Showing posts with label Defensible Standard of Care. Show all posts

09 August 2025

Facilities Safety: +Beyond Travel Risk Management...

Have you ever wondered where high value assets are located in your facility or on your campus? Especially those that are mobile assets. Have you ever wondered who and where visitors to your offices or campus facilities are located at any given time?

Ekahau is making the answers to these and other questions much easier and at a more rapid response. Safety, production costs, and time-to-market are vital points of consideration for industries, education and campus organizations.

"By being able to easily track people, vehicles, and assets, these factors can be made substantially more safe and efficient."

Founded in 2000, Ekahau is the recognized leader in location-enabling enterprise Wi-Fi networks. Ekahau's mission is to provide the easiest, most cost effective and accurate positioning solutions for locating people, assets, inventory and other objects using wireless enterprise networks. The Ekahau solution tracks wireless laptops, PDAs, VOIP phones, Wi-Fi tags and other 802.11 enabled devices.

Ekahau’s solution allows businesses to keep track of valuable assets and equipment, improve the overall workflow, and improve the levels of corporate security and customer service. With Ekahau, the critical corporate resources, people and assets, will always be available at the right place and at the right time.

As Ekahau's location tracking solution does not require installation of proprietary wireless infrastructure, but can run over the existing private Wi-Fi network, the deployment cost is kept to a minimum and the overall system payback time is the fastest possible.

Safety and security applications are numerous especially in Healthcare:

• Emergency management - more efficient and faster emergency response

• Patient monitoring - better patient safety and increased throughput

• Workflow management - better staff utilization and increased patient throughput

• Equipment management - reduced need for inventory

• Information delivery - improved workflow, reduced errors

• Billing support & verification - improved revenue capture

Can you think of other Homeland Security and first responder applications using the Ekahau capabilities, especially in post-event incident management and key personnel tracking inside a closed perimeter? As WiMax and other 802.11 networks are deployed in major metro locations, the applications become widespread.

People: Beyond Travel Risk Management...

When was the last time your corporate travel department gave you some timely INTEL?

Maybe you got a report on the current level of risk in the foreign region, city or country you are now scheduled to visit in the next few days. What are you going to do if everything “Goes South” in a matter of seconds or minutes?

The Mission

In situations that require instinctive response, you have to go beyond the traditional travel management report on what to do and who to call. You have to be proactive and make decisions on your own.

In order to survive, one must be trained on the authoritative, detailed description of the methods by which terrorist organizations, hostile intelligence services, and criminal groups select and target specific individuals.

Individuals and a team must learn how they can detect and counter potential threats against them, and their sponsoring organizations to better manage these pervasive operational risks.

These threats could include recruitment by a hostile service, kidnapping or assassination by terrorist and criminal elements or espionage by business competitors.

Combined with real-time INTEL, you must receive intense, real-time instruction in surveillance detection and counter-surveillance so that you can take appropriate actions.

Combining real-time intelligence with a focused surveillance and threat detection-training program is exactly what savvy corporate executives and Chief Security Officers are looking for from a single source.

Personnel threat management is a prudent risk mitigation solution. This combination is one key strategy to mitigate the operational risks associated with key personnel in your organization.

Individuals whose occupations place them at risk may include people with access to valuable proprietary information or holders of high level security clearances, the wealthy and those responsible for their safety.

The Take Away

Combine two parts Threat Detection & Management Training with one part INTEL and you have the perfect combination to ensure the successful completion of corporate or organizational missions across the globe…

26 July 2025

QFD: The End of Compliance...

Corporations will continue to be responsible for the criminal behavior and actions of their employees, 3rd party suppliers and other contractors for at least the near term.


In any case that has the defense legal eagles and "Usual Suspects" arguing against the corporate liability issue, is the intent getting cloudy, or is it crystal clear?


Even if your Corporate Compliance Programs are in full force and the financial integrity unit is robust in its efforts, the "Operational Risk" of litigation still exists.


Regardless of the amount of awareness building, education and corporate window dressing, you can't ultimately control human behavior. 


More compliance enforcement and regulatory pressure may seem to be the answer. A voluntary effort to shore up security, soundness and the opportunity for malfeasance in the work place may not be working effectively.


And still the liabilities exist from the plaintiffs and government adversaries to gain compensation. So what is the answer?


The answer lies in the "Enterprise Architecture" of our institutions and the failure to implement the process of "Quality Function Deployment" (QFD). This has been ignored by senior executives and US business because many judge it to be too complex.


One only has to look at the state of our automobile manufacturers versus the likes of Japanese companies to get a sense of the success of incorporating QFD on a comprehensive basis. But now apply this to the culture of an organization and how each individual makes logical business decisions instead of emotion-based decisions.


What many liability issues begin with are the employee(s) who made a bad decision.


QFD in its simplest form is a tool to promote communications. Among peers and connected teams within the organization it provides the methodology to catch errors, omissions and emotional bias early in the process.


As an example, let's take the Request for Proposal (RFP).


Many companies depend heavily on winning business by responding to RFPs. A "deal maker's" perception of the importance of the RFP determines the effort put into the response.


Many times, this is influenced by an incentive plan. The human behavior to accept or decline the effort on an RFP as well as what it takes to push it through the organization for executive sign offs, is not always compatible with the strategic and quality measures of the enterprise.


Over time this will form an unimaginable amount of moral decay within a company. This leads to bad behavior and unethical decisions that people make because the business environment has rewarded it for far too long. So who is to blame here? The employee or the culture and company that has condoned and encouraged the behavior that ultimately damaged someone or something.


Implementing QFD in your information-based enterprise could have a dramatic impact on achieving a defensible standard of care by reducing the likelihood of catastrophic emotional decisions.


More importantly, QFD programs such as this that are directly reducing the likelihood of bad employee behavior and criminal incidents, can reduce the necessity for invasive compliance programs that most everyone wants to ignore.

22 March 2025

Corporate Directors: Continuous Continuity (C2) of the Enterprise...

The modern enterprise that effectively manages the myriad of potential threats to its people, processes, systems and critical infrastructures stands to be better equipped for sustained continuity.

A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing. Corporate Directors must scrutinize organizational survivability on a global basis.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C2, or "Continuous Continuity”.

A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door to a Board of Directors' worst nightmare.

These nightmares are "Loss Events" that could have been prevented or mitigated altogether.

The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

  • Table-top testing: Discussing how business recovery arrangements would react by using example interruptions
  • Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles
  • Technical recovery testing: Testing to ensure information systems can be restored effectively
  • Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location
  • Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions
  • Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions

Many of these best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here.

What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as supply chain management. The effective BCCM framework will become a core process within the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise.

As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C2, or "Continuous Continuity”.

Having survived several large quakes in Southern California in years past, we are not sure that all of the testing in the world can prepare people for human behaviors that come from within.

"People literally lose all sense of common sense when you are on the 42nd floor of the 50+ sky scraper and without any warning it physically sways a couple feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people."

Certainly the largest organizations realize that the external threats are taking on new and different forms than the standard fire, flood, earthquake and twister scenarios. These historically large catastrophic external loss events have been insured against and the premiums are substantial.

What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the internal facets of the organization having to do with people, processes and systems.

Corporate Boards of Directors are now being continuously subjected to regulatory scrutiny across the globe to ensure the continuity and survivability of the enterprise.

It is their duty and responsibility to their shareholders to make sure this occurs on a continuous basis. The world can only hope that our Global 500 companies are well on their way to achieving C2 already.

Corporate Directors are ultimately responsible for Continuous Continuity (C2) of the Enterprise…

28 September 2024

Pain or Joy: Change Management 101...

Habits are hard to change. It takes discipline and continuous perseverance.


When was the last time you changed something that increased your revenue? Your health. Or your safety and security.


Change and managing change whether in the corporate ranks of your Fortune 500 Global Enterprise or back in your own personal life at home is a true challenge.


Before you even thought about what you needed to change in your business or your own life, you probably have encountered one of two experiences:

    • Pain
    • Joy

Which one of these two experiences have you recently encountered?


You see, our human behavior is quite predictable and it is usually one of these two motivators in life that will change your behavior.


Educating yourself and others you care about requires that you sometimes utilize one of these motivators in order to initiate new change.  Let’s begin with “Pain”.


These realities are exactly what the evil in our world today continues to prey on.  Those individuals who are unable or unwilling to change, and to manage change in their lives.


“It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world.”  Page 19 - Achieving Digital Trust | The New Rules For Business At The Speed Of Light  - Author Jeffrey Ritter


In your own digital life, these habits may be as simple as using the same password on multiple accounts that each of us rely on, each day or each week of our lives.  You know who you are.


As the continued use of “Ransomware” remains so pervasive across the globe and is utilized by so many criminal gangs and nation states, each one of us must consider our personal and business habits.


At home and at work.


It is now time to change.  It is time to change your digital habits so you may avoid the pain and continue to have even more joy in your life.


Take action.


Start a new habit now of changing the weak password on your bank accounts.  Make it 20 characters, and make it random.  Easily addressed when you "Use a Password Manager App".  Then set a reminder to change it on January 1, April 1, July 1, and October 1 of each year.
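The habit described above, as an added example that is not part of the original post: it generates a 20-character password from a cryptographically secure random source (Python's standard-library `secrets` module, a reasonable stand-in for what a password manager does internally), estimates how many bits of entropy that gives, and computes the next rotation date on the January 1 / April 1 / July 1 / October 1 schedule. The character set `ALPHABET` and all dates used are assumptions chosen for illustration.

```python
"""Added example (not from the original post): random 20-character password,
entropy estimate, and next quarterly rotation date (Jan 1, Apr 1, Jul 1, Oct 1).
The alphabet below is an assumption for the example, not a recommendation of
any particular site's password policy."""
import math
import secrets
import string
from datetime import date

# Assumed character set: ASCII letters, digits and a punctuation subset (84 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"

# Rotation months from the post: January, April, July, October, on the 1st.
ROTATION_MONTHS = (1, 4, 7, 10)


def generate_password(length: int = 20) -> str:
    """Return `length` characters drawn uniformly and independently from ALPHABET
    using the OS CSPRNG (secrets), never the `random` module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = 20, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for `length` uniform picks from an alphabet of `alphabet_size`:
    log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def next_rotation_date(today: date) -> date:
    """First rotation date on or after `today` in the quarterly schedule."""
    for month in ROTATION_MONTHS:
        candidate = date(today.year, month, 1)
        if candidate >= today:
            return candidate
    return date(today.year + 1, ROTATION_MONTHS[0], 1)


def next_rotation_iso(today_iso: str) -> str:
    """Same as next_rotation_date but takes and returns ISO 8601 strings."""
    return next_rotation_date(date.fromisoformat(today_iso)).isoformat()


if __name__ == "__main__":
    pw = generate_password()
    print(f"password: {pw} ({len(pw)} chars, about {entropy_bits():.1f} bits)")
    print("next rotation:", next_rotation_date(date.today()))
```

With 84 symbols, 20 independent picks give roughly 128 bits, which is why the post's "20 characters, random" advice only works when the characters really are chosen uniformly; a password manager does that for you, a human choosing "random-looking" characters does not.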


“Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.


The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.


Storm-0501's recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.” BleepingComputer


After you have successfully accomplished this simple task in your business and in your own personal life, remember:


The “Pain” of doing this simple “Change Management” step in your life, will help bring you continued “Joy” for so many years to come…:)


Godspeed!

26 July 2024

Enterprise Resilience: Compete or Die...

Enterprise Resilience is the road to competitiveness. It is the global answer to many of the Chief Security Officers (CSO) who have faced the troublesome battle of selling more "Fear and Doubt" to the Board of Directors.

When Deborah Wince-Smith stood up on the stage at the 21st Annual Security Briefing at OSAC November 16th, 2006, her words were music to our ears:

“It is undeniable that the world has gotten more risky. Businesses now function in a global economy characterized by increasing uncertainty, complexity, connectivity and speed. Managing this rapidly changing risk landscape is an emerging competitiveness challenge—a challenge that demands resilience: the capability to survive, adapt, evolve and grow in the face of change.”

“Globalization, technological complexity, interdependence, and speed are fundamentally changing the kind of risks and competitive challenges that companies— and countries—face.”

“Failure, whether by attack or accident, can spread quickly and cascade across networks, borders and societies. Increasingly, disruptions can come from unforeseen directions with unanticipated effects.”

“Global information and transportation networks create interdependencies that magnify the impact of individual incidents. These types of risk demand new methods of risk management.”

Thinking back to those days, was this a way for the Chief Security Officers (CSO) of the Fortune 500 to finally shift their thinking from just security protection to something less macho?

How could "Resilience" become a platform for a mind set shift to justify new funding?

"After all, now we aren't trying to scare people into the low probability high impact incidents anymore and are focusing in on the high probability incidents, that may have enough impact to cause a significant business disruption."

What are the incidents and areas of risk that insurance won't touch these days?

If the insurance companies can write the policy to give you peace of mind, then is this necessarily an area that you can ignore because you have transferred the risk to someone else? Maybe not.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room.

Working towards control and protection while fear builds in the back of your mind makes you stiff, depletes your energy and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience can have “bet the firm” results.

We all know that it costs lots of money to have any systems downtime; that's why so many dollars have been invested in Disaster Recovery (DRP) and other Business Continuity Planning (BCP). Delta?

Yet is this the kind of resilience that is going to make you more competitive to seize more opportunities? The economics of resilience are more than investing for the likely or unlikely information systems incident that will attack your organization tomorrow.

The threat of “Tort Liability” and the loss of reputation remains top of mind these days with every major global company executive.

The threat is real and increasing at a faster rate than many other real operational risks to the enterprise.

Litigation from regulators, class actions and competitors has given the term Legal Risk new emphasis and meaning.

Once corporate management understands the need for a "resilience" mentality in place of a "protection" mental state, a new perspective is found.

Investing in the vitality, agility and competitive capabilities of the organization sounds and is more positive.

It alleviates the fear of doom and gloom and inspires new found innovation.

The future of your organization's longevity and its adaptability can be achieved with a new perspective. Compete or die.

Enabling Global Enterprise Business Resilience is just the beginning...

19 July 2024

Operational Risk: People, Process, Systems & External Events...

When was the last time your team presented their plan to execute your next major milestone in your important project?

As you lean back in your chair and hear the “What”, “Why”, “Where”, “How” in the bullets and pictures on each of their presentation slides, you might be pleased with what you see.

Now, what is the alternative plan for this particular operation? Just in case.

The more you experience change and the real setbacks of your intended goals, achievements or anticipated outcomes, the realization occurs that you will need a “Plan B”.

You know, a back-up plan. Perhaps you even may need a fail-safe:

fail-safe

adjective

1: incorporating some feature for automatically counteracting the effect of an anticipated possible source of failure.

What is your universal unlock code? What is your alternative plan? How will you ensure the safety, security and service of your intended game plan today?

Unfortunately in business and in any other highly engineered or sophisticated operation that is vital to your growth and success, you will need to create an alternative plan.

Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. These risks are further defined as follows:

* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.

* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.

* Systems risk – disruption and outright system failures in both internal and outsourced operations.

* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.

How will you ensure the safety, security and service of your intended game plan today?

The teams who incorporate comprehensive Operational Risk Management (ORM) into each daily process, shall achieve their goals and will outperform the competition…



22 March 2024

Enterprise Security Risk Management (ESRM): Be Proactive…

What are three major questions that most CxO executives and Boards of Directors need to answer when confronting information security issues:

  1. Is your security policy enforced fairly, consistently and legally across the enterprise?
  2. Would our employees, contractors and partners know if a security violation was being committed?
  3. Would they know what to do about it if they did recognize a security violation?

In today’s complex 5G wireless world, global supply chains, nation states or insider threats to the information infrastructure of a company or government agency are not static, one time events.

With new exploits, vulnerabilities, and digital attack tools widely available for download or X-as-a-Service (XaaS), a “complete information security solution” in place today can easily become outdated and incomplete tomorrow.

As a result, a comprehensive security architecture solution must be flexible and dynamic, continuously monitored and updated.

Presently, the news of “Zero-Day” digital-threat events tends to spread through the computer security world in a “grapevine” manner.

Threat information is obtained from specialized websites, e-mail listservs, cyber managed services and countless other informal sources.

This haphazard system is incomplete and therefore raises enterprise security risk management concerns when evaluating the damaging, costly effects of an aggressive, systematic digital event.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs.

Proactive Awareness and the ability to make informed decisions are critical.

So what?

In short, as our global electronic economy plays an increasing role in the private and public sectors, critical infrastructure organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business ransomware disruption).

The cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on our integrated systems with partners, subsidiaries and your vital supply chain.

Be proactive…

02 March 2024

Critical Infrastructure Protection: Resolve to be Ready...

CxO’s in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises.

Now that threats to government and business operations are becoming ever more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety.

Consistently the conversations are not about “if” something is going to happen, it is about “where” or “when” it is going to happen.

In order to introduce new changes in process or design that impact the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners.

Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future.

First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures. Think “Ransomware” or even Colonial Pipeline.

The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure.

In order for owners to benefit from the potential of reduced premiums from direct insurers, they must be able to demonstrate a combination of risk mitigation measures and programs to help improve the survivability of the infrastructure or to reduce its vulnerability to certain threat profiles.

These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

In order for insurance brokers to accurately represent their buyers' mitigation programs and measures to the direct insurers, they must have a foundation of knowledge about the structure's physical vulnerabilities.

However, even more essential is the understanding of the operational and human attributes of the building that are contributing to the proactive tactics to prevent losses and further exposures to potential terrorism risk.

If this step takes place, the insurers can better evaluate these operational and human elements to determine the value and effectiveness of these tactics so that they can be considered for premium reductions.

The building itself, two miles from The White House, 10 Downing Street or the Eiffel Tower, has little chance of moving outside the high-risk zone for terrorist events.

The only methods for reducing risk exposures are to dramatically impact the operational and human elements of the building to mitigate hazards and increase the survivability of the people and systems that are resident.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount...

23 February 2024

CERT: Make a Difference in this World...

Since the beginning of time, weather has been unpredictable. So has man.

When was the last time you witnessed the aftermath of a natural disaster?

When was the last time you saw the devastation from the Fateh-110 family of short-range ballistic weapons?

The continuous examples of risks to our world could generally be put into two major categories, 1) those we as humans can control and 2) those natural risks that we can’t control and shall have to live with.

Our spectrum of "Operational Risks" across People, Processes, Systems and External Events is vast and endless.

Where do you, as a leader in your organization, spend most of your time and resources to try and mitigate risks:

  • Natural Disasters and Weather (External Events)
  • People and Processes

Why?

Do you think that you are able to make a difference with those risks that you might be able to control?

Which is it: A) controlling the weather or B) influencing human behavior? Pick one.

What might happen if we devoted more time and resources to “B”?

How might this investment have a risk reduction impact and reduction in annual loss events to your family, organization, community, college or government?

Complacency or ignorance will continue to plague us and will make the world a more dangerous place to work and live.

Just listen to your own local news for a day. What will you learn?

Now, learn what you might do to make a proactive difference.

This is one great place to begin: Community Emergency Response Team CERT.

Similar to the Community concept, why not apply this just cause of continuous training and learning to a Corporation, a Church, a Synagogue, a Campus, a Club or a Cinema.

“The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.” Albert Einstein

26 January 2024

Operational Risk: Volatility of Change...

What is volatility and how could this be an operational risk in your particular institution or organization?


The threat of "Volatility" depends on what is being measured. The stock price. The return on capital. The key is that you want to reduce volatility in most cases.


It scares some people. Long term investors, employees and customers.


Volatility is the standard deviation of the change in value of a financial instrument with a specific time horizon. It is often used to quantify the risk of the instrument over that time period.
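The definition above worked through in code, as an added example that is not part of the original post: volatility computed as the sample standard deviation of period-to-period change, with an optional time-horizon scaling by the square root of the number of periods per year. It goes one step beyond the text by applying the same measure to a non-financial series (monthly workplace incident counts), the kind of measurement the post later suggests in place of earnings. Both input series are constructed for illustration.

```python
"""Added example (not from the original post): volatility as the standard
deviation of change in value over a chosen horizon, for a constructed price
series and a constructed monthly incident-count series."""
import math
from typing import Optional, Sequence


def period_changes(values: Sequence[float], log_returns: bool = True) -> list:
    """Change from one period to the next.
    Prices: log return ln(v_t / v_{t-1}), which needs strictly positive values.
    Counts (which may be zero): plain difference v_t - v_{t-1}."""
    if len(values) < 2:
        raise ValueError("need at least two observations")
    pairs = list(zip(values, values[1:]))
    if log_returns:
        if any(v <= 0 for v in values):
            raise ValueError("log returns need strictly positive values")
        return [math.log(b / a) for a, b in pairs]
    return [b - a for a, b in pairs]


def volatility(values: Sequence[float], log_returns: bool = True,
               periods_per_year: Optional[int] = None) -> float:
    """Sample standard deviation of the period changes.
    If periods_per_year is given, multiply by sqrt(periods_per_year) to express
    the per-period figure on an annual horizon (this square-root-of-time scaling
    assumes the period changes are independent)."""
    changes = period_changes(values, log_returns)
    if len(changes) < 2:
        raise ValueError("need at least two changes for a sample deviation")
    mean = sum(changes) / len(changes)
    variance = sum((c - mean) ** 2 for c in changes) / (len(changes) - 1)
    sigma = math.sqrt(variance)
    if periods_per_year:
        sigma *= math.sqrt(periods_per_year)
    return sigma


def more_volatile(name_a: str, series_a: Sequence[float],
                  name_b: str, series_b: Sequence[float],
                  log_returns: bool = False) -> str:
    """Name of the series with the larger volatility (same change rule for both)."""
    return name_a if volatility(series_a, log_returns) >= volatility(series_b, log_returns) else name_b


if __name__ == "__main__":
    # Constructed sample data, not real prices or incident figures.
    monthly_prices = [100.0, 104.0, 101.0, 107.0, 103.0, 109.0, 112.0]
    site_a_incidents = [2, 3, 2, 3, 2, 3, 2]       # steady
    site_b_incidents = [0, 6, 1, 7, 0, 8, 2]       # swinging
    print(f"price volatility per month: {volatility(monthly_prices):.4f}")
    print(f"price volatility annualised: {volatility(monthly_prices, periods_per_year=12):.4f}")
    print(f"site A incident volatility: {volatility(site_a_incidents, log_returns=False):.3f}")
    print(f"site B incident volatility: {volatility(site_b_incidents, log_returns=False):.3f}")
    print("more volatile site:", more_volatile("A", site_a_incidents, "B", site_b_incidents))
```

The two sites in the constructed data have similar average incident counts; what separates them is the swing from month to month, which is exactly what the standard deviation of change captures and an average would hide.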


Who likes volatility?


Volatility is often viewed as a negative in that it represents uncertainty and risk.


However, volatility can be good in that if one shorts on the peaks, and buys on the lows one can make money, with greater money coming with greater volatility.


The possibility for money to be made via volatile markets is how short term market players like day traders make money, and is in contrast to the long term investment view of buy and hold.


So volatility is in the "eye of the beholder". The point is that some people thrive on it and others are better off with that smooth and predictable future.


Risk in a financial institution is defined in terms of earnings volatility. Earnings volatility creates the potential for loss. Losses, in turn, need to be funded, and it is the potential for loss that imposes a need for institutions to hold capital in reserve.


This capital provides a balance sheet cushion to absorb losses, without which an institution subjected to large (negative) earnings swings could become insolvent.


How much capital is allocated to Operational Risk is a measurement issue. The decisions an institution makes in managing Operational Risks are not about risk versus return, but risk versus the cost it takes to avoid these threats.


The key determinant of an institution's risk factor against operational failures is not the amount of reserve capital; it is the performance of management.


In fact, in a few spectacular cases of operational failures, incremental capital would have made no difference to the firm's survivability. It comes back to strategy, safety, security and soundness.


How volatile are your earnings? At the end of the day the question is about management controls and measurement.  What if your measurements were not earnings, but the number of workplace accidents and acts of violence?



How effective are they at mitigating operational risks in the areas of the institution that can't be insured?


Look at places where "Change" is happening in huge volumes and at a rapid pace and you will know where to begin.