31 March 2019

Operational Risk Management: Discipline and Professional Development...

You know that the discipline of Operational Risk Management has finally reached the minds of global executives and Board of Directors, when you see growth in the organizations that have established a Board-level Executive in charge of Operational Risk Management (ORM).

The ORM discipline has now spanned several primary critical infrastructure sectors of the global economy for over a decade, including Energy, Financial Services, Information Technology, Defense Industrial Base and others who are highly regulated by government.

Global organizations such as BP, as one example, have found new Operational Risk capabilities to be a necessity. The aim is a prudent and consistent strategy, after the Gulf of Mexico Macondo blowout, for the other parts of the planet where deep-water drilling is still a vital solution.

Goldman Sachs and the other band of brothers from the global financial crisis of the decade past have reinvested in more prudent Operational Risk Management strategies. The books written to outline the risks of people taking on derivatives of one type or another to hedge the marketplace have been prolific.

IBM, Google, Apple, AWS and Cisco have capitalized on "Operational Risk Management" and its focus on business continuity planning (BCP), continuity of operations planning (COOP) and the use of cloud computing to enhance the resilience of critical systems.

The pervasive growth of people utilizing social networking in the workplace, however, has created its own set of OPS Risk challenges.

Spear phishing, targeted fraud schemes such as Business E-mail Compromise (BEC), and sophisticated software exploits can in many cases be attributed to the plethora of personal information that criminals and intelligence activities have to work with.

Social engineering, economic espionage and other transnational criminal activities are continually perpetuated by the security and privacy failures of the critical infrastructure industries.

The Defense Industrial Base, including the US Navy, US Marines, US Army, US Air Force and our Coast Guard, knows the value of effective Operational Risk Management. The discipline is a core aspect of their cultures and is continuously tested and measured on a daily basis.

On the flight line or on the base, these branches of the military use ORM to save lives and protect valuable assets worth millions of dollars every day.

As Boards of Directors across the globe focus on ORM, one can only wait and see how it will impact the discipline of the individuals themselves.

We trust that our practitioners will continue their own quest to expand the portfolio of thinking, and to see that the right people are at the table to assist in ORM direction and continued global success.

24 March 2019

Operational Threat Matrix: The Mission Ready Many...

"Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better management of cybersecurity-related risks. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued what is now widely known simply as the “NIST Cybersecurity Framework” on February 12, 2014."

Measuring an incident first requires defining a taxonomy of what an "incident" is and what an "incident" is not. In other words, how can you measure something that has not been sufficiently defined in your organization? How do you know when an incident has occurred?

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits.

Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern-day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result, and they do this to obtain their objective.

The Mission

The organization shall develop, implement, maintain and continually improve a documented operational risk management system:
  • Identify a method of risk assessment that is suited to the organization's business assets to be protected, regulatory requirements and corporate governance guidelines.
  • Identify the assets and the owners of these assets. Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
  • Assess the risks.
  • Identify and evaluate options for the treatment of risks.
  • Select control objectives and controls for the treatment of risks.
  • Implement and operate the system.
  • Monitor and review the system.
  • Maintain and improve the system.

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization.

Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization were able to understand and perform the mission flawlessly, then the business could stay in constant control of how much incidents are costing the enterprise.

Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly.

If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.

16 March 2019

Private Sector Mentoring: Operational Risk Specialists to the Rescue...

The international spectrum of Operational Risk Management (ORM) is playing out before us on a global stage. Nation states and the airline industry are in full crisis management collaboration.

And while all of this is distracting our attention, the operational risks associated with volatility on the financial world stage continue to unfold.

What will the future hold for global business commerce and the military personnel transitioning from regions of conflict? Syria. Yemen. Iraq. Afghanistan.

This is where our next generation of "Operational Risk Specialists" will come from, to assist us in our most challenging future of global incidents, crisis and humanitarian requirements.

Yet these men and women will be competing in an economy that is ultra-competitive. There are, however, innovative ways for us to hedge the risks for future U.S. veterans as they look for their next mission in the private sector. The first step is an old and very effective method called mentoring:

noun

1. a wise and trusted counselor or teacher.

2. an influential senior sponsor or supporter.

verb (used without object)

3. to act as a mentor: She spent years mentoring to junior employees.

verb (used with object)

4. to act as a mentor to

Origin: 1740–50; after Mentor (Greek Méntōr)

Related forms

men·tor·ship, noun

Synonyms: 1. adviser, master, guide, preceptor.

It would be in the best interest of the private sector, in a world that is challenged by so much change, volatility and uncertainty, to have a cadre of "Operational Risk Specialists" who are there at a moment's notice.

They would work 24 x 7 in concert with all critical business functions to enhance the resilience of the enterprise. Yet it will take thousands of mentors to assist these veterans as they transition to this important role and mission.

Are you a CxO who relies now on a small team of risk-minded people, tasked with your supply chain, personnel security, information security, facilities or even insider incidents? You are the perfect catalyst to get a new program going at your organization.

Begin the process of identifying and tasking the right people in your organization to be mentors for the new "Operational Risk Specialists" that you should hire over the next few years.

What would happen if you created a whole new way for you to mentor, hire, mentor, train, mentor and grow a new generation of risk management professionals for your organization?

How might the performance and the resiliency of your enterprise improve with the ongoing mentoring of veterans as they begin to understand the business of the private sector: a different, and yet similar, environment for the management of operational risks?

Your vision should be to create a "VetAccelerator" for each of your organizational business units, to engage mentors with new veterans returning and transitioning from almost 2 decades of war.

We have done this before in our U.S. history, and this will not be the last time. Let all of us embrace the opportunity to strengthen our business engine and to improve our resilience in the new world order.

Finally, never forget how this latest chapter started, and how it still continues to play out on a daily basis. Our vigilance is an imperative, and veterans will be our go-to "Operational Risk Specialists" for years to come.

09 March 2019

Trust: In Pursuit of Implicity...

RSA 2019 was another event for the vast spectrum of security and privacy professionals to reflect on, regardless of the color of hat you wear. One word seemed to be prevalent in this year's atmosphere:

trust (trŭst) n.

1. Firm reliance on the integrity, ability, or character of a person or thing.
—Related forms
trust·a·ble, adjective
trust·a·bil·i·ty, noun
truster, noun

—Synonyms 1. certainty, belief, faith. Trust, assurance, confidence imply a feeling of security. Trust implies instinctive unquestioning belief in and reliance upon something: to have trust in one's parents.

To have real trust in something or someone, you don't even think about it. It's implicit.

If you start to think about it, then it is not really trust in its purest form. In Operational Risk Management (ORM), we are always in pursuit of trust. We want to trust our sensors, monitors and fail-safe processes.

Yet we know that this is why we train for contingencies. Because failure is always a possibility, even if it has a .00000000000099 probability.

As a true Operational Risk professional, you train for the remote possibility of failure and create alternative scenarios to test your contingencies. And when you find what works through exercises and experimentation, you put that in your memory bank or cache of alternatives, never knowing when you will have to use it again.

And when it comes to trust and human beings, there is only one way we know you can get to implicity. It is through testing, training and observable behaviors.

And when this person or software algorithm has demonstrated that they are able to repeat the tasks, actions and behaviors with a .00000000000099 probability of failure, that is when trust begins to become inherent.

"Trust will not be accomplished 100% through AI / ML technologies when humans are still creating and writing the code. Nor the convergence of information in a database. It can only be forged through actions and observable behaviors."

Outcomes based upon sound planning, training, testing and continuous contingency operations: only then will we reach the level of implicity we seek.