28 April 2019

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to their people, processes, systems and structures.  The Board of Directors stands to be better equipped for sustained continuity.

Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative with Operational Risk Management (ORM) that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial.

What is less easy to analyze from a threat perspective is the constantly changing landscape and continuity posture of the many facets of the organization that have to do with people, processes and systems.

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:
  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud and Cyber-related incidents
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in the post-employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions, because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”.

A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, opens the door to a Board of Directors' worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated altogether.

Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates?

How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization, if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.

As new or terminated employees, suppliers and partners enter and leave the BCCM process, the threat profile is updated in real time. This takes operational management that much closer to C², or “Continuous Continuity”.

So what?

Boards of Directors have the responsibility to ensure the resilience of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.

It’s the shareholders' duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

Managing Risk: 100 Years and Beyond...

Senior executives continue to wonder why they are continually surprised by certain incidents or events that take place within their enterprise. Operational Risk exposure is hard to manage without a robust risk management system that is constantly monitoring the business environment you operate in and the people that work within that environment.

If you asked any CEO of a Fortune 500 company about their current financial condition or market position they would be able to answer with confidence and with valid facts and figures to support the statements.

Yet if you were to ask the same CEO about their current exposure to Operational Risks, you may get a "Deer in the Headlights" look, followed by less than confident facts about their proactive, preventive or defensive strategies to address:
  • Governance, Regulatory and Compliance (GRC)
  • Employee Ethics, Malfeasance, Fraud and Corruption
  • Continuity of Business Systems Operations
  • Supply Chain Cyber Resilience
  • Litigation and Class Action Suits
Yet Operational Risks erode corporate earnings and impact the reputation of the enterprise in the marketplace. The Board of Directors is charged with understanding Operational Risks and how these are being addressed in concert with the organization's strategies for growth or mergers and acquisitions.

They are continually asking for more effective risk management systems from the organization, and the CEO should be well versed in what, where, who and why they are addressing the threats, and the likelihood of these events taking place.

The point is, as the CEO you have no idea when the next significant business disruption that impacts the organization is going to take place. Therefore, the CEO and the enterprise must accept the fact that these Operational Risk events are going to occur, and when they do, the CEO must know what to do immediately and who will assist them with the incident before them.

So if this is the case, and you as a senior corporate leader agree that you can't ever know where or when the next threat is going to take place, then the question presents itself: what are you and the enterprise doing "Today" to mitigate the threat or prepare for the response?

You see, every day is a training day, and if the organization is not testing itself in some place or some way, the next incident that presents itself could be the final blow: the event that brings the entire enterprise to its knees, or the failure that changes the entire world's perception of who you are and what you represent.

With the stakes that high, wouldn't you want to know what people in the organization are doing each day to manage risks in their business unit, department and section? What are the contingency plans and when was the last time they were exercised? Is once a year enough, based upon the speed of change in your business environment? Maybe not.

Are you Indispensable? To your employees, your shareholders, your customers? The fact is that you and your organization are not as ready as you could be and you are not as indispensable as you want to be.

There are plenty of examples out there on the planet, however, that make sense to model, examine and learn from, based upon the way they behave in the marketplace and the value they bring from being so consistent, reputable and resilient to all that the risk environment can throw at them. They are not perfect, but maybe close:

Of the top 25 industrial corporations in the United States in 1900, only two remained on that list at the start of the 1960s. And of the top 25 companies on the Fortune 500 in 1961, only about six remain there today.

Some of the leaders of those companies that vanished were dealt a hand of bad luck. Others made poor choices. But the demise of most came about because they were unable simultaneously to manage their business of the day and to build their business of tomorrow.

Today we take a moment to step back and view the longer arc of history. We’d like to share some of what we have learned—sometimes in humbling ways—on our journey so far.

A century of corporate life has taught us this truth: "To make an enduring impact over the long term, you have to manage for the long term."

21 April 2019

Easter 2019: Another Day to Remember & to Be Proactive...

