22 July 2007

Show Me The Money: Complacency Risk...

The last time we checked, CFOs were still doing battle with CxOs about their budget and the growing magnitude of Operational Risks as a result of too little funding. Learning how to count differently is a consistent conversation within the ranks of corporate enterprises today. How do I address the needs of the employee, the regulators and management for software systems and safety solutions that require continuous change with this budget?

"Champions for new investments in Enterprise Content Management (ECM) solutions must make convincing arguments for change. Among many hurdles, the champion must express a business case for an ECM solution. That business case must present an economic analysis of the "before" and "after" financial impact. It must deliver measurable financial return on investment (ROI). The bottom line that is always asked is "show me the money".

Enterprise Content Management is the technologies used to Capture, Manage, Store, Preserve, and Deliver content and documents related to organizational processes.

The business case for any new investment requires an analysis of what the existing business issue or problem is and what the benefits of making this new investment are. Counting differently than in the past may require looking beyond the typical methods for creating this so-called "Show me the money" step for executive management. Can ECM provide the solution to more than one of the problems in the enterprise with managing information and getting answers faster and more accurately than ever before? If it can, then this could be a path to designing a risk management architecture that provides a myriad of capabilities across a spectrum of potential vulnerabilities.

The most important job is to keep in-house information under control. The questions add up: where to put the thousands and thousands of e-mails, what to do with the electronically signed business correspondence, where to put taxation-relevant data, how to transfer information from the disorganized file system, how to consolidate information in a repository that everybody can use, how to get a single login for all the systems, how to create a uniform in-basket for all incoming information, how to make sure that no information is lost or ignored, etc. etc. Document technologies play an important role in all these questions. ECM solutions are necessary basic components for many applications. Every potential user will naturally consider his own individual needs before deciding on a system. However, putting off decisions does not make them less necessary. Every year something supposedly better and easier to use will come along, but waiting will just mean never installing anything. Every time the decision is put off, the mountain of uncontrolled and unused information gets bigger, and known problems get larger. A sensible long-term migration strategy removes the fear of fast technology change.

Complacency is a threat that many do not think about. What is the cost of complacency in delaying decisions to invest? Whether it be that latest hot stock, buying new enterprise software or the maintenance on the critical infrastructure supporting your operations, timing is everything. At some point, a decision has to be made and you are never going to have enough data to totally justify an investment one way or another. You must find the courage to do something, before complacency makes the decision for you:

One person has been killed and at least 20 others injured when a steam pipe exploded underneath a street in central New York during the evening rush hour.

The explosion in midtown Manhattan sent clouds of steam, mud and rocks into the air and forced the evacuation of nearby streets and Grand Central Station.

The New York Police Department said the incident was not terrorism-related.

Millions of pounds of steam are pumped beneath the streets of New York to help heat and cool thousands of buildings.

The 83-year-old pipe exploded just before 1800 (2200 GMT), sending people running from the scene as steam billowed up from the ground.

New York Mayor Michael Bloomberg later ruled out the possibility of a terrorist attack.

"There is no reason to believe whatsoever that this is anything other than a failure of our infrastructure," he told a news conference.

"The big fear that we have is whether there may or may not have been asbestos released."

Maintaining, upgrading and investing in your IT software systems is no different than looking after your power generation pipelines or critical infrastructure conduits along rights-of-way. Lack of robust Software Quality Assurance and complacency in justifying new systems may not result in human fatalities such as the explosion in NYC, unless of course the information you desire can't be found or can't be accessed when you need it.

Connecting the Dots and Show Me The Money are what complacency risk is all about.

17 July 2007

4GW: Trusted Information Class Actions...

The SEC is in the middle of a Supreme Court battle and they have called in the "A" team to assist. Former SEC officials William H. Donaldson, Arthur Levitt and Harvey J. Goldschmid want to expand investors' abilities to sue in frauds:

The big-money issue has mobilized lawyers who bring class-action lawsuits and the companies and executives they target in one of the most important securities-law issues to reach the Supreme Court in years.

In cases in which fraud-ridden corporations have filed for Chapter 11 bankruptcy protection, investors may not be able to wrest money from the company itself. Lawsuits against business partners and advisers such as accountants and lawyers may present the only rich and viable option for shareholders and plaintiff lawyers, experts said.

What have we learned since Enron? Do we not have a more ethics-based atmosphere at the professional services firms? In the long run, will investors be better off with the ability to sue the advisors of the companies as accomplices to wrongdoing? You can bet that if the US Chamber of Commerce has its way, the SEC is in for a real fight on this one.

Some people are behind bars. Some companies are out of business. And the Dow is again at an all-time high, nearing the 14,000 threshold. All of the legislation, class actions and fraud allegations are all about one thing. Information. Trusted Information.

A number of trends focused on corporate data continue to distract today's IT departments. Shareholders are clamoring for more transparency as a result of the financial scandals that have shaken confidence in corporate governance around the world. Compliance legislation such as the U.S. Sarbanes-Oxley Act (whose impact is reaching far beyond the U.S.) can result in jail sentences for executives who - even unintentionally - report erroneous information. New privacy laws around the world restrict the use of customer information. Increasing global competition has put pressure on organizations to use their expensive information assets more strategically.

All these issues can be summed up in a single concept: trusted information. Simply accessing data is no longer enough. Today's CEOs, CFOs and knowledge-workers must be able to reliably track the information they use for decisions back to the original source systems in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively. Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures are correct, rather than what to do about the company's issues. Additionally, they worry about the consequences of making strategic decisions using the wrong information, directly impacting the long-term survival of the organization.

