18 January 2020

Corporate Social Responsibility: An Era for New Leadership...

Here are a few of this mornings top news stories. It seems that Operational Risks have us surrounded and yet many organizations are still in denial that anything will impact them directly:

Libyan Oil Exports Blocked Ahead of Berlin Peace Conference
By Salma El Wardany
January 18, 2020, 4:46 AM PST Updated on January 18, 2020, 7:16 AM PST

World News
China reports new virus cases, raising concern globally before key holiday
Published Sat, Jan 18 20206:34 AM EST

Why Iran plane disaster protests mark most serious test yet

By Amir Azimi BBC Persian service 18 January 2020

U.S. Government Confirms Critical Browser Zero-Day Security Warning For Windows Users

Davey Winder Cybersecurity

How long will this naivete go on in your company, city, state or country?  Maybe it's time for more Corporate Social Responsibility and a renewed focus on training new leaders.

As the finger pointing continues and the documents of the day are debated, there is one strategy that has been with us for many years, and many have forgotten.  It is called Corporate Social Responsibility (CSR). CSR is gaining new emphasis around the globe:

Mary Parker Follett's (1869-1933) thoughts on democracy, society and management have inspired business leaders in fits and starts during the 20th century and they deserve to be revisited as we move forward in this century.

What is the important role that businesses play in society?  She gave serious attention to what we now call corporate social responsibility, a topic of great interest in today's boardrooms and business schools.

One thing is certain. All of the employees and citizens on the planet want leadership and courage from the ordinary person next door.
The citizen soldier who is willing and capable of leading the people around them in the face of a sudden catastrophic crisis.
In the midst of an important ethical decision. In the moment of the day, are "Leaders Born, Not Made"?  What would Mary Parker Follet and Laura Tyson have to say:

"Leaders can be taught, and should be keen on sharpening their skills as rigorously as a surgeon. In 1933, she put it plainly: managers must realise that they, as professional[s], are assuming grave responsibilities, that they are taking part in one of the large functions of society, a part which, I believe, only trained and disciplined [business people] can hope to take with success."

As the Operational Risks continue to surround our corporate enterprises, it's imperative we look at where we are spending our money and deploying our resources.

What would happen to our preparedness, readiness and recovery capabilities if we just reallocated 5% of the corporate marketing budget to the Risk Management budget?

If we did, then we might find ourselves with fewer calls to the Court house, State house and the White House.

11 January 2020

Davos 2020: Culture in a Complex, Interdependent World...

"No institution or individual alone can address the economic, environmental, social and technological challenges of a complex, interdependent world"...
In 9 days, leaders on the planet Earth will be converging on Davos, Switzerland for the World Economic Forum Annual Meeting. What will this years pressing themes tell us, about what is on the minds of Presidents, CEOs, Managing Directors, Chief Information Security Officers, Chief Risk Officers, Generals, Secretarys and Activists?

Davos 2020 will be focused on the following four themes:

__1. How to address the urgent climate and environmental challenges that are harming our ecology and economy.

__2. How to transform industries to achieve more sustainable and inclusive business models as new political, economic and societal priorities change trade and consumption patterns.

__3. How to govern the technologies driving the Fourth Industrial Revolution so they benefit business and society while minimizing their risks to them.

__4. How to adapt to the demographic, social and technological trends reshaping education, employment and entrepreneurship.

If you only could pick one of these four very important issues facing our global societies, which would you feel you have the most ability to impact, with your own organization?

Got it?  Now, think about how your organization will change, in order to make a greater difference in that particular theme you have selected.

The culture in your organization is going to be the difference between your ability to succeed, or to be soon facing failure.  As a leader, how will you continuously adapt to your human culture, just as Davos is addressing our interdependent world?

How might you change the way you are "Visible" to your stakeholders?  Why are you the one they "Trust", to achieve organizational objectives?

You see, you are not as visible as you think you are.  You are not as trusted as you think you are.

Your organization needs you, to step out and really show them who you really are.  They need to see, hear and read about the collective mission.  Their respective purpose, for being present today.

Culture.  As a leader, it is all on you...

05 January 2020

ORM: Pervasive Risk Across Disciplines...

What is the origin of the "Operational Risk Management" (ORM) discipline? Was it derived from the work within the financial services industry from the Basel II initiatives?

The definitions and the actual work towards creating standards of conduct and rule-based design has been evolving for the past few decades.

Operational Risk and the approach to risk that is not otherwise considered to be market or credit risk, is one mind set. The other mind set considers the hazards associated with the threat to our valuable assets.

Either point of view depends on the environment that you operate in and the risks associated with that environment.

To give a quick example, here are a few views into Operational Risk in the United States:

"It didn’t take long—the first attack on a U.S. government website hit on Saturday, a day after the killing of Qassem Suleimani in Baghdad. The fact there was an attack is not a surprise—speculation has been rife. And the style of the attack is consistent with the nature of the primary cyber threat we now face. Hackers claiming to be linked to Iran targeted a low-level domain—the website of the Federal Depository Library Program—defacing its home page, echoing Teheran’s threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag" Forbes

"Boeing will still burn more than $1 billion a month even after halting 737 Max production, according to J.P. Morgan.  Boeing’s decision to stop suspend production of the troubled aircraft was made in light of months of cash-draining groundings worldwide, but the company’s internal overhead and labor expenses will remain and will increase cash burn, analyst Seth Seifman wrote to clients."  CNBC

These examples encompass a U.S. government agency and a private sector U.S.-based global aerospace company.  Both are operational risk scenarios that could contribute to losses that will also impact the reputation of the entity involved.

That aspect alone, could be the major factor in why Operational Risk Management is such a growing discipline in our 2020 global landscape.

Some of the earliest origins of the Operational Risk concerns come from the military. The U.S. Navy is one of the branches who has embraced it fully:
  • Purpose. To establish policy, guidelines, procedures, and responsibilities per reference (a), standardize the operational risk management (ORM) process across the Navy, and establish the ORM training continuum.
  • Scope. This instruction applies to all Navy activities, commands, personnel, and contractors under the direct supervision of government personnel.
  • Discussion. Risk is inherent in all tasks, training, missions, operations, and in personal activities no matter how routine. The most common cause of task degradation or mission failure is human error, specifically the inability to consistently manage risk. ORM reduces or offsets risks by systematically identifying hazards and assessing and controlling the associated risks allowing decisions to be made that weigh risks against mission or task benefits. As professionals, Navy personnel are responsible for managing risk in all tasks while leaders at all levels are responsible for ensuring proper procedures are in place and that appropriate resources are available for their personnel to perform assigned tasks. The Navy vision is to develop an environment in which every officer, enlisted, or civilian person is trained and motivated to personally manage risk in everything they do.
If only our major business entities would would fully encompass the following steps with all employees and processes then more lives would be saved, corporate assets would be protected and the enterprise would be ever more resilient:

(1) Identify the hazards;

(2) Assess the hazards;

(3) Make risk decisions;

(4) Implement controls; and

(5) Supervise.
Yet the losses and the potential for loss continues across the organizations who are well equipped to make Operational Risk Management a part of every person and operating divisions daily mind set:

The places change, the numbers change, but the choice of weapon remains the same. In the United States, people who want to kill a lot of other people most often do it with guns.