“Blessed be the God and Father of our Lord Jesus Christ, which according to his abundant mercy hath begotten us again unto a lively hope by the resurrection of Jesus Christ from the dead,”  1 Peter 1:3

COLOMBO (Reuters) - Over 200 people were killed and at least 450 injured in bomb blasts that ripped through churches and luxury hotels in Sri Lanka on Easter Sunday, the first major attack on the Indian Ocean island since the end of a civil war 10 years ago.

On this Easter Sunday 2019, the world mourns the news from Sri Lanka. Across the globe people are reminded that evil remains a constant in our society today and for the future. Our prayers today are evident in every language and every continent...

Looking around your religious venue today you may notice a heightened presence of security and law enforcement.  Our public safety and first responders are on high alert.

So what can you do as a public citizen to learn, prepare and perhaps spring into action if you are ever needed?  How can you train and learn what to do in the event of a mass casualty incident at your place of worship, place of education, place of business or place of recreation?

You can attend a training similar to this one, being offered in a community near you:

Preparation – Action – Recovery

Mass shootings seem to be more and more prevalent nowadays. As the world focuses all its attention on the “why”, we must focus our attention on how we can better prepare our critical infrastructure sectors and communities alike. Learn about the signs and pre-incident indicators (PIIs) of an active shooter before it’s too late. And learn life-saving techniques during and after an active shooting, such as how to use a tourniquet and other items in a “stop the bleed” kit.

PART 1 - PREPARATION: INTELLIGENCE SME - Pre-incident indicators / behavioral indicators of potential subjects prior to a terrorism or criminal related incident, and how to be situationally aware and prepare for such incidents.

PART 2 - ACTION: SWAT SME - To address run-hide-fight, appropriate response for when law enforcement arrives on scene and active shooter survival kit.

PART 3 – RECOVERY: TACTICAL MEDIC SME: Trauma and treatment post active shooting incident. Use of trauma kit, chest seals and current industry standards. Tourniquet drills will be a part of this training.

If you are a Father, Mother, Brother, Sister or just a good friend, you must continue to think about being proactive.  To be ready.  To be more aware.

Take a moment this Sunday in your prayers for Sri Lanka and soon plan to be more prepared...volunteer at your church, school or business to be a proactive advocate and responder for Preparation, Action and Recovery.
13 April 2019

Digital Trust: Transparency in a World of Cyber War...

"British police arrested Wikileaks founder Julian Assange on Thursday. He had been hiding in the Ecuadorian Embassy in London since 2012 and was arrested after the Ecuadorian government invited the Metropolitan Police Service into the embassy to remove him. Assange was initially arrested for jumping bail in 2012, but the Metropolitan Police Service subsequently announced that he had been "further arrested on behalf of the United States authorities."

After Assange's arrest, the US Justice Department unsealed its indictment against him. The indictment focuses on Assange's role in helping Chelsea Manning steal classified information from the US military."
  Ars Technica: "Julian Assange arrested, charged with conspiracy to hack US computers" (Assange had been holed up in the Ecuadorian Embassy in London since 2012), Timothy B. Lee, 4/11/2019, 7:05 AM

Someday in the future, there will be a documentary on the timeline and journey of Julian Assange, beyond what has already been produced about his life and his behavior.

It is going to be years before the U.K. legal system finishes the process, as it has demonstrated in the past with people and issues such as this one.

Yet transparency remains an important topic here.  Whether you are arguing for greater disclosure on what is going on inside government or within the R&D practices of a Global Fortune 1000 public company, transparent communications to the public and shareholders are vital.

The justice systems will finally have the opportunity to produce the information that will allow every world citizen to read about the true facts in the Assange case.

Meanwhile, the use of sophisticated exploit tools by nation states and rogue non-state actors continues to disrupt our international e-commerce.  Many variations of these tools are now in the wild as a result of the actions of Wikileaks and are being utilized in nefarious ways.  Here is just one example:

Canadian Police Raid ‘Orcus RAT’ Author
"Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan." Krebs on Security

This latest phase of legal justice is about a digital world that exists underground and unknown to the naive "John Q. Citizen" on the street.  Brian Krebs' own transition from journalism at the Washington Post to creating his own blog is only part of this transparency topic.  The Dark Web, and all that it comprises, is still growing exponentially.

