29 July 2012

Supply Chain: Interdependencies Risk...

In what countries do you operate? Do you source raw materials from politically unstable regions of the globe for your end products? Are you subject to a myriad of taxes, tariffs and duties, including new security measures in our ports? How complex are your sales and distribution channels? At the end of the day the big question is: What is my financial, operational and economic risk exposure in the event of a disruption in our external supply-chain?

The risk of external supply-chain interdependencies has been talked about for many years. Monte Carlo simulations, scenario analysis and other methods have been effective in determining what the magnitude of a loss event may look like. Once the dollar analysis is done and you know that your exposure is $XXM or $XB, what do you do with that information?

Much of the outcome of this exercise may go into the next strategic planning phase: who you need to partner with, or create an alliance with, in order to satisfy certain future contingencies. Once you realize that you need more than one source for a raw material or a key service to run your business, then the real analysis begins. Who are the best alternatives for this vital component in my global supply-chain, and where do I find them?

If you begin your due diligence now on the top 10 vital components in your supply-chain contingency planning exercise, you might have these all completed, through the legal department and signed within a few months' time, if you are lucky. Then you must really test the new supplier or source for your product or service to determine how smoothly they operate when you pick up the phone or send the "Alert".

The ultimate architecture requires an "Adaptive Supply-Chain" that will provide cross-border agreements and resilient mutual-aid partners to assist in times of crisis. Just shifting production from one country to another may not be enough to mitigate the disruption in a vital component of the manufacturing process or delivery of services. Having a reflexive and responsive supply-chain is only one of many contingencies in a robust Business Crisis and Continuity Management plan.

When was the last time you reviewed your key suppliers' and sourcers' plans for continuous operations and their record for testing these plans? This will be the place you find your greatest weakness in external supply-chain management. In the US, it is now less than 30 days away from the next hurricane season. Gasoline prices and fuel costs are impacting every sector of the economy. One thing is for sure: you are in complete control of your readiness factor. And your readiness factor is directly proportional to your interdependencies in your supply-chain.

21 July 2012

Crowdsourced Risk: Situational Awareness in Mass Emergency...

Real-time information and raw intelligence via mobile devices have changed the risk management dialogue from the Emergency Operations Center (EOC) to the corporate board room. Operational Risk Management (ORM) professionals are leveraging this information in combination with crowdsourced mapping applications, GPS, video feeds and live reporting. Intelligence Analysts have leveraged Big Data and Digital Analytics to extract the relevance of key questions asked by their constituents.

These same ORM professionals also realize the raw data feeds from John Q. Citizen are exactly that. Fact checking, vetting and data verification are still the task of journalistic and intelligence experts.

Whether you are talking about risk incidents that involve whistleblowers on Wall Street, severe weather events, natural disasters, the Arab Spring or an active shooter in a Denver, CO suburb, social media is there. Corporate Chief Information Officers are in the middle of "Bring Your Own Device" (BYOD) policy development, while National Public Radio (NPR) is using Twitter as a news room approach to reporting in the Middle East. Errors, Omissions and the operational risks associated with this "New Normal" are upon us with the crowdsourced future of news and intelligence:
Only a few days ago, we were writing about how users of Twitter and Reddit used those networks to tell a compelling story about a mass shooting in Toronto, and now the same phenomenon is playing out in real-time during another horrific incident: a shooting at a movie theater in Colorado that has killed at least a dozen people and wounded more than 50. Although local TV news channels and CNN have been all over the story since it broke late Thursday night, some of the best fact-based information gathering has been taking place on Reddit and via curation tools like Storify. In each of these events, we can see how a new form of journalism — one that blends traditional reporting and crowdsourced reports — is taking shape.
In an era when these applications and petabytes of pictures and videos are available to the public, the journalist/analyst has a tremendous volume of sources. And with those sources comes a renewed responsibility to the integrity of the real mission before us. The truth. What is actually the truth? What happened to whom and when?

