Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations who truly understand the root cause of risk in their enterprise. The business assurance they seek and the Operational Risk Management (ORM) outcomes they receive, are in direct proportion to the "Risk Culture Maturity" within the company.  This risk culture maturity, is at the root cause of why certain kinds of risks exist and what ability the organization has to accept, mitigate or transfer that risk.

A risk culture begins and ends with a human ability to communicate effectively with other humans. The human behaviors associated with communicating risk has all to do with the ability of one person to know the truth and to effectively tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that and doing it with out fear.

"What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision, that you will alienate them. The fear that by uncovering a fellow workers risky behaviors to the rest of the team, that you will jeopardize the overall mission."

The ability or lack of ability by a human to communicate risk factors to each other with the truth and without the fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has all to do with communicating the truth in an effective way.

The risk culture problem, is one that continues to rear its ugly head time and time again and exemplifies itself in the published press, or the digital eDiscovery process of modern day litigation. Look back on most any loss event like this and you will see that it could have been addressed or contained, if only humans would have communicated effectively about risk(s) to them personally or to the unit. Whether it be a family, a branch office, partner or entire agency of government.

Companies need to put in place oversight of strategic partners, vendors and service providers to ensure that those support organizations are meeting their own risk standards. A company should share its risk management guiding principles with third-party suppliers or partners to influence their decision-making process. Risks and controls should be a consideration when choosing new partners, and they should be re-evaluated on a regular basis to help avoid the potential of vicarious liability by the poor decisions of an alliance partner.

The organizations that survive and are able to out perform their competition are those that understand this reality. Leadership who magnifies the requirement for people to strip away the fear of judgement, retribution, or long term bias and to communicate the reality of what they truly sense as humans will be superior. The risk culture that is understood, truly, and simultaneously monitors peoples ability to learn from their mistakes will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of their organizational culture. The fundamental risk to any organization, is that leadership does not recognize this and pays little or no attention to maturity of their culture to deal with risk and human factors ecosystem. This begins with the person across the table, by your side in bed or next to you in control of a vehicle, on land in the air or in the ocean.

It doesn't matter who the leader is. The Founder, CEO or Chief Risk Officer. The Branch Manager, Area Supervisor or Vice-President. The Element Leader, Master Chief or C.O.. Mother or Father. Managing the culture of communicating the truth, reality and without judgement begins the process of a risk management entity that will not only survive; it will outperform the perceived opposition.

Enlightened individuals who are multi-dimensional and are comprised of a brain trust of diverse people who have different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and highly detailed mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution.

The root cause of Business Assurance and Resilience is the Risk Culture.

Adverse Consequences: Enabling Digital Trust of Global Enterprises...

In the World Economic Forum 2016 - Global Risks Report, there are several insights and alarms that Operational Risk Management (ORM) professionals and the Board of Directors are quickly analyzing.  This years Davos, Switzerland Annual Meeting and report has the underlying theme of the "Fourth Industrial Revolution".

Our first insight, is the rise in "Cyber Dependency" that is called out in the "Risk-Trends" Interconnections Map.  It is tied directly to the following technological "Global Risks" ranked by highest impact:

1. Cyberattacks
2. Critical Information Infrastructure Breakdown
3. Adverse Consequences of Technological Advances
4. Data Fraud or Theft

#1 makes sense in the Upper Right Quadrant of High Impact and High Likelihood.  The alarms however are going off, with #2 and #3 for several reasons.  First, they are in the Upper Left Quadrant of "High Impact" and "Low Likelihood".  Why does this create concern?

The Upper Left Quadrant has risks that some of the most experienced OPS Risk professionals will pay attention to the most.  This is the place that organizations usually ignore with people and resources and where enterprises are caught off guard or blindsided by asymmetric threats.  These are the risks that no one has really exercised for and is not actively developing proactive hypotheses, to address in a real-time crisis.

There are two other risks shared in this same Upper Left Quadrant in 2016:

• Weapons of Mass Destruction
• Spread of Infectious Diseases

These are risks that nation states spend hundreds of millions of dollars each year collecting intelligence on and devoting substantial resources to try and keep the likelihood of these occurring, as low as humanly possible.  The impact on humanity is far to great not to devote attention to these, yet the private sector is rarely involved.

Now, let's consider the other two in the same quadrant, slightly less in impact and just a little higher in likelihood.  What does each really mean as a global risk?

"Critical Information Infrastructure Breakdown": "Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption.

"Adverse Consequences of Technological Advances":   Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage. 

• A global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.
• A global trend is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.

Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience. Particular attention is needed in two areas that are so far under-protected: mobile internet and machine-to-machine connections. It is vital to integrate physical and cyber management, strengthen resilience leadership and organizational and business processes, and leverage supporting technologies. (Page 23 of WEF_GRR16)

The combination of the two aforementioned technological global risks, are almost invisible to the major stakeholders of our vital organizations and governments.  This is because the focus on "Cyberattacks" and "Data Fraud or Theft" has dominated the news cycles.  It makes sense.  However, we must consider this:

As is often the case, however, public-private partnership can be held back by lack of trust and misaligned incentives. Businesses may fear exposing their data and practices to competitors or to law enforcement agencies. And the private sector’s primary interest in rapid recovery and continuity of business operations may not align with the public sector’s primary interest in apprehending and prosecuting perpetrators. In addition, governments need to balance their investments in cyber offensive weapons and efforts to enhance capabilities for cybersecurity and defence. (Page 83 of WEF GRR16)

 Cyber Dependency.  A long-term pattern that is currently taking place that could contribute to amplifying global risks and/or altering the relationship between them.  The underlying root cause of the disruption and the perceived risks are focused on the integrity of "Digital Trust"and the continuity of "Trust Decisions":

• Machine-to-Machine
• Person-to-Person
• Business-to-Business
• Government-to-Government
• Country-to-Country

Business Executives and Leaders of Nation States, have one thing in common.  Their employees and their citizens are evermore connected by mobile digital devices.  Their economic engines of banking, finance and trading are dependent upon the confidentiality, integrity and assurance of data.  The abilities and the opportunities by the mass of humanity to continuously leverage their personal digital devices, is simultaneously a global risk.  So what?

You see, the 2016 Global Risks Report is flawed.  It relies on an outdated and soon to be irrelevant set of four Quadrants.  The axis of Impact and Likelihood, are no longer capable of addressing risk management and the human perceptions of both.  On the planet Earth, in the Internet ecosystem of 500 Billion computing machines, lies the answer to our future quest:

Enabling Digital Trust of Global Enterprises...

Duty of Care: Board of Directors OPS Risk...

The Board Rooms across America are in full tilt mode working hard on risk oversight. The Chairman of the Board (COB), is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

The risk that the Chairman of Board has lost their ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors begin to quickly evolve that puts the entire organization into a vulnerable state.

Once the Independent Directors see and hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The jeopardy of the organization is at stake and each day or week that goes by without action to change leadership, will increase the long term risk to the brand, confidence in the entire leadership and finally the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may exist by the Chairman's role.

The Board of Directors are charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then the faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story that brought down the leaders with the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:

Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrong doing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.

One of the major trends going on these days is to keep the Chairman separate from the CEO or President of the organization. The benefits are great especially if you have a CEO who will allow their ego to accept the other person as an ally and not competition:

In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other then the CEO.

This strategy in overall Board Governance is a sound one. As a result of the "The Duty of Care" by the Board of Directors, at some stage it may require that the Chairman recommend to the Board that a CEO resign or be fired from running the day to day operations of the organization.

The Board of Directors and their behavior within the Board Room and in the functions outside in public are at stake. The governance of the Board of Directors begins with the Chairman but ends with each individual on the Board itself. If the Independent Board Director remains silent on any legal duty of the Board, they are putting all in jeopardy of a failure of the Duty of Care:

In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).

It is the Chairman of Board who has the responsibility to keep the Independent Directors informed and aware of any persons behavior or actions that could put the entire board at risk. And even more importantly, it is the duty of each Independent Director to insure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and their fellow Board Directors.

Privacy Engineering: Mobile Standards for Digital Trust...

The landscape for software engineering standards within corporate organizations, is now on the radar of Operational Risk Management (ORM) experts.  What are the privacy and security related engineering design standards, that are being utilized at JP Morgan Chase, Citibank or Paypal for mobile App development?

Effective and standardized "Privacy Engineering" of mobile applications at organizations in Critical Infrastructure sectors such as Finance and Banking is just one example.  It is soon to be a greater focus of the Federal Trade Commission (FTC) and other U.S. regulators.  Why?

"Trust Decisions" are being made by consumers each day, as millions of of mobile banking customers download an application to their Android or iOS smart phones.  The consumer then has immediate exposure to the quality of the software engineering, by the UX/design and developer of the software App.  The standards being utilized by each organization for designing and engineering those Apps with privacy and security, may vary by who developed the application and for what particular operating system.

So what?  U.S. financial institutions software engineering departments and other highly regulated industries will be a continued and concentrated focus by the Federal Trade Commission (FTC).  Standards for privacy software engineering and disclosure of the rules will become even more of a critical factor.  Why?

As a result, to act within the time constraints of deadlines, the presence of fiercer competition, and the looming threat of higher lost-opportunity costs, you have no choice—you must presume the trustworthiness of the information you acquire to make decisions. Deciding now requires you to acquire the information you need from the most accessible source, with zero time to ask the important questions: “Where did this information come from? Who put this report together? Has the data been confirmed to be accurate? Who actually authored the analysis? Does this bank statement reflect all of our deposits?”