Remember that only about 4-5% of the World Wide Web (WWW) is what you are seeing in the searchable "Google" Internet.  The other 95%, the Deep and Dark Web, is indeed another virtual world.

The international entrepreneur today who has that new great idea, product or service will be operating on the Internet and the World Wide Web.  It is no different from the years before the Internet, when you set up your office or business on Main Street, in the skyscraper or in the mall, yet now your reach is instantaneously global.  Your inventory display, banking, accounting, order entry, distribution and delivery are done with software and global communications networks.

Today, and since the dawn of the Internet, every new online entrepreneur has a digital spectrum of Operational Risks that must be addressed as part of their daily business.  Those digital trust factors have created new dimensions of risk and resilience strategies to counter the size and scope of the expanding cyber crime and terrorism enterprises.

So what?

There are several analogies that could be used here to illustrate the issues associated with selling cyber weapons online or the theft and distribution of those digital weapons in our modern society.  Yet the truth is, international commerce is here to stay and it will require new and more rapid action by business and governments.

Simultaneously, the future of our digital trust and the lack of manpower and enforcement resources is spelled out daily in the public press.  How many times have we heard that there is a shortage of Cyber Security and Risk professionals in the commercial and government workforce?  There is a reason for this.

Transparency of reporting is vital for the public, so they can make more informed decisions.

Balancing the nightly television news with politics, business earnings reports, weather events and the reality of our expanding "Cyber World War," will soon become the new normal...

07 April 2019

Preemption: An Operational Risk Perspective...

"The global regulation of cybersecurity is one of the most contentious topics on the international legal plane. States, the actors primarily responsible for arranging most other international regulatory regimes, have so far been incapable of reaching a consensus on how to govern international cyberspace. For example, in 2017, the United Nations Group of Governmental Experts, arguably the most promising effort to create international norms for cyberspace, collapsed. In this vacuum, private tech companies are seizing the opportunity to create norms and rules for cyber operations, essentially creating a privatized version of cybersecurity law."  Lawfare, Ido Kilovaty

Preemption - A Knife That Cuts Both Ways by Alan M. Dershowitz should be considered for the professional Operational Risk Manager's reference library:

Decisions to act preemptively generally require a complex and dynamic assessment of multiple factors. These factors include at least the following:
  1. The nature of the harm feared.
  2. The likelihood that the harm will occur in the absence of preemption.
  3. The source of the harm--deliberate conduct or natural occurrence?
  4. The possibility that the contemplated preemption will fail.
  5. The costs of a successful preemption.
  6. The cost of a failed preemption.
  7. The nature and quality of the information on which these decisions are based.
  8. The ratio of successful preemptions to unsuccessful ones.
  9. The legality, morality, and potential political consequences of the preemptive steps.
  10. The incentivizing of others to act preemptively.
  11. The revocability or irrevocability of the harms caused by the feared event.
  12. The revocability or irrevocability of the harms caused by contemplated preemption.
  13. Many other factors, including the inevitability of unanticipated outcomes (the law of unintended consequences).
Regardless of the agreement or bias of the reader, this book makes you think upside down and sideways about decisions you have made, and will make.

While Mr. Dershowitz takes time to make his own opinions known, his mastery of building the foundation for transformation is unequaled on such a topic: controlling dangerous and destructive human behavior, and how to confront terrorism, crime and warfare.

During the course of a single day in the life of the Operational Risk Manager there are dozens if not hundreds of preemptive or preventive decisions to be made.

Private Sector vs. Public Sector is not so much the issue here. Whether you are the Chief Operational Risk Officer at a major banking institution or the Commander in the local Emergency Operations Center, you both have the same dilemma.

A decision must be made quickly and you must be able to live with the implications of either decision.