25 November 2010

Whole Community: OPS Risk Spectrum...

Operational Risk Management is a discipline that comprises a spectrum of "All Threats and All Hazards." It is a "Whole Community" approach to the nexus of national security, economic security and the entirety of our citizens. The resilience factor of your private sector organization, or of the entire nation, will consistently be tied to the weak links in your:

  • Prevention
  • Protection
  • Response
  • Mitigation
  • Recovery

One of these five aspects will be your nemesis when the next incident or catastrophic event touches your company, city, state or country. Together they form an increasingly interdependent ecosystem that determines your resilience factor. What business units, neighborhoods, counties or states are your weak links?

With every global event, whether it be earthquakes, floods, hurricanes, oil spills or terrorist attacks, the local community has a 72 hour window that will dictate its destiny: three days that will set the tone and the direction for the remaining weeks, months and years of recovery. Time and time again we are reminded how important an effective security posture must be before the "Whole Community" can begin to operate. So what is the most effective system, one that focuses on people and not just a single process? What is the right order of steps soon after the event unfolds? The answer lies with the subject matter experts who time and time again have been there at the zero hour or on the day of the incident itself:

  1. Security
  2. Medical
  3. Water
  4. Shelter
  5. Food
  6. Counseling

Human behavior is an unpredictable factor. It can impact everything in terms of the speed and quality of post-incident response. Without security, the first responders who perform medical triage will be reluctant, and in harm's way, when treating those who have the greatest likelihood of survival. This cascades into several discussions that we know are hot for debate. What if the first responders are your fellow tenants on the floor above you, or in the office building next door, rather than the professionals from the local fire or police department?

"Citizen First Responders" (CFR) are your organization's front-line Operational Risk Managers. They are the ones who will have the "Ground Truth" and will be required to make the hard and fast decisions on what needs to be secured, who needs to be saved and where to establish incident command. How many CFRs are ready in your organization today? Your business park? Your neighborhood? Who is in charge of security? The list goes on...

It all begins from the ground up with people who want to be more active as a "Citizen First Responder" and who are given the programs, tools and training. Here are just three facets of the different types of CFRs that exist:


The list of Non-Governmental Organizations (NGO), Faith-Based Organizations (FBO) and other organizations that exist today is exhaustive. As with most things, there is a pyramid where only a few rise to the top to become the most effective, because they truly understand the discipline of Operational Risk Management. Yet security is still the concern of any civilian-based personnel even today:

"U.S. Ambassador Rosemary DiCarlo said the United States is deeply concerned by what she called the seemingly ceaseless unlawful targeting of civilians, including women, children, humanitarian workers and journalists.

"The United States calls for more concrete actions to hold accountable those who attack humanitarian and peacekeeping personnel," she said. "We must also pursue accountability in places where insurgents and terrorists hide among civilian populations, turning communities into battlefields. These groups continue to inflict unspeakable crimes on innocents."

Remember all of those places across the globe whose resilience factor is low because of a weak security posture, and where the environment for the "Citizen First Responders" to operate remains an unacceptable risk. It doesn't matter if it is New Orleans, LA, USA after Hurricane "Katrina", or the streets of Port-au-Prince or Santiago after an earthquake. Or even the few city blocks of Mumbai during a terrorist attack. Preparing for one type of incident without consideration for the other may put your citizens and responders in harm's way:

"The new head of Germany's top police union said Tuesday that officers lacked the training to deal with a terror attack, as the country maintained a state of alert after a warning from a foreign ally. Speaking at a Police Trade Union (GdP) congress in Berlin, Bernhard Witthaut said that Germany's security forces were equipped to cope with natural disasters but not an incident like a suicide bombing."

Where is the weak link in your Operational Risk spectrum?

16 November 2010

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that encompass a comprehensive organizational strategy. Odds are that, to this point, you have devoted a majority of your time and resources to the passive mode of preparedness and defense: a reactive, alert-oriented focus. The time has come to change the priorities and to increase the allocation of strategy to the "Active Measures." Why? Stuxnet is ground zero for a new generation of digital infrastructure cyber weapons. Glenn Kessler of the Washington Post explains:

The Stuxnet computer worm that infiltrated industrial systems in Iran this fall may have been designed specifically to attack the country's nuclear program, potentially crippling centrifuges used to enrich uranium gas, according to new research.

In a blog post late last week, a Stuxnet researcher at Symantec wrote that the software firm had concluded that the worm targeted industrial systems with high frequency "converter drives" from two specific vendors, including one in Iran.

Independently, Langner Communications of Germany, a systems security firm, also announced over the weekend that another part of the worm's attack code was configured in a way to target a control system for steam turbines used in power plants, such as those installed at the Bushehr nuclear power plant in Iran. Langner also confirmed that the worm appeared to attack key components of centrifuges.

Ivanka Barzashka, a research associate at the Federation of American Scientists, said the Symantec findings "if true, are very significant."


The attribution game is still going on, with several suspects as to who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that sitting back and waiting for the next variant or hybrid cyber weapon to attack your critical infrastructure assets is the passive mode. The most advanced organizations are now taking the "Proactive" stance: not only detecting changes in their environment in a more real-time mode, but starting to hunt down the attackers.

There is a decision point where you realize that the passive mode will not buy you time, nor will it redirect your attackers to other, more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers, yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared among private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a single solution broad enough or deep enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise. In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing, and how fast it is changing, from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter, but what about the intelligence on providers and ISPs somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed? Just ask the people at Renesys:

Afghans headed to the polls today for parliamentary elections in a tense but hopeful atmosphere. If the Internet has a role to play this year in helping Afghanistan develop a peaceful civil society, it will probably turn on two key developments: cheap GPRS Internet delivered over mobile phones, and strong relationships with neighboring states to provide Internet transit.

In today's follow-up to last week's blog, we present the evidence we see in the global Internet routing tables for a strengthening technical relationship between the Tehran and Kabul governments. In Afghanistan, as in Iraq, Iran now sees an opportunity to export influence by exporting its technological infrastructure.
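The two questions raised above, knowing in real time what is changing from the normal state, and knowing how your prefixes are being routed beyond your own perimeter, can be answered with the same mechanism: a baseline of expected routing and a monitor that flags deviations and their rate. The following is an added example, not code from the original post or from Renesys. It assumes a feed of route observations in the form (timestamp, prefix, AS path as seen from a route collector peer); the prefixes are IETF documentation ranges and the ASNs are reserved documentation and private-use numbers, so every value is constructed sample data and no real network is described.

```python
"""Baseline-based monitoring of BGP route observations (added example).

Compares each observed route against a baseline of the expected origin
and transit ASNs, and tracks how often a prefix's path changes.
All prefixes, ASNs and observations below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class PrefixBaseline:
    origin_asn: int          # ASN expected to originate the prefix
    transit_asns: set[int]   # upstream ASNs expected on the path


@dataclass
class Alert:
    kind: str
    prefix: str
    detail: str


# Constructed baseline: "our" prefix 203.0.113.0/24 (TEST-NET-3), originated by
# hypothetical AS64500 and normally reached through transit AS64510 or AS64511.
BASELINE = {
    "203.0.113.0/24": PrefixBaseline(origin_asn=64500, transit_asns={64510, 64511}),
}


def covering_baseline(prefix: str):
    """Return (baseline_prefix, baseline) covering `prefix`, or None if it is not ours."""
    net = ipaddress.ip_network(prefix)
    for base_prefix, base in BASELINE.items():
        base_net = ipaddress.ip_network(base_prefix)
        if net.version == base_net.version and net.subnet_of(base_net):
            return base_prefix, base
    return None


def check_observation(prefix: str, as_path: list[int]) -> list[Alert]:
    """Compare one observed route against the baseline and return any alerts."""
    match = covering_baseline(prefix)
    if match is None or not as_path:
        return []
    base_prefix, base = match
    alerts: list[Alert] = []
    if prefix != base_prefix:
        # A more-specific announcement wins longest-prefix match over ours.
        alerts.append(Alert("more_specific", prefix, f"sub-prefix of {base_prefix} announced"))
    origin = as_path[-1]
    if origin != base.origin_asn:
        alerts.append(Alert("origin_change", prefix, f"origin AS{origin}, expected AS{base.origin_asn}"))
    # as_path[0] is the collector's peer; everything between it and the origin is transit.
    unexpected = {asn for asn in as_path[1:-1] if asn not in base.transit_asns}
    if unexpected:
        alerts.append(Alert("unexpected_transit", prefix, f"unexpected transit {sorted(unexpected)}"))
    return alerts


class RouteMonitor:
    """Consume a stream of (ts, prefix, as_path) observations; alert on deviations and churn."""

    def __init__(self, flap_window_s: int = 600, flap_threshold: int = 3):
        self.last_path: dict[str, tuple[int, ...]] = {}
        self.change_times: dict[str, list[int]] = {}
        self.flap_window_s = flap_window_s
        self.flap_threshold = flap_threshold

    def observe(self, ts: int, prefix: str, as_path: list[int]) -> list[Alert]:
        path = tuple(as_path)
        if self.last_path.get(prefix) == path:
            return []  # unchanged route: nothing new to report
        self.last_path[prefix] = path
        alerts = check_observation(prefix, as_path)
        times = self.change_times.setdefault(prefix, [])
        times.append(ts)
        # Keep only changes inside the window, then judge the rate of change.
        times[:] = [t for t in times if ts - t <= self.flap_window_s]
        if len(times) >= self.flap_threshold:
            alerts.append(Alert("path_flap", prefix, f"{len(times)} path changes in {self.flap_window_s}s"))
        return alerts


# Constructed observation stream (timestamp in seconds, prefix, AS path from collector peer).
SAMPLE_STREAM = [
    (0,   "203.0.113.0/24",  [64520, 64510, 64500]),   # normal path
    (120, "203.0.113.0/24",  [64520, 64511, 64500]),   # failover to the other expected transit
    (300, "203.0.113.0/24",  [64520, 64530, 64500]),   # unexpected transit AS64530 on the path
    (420, "203.0.113.0/25",  [64520, 64510, 64599]),   # more-specific with a foreign origin
    (900, "198.51.100.0/24", [64520, 64540, 64541]),   # not our prefix: ignored
]


def run(stream=SAMPLE_STREAM) -> list[Alert]:
    """Feed the stream through a monitor and collect every alert in order."""
    monitor = RouteMonitor()
    alerts: list[Alert] = []
    for ts, prefix, path in stream:
        alerts.extend(monitor.observe(ts, prefix, path))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(f"{alert.kind:18} {alert.prefix:17} {alert.detail}")
```

Running it against the constructed stream yields four alerts: an unexpected transit AS at t=300 together with a path-flap alert (three path changes inside the 600 s window), then a more-specific announcement with a foreign origin at t=420. The failover at t=120 stays silent because the new transit is in the baseline, and the foreign prefix at t=900 is not checked at all. In practice the baseline would be built from your own announcements and the observations would come from public route collectors or a looking glass.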


In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" is alive and thriving. A proactive intelligence-led investigation doesn't begin with a phone call from someone who says, "My system is down" or "What does this Blue Screen mean?" It doesn't start when your VP of Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet possessed by only a few.

09 November 2010

Operational Risk: 7 years and counting...

After writing this blog now since 2003, it is amazing how some items seem to be coming back full circle. Operational Risk does not change; only the places and the particular circumstances change. Do you know where a loss event will impact you and your organization next?

The US has intensified its war on terrorism on the financial front, targeting an ancient, informal system of money transfers that officials believe funnelled millions of dollars to Osama Bin Laden's al-Qaeda network.

The system is known as hawala, and it has been used for hundreds of years to move money across distances and around legal and financial barriers in South Asia and the Middle East.

The California Public Employees' Retirement System (Calpers) is opposing Freddie Mac's reappointment of auditor PricewaterhouseCoopers and the reelection of members of the mortgage finance company's audit committee, according to the Washington Post.

Any board member or executive today is well aware of the direct impact an adverse event or significant business disruption can have on shareholder value and customer confidence. When it does happen, how many people just throw up their hands and shout "Murphy's Law!"?

Murphy's Law ("If anything can go wrong, it will") was born at Edwards Air Force Base in 1949 at North Base.

It was named after Capt. Edward A. Murphy, an engineer working on Air Force Project MX981, (a project) designed to see how much sudden deceleration a person can stand in a crash.

Corporate Governance in the board room itself is blazing out of control at Hewlett Packard (HP) as a result of an internal investigation. The finger pointing, board resignations and ethics questions are all in the news. And that is just a very small story on the entire landscape of corporate digital surveillance or internal investigations. This is a business your insurance company is funding and for good reason.

These snapshots of the past demonstrate the variety, breadth and depth of the Operational Risk Management challenges before the Fortune 500 and the small and medium enterprises (SMEs) that have limited staff and resources. Yet the time, effort and resources dedicated to the INFOSEC, OPSEC, Internal Audit and Risk Management functions within the enterprise are in many cases dwarfed by the Marketing and Advertising line items in the budget.

Will one more 30-second spot of an insurance lizard (GEICO) or Vikings doing their banking (CAPITAL ONE) really make us change brands? Doubtful. On the other hand, if you were to show us that the bank is now using multi-factor biometrics for its online banking access and transactions, you might make us switch. Perhaps the insurance carrier could make us change with a difference of 45%, not just 15%, in savings, because we doubt you will be able to hedge the risk of another driver running into the back of my automobile on a rainy day on the freeway.

Operational Risk will continue to evolve as much as an "Art" as a "Science", because there will never be the perfect algorithm or software program to give you a sensor alert in time or in the right place. You need human factors to use such mechanisms as "Intuition", the "Reid Technique", and other senses that only Homo sapiens has the ability to process, with a brain that contains a large cerebrum. Without lots of these brains making sensory observations, analyzing and processing the possibilities, the likelihood of an adverse event will increase dramatically.

We are still amazed that organizations are spending more time and effort on sophisticated sensors and technology and less on the human factors. Yet the right ratio of both can get you to that place that tips the scales in your favor and your enterprise is on the verge of being more proactive, preventive and predictive.

When was the last time you spent a day on the front lines with your OPS Risk Team? It could be a CEO's wake up call...

04 November 2010

Linchpin: Who will you call?

Are you a "Linchpin" in your organization? The person who people may call the "Fixer", "Troubleshooter" or just plain "Rainmaker"? Are you considered to be a combination of all three, and indispensable? By now hundreds of thousands of people have read Seth Godin's book, Linchpin: Are You Indispensable?, and are well on their way to becoming more self-aware of their position within their organization. Are you just following instructions, or are you a leader or an artist in your industry or company?

Operational Risk Management Executives may know who in the organization are considered "Linchpins". If they don't know now, then it's time to learn who they are and why. Some of these people may even be outside the formal organization, and it's imperative that you know who they are as well. Why? Because when the next incident makes itself visible, or the Emergency Management Broadcast System breaks into the TV or radio show you're listening to, then you will know the correct "Linchpin" to deal with the risk category before you.

So who are some good examples of Linchpins? The people who get the call to handle the problem, issue or opportunity in their particular category or area of subject matter expertise:

Thad William Allen (born January 16, 1949) is a retired United States Coast Guard admiral who served as the 23rd Commandant of the Coast Guard. Allen is best known for his widely-praised[1][2][3] performance directing the federal response to Hurricanes Katrina and Rita in the Gulf Coast region from September 2005 to January 2006.

Following his position as commandant, Allen continued to serve on active duty for 36 days in his role as National Incident Commander of the Unified Command for the Deepwater Horizon oil spill in the Gulf of Mexico. Allen officially retired from the U.S. Coast Guard on June 30, 2010, but continues to serve as a civilian as the National Incident Commander of the Deepwater Horizon oil spill. He is a senior executive on the staff of DHS Secretary Janet Napolitano.[4]


Edward Bennett Williams (May 31, 1920–August 13, 1988) was a Washington, D.C. trial attorney who founded the law firm of Williams & Connolly and owned several professional sports teams. He represented many high profile clients, including Frank Sinatra, financier Robert Vesco, Playboy publisher Hugh Hefner, spy Igor Melekh, Jimmy Hoffa, organized crime figure Frank Costello, U.S. Senator Joseph McCarthy, corporate raider Victor Posner, Michael Milken, the Washington Post newspaper and the Reverend Sun Myung Moon.


Lara Logan (born 29 March 1971) is a South African television and radio journalist and war correspondent. She is currently the Chief Foreign Affairs Correspondent for CBS News, 60 Minutes correspondent, filing reports for the CBS Evening News and the CBS Radio Network. In late January 2007, Logan filed a report about fighting along Haifa Street in Baghdad.[4] When CBS News refused to run the report on the nightly news because the footage was "a bit strong"[5] (although the network did run the report on their internet site), Logan tried to win public support to reverse this decision.

Marissa Ann Mayer (born on 30 May 1975) is the vice president of geographic and local services [3] at the search engine company Google. She acts as a gatekeeper for their product release process, determining when or whether a particular Google product is ready to be released to users. She has become one of the public faces of Google, providing a number of press interviews and appearing at events frequently to speak on behalf of the company.[4]

Each one of these people at their respective organizations has been a "Linchpin" at a particular moment in history with the following characteristics articulated by Seth Godin in his latest book:

  • Charm
  • Talent
  • Perseverance

Seth does a great Venn Diagram on page 43 of his book that describes those who may have only two out of these three traits or areas of competency. If you only have Charm and Talent then you are a Prodigy. If you have Charm and Perseverance then you are a Princess. If you have Talent and Perseverance without Charm then this is pure Frustration. Yet if you have all three, then you are a Linchpin. Now think about the people you know in your organization who have all three. These are the Linchpins that you want to know and you want to have at the tip of your call list.

Operational Risk Management that is effective and responsive may require the Linchpin to handle a dire situation or rectify a dispute or investigate an allegation or discover the right balance of art and science.

The road to becoming indispensable may begin with some DNA, yet it is something that almost every human can aspire to. Search out the people in your organization who are Operational Risk Linchpins and find a way to have them start teaching your most promising students how to achieve greater levels of charm, talent and perseverance.