31 December 2005

Managing Operational Risks: On the Wall at 100 Ft...

After five days off taking in the magnificent sights at 100+ feet below the surface off Grand Cayman Island, we are reminded that Operational Risk Management is present even in places like this. Take for example the mandate that guests of Wall to Wall Diving use dive computers. For those not initiated into scuba diving, you might not realize that "sensors" are used to measure a potential threat to your life called "The Bends", or decompression sickness. Giles Charlton-Jones and his wife Deanna of Wall to Wall Diving use a combination of proven Operational Risk Management processes and tools to reduce the risks to their clients. They do this because their small business is no different from a Fortune 500 company: as the owners and primary shareholders of any organization, in most cases the law requires them to provide a Duty of Care.

Decompression sickness (DCS), diver's disease, the bends, or caisson disease is the name given to a variety of symptoms suffered by a person exposed to a reduction in the pressure surrounding their body. It is a type of diving hazard and dysbarism.


Dive computers perform a continuous calculation of the partial pressure of gases in the body based on the actual dive profile. As the dive computer automatically measures depth and time, it reduces the need for the diver to carry a separate watch and depth gauge and is able to warn of excessive ascent rates and missed decompression stops. Many dive computers also provide additional information to the diver, for example, the water temperature, or the pressure of the remaining breathing gas in the diving cylinder. The point is that these sensors attached to each diver help deter and detect potential threats associated with decompression sickness. This even includes a calculation when it is safe to fly on an airplane.

Like other manufacturers in the high technology systems sector, scuba has its own champions: companies that focus on the latest tools and solutions to help you manage risks and plan for future scenarios based upon collected intelligence. Suunto is just one example, a Finnish company that has been developing measurement instruments and sensors for various outdoor pursuits, whether on the mountain at 20,000 ft. or underwater at 85 ft. Weather and the environment will always play a part in the daily risks mountaineers and divers face, and with the use of new tools they can operate in a safer and more secure manner.

Yet without the proper people with the training, experience and intuition, all the best tools may not be enough. How often do we encounter situations where the newly collected intelligence and the automatic warning alerts are not enough to keep us out of harm's way?

In a Fortune 500 company, the Board represents the interests of shareholders, as owners of the company, in optimizing value by overseeing management performance on the shareholders' behalf. The Board's responsibilities in performing this oversight function include a duty of care and a duty of loyalty. A director's duty of care refers to the responsibility to exercise appropriate diligence in overseeing the management of the company, making risk management decisions and taking other actions.

It remains refreshing to witness that even on a small island in the British West Indies, smart people are applying Operational Risk Management in their own employee-owned business. First, they practice it each day because they are professionals. Second, they do it instinctively because they know that it can mean the difference between life and death.

As we end 2005, we say congratulations to all of those of you who have found the science of Operational Risk. And more importantly, thank you to all of you who have applied your own art to make our world a little more safe and secure in 2006!

24 December 2005

Enterprise Preparedness: Business Process Management (BPM)

Enterprise Preparedness

Organizations are experiencing unprecedented pressure from a number of directions to remain competitive in today's changing economy. The challenges of satisfying profit expectations, meeting customer demands, avoiding litigation, and complying with government regulations have created tough conditions for the executives who are managing the business. Besides the pressure to create new markets, manage cost, and generate profits, they must also demonstrate the ability to effectively manage adversity when it occurs. The current stringent regulatory environment coupled with a hypersensitive investment community has made the need to prepare for adverse events a corporate mandate.


Troy Smith's article is correct on many of the fundamentals of Enterprise Preparedness. We would emphasize the need to also have some effective tools for capturing the processes during the important planning phases. One company to consider is Metastorm.

As the first breakaway BPM vendor, Metastorm is a leader in business process management (BPM) software and best practice methodologies for modeling, automating, integrating, and improving both human and system-based processes. Metastorm BPM™ is a complete solution for roundtrip process improvement, designed specifically to address complex processes that are unique to organizations. Metastorm’s 1200+ global client base in manufacturing, retail, financial services, business services, healthcare and government are achieving rapid ROI and Enterprise Process Advantage® in customer service, supply chain operations, risk management, and internal operations.


22 December 2005

Financial Services Marketers: Get Ready for Your Audit...

The FDIC Small-Entity Compliance Guide is now available. The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations.

Distinction between the Security Guidelines and the Privacy Rule

The requirements of the Security Guidelines and the interagency regulations regarding financial privacy (Privacy Rule) both relate to the confidentiality of customer information. However, they differ in the following key respects:

- The Security Guidelines address safeguarding the confidentiality and security of customer information and ensuring the proper disposal of customer information. They are directed toward preventing or responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that financial institutions must contractually require their affiliated and non-affiliated third party service providers that have access to the financial institution's customer information to protect that information.

- The Privacy Rule limits a financial institution's disclosure of nonpublic personal information to unaffiliated third parties, such as by selling the information to unaffiliated third parties. Subject to certain exceptions, the Privacy Rule prohibits disclosure of a consumer's nonpublic personal information to a nonaffiliated third party unless certain notice requirements are met and the consumer does not elect to prevent, or "opt out of," the disclosure. The Privacy Rule requires that privacy notices provided to customers and consumers describe the financial institution's policies and practices to protect the confidentiality and security of that information. It does not impose any other obligations with respect to safeguarding customers' or consumers' information.


Third-party marketers of financial institutions are preparing for new audits of their information security controls and processes. Slicing and dicing customer information using psychographics and demographics is a normal task. Mailing millions of pieces annually with new offers from collaborating internal companies and external partners creates significant challenges in managing sensitive customer information. This increased exposure to potential data loss and other threats warrants additional scrutiny of the supply chain companies that interface with the marketing department.

One way to find out how ready your partners would be for a formal audit is to ask them when they last had an independent audit of their information security controls. Many organizations today serve multiple financial institutions in the same region and therefore are consistently being asked for evidence of a SAS 70 audit opinion. SAS 70 is not a predetermined set of standards that an organization must satisfy in order to "pass" the audit. In a SAS 70 audit, the service organization is responsible for describing the control objectives and control activities that might be of interest to auditors in user organizations. SAS 70 objectives can therefore be non-specific for an audit and may leave large gaps in real-time, day-to-day operations.

20 December 2005

Resilience Masks the Real Problem: Training...

The UK financial services sector has completed the first phase of its Resilience Benchmarking Project. More than 60 key firms and financial infrastructure providers from the UK volunteered to take part in the Resilience Benchmarking Project, the results of which were mixed and highlighted a number of significant operational risk issues relating to business continuity. Here is the summary of FSA discussion points:

1 Although the financial system appears to be technologically resilient, are there vulnerabilities in other areas that could put it at risk?

2 What action could the Tripartite Authorities take to help bring together the component parts of the system?

3 How can firms strengthen their collective resilience?

4 Would it be helpful to publish recovery-time targets for wholesale payments, trade clearing and settlement? If so, would 60-80% of normal values and volumes within four hours, rising to 80-100% by the next working day, be reasonable recovery targets?

5 If we decide to publish targets, should these apply to core firms and financial infrastructure providers only, or should they apply more widely?

6 Should we consider publishing targets for other functions such as resumption of trading and retail payments?

7 If we were to publish targets, should these be informal in nature or should they be embedded into rules and guidance?

8 What more can be done to encourage joined-up planning and testing to reflect better the likely impact of a major operational disruption and how this could be facilitated?

9 Could the weaknesses in business continuity and crisis management arrangements undermine recovery time capabilities?

10 Would it be helpful to set a minimum distance criteria between primary and recovery sites? If so, what should that distance be?

11 Should we actively encourage firms to diversify their back-up arrangements, in particular core firms and financial infrastructure providers?

12 Do you agree with our conclusions and proposed actions in relation to recovery service provision? Is there more that the Tripartite Authorities should do in this area – for example including a specific survey on recovery service provision in future benchmarking studies?

13 We invite feedback on the measures we propose to take to mitigate concentration risk: encouraging end-to-end testing; sharing information on resilience and recovery arrangements the financial infrastructure providers have in place; and encouraging wider geographical diversification.

14 Should FSA maintain its non-prescriptive approach to business continuity management?

15 We would welcome comments on the estimated cost of reaching the targets we propose to publish for core firms and financial infrastructure providers:
– from those organisations to which these targets would apply; and
– from other organisations for which these targets might be considered aspirational goals.

16 We would welcome views on the estimated cost of lost business arising from the delayed recovery of a vital counterparty (i.e. a core firm or financial infrastructure provider).


The word "Resilience" occurs 70 times in this 52 page document. The word "Security" occurs only 12 times. The word "Continuity" occurs 63 times. The word "Risk" occurs 52 times. Resilience seems to be the overall theme these days.

The definition of Resilience is an interesting one:

Main Entry: re·sil·ience
Pronunciation: ri-'zil-y&n(t)s
Function: noun
1 : the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress

2 : an ability to recover from or adjust easily to misfortune or change


The definition has a reactive flavor to it: something is going to happen and, when it does, you must be able to recover quickly. With all the synonyms and word games being used today, it all comes back to effective training. And this is where the benchmarking study has revealed the corporate enterprise's greatest weakness:

Training is another potential area for improvement. Only 42 firms include business continuity planning in induction programmes for new staff, and ten respondents had provided training to less than 5% of their staff. Fewer than a third of participants have provided training to staff that might be called upon to deal with sensitive issues, such as working on a casualty helpline. The responses to these and a number of other questions indicate a lack of appropriate training needs analysis and a need for greater consideration of the effects of a crisis on those who might be asked to undertake some of the most harrowing and disturbing roles.


16 December 2005

High Quality or Low Price: Pick One...

Have you ever heard the old saying, "You can have high quality or you can have a low price, pick one"? Now apply this to Operational Risk Management in your domain.

It seems that the U.S. Senate has mixed priorities right now on the U.S. Patriot Act debate. Wyoming is a low risk area in terms of critical infrastructure yet it will receive the same funding as states with more shoreline, ports and vulnerabilities to the security of the United States. James Jay Carafano has identified what the key issue really is:

What’s Missing?

There was one important provision that did not make it out of conference. The original Patriot Act established the requirement that a significant percentage of all homeland security grants be distributed automatically to each state, big or small, regardless of national priorities or risks. Current funding formulas guarantee each state .75 percent of the funds available. As a result, 40 percent of these funds are immediately tied up, leaving only 60 percent for discretionary allocations. As the 9/11 Commission’s report rightly stated, the current system is in danger of turning homeland security funding into “pork-barrel” spending, making spending on security just another state entitlement program. In conference, an initiative to restructure the system and allocate money according to risk and needs rather than an archaic formula was rejected by Senate conferees. This is the third time the Senate has turned back House legislation to reform the grant system. And it is just wrong.


Prudent risk management policy and strategy point to investing to improve resilience in the areas identified as most vulnerable and where the consequences of a loss would be unacceptable. What part of the risk management methodology is missing from the presentations to, or the education of, our lawmakers?

The part that is missing is the part that no one can present, for fear of it becoming public information and getting into the hands of those who may use it to harm the homeland. Those single points of failure exist in every country or city that has a significant capitalist marketplace. The resilience of the respective economies depends on the infrastructure that fuels them, and every dollar and resource needs to be focused on those highest-risk areas.

Mr. Carafano makes another observation worth consideration, regarding The September 11 Commission Report Card: The Good, the Bad, and the Ugly:

At the top of the list is the failure of the Congress to put together a comprehensive package of border security and immigration reforms that enhance security, promote economic growth, and protect civil liberties. Also missing from the list is the tragic underfunding of the Coast Guard. The same service that saved 33,000 lives during and following Hurricane Katrina faces cuts to its modernization budget in the House.


The private sector can change all of this in a heartbeat. The safety and security of our economic livelihood is in the hands of the telecom/high tech, banking and finance, health care and energy sectors. In the long run, the executives in these industry sectors have the power to change our lawmakers' points of view. Let's just hope that they all realize that it is their own corporate assets that are at greater risk now than they were over four years ago.

15 December 2005

CIP Risk Management: NIPP & Tuck...

As part of the new National Infrastructure Protection Plan (NIPP) v1.0, the years-old RAMCAP (Risk Analysis and Management for Critical Assets Protection) methodology of the American Society of Mechanical Engineers makes its way into the mainstream:

RAMCAP is an overall methodology and provides a common framework for homeland security risk analysis decision-making that includes:

– Common terminology
– Common metrics for comparing risks across sectors
– Common basis for reporting results
– Basis for informing resource allocation decisions
  • Countermeasures
  • Consequence mitigation actions


ASME was awarded a grant by the Department of Homeland Security to develop uniform risk-based guidance in September 2003. The methodology's sequential steps include:

• Vulnerability analysis
• Consequence analysis
• Risk analysis
• Countermeasures and mitigation
• Decision analysis
• Multiple assets and sectors


The NIPP is a "draft" today, and the comment period already expired on December 5, 2005. We expect to see sector-specific plans soon after the national plan is finalized. It will be interesting to see how the private sector reacts. Industry critics say the draft lacks specificity at this point. However, maybe this is a good thing for the owners and operators of 85% of the nation's critical infrastructure.

12 December 2005

Reducing Operational Risk Through CAP & IPv6...

After attending the United States IPv6 Summit last week, it was apparent that Emergency Preparedness and National Security are top priorities. This is increasingly true as we see the grades on our progress from the 9/11 Commission and others with regard to data communications and interoperability issues. One facet of all of this has to do with the important work already underway by the technical committees at OASIS:

The mission of the EM TC is to create incident and emergency-related standards for data interoperability. The TC welcomes participation from members of the emergency management community, developers and implementers, and members of the public concerned with disaster management and response.

Standards currently under review by the committee:

The Common Alerting Protocol (CAP), a data interchange standard for alerting and event notification applications, currently in version 1.1. CAP functions both as a standalone protocol and as a payload for EDXL messages.

The Emergency Data Exchange Language (EDXL), a broad initiative to create an integrated framework for a wide range of emergency data exchange standards to support operations, logistics, planning and finance.
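CAP alerts are XML documents, and a receiving system should validate one before it triggers any notification. The following is an added example, not code from OASIS or the EM TC: a small Python validator for the required CAP 1.1 elements and their code lists, run over a constructed test alert. The namespace, element names and code lists are taken from the CAP 1.1 specification; the sample identifier and sender address are made up.

```python
"""Validator for OASIS Common Alerting Protocol (CAP) 1.1 messages.

Added illustration for this post, not code from OASIS or the EM TC. It checks the
required <alert>/<info> elements and their code-list values so a receiver can
reject malformed alerts before acting on them. For feeds from untrusted networks,
parse with defusedxml rather than xml.etree to blunt entity-expansion attacks.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import xml.etree.ElementTree as ET

CAP_NS = "urn:oasis:names:tc:emergency:cap:1.1"

# Code lists fixed by the CAP 1.1 specification.
STATUS = {"Actual", "Exercise", "System", "Test", "Draft"}
MSG_TYPE = {"Alert", "Update", "Cancel", "Ack", "Error"}
SCOPE = {"Public", "Restricted", "Private"}
CATEGORY = {"Geo", "Met", "Safety", "Security", "Rescue", "Fire", "Health",
            "Env", "Transport", "Infra", "CBRNE", "Other"}
URGENCY = {"Immediate", "Expected", "Future", "Past", "Unknown"}
SEVERITY = {"Extreme", "Severe", "Moderate", "Minor", "Unknown"}
CERTAINTY = {"Observed", "Likely", "Possible", "Unlikely", "Unknown"}


@dataclass
class CapAlert:
    identifier: str = ""
    sender: str = ""
    sent: Optional[datetime] = None
    status: str = ""
    msg_type: str = ""
    scope: str = ""
    infos: list = field(default_factory=list)
    problems: list = field(default_factory=list)  # empty list means valid


def _child_text(parent, name, problems):
    """Text of a required child element; records a problem if it is absent."""
    node = parent.find(f"{{{CAP_NS}}}{name}")
    if node is None or not (node.text or "").strip():
        problems.append(f"missing required element <{name}>")
        return ""
    return node.text.strip()


def _check_enum(value, allowed, name, problems):
    if value and value not in allowed:
        problems.append(f"<{name}> value {value!r} is not in the CAP 1.1 code list")


def parse_cap(xml_text: str) -> CapAlert:
    """Parse one CAP 1.1 message and collect every validation problem found."""
    alert = CapAlert()
    p = alert.problems
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAP_NS}}}alert":
        p.append(f"root element {root.tag!r} is not a CAP 1.1 <alert>")
        return alert
    alert.identifier = _child_text(root, "identifier", p)
    alert.sender = _child_text(root, "sender", p)
    sent_raw = _child_text(root, "sent", p)
    try:
        alert.sent = datetime.fromisoformat(sent_raw)
        if alert.sent.tzinfo is None:
            p.append("<sent> lacks the UTC offset CAP 1.1 requires")
    except ValueError:
        p.append(f"<sent> is not an ISO 8601 dateTime: {sent_raw!r}")
    alert.status = _child_text(root, "status", p)
    alert.msg_type = _child_text(root, "msgType", p)
    alert.scope = _child_text(root, "scope", p)
    _check_enum(alert.status, STATUS, "status", p)
    _check_enum(alert.msg_type, MSG_TYPE, "msgType", p)
    _check_enum(alert.scope, SCOPE, "scope", p)
    # CAP 1.1 makes <addresses> mandatory when scope is Private.
    if alert.scope == "Private" and root.find(f"{{{CAP_NS}}}addresses") is None:
        p.append("scope is Private but <addresses> is missing")
    for info in root.findall(f"{{{CAP_NS}}}info"):
        block = {n: _child_text(info, n, p)
                 for n in ("category", "event", "urgency", "severity", "certainty")}
        for n, allowed in (("category", CATEGORY), ("urgency", URGENCY),
                           ("severity", SEVERITY), ("certainty", CERTAINTY)):
            _check_enum(block[n], allowed, n, p)
        alert.infos.append(block)
    return alert


# Constructed sample alert (exercise data, not a real notification).
GOOD_ALERT = f"""<alert xmlns="{CAP_NS}">
  <identifier>EXAMPLE-2005-12-12-0001</identifier>
  <sender>ops@example.invalid</sender>
  <sent>2005-12-12T14:30:00-05:00</sent>
  <status>Test</status><msgType>Alert</msgType><scope>Public</scope>
  <info><category>Infra</category><event>Cooling failure (exercise)</event>
    <urgency>Expected</urgency><severity>Moderate</severity>
    <certainty>Likely</certainty></info>
</alert>"""
# Same message with a missing <sender> and a misspelt msgType.
BAD_ALERT = GOOD_ALERT.replace("<sender>ops@example.invalid</sender>", "") \
                      .replace("<msgType>Alert</msgType>", "<msgType>Alret</msgType>")
```

Calling `parse_cap(GOOD_ALERT).problems` returns an empty list, while `parse_cap(BAD_ALERT).problems` lists the missing sender and the bad msgType value, which is the point at which a receiver should drop the message and log it.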


Why are IPv6 and CAP a big issue in operational risk management? They will save lives and property as they are deployed in numerous communications devices and services in the future. Currently, the big drive for IPv6 is new uses, such as mobility, quality of service, privacy extensions and so on. The U.S. Government has also specified that all federal agencies must deploy IPv6 by 2008.

Karen Evans and the OMB are preparing the federal CIO's for the transition:

The CIO Council will develop additional transition guidance as necessary covering the following actions. To the extent agencies can address these actions now, they should do so. Beginning February 2006, agencies’ transition activity will be evaluated using OMB’s Enterprise Architecture Assessment Framework:

• Conduct a requirements analysis to identify current scope of IPv6 within an agency, current challenges using IPv4, and target requirements.
• Develop a sequencing plan for IPv6 implementation, integrated with your agency Enterprise Architecture.
• Develop IPv6-related policies and enforcement mechanisms.
• Develop training material for stakeholders.
• Develop and implement a test plan for IPv6 compatibility/interoperability.
• Deploy IPv6 using a phased approach.
• Maintain and monitor networks.
• Update IPv6 requirements and target architecture on an ongoing basis.


Much of what IPv6 is about has to do with the address capacity of our current standard, IPv4. However, as more emphasis is put on interoperability and on the use of millions of new data capture and reporting sensors, both CAP and IPv6 will be essential building blocks for the future. One example illustrated the other day is the changes being made in London and other global metro areas to capitalize on the fact that most citizens are carrying mobile phones with picture and video capabilities. These video images are increasingly being used to give both law enforcement and emergency responders new insight into the real situation as it unfolds. In some cases, while voice circuits are jammed, the data communications can still get through.

Sometimes, a picture is worth a thousand words.

06 December 2005

Mitigating Operational Risks Around the Globe...

In this month's CSO Online, Todd Datz has an article worth exploring. How to Manage Security Halfway Around the World talks about several key components of global operational risk mitigation:

Different cultures. Unstable political environments. Language barriers. CSOs in global companies face many a challenge as they try to manage security in far-flung locations. One of the biggest challenges? A good number of your security managers reside in functions other than corporate security, so security is often a part-time gig managed by people with part-time security training. There’s no ironclad set of rules or policies that all those employees can follow.


If you are like most organizations doing business on a global basis, you don't have a security department in every office. This is why it is imperative for your local employees to establish local relationships with other businesses or entities that will help protect your vital corporate assets.

Educate Your Global Security Staff
Training is a critical component of any global security program, especially given that many security managers in foreign locations come from nonsecurity functions—such as HR or engineering—and thus wear multiple hats.


It's critical to have a local presence along with a centralized global policy and audit function known as Enterprise Security Risk Management. Together, the partnership keeps a great degree of relevance to the issues and cultures of a particular country while simultaneously maintaining a consistent and correlated set of standards for legal compliance. International laws on the exchange of information, the transmission of funds and the sale of products and services to Specially Designated Nationals (SDNs) are all important business risks to be managed.

With a growing focus on risk management, The Yankee Group predicts that by 2008, the $165 million Enterprise Security Risk Management market will grow to $650 million as more organizations move to strengthen their global security posture. According to The Yankee Group, most organizations today utilize informal security risk management processes using professional services and homegrown databases that are often time-consuming and ineffective.

05 December 2005

Corporate Social Responsibility: An Era for New Leadership...

Here are a few of this morning's top news stories. It seems that Operational Risks have us surrounded, and yet many organizations are still in denial that anything will impact them directly. How long will this naivete go on in your company, city, state or country? Maybe it's time for more Corporate Social Responsibility and a renewed focus on training new leaders.

ABC Online - 12 hours ago
The panel that investigated the September 11 terrorist attacks has criticized the Bush administration for not doing enough to prevent further strikes. The 10-member panel is disappointed that nearly 18 months ...

DMasia.com - 3 hours ago
Matan Gillon, a security researcher in Israel, has reportedly discovered a flaw in Internet Explorer (IE) which allows hackers to access personal information through Google Desktop. The problem, Gillon said ...

ABC News - 2 hours ago
Epsilon, the 26th tropical storm listed on the wall size map at the National Hurricane Center in Miami Friday, Dec. 2, 2005, has strengthened into a record 14th hurricane in the Atlantic, two days after the hurricane officially ended. ...

ABC News - 14 minutes ago
NAIROBI (Reuters) - A strong earthquake shook East Africa on Monday in the Lake Tanganyika region frightening people from Congo to Kenya but causing little damage, according to initial reports. The US Geological ...

Food Consumer - 16 hours ago
By FC. Officials in Ukraine confirmed on Dec. 3 that several cases of bird flu in both domesticated and wild birds have tested positive for the H5 subtype of bird flu virus in some parts of Crimea, a peninsula that juts out into the Black Sea. ...

Bloomberg - 32 minutes ago
Dec. 5 (Bloomberg) -- A Palestinian suicide bomber blew himself up outside a shopping mall in the Israeli seaside city of Netanya today, killing five other people and injuring at least 50, police said. The ...


As the finger pointing continues and the documents of the day are debated there is one strategy that has been with us for many years, and many have forgotten. It is called Corporate Social Responsibility (CSR). CSR is gaining new emphasis around the globe:

Laura Tyson joined the Clinton Administration as an economic adviser in 1993. Here is what she says about a lady named Mary Parker Follett:

One bold management pioneer, who was decades ahead of her time as a lecturer to academics and businessmen in the 1920s and 1930s, put forth lessons that ring particularly true today. Mary Parker Follett's (1869-1933) thoughts on democracy, society and management have inspired business leaders in fits and starts during the 20th century and they deserve to be revisited as we move forward in this century.

Another point that rings particularly true in 2005 is Follett's belief in the important role that businesses play in society. She gave serious attention to what we now call corporate social responsibility, a topic of great interest in today's boardrooms and business schools.


One thing is certain. All of the employees and citizens on the planet want leadership and courage from the ordinary person next door: the citizen soldier who is willing and capable of leading the people around them in the face of a sudden catastrophic crisis, or in the midst of an important ethical decision. In the moment of the day, are "Leaders Born, Not Made"? We agree with Mary Parker Follett and Laura Tyson:

"Leaders can be taught, and should be keen on sharpening their skills as rigorously as a surgeon. In 1933, she put it plainly: managers must realise that they, as professional[s], are assuming grave responsibilities, that they are taking part in one of the large functions of society, a part which, I believe, only trained and disciplined [business people] can hope to take with success."


As Operational Risks continue to surround our corporate enterprises, it's imperative we look at where we are spending our money and deploying our resources. What would happen to our preparedness, readiness and recovery capabilities if we just reallocated 5% of the corporate marketing budget to the risk management budget? If we did, we might find ourselves with fewer calls to the courthouse, the statehouse and the White House.

01 December 2005

Board of Directors: Corporate Responsibilities...

The primary responsibilities of the Board of Directors are getting more scrutiny than ever before, especially in light of the fact that statements executives make about quarterly earnings are a focus for class-action shareholder lawsuits.

Many public institutions are no longer bowing to Wall Street by publishing or promising quarterly numbers. In fact, many are following the lead of people like Warren Buffett of Berkshire Hathaway, who doesn't believe in the short-sighted behavior that occurs around quarterly conference calls with analysts. Look to The Washington Post as one example.

The Board is ultimately responsible for ensuring the performance and survivability of the corporation. The shareholders want the Board to do the following:

1. To ensure legal and ethical conduct.

2. To insist on strategic and operational planning.

3. To develop, in collaboration with management, a real-time risk assessment.

4. To establish a Corporate Governance culture based on best practices.

5. To exercise the Director's fiduciary duty of care on behalf of the shareholders.

An ever more important responsibility is to apply technology, and to understand its purpose, in the survival and longevity of the organization. The Washington Post, which does not offer quarterly guidance, has adopted technology to help satisfy the analysts' need for information.

WASHINGTON, Nov. 30 -- The Washington Post Company (NYSE: WPO) will audio webcast its presentation at the Credit Suisse First Boston (CSFB) Global Media Week Conference next week. The Company's presentation will take place on December 6 at 4 p.m.

The live webcast will be accessible from a link on The Washington Post Company's website, http://www.washpostco.com, and at http://www.csfb.com. A transcript will be posted on http://www.washpostco.com following the presentation.


Maybe someday the SEC will reconsider Regulation FD:

The Reg FD rule reads as follows: "Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to [certain enumerated persons], the issuer shall make public disclosure of that information... simultaneously, in the case of an intentional disclosure; and... promptly, in the case of a non-intentional disclosure."


In light of this, most Directors and Executive management are counseled to say very little about what is happening in the company.