04 October 2025

Digital RubiCON: The Fifth Domain...

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example?

People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high-speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.


Ru·bi·con

1. a river in N Italy flowing E into the Adriatic


—Idiom

2. Rubicon, to take a decisive, irrevocable step


The "Digital Rubicon" before us, taking on a more "Active Defense" in navigating the risk across the international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future.


The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.


The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains.


The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment.


Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back doorsteps.


The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and Wikileaks incidents has everyone on full alert.


As the government has outsourced the jobs that will take too long to execute or in which the private sector is already an expert, operational risks have begun to soar.


As the private sector tasks morph with the requirements of government, you perpetuate the gap for effective risk mitigation and spectacular incidents of failure.


Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis.


The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission critical resource within an unpredictable environment.


Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency.


The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable.


The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.


The first step in any remediation program is to admit the problem and to accept the fact that it exists.


Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust...

27 September 2025

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to their people, processes, systems and structures. They stand to be better equipped for sustained continuity.


Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.


Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial.


What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.


The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:


  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in post employment process to quarantine information assets upon termination of employees


Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders.


The risk management process will continue to have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.


Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”.


A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door for a Board of Directors' worst nightmare.


These nightmares are “Loss Events” that could have been prevented or mitigated altogether.


Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here.


What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.


This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.


As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.


So what?


Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.


It’s the shareholders' duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

20 September 2025

Business Resilience: Beyond Readiness…

The continuity of your telecom operations is an operational risk that in many cases is underestimated until a significant business disruption occurs. When telecom is down, this means a combination of voice and data services that serve your business enterprise may not be available. The resilience of both the voice and data communications is the holy grail of continuity of operations and disaster recovery professionals on a global basis.

Business Resilience and the ability to effectively anticipate or absorb the impact of an incident, whether man-made or the result of a natural phenomenon, differentiates your suppliers. When is the last time you tested your Tier I service supplier for a mission critical business process to determine the ability to keep their voice and data services running during a time of crisis?


And maybe more important, is your own enterprise Incident Command system survivable so that you can provide voice leadership to your "Incident Commanders" wherever they may be located?


As we approach the middle of the Hurricane season here in the U.S., you can understand why having energy to power systems is an important aspect of most COOP discussions. This simple yet valid argument for back-up power has been going on for a decade or more.


When it comes to planning for the next Hurricane Katrina or the "Tip of the Spear" overseas operations readiness, resilient business organizations need to implement robust planning, exercises and systems to be able to overcome the operational risks that are before them.


Power blackouts are the catalyst for many risks to the critical infrastructure including Transportation, Internet, Voice communications and even those services that you take for granted like pumping gas at the local petrol station or emergency services at the local hospital. 


September is DHS Preparedness Month in the US and the focus is once again on the physical readiness of our nation.


Cyberspace as we know it is so embedded into most of the mission essential aspects of business today that our readiness factor needs to go well beyond redundant power supplies and battery back ups for power. 


Cyber-Readiness is a key component of any organization's plan to stay resilient in the face of a Distributed Denial of Service (DDoS) attack and other cyberspace exploits that disrupt our operations.


Do you think you're spending too much time with your team planning and training? You aren’t.


Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.


"The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful in their strategy execution. Their missions will be accomplished on time and within budget."


Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like, let alone know what to do next to mitigate the risk to them and the organization?

11 September 2025

9/11/2025: Never Forget...

Where were you on 9/11/2001?  Do you remember…

Beyond these memories, what this day is about every year is the renewed vow of vigilance. A time to revisit all the reasons why you have made the decisions you have since that Tuesday morning in America so many years ago.


Never forget that day. Never forget why you wake each morning.


9/11 vigilance is about being adaptive. It is about resilience. For those of us who have never paid the same price as those who have served, supported and are the mothers, fathers, brothers, sisters or relatives of those who have, we can never know or really feel what they have. We can only pledge our vigilance in continuing our respective missions.