This brief essay by Jeffrey Ritter discusses the compelling forces converging at the beginning of the 21st century that are shaping the need to consider trusted information as a vital asset that should be the priority of any organization:

As the 21st century accelerates, digital devices connected to the Net will continue to be indispensable to modern life. But those devices, and the services provided through them, remain vulnerable to human judgment—the 21st century winners will be those who earn and sustain the trust of those using the devices and the services—whether those are consumers, employees, shareholders, lenders or service providers.

When the law intersects with the validity of information, the corporate battle lines are drawn. Think about how much time and how many dollars are spent proving or disproving the integrity of information in a court of law. Those organizations that know that they are in the "4th Generation Warfare" (4GW) era will survive only if they can grasp this concept. Fourth Generation Warfare removes the front entirely. Attackers rely on a barrage of information salvos and coordinated incidents to paralyze or erode the adversary's political will, rather than seeking decisive hand-to-hand combat. Does this sound familiar to your General Counsel?

We are not talking about Al Qaeda now. We are talking about the class action "Army" that is forming the strategy and the means to wage unconventional battles against your trusted information. Or is it?

07 July 2007

ORM: The Science & The Art...

Operational Risk Management today is a true "science", with the "art" becoming more of a key component in connecting the dots. Yes, there are plenty of standards from various disciplines to assist professionals in the assessment and measurement of risk. The tools that have been developed over decades to help predict risk date back to the inception of the insurance industry. Actuaries are indeed a key component in this evolution of the science. What happens when you put several other factors into the equation, like dates in time when various events are converging on a single window of potential risk consequences and implications?

Actuaries are those with a deep understanding of financial security systems, their reasons for being, their complexity, their mathematics, and the way they work (Trowbridge 1989, p. 7). They evaluate the likelihood of events and quantify the contingent outcomes in order to minimize losses, both emotional and financial, associated with uncertain undesirable events.

Actuarial science applies mathematical and statistical methods to finance and insurance, particularly to risk assessment. Actuaries are professionals who are qualified in this field through examinations and experience.

Actuarial science includes a number of interrelating disciplines, including probability and statistics, finance, and economics. Historically, actuarial science used deterministic models in the construction of tables and premiums. The science has gone through revolutionary changes during the last 30 years due to the proliferation of high speed computers and the synergy of stochastic actuarial models with modern financial theory (Frees 1990).

The art of Operational Risk comes into play with practitioners and professionals who have the "Grey Matter" to see the big picture. They have the ability to think like the enemy, or examine the window of opportunity. Working with windows in time and the ability to see the convergence of particular events allows for the creation of scenarios, to draw more strategic insight. This ability to create filters and extract true meaning from raw data, segmented information and then from cognitive analysis creates the true vision we seek. This is an art as much as it is a science.

Forecasters in the hurricane, typhoon and tsunami warning centers around the globe know the meaning of using the science as much as the art of risk management. The nexus of security and terrorism puts another dimension on the meaning of operational risk management, and now you have the Terrorism Screening Center (TSC) assisting with the fusion of intelligence to stop potential individuals from committing terrorist acts.

Suicide bombers have not hit the United States since the 2001 terrorist hijacking attacks, but they remain a constant concern because of their prevalence around the globe and determination to die for their causes, according to the FBI's chief of counterterrorism.

He does not believe America is overflowing with homegrown terrorists, but Joseph Billy said "a significant number" of attacks have been thwarted since airliners were crashed into the World Trade Center, the Pentagon and a Pennsylvania farm field on Sept. 11, 2001.

While declining to divulge the nature of the averted plots, Billy credited intelligence that led to either fortified security around potential targets or identification of suspected terrorists. Authorities recently stopped homegrown plots targeting the Fort Dix military base in New Jersey and a jet fuel pipeline at New York's Kennedy International Airport.

If you were planning an event for your organization in downtown Washington, DC for the 3rd week in October 2007, what are the factors that are taken into consideration? Have you scheduled to fly in all of your key executives for a Board of Directors Meeting and a round of golf at RTJ? What about all of the other events and organizers who have made the decision to hold their event the same week or day in October? What impact will any of these other events have on you and your organization's ability to facilitate a safe, secure and productive meeting for your participants, members or customers?

The fact is that many event planners and organizers are not even tied into the same database or the systems as the Chief Security Officer. The CSO in many cases is not aware that the sales or marketing organization has scheduled a customer summit or new product kick-off the same time as a scheduled anti-[insert activist group here] march. Or maybe it's just a PGA golf tournament or "Live Earth" concert drawing tens of thousands to the area to see their favorite player or band.

Live Earth is a 24-hour, 7-continent concert series taking place on 7/7/07 that will bring together more than 100 music artists and 2 billion people to trigger a global movement to solve the climate crisis.

Live Earth will reach this worldwide audience through an unprecedented global media architecture covering all media platforms - TV, radio, Internet and wireless channels.

Live Earth marks the beginning of a multi-year campaign led by the Alliance for Climate Protection, The Climate Group and other international organizations to drive individuals, corporations and governments to take action to solve global warming. Former U.S. Vice President Al Gore is the Chair of the Alliance and Partner of Live Earth.

So what? So what does the science of operational risk have to do with the art of operational risk?

Think clearly and use both when it comes time to develop your own "Fusion Center" for risk in your organization. Make sure you include the people and the data that could create the perfect storm when a combination of events all take place within the same time window. There are only so many hotels, convention centers and airports for people to utilize for the logistics of these meetings. The competition is fierce to get the location, dates and venues you seek to impress your audience. It's not always about the number of things going on at the same time; it is the combination of each unique entity that makes the "Art" of Operational Risk imperative.

Any combination of ingredients by itself can be harmless. But when you mix them together in the right amounts, in the right place, you could be facing a loss event that could not have been predicted looking at the science alone.