Public mass shootings account for a tiny fraction of the country’s gun deaths, but they are uniquely terrifying because they occur without warning in the most mundane places. Most of the victims are chosen not for what they have done but simply for where they happen to be.

There is no universally accepted definition of a public mass shooting, and this piece defines it narrowly. It looks at the 172 shootings in which four or more people were killed by a lone shooter (two shooters in a few cases). It does not include shootings tied to robberies that went awry, and it does not include domestic shootings that took place exclusively in private homes. A broader definition would yield much higher numbers.

Whether it is on the deck of an aircraft carrier or within any organizations business facility, operational risk is pervasive. It is up to you and your organization to begin to make a difference...

31 December 2019

Year 2020: Navigating to your "Why"...

The Year 2020 is upon us and a new decade is at our doorstep.  Are you looking at how much you have accomplished this past year or reflecting on all the goals you were unable to achieve?

What is your "Why"?

The world around us is rapidly changing and we must recognize when we are deveating from our intended course.  All of us have our daily risk challenges with work, friends, spouses and kids or family, yet how effective are you at consistently navigating back on your true heading?

This will make all the difference in your life.

The difference between achieving your dreams and finding yourself in a different or unintended place, without vital key resources.

Where are you on your life map, at the end of this year and this decade?

How many books or articles of research have you read and studied this year that provides you even more insight, into your particular mission, craft, or trade or skill-set?

Guess what?  You are not as smart as you think you are.  You might not have as much context and experience as your parent, your teacher, your coach, your co-worker, or your partner.

On the dawn of a new decade known as 2020, maybe it is time for you to truly dedicate yourself to the science of your mission.  Your particular "Why."

Only then, will you begin to achieve the discipline you require each day, to navigate your true course.

Your life...wishing you a wonderful "New Decade"!

21 December 2019

Christmas 2019: Look Around and Look Up...

"Let the true light of Christmas shine bright through you. You have received the greatest gift of all."
As your unique holiday season surrounds you this week, what will you be saying to yourself?  Why are you so joyful?  Who will you be celebrating with, as we sing together?

This time, of each year, we have the opportunity to reflect.  To Remember.  To Give.  To Pray.

As you look around the room at some gathering point, focus on why we all traveled to come together.  Are you a Mother or Father, a Son or Daughter, Brother or Sister, an Aunt or Uncle, a Grandfather or Grandmother?  Or just a Friend.

Think about where your life has taken you so far.  Yet wonder, about the future and what is next for you.
"Who among mortal men are you, good friend? Since never before have I seen you in the fighting where men win glory, yet now you have come striding far out in front of all others in your great heart..." --Homer, The Iliad
As you transcend through the thoughts and emotions of your journey so far, "Look Up"...


14 December 2019

The Risk of A Blueprint For Action: Hero's Yet Undiscovered...

Thomas P.M. Barnett's book was sitting there on the bookcase shelf last night gathering dust from 2006 and this is the next step in the "The Pentagon's New Map."

What an inspiring exercise in "Strategic Foresight" and a journey it was, well over a decade ago.  And yet now the journey begins again, to find our "heroes yet undiscovered".

What the author means is this.  Along the path through an uncertain and new worldview, we are going to encounter people who are hero's in the implementation of the bold concepts described in this insightful book.

Mr. Barnett gives us a few descriptions of who to look out for back then, and evermore so today:
  • The four-star military police general:
  • Japan's first combat casualty since World war II:
  • The "Martin Luther King" of Islamic Europe:
  • The "Serpico" who blows the lid off human rights abuses in the global war on terrorism:
  • China's "JFK"
  • India's "Bill Gates":
  • The first female leader of an Arab state:
His unreasonable ideas that sound at first to be far fetched are by design, to make us think deeper about the impact of globalization and the future.  In fact, they are upon us today.
"All things being equal, no one chooses the informal economy over the formal economy. Because the efficiency and security of the latter are undeniably a better deal." Page 262
"In the end, the Gap (non-core countries outside the G-20) is plagued not so much by bad governments as by simply the lack of good ones. Our goal in shrinking the Gap must entail, therefore, increasing the number of good governments there, governments that extend the rule of law, develop the human capital of all citizens (and especially that of young females), and ---most specifically---foster entrepreneurial opportunities by recognizing property rights and expanding contract case law." Page 262

The real risk of "A Blueprint For Action" is that our world leaders in 2020 still have not converged on this remarkable book and discussed it over their next dinner together.

If they do, then we will be on our way to a trusted future worth creating...

07 December 2019

Operational Continuity: Top Ten...

As your Board of Directors Meeting agenda is prepared for your next conference call, Operational Continuity should be near the top of the list of priorities.

Californian utility giant Pacific Gas and Electric (PG&E) has agreed a $13.5bn (£10.2bn) settlement with victims of wildfires in the state.  The company's equipment has been linked to several blazes including the deadliest and most destructive wildfire in state history, 2018's Camp Fire.

The risk of a significant business disruption is increasing and shareholders are increasingly asking for additional oversight by boards, to make sure that executive management is on top of Operational Risk Management (ORM) issues.

Catastrophic losses may be caused by natural disasters such as hurricanes, earthquakes, flooding, drought, tornados, fires and winter storms or man-made events.

Workplace Violence and/or Terrorist acts are tragic and complicated, taking an awful toll in human lives and resulting in insurance claims that run into the millions or billions of dollars and, often, litigation.

Here is a top ten list for your board to consider. If you can answer "Yes" to these items then you are well on your way to a high level of "Operational Continuity" in your organization:
__1. The Board of Directors reviews and approves company-wide contingency plans annually.

__2. Formal documented guidelines, policies, and procedures exist for the development and maintenance of business Continuity/Disaster Recovery, Emergency Response (evacuation and life safety) and Crisis Management plans (public relations and communications).

__3. An Operational Risk Assessment that categorizes potential threats (internal and external) has been performed on all corporate facilities for both information technology and work areas.

__4. There is a current (updated annually) Business Impact Analysis that determines recovery time objectives (the maximum tolerable time to recover critical business functions) and existing resources supporting each function.

__5. Recovery strategies exist for the resumption of critical business processes and support services.

__6. The Operational Continuity Plan and the recovery efforts are driven by the business requirements of the Business Impact Analysis.

__7. A Gap Analysis has been performed to identify the differences between Business Impact Analysis (business requirements) and the current environment.

__8. Business recovery strategies have been developed for all essential business functions.

__9. Manual workarounds exists for processes that could be completed in the absence of automated systems.

__10. Business Continuity and Disaster Recovery plans are exercised and tested bi-annually.

If you answered "No" or "Don't Know" to any of these ten, then your organization is at risk to a myriad of threats including shareholder legal actions...

