Showing posts with label ERM. Show all posts

20 February 2016

Predictive Intelligence: Data or Precogs...

The term "Predictive Intelligence" has been in use for a few years in the Operational Risk Management (ORM) community.  Born from the marketing collateral of the Business Intel (BI) vendors, it essentially requires hundreds of gigabytes or even terabytes of historical data, which is then analyzed or data mined for so-called insight.  The question is, why is this "Predictive Intelligence" and not just more "Information" in a different context?

Now introduce the nexus of our own "Trust Decisions" and the "Human Factors" associated with the science of cognitive decision making.  How do we as humans make our decisions to trust vs. how computers make their decisions to trust?  Are they not executing rules written by humans?  When is it information in a different format as opposed to true intelligence?

Christian Bonilla may be on to something here:
"Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in the sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes."
What does the fusion of human factors have to do with predictive intelligence?  That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report.  Many aspects of the original Philip K. Dick story were adapted in its transition to the film, which was shot in Washington, DC and Northern Virginia.  Is it possible to predict someone's future behavior even before they commit a crime or even become violent?
Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".
Cruise plays the role of John Anderton, who is part of the experimental police force known as "Precrime."  Clairvoyance and precognition have many skeptics when it comes to their use for predicting future events.  A related term, presentiment, refers to information about future events which is said to be perceived as emotions.
Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future.  Based upon the recent global events that missed the forecast of economic implosion based upon historical data, maybe it's time to start introducing more human factors to the equation.

The people who have gone on record in interviews to predict a future historical event will probably be right at some point in time. How long will you be around to wait?  The demise of the banking sector and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere in the 2007/2008 time frame.  The point is that you have to have context and relevance to the problem being solved or the question being asked.
The real story of the crash began in bizarre feeder markets where the sun doesn't shine and the SEC doesn't dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower- and middle-class Americans who can't pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren't talking.
Predictive analytics extracts relevant information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting it to predict future outcomes.  Is it possible that there was and is too much reliance on the numbers and not enough on people's cognitive intuition?

This blog has documented the "11 Elements of Prediction" in the past.  Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and raw numbers. Effective execution of both will provide corporate management the situational awareness they seek within the time line they wish.

The future state of Predictive Intelligence will combine the science of "Trust Decisions" with the art of "Data Analytics" to achieve our desired outcomes.

24 January 2016

Adverse Consequences: Enabling Digital Trust of Global Enterprises...

In the World Economic Forum 2016 - Global Risks Report, there are several insights and alarms that Operational Risk Management (ORM) professionals and the Board of Directors are quickly analyzing.  This year's Davos, Switzerland Annual Meeting and report have the underlying theme of the "Fourth Industrial Revolution".

Our first insight is the rise in "Cyber Dependency" that is called out in the "Risk-Trends" Interconnections Map.  It is tied directly to the following technological "Global Risks" ranked by highest impact:
  1. Cyberattacks
  2. Critical Information Infrastructure Breakdown
  3. Adverse Consequences of Technological Advances
  4. Data Fraud or Theft
#1 makes sense in the Upper Right Quadrant of High Impact and High Likelihood.  The alarms, however, are going off with #2 and #3 for several reasons.  First, they are in the Upper Left Quadrant of "High Impact" and "Low Likelihood".  Why does this create concern?

The Upper Left Quadrant holds the risks that some of the most experienced OPS Risk professionals pay attention to the most.  This is the place that organizations usually ignore with people and resources and where enterprises are caught off guard or blindsided by asymmetric threats.  These are the risks that no one has really exercised for and for which no one is actively developing proactive hypotheses to address in a real-time crisis.

There are two other risks shared in this same Upper Left Quadrant in 2016:
  • Weapons of Mass Destruction
  • Spread of Infectious Diseases
These are risks that nation states spend hundreds of millions of dollars each year collecting intelligence on and devoting substantial resources to try and keep the likelihood of these occurring as low as humanly possible.  The impact on humanity is far too great not to devote attention to these, yet the private sector is rarely involved.

Now, let's consider the other two in the same quadrant, slightly less in impact and just a little higher in likelihood.  What does each really mean as a global risk?


"Critical Information Infrastructure Breakdown": Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption.

