23 November 2014

Trust Decisions: The Future State of Risk Management...

Trust Decisions are being made at the speed of light. The rules of the game are embedded in lines of code written to instruct computers and simultaneously in the rule of law that is printed in Constitutions around the globe. As the speed of Internet commerce accelerates, the Operational Risk Management (ORM) frameworks will evolve and adapt. The privacy vs. security evolution is now in full debate as our Critical Infrastructures feel the stress of points of failure.

The future architecture of what is at stake continues to be challenged in so many ways.  Jeffrey Ritter sums this up perfectly:
"Yet, in either direction, freedom vs. surveillance, what are being proposed are nation-state rules. At this point in the Net’s evolution, any national solutions seem almost contradictory to the ambitions of any government to actually be effective in achieving their ambitions. The inherent functionality of the Net is to “route around failure”. Nation-state rules that impose restrictions on the market’s appetite to create economic pricing tiers merely drive commercial activity into other geographic regions. Laws requiring backdoors have the same effect, provoking and encouraging bad actors to find mechanisms that avoid such technology features to be baked into the relevant devices. In a global market where, as one economist observed, there will soon be no further emerging economies, what is the proper role of the nation-states toward the Net? When do new regulations, well-intentioned to provide positive qualities of life, actually become walls that divert the movement of information, funds, and economic activity to other geographic regions?"
As the governance of the Internet continues to be debated, consider the velocity of what is occurring even as broadband and wireless are still so scarce in many locations around the world:
Alibaba Group Holding Limited is a Chinese e-commerce company that provides consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. 
Alibaba's consumer-to-consumer portal Taobao, similar to eBay.com, features nearly a billion products and is one of the 20 most-visited websites globally. The Group's websites accounted for over 60% of the parcels delivered in China by March 2013, and 80% of the nation's online sales by September 2014. Alipay, an online payment escrow service, accounts for roughly half of all online payment transactions within China.
The "Trust Decisions" being made every day by citizens of the planet Earth using the Internet continue to grow exponentially. The systems-of-systems are executing the rules given to them and the human element is beginning to diminish. Why?

Most people believe in some form of risk management, and the truth is that it doesn’t work all the time. It doesn’t work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough. Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise?  Where all risks are mitigated and humans can achieve an environment of trust that is sustainable.  We think it is.  In the right environment and in a specific scenario, surprise is now “impossible”.

“Trust Decisions” occur today at the speed of light and with an accuracy of 99.999%. Risk Management is our current state and it is destined for extinction. Trust Decisions, as we will now apply them, become our future state. With zero surprise. The truth is that risk management is obsolete and a new digital invention is ready for mankind.

16 November 2014

Top Ten Mistakes: Board of Directors Risk...

A few years ago, Randy Myers' article in Corporate Board Member Magazine discussed a Top Ten List for the Board of Directors. In light of the current state of corporate performance, we would like to revisit the most common mistakes.

General Counsel to Directors: Your 10 Most Common Mistakes

The in-house lawyers think that you've got a lot to learn about risk, trust, and reward. And when there's trouble, you too often fail to follow the Boy Scout creed: Be Prepared. By Randy Myers

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the dilemma of False Options
And as Randy so clearly states: "Serving on a corporate board isn't easy. Avoiding these common mistakes should be."

We can't accept that No. 4 is even on this list. No. 2 and No. 3 are ever so commonplace. And No. 7 is not a surprise. But what continues to amaze even those professionals associated with consulting to the Board of Directors is No. 8.

The Chief Risk Officer (CRO) is the independent keeper of oversight in the corporate enterprise. Should any organization be the subject of an investigation by the SEC, FTC or any other government regulator, they need to look to the CRO. It's the job of any CRO to keep regulator awareness at a high level and to let the business be in charge of risk management. Whenever you see a CRO getting involved in managing the risks of the business, then the independence and clarity of oversight have been extinguished.

The General Counsel and the Chief Risk Officer must work hand-in-hand to follow the Boy Scout creed:

Be Prepared.

09 November 2014

Veterans Day 2014: Leading the Enterprise to Victory...

