28 March 2026

CRMS: Mechanisms for Continuous Risk Monitoring...

Stryker, Lloyds Bank, the European Commission, Fortinet and others have yet to announce settlements of their recent hacking and/or data breach lawsuits.


One of the systemic resilience problems at large institutions, including large global organizations like Stryker, is keeping your finger on the pulse of "Risk Indicators".


Unfortunately for SVPs and other CxO executives in the corporate hierarchy, your middle managers are creating the layer that impedes the best Early Warning System you have at your disposal.


When problems surface on the front line or in the "Cube City" down in Information Systems, the normal path is for the employee to go to their direct supervisor to raise the "Red Flag" or disclose the incident.


And the first behavioral response by the Middle Manager is to keep it quiet. Fix it before anyone else finds out. Keep it under wraps until damage control can be implemented.


When you are the head of Enterprise Risk Management, you need mechanisms to bypass and eradicate the barrier holding your intelligence, incidents and overall hunches hostage.


There is no magic system or process that will solve it all. The only way to break through this layer of social and organizational dysfunction is to circumvent it.


A continuous risk monitoring system has to be implemented and operating anonymously 24/7 if the upper echelons of executive management are ever going to "Feel the Pulse" of true risk hotspots in the company.


These hotspots translate into human "Risk Indicators" from the sources themselves, people who know what's going wrong and know the truth.


A Continuous Risk Monitoring System (CRMS) is an automated human feedback and problem identification mechanism for detecting risks. It allows leaders of large organizations to quickly identify problems and incidents of all kinds in their company.


Call it a sophisticated whistle-blower system or suggestion box, because that is exactly what it is: a suggestion box on steroids.


The ideal system would emulate the communication patterns of small groups, which are often a major ingredient in successful teams. It would also run on the existing computers and networks of the organization, or from home by logging in via a trusted VPN.


The soldiers on the front line know what is going on far sooner than the commanders in the "Joint Operations Center", just as the employee or third-party supplier does, and they need a way to communicate the issue, concern or threat rapidly and efficiently.


The system provides the executives with instant or trend-based intelligence that is actionable. It provides the "Insight" as well as the pertinent facts that you need to make quick, effective decisions.


Think about how long it takes for data and relevant information to percolate and bubble up from the places in your organization that are considered "Current Risk Hot Spots".


The point is that for far too long we have been playing the old telephone game. You know, the one that you played as a kid sitting around the kitchen table or on the floor in a circle.


One person starts and whispers into the ear of the person to their right. Just a sentence or two. By the time the message gets around to the third or fourth person, the data is dramatically different from the original. It's been interpreted, edited and sanitized.


Walk down the hall or pick up the phone and contact the person who is in charge of the corporate "Emergency Operations Plan (EOP)", electronic suggestion box or corporate whistle-blower program at your institution.


Ask them for the most recent activity log. Ask yourself how you could get this mechanism to perform better, and then work with your front line to develop something that middle management can't filter, change or delete.


That is when you will be on your way to getting the real story, much closer to real time…


20 March 2026

OPS Risk: All Hazards & Ai…

The CxOs at our global institutions have a primary "Duty of Care" to ensure the safety of employees whenever asymmetric threats take place.

There is no "Radar" that can alert you to when the next incident will occur.


This is why many institutions have taken a new "Operational Risk Management" (ORM) perspective when it comes to the “All Hazards” and events that may impact the business.


A true Operational Risk perspective has its roots in understanding exposure to risk and the likelihood of an event that might occur.


Yet how could one ever predict the rise of another so called Unabomber?


The fact is that you don't. This is why you must have an "All Hazards" worldview operating within the culture of your organization 24 x 7 x 365.


The threat could be an innocent looking “Priority Mail” package with a toxic substance or just a thick brown envelope containing the latest class action law suit.


While this kind of threat entering the mail room has affected only a few institutions, there is another battle going on in a different part of each business: a whole different type of risk in its speed and reach across our enterprises.


What OPERATIONAL RISK MANAGEMENT “Is Not” . . .

  • About avoiding risk
  • A safety only program
  • Limited to complex, high-risk evolutions
  • A program -- but a process
  • Only for on-duty
  • Just for your boss
  • Just a planning tool
  • Automatic
  • Static
  • Difficult
  • Someone else’s job
  • A well kept secret
  • A fail-safe process
  • A bunch of checklists
  • Just a bullet in a briefing guide
  • Going away


That other battle has to do with the frequency and the pervasive spectrum of new digital "Artificial Intelligence" (Ai) risks across the enterprise.


