30 March 2014

SMART Objectives: The Catalyst for Resilience...

The past four days participating in Alaska Shield of the National Level Exercise Capstone 2014 is a stark reminder of how far we have come and yet how far we still have to go. Operational Risk Management (ORM) is evolving into a discipline with an over arching set of objectives. The organizations and entities that do not understand the purpose and the reason behind, having SMART objectives, might need a refresher:
  • Simple
  • Measurable
  • Achievable
  • Realistic
  • Task-oriented
Without "SMART" objectives, any project will continue to strive for a purpose and a relevant set of outcomes. Constituents, stakeholders and various affected employees that intersect with an internal risk mitigation exercise, will continuously require coaching on how to base the project on "SMART" objectives.

Next, the stakeholders will require a path forward that includes a building block approach to gaining consensus, agreement and a set of written events that will either be simulated or real. These events comprise a master scenario, that the organization will utilize to test a hypothesis or set of operational capabilities. The high reaching outcome, is to determine where there are gaps, vulnerabilities and opportunities to improve.

The building blocks approach may include:
  1. Seminars
  2. Workshops
  3. Table Top Exercises
  4. Games
These provide the stakeholders with the opportunity to converge on their respective areas of expertise and integrate them with the overall scenario being developed. However, these are still based upon first identifying the "SMART Objectives" and the application to your particular business, organization, city, state or country.

Taking the foundation of Operational Risk Management and applying a process for evaluation, requires a set of standards so all of the respective constituents, will be talking and practicing from the same exercise play book. In the United States this standard is HSEEP or "Homeland Security Exercise and Evaluation Program":
The Homeland Security Exercise and Evaluation Program (HSEEP) is a capabilities and performance-based exercise program that provides a standardized methodology and terminology for exercise design, development, conduct, evaluation, and improvement planning.

The Homeland Security Exercise and Evaluation Program (HSEEP) constitutes a national standard for all exercises. Through exercises, the National Exercise Program supports organizations to achieve objective assessments of their capabilities so that strengths and areas for improvement are identified, corrected, and shared as appropriate prior to a real incident.
Whether your organization is new to doing functional or full-scale exercises doesn't matter. Having a process oriented model for program management and project management will provide you with the tools and the foundation to achieve new found learning on where and how to improve your enterprise resilience.

Operational Risk Management professionals are working with an organization or population that is constantly striving to be more resilient. Without testing, without exercising and without the process framework in place to try and achieve measurable objectives, the organization will never gain the vital insight on where and how it can improve rapidly. It will never fully understand where the enemy will try and exploit the weaknesses. The organization will never realize their resilience factor at this point in time.

When was the last time your organization really tested itself, to survive? How long has it been since you re-established the relationships and the trusted connections with your own supply chain? Why has it been that long? There are some elite organizations in the world who understand readiness, that have learned along the way of their evolution why exercising and a trusted supply chain is critical to their own survival before the next incident occurs:
To become a SEAL in the Naval Special Warfare/Naval Special Operations (NSW/NSO) community, you must first go through what is widely considered to be the most physically and mentally demanding military training in existence. Then comes the tough part: the job of essentially taking on any situation or foe that the world has to offer.
Direct action warfare. Special reconnaissance. Counterterrorism. Foreign internal defense. When there’s nowhere else to turn, Navy SEALs are in their element. Achieving the impossible by way of conditioned response, sheer willpower and absolute dedication to their training, their missions and their fellow spec ops team members.
This analogy to the Navy SEALs demonstrates that preparedness long before you are asked to test your own resilience, will save lives. Yet there are so many other ways that our planet and the people on it, are being tested every day outside of the context of counterterrorism or national defense missions.

"Mother Nature" and the magnitude by which she continues to unleash her strength and in many cases her unrelenting path to destruction (hurricanes, earthquakes, drought, pandemic) makes any organization vulnerable and any population exposed to substantial operational risks:
The IDRN is the official arm of the Starfish Community for responding to disasters around the world. No single organization has the resources to respond to every disaster event, but because of the partnerships within the Starfish Community, members are able to leverage the strength of the entire network to provide meaningful help to those in need.

Every event is different in location, scope and impact. As different Starfish Community members decide whether or not to respond to any single event, those individuals and/or organizations that choose to respond, can pull together and collaborate with other Starfish Community members through the International Disaster Response Network which is often referred to as the IDRN.
 
Because disaster response conversations are so specific and time-sensitive, the IDRN has its own dedicated website for sharing information and managing collaboration. It can be found online at: www.idrn.info.
When you think about resilience in the context and relevance of the threats before us, we all have to realize that whether it is the National Level Exercise (NLE), US Navy SEALs or the Starfish Community, only SMART objectives will increase our ability to learn, to save lives and allow for the potential survivability of our organizations or impacted populations.

