in the United States before his arrest by federal officials late Wednesday.

Aldawsari came to federal attention after trying to have a large quantity of a suspicious chemical, which has both benign and nefarious uses, shipped to a Lubbock freight address, according to a sworn affidavit by an FBI agent filed in support of the warrant for Aldawsari’s arrest.
Subsequent electronic surveillance led to two secret searches of Aldawsari’s Lubbock apartment, where authorities found a makeshift lab that could be used to make explosives, as well as some of the ingredients and supplies necessary to build and detonate a bomb, according to the affidavit.
E-mails and his personal journal indicated an interest in planning attacks, ranging from an initial desire to start a local al-Qaida-type organization to researching nightclubs as a potential target, according to the FBI investigation.
Homeland Security Intelligence collected from a U.S. domestic chemical company and a freight trucking line, and as a result of legal searches of the suspect's apartment, was all utilized to interdict this potential plot of terrorism in the United States. Effective HSI will determine whether we continue to be as effective in the future. Godspeed to us all....

21 September 2014

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making". This process involves the application of expertise, imagination and conversation, and the benefit of intuition, without systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that when you can't "afford getting it wrong," you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and ongoing criminal enterprise complexities. This is because there are so many possible outcomes, consistent and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with new apps such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free-flowing "unfinished" production, whereby both human intuitions and more formal arguments are posted and then challenged by those with alternative ideas. Indeed, Web-logs are the mechanism for a facilitated contextual dialogue, the electronic equivalent of out-loud sense-making.

On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan?  --"Rethinking 'Alternative Analysis' to Address Transnational Threats," published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern-day era of Twitter, Facebook and "Crowd Sourcing" technologies, perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground-truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? That story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remain endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These respective governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:

  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?
Finally, community-based policing has developed skills in many law enforcement first responders that directly support new counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven and asks the citizens of the community to cooperate when called upon, to be aware of their surroundings and to report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime. Alternative analysis shall remain part of the intelligence tool kit for more formal policy-level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative apps at the fingertips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

14 September 2014

Rule-based Design: The Future of HSI...

Levers in the Homeland Security Intelligence (HSI) ecosystem impact the performance and the health of the environment in which the entities share their respective insights. These HSI entities are people within the analytic ecosystem who are diverse in the art and science they utilize to create and share insight.

The threat to any ecosystem in many cases is "too much" or "too little" of a key element of the environment that makes it thrive. Anything that occurs to offset the equilibrium in the ecosystem can have dramatic effects. What is the greatest killer of human beings on the planet earth over the past few decades? A good guess would be "Drought". Too much sun and too little water have killed millions.

Yet in the context of intelligence, if data is "The Sun" and shared insight is "The Water" then in order to mitigate the impacts of upsetting the equilibrium of our HSI ecosystem a prudent course of action is required. The levers should assist in the governance of the right amount of data and the right amount of shared insights so no one entity is at risk. Now we must examine the topic of "Rule-based Design."

The argument at hand is often that Homeland Security Intelligence analysts are experiencing too much data and not enough insight. They are indeed at the mercy of the compliance and data governance mechanisms that are in place because of the civil liberties, legal framework and privacy statutes across 50 U.S. states. Adding to the complexity are the systems and analytic software solutions that have been developed over the past ten-plus years. The software designers must incorporate "Rule-based Design" if they are to assist in the entire equilibrium of the HSI ecosystem. Jeffrey Ritter explains:
Clearly, for the IT architect, there are lessons to be learned. For each step taken by the IT architect to better account for all of the rules that a solution must navigate, before the design process begins and long before construction of the solution is underway, the IT architect is able to better assure the timely completion of the solution, and the compliance of the systems and resulting data with applicable rules. Yet, even in this second decade of the 21st century, we are witnessing a continued failure of IT systems to be designed for compliance. Time and again, systems are designed, built and implemented without early and complete evaluation of the rules that must be satisfied. The result is that corporations (and their lawyers) are often patching compliance onto the systems after the fact. Expenses are increased, compliance is less assured, and the IT architect often gets stuck with the responsibility.
“Rules–based design” means that IT solutions are designed with a fully-informed awareness of all of the rules, including the legal rules, that the solution and the data must satisfy. With cloud computing, data that is dynamic and volatile, and mobile users, the challenge is genuine – how do we anticipate all of the legal rules that may apply?
The solution will emerge incrementally. But the first step is to accept the principle that IT systems, and their data, can be designed differently. We can take into account prior to the design process, and not after the completion of construction, all of the rules that the systems and the data must successfully navigate.
Now we must examine the "Civil Liberties and Privacy Policy" and the applicability within the Department of Homeland Security.
The Policy applies to “protected information,” which the ISE defines as information about U.S. citizens and legal permanent residents that is subject to information privacy, civil rights, and civil liberties protections required under the U.S. Constitution and Federal laws of the United States. DHS has instituted a policy whereby any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system is treated as a system of records subject to the administrative protections of the Privacy Act regardless of whether the information pertains to a U.S. citizen, legal permanent resident, visitor, or alien. As a result, this Policy also applies to information about nonresident aliens contained in “mixed systems.”
When you combine the complexity of a vast and endless data ecosystem with rule-based design to try to protect the civil liberties and privacy of U.S. citizens, you have the basis for a significant challenge and a simultaneous opportunity. The governance of Homeland Security Intelligence is in the hands of policy makers and software systems designers. The drought metaphor utilized earlier to illustrate the point on "too much data" and "too little insight" can now be clarified in our focus post 9/11. As of this writing, the system is working and has prevented a terrorist attack in the U.S. homeland on the magnitude of that unforgettable Tuesday in September, 2001.

The entities within our Homeland Security Intelligence ecosystem will continue to be enabled or impeded by the policy decisions of civil liberties and privacy laws. The degree to which the software systems and rule-based design are commensurate with these policies may very well determine whether the equilibrium continues its success in the United States.

The levers to improve our HSI in the midst of a dynamic and asymmetric enemy are a constant ambition. Looking into the future, we can only pray our analytic entities execute in an ecosystem that perpetuates our successes so far and minimizes our failures. The governance factors designed by our policy makers and software developers will determine our abilities to save lives and protect our vital national assets for years to come.

11 September 2014

9/11 2014: Never Forget This Anniversary...

On this anniversary of the four terrorist attacks on the United States, September 11, 2001, we pause and remember.  We reflect on where we were at 8:46, 9:03, 9:37 and 10:07AM on that horrific morning, as the two planes crashed into the World Trade Center Towers in New York City, followed by the Pentagon in Washington, DC and a field near Stonycreek Township outside Shanksville, Pennsylvania.

The Islamic State fight continues 13 years later in an arena of global asymmetric warfare.  This includes YouTube videos, Twitter, Special Operators from USSOCOM and other "Quiet Professionals" on the Internet or in the shadows of Istanbul and Cairo that you will never read about.

When any moral person watches the replay of the video news reporting on 9/11, emotions are evident. Telling the story to those who were not born or are too young to remember is imperative.  No different than the importance of other historic events of evil during two World Wars, Vietnam or the continued wars across Iraq, Afghanistan and the Middle East.

Over the past 13 years our lives have been forever impacted in the midst of conflict over religion, real estate and resources.  This is nothing new from a historical perspective until you add the technology components.  The Internet and mobile phone technologies have brought the reporting, intelligence and dissemination of real-time information to us in seconds or minutes.  No longer days or hours.

On this 9/11 anniversary, we can only pray that our humanity endures the kinetic evil and the light speed of digital information that will continue to evolve in the decades and milliseconds ahead of us...

07 September 2014

Cyber Insurance: The Future of Enterprise Risk Management...

There has been great debate over the years on the topic of cyber security insurance to complement a comprehensive Operational Risk Management (ORM) strategy.  Does the existence of a robust Enterprise Risk Management (ERM) program that includes substantial components of Operational Risk benefit the organization in the eyes of the insurer?

Could the Cyber Insurance industry be heading towards a future model for making the case for "Enterprise Risk Management" in the Cyber Risk Space?  As a parallel example, the banking industry requires homeowners insurance before loans are approved.  This is because there are a hundred-plus years of history on fires as a potential threat, and the actuaries know the odds for a loss event, especially with the new building materials and the rules on sprinkler systems in certain areas.

We are getting close to the point where data analytics and the history of cyber attack information will be used to assist insurers in writing a "Cyber Risk policy" based upon your industry sector and geographic location. The data being analyzed now on the banking sector and energy sector is vast and these are just two critical infrastructure sectors that have a long history of being attacked by criminal network bots and also nation states, on an hourly basis.

The U.S. Department of Homeland Security (DHS) has been looking into the multi-factors surrounding Enterprise Risk Management in the context of cyber insurance for the past few years:
Based on what it had learned, NPPD hosted an insurance industry working session in April 2014 to assess three areas where it appeared progress could lead to a more robust first-party market: the creation of an anonymized cyber incident data repository; enhanced cyber incident consequence analytics; and enterprise risk management evangelization.
The evangelization of ERM is vital not only for those Global 500 organizations but also for the INC. 500.  The companies that are the supply chain to the enterprise are even more at risk of attack since they provide an on-ramp for modern malware to seek new vulnerabilities.  These supply chain companies will soon be asked about their Enterprise Risk Management (ERM) program strategies and for good reason.

In order for the Global 500 to continue to have confidence in a robust ERM strategy, they must have ways to validate their own supply chain organizations' maturity in the cyber risk management domain. So what did the participants in the DHS NPPD cyber insurance roundtable in 2014 recommend as elements of a successful ERM program?
Engagement of senior leadership. A reinsurer commented that effective ERM programs must be implemented at the senior leadership level. Specifically, he advised that they should reflect a corporate culture that features cyber-related ERM discussions at all board meetings and that subjects itself to regular oversight – including through periodic internal risk audits and audits by outside, independent organizations.
Engagement of general counsels. A broker described general counsels and chief compliance officers as key players in successful ERM programs and stated that her company’s risk assessment workshops for corporate leaders are always more successful when these leaders are involved.
Engagement of CISOs. An underwriter added that it is similarly valuable to include a company’s CISO in the ERM process – particularly a CISO who understands the role that insurance can play as part of a comprehensive risk management strategy.
Establishing direct lines of communication. A third underwriter asserted that when it comes to cyber security specifically, a company should establish a direct line for ERM reporting to its board of directors rather than a hierarchical chain that requires many approvals before funds can be spent on someone (e.g., outside cyber forensics support) or something (e.g., a new technology) to address a cyber risk or incident.
So what does all this mean, if my INC. 500 company is part of the supply chain of a Global 500 organization?

It means that your ERM program will be under the magnifying glass if not now, very soon.  If you are considered to be a vital supplier to the Global 500 enterprise, then you most likely are cyber-connected for data exchange or even more.  The digital systems level decisions and the speed of business require that you have cyber data handshakes every few minutes or seconds.  The ability for your product or service to perform, requires this high degree of "Trust Decisions."

The time has come for Cyber Risk insurance to mature and to become another standard component in the Operational Risk Management (ORM) portfolio.  We look forward to seeing the language of the policies themselves as they evolve.  Will attribution of the origin of the cyber attack be a factor in a first-party coverage claim?  We think you can count on it...

31 August 2014

HSI Governance: Equilibrium of Privacy and Security...

When people are faced with increasing Operational Risk Management (ORM) uncertainty in their organization, our inherent DNA makes us gravitate towards avoiding new risk at all costs. What any new bold policy shift requires to succeed for the masses is to face risk squarely in the eye and to manage it effectively. This is exactly how many private sector intelligence organizations have evolved and continue to thrive in a vast universe of "Open Source" and Electronically Stored Information (ESI).

The U.S. government "Homeland Security Intelligence" (HSI) enterprise has the same opportunity to embrace risk and simultaneously manage it more efficiently and effectively. Over the course of the past decade, several controversial provisions of the U.S. Patriot Act have been implemented, tested and refined. These include Sec. 203(b) and (d), which allow information from criminal probes to be shared with intelligence agencies and other parts of the U.S. government. Another is Sec. 206, which allows one wiretap authorization to cover multiple devices, eliminating the need for separate court authorizations for a suspect's cell phone, PC and Blackberry, for example. The civil liberties debate centers on Sec. 215, known as the "libraries provision," which allows access to records such as what books were checked out at the library or purchased from a bookstore, as long as the records are sought "in connection with" a terror investigation.

The governance of information by the private sector may have either accelerated or delayed HSI enterprises in terrorism investigations. One example is the set of policies private sector Internet Service Providers use for records management and "Electronically Stored Information" (ESI) readiness. The electronic discovery amendments to the Federal Rules of Civil Procedure (FRCP) have created the requirement for private sector companies to be more prudent in "Achieving a Defensible Standard of Care."

The risk associated with non-compliance with the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. Corporate governance and strategy execution come together in a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. Its mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The evidence obtainable for Homeland Security Intelligence (HSI) investigations may only be as accessible as a private sector company's ESI policies allow. How often does the company purge e-mail from its mail stores? How much storage does the enterprise allow for each person's mailbox? Are people circumventing the information governance policies in the private or public workplace in order to get their daily business accomplished?

The collection of information for HSI has a parallel path with the collection of evidence and it must be done according to the civil liberties and privacy laws of the United States. It is this balance and equilibrium between the governance of information and the legality of obtaining it for the purpose of a terrorism related investigation that brings us to a potential digital paradox.

Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

In Joshua Cooper Ramo's book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It," the author discusses the concept of Deep Security. His analogy for how to think about "Deep Security" is the biological immune system: "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt": being adaptive. However, two other words that precede it are, in our view, even more imperative: Instinct and Identifying. In other words, Proactive Intuition.

Ask any savvy law enforcement investigator or intelligence analyst how she solved the case and you may hear just that: "I had a hunch." Talk with a Chief Privacy Officer at any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems and data networks, and the hundreds of laptops circling the globe with company executives, are enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern Homeland Security Intelligence enterprise or private sector company does not come naturally. You have to work at it, and it requires a substantial investment of time and resources to make it work effectively. Once you realize that all of the legal controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

24 August 2014

Inspect v. Study: Quality of Operational Risk Management...

As this weblog reaches its 1,060th post in the next few months, much has been documented on the course of "Operational Risk" over the past ten years. We have continuously witnessed the dawn of new threats and vulnerabilities that could only have been imagined in the last millennium.

At the same time, we could not have predicted the newfound solutions to many of the same operational risk related incidents that have plagued our institutions, governments and the planet we call Earth. Every time you think you have heard or witnessed it all, and that all future risk events will just be variants of those that have preceded us in history, we are surprised and blind-sided. The "Black Swan" has visited us once again.

Yet one finding remains consistent across risk incidents and numerous after action reports: we have not devoted enough resources to preparation and to scenario-based exercises to improve our resiliency. We remain in denial that we could ever be subjected to the 1-in-100 year event. Meanwhile, Warren Buffett, to this day, is still adding reinsurance companies to the Berkshire Hathaway portfolio. Do you think it is because Mr. Buffett is betting on more risk or less in the world over the next decade?

Risk Managers think about the "What if" more than anyone else, in many cases because they are paid to do this on behalf of their employer. Yet as human beings, we take risks every day without even thinking twice about how much risk we are taking on and what the possible outcomes could be. We just move through life in a wait and see totally reactive mode. So how do you get at least a majority percentage of the people walking around the halls of your organization to think more like a savvy risk manager? What does it take to inject a little more "What if" into the consciousness of each person and the roles and jobs that they play in your institution?

The first step is to design and engineer your management system to incorporate a risk-based standard for operations. The second is to incorporate the applicable risk management controls to produce the rules-based behavior you are adopting. The third is to test the rule-sets with a continuous approach of incremental improvement over time. Sounds familiar, doesn't it? Plan-Do-Check-Act.

Whether you are trying to improve the awareness, implementation and/or measurement of Operational Risk on the deck of an aircraft carrier, at the FOB, on the trading or manufacturing floor, or within the supply chain of the vital resources that fuel your organization, "Plan-Do-Check-Act" (PDCA) works. And you have heard it before: whether those hit by the "Black Swan" event survive or go out of business depends on the attention they have paid over the years to PDCA.


PLAN
Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By making the expected output the focus, it differs from other techniques in that the completeness and accuracy of the specification is also part of the improvement.
DO
Implement the new processes, often on a small scale if possible, to test possible effects. It is important to collect data for charting and analysis for the following "CHECK" step.
CHECK
Measure the new processes and compare the results (collected in "DO" above) against the expected results (targets or goals from the "PLAN") to ascertain any differences. Charting data can make this much easier to see trends in order to convert the collected data into information. Information is what you need for the next step "ACT".
ACT
Analyze the differences to determine their cause. Each will be part of one or more of the P-D-C-A steps. Determine where to apply changes that will include improvement. When a pass through these four steps does not result in the need to improve, refine the scope to which PDCA is applied until there is a plan that involves improvement.


It is clear to the "Operational Risk" professional why PDCA has one little flaw. The "Check" could and should be replaced by "Study" to emphasize analysis over inspection, as Dr. W. Edwards Deming said. To analyze and study takes us to the core of the issue. People are always looking for expected results, not unexpected outcomes. If we are to expect "unexpected" results, perhaps the "Analyze-Study" mindset would then permeate the plethora of risk professionals who are still caught up on the "Check". Inspection will get you killed, and it will produce more "Black Swans" in your lifetime than you would ever expect. Check = Inspection. Study = Analyze.
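To make the Check-versus-Study distinction concrete, here is an added Python example (not code from this weblog) that runs both mindsets over the same PDCA data. The data set is constructed for illustration: twenty invented security incidents from one quarter, each with a category and the hours it took to contain, measured against a PLAN target of 24 hours. The "check" function inspects pass/fail against the target; the "study" function analyzes the shape of the distribution and where the tail comes from, which is what the ACT step actually needs.

```python
"""Check (inspection) vs. Study (analysis) over one quarter of PDCA data."""
import statistics
from collections import defaultdict

# PLAN target: contain every incident within 24 hours (assumed for this example).
TARGET_HOURS = 24.0

# Constructed sample data: (incident id, category, hours to contain).
# These are invented incidents, not real cases.
INCIDENTS = [
    ("INC-01", "phishing", 4.0), ("INC-02", "phishing", 6.5),
    ("INC-03", "malware", 12.0), ("INC-04", "phishing", 3.0),
    ("INC-05", "lost-device", 20.0), ("INC-06", "malware", 9.0),
    ("INC-07", "phishing", 5.0), ("INC-08", "malware", 14.0),
    ("INC-09", "lost-device", 22.0), ("INC-10", "phishing", 2.5),
    ("INC-11", "malware", 11.0), ("INC-12", "phishing", 4.5),
    ("INC-13", "third-party", 60.0), ("INC-14", "malware", 10.0),
    ("INC-15", "phishing", 3.5), ("INC-16", "lost-device", 18.0),
    ("INC-17", "malware", 13.0), ("INC-18", "phishing", 5.5),
    ("INC-19", "third-party", 96.0), ("INC-20", "malware", 8.0),
]


def check(incidents, target=TARGET_HOURS):
    """Inspection: count misses against the target and report a pass rate.

    This is the KPI that ends up on a dashboard. It says nothing about how
    bad the misses were or where they came from.
    """
    misses = [inc for inc in incidents if inc[2] > target]
    return {
        "total": len(incidents),
        "misses": len(misses),
        "pass_rate": 1 - len(misses) / len(incidents),
    }


def study(incidents, target=TARGET_HOURS):
    """Analysis: look at the distribution and the origin of the tail.

    Returns the median of the bulk, the worst case, how far the tail sits
    from the median, which categories produce the misses (with their own
    median), and what share of total containment effort the misses consumed.
    """
    hours = [h for _, _, h in incidents]
    by_category = defaultdict(list)
    for _, category, h in incidents:
        by_category[category].append(h)

    median = statistics.median(hours)
    worst = max(hours)
    # Categories whose worst case exceeds the target, keyed to their median:
    # a category whose median is over target is a systemic problem, not a fluke.
    tail_categories = {
        category: statistics.median(values)
        for category, values in by_category.items()
        if max(values) > target
    }
    over_target_hours = sum(h for h in hours if h > target)
    return {
        "median": median,
        "worst": worst,
        "tail_ratio": worst / median,
        "tail_categories": tail_categories,
        "exposure_share": over_target_hours / sum(hours),
    }


def where_to_act(incidents, target=TARGET_HOURS):
    """ACT step: categories whose median containment time is itself over target."""
    analysis = study(incidents, target)
    return sorted(c for c, med in analysis["tail_categories"].items() if med > target)


if __name__ == "__main__":
    print("CHECK:", check(INCIDENTS))
    print("STUDY:", study(INCIDENTS))
    print("ACT on:", where_to_act(INCIDENTS))
```

On this constructed data the inspection view reports two misses and a 90% pass rate, which most dashboards would render green. The study view shows that those two incidents sit ten times above the median, both come from a single category whose own median is far over target, and together they consumed nearly half of all containment hours in the quarter. The first view suggests nothing needs to change; the second tells you exactly where the ACT step belongs.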

So we think it is safe to say that Warren Buffett is betting on the current trend toward a mentality of inspection rather than study. He is investing in the future of insurance companies needing insurance to hedge their own underwriting failures. Study and analysis are the ingredients of success for the most sought after risk managers on the globe. Unfortunately, too many still have not figured out that "Check" is out and "Study" is in.

The future quality of Operational Risk Management will lie in the hands of practitioners who are analyzing and studying before they apply new changes to gain new improvements. Now think about your organization. Where are the people who are patient? How long do they take to study the business problem or assess the climate you operate in every day? When you find these individuals you need to keep them close and you will soon find that you are well on your way to a more resilient future.