The speed of change in our global connected economy is rapidly accelerating.


You have to be operating in a “ROBUST” and complete state of preparedness for whatever the next potential incident will bring…

08 March 2026

ID Risk Management: Corporate Intelligence Unit (CIU)…

What is your name? Where do you live? What is your phone number? Where were you born? What is your social security number? What is your passport number? Where was it issued? What evidence do you have that this is all true? Your identity is at stake and Operational Risk Management is on the line.

These questions and more are asked of us on a regular basis to establish our true identity. The entity asking these questions is considering whether to grant you access. Access to what?

It could be to establish an account at a banking institution, get a driver's license or become a member of a trusted community of people. Or it could be a country deciding whether to grant you a visa to visit or work for a period of time.

Whether you are the UK admitting people into your country or a Global 500 company allowing someone access to your corporate facilities, digital assets or place of business, you must have ways to effectively validate who people say they are, and who they really are.

Even if you asked all of the questions above in the early stages of the company hiring process, would you really have the entire picture? This changes over time and with events in a person's life. Identity Management, and the use of both "known to many" and "known to few" attributes about who you are and who you know, is a reality in today's blur of global commerce.

When a country has a breach of security admitting people who are not who they purport to be, is it any different in the context of a Defense Industrial Base company headquartered in Chicago, IL or an Investment Banking firm in Geneva, Suisse? What differ are the motives and the outcomes of the fraudulent acts.

What are the current arguments and the leading reasons why our policies, methods and tools associated with Identity Management are in a state of chaos in the United States?

"What is interesting is that the same people who are coming to work every day with their TWIC or CAC cards are also victims of ID Theft as consumers."

The same individuals who walk into the SCIF or the bank vault may very well be people who have active investigations going on regarding their identity being used to perpetrate crimes or other fraudulent motivations. So what are some of the most important issues on the Identity Management horizon?

In all of the breaches, all of the incidents there is a root cause for the failure in the people, process, systems or external factor that opened up the vulnerability for the attacker to exploit and obtain their objective.

It's called Continuous Monitoring. Appendix G of US NIST SP 800-37 illustrates why "Continuous Monitoring" is critical, especially in information systems.

Private sector companies have a duty to invest in resources, policy refinement and new methods or tools to keep continuous monitoring as vigilant as possible. As the appendix puts it:

"Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. A well designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation."

Much of what we know about our employees is found in their HR files, background reports (if ever done) and what co-workers say about their behaviors in the workplace.

Corporate Security, Risk Management, General Counsel, Information Technology, Public Relations and even the EAP (Employee Assistance Program) executive managers should create, maintain and continuously operate a Corporate Intelligence Unit (CIU) and "Threat Assessment Team".

Without it, the consequences of not knowing a person's true identity or current state of mind could cost you more than the loss of life.

It could cost you or the organization its global reputation…

28 February 2026

Operational Risk: The Pursuit of Trusted Information...

Operational Risk is about Performance Management and Business Resilience. A few months ago the topic of "Compete or Die" was discussed here. Why revisit this topic?

CEOs and the Board of Directors realize the road to eliminating fear in their organization and the marketplace is through trusted information.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room.

Working towards control and protection while "Fear" builds in the back of your mind makes you stiff, depletes your energy and creates doubt. And when you are operating a business or standing on the tee of your first sudden-death hole on any PGA weekend, you had better have resilience.

The business equivalent of Homeland Security and Critical Infrastructure Protection is Operational Risk Management, a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for Operational Resilience can have "bet the firm" results.

There are numerous examples of how errors, omissions and glitches have brought down the reputations of many a Fortune 500 company. What do they all have in common that led to their demise? A lack of economic and business resilience to remain competitive in the marketplace.

The threat of Tort Liability and the loss of reputation is top of mind these days with every major global company executive. The threat is real and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive.

It alleviates the fear of doom and gloom and inspires new-found innovation. The future of your organization's longevity and its adaptability can be achieved with a new perspective. Compete or die.

Performance Management could be enabled or suppressed by the amount of power you give your leadership. Do they have the ability to make a $1M decision or $10K decisions when it comes to investing budgeted capital into their business unit growth?