The 1% are soon to be recognized on Tuesday, November 11, Veterans Day. CxOs across the country who have served in the military know all about "Operational Risk Management" (ORM). They understand that the safety and security of their personnel is paramount, if they are to achieve the mission assigned to them by the Board of Directors and the majority stakeholders.

If only 1% of the country serves in the military, and fewer still make it to the rank of CxO in commercial industry, it makes sense that ORM remains so esoteric. Only an enlightened few truly understand the value of investing in continuous training, cultural and ethical development and the safety and security of not only employees, but also intellectual capital and information assets.

Indeed, this Veterans Day is a time to focus on our 1%.  Those who have served the United States of America in the Armed Forces.  At the top of each of these branches including the Army, Marine Corps, Navy, Air Force and Coast Guard are people that have seen, smelled, heard, felt and lived with the logic and the necessity for Operational Risk Management.  Why is the Navy leadership focused on ORM?
ORM is the guiding Navy instruction for implementing the ORM program. The naval vision is to develop an environment in which every individual (officer, enlisted and civilian) is trained and motivated to personally manage risk in everything they do on and off duty, both in peacetime and during conflict, thus enabling successful completion of all operations or activities with the minimum amount of risk. 
The most common idea of what ORM revolves around is a simple five-step process that is most frequently used in planning. These five steps are:
  • Identify hazards
  • Assess the hazards
  • Make risk decisions
  • Implement controls
  • Supervise and watch for change
Another level of ORM is Time Critical Risk Management which involves a quick, committed-to-memory process and a set of skills that allow our people to manage risk when in the execution of a plan or event. The standard for the Navy is being developed, however it might be thought of in simple terms such as:
  • What can go wrong or is changing
  • How can I keep it from affecting the mission without hurting me
  • Act to correct the situation
  • Telling the right people if you are unable to take the right action
If you were retired from the Marine Corps and now the CxO of a Global 500 company, do you think that ORM would be a forgotten system?  Would you neglect to focus on this, if you were running FedEx?  Fred Smith is not a former pilot, but was vital as a "Forward Air Controller":

Frederick Wallace "Fred" Smith (born August 11, 1944), is the founder, chairman, president, and CEO of FedEx, originally known as Federal Express, the first overnight express delivery company in the world, and the largest in the world. The company is headquartered in Memphis, Tennessee. 
Smith was commissioned in the U.S. Marine Corps, serving for three years (from 1966 to 1969) as a platoon leader and a forward air controller (FAC), flying in the back seat of the OV-10
As a Marine, Smith had the opportunity to observe the military's logistics system first hand. He served two tours of duty in Vietnam, flying with pilots on over 200 combat missions. He was honorably discharged in 1969 with the rank of Captain, having received the Silver Star, the Bronze Star, and two Purple Hearts. While in the military, Smith carefully observed the procurement and delivery procedures, fine-tuning his dream for an overnight delivery service.[5] 
A primary function of a Forward Air Controller is ensuring the safety of friendly troops. Enemy targets in the Front line ("Forward Edge of the Battle Area" in US terminology) are often close to friendly forces and therefore friendly forces are at risk of friendly fire through proximity during air attack. The danger is twofold: the bombing pilot cannot identify the target clearly, and is not aware of the locations of friendly forces.
Fred Smith not only implemented the mindset of a "Forward Air Controller" running FedEx, he also has been able to build a culture focused on Operational Risk Management (ORM).
FedEx Corporation will produce superior financial returns for its shareowners by providing high value-added logistics, transportation and related business services through focused operating companies. Customer requirements will be met in the highest quality manner appropriate to each market segment served. FedEx will strive to develop mutually rewarding relationships with its employees, partners and suppliers. Safety will be the first consideration in all operations. Corporate activities will be conducted to the highest ethical and professional standards.
Now back to Veterans Day, November 11.  Are you starting to make the connection between the 1%, becoming a global CxO and the reason why ORM has such tremendous applications inside the global enterprise?

The opportunity now is for us to unleash our emerging and proactive "Vetrepreneurs," to take their years of knowledge and understanding of ORM and now apply it within the ranks of their new companies or new positions, just as Fred Smith has done at FedEx.  These veterans have the practical knowledge, skills and valuable use cases on how Operational Risk Management contributes to the overall mission.

