28 January 2012

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us how many people talk about risk management, mitigation and implementing risk controls without any context. In order to truly understand something, you have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk? By that we mean: how likely is it that an individual will do something, or be the target of an incident, that causes irreversible harm to themselves or to the institution during their tenure as an employee? The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive analytics, the processing of information to predict what has a high chance of actually occurring, is a whole other matter. In order to be predictive, you have to have actual experience, and it has to be so innate that it becomes more than just an intuition. Some call it "self-talk" and others a gut feeling, but whatever it is, it got there because of your past experience. If it's more powerful than that, you may be experiencing something we all know as "real fear". When you get that tingle up the back of your neck, you are well beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us judge how likely a prediction is to actually come true:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the preincident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems encountered over the years. What is remarkable is how often we see these elements left out, avoided or simply not used in organizations of all sizes and industry sectors.


It's time that CxO's revisit all of these elements in each of the risk management systems that are in place in their enterprise. From the front door to the intrusion prevention system, in the HR process from interview to termination and from the training room to the board room.

Predictive analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

21 January 2012

Executive Security: Personal Protection Specialist...

In the corporate Protective Security environment, the "Advance Work" will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Details (PSD) realize that the site or lead advance agent can make or break the entire operational risk strategy behind your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on new high-tech tools such as Google Maps or even a Garmin GPS creates a vulnerability at the moment your principal says, "let's change the itinerary" or moves the location of the next meeting. A "15 Minute Map" compiled from a good old-fashioned road atlas can be the low-tech tool that saves lives and prevents chaos.

21st Century Executive Security and modern-day Personal Protection Specialists (PPS) who understand the value of the "Advance" and apply it effectively will continue to keep their principals safe and secure, with a high degree of professional client service. Corporations whose executives must visit critical infrastructure plants or manufacturing facilities, or meet with government officials, in other countries have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly volatile and subject to the political risks and subjective "Rule of Law" of many emerging economies.

Whether it is weapons at close range or at a distance, explosive IEDs or kidnapping plots, today's global and mobile executive is more at risk. Advance Work is the most important and critical aspect of the security operation. Site and route surveys and "eyes on" residences, airports and buildings, including hotels, hospitals, police stations, restaurants and convention centers, are a mandatory component of advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD that the Protective Security Detail agents run during the operation itself. The Principal may be aware of such activity, yet is shielded from any imminent threats, lethal or less than lethal, as the day's agenda unfolds.

What may be more obvious is the PSD's use of "Cooper's Colors":

Using a well-practiced, concrete, formulaic train of thought prevents the hesitation normally experienced when one is under threat of attack or actual attack. This is the purpose of the code: to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself. The way Jeff Cooper explains it is:

  • White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.
  • Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.
  • Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.
  • Red - you are actively defending yourself or others against a threat that has presented itself to you.

It's not just about general awareness, it's about positively identifying potential and actual threats as you go about your daily life. It's this threat identification and acquisition process that is so valuable, and that reduces your response time to those threats if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) become an even more vital asset in the OPS Risk portfolio where the Board of Directors has authorized significant premiums for an executive's kidnap and ransom (K & R) insurance. Why? As with so many aspects of information privacy in our society today, one can only wonder how information leaks from the confines of the corporate enterprise. Operational Risks to and from the people in your organization exist every day. Insuring against losses and protecting against loss events are both imperative. Using the correct strategy, tools and human assets to build the entire security envelope, including the effective use of Protective Security Details, can make all the difference in your organization's deterrence factor.

14 January 2012

Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations who truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management outcomes they receive are in direct proportion to the "Risk Culture Maturity" within the company. This risk culture's maturity is the root cause of why certain kinds of risks exist and of the organization's ability to accept, mitigate or transfer that risk.

A risk culture begins and ends with the human ability to communicate effectively with other humans. The human behaviors associated with communicating risk have everything to do with one person's ability to know the truth and to tell the other, accurately and effectively, what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that, and doing it without fear.

What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision that you will alienate them. The fear that by uncovering a fellow workers risky behaviors to the rest of the team that you will jeopardize the overall mission.

Guess what, people: the ability, or lack of ability, of humans to communicate risk factors to each other truthfully and without fear of judgement or retribution is why you either live or die. This is the reason your organization continues to flourish or rots from the inside out. The risk management environment in your team, unit, office location or FOB has everything to do with communicating the truth in an effective way.

The risk culture problem continues to rear its ugly head time and time again, and it shows up in the published press or in the digital eDiscovery process of modern-day litigation. Look back on almost any loss event of this kind and you will see that it could have been addressed or contained, if only humans had communicated effectively about the risk(s) to themselves personally or to the unit. Whether it be a family, a branch office or an entire agency of government.

The organizations that survive and are able to outperform their competition are those that understand this reality. Leaders who insist that people strip away the fear of judgement, retribution or long-term bias, and communicate the reality of what they truly sense as humans, will be superior. A risk culture that is truly understood, and that simultaneously monitors people's ability to learn from their mistakes, will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of their organization's culture. The fundamental risk to any organization is that leadership does not recognize this and pays little or no attention to the maturity of their culture in dealing with risk and human factors. This begins with the person across the table, by your side in bed or next to you in control of a vehicle, on land, in the air or on the ocean.

It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O. Mother or Father. Managing a culture of communicating the truth and reality without judgement begins the process of building a risk management entity that will not only survive; it will outperform the perceived opposition.

The Quiet Professionals of the Operational Risk Management discipline are enlightened, multi-dimensional individuals, and that requires a brain trust of diverse people with different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution. The root cause of Business Assurance is the Risk Culture.

07 January 2012

PPD-8: Resilience of the Whole Community...

Business Resilience in 2012 will continue to depend on the private sector's ability to withstand the Operational Risks it encounters. The strategy for business assurance will need to be cognizant of the frameworks for preparedness and sustainability set forth by local and federal governments.

This bottom-up approach to achieving "Whole Community" resilience depends upon cooperation, coordination and communication at the citizen, city and county level. In the United States, Presidential Policy Directive 8 (PPD-8) has been put forth as the future baseline for both private and public entities to adopt and implement going forward:

National Preparedness is aimed at strengthening the security and resilience of the Nation by preparing for the full range of 21st century risks that threaten national security, including weapons of mass destruction, cyber attacks, terrorism, pandemics, transnational threats and catastrophic natural disasters.

The National Preparedness System Description is the second deliverable required under Presidential Policy Directive (PPD) 8: National Preparedness. The National Preparedness System Description concisely describes current efforts and how we will build on those efforts, many of which are established in the Post-Katrina Emergency Management Reform Act and other statutes, to build, sustain and deliver the core capabilities needed to achieve the National Preparedness Goal.

Specifically, it identifies six components to improve national preparedness for a wide range of threats and hazards, such as acts of terrorism, cyber attacks, pandemics and catastrophic natural disasters. The system description explains how as a nation we will build on current efforts, many of which are already established in the law and have been in use for many years. These six components include:

  • Identifying and assessing risks;
  • Estimating capability requirements;
  • Building or sustaining capabilities;
  • Developing and implementing plans to deliver those capabilities;
  • Validating and monitoring progress made towards achieving the National Preparedness Goal; and
  • Reviewing and updating efforts to promote continuous improvement.

The six components can be internalized by the citizen, the community and the private sector and incorporated into their own respective operational risk management strategies. The mechanisms for elevating situational awareness have improved dramatically in the years since 9/11. Citizens have prepared their own personal 72-hour kits, business organizations have created awareness programs to heighten their members' planning activities, and cities and counties have trained thousands of volunteers for the Community Emergency Response Team (CERT).

This brings us so close to the goal and yet so far from really understanding where we are weak and where the single points of failure still remain. Think about it. How often has your household, community or business actually tested and exercised its ability to withstand a 72-hour crisis? The odds are you haven't, and without that exercise all your planning and preparedness will never reveal where to improve or what resource investment is required to achieve greater degrees of safety, security and overall resilience.

Ten years after the 9/11 attacks, are our first responders prepared? A new report conducted by Capella University seeks to answer this question.

"To assess our preparedness for another disaster, Capella University partnered with leading national public service and public safety organizations, including the U.S. Council of the International Association of Emergency Managers, the American Public Health Association, the American Society for Public Administration, the Comprehensive Emergency Management Research Foundation, and the FBI National Academy Associates to conduct a nationwide survey of more than 1,000 public service and public safety professionals. We wanted to hear directly from those who would be on the front lines of the next crisis."

Key findings include:

  • 71% believe the United States is better prepared for a terrorist attack today than we were in the days before September 11, 2001.
  • 67% think the federal government and our leaders in Washington, DC, are not giving this issue enough attention.
  • 66% say their governor and state government leaders are not giving this issue enough attention.
  • 69% are worried that the United States will experience another major terrorist attack.

Regardless of the outcomes of this study, each community, state and region will be at a different degree of readiness. Your job, should you choose to accept it, is to figure out where your community is today on the scale below and how to get to the next level:

  1. No Awareness
  2. Denial / Resistance
  3. Vague Awareness
  4. Preplanning
  5. Preparation
  6. Initiation
  7. Stabilization
  8. Confirmation / Expansion
  9. High Level of Community Ownership

Do you think that Houston is more prepared than Denver? Why or why not? Do you think Los Angeles is more prepared than Las Vegas? The degree to which an area has an ongoing perceived threat and vulnerability will in most cases dictate where it sits on the 1-9 scale above.

Ultimately, the United States National Preparedness System's ability to succeed rests on ensuring the whole community has the opportunity to contribute to its implementation and so achieve the goal of a secure and resilient Nation. How often is the private sector the catalyst, or the citizens' community the one asking government to participate in their exercise, as opposed to the other way around?

31 December 2011

OPS Risk 2011: A Year of Living Dangerously...

2011 has been a year of living dangerously. Operational Risks have plagued governments, private sector companies and the citizens of local communities across the globe. The continuous threats from people, processes, systems and external events will become substantially more asymmetric in 2012 and volatility will become the new normal.

As professionals plan and budget for the next annual cycle there will be tremendous debate over where to invest in new mitigation and remediation strategies. The economics of austerity programs now become another threat to consider as infrastructures continue to decay. People are leveraging the power of mobile devices to extend their situational awareness and to wage "Information Warfare" on the brand equity of Fortune 500 companies. Verizon has followed in the footsteps of Bank of America. Ylan Mui of the Washington Post explains:

Verizon backed away on Friday from plans to charge customers a $2 fee to pay their bills online or over the phone after receiving thousands of complaints, the latest victory in a wave of consumer activism that has roiled some of the nation’s largest companies.

The announcement came a day after the fee was made public. Consumer advocacy groups derided the charge as “pay-to-pay.” The fee also caught the eye of Verizon’s regulator, the Federal Communications Commission, which had said it would look into the issue. But it was individual consumers — amped up after battles this year with corporate giants such as Bank of America and Target — that the company said tipped the scale.


Corporate brand managers and CEOs have little tolerance for an erosion in brand equity. This is in contrast to politicians, who continuously operate at an approval rating hovering around 50%. How different the behavior remains in the public vs. private sector. Look for this to change in 2012 as an election year takes hold in the United States.

The systemic impacts from failed banking institutions and nation states will no longer be underestimated. Will the rise of democratic states in the Middle East increase the risk to your organization? Think about the new risks yet to be discovered as a result of the death of Usama bin Laden. al-Qa'ida's so-called new American recruits suggest a pattern to be debated, and include:

  • Omar Hammami
  • Daniel Boyd
  • Carlos Bledsoe
  • David Headley
  • Michael Finton
  • Hosam Smadi
  • Betim Kaziu
  • Terek Mehanna
  • Jaime Paulin-Ramirez

Today's radicalization process is domestic to the U.S. and can take only months. It is decentralized and is taking place on the Internet, not in churches, synagogues, mosques or other locations of religious worship. The face of terrorism has morphed to people born in the USA, educated here and who have never left the homeland. They are invisible.

The number of supply-chain disruptions that occurred over the course of 2011 is undetermined, given the sensitivity of the information and its implications for a business's market share or stock price. Suffice it to say that the cost of the multi-headed hydra unleashed by the Macondo Gulf Oil Disaster is still being calculated, even as new criminal charges are being considered by the Justice Department. Consider some of the insurance industry's scariest risks, from Willis:

In the energy industry, the unthinkable has perhaps already happened: the $40 billion in losses associated with the Macondo well that blew out last year were utterly unprecedented. Most of that risk was uninsured, so the energy market got off relatively lightly in this case. But as the drive to drill wells similar to Macondo continues, the nightmare scenario for the energy market is the “perfect storm” of another blowout of a similar nature combined with a Gulf of Mexico windstorm on the scale of a Katrina, Rita or Ike. That would almost certainly lead to underwriting losses that would be sufficient to prompt a potential capacity crisis.

The point is that the attacks will continue, and the defenses will never be high enough or wide enough to protect your assets from every loss and harm. If this is the case, what have you planned for 2012 that will embody a business resiliency doctrine? Who is your Chief Continuity Officer, and how will they be investing in your continuous survival next year?

Operational Risks in 2012 will trend higher for organizations whose decision makers continue to ignore the factors of resiliency. The mindset associated with resiliency takes the point of view that you will be attacked by cyber marauders, that your supply chain will suffer a catastrophe of epic proportions from a natural phenomenon, and that you will suffer the consequences of significant employee-based litigation. And the list goes on...

Which risk is scariest for your business? Willis's readers answered as follows:

  • Terrorism (14%)
  • Environmental Unknowns (8%)
  • Death of Innovation (8%)
  • Data Breach (8%)
  • Supply Chain Disruption (8%)
  • Not Understanding Risk (8%)
  • Italian Default (7%)
  • Chinese Pandemic (5%)
  • Exploding Health Care Costs (5%)
  • Macondo Mach II (5%)
  • Mass Real Estate Disruption (5%)
  • Systemic Risk (3%)
  • Coal-tastrophe (3%)
  • New Frontiers in Renewables (2%)
  • D&O Insolvency (2%)
  • Middle East Oil Prices (2%)
  • Blackout Britain (2%)
  • Aerospace Fuel Prices (2%)
  • Credit Price Hikes (0%)
  • Solvency II (0%)
  • Obstetrics (3%)

Finally, we want to thank you for raising this blog to the #2 link on Google when searching for Operational Risk and Operational Risk Management. We agree that Wikipedia should remain #1. In 2012, look for more topics and expanded investigative reporting. And one of these days, perhaps it will be time to compile the best of our 1,000+ posts into an e-book for your Kindle.

17 December 2011

Integrity & Ethics: Whistleblower Risk...

Operational Risk Management in your organization may be in need of a more robust awareness campaign. Malfeasance and ethical wrongdoing are continuously perpetuated in the workplace when those who are victims or witnesses refuse to speak up. Many fear retaliation by supervisors or other co-workers. This study emphasizes the issue at hand:

Labaton Sucharow LLP yesterday announced the results of its nationwide Ethics & Action Survey. Conducted by ORC International between November 17-20, the survey questioned 1,000 Americans on their knowledge of wrongdoing in the workplace and willingness to come forward and report it. With significant financial rewards and strengthened anti-retaliation and anonymity protections offered under Dodd-Frank, an overwhelming 78% of respondents indicated they would report wrongdoing in the workplace if it could be done anonymously, without retaliation and result in a monetary award. In fact, more than one-third (34%) of respondents knew about wrongdoing in the workplace. However, 68% were unaware that the Securities and Exchange Commission (SEC) has a new Whistleblower Program designed to protect and reward individuals who report violations of the federal securities laws.

This kind of Operational Risk doesn't have to involve insider trading or the SEC to be an issue. Do you have a controlling boss or a bully in the organization who uses their position of power to get what they want at any cost, or to force you to look the other way? What facts point to their behaviors, and to the actions of others that contribute to a caustic and toxic workplace or further perpetuate the situation? Whether it is your Fortune 500 public company or your tiny 501(c)(3) non-profit does not matter. When over one-third of the respondents to the ORC Ethics and Action Survey know of wrongdoing in the workplace, and most do not know where to report it without retaliation, the culture is broken and in need of repair. The people who have the fiduciary duty to see that this kind of behavior is deterred also have the responsibility to provide the tools and the mechanism for those being victimized, and those observing the malfeasance, to report it anonymously.

So what should you do as an Operational Risk professional to make sure this doesn't happen to the people in your respective organization?  Here is a good start:

Many corporations have internal compliance programs for corporate misconduct. These programs are, in theory, designed to provide an audience for workers who want to report unethical or illegal corporate conduct. Whether to utilize internal compliance reporting procedures is not an easy question to answer. As a general proposition, some believe that where the wrongdoing is pervasive—as in the case of securities fraud—an internal compliance program will not provide an adequate means of redress. Some believe that where the issue involves massive overbilling to the Government, or an allegation that a corporation is receiving significant dollars in unlawful revenue through fraudulent conduct, the internal compliance system will not work.

It is imperative that you also become aware of, and communicate to employees and volunteers, what their rights are outside the formal processes in place within the organization. Sometimes the nature of an ethics violation will not fall easily into a category the internal compliance department handles.

So even "A Decade After the Fall of Enron", the laws and the rules provide only a false sense of security against the corporate and workplace malfeasance that so many U.S. citizens are subjected to on a daily basis. And based upon the current state of play around the Beltway in Washington, DC, you can expect coordination and cooperation among enforcement agencies to keep increasing:

The increased collaboration among the alphabet soup of enforcement and regulatory agencies is also due to a collateral effect of the current financial crisis: declining agency budgets. In the current downward budget cycle, agencies are working in concert more than ever before. This trend is exacerbated by a change in the mission of the FBI in the post-Sept. 11, 2001, world, shifting resources to counterterrorism and creating a need for other agencies to play an increased role. The overarching lesson from this increased collaboration is clear: Gone are the days that inside or in-house counsel can assume that the state or federal agency with whom they are dealing is acting alone; it is increasingly likely there are additional state or federal agencies involved, resulting in overlapping criminal, civil or regulatory exposure.

If you hold the position of Senior Operational Risk professional in your organization, the topic of wrongdoing in the workplace cannot be overlooked any longer. It is not too late to create a "Defensible Standard of Care" and to turn the word "Integrity" into a cultural pursuit for all to aspire to, before it is too late.

10 December 2011

4D: A Risk Strategy for Business Survival...

Executive Summary

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a "4D" risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets in order to determine which are the most valuable in the eyes of your adversary. You must make it increasingly difficult for these valuable assets to be attacked, or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers take on their quests or objectives for several key reasons: financial gain, political gain, damage, or the simple challenge, status or thrill. It's your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

Lesson 2 – Detect

The Mission

Detect the use of tools by the attackers. These tools are what they use to find and exploit vulnerabilities within and throughout the organization. They include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools and data taps. Some are high-tech, and many are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:

  • Design
  • Implementation
  • Configuration

The Take Away

Just about any significant business disruption can be traced back to the fact that the attacker was able to exploit the organization's defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of those tools. Whether it's the surveillance of an individual or of a facility. Whether it's the design of the building or the software code for the e-commerce system. Whether it's the implementation of security cameras or the firewall. Whether it's the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attacker's tools and their methods for exploiting your vulnerabilities.

Lesson 3 – Defend

The Mission

Defend the target from any actions by the attacker's tools. Targets may include a person, facility, account, process, data, component, computer, intranet network or the Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

The Take Away

In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single points of failure lie and where the attacker is going to successfully exploit a vulnerability you didn't know existed.

Lesson 4 – Document

The Mission

Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:

  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

In order to recognize that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough, and across the potential targets the attacker is trying to exploit, you stand a far better chance of recognizing an unauthorized result the moment it takes place, rather than weeks later in a forensic review.
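The following is an added example and not code from the original post. It ties Lessons 2 through 4 together in one small piece of Python: a "normal" period of connection-log lines is documented as a baseline (which (source, destination, port) triples were ever allowed, and the per-minute rate for each source/destination pair, counting quiet minutes as zero), and a later minute of traffic is then mapped onto the post's own action categories (scan, flood, probe) and its unauthorized result "Increased Access". The log format, the host names, the thresholds and every log line are constructed for the example; real firewall or proxy logs would need their own parser and thresholds tuned against your own documented baseline.

```python
"""Document the normal, then flag what departs from it.

Added example, not code from the original post. The log lines are
constructed; the format is assumed to be
"<minute> <src> <dst> <dport> <allow|deny>", one line per connection attempt.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Thresholds are assumptions for the example, not figures from the post.
SCAN_PORTS = 5     # distinct ports on one host, from one source, in a window
SWEEP_HOSTS = 4    # distinct hosts on one port, from one source, in a window
FLOOD_SIGMA = 3.0  # window count above baseline mean + k * stdev is a flood

# Constructed "normal" period: ten minutes of routine traffic.
BASELINE_LOG = (
    [f"{m} ws1 db1 5432 allow" for m in range(10) for _ in range(2)]
    + [f"{m} ws1 web1 443 allow" for m in range(10)]
    + [f"{m} ws2 web1 443 allow" for m in range(10)]
)

# Constructed suspect minute: a port scan, a flood and a lone probe.
SUSPECT_LOG = (
    [f"11 ws2 db1 {p} deny" for p in (22, 23, 80, 443)]
    + ["11 ws2 db1 5432 allow"]            # scan that ends in access
    + ["11 ws1 db1 5432 allow"] * 9        # several times the normal rate
    + ["11 ws3 web1 8443 deny"]            # a single unexplained touch
)


def parse(lines):
    """Turn log lines into (minute, src, dst, dport, outcome) tuples."""
    events = []
    for line in lines:
        minute, src, dst, dport, outcome = line.split()
        events.append((int(minute), src, dst, int(dport), outcome))
    return events


def build_baseline(events):
    """The 'normal' the post asks you to document: which (src, dst, port)
    triples were ever allowed, and the per-minute rate for each (src, dst),
    counting quiet minutes as zero so silence is part of the record."""
    allowed = {(s, d, p) for _, s, d, p, o in events if o == "allow"}
    per_minute = defaultdict(Counter)
    for m, s, d, _, _ in events:
        per_minute[(s, d)][m] += 1
    minutes = max(m for m, *_ in events) + 1
    rate = {}
    for pair, counts in per_minute.items():
        series = [counts[m] for m in range(minutes)]
        rate[pair] = (mean(series), pstdev(series))
    return {"allowed": allowed, "rate": rate}


def classify(baseline, window):
    """Map one minute of events onto the post's action categories
    (scan, flood, probe) and its unauthorized result 'increased access'.
    Returns a list of (kind, src, target, detail) tuples."""
    findings = []
    by_src = defaultdict(list)
    for ev in window:
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        per_dst = Counter()
        for _, _, dst, port, _ in evs:
            ports_per_host[dst].add(port)
            hosts_per_port[port].add(dst)
            per_dst[dst] += 1
        scanned = set()
        for dst, ports in ports_per_host.items():      # many ports, one host
            if len(ports) >= SCAN_PORTS:
                scanned.add(dst)
                findings.append(("scan", src, dst, sorted(ports)))
        for port, hosts in hosts_per_port.items():     # one port, many hosts
            if len(hosts) >= SWEEP_HOSTS:
                scanned.update(hosts)
                findings.append(("scan", src, port, sorted(hosts)))
        for dst, n in per_dst.items():                 # far above normal rate
            if dst in scanned:                         # the scan explains it
                continue
            mu, sigma = baseline["rate"].get((src, dst), (0.0, 0.0))
            if n > mu + FLOOD_SIGMA * max(sigma, 1.0):
                findings.append(("flood", src, dst, n))
        seen = set()
        for _, _, dst, port, outcome in evs:           # triples never documented
            triple = (src, dst, port)
            if triple in baseline["allowed"] or triple in seen:
                continue
            seen.add(triple)
            if outcome == "allow":
                findings.append(("increased_access", src, dst, port))
            elif dst not in scanned:
                findings.append(("probe", src, dst, port))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in classify(base, parse(SUSPECT_LOG)):
        print(*finding)
```

Two design points matter more than the thresholds. First, the baseline records allowed triples, not just hosts, so a connection that the firewall permits but that the documented normal never contained (ws2 reaching the database port) is reported as increased access even though nothing was denied; that is exactly the "unauthorized result" the lesson describes, and it is invisible to a denial-only alert. Second, quiet minutes are stored as zeros, so the rate baseline reflects the real distribution rather than only the busy minutes; without that, the flood threshold would be inflated and a burst would look ordinary.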

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is" begins with effective documentation and analysis. Many organizations begin to document long after it is too late, or only as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.

Conclusion

A "4D" Risk Strategy for Business Survival is only effective if it operates on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization, internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination of deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready to move on to a new and less formidable adversary.

Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These "4D" lessons should put you on the way to creating a more survivable business.