30 November 2019

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the CEO and Board of Directors.

The 34th Overseas Security Advisory Council event was held the week before Thanksgiving as usual.  Yet flashback to when Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC on November 16th, 2006, when her words were music to our ears:

"It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change. The Council on Competitiveness is proud to offer this report, which promotes a strategy of resilience for both the public and private sectors a strategy with clear benefits for our companies’ competitiveness and our nation’s homeland security."

On the doorstep of 2020, globalization, technological complexity, interdependence, and speed of digital information are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face.

Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies.

Increasingly, disruptions can come from unforeseen directions with unanticipated effects. Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These new types of risk, demand new methods of Risk Management.

Was this a way for the Chief Security Officers of the Fortune 500 to finally shift their thinking from protection to something less macho? How could "Resilience" become a platform for a mind set shift to justify new funding?

After all, now we aren't trying to scare people into the "Low Probability - High Impact" incidents anymore and focusing in on the high probability incidents, that may have enough impact to cause a significant business disruption.

What are the incidents and areas of risk that insurance won't touch these days? If the insurance companies can write the policy to give you peace of mind, then is this necessarily an area that you can ignore, because you have transfered the risk to someone else?  Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to Homeland Security and Critical Infrastructure Protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

Back in 2000, the Meta Group (now owned by Gartner) did a study on the cost of "An hour of computer downtime by industry group". These numbers are now 19 years old:
  • Energy - $2.8
  • Telecommunications - $2.0
  • Manufacturing - $1.6
  • Financial Institutions - $1.4
  • Information Technology - $1.3
  • Insurance - $1.2
  • Retail - $1.1
  • Pharmaceuticals - $1.0
  • Banking - $0.996
We all know that it costs lot of money to have any systems downtime, that's why so many dollars have been invested in Disaster Recovery (DRP) and other Business Continuity Planning (BCP).

Yet is this the kind of resilience that is going to make you more competitive, to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident (ransomware) that will attack your organization tomorrow.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term "Legal Risk" new emphasis and meaning.

Once corporate management understands the need for a "Resilience" mentality in place of a "Protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive.

It alleviates the fear of doom and gloom and inspires new found innovation. The future of your organizations longevity and in its adaptability, can be achieved with a new perspective.

Compete or die.

"Enabling Global Enterprise Business Resilience
" is just the beginning...

23 November 2019

Trust Decisions: Future Outcomes in an Unpredictable World...

What new information have you processed or new insight have you gained today, that will be necessary for your next Trust Decision?

The little screens and nano-processors in the palm of our hand, have taken over our abilities to think clearly.  To ask the right questions.  To process information, using our own biological and cognitive capabilities.

The ability to make your next decision to act, will depend on your level of trust in the information you are now processing.  How are your recieving this new information and what is the source?  Is it trusted?

The speed and quality of "Trust Decisions" in your life will make all the difference in your ability to prosper or not.  How much do you trust the sources of your daily information?  How much does it distract you, from your primary mission?

Are you starting a new education or training class?  Are you starting a new job?  Are others following you?  Are you going on a first date?  Are you planning a wedding?  Are you moving to a new city?  Are you going to be a Mother or Father in the next nine months?  It is an unpredictable world.

What happens to your behavior, when you receive this trustworthy information?  You act on that information, whether it is positive in your plans or creates a new and challenging problem-set to be solved.
"The Internet, the embrace of cyberspace, and the ubiquitous presence of digital information in human society are making immense, positive contributions. In the simplest actions of our daily lives and in the most important decisions we make in business, in government, in education, and in choosing between war and peace, we have become reliant upon the availability and presence of digital information. As our reliance speeds into dependency and, in turn, addiction, there are two profound shifts occurring that are shaping the direction of this war on trust." --Jeffrey Ritter-Achieving Digital Trust
The little screen in the palm of your hand, does not make information more trustworthy.  It makes information more readily accessible and in greater volumes.  It assumes you are pressed for time and therefore, you do not have the patience or the ability to ask timely questions about it's origin, or authenticity to make your next "Trust Decision".

As you sit there and read this, look around you.  What do you see?  How do you feel?  These are the outcomes of your own history of "Trust Decisions".

Why did you decide to get on that plane with this particular airline today?  Why did you decide to make the appointment to travel to your destination, to meet with the person(s) you are traveling to visit?  Why are you going to spend your valuable time, listening to what they have to say, what they will show you and tell you?

Your future continuously depends on your next "Trust Decisions."  What is the information you are receiving and from where?  Will you trust this information?  You see, your next behaviors and actions will take place as a result of how your brain and your trust calculations have processed this information.

So what?

  • Every transaction creating wealth first requires an affirmative decision to trust.
  • Building trust creates new wealth. Sustaining trust creates recurring wealth.
  • Achieving trust superior to your competition achieves market dominance.
  • Leadership rises (or falls) based on trust (or the absence of trust).  --Jeffrey Ritter-Achieving Digital Trust
Your decisions to trust some thing or some one, is far more a science and a calculation than you may have ever known before.
It is time to begin thinking differently about the science of "Trust" itself.
The time has come for you to spend more time with the leaders and the sources of trustworthy information and behavior.
It is time for you to evaluate your wealth in this world.  Whether that wealth is tangible or intangible.  Whether it is measured in love, knowledge, experiences or in currency.

The calculus of your own "TrustDecisions" will continue to be the difference...

16 November 2019

Intelligence Fusion: The Race Against Time...

 Human intelligence may be the most sought after way to prevent new threats to your organization.

Yet that is never enough to give you total peace of mind. You have to implement multiple collection points for real-time and relevant information.

The front line of intelligence analysis begins far in advance of the actual event or incident taking place. Companies like "Quid" have provided some of the tools to detect the presence of new and relevant information in the hundreds of millions of active web sites across the Internet.

You may also see Dataminr in the corporate Security Operations Center (SOC) and even the local Fusion Center for more Real-Time information.

They assist CxO's in navigating their operational risk strategy execution across a competitive and increasingly threatening global landscape.

The fusion of intelligence from the Internet and broadcast media requires not only sophisticated software, hardware and talented Intelligence Analysts, it requires good old fashioned investigative tactics. And when you combine all of these to create the closest version of reality, then you have found true "Integrity."

Keeping information truely confidential is a difficult task. Assurance that the information will be there when you need it, is also equally important. Yet it is the "Integrity" of the information that we are in constant pursuit of.

Data fusion involves the exchange of information from different sources—including "John Q. Public" with his mobile phone, Ring and other IoT sensors, Law Enforcement, Public Safety, and especially the Private Sector—and, with analysis, can result in meaningful and actionable intelligence and information.
In a wide-ranging hearing on the myriad threats to the U.S. homeland, from white supremacist terrorists, border security, school shooters, and cyber attackers, the director of the FBI gave a glimpse of how the agency is using technology to blunt one of those threats.