Most of all, the mission is not America's alone, and the entire planet understands this. As they teach the history of 9/11 in the schools of New York City, Haiti, Chile, Pakistan, India and even Saudi Arabia, what do you think the lesson is about?


If it is not about vigilance and resilience, then we are doing our children a disservice. We must be preparing them for the future threats that this globe will be facing in the years and decades before us.


Whether it is the wrath of "Mother Nature" or the evil planning of ordinary people does not matter. We can never predict exactly the day, the hour, or when and where the next attack will occur.


Whether it will impact our buildings, bridges, rivers, schools or the Internet is unknown. If all of us on this 3rd rock from the sun have done our job teaching our kids about vigilance and resilience, then we should all be able to have a peaceful night's sleep.


Devoid of nightmares.

"Remember that Tuesday in September across the globe for the lessons we have all learned since that infamous day in New York City, Washington, DC and Shanksville, Pennsylvania."

For the children, teach them the truth…

30 August 2025

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that encompass a comprehensive organizational strategy. Odds are that you have devoted a majority of your time and resources to this point on the passive mode of preparedness and defense: a reactive and alert-oriented focus. The time has come to change the priorities and to increase the allocation of strategy on the "Active Measures." Why?

Stuxnet is and was ground zero for a new generation of digital infrastructure cyber weapons.

The attribution game is still going on with several suspects on who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that sitting back and waiting for the next variant or hybrid cyber weapon to attack your critical infrastructure assets in passive mode.

"The most advanced organizations are now taking the "Proactive" stance to not only detect changes in their environment in a more real-time mode, but they are starting to hunt down the attackers."

There is a decision point where you realize that the passive mode will not buy you time nor will it redirect your attackers to other more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared within the private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a solution that is wide enough or in depth enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise.

In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing and how fast it is changing from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter, but what about the intelligence on providers and ISPs somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed?

"In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" (CIU) is alive and thriving."

A proactive intelligence-led investigation doesn't begin with a phone call from someone who says, "My system is down" or "What does this Blue Screen mean?"

It doesn't start when your VP, Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet only possessed by a few.


09 August 2025

Facilities Safety: +Beyond Travel Risk Management...

Have you ever wondered where high value assets are located in your facility or on your campus? Especially those that are mobile assets. Have you ever wondered who and where visitors to your offices or campus facilities are located at any given time?

Ekahau is making the answers to these and other questions much easier to find, with a more rapid response. Safety, production costs, and time-to-market are vital points of consideration for industries, education and campus organizations.

"By being able to easily track people, vehicles, and assets, these factors can be made substantially more safe and efficient."

Founded in 2000, Ekahau is the recognized leader in location-enabling enterprise Wi-Fi networks. Ekahau's mission is to provide the easiest, most cost effective and accurate positioning solutions for locating people, assets, inventory and other objects using wireless enterprise networks. The Ekahau solution tracks wireless laptops, PDAs, VOIP phones, Wi-Fi tags and other 802.11 enabled devices.

Ekahau’s solution allows businesses to keep track of valuable assets and equipment, improve the overall workflow, and improve the levels of corporate security and customer service. With Ekahau, the critical corporate resources, people and assets, will be always available at the right place and at the right time.

As Ekahau's location tracking solution does not require installation of proprietary wireless infrastructure, but can be done individually over the private Wi-Fi network, the deployment cost is kept to a minimum, and the overall system payback time is the fastest possible.

Safety and security applications are numerous especially in Healthcare:

• Emergency management - more efficient and faster emergency response

• Patient monitoring - better patient safety and increased throughput

• Workflow management - better staff utilization and increased patient throughput

• Equipment management - reduced need for inventory

• Information delivery - improved workflow, reduced errors

• Billing support & verification - improved revenue capture

Can you think of other Homeland Security and first responder applications using the Ekahau capabilities, especially in post-event incident management and key personnel tracking inside a closed perimeter? As WiMax and other 802.11 networks are deployed in major metro locations, the applications become widespread.

People: Beyond Travel Risk Management...

When was the last time your corporate travel department gave you some timely INTEL?

