28 July 2014

Global Pulse: Resilience in Development...

The asymmetric threats cast upon the private sector on a daily basis across the globe are rising and growing more complex.  As a result, Operational Risk Management is a discipline that has quickly matured in the past decade.

Today, as we embark on this blog post number 1060 we can reflect on our amazing journey.  When you search Google from our location on "Operational Risk Management Blog" this blog is the number 1 link.

This endless journey encounters new insights and has traversed industry sectors to include financial services, energy, automotive manufacturing, aerospace, defense industrial base, pharmaceuticals and government both local and federal.  It has involved the following four fundamental principles of ORM:
  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.
Whether the oversight and pursuit encountered the risks of fraud, economic espionage, workplace violence, natural disasters, terrorism or cyber vulnerabilities does not matter.  The threats and hazards that span the spectrum of Operational Risks to the enterprise are vast and increasingly diverse.  The discipline continues the quest to improve and to learn new lessons from both the private sector and government.  Now both of these need to also include a third dimension that is evolving and could be the place to look for real innovation: Non-Governmental Organizations (NGOs).

The NGO community is the environment that has now gone beyond response and is finally becoming more predictive:
Global Pulse is a United Nations initiative, launched by the Secretary-General in 2009, to leverage innovations in digital data, rapid data collection and analysis to help decision-makers gain a real-time understanding of how crises impact vulnerable populations. Global Pulse functions as an innovation lab, bringing together expertise from inside and outside the UN to harness today’s new world of digital data and real-time analytics for global development. The initiative contributes to a future in which access to better information sooner makes it possible to keep international development on track, protect the world’s most vulnerable populations, and strengthen resilience to global shocks.
There are plenty of situational awareness analogies that can be made to the risk management of vital private sector or government assets over the years.  Predictive operations have been evolving for years with the goal of preemptive capabilities to detect an attack on a Homeland.  The analysis of information from disparate sources is nothing new.  Link analysis and other methods of qualitative and human factors analysis give us the cues and clues to a possible evolving pattern of human behavior.

Yet what is fascinating now about the NGO perspective is the intersection of Big Data and the mobile phone:
Wherever people are using mobile phones or accessing digital services, they are leaving trails behind in the data. Data gathered from cell phones, online behavior, and Twitter, for example, provides information that is updated daily, hourly and by the minute. With the global explosion of mobile phone-based services, communities all around the world are generating this real-time data in ever-increasing volumes. These digital trails are more immediate and can give a fuller picture of the changes, stressors, and shifts in the daily living of a community, especially when compared with traditional indicators such as annual averages of wages, or food and gas prices. This is especially crucial during times of global shocks, when the resilience of families and their hard-won development gains are tested.
These global shocks, whether economic, geopolitical or a result of climate change, are at a macro level nothing more than environmental volatility.  This volatility in markets, government leadership, religious conflict and drought is what is driving the NGO development community to be more predictive and more preemptive.

In concert with this focus on predictive intelligence is the initiative "data philanthropy".  How can the data sets from our respective countries be shared to work on the really hard global problems together?  Open Data Sites is just the beginning.  You have to make sure that you recognize the attributes of "Big Data for Development" vs. the private sector or purely government:
Big Data for Development sources generally share some or all of these features: 
(1) Digitally generated – i.e. the data are created digitally (as opposed to being digitised manually), and can be stored using a series of ones and zeros, and thus can be manipulated by computers;
(2) Passively produced – a by product of our daily lives or interaction with digital
(3) Automatically collected – i.e. there is a system in place that extracts and stores the relevant data as it is generated;
(4) Geographically or temporally trackable – e.g. mobile phone location data or call duration time;
(5) Continuously analysed – i.e. information is relevant to human well-being and development and can be analyzed in real-time;
What if the private sector and the government started looking through a different lens?  Or perhaps the other way around.  Is the NGO development community capable of learning from the mistakes with data that intersect with privacy and national intelligence?  Operational Risk Management is just as much an imperative in the NGO environment, as we evolve in the integration of Big Data for global humanitarian initiatives.

When you really look at the opportunity and the challenge ahead, you must consider this intersection of data today in context with where development is still in its infancy.  Look at this visualization of Google search volume by language.  Notice the darkest parts of the planet Earth.  These are where the NGO community lives today, with little access to the Internet, regardless of language.  The human resilience factor necessary to evolve in these non-connected IP (Internet Protocol) deprived areas of the world, must be addressed as we aspire to become more predictive risk managers.

20 July 2014

Predictive Intelligence: Data or Precogs...

The term "Predictive Intelligence" has been around for a few years, born from the marketing collateral of the Business Intel (BI) vendors. Essentially, get a whole bunch of GBs of historical data and then use some new tools to mine it for so-called insight. The question is, why is this predictive intelligence and not just more "Information"?

Now introduce the nexus of "Human Factors": the unexplained behavior of people influenced by environment, interaction with other people or even the substances people put inside their body. Whether it's the coffee kicking in, the hangover from last night's Monday Night Football party or the latest argument with your spouse, it influences your perceptions of information.

Christian Bonilla may be on to something here:
Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes.
What does the fusion of human factors have to do with predictive intelligence? That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report. Many aspects of the original Philip K. Dick story were adapted in its transition to film that was filmed in Washington, DC and Northern Virginia. Is it possible to predict someone's future behavior even before they commit a crime or become violent?
Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".
Cruise plays the role of John Anderton, who is part of the experimental police force known as "Precrime." Clairvoyance and precognition, and their use for predicting future events, have many skeptics. A related term, presentiment, refers to information about future events which is said to be perceived as emotions.
Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future. Based upon the recent global events that missed the forecast of economic implosion based upon historical data, maybe it's time to start introducing more human factors to the equation.

The interviews with people who have gone on record to predict a future historical event will probably be right at some point in time. How long will you be around to wait? The demise of General Motors and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere. The point is that you have to have context and relevance to the problem being solved or the question being asked.

Predictive analytics extracts information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting it to predict future outcomes. Is it possible that there was and is too much reliance on the numbers and not enough on people's intuition?

This blog has documented the "11 Elements of Prediction" in the past. Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and numbers. Effective execution of both will provide corporate management the situational awareness they seek within the time line they wish.

13 July 2014

ID Analytics: Risk of the Unknown...

Operational Risk Management (ORM) has been at the top of the news in the past few weeks.  Digital media and the metadata of "Big Data" is the topic of choice.  It is a revealing look behind the curtain of what is possible these days, with the tools and capabilities that exist for exploitation and analysis.  Is too much privacy an operational risk to your personal and professional well being?  What "Trust Decisions" did you make to arrive on this page in the universe of the Internet?

In the spirit of full disclosure, if you are reading this now, we tracked how you found this blog and perhaps what search terms you used to be referred here.  Some of you revealed your company identity. So why do we do this?  The main reason is that we want to make sure that we understand what is on your mind these days, when it comes to the global Operational Risk Management (ORM) universe. Here are a few examples in the past day or so that caught our eye:
  • management of operational risk - Latvia
  • operational risk management - Nigeria, Illinois, South Dakota, The Vanguard Group
  • common board of directors mistakes - Turkey
  • lessons learning from fail in operational risk - Malaysia
  • predictive intelligence - North America
  • rogue trader operational risk - United Kingdom
  • fund industry operation management discussion topic - Luxembourg
  • operational risk management game - Unknown
  • reputation risk management process - Unknown
  • operational risks in bank call center - Qatar
  • coso definition of operational risk - Unknown
  • black swan incident that occurs once in a lifetime - Unknown
  • ubs operational risk case analysis - Unknown
  • business resiliency definition - JP Morgan Chase
  • "operational risk" outliers - France
  • a risk effect on a daily operation - DeVry
  • examples of smart objectives risk - United Kingdom
  • black swan incident\ - South Carolina
  • black swan incident - Computer Sciences Corporation
  • what is a black swan incident - South Carolina
  • duty of care board of directors - United Kingdom
Collection of data is one thing.  Relevance and sense-making is another.  Can you imagine some of the search terms that are tracked just by Google or Bing?

What about the companies that know us the best?  Those marketing and personal data sites that keep track of where you live, how much you spend on your credit cards and where, or even the name of your pets.  How often do you give them your phone number or e-mail address at the point-of-sale (POS) to get a discount at the local retailer, gas station or pharmacy?  Believe us when we say that there are hundreds of organizations that know more about you in the private sector than some government across the world.

The trail of "digital fingerprints" you leave behind every day is vast.  A snapshot of your face at the local ATM or a snapshot of your desktop when you log in to the online banking web site.  In either case, these examples are just a few of the ways that your habits, locations, preferences and lifestyle are profiled each and every day.  Where did all of this begin?  Fraud Management.  Not Homeland Security.

As a citizen traveling across the country or a consumer, you willingly give up these digital bread crumbs of your journey through life.  Your goal now, is to make sure that you are not mistaken for someone else.  After all, you or your organization have developed a profile and a reputation that is being recorded and therefore, it could be a prudent strategy to make sure that you are not mixed up with another person or organization with the same name or brand identity.

How can you do this?  Operational Risk Management (ORM) is about monitoring yourself and your organization to make sure you understand your competition (good or bad) for the same personal or business identity space.  Do you have Biometric and DNA samples of all of your key executives?  If you don't, then the question is why not?  You may have considered this in light of some of the places that your executives are traveling.  Cities and countries across the globe with the risk of kidnapping, improvised explosive devices (IED) and other risks to their lives.

As we look into the crystal ball of our digital futures, we see the scenes from movies past that have already captured our own human imagination.  A world where everyone is known and you may even choose to "opt-in" to be tracked.  After all, you are unique.  You make your own choices in life.  The risks that you face may very well be greater, for those who choose a life to remain private, anonymous and even unknown.

06 July 2014

4th of July: Resilience of Your Team...

The United States is celebrating the birth of the American nation this weekend.  238 years ago the formation of the Republic set the course for the country that it is today.  The Declaration of Independence was born.

A key aspect of any prudent Operational Risk Management (ORM) program is focused on people: the risk of people and the whole dynamics of what is going on in people's lives.  As Thomas Jefferson, John Adams, Ben Franklin, Robert Livingston and Roger Sherman toiled over the draft, what do you think was also going on in their individual lives at the time?
While political maneuvering was setting the stage for an official declaration of independence, a document explaining the decision was being written. On June 11, 1776, Congress appointed a "Committee of Five", consisting of John Adams of Massachusetts, Benjamin Franklin of Pennsylvania, Thomas Jefferson of Virginia, Robert R. Livingston of New York, and Roger Sherman of Connecticut, to draft a declaration. Because the committee left no minutes, there is some uncertainty about how the drafting process proceeded—accounts written many years later by Jefferson and Adams, although frequently cited, are contradictory and not entirely reliable.[62] What is certain is that the committee, after discussing the general outline that the document should follow, decided that Jefferson would write the first draft.[63] The committee in general, and Jefferson in particular, thought Adams should write the document, but Adams persuaded the committee to choose Jefferson and promised to consult with Jefferson personally.[2] Considering Congress's busy schedule, Jefferson probably had limited time for writing over the next seventeen days, and likely wrote the draft quickly.[64] He then consulted the others, made some changes, and then produced another copy incorporating these alterations. The committee presented this copy to the Congress on June 28, 1776. The title of the document was "A Declaration by the Representatives of the United States of America, in General Congress assembled."[65]
The ecosystem of this set of committed custodians of a new nation also included the personal lives of each one of them.  No different than the ranks of any organization who has executives and key staff members who are steering the daily direction of the enterprise.  Each individual on that team has a work life and a personal life they are managing simultaneously while doing the work of the country or the corporate business.
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness, That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.
So think for a minute about your team within the enterprise.  Each person on your staff or within your division is managing and coping with life events that are occurring in real-time each day.  How much are you in tune with all those emotions and potential changes in a fellow employee's life, to see how it may impact their work?

Organizations across the globe utilize Operational Risk Management (ORM) as a discipline for those safety and security events that could produce significant risks.  The same can be applied to each person and their individual ecosystem.  Each person on the team may be in different phases of their lives and need only a few pieces of the entire ORM mosaic for their personal lives.  Contingency planning however is still one of those easy exercises that most people can do on their own and in their own personal environments.

The power of the "What if" questions that you ask yourself on a daily basis is a healthy way to begin and to continuously provide effective Operational Risk Management (ORM) outcomes.  "What if" you developed an ORM college within the enterprise to educate all new and existing employees with the skills, knowledge and capabilities available to them?  As they say "Life Happens."  Each person shall have an ecosystem of both personal and professional risks that they are encountering every day.

It could be imagined that people such as Ben Franklin had a few other items on their minds at the time.

The person to your right and to your left on the front lines of the organization, who you engage with every day, has their own set of risks to manage in life.  A strategy for each individual to better plan, develop and deploy effective risk management individually provides the entire team with the focus they require long term.  They have been trained on using the effective continuous process for ORM:
  • Identify
  • Assess
  • Decide
  • Implement
  • Audit
  • Supervise
Imagine your organizational unit, whether it be Congress, your Family, your work out partners at Pilates or the entire executive staff all in synchronicity, with the use of Operational Risk Management. The principles of enhancing your life or your country will require a life long devotion to the rules and to the risks to a breakdown in rules of governance.  Personally or professionally.

Consider the peace of mind as your country endures the challenges to its "Declaration of Independence" and knowing that it has a longevity of 200 plus years.  Think about the confidence and the assurance you will have about your team or family unit as each of them manage their life events and risks.  The resilience factor is strong and the safety and security of the people you care about the most will endure.

29 June 2014

Trust Decisions: The Risk of a Digital Supply Chain...

Are you a business that is operating internationally?  What components of Operational Risk Management (ORM) currently intersect with your international business operations?  The safety and security of your employees who travel into countries with unstable political elements are no doubt of immediate concern.  There may even be a heightened sensitivity about whom your international business executives are meeting with and the tremendous U.S. rule-base associated with OFAC, as one example.

Fortune 500 organizations are all too familiar with these concerns, as major players in international business. The Chief Security Officers (CSO) and other key executives charged with the safety, security and integrity of employees, are focused on those who are traveling and meeting across the globe.  This is considered ORM 101.  This facet of ORM is quite mature and familiar to the Board of Directors who are charged with the Enterprise Risk Management (ERM) of the company.

What is growing more pervasive and continues to plague organizations doing business internationally is the risk of a Digital Supply Chain: trusted information and the confidentiality, integrity and assurance of data.  The "Genie" is out of the bottle and even the most mature and risk-averse global organizations are continuously barraged by sudden incidents that interface with privacy and security of information.

Here is a recent example:
After a public comment period, the Federal Trade Commission has approved final orders that settle charges against 14 companies for falsely claiming to participate in the international privacy framework known as the U.S.-EU Safe Harbor. Three of the companies were also charged with similar violations related to the U.S.-Swiss Safe Harbor.
The FTC previously announced the settlements in January, February and May of 2014 with the following companies: 
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
Consumers who want to know whether a U.S. company is a participant in the U.S-EU or U.S.-Swiss Safe Harbor program may visit http://export.gov/safeharbor to see if the company holds a current self-certification.
So what is the real underlying issue here?  It is about "Trust Decisions".

These organizations were representing themselves as compliant with a U.S.-EU framework designed and established to protect their constituents, under the jurisdiction of the Federal Trade Commission (FTC).  The decisions to trust these organizations by an individual or business, regarding the perception that they are in compliance with a framework for privacy and security, is what is true.

How often have you ever made a "Trust Decision," based upon your knowledge that a business is displaying an official seal, mark or a sign that your information is safe and secure?  There are dozens of high profile companies operating across the globe that are in the business of selling "Trust".  Symantec, TRUSTe and GeoTrust to name a few.  The reason that a business buys one of these trusted seals or marks is because it wants to increase its perception of trust, to the consumer or business that it is engaged with to transact business.

The business wants to display that they are compliant with the particular laws or rules associated with their industry or country.  It wants to create a sense of business assurance or peace of mind for the buyer of their products or services.  When you use one of these seals to assist in making an affirmative "Trust Decision" based upon the display of one of these badges, marks, signs or even special symbols or colors, you as the consumer still assume the unknown risks.  So what?

So how many consumers on a daily basis do you think visit this web site to get their free annual credit report? https://www.annualcreditreport.com/index.action

This is the official web site advocated by the U.S. Federal Trade Commission (FTC) for consumers to get a free annual credit report in compliance with Fair Credit Reporting Act (FCRA).  When you visit this site, you see that the URL displays a green padlock and the https: designating that the site is using secure protocols to transmit your Personal Identifiable Information (PII).  Or is it?

When you test the Annual Credit Report web site with an SSL security test service run online by Qualys SSL Labs, https://www.ssllabs.com/ssltest/, this is their rating of the security of Annual Credit Report.com as of 6/28/14:

[SSL Labs rating graphic: Overall Rating, Protocol Support, Key Exchange, Cipher Strength]

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server is not vulnerable to the Heartbleed attack.

Q: What information do I need to provide to get my free report? 
A: You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.
On a daily basis, humans are subjected to signs, marks, badges and other indicators that help them make more informed affirmative "Trust Decisions".  Whether it is the "Green Light" at the local intersection or the "Green Padlock" on the web site where we are being asked to give up our Personal Identifiable Information (PII).  The regulatory and private entities that are tasked to ensure that the signs, marks, badges and even colors are in compliance, must also look to their own level of trust of their Digital Supply Chain.
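
The padlock only shows that some encrypted session was negotiated; the findings quoted above are about which protocol versions and key exchanges the server will accept. The following is an added example, not part of the original post or of the Qualys service, for checking an endpoint your own organization operates. The function names and sample results are assumptions made for illustration, and it goes slightly beyond the 2014 report by including TLS 1.3.

```python
import socket
import ssl

# Versions this client can attempt. SSL 2 and SSL 3 are absent because current
# Python/OpenSSL builds can no longer speak them; a dedicated scanner is needed
# to test for those.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def probe(host, port=443, timeout=5.0):
    """Attempt one handshake per protocol version.

    Returns {version label: negotiated cipher name, or None if the handshake
    failed}. None can also mean the local OpenSSL policy refused the old
    version, so confirm legacy results with a second tool.
    """
    results = {}
    for label, version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Protocol support is being measured here, not certificate validity.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            results[label] = None
    return results


def is_forward_secret(cipher_name):
    """True if the OpenSSL cipher name implies an ephemeral key exchange."""
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral keys.
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def assess(results):
    """Turn probe() output into findings worded after the report quoted above."""
    accepted = {label: cipher for label, cipher in results.items() if cipher}
    if not accepted:
        return ["no handshake completed; nothing to assess"]
    findings = []
    if "TLS 1.2" not in accepted and "TLS 1.3" not in accepted:
        findings.append("only older protocols accepted (no TLS 1.2 or later)")
    for old in ("TLS 1.0", "TLS 1.1"):
        if old in accepted:
            findings.append(f"{old} still accepted")
    # Judged on the cipher negotiated with this client, not the server's full list.
    weak = sorted(label for label, c in accepted.items() if not is_forward_secret(c))
    if weak:
        findings.append("no forward secrecy negotiated on: " + ", ".join(weak))
    return findings


# Constructed probe results for illustration (not measurements of any real site).
LEGACY_ONLY = {"TLS 1.0": "AES128-SHA", "TLS 1.1": None,
               "TLS 1.2": None, "TLS 1.3": None}
MODERN = {"TLS 1.0": None, "TLS 1.1": None,
          "TLS 1.2": "ECDHE-RSA-AES128-GCM-SHA256",
          "TLS 1.3": "TLS_AES_256_GCM_SHA384"}

if __name__ == "__main__":
    for name, sample in (("legacy-only", LEGACY_ONLY), ("modern", MODERN)):
        print(name, assess(sample))
```

To run it against a host you are responsible for, pass the result of `probe("your.host.example")` to `assess()`.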

This is just one glaring example of why "Trust Decisions" are so vital to online global e-commerce.  It is also a wake-up call for any organization that is advocating trust by using a digital third party that the consumer relies on every day.  However, the FTC and other government agencies rely on private sector companies to assist them in outsourced services such as hosting Annual Credit Report.com.  The site is hosted by:

IP Location: United States - Massachusetts - Cambridge - Akamai Technologies Inc.

How confident are you that your organization's digital supply chain is ensuring safe and secure "Trust Decisions" for your customers?

22 June 2014

Asymmetric Warfare: Board Room to Battlefield...

The planet Earth is experiencing a multitude of historical and 21st century "Asymmetric Wars" from the Board Rooms of the Global 500, Internet Cafes of Third World countries and the Miranshah.

Operational Risk Management (ORM) doctrine will continue to be a factor:


  [ey-suh-me-trik, as-uh-]
not identical on both sides of a central line;
"Asymmetric warfare" can describe a conflict in which the resources of two belligerents differ in essence and in the struggle, interact and attempt to exploit each other's characteristic weaknesses. Such struggles often involve strategies and tactics of unconventional warfare, the "weaker" combatants attempting to use strategy to offset deficiencies in quantity or quality.[1] Such strategies may not necessarily be militarized.[2] This is in contrast to symmetric warfare, where two powers have similar military power and resources and rely on tactics that are similar overall, differing only in details and execution.
The Irish Republican Army (IRA) perfected the car bomb against the British.  Now "Improvised Explosive Devices" (IED) and suicide bombers continue to be the single greatest threat to U.S. troops in Afghanistan as we withdraw and in Iraq as we engage once again. The Middle East has been embroiled in conflicts with the modern use of "Social Media" and an asymmetric rebel element to initiate change in labor laws or to overthrow a nation-state's leadership.

A layman may not understand the relevance of "Asymmetric Warfare" on the corporate battlefield. Some would describe the age-old tactic of industrial espionage, competitive intelligence or even patent litigation as a method for a small unknown company to gain an advantage over a much larger and established institution. This is a strategy of Asymmetric Warfare, nothing new. In any case, the perception is that the small and agile still have the means, tools and tactics to defeat the large and overbearing with the benefit of time, resources and the will of the people.

So what are some good examples of modern day asymmetric conflicts:
  • Apple vs. Google
  • NATO vs. Putin
  • Sunni vs. Shiite
  • BMW vs. Jaguar
  • Earth vs. Anonymous
  • Taliban vs. Afghans
  • United States vs. Jones
Each of these represents a conflict between two able parties, regardless of the perception of who is the "David" and who is the "Goliath". So what can your organization or nation-state do to prepare yourself for the inevitable risks that will be associated with doing business or operating your enterprise across countries and in hostile environments? By providing your employees and stakeholders the best education, research, training and exercise programs; technology test and evaluation and capability improvement programs that your resources can offer.  Why?  In a few words, to make faster and more informed "Trust Decisions".

The desire to Deter, Detect, Defend and Document is prudent doctrine in Operational Risk Management (ORM). You may call these steps or tactics by other names in your particular process, such as Observe, Orient, Decide, Act. What matters most is that the environment and landscape for the "Asymmetric Threats" and "Asymmetric Warfare" will continue to be challenging and dynamic.
WASHINGTON — Judges around the country are grappling with the ripple effects of a 2-year-old Supreme Court ruling on GPS tracking, reaching conflicting conclusions on the case’s broader meaning and tackling unresolved questions that flare in a world where privacy and technology increasingly collide. 
The January 2012 opinion in United States v. Jones set constitutional boundaries for law enforcement’s use of GPS devices to track the whereabouts of criminal suspects. But the different legal rationales offered by the justices have left a muddled legal landscape for police and lower-court judges, who have struggled in the last two years with how and when to apply the decision — especially at a time when new technologies are developed at a faster rate than judicial opinions are issued. 
The result is that courts in different jurisdictions have reached different conclusions on similar issues, providing little uniformity for law enforcement and judges on core constitutional questions. Technological advancements are forcing the issue more and more, a development magnified by a heightened national debate over privacy versus surveillance and the disclosure of the National Security Agency’s bulk collection of Americans’ telephone records.

15 June 2014

TOC: The Implications of Consumer Privacy...

Operational Risks are pervasive in most every business both large and small. A small business can learn a tremendous amount from those failures by large corporate enterprises. Privacy laws in the United States are for all business owners whether they be a sole practitioner or a soon to be corporation with a $100 Billion valuation.  Operational Risk Management (ORM) is present in any serious business that makes important "Trust Decisions" on a minute-by-minute basis.

Consumer privacy and the risks associated with protecting the personally identifiable information of clients, members and customers are at stake. Learning from the organizations that have made changes and are working on a daily basis to comply with the regulatory frameworks can be very beneficial to all.

Beyond the cost of a breach of data, Operational Risk Management (ORM) professionals understand that human behavior is the reason behind many of these incidents. Employees and supply chain insiders, not clandestine hackers or malicious code sent from afar, can be the major threat. So what can a Chief Privacy Officer or CISO do to mitigate the risks of employees and their behavior? All of the education and awareness campaigns may help, but the "Trust Decision" process itself is the place to begin.

Information Governance and the steps that are utilized to ingest or acquire and process that information are also paramount.  Hayley Tsukayama from the Washington Post highlights part of the issue:
Facebook came under fire Thursday from privacy advocates who say that changes to its ad network mark an unprecedented expansion of its ability to collect users' personal data. The advocates are also criticizing the Federal Trade Commission for allowing Facebook to make the changes and argue that the network's size gives it too much knowledge about its users.
Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of information of the consumer is at stake. Where that stolen information ends up, in many cases, is in the hands of "Transnational Criminal Organizations", where it becomes the lifeblood of their business operations to perpetuate their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector and so the U.S. government (USG) has ramped up in the past 3 years to address the threat. Combined with other factors associated with legitimate business operations, organized digital crime syndicates have infiltrated the country and are costing the United States billions of dollars per year.

Here are several actions USG will be taking as the TOC strategy continues to be enabled:


  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilitation of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as “primary money-laundering concerns,” allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforcement and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is continuously working with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers' information to exploit the financial system. Yet all of this will be for nothing if the private sector does not work in concert with government. Public-Private partnerships are in full swing and are making some progress.

In addition, nation state industrial intellectual property theft and economic espionage have eroded our global competitive advantage in several industry segments.  Ellen Nakashima explains:
A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. 
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm. 
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
Changing people's behavior inside your own business will require substantial oversight and continuous education. Remain vigilant at the risk of your organization's own peril!

08 June 2014

Algo Bots: The Risk of Human Error...

What "Trust Decisions" did you make this past week?  How fast did you make them?  The ability to manage an entire portfolio of operational risks in a daily routine is daunting.  How do you prioritize? What Operational Risk Management (ORM) process will you engage in, with so many uncertain outcomes?  Why will you sit up in bed at 3AM, to read the latest alert on your smartphone?

In October of 2012, this ORM blog discussed the topic of "Algo Bots" and "Dark Pools".  Machine language talking to other machines, to make optical network speed decisions and more precise, "Trust Decisions."  What is the risk of a low probability and high consequence incident when humans are taken out of the equation?  Dave Michaels of Bloomberg explains the current focus:
Mary Jo White’s blueprint for imposing tighter controls on high-frequency traders and some of the murky venues they inhabit stops short of a crackdown. 
The U.S. Securities & Exchange Commission’s plan, unveiled by White in a speech this week, advanced some new ideas while borrowing heavily from existing proposals and measures that already have support on Wall Street. While stock exchanges, rapid-fire traders and private trading venues known as dark pools all would come under new scrutiny, White didn’t embrace the kind of tighter restraints that have been enacted in countries such as Australia and Canada. 
White isn’t acting in a vacuum. She is responding to political pressures raised by an investigation by the New York attorney general into whether speed traders prey on slower-moving investors as well as a book by Michael Lewis, “Flash Boys,” that condemned the role of exchanges and brokers in enabling unfairness. She announced the initiatives even as she said U.S. markets aren’t rigged and serve the goals of retail and institutional investors.
As an Operational Risk Management (ORM) professional, you have to stay on the edge.  You must imagine the future and dive into the current R&D of innovation.  Being a futurist is staying on the bleeding edge of technology and this is just one facet of the risk mosaic.  The other, more human-factor-oriented component is the TTPs.  Tactics, Techniques and Procedures (TTP) are what you need your own "Opposition Research" team to be studying.  This is your opportunity to gather the intelligence on your competition and simultaneously look at your own vulnerabilities.  Sam Mamudi and Keri Geiger explain:
The U.S. Securities and Exchange Commission cited Wedbush Securities Inc. and Liquidnet Holdings Inc. for violations of stock market rules, taking tangible steps a day after Chairman Mary Jo White outlined her plan to improve Wall Street trading. 
Wedbush, which the SEC said is among the five biggest Nasdaq Stock Market traders, failed to vet clients who broke the law as they placed billions of dollars of transactions in the stock market, the regulator said. Two current and former Wedbush executives, Jeffrey Bell and Christina Fillhart, were also targeted in the complaint. 
Liquidnet, one of the biggest independent dark pool operators, agreed to pay a $2 million fine for not living up to client secrecy standards on its private trading platform.
So what?  The Rise of the Machine Traders:
In the beginning was Josh Levine, an idealistic programming genius who dreamed of wresting control of the market from the big exchanges that, again and again, gave the giant institutions an advantage over the little guy. Levine created a computerized trading hub named Island where small traders swapped stocks, and over time his invention morphed into a global electronic stock market that sent trillions in capital through a vast jungle of fiber-optic cables. 
By then, the market that Levine had sought to fix had turned upside down, birthing secretive exchanges called dark pools and a new species of trading machines that could think, and that seemed, ominously, to be slipping the control of their human masters. Dark Pools is the fascinating story of how global markets have been hijacked by trading robots--many so self-directed that humans can't predict what they'll do next.
So how do you mitigate the potential risk of a rogue algorithm? Some have devised a mechanism called a circuit-breaker. In other words, an alarm that something is not normal. Let's slow down until we can understand what is going on here. What are some other ways that we could potentially address the threat or the vulnerability? Was the "Flash Crash" a weak signal of a pending meltdown of the complete system?

Or is this just the next natural phase of the future growth curve?  Who will you put your faith in for your next "Trust Decisions"...

01 June 2014

CRO: The Modern Day CISO...

In light of the new clairvoyance in many Board Rooms authorizing management to hire a dedicated CISO, Operational Risk Management (ORM) professionals have to smile.  Some are even laughing out loud.  Why?

Boards of Directors in organizations around the globe are finally waking up to the digital battlefield that has been fought in the information technology trenches since the late 1990's.  Only a very few saw the threat horizon for "Botnet" enabled cyber malware and sophisticated and complex information operations by nation states.  Those organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.

So what are the attributes of the ideal CISO?  If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search.  What do they need to know and what do they need to understand about Information Security?  What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?

The modern day CISO has certainly evolved since the early 2000s.  The first generation CISOs were hired long before the evolution of the latest NIST Framework, Personally Identifiable Information (PII) definitions and data breach compliance notifications mandated by state and federal agencies.  Now the modern day CISO has all of this as a baseline, yet so much more.  The CISO today needs to really understand Operational Risk Management (ORM), more than ever.

You see, the Board of Directors really needs to understand that the CISO domain within the enterprise does not manage risk or mitigate risk to information assets alone.  Here are just a few of the categories the modern day CISO must have mastered:
  1. Security policy - management direction
  2. Organization of information security - governance of information security
  3. Asset management - inventory and classification of information assets
  4. Human resources security - security aspects for employees joining, moving and leaving an organization
  5. Physical and environmental security - protection of the computer facilities
  6. Communications and operations management - management of technical security controls in systems and networks
  7. Access control - restriction of access rights to networks, systems, applications, functions and data
  8. Information systems acquisition, development and maintenance - building security into applications
  9. Information security incident management - anticipating and responding appropriately to information security breaches
  10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  11. Compliance - ensuring conformance with information security policies, standards, laws and regulations
Operational Risk Management (ORM) touches each of these 11 categories and more.  A CISO who understands the interdependencies of these categories, and how they intersect with the other senior managers in the enterprise, is a key factor.  How do you Plan-Do-Check-Act (P-D-C-A) with the VP of Human Resources?  How do you design "Acceptable Use Policy" and adapt consumer privacy policies with your General Counsel and the legal staff?  How do you coordinate with the Chief Financial Officer (CFO) or the Chief Security Officer (CSO) who is likely to have been on staff for far longer than most of the others?

The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers.  They will be able to do this because they have a substantial grasp of enterprise business operations.  They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business.  The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?

It is because the title of the position includes the word, "Information."  Yet maybe the title should not include the word "Security," as this could diminish the roles of risk management.  Risk mitigation. Risk avoidance.  In reality, the CISO should just now become, the "Chief Risk Officer" (CRO).

Information is a given.  It is the lifeblood of the organization.  Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information.  Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization?  Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)?  Do they know how this ecosystem works and why their organization may be the target?

What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warnings or security messages to U.S. citizens?  Does the CISO realize the focus of international business operations and the interdependent 3rd party supply chain?

The CISO shall now become the CRO.  The CRO shall be the master of Operational Risk Management (ORM).  Information Security is a given for the future state.  The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.

24 May 2014

Memorial Day 2014: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2014, we reflect on this past year.

In order to put it all in context, we looked back 12 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May that could not defeat the legacy of demons, that he fought each night as he fell deep asleep.

Memorial Day 2014, we honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same, in the mission that gets each one of us out of bed each day.  Our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3].
So this weekend as we walk among the headstones, reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continues...

18 May 2014

Transparency: "Square One" in ORM...

Operational Risk Management (ORM) has been evolving for over a decade.  There are new insights into why effective business process management coupled with Operational Risk architecture makes sense, through the lens of the Board of Directors.  Transparency.

Still to this day, the questions remain:
  • What can my organization do about the risk of loss resulting from inadequate processes, people, or systems?
  • To what extent should my organization link employee compensation or job performance with operational risk management?
  • How is operational risk taken into consideration when new products or technology solutions are designed or acquired, deployed, and executed?
  • Does my organization have an inventory of its key business processes with documented controls and designated senior managers responsible?
Can these questions be answered in a book of 308 pages from 2008?  It was a good start, to say the least.  The authors understood, that to really embed a culture of (ORM) into the enterprise you have to begin at the architecture level, the business process level.  This is far in advance of the governance of information and the business rules coded into software systems, even for such mundane corporate tasks as expense report or travel request review and sign-off.

You see, some companies still think that they are just doing fine with their Safety and Security Team, Continuity of Operations and Crisis Team, Chief Information Officer (CIO), General Counsel (GC), Chief Financial Officer (CFO) and in limited cases the Travel Risk Management department all working autonomously.  They think that having a few dedicated investigators to look into corporate malfeasance, is all they require in a corporate population of tens of thousands.

What do we mean by autonomous?  Not what you may think.  There is no doubt that the leaders of these organizational departments are cooperating and coordinating functionally.  They have each other on speed dial.  They share high level red alert intel with each other.  The question is, what is being done at the metadata level of the Operational Risk Enterprise Architecture (OREA)?  How are they designing Operational Risk Management systems to answer key questions at the speed of business?  To continuously adapt to an organization’s changing global environment, executives must know about, keep in balance, and communicate several vital components:
  • What are the organizational strategies (Strategic Intent) and how these should be implemented (Strategy Development and Organizational Change)
  • What organizational processes are executed and why, how they are integrated, and how they contribute to the strategy of the organization (Business Process Management)
  • How human resource utilization is working and whether there is optimum use of skills and resources available across processes and functions (Human Resource Management)
  • To what extent the enterprise organizational chart is cognizant of appropriate roles and responsibilities, in order to effectively and efficiently carry out all work (Organization Management)
  • What IT applications exist and how they interface with what processes and functions they support (IT Portfolio Management)
  • How the performance of each process, each function and each individual adds up to the organization’s performance (Performance Management)
  • What projects are currently underway, how they effect and impact change, what processes and IT applications they change and how this contributes to the strategy of the organization (Project & Program Management)
Is Operational Risk Management (ORM) about "Big Data Analytics"?  Only if your organization values better transparency, governance and regulatory compliance.  Ask the Board of Directors their answer on this question to determine whether ORM is a "Big Data Analytics" issue.  How big is big?

The momentum for transparency is now at the U.S. government level of commitment.  It is the law.   As a prudent (ORM) practitioner, you already realize the cancerous outcomes from organizational fraud.  You know the root cause of the systemic disease that contributes to fraud within the enterprise. Big Data Analytics will mean nothing, without increased transparency.  Now we can ask the questions that we all want answers to:
The final language also requires everything the federal government spends at the appropriations account level to be published on USASpending.gov, with the exception of classified material and information that wouldn't be revealed in response to a Freedom of Information Request. One amendment, added earlier Thursday, gives the Department of Defense the option to request extensions on its implementation of the bill's requirements.
The Operational Risk Management (ORM) architecture of your enterprise will now begin with transparency, as the fundamental "Square One".

11 May 2014

Feeling Vulnerable: The Risk of the Unknown...

There are Operational Risk Management (ORM) professionals down range today.  They operate in the shadows continuously in some facet of the OODA Loop.  Whatever the specific mission may be and from most any Lat/Long on the planet, these professionals are paid to "Think-Outside-The-Box" as the cliche says.  What is it that these ORM professionals fear the most?  Feeling vulnerable.

You may have had this feeling in your life at some point.  Whether those early days in high school when the jocks are ganging up on the geeks in between classes or in that special relationship with the opposite sex.  What about all those days, weeks or years when you were aspiring to get that next great job in the organizational hierarchy?

Were you ever politically vulnerable?  When you have the feeling that you are vulnerable, that could have several implications.  Psychologically and physically.  The question has to be asked.  As a person, what is vulnerable?  Your Ego.  Emotions.  Relationship.  Finances.  Health.  Career.  Reputation.  Or even your life, or the lives of people you are charged with to keep safe and secure?

Feeling vulnerable is not what humans like to have swirling around in their head when they go to sleep at night or wake up in the morning.  As an Operational Risk Management (ORM) professional, our job is to experience all of those feelings on a select and continuous basis.  We do this so that we know what impact these feelings will have on us, our family, friends, neighbors and co-workers.  How will each and all of us behave, under each of these special circumstances of vulnerability?

Why do we want to experience and record the behavior of individuals, systems and even the unexpected natural event from mother nature?  So that we can be more predictive and ever more resilient.  This improves our self-confidence and our ability to become more adaptive.  In life and in our chosen vocations, in your local town or the federated state.  In the nation or continent we live. The Operational Risk Management (ORM) professional is forever learning and testing, in order to survive another day.

When the sounds and smells of your particular battlefield have dissipated, or the feelings of the intravenous (IV) needles taped to the inside of your forearm are gone, your vulnerabilities are changing. When the touch of your loved one on your shoulder makes you cry, you realize that you too are now on your way to surviving another day.  Together.