"Adverse Consequences of Technological Advances": Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage.
  • A global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.
  • A global trend is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.
Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience. Particular attention is needed in two areas that are so far under-protected: mobile internet and machine-to-machine connections. It is vital to integrate physical and cyber management, strengthen resilience leadership and organizational and business processes, and leverage supporting technologies. (Page 23 of WEF_GRR16)
The combination of the two aforementioned technological global risks is almost invisible to the major stakeholders of our vital organizations and governments.  This is because the focus on "Cyberattacks" and "Data Fraud or Theft" has dominated the news cycles.  It makes sense.  However, we must consider this:
As is often the case, however, public-private partnership can be held back by lack of trust and misaligned incentives. Businesses may fear exposing their data and practices to competitors or to law enforcement agencies. And the private sector’s primary interest in rapid recovery and continuity of business operations may not align with the public sector’s primary interest in apprehending and prosecuting perpetrators. In addition, governments need to balance their investments in cyber offensive weapons and efforts to enhance capabilities for cybersecurity and defence. (Page 83 of WEF GRR16)
Cyber Dependency.  A long-term pattern that is currently taking place that could contribute to amplifying global risks and/or altering the relationship between them.  The underlying root cause of the disruption and the perceived risks are focused on the integrity of "Digital Trust" and the continuity of "Trust Decisions":

  • Machine-to-Machine
  • Person-to-Person
  • Business-to-Business
  • Government-to-Government
  • Country-to-Country

Business Executives and Leaders of Nation States have one thing in common.  Their employees and their citizens are ever more connected by mobile digital devices.  Their economic engines of banking, finance and trading are dependent upon the confidentiality, integrity and assurance of data.  The abilities and the opportunities of the mass of humanity to continuously leverage their personal digital devices are simultaneously a global risk.  So what?

You see, the 2016 Global Risks Report is flawed.  It relies on an outdated and soon to be irrelevant set of four Quadrants.  The axes of Impact and Likelihood are no longer capable of addressing risk management and the human perceptions of both.  On the planet Earth, in the Internet ecosystem of 500 Billion computing machines, lies the answer to our future quest:

Enabling Digital Trust of Global Enterprises...

09 November 2014

Veterans Day 2014: Leading the Enterprise to Victory...

The 1% are soon to be recognized on Tuesday, November 11, Veterans Day.  CxOs across the country who have served in the military know all about "Operational Risk Management" (ORM). They understand that the safety and security of their personnel is paramount, if they are to achieve the mission assigned to them by the Board of Directors and the majority stakeholders.

If only 1% of the country serve in the military, and fewer make it to the rank of CxO in commercial industry, it makes sense that ORM remains so esoteric.  Only an enlightened few truly understand the value of investing in continuous training, cultural and ethical development and the safety and security of not only employees, but also intellectual capital and information assets.

Indeed, this Veterans Day is a time to focus on our 1%.  Those who have served the United States of America in the Armed Forces.  At the top of each of these branches including the Army, Marine Corps, Navy, Air Force and Coast Guard are people that have seen, smelled, heard, felt and lived with the logic and the necessity for Operational Risk Management.  Why is the Navy leadership focused on ORM?
ORM is the guiding Navy instruction for implementing the ORM program. The naval vision is to develop an environment in which every individual (officer, enlisted and civilian) is trained and motivated to personally manage risk in everything they do on and off duty, both in peacetime and during conflict, thus enabling successful completion of all operations or activities with the minimum amount of risk. 
The most common idea of what ORM revolves around is a simple five-step process that is most frequently used in planning. These five steps are:
  • Identify hazards
  • Assess the hazards
  • Make risk decisions
  • Implement controls
  • Supervise and watch for change
Another level of ORM is Time Critical Risk Management which involves a quick, committed-to-memory process and a set of skills that allow our people to manage risk when in the execution of a plan or event. The standard for the Navy is being developed, however it might be thought of in simple terms such as:
  • What can go wrong or is changing
  • How can I keep it from affecting the mission without hurting me
  • Act to correct the situation
  • Telling the right people if you are unable to take the right action
If you were retired from the Marine Corps and now the CxO of a Global 500 company, do you think that ORM would be a forgotten system?  Would you neglect to focus on this, if you were running FedEx?  Fred Smith is not a former pilot, but was vital as a "Forward Air Controller":

Frederick Wallace "Fred" Smith (born August 11, 1944), is the founder, chairman, president, and CEO of FedEx, originally known as Federal Express, the first overnight express delivery company in the world, and the largest in the world. The company is headquartered in Memphis, Tennessee. 
Smith was commissioned in the U.S. Marine Corps, serving for three years (from 1966 to 1969) as a platoon leader and a forward air controller (FAC), flying in the back seat of the OV-10
As a Marine, Smith had the opportunity to observe the military's logistics system first hand. He served two tours of duty in Vietnam, flying with pilots on over 200 combat missions. He was honorably discharged in 1969 with the rank of Captain, having received the Silver Star, the Bronze Star, and two Purple Hearts. While in the military, Smith carefully observed the procurement and delivery procedures, fine-tuning his dream for an overnight delivery service.[5] 
A primary function of a Forward Air Controller is ensuring the safety of friendly troops. Enemy targets in the Front line ("Forward Edge of the Battle Area" in US terminology) are often close to friendly forces and therefore friendly forces are at risk of friendly fire through proximity during air attack. The danger is twofold: the bombing pilot cannot identify the target clearly, and is not aware of the locations of friendly forces.
Fred Smith not only implemented the mindset of a "Forward Air Controller" running FedEx, he also has been able to build a culture focused on Operational Risk Management (ORM).
FedEx Corporation will produce superior financial returns for its shareowners by providing high value-added logistics, transportation and related business services through focused operating companies. Customer requirements will be met in the highest quality manner appropriate to each market segment served. FedEx will strive to develop mutually rewarding relationships with its employees, partners and suppliers. Safety will be the first consideration in all operations. Corporate activities will be conducted to the highest ethical and professional standards.
Now back to Veterans Day, November 11.  Are you starting to make the connection between the 1%, becoming a global CxO and the reason why ORM has such tremendous applications inside the global enterprise?