The private sector has been leveraging Big Data Analytics for decades, including little-known companies such as Acxiom, to collect and verify information on people for the purpose of marketing. This indeed is a mature and established sector of the consumer retail industry and financial institutions for the purpose of operational risk management:
Acxiom Identity Data on Demand is a consumer-based web service that allows qualified organizations to use specifically regulated data for:
  • Fraud prevention
  • Debt recovery
  • Location of individuals (beneficiaries, witnesses, victims and missing persons)
  • Fraud management
  • Adherence to laws and legal requirements
Get fast access to real-time, comprehensive and cost-effective data on more than 300 million U.S. consumers. Even better: You’re in complete control. Unique data sets can be added as your data and business needs evolve, and you can control as many or as few pieces of information as you wish. Our advantage is in the flexibility and breadth of our data—our single application programming interface saves you the time and energy of having to aggregate multiple sources of data. 
Acxiom applies our industry-leading data integration and recognition capability, which eliminates the need for time-consuming entity resolution—giving you a high confidence that you have the right information on the individual—and helps you to quickly identify and prevent fraud.
The ideal combination of vetted and proven data sources from private sector companies such as Acxiom in the U.S., along with the raw reporting of information from social media sources, is the future of journalistic tradecraft. When journalists from trusted sources or trusted intelligence analysts misuse these tools or err in their use, the operational risk factors are magnified. This can damage reputations and even jeopardize human lives.

The mobile social media revolution has the potential to be a Pandora's Box.  Operational Risk Management discipline provides the framework and the proven methodologies to mitigate the likelihood of a "Decision Disadvantage."  Whether you are the editor of a major publication or the watch commander at the local police department does not matter.  Whether you are the CISO at a major corporate enterprise or the head of a government intelligence agency does not matter.  The mobile social media revolution is upon us and the new rule-sets should be established soon.  Where does it begin?

It begins long before Journalism school or high school English class. The ethics and integrity of information are at stake, and that begins the first time you hand a pre-teen their first mobile digital device. The information posted on Facebook, Reddit or the organizational blog is at stake. Crowdsourcing and Crowdmapping with the correct tools and trusted rule-sets is just the beginning.

From innovation to Revolution, Patrick Meier and his blog capture even more on the crowdsourcing topics we have started to explore in this post. Also be sure to visit Sarah Vieweg's latest dissertation on situational analysis:

Situational Awareness in Mass Emergency: A Behavioral and Linguistic Analysis of Microblogged Communications (2012)
"In times of mass emergency, users of Twitter (a popular microblogging service) often communicate information about the event, some of which contributes to situational awareness. Situational awareness refers to a state of understanding the “big picture” in time- and safety-critical situations. The more situational awareness people have, the better equipped they are to make informed decisions. Given that hundreds of millions of Twitter communications (known as “tweets”) are sent every day and emergency events regularly occur, automated methods are needed to identify those tweets that contain actionable, tactical information."

04 July 2012

July 4th, 2012: U.S. Vets Bring 236 Years of Freedom...

Operational Risk professionals know and understand that on this July 4th, 2012, we celebrate our freedom for one reason: our veterans, those who serve and those who have served the United States of America. This year, we ask you to do your best to hire a veteran for your business. They make excellent Operational Risk Management experts, and here are the other reasons your company should hire a vet:

  1. Companies Value Veterans' Leadership and Teamwork Skills
  2. Veterans' Character Makes Them Good Employees
  3. Veterans are Disciplined, Follow Processes Well and Operate Safely
  4. Companies Seek Veterans' Expertise
  5. Veterans Adapt and Perform Well in Dynamic Environments
  6. Veterans are Effective Employees
  7. Veterans in the Organization are Successful
  8. Veterans are Resilient
  9. Veterans are Loyal to their Organization
  10. Hiring Veterans Carries Public Relations Benefits
  11. Hiring Veterans is the "Right Thing to Do"

Source:  Employing America's Veterans - Perspectives from Businesses

Happy 236th Birthday America!  Hire a Vet this year...

02 July 2012

Derecho: OPS Risk in the NCR...