If you are a 1% entrepreneur (Vetrepreneur) and have Co-founder or CxO as your title, then your proactive nature should allow you the opportunity to apply ORM within your organization.  Here are three places you can begin your program focus:
Inside: Develop a culture of trust that begins by teaching employees how to find the truth. A culture that promotes and teaches people how to apply the rules to the business that you are operating in. A culture where no one can hide and where understanding our own vulnerabilities makes the overall organization more resilient each day.
Outside: Architect the enterprise from the ground up to make more informed "Trust Decisions." The architecture must first assemble and organize the rule-base and contextual framework associated with the environment that you will be operating in, both physically and virtually. The interdependencies of the automated machines developed to operate the enterprise shall exist in a transparent and highly governed "system-of-systems".
In-The-Middle:  Create new learning scenarios on a consistent but random basis.  Test the enterprise Inside and Outside with these exercise scenarios.  Determine how the humans and/or machines behave.  Establish what is normal and create your baseline. Continue to test and to measure the gaps of performance and make changes to improve the quality, accuracy or resiliency of the entire enterprise architecture.
On this Veterans Day 2014, scan the horizon for the organizations that stand out and are remarkable. With the 1% at the helm, in the cockpit or now the HQ Board Room, Operational Risk Management (ORM) is leading the enterprise to victory!

02 November 2014

NewCo: Operational Risk Accelerators...

Operational Risk Management (ORM) is an essential component of any serious business. These are the internal risks you take when you add people, processes and systems together and then operate in a specific industry or geography. Innovation within the ranks of a new breed of business accelerator has the opportunity to include "Operational Risk Strategy Execution" as a vital mechanism for the growth of the newborn company.

Do you know about a start-up company that is building a product or solution to address one of these Operational Risk categories?  The following lists the official Basel II defined seven event types with some examples for each category:
  1. Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  2. External Fraud - theft of information, hacking damage, third-party theft and forgery
  3. Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  4. Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  5. Damage to Physical Assets - natural disasters, terrorism, vandalism
  6. Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
  7. Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
The start-up phenomenon has taken many metro areas around the United States by surprise.  The typical centers of innovation in Seattle, San Francisco, Los Angeles, Austin, Boston and Washington, DC are now being joined by newcomers such as Cincinnati:
The entrepreneurial world is not an easy one to take on, but for those brave enough to do so, Cintrifuse is here to help. Located in the heart of downtown Cincinnati, Ohio, Cintrifuse acts as a connecter and supporter to create a global destination for entrepreneurial success. 
Cintrifuse connects the region’s high-potential, venture-backable startups to advice, talent, funding, and customers. With over 30 ecosystem partners, 30+ participating local corporations, 75+ mentors and advisors, Cintrifuse leverages the power of its network to serve over 100 startup members and improve their chances of success. 
To amplify the efforts and extend the reach of the entrepreneurial community, Cintrifuse operates a $56MM Fund of Funds, which invests in early-stage venture capital funds both regionally and nationally. The Fund of Funds provides an avenue for corporations and venture capitalists alike to gain further insights into and engagement with the Cincinnati startup community. 
Cintrifuse’s efforts are made possible through support from some of Cincinnati’s most prominent companies
To connect more than 100 startups with venture capital firms, corporations and service providers, Cintrifuse uses a proven membership model. Entrepreneurs gain access to like-minded, driven and engaged individuals, venture capitalists, business leaders and services providers are introduced to startups on the rise.  Grow your business with Cintrifuse by signing up for membership today.
As the focus on innovation continues and NewCos are being formed across the country, these new entrepreneurs need a foundation in truly understanding "Operational Risk Management". Why?

If these new entrepreneurs are better able to understand the core reasons why a business must operate within a universe of Operational Risks, then their innovation may adapt.  The ideas they have for better managing cyber security, detecting the insider threat or automating the continuity of operations planning may change.

Building a new company with an innovative new product also means understanding the problem sets that a much larger enterprise is encountering on a daily basis. Innovators today sometimes lose sight of the operational risks that can be addressed by their products, as they are installed and implemented into the larger enterprise. The value proposition that addresses the decrease in loss events will soon get the attention of senior management.