Do they manage risk on a level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office dictating the way they spend or the way they invest?

The ability to know how to manage risk at the point of creating new information is the nexus of several disciplines and requires substantial training. Every minute that goes by with people not behaving correctly puts the enterprise at greater risk to lost performance opportunities.

All these issues can be summed up in a single concept: trusted information. Simply accessing data is no longer enough. Today's CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions back to the original source systems in order to ensure its timeliness, accuracy and credibility.

Over the last few decades, organizations have invested Billions of dollars in systems to collect, store and distribute information more effectively. Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures are correct, rather than what to do about the company's issues.

Additionally, they worry about the AI consequences of making strategic decisions using the wrong information, directly impacting the long-term survival of the organization.

The search for trusted information is a continuous pursuit for commanders in the "Mission Ready Room" and the "Corporate Board Room".

So how do you achieve the level of assurance that's required to make the "bet the farm" risk management decisions in your enterprise?

21 February 2026

Partnership for Protection: Continuity, Safety and Resilience...

Are your Research and Development secrets protected and safe?


Do you have a counterintelligence program operating in concert with your own Information Security strategy?


Economic Espionage is a growing concern and a top priority at many US-based global organizations.


Who do you know personally that can help you and your organization Deter, Detect, and Defend against potential attacks on your intellectual assets?


Those formulas, algorithms and new breakthrough products in beta testing are vulnerable to a barrage of social engineering and sophisticated attack tools.


The employees, suppliers and contractors operating in and around the perimeter of your organization represent the audience for your next "Tactical Awareness Program".


However, that is only the "tip of the iceberg" when it comes to your complete “Counterintelligence Strategy”.


How do you keep a consistent and pervasive mechanism in place to ensure that your greatest vulnerabilities and most valuable secrets are safe and secure?


If you ever find yourself having a conversation about the fact that your "source code" is now posted on the “Dark Web” or that a new competitor has just emerged with a very similar product as your own, then maybe the denial phase is now over.


The reality phase is kicking in and you now understand that you need a more robust management system for all employees to learn and practice. Something that they can utilize in conjunction with your most valuable suppliers and contractors.


How will you be able to create the kind of education and program strategy to make sure that your organization is not a target of corporate sabotage or economic espionage?


The rewards that your employees receive go far beyond the workplace and into their local cul-de-sac or apartment complex.


Raising people's awareness about what has happened in the past and could happen in the future is every leader's responsibility…

14 February 2026

Competition: Life Long Learning Experience…

When you were growing up in your town across the USA, they probably had all kinds of ways for you as a kid to learn about competition.

Was it the Spelling Bee? The Debate team? The high school ball games, running track or swimming meets? Cheer competitions. Car racing. The neighborhood park "Art" and "Pottery" contest. The city golf championship.

Before you headed out of your own household to universities or colleges in other states, or joined up with our Armed Forces and were stationed overseas, you really thought you understood what competition was all about, didn't you?

Or did you?

competition

com· pe· ti· tion ˌkäm-pə-ˈti-shən

1: the act or process of competing

compete

com· pete kəm-ˈpēt

1: to strive consciously or unconsciously for an objective (such as position, profit, or a prize) : be in a state of rivalry

The fact that you were in competition with others for the best example of your intellect, or your strength or your speed or your accuracy or creativity would soon become more of a life question.

"Who shall I serve in my years ahead and trust to help me navigate the joys and sorrows of my life long journey?"

How will they provide me with the wisdom and the guidance to know what is the right decision to make at the right time?

Competition in life is unavoidable, and you might wonder why some people "Win" on one day and not on another. Was it luck?

Just ask anyone who has made it to a C-Suite at Headquarters, or “Hall of Fame” or other Museum of History and the people who excelled at their particular Profession, Sport or Craft or Exploration milestone.

Have you ever heard someone say in your long competitive life: "It's not about winning and losing, it is about how you play the game"?

What does that really mean?  Is it about following the rules and playing with good manners or sportsmanship?

Competition is truly a life-learning experience whether it is played on the field, in the pool, on the mountain, on the ice rink, on the track, in the auditorium, on the stage, in the conference room or the ready room, face-to-face or online; it does not really matter.

Some may say it was lots of time and practice. Some may say it was a miracle.

What shall you learn about Competition in your own life?

Some may say it was "My Destiny"...

Godspeed!