FBI Director Christopher Wray, testifying before the Senate Homeland Security and Governmental Affairs Committee, said his agency has implemented a new threat-sharing capability on its Law Enforcement Enterprise Portal (LEEP).
The fusion process turns this information and intelligence into actionable knowledge. Fusion also allows for relentless reevaluation of existing data, in context with new data in order to provide constant updates.

The Private Sector is still the biggest challenge. Trusted relationships need to be continually fostered. New mechanisms for public-private coordination are consistently being discussed.

Fusion Center's are not the only answer. It still remains a significant piece of a very complex operational security challenge, that we will be facing for still years to come...

11 November 2019

Veterans Day 2019: A Spectrum of American Service...

What do we all have in common on this Veterans Day 2019?  Walking through the atrium of the U.S. National Museum of the Marine Corps, reminds us what this day is really all about, in our history and as a whole of nation.

Yet those who have sacrificed so much for our freedoms and our country, know first hand what being part of the 1% really means.

The average American walking down Main street watching the parades today, may not have the same context, experienced the same fear, nor truly understands what it means to protect the person to the right or left of you, or on the invisible front lines of this United States of America.

Our highly trained military "First Responders" deployed to foreign lands have many of the same experiences with our own Domestic "First Responders" in keeping our citizens, families and our governments safe and resilient.

Walking through the cafeteria at dinner time and witnessing the young and eager faces, at any of our "National Academies" across America, is an inspiring experience and an emotional reminder to each of us.

These young and eager Americans being trained in Intelligence, Surveillance and Reconnissance, hope they never will have to use the other lethal tools they may be learning about and training with, to become experts.

Others know that the new skills and experience they are gaining in Science, Technology, Engineering, Medicine, Logistics and Navigating, Operating or Flying sophisticated new platforms, makes a vital difference each day.

Whether you have worked on many missions overseas, or in the metro areas of Washington, DC, Chicago or Los Angeles on a daily basis, you wake up each morning with a mutual purpose.  A thought pattern that drives you to improve the safety and the security of your collective team each minute, of each day.

Veterans Day in America celebrates the service of all U.S. military roles, whether they be on the front lines of the battle in the air, space or on the ground and continuously in our growing digital domains.

God Bless you all and Godspeed!

03 November 2019

Culture: Systems of Trust in Your Worldview...

Why are you spending your time on this?  Why does it mean this much to you?  Why do you continue to do it day after day?  Why is it so important to you?

Your particular purpose in life may be different than others.  The question is, are you bold enough to be transparent enough to tell the world who you are and what compels you on your daily mission?

The people who surround you and look up to you are waiting.  They are seeking your real purpose, your particular life mission.  The role of a leader, is to make sure that they truly know you and what your "Why" is every day.

When you begin to study the life journey of leaders at companies such as General Electric what do you think about?  Jack Welch created a noble company and a unique culture there to be certain.  So how do you compare it, with a company like Apple, Palantir, Costco or even SpaceX.

The founders or key leaders that shaped and built the culture there, forever shape the mission and the employees vision of the "Why."

How effective have you been as an "Operational Risk Management" practitioner in your life so far?  The ability to sense, process and mitigate operational risks in any system is a worthwhile purpose, personally and professionally.

Whether you are approaching a person, artificial intelligence, an organization or an agency with your new ideas, products or services, they all require several key elements as a system.  First and foremost, how do you build Trust?
"It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neigh- bors offer no option other than to require that we rely upon digital information in making decisions. But we will not function success- fully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world."  Jeffrey Ritter
In 2020 and beyond, what and who will you "Trust?"  How will you build systems that are trustworthy?  In your relationships, family, organization or agency, there are risks to sense, to process and to mitigate.

Why will you be more aware of the "Trust Decisions" you have to achieve today?  Your particular culture and livelihood depends on it...

26 October 2019

General Counsel: Directors Top 10 Mistakes...

"There is no question that AI is materially affecting business models and operations. Now that it's getting serious attention from shareholders, employees, other corporate stakeholders, boards need to pay attention, too." Corporate Board Member Magazine
In the July/August issue of Corporate Board Member Magazine in 2006, an article by Randy Myers talked about ten insightful and reinforcing items of interest.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options

And as Randy so clearly has stated: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 even is on this list. No. 2 and No. 3 is ever so common place. And No. 7 is not a surprise. But what continues to amaze even those professionals associated with consulting to the Board of Directors is No. 8.

Fast forward to 2019.
"The number of public companies disclosing artificial intelligence (“AI”) as a material risk factor in their SEC filings has grown exponentially from virtually none in 2016 to more than 80 this year alone."  --By  Lisa Fontenot and Cassandra Gaedt-Sheckter
The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO.

It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight has been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.

20 October 2019

Privacy: The "New" Age of Unreason...

In the new age of unreason, Charles Handy the author of The Age of Unreason would say that discontinuous change is upon us. He would say that we need to outsource everything that is not a core function of the enterprise. And he would say that learning, is the same as change from a different worldview.
Mark Zuckerberg came to Washington, DC, on Thursday to claim the mantle of Martin Luther King and the Founding Fathers as a champion of free speech. Standing in the stately Gaston Hall auditorium at Georgetown University—which has hosted the likes of Bill Clinton, Barack Obama, and Bono—the Facebook CEO declared, “I’m here today because I believe we must continue to stand for free expression.”

And a city full of regulation-hungry politicians and foes of Big Tech undoubtedly thought: How’s that working out?  --Ars Technica-Steven Levy, wired.com -
Making changes is also about learning what those changes will mean, to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to insure that the change doesn't impact the core operations.

In the words of Charles Handy:

"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."

"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."

Adaptation in order to survive in the corporate world is nothing new. The risks associated with making new decisions depend on how that decision will impact the other persons, processes or systems in the enterprise.

It means observing performance and measuring the results, to determine if the change is worth the new risks that the organization is about to encounter...

13 October 2019

Organizational Culture: Four Steps to Wisdom...

"Each step up in learning requires a new technology platform. The technology platform that will make possible the leap from Information to Knowledge is the blending of computers and telecommunications with human actions. By the time the knowledge phase matures, around a decade from now, billions of people will use computers with no training at all. Can we imagine the technology platform that will enable us to take the final step to wisdom?" --Four Steps to Wisdom - From "The Monster Under The Bed" by Stan Davis and Jim Botkin

Stan and Jim wrote this book and it was published in 1994. Getting to wisdom is surely now upon us in 2019.  Or is it?

Maturing from step-to-step is not as easy as it may seem.  Think about that learning phase where your organization was taking on the chasm between "Information" to "Knowledge".  What kinds of challenges did you encounter and then conquer in your cultural transformation?
wisdom noun (1)

wis·​dom | \ ˈwiz-dəm
Definition of wisdom

1a : ability to discern inner qualities and relationships : insight
b : good sense : judgment
c : generally accepted belief

The transformation in your organizations from "Knowledge" to "Wisdom" may take much longer to accomplish than the "Information" to "Knowledge" phase.  This is because your culture has not matured enough to even consider the technology platform necessary to make the leap to "Wisdom."

