26 July 2025

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, third-party suppliers and other contractors for at least the near term.


In any case where the defense legal eagles and the "Usual Suspects" argue against corporate liability, is the intent getting cloudy, or is it crystal clear?


Even if your Corporate Compliance Programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. 


More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security and soundness, and to reduce the opportunity for malfeasance in the workplace, may not be working effectively.


And still the liabilities remain, as plaintiffs and government adversaries seek compensation. So what is the answer?


The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex.


One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.


Many liability issues begin with the employee(s) who made a bad decision.


QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process.


As an example, let's take the Request for Proposal (RFP).


Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the RFP's importance determines the effort put into the response.


Many times, this is influenced by an incentive plan. The human behavior behind accepting or declining the effort on an RFP, as well as what it takes to push it through the organization for executive sign-offs, is not always compatible with the strategic and quality measures of the enterprise.


Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded them for far too long. So who is to blame here? The employee, or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something?


Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions.


More importantly, QFD programs such as this, which directly reduce the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

05 July 2025

InTP: “Insider Threat Program”...

Does your company have a culture of "Organizational Integrity?"

Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise.

One key item may have revealed itself in your experience so far. How would you improve your organization when it comes to "Incident Response"?

One truth is that our individuals who have a "C" in their title acronym (CEO, CSO, CIO, CTO, CISO, CMO, CRO) have been challenged in new ways. These same leaders have not trained enough, or long enough, in this past decade. Complacency is now becoming apparent again.

Our leadership skills have all been exposed to the vulnerabilities of people, processes, systems and external events. We have been caught off guard on a spectrum of challenging global incidents just these past 24 months: a crisis spectrum that spans our physical world and also our invisible, virtual digital world.

Our growing "Incident Response Spectrum" is wide and vast. It still requires specialized skills and knowledge to address the kind of change that will now increasingly be required in Fortune 500 Global Companies, Mid-Market INC 500 emerging businesses and especially our Small-Medium Businesses (SMB).

How will we continuously Understand, Decide and Act from this point forward?

"The private sector organizations of the United States are vital to the protection and security of the Homeland.  The private sector owns a majority of our assets and Critical Infrastructure Protection (CIP) remains a priority as a result of the latest asymmetric threats."

The U.S. National Strategy to Secure Cyberspace emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security.

Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry.

The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held.  Further, the networks of our global super-infrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others.

Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than most human managers can respond.

Many companies have already started the establishment of an “Insider Threat Program” (InTP)…have you?