28 March 2026

CRMS: Mechanisms for Continuous Risk Monitoring...

Stryker, Lloyds Bank, the European Commission, Fortinet and others have yet to announce settlements of the recent hacking and/or data-breach lawsuits filed against them.


One of the systemic resilience problems at large and global organizations like Stryker is keeping your finger on the pulse of "Risk Indicators".


Unfortunately for SVPs and the other CxO executives in the corporate hierarchy, your middle managers form the layer that impedes the best Early Warning System you have at your disposal.


When problems surface on the front line or in the "Cube City" down in Information Systems, the normal path is for the employee to go to their direct supervisor to raise the "Red Flag" or disclose the incident.


And the first behavioral response by the Middle Manager is to keep it quiet. Fix it before anyone else finds out. Keep it under wraps until damage control can be implemented.


When you are the head of Enterprise Risk Management, you need mechanisms to bypass and eradicate the barrier holding your intelligence, incidents and overall hunches for ransom.


There is no magic system or process that will solve it all. The only way to break through this layer of social and organizational dysfunction is to route around it.


A continuous risk monitoring system has to be implemented and operating anonymously 24/7 if the upper echelons of executive management are ever going to "Feel the Pulse" of true risk hotspots in the company.


These hotspots translate into human "Risk Indicators" from the sources themselves, people who know what's going wrong and know the truth.


A Continuous Risk Monitoring System (CRMS) is an automated human feedback and problem identification mechanism for detecting risks. It allows leaders of large organizations to quickly identify problems and incidents of all kinds in their company.


Call it a sophisticated whistle-blower system or suggestion box, because that is exactly what it is, on steroids.


The ideal system would emulate the communication patterns of small groups, which are often a major ingredient in successful teams. It would also run on the organization's existing computers and networks, and be reachable from home by logging in through a trusted VPN.


The soldiers on the front line know what is going on far sooner than the commanders in the "Joint Operations Center". The same is true of the employee or the 3rd-party supplier, and they need a way to communicate the issue, concern or threat rapidly and efficiently.


The system provides executives with instant or trend-based intelligence that is actionable. It provides the "Insight" as well as the pertinent facts you need to make quick, effective decisions.


Think about how long it takes for data and relevant information to percolate and bubble up from the places in your organization that are considered "Current Risk Hot Spots".


The point is that for far too long we have been playing the old telephone game. You know, the one that you played as a kid sitting around the kitchen table or on the floor in a circle.


One person starts and whispers into the ear of the person to their right. Just a sentence or two. By the time the message gets around to the 3rd or 4th person, it is dramatically different from the original. It has been interpreted, edited and sanitized.


Walk down the hall or pick up the phone and contact the person in charge of the corporate "Emergency Operations Plan (EOP)", the electronic suggestion box or the corporate whistle-blower program at your institution.


Ask them for the most recent activity log. Ask yourself how you could get this mechanism to perform better, and then work with your front line to develop something that middle management can't filter, change or delete.
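That last requirement, a record that middle management can't filter, change or delete, is a property you can actually test for rather than take on faith. The following is an added illustration and is not part of the original post or of any product it mentions: an intake ledger that drops identifying fields before anything is stored, hash-chains each entry to the one before it, and gives the head of Enterprise Risk Management a verify function to run against a chain head recorded out of band. The field names, the constructed sample reports and the "risk office checkpoint" are assumptions made for the illustration.

```python
"""Tamper-evident, anonymised intake ledger (illustrative; assumed design)."""
import copy
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64

# Only these fields survive into the ledger (assumed form fields). Anything
# else a form or web server might attach (name, e-mail, IP address, device
# id) is dropped before the entry is hashed, so it is never stored at all.
RETAINED_FIELDS = ("category", "location", "summary")


@dataclass
class Entry:
    seq: int          # position in the chain; a gap means something was removed
    ts_day: str       # day-granularity timestamp, to limit timing correlation
    payload: dict     # the anonymised report
    prev_hash: str    # hash of the previous entry (GENESIS for the first)
    entry_hash: str   # SHA-256 over all of the above


def entry_digest(seq: int, ts_day: str, payload: dict, prev_hash: str) -> str:
    """Canonical JSON so identical content always hashes identically."""
    blob = json.dumps([seq, ts_day, payload, prev_hash],
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def submit(self, report: dict, now: Optional[float] = None) -> Entry:
        """Strip identifying fields and append a chained entry."""
        payload = {k: report[k] for k in RETAINED_FIELDS if k in report}
        t = time.time() if now is None else now
        ts_day = time.strftime("%Y-%m-%d", time.gmtime(t))
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        e = Entry(seq, ts_day, payload, prev,
                  entry_digest(seq, ts_day, payload, prev))
        self.entries.append(e)
        return e

    def head(self) -> str:
        """Current chain head; the risk office records this out of band."""
        return self.entries[-1].entry_hash if self.entries else GENESIS


def verify(entries: List[Entry], trusted_head: str) -> Tuple[bool, str]:
    """Recompute every hash, check links and sequence numbers, then compare
    the final hash with the checkpoint the risk office holds. Any in-place
    edit, deletion or reordering is reported with its position."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i:
            return False, f"gap or reorder at position {i} (seq {e.seq})"
        if e.prev_hash != prev:
            return False, f"broken link at seq {i}"
        if entry_digest(e.seq, e.ts_day, e.payload, e.prev_hash) != e.entry_hash:
            return False, f"modified entry at seq {i}"
        prev = e.entry_hash
    if prev != trusted_head:
        return False, "ledger head does not match the recorded checkpoint"
    return True, "ok"


if __name__ == "__main__":
    ledger = Ledger()
    # Constructed sample reports; the identifying keys are discarded on intake.
    ledger.submit({"name": "J. Doe", "ip": "10.1.2.3", "category": "safety",
                   "location": "Plant 4", "summary": "Guard interlock bypassed"}, now=0)
    ledger.submit({"category": "security", "location": "Data center B",
                   "summary": "Shared admin password on badge system"}, now=86400)
    ledger.submit({"category": "fraud", "location": "Accounts payable",
                   "summary": "Duplicate vendor invoices approved"}, now=2 * 86400)
    checkpoint = ledger.head()          # handed to the risk office out of band
    print(verify(ledger.entries, checkpoint))

    # A manager with storage access rewrites one report in place.
    edited = copy.deepcopy(ledger.entries)
    edited[1].payload["summary"] = "No issue found"
    print(verify(edited, checkpoint))

    # Deleting the newest report leaves a self-consistent chain; only the
    # out-of-band checkpoint catches it.
    print(verify(ledger.entries[:-1], checkpoint))
```

Two caveats matter in practice. Hash-chaining makes tampering detectable, not impossible: whoever controls the storage can rewrite the whole chain, which is why the head must be checkpointed somewhere the filtering layer cannot reach, and why silently dropping the most recent report is caught only by that checkpoint. And anonymity at the application layer does not extend to the network: the trusted VPN mentioned above authenticates the reporter, so whoever can read VPN and web-server logs can still tie a submission time to a person unless those logs are kept out of the same hands.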


That is when you will be on your way to getting the real story, in more recent real time…


20 March 2026

OPS Risk: All Hazards & Ai…

The CxOs at our global institutions have a primary "Duty of Care" to ensure the safety of employees when asymmetric threats materialize.

There is no "Radar" that can alert you to when the next incident will occur.


This is why many institutions have taken a new "Operational Risk Management" (ORM) perspective when it comes to the “All Hazards” and events that may impact the business.


A true Operational Risk perspective has its roots in understanding exposure to risk and the likelihood that an event will occur.


Yet how could one ever predict the rise of another so-called Unabomber?


The fact is that you don't. This is why you must have an "All Hazards" worldview operating within the culture of your organization 24 x 7 x 365.


The threat could be an innocent-looking "Priority Mail" package with a toxic substance, or just a thick brown envelope containing the latest class-action lawsuit.


While that threat entering the mail room has affected only a few institutions, another battle is going on in a different part of every business, and it is a wholly different type of risk in its speed and its reach across our enterprises.


What OPERATIONAL RISK MANAGEMENT “Is Not” . . .

  • About avoiding risk
  • A safety only program
  • Limited to complex, high-risk evolutions
  • A program -- but a process
  • Only for on-duty
  • Just for your boss
  • Just a planning tool
  • Automatic
  • Static
  • Difficult
  • Someone else’s job
  • A well kept secret
  • A fail-safe process
  • A bunch of checklists
  • Just a bullet in a briefing guide
  • Going away


That other battle has to do with the frequency and the pervasive spectrum of new digital "Artificial Intelligence" (Ai) risks across the enterprise.


The speed of change in our global connected economy is rapidly accelerating.


You have to be operating in a “ROBUST” and complete state of preparedness for whatever the next potential incident will bring…

08 March 2026

ID Risk Management: Corporate Intelligence Unit (CIU)…

What is your name? Where do you live? What is your phone number? Where were you born? What is your social security number? What is your passport number? Where was it issued? What evidence do you have that this is all true? Your identity is at stake and Operational Risk Management is on the line.

These questions and more are asked of us on a regular basis to establish our true identity. The entity asking them is deciding whether to grant you access. Access to what?

It could be to open an account at a banking institution, get a driver's license or become a member of a trusted community of people. Or it could be a country deciding whether to grant you a visa to visit or work for a period of time.

Whether you are the UK admitting people into the country or a Global 500 company allowing someone access to your corporate facilities, digital assets or place of business, you must have ways to effectively validate who people say they are against who they really are.

Even if you asked all of the questions above in the early stages of the company hiring process, would you really have the entire picture? The answer changes over time and with the events in a person's life. Identity Management, and the use of both "known to many" and "known to few" attributes about who you are and who you know, is a reality in today's blur of global commerce.

When a country has a breach of security and admits people who are not who they purport to be, is it any different in the context of a Defense Industrial Base company headquartered in Chicago, IL or an Investment Banking firm in Geneva, Suisse? What differ are the motives and the outcomes of the fraudulent acts.

What are the current arguments and the leading reasons why our policies, methods and tools associated with Identity Management are in a state of chaos in the United States?

"What is interesting is that the same people who are coming to work every day with their TWIC or CAC cards are also victims of ID Theft as consumers."

The same individuals who walk into the SCIF or the bank vault may very well be people who have active investigations going on regarding their identity being used to perpetrate crimes or other fraudulent motivations. So what are some of the most important issues on the Identity Management horizon?

In all of the breaches, all of the incidents there is a root cause for the failure in the people, process, systems or external factor that opened up the vulnerability for the attacker to exploit and obtain their objective.

It's called Continuous Monitoring. Appendix G of US NIST SP 800-37 illustrates why "Continuous Monitoring" is critical, especially in information systems.

Private-sector companies have a duty to invest in resources, policy refinement and new methods or tools to keep continuous monitoring as vigilant as possible:

"Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. A well designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation”

Much of what we know about our employees is found in their HR files, background reports (if ever done) and what co-workers say about their behaviors in the workplace.

Corporate Security, Risk Management, General Counsel, Information Technology, Public Relations and even the EAP (Employee Assistance Program) executive managers shall create, maintain and continuously operate a Corporate Intelligence Unit (CIU) and “Threat Assessment Team”.

Without it, the consequences of not knowing a person's true identity or current state of mind could cost you more than the loss of life.

It could cost you, or the organization, its global reputation…