Davis and Botkin talk further about this:  "Business-driven learning will be organized according to the values of today's information age:  service, productivity, customization, networking, and the need to be fast, flexible, and global." Page 18

Does this sound familiar?  Maybe you have heard the words Scrum or DevOps being thrown around in your particular organization.  Or perhaps you have started to focus on agility or innovation as the latest phase of transformation awareness in your business, agency or enterprise.

How can you and your organization take the next step, if you have not achieved the previous level of maturity in your technology adoption?  The speed and comprehension to utilize technology to effectively learn, is a combination of factors beyond just the hardware and software.  It is also a maturity of your learning culture.

As your enterprise makes the leap from "Knowledge" to "Wisdom" the speed of change in your organizational culture must also be commensurate with the speed of change in our technology platforms.

Is your organization still maintaining your own servers and hosting your E-mail internally?  There must be a really good reason why.  Yet have your techies been throwing around that new solution named "Kubernetes."

So as you and your organization tries to innovate into 2020, ask yourself.  Is our learning culture ready for the next generation of technology adoption?

06 October 2019

A Renewed Sense of Courage: Readiness, Response, Recovery...

"Abqaiq is a single point of failure that could remove millions of barrels per day from the global oil market for an extended period if damaged badly enough. It has long been identified as the top security risk worldwide

For that reason, Abqaiq has been one of the most heavily protected places on the planet. Saudi Arabia has armed guards to protect the perimeter, and security forces actively target threats from foreign militants and domestic dissidents."  John Kemp is a Reuters market analyst.

Our U.S. Critical Infrastructure Protection is a national priority.  Our state and local governments are still pressed to do more with less and to continue to keep such a vigilant force emotionally engaged. There is still frustration with the lack of public-private coordination, yet it is improving one step at a time.

The focus on Critical Infrastructure resilience programs centers upon these four objectives:

1. Prevention Planning

2. Impact of Loss Analysis (Economic/Local)

3. Cycle Time to Recovery

4. Understanding Interdependencies

The diverse set of stakeholders who own and operate these critical assets are continuously opening new doors of trust and cooperation. Yet the private sector is still timid to reveal it's greatest vulnerabilities and share in the risk with the public domain, to work on mitigating or reducing this exposure.

One only has to look no further than a consistent breakdown of our power grids, to know that a simple lack of maintenance is sometimes the only culprit, not a natural but a man-made disaster.

So predicting the rate of failure or loss on future communications networks, pipelines, bridges, tunnels and rails could be as simple as the rate of reinvestment in repair, up keep and preventive maintenance. Yet that is not our greatest fear.

Remaining vigilant requires a more thorough understanding of threat and the myriad of tools being utilized by criminals and nation states to attack us. Once you understand this, you realize that your greatest fear is, the unknown.

The Low Probability, High Consequence event. That is what keeps all of us awake at night and what keeps us getting up in the morning, to do it all over again. We are all searching, detecting and monitoring, in hope that we are not too late once more.

And maybe even more important than this, is the hope that when that day, hour or minute does arrive, that we have the courage to respond, recover and revive ourselves even faster than the last incident.

To be better. And more resilient than we ever have been before...

29 September 2019

DEF2019: Far Beyond Innovation in U.S. National Security...

"The creativity and talent of the American warfighter is our greatest enduring strength, and one we do not take for granted."  --Summary of the 2018 National Defense Strategy

Walking away from the Defense Entrepreneurs Forum #DEF2019 Annual National Conference today in Washington, DC, produces so many simultaneous thoughts and emotions.  Being together with other colleagues and "Quiet Professionals" for an entire weekend in a small yet beautiful space, reminds us why we exist and where we are continuously navigating.

The people.  Organizations don't innovate.  Your people do the thinking and have the "Neurodiverstiy" to produce outcomes from their own TrustDecisions.  Most organizations think culture is a set of values, that you have spelled out as bullets on your web site, or the wall in your lobby.

A Decision to Act.  A Decision to Pause.  A Decision to Stop.  A Decision to Deliver.  They are all decisions, that are based upon your ability to process information and utilize your unique talents as a human being.

Culture is a management system, with passion for the mission.  Most organizations run on norms.  It's time to "Break the expletive Filter".
What kind of rebel are you?

Do you complain or do you create?

Are you "Me Focused" or are you "Mission Focused"?

What about the rules.  Do you break them or do you change them?

Do you "Alienate" or do you "Attract"?

Do you "Doubt" or do you "Believe"?

Are you "Energy Sapping" or "Energy Generating"?

Do you exemplify Anger or Passion?
From James "Hondo" Geurts - Assistant Secretary of the Navy for Research, Development & Acquistions- DEF2019 Presentation

Priority is a singular noun and your structure is your culture.  The truth is, the culture of your particular business enterprise, government agency, startup or team, is a direct manifestation of your own peoples creative spirit and their abilities to adapt and deliver outcomes, with a dynamic set of decisions in your environment.

Signing off now.  It is time to go "Deliver"...

21 September 2019

Endgame: A Life of Operational Risk Management...

"After climbing a great hill, one only finds that there are many more hills to climb. I have taken a moment here to rest, to steal a view of the glorious vista that surrounds me, to look back on the distance I have come. But I can rest only for a moment, for with freedom comes responsibilities, and I dare not linger, for my long walk is not yet ended." Nelson Mandela

Operational Risk Management (ORM) is not a project with a deadline. It is a journey of a lifetime that requires continuous and adaptive change. There have been many great leaders who understood this during their quest for improving the quality of their environment.

Flashback six year ago.  Mr. Mandela endured the challenges of managing risk his entire life. With a life purpose that burned bright, he was able to endure the journey and mitigate the threats to achieving many of his ideas. Ideas for a higher quality of life for those living and working together in South Africa.

(CBS News) People across South Africa and around the world are honoring Nelson Mandela this weekend (December 8, 2013), in spontaneous and emotional outpourings that are as much a celebration of Mandela's life as an expression of grief -- bringing home the accomplishments of the remarkable man who died this past week at age 95 after a lifetime of struggling for justice.

Whether your quest is to end apartheid, rule a nation or even a continuous battle with the Operational Risks surrounding you and your organization, the fight goes on. The process adapts to ever changing conditions, new rules, new laws and the latest formula for your adversary to achieve their goals.

Those who never lose sight of the journey, completing the endless tasks to influence change, will endure.

Operational Risk Management (ORM) requires a focus on the endgame. What does your vision of the endgame look like? Nelson Mandela achieved his and more. How long might it take to achieve yours?

15 September 2019

Never Forget: Beyond 9/11 & Adapting Inside the Enterprise...

