18 May 2014

Transparency: "Square One" in ORM...

Operational Risk Management (ORM) has been evolving for over a decade.  There are new insights into why effective business process management coupled with Operational Risk architecture makes sense, through the lens of the Board of Directors.  Transparency.

Still to this day, the questions remain:
  • What can my organization do about the risk of loss resulting from inadequate processes, people, or systems?
  • To what extent should my organization link employee compensation or job performance with operational risk management?
  • How is operational risk taken into consideration when new products or technology solutions are designed or acquired, deployed, and executed?
  • Does my organization have an inventory of its key business processes with documented controls and designated senior managers responsible?
Can these questions be answered in a book of 308 pages from 2008?  It was a good start, to say the least.  The authors understood that to really embed a culture of ORM into the enterprise you have to begin at the architecture level, the business process level.  This is far in advance of the governance of information and the business rules coded into software systems, even for such mundane corporate tasks as expense report or travel request review and sign-off.

You see, some companies still think that they are just doing fine with their Safety and Security Team, Continuity of Operations and Crisis Team, Chief Information Officer (CIO), General Counsel (GC), Chief Financial Officer (CFO) and in limited cases the Travel Risk Management department all working autonomously.  They think that having a few dedicated investigators to look into corporate malfeasance is all they require in a corporate population of tens of thousands.

What do we mean by autonomous?  Not what you may think.  There is no doubt that the leaders of these organizational departments are cooperating and coordinating functionally.  They have each other on speed dial.  They share high level red alert intel with each other.  The question is, what is being done at the metadata level of the Operational Risk Enterprise Architecture (OREA)?  How are they designing Operational Risk Management systems to answer key questions at the speed of business?  To continuously adapt to an organization’s changing global environment, executives must know about, keep in balance, and communicate several vital components:
  • What are the organizational strategies (Strategic Intent) and how these should be implemented (Strategy Development and Organizational Change)
  • What organizational processes are executed and why, how they are integrated, and how they contribute to the strategy of the organization (Business Process Management)
  • How human resource utilization is working and whether there is optimum use of skills and resources available across processes and functions (Human Resource Management)
  • To what extent the enterprise organizational chart is cognizant of appropriate roles and responsibilities, in order to effectively and efficiently carry out all work (Organization Management)
  • What IT applications exist and how they interface with what processes and functions they support (IT Portfolio Management)
  • How the performance of each process, each function and each individual adds up to the organization’s performance (Performance Management)
  • What projects are currently underway, how they effect and impact change, what processes and IT applications they change and how this contributes to the strategy of the organization (Project & Program Management)
Is Operational Risk Management (ORM) about "Big Data Analytics"?  Only if your organization values better transparency, governance and regulatory compliance.  Ask the Board of Directors their answer on this question to determine whether ORM is a "Big Data Analytics" issue.  How big is big?

The momentum for transparency is now at the U.S. government level of commitment.  It is the law.  As a prudent ORM practitioner, you already realize the cancerous outcomes from organizational fraud.  You know the root cause of the systemic disease that contributes to fraud within the enterprise.  Big Data Analytics will mean nothing without increased transparency.  Now we can ask the questions that we all want answers to:
The final language also requires everything the federal government spends at the appropriations account level to be published on USASpending.gov, with the exception of classified material and information that wouldn't be revealed in response to a Freedom of Information Request. One amendment, added earlier Thursday, gives the Department of Defense the option to request extensions on its implementation of the bill's requirements.
The Operational Risk Management (ORM) architecture of your enterprise will now begin with transparency, as the fundamental "Square One".

04 May 2014

Consumer Privacy USA: The Risk of Viceroy Tiger and Keyhole Panda...

There is a flurry of Operational Risk Management (ORM) activity around the DC beltway and across Silicon Valley in order to gain new consumer confidence.  The confidence that their personal metadata and information is being protected with encryption software and that privacy policies are in place to notify users, when their information is requested by the government.  Interesting.

Much of this wasted bandwidth is focused on competitive strategies.  If LinkedIn gets 3 or 4 stars from the EFF "Who Has Got Your Back Report" then our social media company should aspire to do the same. Transparency to the consumer end user on how data is protected and when you are notified of it being lost, leaked, hacked or handed over to law enforcement is the buzz right now.  Why?
Apple, Facebook, others defy authorities, notify users of secret data demands 
By Craig Timberg, Published: May 1 
Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered. 
Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July. 
As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries.
Enterprise businesses are now waking up to the reality of investing in more robust Operational Risk Management (ORM) practices within their Enterprise Architecture Framework.  Areas that have been neglected in the architecture for data transport are now finally being updated.  Even the exposure of the state of deployed SSL capabilities, as a result of the "Heartbleed" vulnerability, has finally motivated many to upgrade to TLS 1.2 and add Forward Secrecy.  LinkedIn, which gets multiple stars from the EFF (and only a "B" from Qualys SSL Labs), still does not use TLS 1.2, and the average consumer does not understand why Forward Secrecy is an important capability or why Google uses it within the popular Gmail service.
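As an added example, not code from the original post, the check below reads a transcribed SSL Labs-style scan result (the protocol versions a server offers and the cipher suites it accepts, in OpenSSL or IANA naming) and reports the two things the paragraph asks for: TLS 1.2 enabled with nothing older, and cipher suites that provide Forward Secrecy. The input shape and the sample scans are constructed and do not describe any named company.

```python
import re

# Protocol versions from weakest to strongest; the post's floor is TLS 1.2.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_PROTOCOL = "TLSv1.2"

# Forward secrecy comes from an ephemeral (EC)DHE key exchange: a later theft
# of the server's long-term key cannot decrypt recorded traffic.  Static
# "ECDH-" / "DH-" and plain RSA key exchange do not match this pattern.
_EPHEMERAL_KX = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[_-]", re.IGNORECASE)
# TLS 1.3 suites carry no key-exchange name; the protocol is always ephemeral.
_TLS13_SUITE = re.compile(r"^TLS_(AES_|CHACHA20_)", re.IGNORECASE)

def has_forward_secrecy(cipher: str) -> bool:
    """True for suites whose key exchange is ephemeral (OpenSSL or IANA names)."""
    return bool(_EPHEMERAL_KX.match(cipher) or _TLS13_SUITE.match(cipher))

def _rank(protocol: str) -> int:
    # Unknown or misspelled protocol strings rank below everything so they
    # are surfaced as weak rather than silently accepted.
    return PROTOCOL_ORDER.index(protocol) if protocol in PROTOCOL_ORDER else -1

def audit(scan: dict) -> dict:
    """Summarise a transcribed scan: {"protocols": [...], "ciphers": [...]}."""
    floor = _rank(MIN_PROTOCOL)
    weak_protocols = [p for p in scan["protocols"] if _rank(p) < floor]
    fs = [c for c in scan["ciphers"] if has_forward_secrecy(c)]
    non_fs = [c for c in scan["ciphers"] if not has_forward_secrecy(c)]
    supports_tls12 = any(_rank(p) >= floor for p in scan["protocols"])
    return {
        "supports_tls12": supports_tls12,
        "weak_protocols": weak_protocols,
        "fs_ciphers": fs,
        "non_fs_ciphers": non_fs,
        # What the post asks for: TLS 1.2 on, nothing older, and FS available.
        "meets_goal": supports_tls12 and not weak_protocols and bool(fs),
    }

# Constructed sample scans (not real measurements of any named company).
LEGACY_SCAN = {
    "protocols": ["SSLv3", "TLSv1.0"],
    "ciphers": ["RC4-SHA", "AES128-SHA", "ECDH-RSA-AES128-SHA"],
}
HARDENED_SCAN = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
}
```

Note that a static "ECDH-RSA" suite is deliberately not counted as Forward Secrecy, which is the mistake an eyeball check of a cipher list most often makes.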

The privacy policies and opt-out capabilities the consumer really needs are from the private sector companies that are currently trading your personal information.  Your browsing history.  Your purchases at national retailers.  When was the last time you gave your phone number to a cashier at the register, to earn buy 1 get 1 coupons or a discount at the local gasoline pump?  Where do you think all of this activity-based behavior about you the consumer is being resold?

The marketing of privacy and security will continue to become a product or service differentiator.  The government agencies will continue to follow the law to obtain your information.  The magistrate judges will make sure of this.  The adversaries however, are becoming more productive and will find new exploits to attack your infrastructure in new ways, on vectors that you have not even thought of yet.

Who are some of the adversaries?  A few worth noting:

  • Iran:  Cutting Kitten
  • India:  Viceroy Tiger
  • China:  Comment Panda, Deep Panda, Foxy Panda, Keyhole Panda, Union Panda, Vixen Panda et al

These cyber adversaries are in many cases focused on cyber espionage and the theft of your Intellectual Property or Research and Development.  This leaves hundreds of other capable crime-ware driven organizations across the globe, who are targeting other valuable data to perpetuate their fraudulent activities.  So what have you done at the Board of Directors level and the Executive "C" Suite, to pave the way for more effective collaboration with the G-man?

Collaboration with the FBI, Secret Service, SEC, FTC, OFAC, U.S. Attorney, State Attorney General or even the local county prosecutor is a prudent and wise Operational Risk Management strategy.  "Complacency"--this could be one of the greatest vulnerabilities that your shareholders and stakeholders have ignored.  A proactive organization has established protocols, implemented best practices and tested policies.  They are already in place to work collaboratively with local, state and federal government.  These organizations will ultimately be the marketplace front runners.
“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
This is just one more example of what is becoming the new normal.  The Operational Risk Management (ORM) professionals in your organization are ready and willing to support corporate executives and the Board of Directors' newfound enlightenment.  Your new government partners will even share information with you, on the latest modus operandi of "Keyhole Panda"...