01 March 2014

RSA Conference 2014: The Aftermath and the Consequences...

The 2014 RSA Conference USA is complete and yet what have we learned?  Operational Risk Management (ORM) is still top of mind from the "Board Room" to the back office.  The mitigation strategies are permeating the 3rd Party supply chain, as management realizes that operational risks really do exist with partners and suppliers.  By now the RSA attendees are reviewing their notes, connecting with people on LinkedIn and sorting the stack of business cards on their desk.  Now what.
  • Have some of the largest retailers been the victims of massive data breach hacks?  Yes.  Have those attendees of the RSA Conference who downloaded the mobile app been exposed to a potential data leak of their information.  Yes.
  • Meanwhile, Operational Risks exist far beyond Moscone and San Francisco.  Have financial institutions been fined by government regulators over alleged violations of the sale of mortgage securities, that lead to the 2008 financial crash?  Yes.  
  • Have the age old competitive intelligence tactics evolved into full blown "Industrial Espionage" funded and supported by nation states?  Yes.
  • Has the polar vortex created a vast economic risk for millions of businesses due to adverse weather? Yes.
And the Operational Risks to your organization will continue, that is for certain.  How after a week of RSA can you return to your enterprise and know where to begin?  What to change.  What new initiative to begin.  What new vulnerability to remediate.  Don't worry, the list will not be getting any shorter.  The priorities however may be changing.

So maybe it is time for a new "Consequence Assessment."  Here are the key variables for the rows of your matrix:
  1. Loss of life:  Likely fatality count.
  2. Economic damage:  Estimated costs of the attack or hazard.
  3. Psychological impact:  Considerations of change in population behavior toward social functions.
Now, the consequence levels become your columns of the matrix:
  • 0 - None or Negligible
  • 1 - Minor
  • 2 - Moderate
  • 3 - Significant
  • 4 - Catastrophic or Severe
In order to make the consequence assessment relevant and applicable to your business size, industry sector and geographic location, you now need to define each of the cells of the matrix.  So as an example, if we go to the matrix cell of Economic Damage / Moderate (2), what is your definition?  In the range of $1 billion to $10 billion.

If you are JPMorgan Chase then this may be the case for a consequence of legal liabilities, due to adverse litigation by the U.S. government in the Madoff case:
JPMorgan Chase has been fined more than $2 billion for violations of the Bank Secrecy Act tied to failure to report suspicious activity related to Bernie Madoff's decades-long, multi-billion dollar Ponzi scheme. Madoff was sentenced in 2009 to 150 years in prison for his deception. 
The fines against Chase were the result of three settlements. A settlement with the U.S. Attorney's Office for the Southern District of New York included a $1.7 billion penalty; a separate settlement with the Office of the Comptroller of the Currency included a $350 million penalty. Additionally, the Treasury Department's Financial Crimes Enforcement Network fined Chase $461 million for BSA-related violations. But FinCEN determined that its fine was satisfied by Chase's payment to the U.S. Attorney of New York.
If you are a mid-level business enterprise in the software industry that develops an "App" for consumers to file their income taxes online, then the metrics will be different for a moderate consequence of "Economic Damage." Your matrix will be entirely different and fine tuned to what is relevant in your industry sector.

The Loss of Life category will be an interesting exercise.  None or Negligible will be zero fatalities. Yet how do you define the difference between minor (1) and moderate (2).

The Psychological Impact category will span:

0 - None or Negligible = No major change in population behavior; no effects on social functioning
to
4 - Catastrophic or Severe = Loss of belief in government and institutions; widespread disregard for official instructions; widespread looting and civil unrest

Once you have designed your particular matrix for your size and type of business, the real work begins. You must now begin developing the "Use Cases."  What are the scenarios that you will apply to the exercise that will take place next with the effected stakeholders?

In a generic fashion, you will design specific and customized scenarios that address the major business revenue components of your particular enterprise.  You are imagining an attack or hazard outcome, that impacts that component of your business.  Such as these typical cases:
  • Earthquake destroys data centers
  • Tsunami overcomes nuclear reactors
  • Data hack exposes millions of customers PII
  • Infectious disease outbreak across work force
  • Government prosecutes for violations of regulatory laws
  • Employee sues company for management harassment
  • New Customer Order Management system launch encounters substantial bugs/failures
After you have cleaned off your desk from a week away at RSA, the work really begins.  Start your new "Consequence Assessment" soon.  Gather senior executives for an off-site for two days to review the new scenarios you have designed.  Get their independent feedback and perception of the variables of your matrix.  Ask your Board of Directors for the resources and budgets to address the outcomes and insights from the exercise.
“ Man must be arched and buttressed from within, else the temple will crumble to dust. ”
— Marcus Aurelius Antoninius