"Being a patriot doesn't mean prioritizing service to government above all else.  Being a patriot means knowing when to protect your country, knowing when to protect your Constitution, knowing when to protect your countrymen, from the violations of and encroachments of adversaries.  And those adversaries don't have to be foreign countries."  Ed Snowden

One could wonder whether even just one of the individuals working with your organization internally or externally has the same or similar mindset of "Ed".  The question is, what are you doing as an Operational Risk Management(ORM) leader, to be legally proactive in your "Insider Threat" approach with employees, partners and your extended supply chain?

The adversary working with you inside your company, agency or partner, doesn't always start out to bring loss events to your enterprise.  It could take years, or months to develop a real justification in the adversaries mind, yet even when the activities and behaviors are evident, they are all to often missed, never understood or just too late to interrupt:
The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) are today partnering with federal agencies across the government to launch “National Insider Threat Awareness Month” during September 2019. Throughout September, the Office of the Director of National Intelligence, the Department of Defense, the FBI, the Department of Homeland Security, the Department of State and other federal agencies will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.  
How could you and your organization improve and adapt your current practices to raise the bar of excellence?  What can you do each day to make the quality and the results of your programs even better?

First, begin to understand the process by which events can trigger new behaviors in an individuals perceived stressors and lack of personal control.  Second, expand your proactive organizational toolkit, to include such proven technologies such as sentiment analysis for marketing purposes.

These same tools with the proper legal oversight and "Acceptable Use Policy" can be effective in your early warning systems.  Enterprise Risk Management also incorprates oversight and protections for privacy and civil liberties.

Here are five steps to be proactive at your organization in the U.S. this month of September 2019:
  • Create, refine and share your organizations "Insider Threat Program "(InTP) vision.
  • Educate, clarify and communicate the authorities, roles and policies of the program.
  • Validate tools, models and sources of information.
  • Plan ahead for the utilization of automated tools and human behaviors observed.
  • Seek better solutions to a continuously changing enterprise & supply chain environment.
Never Forget.  We have all heard the thought "Never Forget," when it comes to our recent anniversary of 9/11.  Yet we must simultaneously remember, that our adversary may be hiding in plain sight...

01 September 2019

InTP: Insider Threat in the IT Supply Chain...

As a Board Director with your organization a "Duty of Care" discussion could be a regular roundtable dialogue.  The question is, how often does your Board of Directors dive head first into the analysis and architecture of your "Digital Supply Chain?"

The Enterprise Architecture of your Information Technology networks is a vast set of Third Party Suppliers.

They provide you a set of Critical Infrastructure domains, such as the Power and Water Sectors to start, that seems obvious at the high level.

Yet when you begin to really understand the true suppliers to your entire IT supply chain, it is not just a simple equation.  As you analyze the Cloud Provider(s), Internet Service Providers (ISP) and the total number of Third Party Software companies that make up your spectrum of InfoTech (IT) assets, the complexity rises.

The threat rises as you add the "Human Factors" of behavior and now the Operational Risks begin to soar.  The potential for simple errors, or mistakes and unintentional events becomes exponential, at each interface of the "Digital Supply Chain," in each major process of the enterprise:
  • Management
  • Human Resources
  • Legal Counsel
  • Physical Security
  • Information Technology
  • Information Assurance
  • Data Owners
  • Software Engineers
In every company, every day, employees are hired, promoted, terminated, or resigned. Each employee transition event can create legal risks if the related systems, applications and electronic data accessible to an employee, are not properly managed to protect the company’s interests.

So what?
"A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars—paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T."
The "Operational Risk Attack Surface" internally, externally and with trusted partners, has a vast set of insider ties and trusted relationships.  This is why an organization this complex, must begin the implementation of an Insider Threat Program (InTP), especially focused in the "Digital Supply Chain...

25 August 2019

Red Team: The Unknown Adversary...

Anticipating risks and potential threats to critical assets takes a "Red Team" mentality. Communities and companies need to be training, planning and adapting to all hazards.

Whether they be the structural failure of a bridge, ransomware of major municipalities or the next major attack on our U.S. Homeland.

Critical infrastructure is physical and cyber-based systems, that are essential to the minimum operations of the economy and our government.

This means that many states are in a continuous review of their own critical infrastructure. When the analysis is done and the finger pointing is over, we will have one more example of why the public private partnership is essential for the future of government and business.

Organizations such as WashingtonDCFIRST, ChicagoFIRST and others around the U.S. are working on putting more emphasis on critical infrastructure resiliency.

InfraGard in San Francisco, Los Angeles, New York Metro, Chicago, the Nations Capital or any of the other 70+ major metro areas, is just another example of how private business is interacting with government in the context of cooperation, coordination and connecting tens of thousands of subject matter experts.

The people who can make a difference long before an incident, or minutes after one occurs, can be found in each of these local chapters. How the local community takes advantage of these resources is up to government leadership.  Since over 85% is owned and operated by the Private Sector.
"The ability to anticipate an opponent’s intent is critical to many forms of planning, analysis, design, and operations. While this need is recognized in the military and intelligence communities, infrastructure providers and first responders find themselves on the front line facing a range of potential threats, that in many cases exceed the defenders direct experience."
Having this "Red Team" mentality can save lives and dollars, through continuous exercises and a business resilience approach to discovering and eradicating new found vulnerabilities...

18 August 2019

Performance Management: Risk on the Front Line...

As a leader in your particular organization, how often during your busy day do you think about culture.  The organizational pace.  The transparency and integrity that each key leader exemplifies, as they operate each hour with employees, partners and your most important community stakeholders.

Competent leaders who model peformance management processes to make Operational Risk Management (ORM) an enabling and growth oriented mechanism, truly understand that this requires a mind-set shift.

Executing on how to enable more risk taking and catalyst innovations to achieve superior growth, requires the ability to effectively incorporate risk management into your daily work products.

When you login to your APP, create a new document, start a new e-mail or enter new data into the database in the course of your daily work, you are playing the role of an information risk manager.  When you meet with, counsel, or coach another fellow employee, you have full control of how you are achieving new levels of trust.

The degree to which you follow protocols, procedures and training involved with corporate records management, information security and work place employment policies, creates the foundation for how much risk and trust, you will generate today.

Now think about how this, will impact your continuous ability to be innovative, competitive and productive, while building a trusted culture, that employees, partners and community stakeholders will quickly recognize as trustworthy and extraordinary:
So, what is trust?  
"Trust is the affirmative output of a disciplined, analytical decision process that measures and scores the suitability of the next actions taken by you, your team, your business, or your community. Trust is the calculation of the probability of outcomes. In every interaction with the world, you are identifying, measuring, and figuring out the likelihoods. When the results are positive, you move ahead, from here to there. When the results are negative, you rarely move ahead; you stay put or you find an alternate path."   Jeffrey Ritter- Achieving Digital Trust
Turning risk management into performance management, shall begin on the front line of the enterprise, with the ideal compensation strategy and the behaviors you are seeking from your front line customer service and field-based revenue generators.

