13 October 2019

Organizational Culture: Four Steps to Wisdom...

"Each step up in learning requires a new technology platform. The technology platform that will make possible the leap from Information to Knowledge is the blending of computers and telecommunications with human actions. By the time the knowledge phase matures, around a decade from now, billions of people will use computers with no training at all. Can we imagine the technology platform that will enable us to take the final step to wisdom?" -- "Four Steps to Wisdom", from The Monster Under The Bed by Stan Davis and Jim Botkin

Stan and Jim wrote this book and it was published in 1994. Getting to wisdom is surely now upon us in 2019.  Or is it?

Maturing from step to step is not as easy as it may seem.  Think about that learning phase where your organization was taking on the chasm between "Information" and "Knowledge".  What kinds of challenges did you encounter and then conquer in your cultural transformation?

wisdom (noun)

wis·dom | \ ˈwiz-dəm \

Definition of wisdom

1a : ability to discern inner qualities and relationships : insight
b : good sense : judgment
c : generally accepted belief

The transformation in your organizations from "Knowledge" to "Wisdom" may take much longer to accomplish than the "Information" to "Knowledge" phase.  This is because your culture has not matured enough to even consider the technology platform necessary to make the leap to "Wisdom."

Davis and Botkin talk further about this:  "Business-driven learning will be organized according to the values of today's information age:  service, productivity, customization, networking, and the need to be fast, flexible, and global." (page 18)

Does this sound familiar?  Maybe you have heard the words Scrum or DevOps being thrown around in your particular organization.  Or perhaps you have started to focus on agility or innovation as the latest phase of transformation awareness in your business, agency or enterprise.

How can you and your organization take the next step if you have not achieved the previous level of maturity in your technology adoption?  The speed and depth with which you can use technology to learn effectively is a combination of factors beyond just the hardware and software.  It is also a matter of the maturity of your learning culture.

As your enterprise makes the leap from "Knowledge" to "Wisdom", the speed of change in your organizational culture must be commensurate with the speed of change in our technology platforms.

Is your organization still maintaining its own servers and hosting its e-mail internally?  There must be a really good reason why.  Yet have your techies been throwing around that new solution named "Kubernetes"?

So as you and your organization try to innovate into 2020, ask yourself:  Is our learning culture ready for the next generation of technology adoption?

06 October 2019

A Renewed Sense of Courage: Readiness, Response, Recovery...

"Abqaiq is a single point of failure that could remove millions of barrels per day from the global oil market for an extended period if damaged badly enough. It has long been identified as the top security risk worldwide.

For that reason, Abqaiq has been one of the most heavily protected places on the planet. Saudi Arabia has armed guards to protect the perimeter, and security forces actively target threats from foreign militants and domestic dissidents."  -- John Kemp, Reuters market analyst

Our U.S. Critical Infrastructure Protection is a national priority.  Our state and local governments are still pressed to do more with less and to continue to keep such a vigilant force emotionally engaged. There is still frustration with the lack of public-private coordination, yet it is improving one step at a time.

The focus on Critical Infrastructure resilience programs centers upon these four objectives:

1. Prevention Planning

2. Impact of Loss Analysis (Economic/Local)

3. Cycle Time to Recovery

4. Understanding Interdependencies

The diverse set of stakeholders who own and operate these critical assets are continuously opening new doors of trust and cooperation. Yet the private sector is still timid about revealing its greatest vulnerabilities and sharing the risk with the public sector, in order to work on mitigating or reducing this exposure.

One need look no further than the recurring breakdowns of our power grids to know that a simple lack of maintenance is sometimes the only culprit: not a natural but a man-made disaster.

So predicting the rate of failure or loss on future communications networks, pipelines, bridges, tunnels and rails could be as simple as measuring the rate of reinvestment in repair, upkeep and preventive maintenance. Yet that is not our greatest fear.

Remaining vigilant requires a more thorough understanding of the threat and of the myriad tools being utilized by criminals and nation states to attack us. Once you understand this, you realize that your greatest fear is the unknown.

The Low Probability, High Consequence event. That is what keeps all of us awake at night and what keeps us getting up in the morning, to do it all over again. We are all searching, detecting and monitoring, in hope that we are not too late once more.

And maybe even more important than this is the hope that when that day, hour or minute does arrive, we have the courage to respond, recover and revive ourselves even faster than after the last incident.

To be better. And more resilient than we ever have been before...

29 September 2019

DEF2019: Far Beyond Innovation in U.S. National Security...

"The creativity and talent of the American warfighter is our greatest enduring strength, and one we do not take for granted."  --Summary of the 2018 National Defense Strategy

Walking away from the Defense Entrepreneurs Forum #DEF2019 Annual National Conference today in Washington, DC, produces so many simultaneous thoughts and emotions.  Being together with other colleagues and "Quiet Professionals" for an entire weekend in a small yet beautiful space, reminds us why we exist and where we are continuously navigating.

The people.  Organizations don't innovate.  Your people do the thinking and have the "Neurodiversity" to produce outcomes from their own TrustDecisions.  Most organizations think culture is a set of values that you have spelled out as bullets on your web site, or on the wall in your lobby.

A Decision to Act.  A Decision to Pause.  A Decision to Stop.  A Decision to Deliver.  They are all decisions that are based upon your ability to process information and utilize your unique talents as a human being.

Culture is a management system, with passion for the mission.  Most organizations run on norms.  It's time to "Break the expletive Filter".

What kind of rebel are you?

Do you complain or do you create?

Are you "Me Focused" or are you "Mission Focused"?

What about the rules.  Do you break them or do you change them?

Do you "Alienate" or do you "Attract"?

Do you "Doubt" or do you "Believe"?

Are you "Energy Sapping" or "Energy Generating"?

Do you exemplify Anger or Passion?
-- From James "Hondo" Geurts, Assistant Secretary of the Navy for Research, Development & Acquisitions, DEF2019 Presentation

Priority is a singular noun and your structure is your culture.  The truth is, the culture of your particular business enterprise, government agency, startup or team is a direct manifestation of your own people's creative spirit and their ability to adapt and deliver outcomes through a dynamic set of decisions in your environment.

Signing off now.  It is time to go "Deliver"...

21 September 2019

Endgame: A Life of Operational Risk Management...

"After climbing a great hill, one only finds that there are many more hills to climb. I have taken a moment here to rest, to steal a view of the glorious vista that surrounds me, to look back on the distance I have come. But I can rest only for a moment, for with freedom comes responsibilities, and I dare not linger, for my long walk is not yet ended." Nelson Mandela

Operational Risk Management (ORM) is not a project with a deadline. It is a journey of a lifetime that requires continuous and adaptive change. There have been many great leaders who understood this during their quest for improving the quality of their environment.

Flashback six years ago.  Mr. Mandela endured the challenges of managing risk his entire life. With a life purpose that burned bright, he was able to endure the journey and mitigate the threats to achieving many of his ideas: ideas for a higher quality of life for those living and working together in South Africa.

(CBS News) People across South Africa and around the world are honoring Nelson Mandela this weekend (December 8, 2013), in spontaneous and emotional outpourings that are as much a celebration of Mandela's life as an expression of grief -- bringing home the accomplishments of the remarkable man who died this past week at age 95 after a lifetime of struggling for justice.

Whether your quest is to end apartheid, rule a nation or even a continuous battle with the Operational Risks surrounding you and your organization, the fight goes on. The process adapts to ever changing conditions, new rules, new laws and the latest formula for your adversary to achieve their goals.

Those who never lose sight of the journey, completing the endless tasks to influence change, will endure.

Operational Risk Management (ORM) requires a focus on the endgame. What does your vision of the endgame look like? Nelson Mandela achieved his and more. How long might it take to achieve yours?

15 September 2019

Never Forget: Beyond 9/11 & Adapting Inside the Enterprise...

"Being a patriot doesn't mean prioritizing service to government above all else.  Being a patriot means knowing when to protect your country, knowing when to protect your Constitution, knowing when to protect your countrymen, from the violations of and encroachments of adversaries.  And those adversaries don't have to be foreign countries."  Ed Snowden

One could wonder whether even just one of the individuals working with your organization, internally or externally, has the same or a similar mindset to "Ed".  The question is, what are you doing as an Operational Risk Management (ORM) leader to be legally proactive in your "Insider Threat" approach with employees, partners and your extended supply chain?

The adversary working with you inside your company, agency or partner doesn't always start out intending to bring loss events to your enterprise.  It could take months or years for a real justification to develop in the adversary's mind, yet even when the activities and behaviors are evident, they are all too often missed, never understood, or noticed just too late to interrupt:
The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) are today partnering with federal agencies across the government to launch “National Insider Threat Awareness Month” during September 2019. Throughout September, the Office of the Director of National Intelligence, the Department of Defense, the FBI, the Department of Homeland Security, the Department of State and other federal agencies will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.  
How could you and your organization improve and adapt your current practices to raise the bar of excellence?  What can you do each day to make the quality and the results of your programs even better?

First, begin to understand the process by which events can trigger new behaviors through an individual's perceived stressors and lack of personal control.  Second, expand your proactive organizational toolkit to include proven technologies such as sentiment analysis, already in wide use for marketing purposes.

These same tools, with the proper legal oversight and an "Acceptable Use Policy", can be effective in your early warning systems.  Enterprise Risk Management also incorporates oversight and protections for privacy and civil liberties.

Here are five steps to be proactive at your organization in the U.S. this month of September 2019:
  • Create, refine and share your organization's "Insider Threat Program" (InTP) vision.
  • Educate, clarify and communicate the authorities, roles and policies of the program.
  • Validate tools, models and sources of information.
  • Plan ahead for the utilization of automated tools and of the human behaviors observed.
  • Seek better solutions for a continuously changing enterprise & supply chain environment.

Never Forget.  We have all heard the phrase "Never Forget" when it comes to our recent anniversary of 9/11.  Yet we must simultaneously remember that our adversary may be hiding in plain sight...

01 September 2019

InTP: Insider Threat in the IT Supply Chain...

As a Board Director with your organization, a "Duty of Care" discussion could be a regular roundtable dialogue.  The question is, how often does your Board of Directors dive head first into the analysis and architecture of your "Digital Supply Chain"?

The Enterprise Architecture of your Information Technology networks rests on a vast set of Third Party Suppliers.

They provide you with a set of Critical Infrastructure domains, starting with the Power and Water Sectors, which seems obvious at the high level.

Yet when you begin to really understand the true suppliers to your entire IT supply chain, it is not just a simple equation.  As you analyze the Cloud Provider(s), Internet Service Providers (ISP) and the total number of Third Party Software companies that make up your spectrum of InfoTech (IT) assets, the complexity rises.

The threat rises as you add the "Human Factors" of behavior, and now the Operational Risks begin to soar.  The potential for simple errors, mistakes and unintentional events grows exponentially at each interface of the "Digital Supply Chain", in each major process of the enterprise:
  • Management
  • Human Resources
  • Legal Counsel
  • Physical Security
  • Information Technology
  • Information Assurance
  • Data Owners
  • Software Engineers

In every company, every day, employees are hired, promoted, terminated, or resign. Each employee transition event can create legal risks if the related systems, applications and electronic data accessible to that employee are not properly managed to protect the company’s interests.

So what?

"A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars—paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T."

The "Operational Risk Attack Surface", internally, externally and with trusted partners, has a vast set of insider ties and trusted relationships.  This is why an organization this complex must begin the implementation of an Insider Threat Program (InTP), especially one focused on the "Digital Supply Chain"...

25 August 2019

Red Team: The Unknown Adversary...

Anticipating risks and potential threats to critical assets takes a "Red Team" mentality. Communities and companies need to be training, planning and adapting to all hazards, whether they be the structural failure of a bridge, ransomware in major municipalities or the next major attack on our U.S. Homeland.

Critical infrastructure consists of the physical and cyber-based systems that are essential to the minimum operations of the economy and our government.

This means that many states are in a continuous review of their own critical infrastructure. When the analysis is done and the finger pointing is over, we will have one more example of why the public private partnership is essential for the future of government and business.

Organizations such as WashingtonDCFIRST, ChicagoFIRST and others around the U.S. are working on putting more emphasis on critical infrastructure resiliency.

InfraGard in San Francisco, Los Angeles, New York Metro, Chicago, the Nation's Capital or any of the other 70+ major metro areas is just another example of how private business is interacting with government in the context of cooperation, coordination and connecting tens of thousands of subject matter experts.

The people who can make a difference long before an incident, or minutes after one occurs, can be found in each of these local chapters. How the local community takes advantage of these resources is up to government leadership, since over 85% of critical infrastructure is owned and operated by the Private Sector.

"The ability to anticipate an opponent’s intent is critical to many forms of planning, analysis, design, and operations. While this need is recognized in the military and intelligence communities, infrastructure providers and first responders find themselves on the front line facing a range of potential threats, that in many cases exceed the defenders' direct experience."

Having this "Red Team" mentality can save lives and dollars, through continuous exercises and a business resilience approach to discovering and eradicating newfound vulnerabilities...

18 August 2019

Performance Management: Risk on the Front Line...

As a leader in your particular organization, how often during your busy day do you think about culture?  The organizational pace.  The transparency and integrity that each key leader exemplifies as they operate each hour with employees, partners and your most important community stakeholders.

Competent leaders who model performance management processes to make Operational Risk Management (ORM) an enabling and growth-oriented mechanism truly understand that this requires a mind-set shift.

Executing on how to enable more risk-taking and catalyze the innovations that achieve superior growth requires the ability to effectively incorporate risk management into your daily work products.

When you log in to your app, create a new document, start a new e-mail or enter new data into the database in the course of your daily work, you are playing the role of an information risk manager.  When you meet with, counsel, or coach another fellow employee, you have full control of how you are achieving new levels of trust.

The degree to which you follow the protocols, procedures and training involved with corporate records management, information security and workplace employment policies creates the foundation for how much risk and trust you will generate today.

Now think about how this will impact your continuous ability to be innovative, competitive and productive, while building a trusted culture that employees, partners and community stakeholders will quickly recognize as trustworthy and extraordinary.

So, what is trust?

"Trust is the affirmative output of a disciplined, analytical decision process that measures and scores the suitability of the next actions taken by you, your team, your business, or your community. Trust is the calculation of the probability of outcomes. In every interaction with the world, you are identifying, measuring, and figuring out the likelihoods. When the results are positive, you move ahead, from here to there. When the results are negative, you rarely move ahead; you stay put or you find an alternate path."   -- Jeffrey Ritter, Achieving Digital Trust

Turning risk management into performance management must begin on the front line of the enterprise, with the ideal compensation strategy and the behaviors you are seeking from your front line customer service and field-based revenue generators.

Whether it's direct or indirect channel personnel, you have to understand how to use the right mix of compensation and incentives to drive a revenue risk appetite that is appropriate for your organization.

Performance Management could also be enabled or suppressed by the amount of power you give your 2nd Tier leadership. Do they have the ability to make a $1M decision or just $10K decisions when it comes to investing budgeted capital into their particular business unit's growth?

Do they manage risk on a field or geographic level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office, dictating the way they spend or the way they invest?

The ability to know how to manage operational risk, at the point of creating new information is the nexus of several disciplines and requires substantial situational awareness training.

Every minute that goes by, with derailed leadership or a negative culture, puts the enterprise at greater risk to lost performance opportunities.

Your cultural trustworthiness depends on how effective you are as a leader, to communicate with those who you trust the most in your organization.

You need them to assist you, with perpetuating a culture that understands the relationship with operational risk and performance management simultaneously on the front line...

10 August 2019

Fusion Center: A Top Line Opportunity...

Operational Risk Management (ORM) is about managing a jigsaw puzzle of vulnerabilities and threats, that expose those weak points in community or organizational operations.

How can a U.S. community such as Las Vegas, NV, Dallas, TX, San Bernardino, CA, Dayton, OH or El Paso, TX, in concert with law enforcement, public safety, emergency management and private sector entities, embrace a collaborative process to improve intelligence sharing?

Together, and ultimately to increase the ability to deter, detect, and prevent domestic terrorism while safeguarding our homeland, sometimes you have to tell a story and create a narrative.

Fusion centers bring all the relevant partners together, to maximize the ability to prevent and respond to workplace violence, terrorism and other major criminal acts. By embracing this concept, these entities are able to effectively and efficiently safeguard our homeland and maximize anti-crime efforts.

Who knew what, and when?  Even before 9/11, the private sector had embraced the idea of "Fusion Centers", and for good reason.

It has often been labeled the Security Operations Center (SOC): the place where the convergence of physical and information-based risk management professionals takes place, to mitigate a spectrum of risks and to pursue new opportunities.

As a Board Director or Executive Committee member of your public or private organization, the economic reasons for doing this are many, and the benefits of greater insight and more rapid response are a continuous mandate.

A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to mitigate internal and external risk events, by analyzing data from a variety of internal and external sources.

When you begin to coordinate the company departments or government entities, the rules of the game call for agreements, contracts and memorandums of understanding (MOU).  These are required to help facilitate coordination and cooperation. Here are some of the elements that should be considered:
  • Involved parties
  • Mission
  • Governance
  • Authority
  • Security
  • Assignment of personnel (removal/rotation)
  • Funding/costs
  • Civil liability/indemnification issues
  • Policies and procedures
  • Privacy
  • Terms
  • Integrity control
  • Dispute resolution process
  • Points of contact
  • Effective date/duration/modification/termination
  • Services
  • De-confliction procedure
  • Code of conduct for contractors
  • Special conditions
  • Protocols for communication and information exchange

Regardless of how much planning goes into the establishment of the corporate or the public domain fusion center, the challenges are similar: funding, resources and attention from the power base of leadership.

One way to keep the Fusion Center at the center of the CEO's or Mayor's daily progress review comes back to economics. The top line revenue discussions here are no different than the same arguments that the head of Marketing has for the advertising budget.  The bottom line.

The Chief Marketing Officer (CMO) is consistently getting a robust piece of the budget pie because they have done an effective job of convincing everyone that advertising/branding is what generates sales leads.

Sales leads convert to top line revenue. So the question is, how many dollars produce a sales lead, and what is the ratio of the number of leads generated to the number that close new revenue business?

What is the argument for the head of the Fusion Center? How does this become a top line revenue opportunity and not just a cost?

Advertising is justified by the leads it creates; in the same way, the Fusion Center creates a different yet equally valuable lead: a risk management lead.

In either case, the data and information required to generate a lead in advertising and to generate a lead in mitigating risk begins with a hypothesis.

At today's speed of business and commerce, both are generated from raw data and information either collected internally or purchased externally to the organization. The answer lies in the Information Economics analysis exercise of generating each and the value to the community and continuous operations of the organization.

In the end, you may find that both are equally important and now it's a matter of fine tuning the ratio of budget dollars devoted to the Fusion Center vs. the Marketing Department.

If you are a Chief Risk Officer (CRO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the answer to consistently funding your Fusion Center just might be found in how timely data and information is utilized.

What is the true value to the continuous livelihood and resilience of your community or enterprise...

03 August 2019

Intelligence Factor: A Decisive Risk Element...

In his review of John Keegan's book Intelligence in War: Knowledge of the Enemy from Napoleon to Al-Qaeda, Thomas Powers captures the essence of the decisive risk element of local information:
"The real challenge in the war on terror is one we got right in the war against Nazi Germany and failed badly at in the war in Vietnam -- helping the locals do what they want to do on their own. The free French, the partisans in Yugoslavia, the Poles and the Czechs all desperately wanted the United States to win because our enemy was their enemy. In Vietnam, our locals were defeated by their locals, who just wanted us to leave.
The war on terror is something of an afterthought in Keegan's book, added because he believes intelligence is likely to be the decisive weapon. He is surely right about that. But victory won't come from big intelligence, the kind Americans are best at -- gathering so much information and acting on it in so timely a manner that the terrorists will be nailed as soon as they step out the door. Winning this contest requires an older kind of intelligence: the kind that grows out of deep knowledge of place, language, culture and people, and then getting the basic question right -- knowing what the locals want to do on their own and putting that first."

Operational Risk Management (ORM) in your particular Area of Responsibility or Enterprise is about the mitigation of attacks on your assets and the elimination of potential hazards, in order to be a more resilient foe, or competitor, on the corporate battlefield. Intelligence is information. Only information at the right time and from the right source can give you the edge to fend off the latest barrage of shareholder lawsuits, denial of service attacks on your corporate web site, or the smoldering fire in the janitor's closet.

Whether that intelligence (information) is being gathered by sensors detecting smoke, packets on the network, or the late night cleaning crew, you will not have a chance of acting in time without the human element. The human factor is still the last fail-safe for determining whether a "False Positive" or a "True Negative" is at hand.

Human Intelligence is being gathered every hour of every day, as humans talk to each other, write to each other or walk around using other signals to communicate. The eyes and ears of your organization are what will ultimately determine whether you win or lose the risk mitigation battle you are fighting.

Managing risks to your operations requires a network of human intelligence from the front desk to the loading dock. Intelligence is being gathered on every sales call and each customer service call to the 800 number. However, it is not until you act on what you are learning, that all of this information is converted to something productive or protective.

Look around you. How many sensors and repositories of intelligence are walking around your organization today without any way, or anyone, to convert all of that raw information into a mechanism for effective Operational Risk Management?

The organization that truly understands how to capitalize on the collection of organizational intelligence, and acts on it without hesitation, will be the most resilient operator and the most formidable competitor on our global asymmetric business landscape...

20 July 2019

Whole Community: OPS Risk Spectrum...

Operational Risk Management is a discipline that comprises a spectrum of "All Threats and All Hazards." It is a "Whole Community" approach to the nexus of national security, economic security and the entirety of our citizens.

The resilience factor in your private sector organization or the entire nation, will consistently be tied to the weak links in your preparedness:
  • Prevention
  • Protection
  • Response
  • Mitigation
  • Recovery

One of these five aspects will be your nemesis when the next incident or catastrophic event touches your company, city, state or country. Together they form an increasingly interdependent ecosystem that determines your resilience factor. Which business units, neighborhoods, counties or states are your weak links?

With every global event, whether it be an Active Shooter/Terrorist attack, Earthquake, Flood, Hurricane, Fire or Oil spill, the local community has a 72 hour window that will dictate its destiny.

Three days that will set the tone and the direction for the remaining weeks, months and years of recovery.

Time and time again we are reminded how important an effective security posture must be, before the "Whole Community" can begin to operate effectively. So what is the most effective system that focuses on people and not necessarily just a single process?

What are the correct steps soon after the event unfolds? The answer lies with the subject matter experts (SMEs) who time and time again, have been at the zero hour or day of the incident itself:
  • Security
  • Medical
  • Water
  • Shelter
  • Food
  • Counseling

Human behavior is an unpredictable factor. It can impact everything in terms of the speed and quality of post-incident response. Without security, the first responders who perform medical triage will be reluctant, and in harm's way, to treat those who have the greater likelihood of survival.

This cascades into several discussions that we know are hot for debate. What if the first responders are your fellow tenants on the floor above you, or the office building next door? Not the professionals from the local fire or police department.

"Citizen First Responders" (CFR) are your organization's front line Operational Risk Managers.

They are the individuals who will have the "Ground Truth" and will be required to make the hard and fast decisions on what needs to be secured, who needs to be saved and where to establish incident command.

How many CFRs are ready in your organization today? Your business park? Your neighborhood? Who is in charge of security? This list goes on...

Post Incident, it all begins from the ground up with people who want to be more active as a "Citizen First Responder" and who are given the programs, tools and training. Here are just three facets of the different types of CFRs that exist:
The list of Non-Government organizations (NGO), Faith-based organizations (FBO) and others that exist is extensive. Like most everything, you have a pyramid where only a few rise to the top to become the most effective, because they truly understand the discipline of Operational Risk Management (ORM).

Yet security is still the concern of any civilian-based personnel and population even today.

Where is the weak link in your Operational Risk spectrum?

13 July 2019

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is continuously on every Operational Risk Management (ORM) executive's mind these days.  The names Chelsea Manning and Julian Assange have been headline news for years.

In addition, the 2009 conviction under the Economic Espionage Act of 1996 in the United States is a stark reminder of the accelerated requirements for an "Insider Threat Program" (InTP) by the counter intelligence and OPSEC units of major public and private organizations.  Flashback to a decade ago:

"A former Rockwell and Boeing engineer from Orange County, CA was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket."

How 250,000 pages of classified, proprietary and otherwise sensitive information came to be found under this employee's house is a good question. What might be an even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA a decade ago.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being that exploits the vulnerabilities in the design, configuration or implementation of your layers of defense.

This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the changing personnel within the organization.

In collaboration with the Information Technology organization, the Digital Operational Risks that the OPSEC team is focused on these days have to do with Data Loss Prevention (DLP) software platforms and proactive data exfiltration detection capabilities.

As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences, can be just as effective as the newest software running on the fastest computer box.

One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees?

Those individuals who have certain access to systems or information, who leave the organization for involuntary reasons, or who may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

"The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation."

The "Integrity Interview" is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies, regarding digital assets and cyberspace access to organizational data repositories.

Individuals who have the characteristics associated with deception, could be the target of a further investigation to determine whether any unauthorized information has been sent to an encrypted webmail account or if a 2 TB Thumb Drive happened to be plugged into a corporate laptop, the night before the last day on the job.
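The targeted investigation described above (webmail uploads, a large thumb drive plugged in the night before the last day) and the DLP / exfiltration detection mentioned earlier in this post can be joined into one review queue for the OPSEC team. The following is an added example written for this page; it is not the author's or any vendor's code. Everything in it is constructed: the employee ids, the HR last-day dates, the endpoint and DLP event lines, the event-line format and the scoring weights are assumptions for illustration.

```python
"""Correlate an HR off-boarding list with endpoint/DLP events to rank departing users
for review (constructed sample data; assumed event-line format and assumed weights)."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed HR off-boarding list: employee id -> last working day.
DEPARTING: Dict[str, datetime] = {
    "e1042": datetime(2019, 6, 28),
    "e2077": datetime(2019, 7, 12),
}

# Constructed endpoint / DLP event lines. Assumed format:
# "<ISO timestamp> <user> <EVENT_TYPE> <key=value ...>"
SAMPLE_EVENTS: List[str] = [
    "2019-06-27T21:00:00 e1042 LOGIN src=10.1.2.3",
    "2019-06-27T22:41:05 e1042 USB_MASS_STORAGE_MOUNT capacity_gb=2000",
    "2019-06-27T22:43:17 e1042 FILE_COPY dest=removable bytes=734003200",
    "2019-06-27T23:10:02 e1042 WEBMAIL_UPLOAD host=webmail.example.test bytes=52428800",
    "2019-06-20T09:15:00 e2077 WEBMAIL_UPLOAD host=webmail.example.test bytes=120000",
    "2019-06-25T14:02:11 e3190 USB_MASS_STORAGE_MOUNT capacity_gb=32",
]

# Illustrative weights (assumption, not a vendor scheme): the event types the post
# names as worth a closer look during an exit review.
EVENT_WEIGHT = {"USB_MASS_STORAGE_MOUNT": 3, "FILE_COPY": 2, "WEBMAIL_UPLOAD": 2}
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB, assumed threshold


def parse_event(line: str) -> dict:
    """Split one event line into a dict of its fixed fields plus any key=value pairs."""
    ts, user, etype, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "type": etype, **fields}


def score_event(ev: dict, last_day: datetime) -> int:
    """Weight an event by type, then add bonuses for timing and volume.
    Returns 0 for event types that are not exfiltration-relevant."""
    weight = EVENT_WEIGHT.get(ev["type"], 0)
    if weight == 0:
        return 0
    score = weight
    if last_day - ev["ts"] <= timedelta(hours=36):   # night before / day of departure
        score += 2
    if ev["ts"].hour < 7 or ev["ts"].hour >= 19:      # outside business hours
        score += 1
    if int(ev.get("bytes", 0)) >= LARGE_TRANSFER_BYTES:
        score += 1
    return score


def departing_exfil_review(lines, departing, window_days=14):
    """Build {user: {"score": n, "events": [...]}} for departing users whose events in the
    last `window_days` before departure look like data movement worth an exit interview."""
    review = {}
    for line in lines:
        ev = parse_event(line)
        last_day = departing.get(ev["user"])
        if last_day is None:
            continue  # not on the off-boarding list
        start, end = last_day - timedelta(days=window_days), last_day + timedelta(days=1)
        if not (start <= ev["ts"] <= end):
            continue  # outside the pre-departure window
        s = score_event(ev, last_day)
        if s == 0:
            continue
        entry = review.setdefault(ev["user"], {"score": 0, "events": []})
        entry["score"] += s
        entry["events"].append(f"{ev['ts'].isoformat()} {ev['type']} (+{s})")
    return review


if __name__ == "__main__":
    for user, entry in sorted(departing_exfil_review(SAMPLE_EVENTS, DEPARTING).items(),
                              key=lambda kv: -kv[1]["score"]):
        print(user, entry["score"], *entry["events"], sep="\n  ")
```

On the constructed data only e1042 surfaces: three after-hours events within 36 hours of the last day, one of them a large copy to removable media. e2077's small upload falls outside the 14-day window and e3190 is not departing, so neither is queued. The output is a prioritized list for a human conversation, which is the point the post makes; the weights and window are the parameters an OPSEC team would tune against its own false-positive rate.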

This low tech method may still be one of the most effective means for industrial espionage. Old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasure, will not be able to thwart a diligent, patient and trusted insider.

Utilizing "Behavioral Interview Analysis" can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their asymmetric information operations strategy on the corporations and governments worldwide.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy, if we are ever going to be effective in protecting our IP and trade secrets.

While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is still conducting the behavioral analysis exit interview.

A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secrets in the purse or backpack at their feet...

06 July 2019

Business Resilience: Supply Chain Risk to National Security...

The Operational Risks associated with a major disruption are now again at the top of the Board of Directors agenda. Economic discussions inside the corporate risk management executives' conference rooms have been focused on the WEF Global Risks Report these past six months.
"The Global Risks Report 2019 is published against a backdrop of worrying geopolitical and geo-economic tensions. If unresolved, these tensions will hinder the world’s ability to deal with a growing range of collective challenges, from the mounting evidence of environmental degradation to the increasing disruptions of the Fourth Industrial Revolution."
The art of Risk Assessment and Vulnerability Management extends far beyond the guards, gates and firewalls defending your global institutions. The risk of suppliers' "Supply Chain" disruption has grown significantly in the past few years as a result of just-in-time (JIT) inventory management.

This is further inflamed by the outsourcing momentum, as some economies continue their struggle with semiconductor trade wars or escalating natural disasters.

The implications and outcomes of a lack of effective supply chain resilience planning can create exposure beyond just a loss of sales. The consequences of this myopic approach to Operational Risk Management (ORM) strategy can extend to market share erosion and a tarnished brand image.

The risk assessment of suppliers' "Supply Chains" will not be overlooked any longer from the Board Room. More prudent audits of current supply chain exposures will take place and the corporate operations management will feel the pain for some time to come.

The independent and thorough review of the exposures to the institution are going to make some in procurement and accounting uncomfortable. The risk mitigation strategy going forward will invoke a third party review, of most supply chain strategy planning, to encompass the use of "Black Swan" scenarios and alternative thinking on the risk of volatility.

Even a survey of resilience professionals conducted by The Business Continuity Institute found that almost three quarters of supply chains had experienced significant disruption in the 12 months prior to the study.

With 28 per cent of those occurrences attributed to supplier insolvency and 20 per cent due to failure of outsource service provision, almost half of these supply chain disruptions were down to supplier or service provider failure - in other words, circumstances outside one’s own immediate control.

So how resilient is your supplier's "Supply Chain?" The security and safety of your private sector organization's supply chain is now back on the Board of Directors agenda, so how proactive is your organization?

Now think about this. What if the security and safety of your country depended upon a specialized semiconductor for an electronic component that was destined for Broadcom, Boeing, Raytheon or Cisco?

The risk of your supplier's "Supply Chain," may have significant consequences far beyond the bottom line, at the next shareholders meeting.

It could mean the difference between having a resilient economy, or even a devastating asymmetric attack on our Homeland.

29 June 2019

The One Percent Doctrine: Prepared When Things Go Wrong...

"There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  --Stanley A. McChrystal

In David Suskind's book The One Percent Doctrine we are reminded that planners need to continue to focus on the 1%.  The "One Percent" doctrine considers threats with even a 1% likelihood, to be treated as certainties.  How proactive are you and your organization?

Do you think you're spending too much time with your team planning and training? You haven't.

Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong.

The organizations whose teams have proactively planned for every possible scenario and trained together in live simulations will become the most resilient to uncertain change.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like, let alone know what to do next to mitigate the risk to them and the organization?

Even if Mr. Suskind's book is somewhat critical of the US Government, looking in our own corporate mirror of preparedness should be enough to get most executives rethinking their resource allocations, in the current and future budget, for planning, rehearsing and exercising for uncertain events:
Analysts at two security firms, Crowdstrike and Dragos, tell WIRED that they've seen a new campaign of targeted phishing emails sent to a variety of US targets last week from a hacker group known by the names APT33, Magnallium, or Refined Kitten and widely believed to be working in the service of the Iranian government. Dragos named the Department of Energy and US national labs as some of the half-dozen targeted organizations. A third security firm, FireEye, independently confirmed that it's seen a broad Iranian phishing campaign targeting both government agencies and private sector companies in the US and Europe, without naming APT33 specifically. None of the companies had any knowledge of successful intrusions.

22 June 2019

Cyber Risk: Human Factors vs. Automation...

Operational Risk Management (ORM) is a growing multi-faceted mosaic comprised of people, processes, systems and external events. The risks to the enterprise are increasing at a dynamic speed and trajectory that requires the use of automated tools.

This is where risk to the enterprise may actually expand as executives and operational management rely on software to provide information assurance. The design and architecture of software needs a human-based fail-safe. It requires a human interface that allows and simultaneously requires human intervention. Has too much automation contributed to our increased levels of vulnerability?

Fortunately, the software designs have allowed for these opportunities and for a human-factor to ask "What if" questions. Those questions that may arise after an automated alert from the system tells us that something is outside the baseline parameters set for the system, the sensor or the alarm.

Now we go back to Operational Risk and the nature of thinking from a security and safety perspective. What is the continued reliance on automated systems doing to the human capital who have been charged with the overall "Standard of Care" for the enterprise?

We believe that they may have lost the ability to ask the right questions, at the right moment and with the correct contextual understanding.

What is the truth? Is it true? What evidence do we have that this is true? How do you know that the evidence is not spoiled or compromised? If we know the truth, then what do we do next? Is the software really telling us the truth?

The security and the safety of the enterprise is counting on you. And more importantly, the enterprise is asking you to question the software. The "rule-sets" that you have chosen as a result of the programmers' and architects' decisions can no longer be trusted.

Is our system learning? In what capacity is the system learning in context with the human interaction for judgement, intuition and ethical emotions? Are you with us? The next generation of "Cyber Security" Innovators are now at the edge of significant new breakthroughs and solutions.

"Active Defense" has been and is a controversial topic du jour, yet the next few years will be a new age of understanding, cultural bifurcations and significant global collaboration.

Our entire platform of digital trust is at stake and the conversation has finally made its way to the nation state policy levels.

Operational Risk Management (ORM) will remain a key factor in decision points for the enterprise, the consumer and the operators of critical infrastructure across the globe.

Let's work on keeping the human factor in the loop as automation continues to give us a false sense of security and safety...

15 June 2019

Fatherhood: Reflecting on a Wondrous Journey...

After 31 years of experience as a Husband and a Father, the emotions are heartfelt this June 16th, 2019.  The eyes are moist, thinking of so many wonderful memories.  My Daughter and Son have a Dad who has been there for them, whenever they cried or whenever they called (texted).

Having a day of recognition as a Father is twofold, especially if your reflection is on the journey of marriage as being completely integrated.  Seeing the wonderful process of being a Dad, is completely enhanced when your life partner is there by your side, to share all that life together has to offer.

When you have the responsibility and the challenges of Fatherhood in front of you, the only context you have is your own childhood.  Father's Day is not just about anticipating the future, yet it is also reflecting on your own past.  How are you the same or different than your own Father?

You have the opportunity from day one as a Dad to be different and to be better.  You will lose sleep and you will ask yourself how to achieve all that you had growing up and so much more for your own kids.  Everyone has a Father, and you have a choice.

Are you capable of being a true partner with your wife to develop a wondrous team effort?  How will you work together to solve problems, provide all that a child requires in their first two decades of life?  And then that point in time arrives sooner than you wished, the day your child drives off for the first time in your automobile alone.

This is the point in time as a Father when you feel so helpless and at a loss of control as a parent.  Think back to the past 16 or so years at that point.  This is when prayer is even more of a refuge.

To my Daughter T. and Son C. on Father's Day.  I am so proud of both of you.  Thank you for being my kids who allow me to love them so much.  Thank you to my wife C. for finding me, understanding me and giving us such wonderful children...so much love to all!

Happy Father's Day 2019

08 June 2019

New Vision: Security Operations Center and CIU...

Flashback over 8 years ago when there was a convergence of thinking about the topic of a "Defensible Standard of Care" going on in the industry.

The key Operational Risk Management news from the 2011 RSA Conference was coming in, yet there were inside sources who still needed to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addressed much of the thinking on the latest evolution of the Security Operations Center (SOC).  How much of this is still relevant today:

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic typography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker’s reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals – and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.
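The "Attack modeling" element above describes finding the most efficient means of severing an attack path at the lowest defense cost. One concrete way to frame that is as a minimum cut: model access relationships as a directed graph from the entry point to the "crown jewels", weight each edge by the assumed cost of adding a control that removes that access, and the min cut is the cheapest set of controls that isolates the asset. The block below is an added example written for this page; it is not RSA Laboratories' model and not the page's own code. The node names and the edge costs are constructed for illustration, and the max-flow routine is a plain Edmonds-Karp implementation.

```python
"""Cheapest set of controls that severs every path from an entry point to a crown-jewel
asset, computed as a min cut over a constructed access graph (illustrative costs)."""
from collections import defaultdict, deque
from typing import List, Tuple

Edge = Tuple[str, str, int]  # (from_node, to_node, assumed cost to sever this access)

# Constructed access graph. Costs are assumptions: e.g. re-segmenting the VPN is pricier
# than restricting one application account to the database.
ACCESS_GRAPH: List[Edge] = [
    ("internet", "vpn_gateway", 4),
    ("internet", "web_app", 2),
    ("vpn_gateway", "workstation", 3),
    ("web_app", "app_server", 2),
    ("workstation", "file_server", 5),
    ("workstation", "app_server", 1),
    ("app_server", "crown_jewel_db", 1),
    ("file_server", "crown_jewel_db", 2),
]


def min_cut(edges: List[Edge], source: str, sink: str):
    """Edmonds-Karp max flow; by max-flow/min-cut the flow value equals the cheapest
    cut and the edges leaving the residual-reachable set are that cut.
    Returns (total_cost, [edges to sever])."""
    residual = defaultdict(dict)
    for u, v, c in edges:
        residual[u][v] = residual[u].get(v, 0) + c
        residual[v].setdefault(u, 0)          # reverse edge for flow cancellation

    def bfs_path():
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, cap in residual[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        return parent if sink in parent else None

    total = 0
    while (parent := bfs_path()) is not None:
        bottleneck, v = float("inf"), sink
        while parent[v] is not None:          # find the tightest edge on the path
            bottleneck = min(bottleneck, residual[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:          # push flow, open the reverse edges
            u = parent[v]
            residual[u][v] -= bottleneck
            residual[v][u] += bottleneck
            v = u
        total += bottleneck

    reachable, queue = {source}, deque([source])
    while queue:
        u = queue.popleft()
        for v, cap in residual[u].items():
            if cap > 0 and v not in reachable:
                reachable.add(v)
                queue.append(v)
    cut = [(u, v, c) for u, v, c in edges if u in reachable and v not in reachable]
    return total, cut


def has_path(edges: List[Edge], source: str, sink: str) -> bool:
    """Plain reachability check, used to confirm the cut really isolates the asset."""
    adj = defaultdict(list)
    for u, v, _ in edges:
        adj[u].append(v)
    seen, queue = {source}, deque([source])
    while queue:
        u = queue.popleft()
        if u == sink:
            return True
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False


if __name__ == "__main__":
    cost, cut = min_cut(ACCESS_GRAPH, "internet", "crown_jewel_db")
    print("cheapest isolation cost:", cost)
    for u, v, c in cut:
        print(f"  sever {u} -> {v} (cost {c})")
    remaining = [e for e in ACCESS_GRAPH if e not in cut]
    print("asset still reachable:", has_path(remaining, "internet", "crown_jewel_db"))
```

On the constructed graph the answer is to sever the two edges into the database (cost 3) rather than anything upstream; cutting at the perimeter would cost 6. The same computation generalizes to any access graph a SOC can draw, and it is the defender's side of the modeling the element describes: the attacker needs the map to plan, the defender uses the same map to decide where one control removes the most paths per dollar.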
The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets?

Who in your company is the one who determines what items are counted as losses to the bottom line?

Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days?

Who picks up the phone to answer the call from the local FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people however need to be part of the combined Security Operations Center solution in the company.

The Advanced Persistent Threat (APT) now requires the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership.

If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" in years past :

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU. It includes effective processes and procedures that provide a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners, increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "DecisionAdvantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistle blower report, catch the attacker and/or they have the evidence that you were a victim.
How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat.
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.
Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise, may even become a priority at the next "Board of Directors" meeting.

01 June 2019

Trust Decisions: Never Stop Questioning...

"Learn from yesterday, live for today, hope for tomorrow.  The important thing is not to stop questioning."  --Albert Einstein
What sources are influencing your "Trust Decisions" today?

The front page of the "Washington Post."  The e-mail from a parent.  The text message from a loved one.  A phone call from your commander or a work supervisor.

What does your future look like next week?  Next month.  Or next year.  You might think you have it all planned out and on your calendar.  Or maybe you have not even thought about it yet.

Which person are you?

One certainty is, that you will experience the unexpected and you will simultaneously be required to adapt, to adjust and to be agile, in order to respond to the changes in your day, your plan and in your life.

As a true leader in your business, in your agency, in your tribe or in your family, is there anyone you know, that asks questions all the time?  Here is a question.  Why does this bother you?

How will you achieve your latest objectives?  Most likely because you have a continuous passion for asking questions.  Then you truly listen.  You take the time to think.  You now make your "Trust Decisions" to act.

Albert Einstein was correct...

25 May 2019

Memorial Day 2019: The Courage of Risk Decisions...

Walking through Section 60 at Arlington National Cemetery on Memorial Day weekend is a stark reminder of the Operational Risk Management challenges we have faced these past 18+ years.  One example can be found in the budget at the Pentagon, on how to defeat the IED.

Billions of dollars are devoted to the strategies and tactics to keep U.S. "boots on the ground" on foreign lands from becoming KIA, an amputee or another invisible wound such as Traumatic Brain Injury or Post Traumatic Stress.

Regardless of the dollars devoted, many grave markers in Section 60 have birth dates in the 1980's and 1990's.  Standing there remembering Neil, a tear rolled down a cheek and the wind quickly blew it away...
"Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service[3]."
If you are currently in the military we will thank you for your courage of service on Veterans Day, as we have before.  This day however, is for those in the U.S. forces who have died while serving.

Simultaneously, we must thank all of the other "Operational Risk Management" subject matter experts.  The "Quiet Professionals" who operate everyday in the shadows.  We hope that their decisions will continue to be the right ones.  They live each day with the burden of managing risk decisions, that could send another U.S. patriot on their way to Section 60 or a remembrance "Star" on the wall at Langley.

This Memorial Day and each day after, an average of 22 veterans will take their own lives.  Here in their own home town, in their own country.

The risks that each of us take in our chosen careers and life decisions, is a mosaic of future events that can be managed.  The likelihood and impact of those risks can be assessed and decisions can be made.  What risks will be mitigated, accepted or avoided all together?

It is up to you.  These courageous decisions will determine your risk appetite and your willingness for the consequences of your choice.

On our July 4th birthday, we will all remember why we celebrate Memorial Day in the United States.

It is worth the sacrifice, the loss and the tears.  God bless our heroes and our great nation...

11 May 2019

Insider Threat: Corporate Integrity Culture...

Does your organization have a culture of "Corporate Integrity?" One can only wonder how these findings have changed since these results were published.

The depth and breadth of Operational Risks were apparent over eight years ago in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the reasons given for not referring "Insiders" for legal action, the one that stands out in our mind is this: 40% could not identify the individual(s) responsible for committing the eCrime. Maybe even more astonishing is that 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.

So what is really going on with these survey results? Even though the respondents attribute 33% of the most costly incidents to "Insiders", they have done little to collect enough evidence to identify who the responsible parties are. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, yet what about the "Unknowns" who add another 29%? The combination of the two makes up 62% of all the incidents in the study.

This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information, and the use of that information, is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret.

Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insider" threats.

In your particular case, it just may come down to developing more effective situational awareness with your employees.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.

Next, all senior staff attend the program, and webcasts made up of several 5-minute clips from the one-day session are posted on the corporate Intranet.

Finally, the roll out for the remainder of the employees is tied to the annual 360-degree review that each manager conducts with their subordinates in the company.

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report incidents and other integrity concerns.

Periodic training throughout an employee's career reinforces awareness of expected behavior and of the cost of internal incidents.

If your organization does not currently have a program like the one described above, then maybe it's time to start one.

If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization...

04 May 2019

Neurodiversity: Leveraging the Capital of the 4th Industrial Revolution...

"Grasping the opportunities and managing the challenges of the Fourth Industrial Revolution require a thriving civil society deeply engaged with the development, use, and governance of emerging technologies. However, how have organizations in civil society been responding to the opportunities and challenges of digital and emerging technologies in society? What is the role of civil society in using these new powerful tools or responding to Fourth Industrial Revolution challenges to accountability, transparency, and fairness?"  World Economic Forum

Is automation the current answer to all of our problems?  When will the research tell us the true impact of too much "Screen-Time" on our brains?  What will be the next terror incident in our society that is "broadcast live" over the Internet?

These questions and more are on the minds of community leaders in government, the R&D scientists and also the Chief Operational Risk Officer of your organization.

Our cultures, innovators and tools are on a major collision course that will prove to be more challenging than we could ever have anticipated.  Even those working in the early days of the IBM Watson project would probably tell you of their fears of the future.

Yet our youth across the globe are being submerged in technology and software interfaces so early in life that they may not learn how to think or work in manual/analog mode.  They will only have the creativity to code or to automate with software, unaware that history may have accomplished some of the same tasks without software, hundreds of years ago.

How might the older generations teach the younger generations about the way it used to be done?  Why would we even try to do this in a more manual method or process?  To provide context and generate cognitive creativity.

The truth is that educators believe the innovation of technologies is driving their curriculum and our communities' own economic development.  The impacts of automation and technology are being continuously researched in the wave of change known as the "Fourth Industrial Revolution".

These trends have significant risk implications for our workforce and for the future opportunities in the vocational education and training of our future force.  This is clearly evident across our communities, business entities, military service and government policy.

The rapid adoption of digital innovation has impacted the requirements of certain knowledge workers to be more versatile.  They must be more adaptive, collaborative and have expanded skill-based capabilities for problem-solving.

Do not underestimate the importance of the soft skills and people skills for continuous development and reducing risk.  Simultaneously, we must understand the impact of advanced technologies on our workforce and the real opportunities in leveraging our neurodiversity assets.

How might we better understand the diagnostics of our own human capital, to leverage and apply the right people, with the correct technology, in the most compatible job?

What is your business, military branch or government agency doing today to cross-train and educate your employees?

When was the last time you put your STEM engineering group through a soft-skills course on communications?  How might your business development team become immersed in the new design for a next generation digital tool?

So what?

The Operational Risk before you is all about people and your evolving human capital.  When was the last time your Board of Directors contemplated the interaction with your Human Resources department and the workforce recruitment processes?

When was the training of newly hired employees, and even of employees with 1, 3 and 5 years or more of tenure, last focused on new soft skills?  New skills and techniques for Collaborative Dialogue, Negotiation or Management Coaching?

The human capital risks in your organization are changing rapidly and they are not always about automation and disruptive technologies.

The greatest risk to you and our society is your management's failure to recognize and apply what you have learned about your people...

28 April 2019

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to their people, processes, systems and structures.  The Board of Directors stands to be better equipped for sustained continuity.

Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative with Operational Risk Management (ORM) that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial.

What is less easy to analyze from a threat perspective is the constantly changing landscape and continuity posture of the many facets of the organization having to do with people, processes and systems.

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud and Cyber-related incidents
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in the post-employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions, because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”.

A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door to a Board of Directors' worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated altogether.

Most of the best practices talk about a BCCM plan, that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates?

How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization, if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.

As new and terminated employees, suppliers and partners enter and leave the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

So what?

Boards of Directors have the responsibility to ensure the resilience of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.

It’s the shareholders’ duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

Managing Risk: 100 Years and Beyond...

Senior executives continue to wonder why they are continually surprised by certain incidents or events that take place within their enterprise. Operational Risk exposure is hard to manage without a robust risk management system that is constantly monitoring the business environment you operate in and the people that work within that environment.

If you asked any CEO of a Fortune 500 company about their current financial condition or market position they would be able to answer with confidence and with valid facts and figures to support the statements.

Yet if you were to ask the same CEO, about their current exposure to Operational Risks, you may get a "Deer in the Headlights" look, followed by less than confident facts about their proactive, preventive or defensive strategies to address:
  • Governance, Regulatory and Compliance (GRC)
  • Employee Ethics, Malfeasance, Fraud and Corruption
  • Continuity of Business Systems Operations
  • Supply Chain Cyber Resilience
  • Litigation and Class Action Suits
Yet Operational Risks erode corporate earnings and impact the reputation of the enterprise in the marketplace. The Board of Directors is charged with understanding Operational Risks and how these are being addressed in concert with the organization's strategies for growth or mergers and acquisitions.

They are continually asking for more effective risk management systems from the organization and the CEO should be well versed in what, where, who and why they are addressing the threats and the likelihood of these events taking place.

The point is, as the CEO you have no idea when the next significant business disruption that impacts the organization is going to take place. Therefore, the CEO and the enterprise must accept the fact that these Operational Risk events are going to occur, and when they do, the CEO must know what to do immediately and who will assist them with the incident before them.

So if this is the case, that you as a senior corporate leader agree that you can't ever know where or when the next threat is going to take place, then the question presents itself, what are you and the enterprise doing "Today" to mitigate the threat or prepare for the response?

You see, every day is a training day, and if the organization is not testing itself in some place or some way, the next incident that presents itself could be the final blow: the event that brings the entire enterprise to its knees, or the failure that changes the entire world's perception of who you are and what you represent.

With the stakes that high, wouldn't you want to know what people in the organization are doing each day to manage risks in their business unit, department and section? What are the contingency plans and when was the last time they were exercised? Is once a year enough, based upon the speed of change in your business environment? Maybe not.

Are you Indispensable? To your employees, your shareholders, your customers? The fact is that you and your organization are not as ready as you could be and you are not as indispensable as you want to be.

There are plenty of examples out there on the planet, however, that make sense to model, examine and learn from, based upon the way they behave in the marketplace and the value they bring from being so consistent, reputable and resilient to all that the risk environment can throw at them. They are not perfect, but maybe close:

Of the top 25 industrial corporations in the United States in 1900, only two remained on that list at the start of the 1960s. And of the top 25 companies on the Fortune 500 in 1961, only about six remain there today.

Some of the leaders of those companies that vanished were dealt a hand of bad luck. Others made poor choices. But the demise of most came about because they were unable simultaneously to manage their business of the day and to build their business of tomorrow.

Today we take a moment to step back and view the longer arc of history. We’d like to share some of what we have learned—sometimes in humbling ways—on our journey so far.

A century of corporate life has taught us this truth: "To make an enduring impact over the long term, you have to manage for the long term."

21 April 2019

Easter 2019: Another Day to Remember & to Be Proactive...

“Blessed be the God and Father of our Lord Jesus Christ, which according to his abundant mercy hath begotten us again unto a lively hope by the resurrection of Jesus Christ from the dead,”  1 Peter 1:3

COLOMBO (Reuters) - Over 200 people were killed and at least 450 injured in bomb blasts that ripped through churches and luxury hotels in Sri Lanka on Easter Sunday, the first major attack on the Indian Ocean island since the end of a civil war 10 years ago.

On this Easter Sunday 2019, the world mourns the news from Sri Lanka. Across the globe people are reminded that evil remains a constant in our society today and for the future. Our prayers today are evident in every language and every continent...

Looking around your religious venue today you may notice a heightened presence of security and law enforcement.  Our public safety and first responders are on high alert.

So what can you do as a public citizen to learn, prepare and perhaps spring into action if you are ever needed?  How can you train and learn what to do in the event of a mass casualty incident at your place of worship, place of education, place of business or place of recreation?

You can attend a training similar to this one, being offered in a community near you:
Preparation – Action – Recovery

Mass shootings seem to be more and more prevalent nowadays. As the world focuses all its attention on the “why”, we must focus our attention on how we can better prepare our critical infrastructure sectors and communities alike. Learn about the signs and pre-incident indicators (PII’s) of an active shooter before it’s too late. And learn life-saving techniques during and after an active shooting such as how to use a tourniquet and other items in a “stop the bleed” kit.

PART 1 - PREPARATION: INTELLIGENCE SME - Pre-Incident Indicators / behavioral indicators of potential subjects prior to a terrorism or criminal related incident & how to be situationally aware and prepare for such incidents.

PART 2 - ACTION: SWAT SME - To address run-hide-fight, appropriate response for when law enforcement arrives on scene and active shooter survival kit.

PART 3 – RECOVERY: TACTICAL MEDIC SME: Trauma and treatment post active shooting incident. Use of trauma kit, chest seals and current industry standards. Tourniquet drills will be a part of this training.

If you are a Father, Mother, Brother, Sister or just a good friend, you must continue to think about being proactive.  To be ready.  To be more aware.

Take a moment this Sunday in your prayers for Sri Lanka and soon plan to be more prepared...volunteer at your church, school or business to be a proactive advocate and responder for Preparation, Action and Recovery.