30 December 2012

2013: The Speed of Operational Risk...

As we look into the rearview mirror of 2012 and scan the horizon of 2013, Operational Risks are ever more present. Whether you are a leader of a global organization or the sole breadwinner of your single-parent household, the management of risk is a daily priority. Even getting enough sleep is a risk to health and well-being.

So what are you going to do about 2013 and managing risk in your life?  Your company.  Your nation.  Operational Risk Management is a discipline that can be mastered and those who will excel in the next few years understand what is at stake.  Unfortunately, many people and organizations will not have the wisdom, experience or resources to survive the onslaught of new threats and to mitigate existing vulnerabilities.
"Achieving a substantial level of competence and resilience in Operational Risk Management takes decades of experience in seeing the mistakes.  Witnessing the tragedy.  Feeling the successful outcomes of a solid process for sense making.  Using information in ways that we never dreamed about.  Turning speed into your greatest ally."
Your ability to thrive in 2013 and beyond will rest with your leadership and the ability to adapt. Yet even beyond this fundamental reality is the continuous discipline to effectively accept more risks. The organizations and individuals who rise to the 2% or even 1% took more risks than you did. The question is, why?

Accepting a risk means that you have to think through the real potential outcomes, both positive and negative. And you have to make the decision to accept each risk action at light speed. Otherwise, it is too late. This is not a game of spending too much time trying to figure out odds and percentages as much as it is a professional decision to act, while not knowing the exact future outcome. What you do know is the clear result of a positive outcome and, even more importantly, the result of a negative outcome.

Can you live with either outcome? If the answer is yes, then you should consider yourself a true Operational Risk Professional. Now make those decisions faster, before someone else makes them first...

We wish you an abundance of new and rapid Operational Risk decisions in 2013!

15 December 2012

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces draw on members of the corporate Operational Risk committee, including the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and Chief Information Officer or Privacy Officer.

Assessments of threats in the workplace, including violence, sabotage, financial fraud, homicide or suicide, are growing in the current economic environment, and Boards of Directors are on alert. The Board has a daunting responsibility to provide the enterprise stakeholders:
  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility of corporate management and directors, but this is not anything new per se. What may be trending upwards, and at an alarming rate, is the litigation associated with continuing job losses in many states across the United States where the stimulus programs have not stopped the erosion of employment opportunities. This in turn exacerbates the pressure on existing employees, who are being held hostage by employers to do more with less, and the stress factors in their jobs produce extreme and sometimes bizarre behavior. Just ask Dr. Larry Barton about the subject of corporate threat assessment:
Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital.

This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

Addressing a growing threat from a person in the workplace takes a dedicated team, with the right tools and information at their fingertips. Making split-second decisions without documented evidence, failing to follow the protocol set out in written policies, or just getting the timing wrong can open the doors for substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires sound execution of a governance strategy, combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has acted or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive. 

01 December 2012

Powerbase: Information Operations in the Workplace...

How robust are your organization's "Information Operations" capabilities? The degree to which the threat to your institution escalates in a war of words is going to be in direct proportion to your ability to monitor and counter the "Powerbase" within your information-centric community.

Operational Risk within the institution, the city or the country is a factor of the likelihood of a particular threat and the ability to deter, detect, defend and document the threat. However, overtly censoring, blocking or suppressing your particular community from communicating freely will be difficult, if not impossible. Or will it?
By Craig Timberg and Babak Dehghanpisheh, Published: November 29 
Syria’s civil war went offline Thursday as millions of people tracking the conflict over YouTube, Facebook and other high-tech services found themselves struggling against an unnerving national shutdown of the Internet.
The communications shutdown immediately evoked memories of similar action by Libya’s Moammar Gaddafi and Egypt’s Hosni Mubarak, and it sparked fears that President Bashar al-Assad could be preparing to take even harsher action against Syrian opposition forces, which have recently made significant advances in the battle against the government.
A Syrian official blamed the outages on technical problems. Analysts said it was far more likely that Assad had ordered the Internet and some cellphone connections switched off, although it was possible that a rebel attack had severed crucial cables. 
Whatever the cause of the blackout, it was clear that the remarkable window into the war offered by technology had dramatically narrowed for Syrians on both sides of the conflict and the many outsiders following the story. Observers said it signaled the beginning of a dangerous new phase after 20 months of escalating conflict.
Nation states have for years been subjected to the technology innovation of proxy servers and other methods for obtaining blocked Internet content. The human element of the insatiable pursuit of information will continuously provide the innovation needed to obtain information that has been withheld from the community. Whether that community is a corporation or a country, the employees or the citizens will find a way to gain the access and obtain the information they seek.
“...our intelligence apparatus still finds itself unable to answer fundamental questions about the environment in which we operate and the people we are trying to protect and persuade.” Lt. Gen. Michael T. Flynn, U.S. Army
The ability to utilize ubiquitous devices such as camera-enabled wireless smart phones has changed the landscape for "Information Operations" within your company and your local community. Operational Risk professionals are keenly aware of the requirements to monitor and detect the use of rogue communications devices in the workplace, including unauthorized broadband hot spots (simple and effective). Yet the state of business and politics precludes these individuals from truly understanding what their real role should be in this fight for zeros and ones. The fight is not about learning who has unauthorized access; it is about understanding human behavior and the powerbases within a particular community.

Even the use of more sophisticated wireless mesh networks has been pervasive for years within the context of the USIC and where U.S. defense forces need to operate in areas with little or no telecommunications infrastructure. This begs the question: to what degree are these same kinds of capabilities being utilized within the context of industrial espionage and foreign intelligence services within the skyscrapers of downtown Washington, DC, Chicago, New York or Los Angeles?
Having a better understanding of the powerbase of each actor, the number and types of dimensions of that power, which elements of the powerbase are inherent or inferred, and whether it is growing or shrinking through cooperation or conflict, are all essential elements of information in stability operations and prerequisites for effective influence operations. Understanding Local Actor Bases of Power - Col. Patrick D. Allen, USA (Ret.)
So how easy or difficult would it be to set up a relatively effective mesh network? Look to one of the leaders in the technology itself for guidance:
Firetide Corporate Profile
Reliable Connectivity Anywhere: Designed for seamless indoor and outdoor operation, Firetide mesh networks securely handle concurrent video, voice, and data applications, making it ideal for large scale municipal and enterprise networks. The mesh's self-forming and self-healing properties enable rapid deployment and highly reliable operation. Firetide's AutoMesh routing protocol manages network load and traffic flow to optimize mesh-wide performance and capacity.
If the City of Chicago or the country of Singapore can utilize these capabilities to create their own information networks for voice, video and data applications then so too could any private enterprise with the right funding and the people to operate these systems.

Your organization's "Information Operations" capabilities go far beyond the IT department and their ability to sweep for rogue "Wi-Fi Hotspots" in the workplace. It could mean the difference between the safety and security of your municipality or the entire academic campus. In either case, the powerbase of information will still have to be analyzed and understood. Without this powerbase insight your organizational "Operational Risks" will remain unknown and your ability to mitigate these risks unknowable.