Whether it's direct or in-direct channel personnel, you have to understand how to use the right mix of compensation and incentives, to drive a revenue risk appetite, that is appropriate for your organizaition.

Performance Management could also be enabled or supressed, by the amount of power you give your 2nd Tier leadership. Do they have the ability to make a $1M decision or just $10K decisions when it comes to investing budgeted capital into their particular business unit growth?

Do they manage risk on a field or geographic level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office, dictating the way they spend or the way they invest?

The ability to know how to manage operational risk, at the point of creating new information is the nexus of several disciplines and requires substantial situational awareness training.

Every minute that goes by, with derailed leadership or a negative culture, puts the enterprise at greater risk to lost performance opportunities.

Your cultural trustworthiness depends on how effective you are as a leader, to communicate with those who you trust the most in your organization.

You need them to assist you, with perpetuating a culture that understands the relationship with operational risk and performance management simultaneously on the front line...

10 August 2019

Fusion Center: A Top Line Opportunity...

Operational Risk Management (ORM) is about managing a jigsaw puzzle of vulnerabilities and threats, that expose those weak points in community or organizational operations.

How can a U.S. community such as Las Vegas, NV, Dallas, TX, San Bernardino, CA, Dayton, OH or El Paso, TX in concert with law enforcement, public safety, emergency management and private sector entities, embrace a collaborative process to improve intelligence sharing?

Together and ultimately, to increase the ability to deter, detect, and prevent domestic terrorism while safeguarding our homeland, sometimes you have to tell a story and create a narrative.

Fusion centers bring all the relevant partners together, to maximize the ability to prevent and respond to workplace violence, terrorism and other major criminal acts. By embracing this concept, these entities are able to effectively and efficiently safeguard our homeland and maximize anti-crime efforts.

Who knew, what and when?  Even before 9/11, the private sector has embraced the idea of "Fusion Centers" and for good reason.

It has often been labeled the Security Operations Center (SOC), that includes the convergence of both the physical and information-based risk management professionals, taking place to mitigate a spectrum of risks and new opportunities.
As a Board Director or Executive Committee member of your public or private organization, the economic reasons for doing this are many and the benefits of greater insight and more rapid response are a continuous mandate.
A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to mitigate internal and external risk events, by analyzing data from a variety of internal and external sources.

When you begin to coordinate the company departments or government entities, the rules of the game calls for agreements, contracts and memorandums of understanding (MOU).  These are required to help facilitate coordination and cooperation. Here are some of the elements that should be considered:
  • Involved parties
  • Mission
  • Governance
  • Authority
  • Security
  • Assignment of personnel (removal/rotation)
  • Funding/costs
  • Civil liability/indemnification issues
  • Policies and procedures
  • Privacy
  • Terms
  • Integrity control
  • Dispute resolution process
  • Points of contact
  • Effective date/duration/modification/termination
  • Services
  • De-confliction procedure
  • Code of conduct for contractors
  • Special conditions
  • Protocols for communication and information exchange
Regardless of how much planning goes into the establishment of the corporate or the public domain fusion center, the challenges are similar. Funding, resources and attention by the power base of leadership.

One way to keep the Fusion Center at the center of the CEO's or Mayor's daily progress review comes back to economics. The top line revenue discussions here are no different than the same arguments that the head of Marketing has for the advertising budget.  The bottom line.

The Chief Marketing Officer (CMO) is consistently getting a robust piece of the budget pie because they have done an effective job of convincing everyone that advertising/branding is what generates sales leads.

Sales leads convert to top line revenue. So the question is, how many dollars produce a sales lead and what is the ratio of the number of leads generated to the number that close new revenue business.

What is the argument for the head of the Fusion Center? How does this become a top line revenue opportunity and not just a cost?

The same way advertising is justified to create leads is the same way the Fusion Center creates a different yet equally valuable risk management lead.

In either case, the data and information required to generate a lead in advertising and to generate a lead in mitigating risk begins with a hypothesis.

At today's speed of business and commerce, both are generated from raw data and information either collected internally or purchased externally to the organization. The answer lies in the Information Economics analysis exercise of generating each and the value to the community and continuous operations of the organization.

In the end, you may find that both are equally important and now it's a matter of fine tuning the ratio of budget dollars devoted to the Fusion Center vs. the Marketing Department.

If you are a Chief Risk Officer (CRO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the answer to consistently funding your Fusion Center just might be found in how timely data and information is utilized.

What is the true value to the continuous livelihood and resilience of your community or enterprise...

03 August 2019

Intelligence Factor: A Decisive Risk Element...

In this John Keegan book review by Thomas Powers of Intelligence in War: Knowledge of the Enemy from Napoleon to Al-Qaeda ; Mr. Powers captures the essence of the decisive risk element of local information:
"The real challenge in the war on terror is one we got right in the war against Nazi Germany and failed badly at in the war in Vietnam -- helping the locals do what they want to do on their own. The free French, the partisans in Yugoslavia, the Poles and the Czechs all desperately wanted the United States to win because our enemy was their enemy. In Vietnam, our locals were defeated by their locals, who just wanted us to leave.
The war on terror is something of an afterthought in Keegan's book, added because he believes intelligence is likely to be the decisive weapon. He is surely right about that. But victory won't come from big intelligence, the kind Americans are best at -- gathering so much information and acting on it in so timely a manner that the terrorists will be nailed as soon as they step out the door. Winning this contest requires an older kind of intelligence: the kind that grows out of deep knowledge of place, language, culture and people, and then getting the basic question right -- knowing what the locals want to do on their own and putting that first."
Operational Risk Management (ORM) in your particular Area of Responsibility or Enterprise, is about the mitigation of attacks on your assets and eliminating potential hazards, in order to be a more resilient foe, or competitor on the corporate battlefield. Intelligence is information. Only information at the right time and from the right source, can give you the edge to fend off the latest barrage of share holder law suits, denial of service attacks on your corporate web site or the smoldering fire in the janitors closet.

Whether that intelligence (information) is being gathered by sensors detecting smoke, packets on the network, or the late night cleaning crew; you will not have a chance of acting in time without the human element. The human factor is still the last fail safe for determination whether a "False Positive" or "True Negative" is at hand.

Human Intelligence is being gathered every hour of every day humans are talking to each other, writing to each other or walking around using other signals to communicate. The eyes and ears of your organization are what will ultimately determine whether you win or lose the risk mitigation battle you are fighting.

Managing risks to your operations requires a network of human intelligence from the front desk to the loading dock. Intelligence is being gathered on every sales call and each customer service call to the 800 number. However, it is not until you act on what you are learning, that all of this information is converted to something productive or protective.

Look around you. How many sensors and repositories of intelligence are walking around your organization today without anyway or anyone, to convert all of that raw information into a mechanism for effective Operational Risk Management?

The organization who truly understands how to capitalize on the collection of organizational intelligence and act on it without hesitation, will be the most resilient operators and the most formidable competitors on our global asymmetric business landscape...