The Operational Risk professionals in the Washington, D.C. region are scrambling these past few days as a rare "Derecho" swept across Ohio, West Virginia, Virginia, and the National Capital Region of the United States on Friday night.  The power generators are now humming at full capacity and the diesel fuel trucks are going into action for the myriad of data centers impacted by the massive power outage:

Widespread hurricane-force winds associated with a multiple-state derecho have taken out power to millions and left at least 15 dead.
A derecho, defined as a widespread, long-lived wind-storm with a band of rapidly moving showers or thunderstorms, formed in northern Indiana and raced east and southeast into the Mid-Atlantic states within 10 hours, according to the Storm Prediction Center (SPC).
Widespread high wind gusts in excess of 70 to 90 mph were reported as the derecho downed thousands of trees, power lines and damaged homes and other structures along its estimated 600 to 700-mile path Friday afternoon into late Friday night.

The term "Business Resilience" is now becoming more widely used beyond just Business Continuity, as corporate and small enterprises focus on being able to withstand at least a 72-hour (3-day) incident of this magnitude. Because it was not forecast, unlike a hurricane, where businesses may have days to prepare, this is a real wake-up call for many.

Even when you are the mighty Amazon Web Services, Mother Nature can take her toll. Several high-profile sites were down for some period as a result of the massive Derecho:
A severe patch of storms that rumbled across the Eastern U.S. — leaving nine people dead and millions without power — also disrupted an Amazon Web Services data center, affecting service for social media sites like Pinterest, Instagram and Netflix, which host their services at Amazon’s data centers.
Business Resiliency is about bouncing back, quickly. Ten minutes later, the power services were restored and they were up and running. Power yes, data is a different issue. Amazon Web Services (AWS) is just one reason why the "Cloud" is here to stay and the adoption rate by many business CIOs is rising. Now, are there some cloud providers capable of withstanding a strong thunderstorm such as this? Absolutely. If you are a business with mission-critical applications that are reliant on the cloud service provider's infrastructure, you may ask: what due diligence has your organization done? What are the interdependencies of your cloud service provider?

When you tour one of these data centers, you will see the massive CAT diesel generators and your tour guide may tell you that they spin up in "xx" number of seconds upon power failure.  The next question is, what is the size of the fuel supply?  The rest of the Business Continuity 101 questions then get answered. So how do you know for sure that you WILL NOT be impacted because of an adverse event such as this one, in the National Capital Region this weekend?

You don't. Regardless of the data hosting or cloud provider, the risk is real and data availability will never be 100%. This brings us back to resilience and the degree to which an Operational Risk professional visualizes and has effective strategy execution for those processes and systems that are the lifeblood of almost every enterprise today. Even though we have some so far, the business case for resilience continues to become more apparent on a daily basis:
"Even as the impact of disruptions was growing, so too was their frequency, velocity and unpredictability. Who anticipated a Japanese reactor meltdown, a deep water oil spill or an Icelandic volcano that closed trans-Atlantic traffic? In the age of volatility, companies must develop the capacity to manage the outcomes of disruption, irrespective of trigger." U.S. Resilience Project - Resilience Roundtable Report

Here in the metro region of the United States Capital, critical infrastructure is being tested: at hundreds of roadway intersections with traffic lights out, at senior citizen centers, gas stations, restaurants and all those impacted without air conditioning as the temperature soars to the high 90s again today. Saving data or saving lives, the people and the organizations who have the resources, time and correct tools will continue to try to hedge risk, mitigate risk and avoid risk.

It is only those who deny the existence of risk in their environment who will become victims of this or a future event. For each person or organization who has the resources, time and tools and then still becomes a victim, we can only ask: why? Why would you put yourself in this situation?

Questions for Future Consideration:

  1. How can the public and private sectors better collaborate to address emerging risks?
  2. How can the competitive advantages of resilience be balanced against the shared value of collaboration and information-sharing around best practices, processes and tools?
  3. How can the private sector leverage best practices in risk management and resilience to identify opportunities to streamline rules and regulations?
  4. What are the new skill sets needed to create a resilient workforce able to anticipate and manage volatility and uncertainty?