Answering these types of questions is inherent to how we make good decisions. You seek information that serves as fuel for your decision. You work hard to validate that the information can be trusted. You calculate toward your decision, constantly evaluating whether the information holds up its reliability. But in today’s 24/7/365, wired decision-making landscape, there is no time to ask those questions. Those controlling the information you need understand that pressure and require you to presume their digital information is trustworthy and reliable for making your decisions. Thus, to gain control of digital information is to succeed in imposing an enormous handicap—removing your ability to challenge its trustworthiness by asking the right questions.  Source:  Achieving Digital Trust by Jeffrey Ritter.

Is it possible to redesign mobile banking Apps, so that all Android or iOS software engineers must adhere to privacy and security engineering standards of practice?  The human-based "Trust Decisions" about whether to trust an application with personal identifiable information (PII) is currently buried in legal disclosures.  The privacy disclosures are written by lawyers, all different and in most cases never read, by the consumer prior to downloading the App.  Opt-in or Opt-out?

The future of mobile App Privacy and Security Trust engineering for consumers will be in the hands of government regulators soon and in concert with other laws associated with information security, such as the GLBA Safeguards Rule.  "Cyber Trust" indicators or other vital warning systems may be in the works.  Buyer Beware is the theme.

For years consumers have been looking at FDA Nutrition Labels and other Federal oriented tools, to provide more visible and rapidly effective disclosure.  Since the human being is making "Trust Decisions" on whether to download a software application to their computing device, they also may desire a method to quickly ascertain if the App is "Trustworthy."

Can they trust the application according to their particular appetite for risk?  What information will be shared with 3rd parties?  How will your information be used and collected while you are using or not using the application?  Here is one example of how a future warning "Privacy Label" may look before a consumer is permitted to download an application to their computing device.

What does the consumer experience today?  As one example, currently when you visit the App Store on an iOS mobile device such as the iPad, and then search for "Chase", the top choice is an App named Chase Mobile.  When you click on the "Get" button, it changes to "Install".  When you click on "Install" it prompts you to Sign In to iTunes Store.  Once you sign-in, the Chase Mobile App downloads to your device, the button then changes to "Open."

When you open the Chase Mobile App, it opens the first screen to "Log On".  There is a small "Privacy" button in the top left corner of the screen, however there is not an easy to understand Privacy Label that is visible before you actually "Log On" to Chase.  In the case of selecting the Privacy button in the upper left corner, it then reveals dozens of pages of legal documents explaining online privacy policy and U.S. consumer privacy notices.  There is however one easier to view grid, under the privacy notice that is helpful in understanding whether Chase shares personal information and whether as a consumer, you can limit this sharing.

The Critical Infrastructure sectors of the U.S. economy, that has a daily interface with consumers through mobile software Apps are now on notice.  Chief Legal Counsels, Chief Information Officers, Chief Privacy Officers and Software Engineering personnel, must address the reality of human behavior and how "Trust Decisions" impact legal risk and the ultimate perception of the corporate brand.

2016: A New Era of Operational Risk...

As we launch into 2016, Operational Risk Management (ORM) professionals are ready for another challenging year.  The current state of global events that includes uncertain political or economic behavior by nation states and the continuous barrage of certainty with "Internet Asymmetric Warfare," is the new normal.

Reflecting back on 2015, here are the top 5 blog posts by number of page views:

Insider Threat: Trusted Systems of the Future...

Trust Decisions: Beyond RSA and Our Digital Future...

Data Rupture: The Risk of Over-Classification...

Trust Decisions: The Extinction of Risk Management...

InTP: Quality of Design in a New Age of Terror...

There is now anticipation that the world economies are going to continue a meager growth rate, as we enter our 8th year since "The Big Short" in 2008:

When the crash of the U. S. stock market became public knowledge in the fall of 2008, it was already old news. The real crash, the silent crash, had taken place over the previous year, in bizarre feeder markets where the sun doesn’t shine, and the SEC doesn’t dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower- and middle-class Americans who can’t pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren’t talking.

From the analysts desktops at "Liberty Crossing" to the Cyber Security Operations Centers (SOC) of dozens of Global 500 private sectors companies, one thing remains certain.  The adversaries are too nimble, unpredictable and ever more so capable of operating on the front lines for months and years in plain sight or even for weeks and months totally undetected.

However, relying on certainty alone and not being simultaneously adaptive or innovative in an accelerating pace of business or Decision Advantage, can get your Board of Directors in real trouble.

In 2016, the dawn of a new Operational Risk Management era shall begin.  In a future state, where people and machines will operate making "Trust Decisions" with greater ease and increasing velocity.  Stay tuned...