What can a business accelerator like "Cintrifuse" do to make sure that the 100+ new start-ups better understand Operational Risk Management?  Perhaps even more importantly, how can their hot new NewCo product fit into the ORM matrix for addressing Enterprise Risk at a Fortune 500 company?

To answer this, just look more deeply at the 75+ mentors and advisors that Cintrifuse has at their disposal.  Has Cintrifuse developed a diagnostic tool to better understand the subject matter expertise of each of those mentors?
  • First, create an inventory of the skill sets and knowledge of these mentors and develop a database for the start-up entrepreneurs, so that they can query who is the best mentor for a specific subject or business problem they are encountering.
  • Second, the mentors themselves would need an orientation on how to assist the start-ups in seeing the nexus with operational risk in their own business model.
  • Third, the mentors would demonstrate how the innovations that the enterprise requires have a nexus with the start-ups' products being developed for the mass market.
Remember, ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.
When you scan the companies being accepted and graduated from all of the incubators and accelerators across the globe, many will have a product solution that impacts some facet of Operational Risk Management.  The mission now is to make sure that those new entrepreneurs discover how their inventions and patents may address real-world scenarios.  Just look at the current cohort companies at the MACH37 Accelerator in Herndon, Va as one example:

iAspire
Eric Whittleton, Cofounder and CEO
Arash Nejadian, Cofounder and CTO 

iAspire is currently addressing the significant pent up demand for fully implemented email encryption in large enterprises by enabling end-to-end encryption that also addresses the need for real-time and in-volume secure email access for forensics, e-Discovery and compliance requirements. Aspire develops standards-based digital key management products that serve as material enablers of the “Trusted Web”. Future products will include additional store and forward applications such as a cloud-based Secure Drop-box as well as mobility solutions.

Virgil Security
Michael W. Wellman, Cofounder and CEO
Dmitry Dain, Cofounder and CTO 

Virgil Security provides easy-to-deploy and easy-to-use cryptographic software and services for use by developers and end-users. Virgil Security’s encryption libraries and services, along with an accompanying public key management infrastructure, ease the pain of developing, deploying, and using strong cryptography. Virgil Security enables a new generation of enhanced privacy and security for applications, cloud services, and the Internet of Things.

FireDrillMe
Marcus Carey, Founder

FireDrillMe provides a SaaS platform that orchestrates cybersecurity “fire drills” on production networks by imitating attackers. FireDrillMe helps organizations train personnel, evaluate products, and refine procedures for incident response.

Syncurity Networks 
JP Bourget, Cofounder and CEO
Ray Davidson PhD, CoFounder
Mike Volo, CoFounder 

Syncurity Networks develops software for Information Security Process Management and Automation focused on Incident Response (IR) incorporating standard IR processes, automated artifact collection, and standardized report generation. Syncurity helps mid-size businesses respond to incidents faster, document lessons learned, and collect metrics for continuous improvement.

SecureDB
Karthik Bhat, Founder and CEO

SecureDB is an encrypted cloud database for storing sensitive customer information such as authentication credentials, PII, PHI and credit card numbers. SecureDB’s cloud based encrypted database and associated APIs will allow enterprises to secure their customer data by providing strong cryptographic protection against unauthorized access.

BiJoTi
Josh Marpet, Cofounder and CEO
Billy Boatright, Cofounder and CMO
Tim Krabec, Cofounder and CTO
Ben Huey, Cofounder and CRO

Compliance requirements are coming downhill to smaller companies, and the bad guys are going after data within companies of all sizes. BiJoTi's turnkey appliance packages the advanced compliance and security benefits that large enterprises enjoy from a dedicated security organization, but at a price that works for small and mid-market businesses.

Cyph
Ryan Lester, Cofounder and CEO
Josh Boehm, Cofounder and COO 

Cyph is a secure messaging app for Facebook users who aren't security experts, but demand a simple way to chat privately with their friends.

As Operational Risk Management is incorporated into the core capabilities of each new entrepreneur's business plan, it will benefit their own launch and better serve their intended customers.