20 July 2019

Whole Community: OPS Risk Spectrum...

Operational Risk Management is a discipline that comprises a spectrum of "All Threats and All Hazards." A "Whole Community" approach to the nexus of national security, economic security and the entirety of our citizens.

The resilience factor in your private sector organization or the entire nation, will consistently be tied to the weak links in your preparedness:
  • Prevention
  • Protection
  • Response
  • Mitigation
  • Recovery
One of these five aspects will be your nemesis, when the next incident or catastrophic event touches your company, city, state or country. These are an increasingly interdependent ecosystem that determines your resilience factor. What business units, neighborhoods, counties or states are your weak links?

With every global event, whether it be the Active Shooter/Terrorist attack, Earthquakes, Floods, Hurricanes, Fires or Oil spills, the local community has a 72 hour window that will dictate it's destiny.

Three days that will set the tone and the direction for the remaining weeks, months and years of recovery.

Time and time again we are reminded how important an effective security posture must be, before the "Whole Community" can begin to operate effectively. So what is the most effective system that focuses on people and not necessarily just a single process?

What are the correct steps soon after the event unfolds? The answer lies with the subject matter experts (SMEs) who time and time again, have been at the zero hour or day of the incident itself:
  • Security
  • Medical
  • Water
  • Shelter
  • Food
  • Counseling
Human behavior is an unpredictable factor. It can impact everything in terms of the speed and quality of post incident response. Without security, the first responders that perform medical triage will be reluctant and in harms way to treat those who may have a greater likelihood to survive.

This cascades into several discussions that we know are hot for debate. What if the first responders are your fellow tenants on the floor above you, or the office building next door? Not the professionals from the local fire or police department.

"Citizen First Responders" (CFR) are your organizations front line Operational Risk Managers.

They are the individuals who will have the "Ground Truth" and will be required to make the hard and fast decisions on what needs to be secured, who needs to be saved and where to establish incident command.

How many CFR's are ready in your organization today? Your business park? Your neighborhood? Who is in charge of security? This list goes on...

Post Incident, it all begins from the ground up with people who want to be more active as a "Citizen First Responder" that are given the programs, tools and training. Here are just three facets of the different types of CFR's that exist:
The list of Non-Government organizations (NGO), Faith-based (FBO) organizations and others that exist is exhaustive. Like most everything, you have a pyramid where only a few rise to the top to become the most effective; because they truly understand the discipline of Operational Risk Management (ORM). 

Yet security is still the concern of any civilian-based personnel and population even today.

Where is the weak link in your Operational Risk spectrum?

13 July 2019

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is continuously on every Operational Risk Management (ORM) executives mind these days.  The names Chelsea Manning and Julian Assange have been headline news for years.

In addition, the 2009 conviction under the Economic Espionage Act of 1996 in the United States, is a stark reminder of the accelerated requirements for an "Insider Threat Program" (InTP), by the counter intelligence and OPSEC units of major public and private organizations.  Flashback to a decade ago:

"A former Rockwell and Boeing engineer from Orange County, CA was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket."

How 250,000 pages of classified, proprietary and otherwise sensitive information was found under this employees house is a good question? What might be an even more interesting question is pertaining to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA a decade ago.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being, that exploits the vulnerabilities in the design, configuration or implementation of your layers of defense.

This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the changing personnel within the organization.

In collaboratin with the Information Technology organization, the Digital Operational Risks that the OPSEC team is focused on these days, has to do with Data Loss Prevention (DLP)  software platforms and proactive data exfiltration detection capabilities.

As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences, can be just as effective as the newest software running on the fastest computer box.

One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees?

Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

"The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation."

The "Integrity Interview" is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior, is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies, regarding digital assets and cyberspace access to organizational data repositories.

Individuals who have the characteristics associated with deception, could be the target of a further investigation to determine whether any unauthorized information has been sent to an encrypted webmail account or if a 2 TB Thumb Drive happened to be plugged into a corporate laptop, the night before the last day on the job.

This low tech method may still be one of the most effective means for industrial espionage. Old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasure, will not be able to thwart a diligent, patient and trusted insider.

Utilizing "Behavioral Interview Analysis" can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their asymmetric information operations strategy on the corporations and governments worldwide.

Economic espionage and attacks on nations states critical infrastructures, requires a substantial shift in policy and taxonomy, if we are ever going to be effective in protecting our IP and trade secrets.

While the CEO's and the General's are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is still conducting the behavioral analysis exit interview.

A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secrets in the purse or backpack at their feet...

06 July 2019

Business Resilience: Supply Chain Risk to National Security...

The Operational Risks associated with a major disruption is now again at the top of the Board of Directors agenda. Economic discussions inside the corporate risk management executives conference rooms, have been focused on the WEF Global Risks Report these past six months.
"The Global Risks Report 2019 is published against a backdrop of worrying geopolitical and geo-economic tensions. If unresolved, these tensions will hinder the world’s ability to deal with a growing range of collective challenges, from the mounting evidence of environmental degradation to the increasing disruptions of the Fourth Industrial Revolution."
The art of Risk Assessment and Vulnerability Management, extends far beyond the guards, gates and fire walls defending your global institutions. The risk of suppliers' "Supply Chain" disruption has grown significantly in the past few years as a result of just-in-time (JIT) inventory management.

This is further inflamed by the outsourcing momentum, as some economies continue their struggle with semiconductor trade wars or escalating natural disasters.

The implications and outcomes of a lack of effective supply chain resilience planning, can provide exposure beyond just a loss of sales. This myopic approach to effective Operational Risk Management (ORM) strategy, can extend to market share erosion and a tarnished brand image.

The risk assessment of suppliers' "Supply Chains" will not be overlooked any longer from the Board Room. More prudent audits of current supply chain exposures will take place and the corporate operations management will feel the pain for some time to come.

The independent and thorough review of the exposures to the institution are going to make some in procurement and accounting uncomfortable. The risk mitigation strategy going forward will invoke a third party review, of most supply chain strategy planning, to encompass the use of "Black Swan" scenarios and alternative thinking on the risk of volatility.

Even a survey of resilience professionals conducted by The Business Continuity Institute found that almost three quarters of supply chains had experienced significant disruption in the 12 months prior to the study.

With 28 per cent of those occurrences attributed to supplier insolvency and 20 per cent due to failure of outsource service provision, almost half of these supply chain disruptions were down to supplier or service provider failure - in other words, circumstances outside one’s own immediate control.

So how resilient is your supplier's "Supply Chain?" The security and safety of your private sector organizations supply chain is now back on the Board of Directors agenda, so how proactive is your organization?

Now think about this. What if the security and safety of your country depended upon a specialized semiconductor for an electronic component that was destined for Broadcom, Boeing, Raytheon or Cisco?

The risk of your supplier's "Supply Chain," may have significant consequences far beyond the bottom line, at the next shareholders meeting.

It could mean the difference between having a resilient economy, or even a devastating asymmetric attack on our Homeland.