Maybe you got a report on the current level of risk in the foreign region, city or country you are now scheduled to visit in the next few days. What are you going to do if everything “Goes South” in a matter of seconds or minutes?

The Mission

In situations that require instinctive response, you have to go beyond the traditional travel management report on what to do and who to call. You have to be proactive and make decisions on your own.

In order to survive, one must be trained on the authoritative, detailed description of the methods by which terrorist organizations, hostile intelligence services, and criminal groups select and target specific individuals.

Individuals and teams must learn how they can detect and counter potential threats against them and their sponsoring organizations, to better manage these pervasive operational risks.

These threats could include recruitment by a hostile service, kidnapping or assassination by terrorist and criminal elements or espionage by business competitors.

Combined with real-time INTEL, you must receive intense, real-time instruction in surveillance detection and counter-surveillance so that you can take appropriate actions.

Combining real-time intelligence with a focused surveillance and threat detection-training program is exactly what savvy corporate executives and Chief Security Officers are looking for from a single source.

Personnel threat management is a prudent risk mitigation solution. This combination is one key strategy to mitigate the operational risks associated with key personnel in your organization.

Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, the wealthy and those responsible for their safety.

The Take Away

Combine two parts Threat Detection & Management Training with one part INTEL and you have the perfect combination to ensure the successful completion of corporate or organizational missions across the globe…

02 August 2025

Innovation: Accelerate to "New"...

Remember the anticipation you had in your heart and mind at the beginning of your first year in college. Or the first day of that new job you had been seeking for months. Or that day your first child was born.

The anticipation of a next phase of your life that you had so much adrenaline or hope on your mind you couldn’t sleep thinking about it.

You see, discovering and experiencing “New” learning, “New” opportunities, “New” challenges, “New” solutions and “New” insights is holy.

Before you were able to innovate and to accomplish the next anticipated change in your life, you were naive. You have learned to stay alive as you navigate your way across America and towards “New”.

As you join that next organizational phase to learn, to work or to care for others you realize you must continuously innovate:

Staying Alive While Creating Innovation

Key Takeaways

  • Innovation is anything that helps your organization accomplish its mission, from small improvements to processes or policies to successful moon shots.
  • To develop an innovative culture, you must be an agent of change.
  • Creating innovation isn’t about new ways of doing work, it is about the outcomes, results and mission impact of those efforts.
  • Speed is a fundamental change often needed to achieve significant results.
  • A strategic approach is best, whether creating an innovative organization or developing innovative approaches to assist your organization.

Page 9 - Creating Innovation Navigators - Achieving Mission Through Innovation - Author, Sabra Horne

After you graduated from college, or were terminated from your job, or celebrated your first child’s first birthday, you had become more innovative.

You are well on your way to that next step, next opportunity or next life commitment with the wisdom you need.

The question now may be whether you have the right resources and the right team to accomplish the mission.

"How will you accelerate your activities so that you will discover whether your resources and your people are correct for your particular mission?"

Become an “Innovation Navigator” sixteen hours a day. Wake up early. Accelerate. Nourish your mind and body. Sleep eight hours a day. Repeat…

26 July 2025

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, 3rd party suppliers and other contractors for at least the near term.


In any case that has the defense legal eagles and "Usual Suspects" arguing against the corporate liability issue, is the intent getting cloudy, or is it crystal clear?


Even if your Corporate Compliance Programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" still exists for litigation.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. 


More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security, soundness and the opportunity for malfeasance in the work place may not be working effectively.


And still the liabilities exist from the plaintiffs and government adversaries to gain compensation. So what is the answer?


The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex.


One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.


What many liability issues begin with is the employee(s) who made a bad decision.


QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process.


As an example, let's take the Request for Proposal (RFP).


Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the importance of the RFP determines the effort for the response.


Many times, this is influenced by an incentive plan. The human behavior to accept or decline the effort on an RFP, as well as what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.


Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded it for far too long. So who is to blame here? The employee, or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something?


Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions.


More importantly, QFD programs such as this, which directly reduce the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.