The opportunity now is for us to unleash our emerging and proactive "Vetrepreneurs," to take their years of knowledge and understanding of ORM and now apply it within the ranks of their new companies or new positions, just as Fred Smith has done at FedEx.  These veterans have the practical knowledge, skills and valuable use cases on how Operational Risk Management contributes to the overall mission.

If you are a 1% entrepreneur (Vetrepreneur) and have Co-founder or CxO as your title, then your proactive nature should allow you the opportunity to apply ORM within your organization.  Here are three places you can begin your program focus:
Inside:  Develop a culture of trust that begins by teaching employees how to find the truth.  A culture that promotes and teaches people how to apply the rules to the business that you are operating in.  A culture where no one can hide and that understanding our own vulnerabilities makes the overall organization more resilient each day.
Outside:  Architect the enterprise from the ground up to make more informed "Trust Decisions."  The architecture must first assemble and organize the rule-base and contextual framework associated with the environment that you will be operating in both physically and virtually.  The interdependencies of the automated machines developed to operate the enterprise, shall exist in a transparent and highly governed "system-of-systems".
In-The-Middle:  Create new learning scenarios on a consistent but random basis.  Test the enterprise Inside and Outside with these exercise scenarios.  Determine how the humans and/or machines behave.  Establish what is normal and create your baseline. Continue to test and to measure the gaps of performance and make changes to improve the quality, accuracy or resiliency of the entire enterprise architecture.
On this Veterans Day 2014, scan the horizon for the organizations that stand out and are remarkable. With the 1% at the helm, in the cockpit or now the HQ Board Room, Operational Risk Management (ORM) is leading the enterprise to victory!

13 May 2012

Red Alert: Operational Risk Quotient...

Operational Risk is in the U.S. news again this past week.  Several prominent CEOs and the Board of Directors are under fire in the United States for failures to comply with documented best practices and governance processes.  The failure to execute these processes for the effective management of Operational Risk has now become a "Red Alert" for organizations in the financial services and banking industry.   The ranks of those tasked with vetting and validating candidates for high profile positions in public companies are also under increased scrutiny.  We should look at these one at a time.  JPMorgan first:

FAIR GAME
At JPMorgan, the Ghost of Dinner Parties Past
By 
Published: May 12, 2012 
WHAT goes around comes around. Sometimes it happens sooner than you’d think.  That round wheel turned on JPMorgan Chase last week, which disclosed that it had suffered a $2 billion trading loss in credit derivatives. That such a hit had befallen the mightiest of banks was perhaps more stunning than the size of the loss. 
So where does the karma come in? The loss, and the embarrassment it held for Jamie Dimon, the bank’s imperious chief executive, came just one month after a private dinner party in Dallas at which he assailed two respected public figures who have pushed for policies that would make banks like JPMorgan smaller and less risky. 
One was Paul Volcker, the former Federal Reserve chairman, whose remedy for risky trading by too-big-to-fail banks is known as the Volcker Rule.


The story is not about losing $2B USD in trading derivatives.  And as Gretchen Morgenson has stated, we are witnessing a paradox.  The same rules JPMorgan is opposing in regard to proprietary trading could very well be the same rules that could provide a "Red Alert" that a threat is on the horizon.  The cost to the institution is far beyond the loss of the trade in terms of reputation and overall market value.  The credit ratings agencies and the SEC are now moving into place for their respective response to this incident.

Now let us take a look at Yahoo and a CEO who is embroiled in an error on his curriculum vitae:

Exclusive: Yahoo’s Thompson Out; Levinsohn In; Board Settlement With Loeb Nears Completion  Published on May 13, 2012  
by Kara Swisher 
Yahoo’s embattled CEO Scott Thompson is set to step down from his job at the Silicon Valley Internet giant, in what will be a dramatic end to a controversy over a fake computer science degree that he had on his bio, according to multiple sources close to the situation.
The company will apparently say he is leaving for “personal reasons.”  But the evolving crisis — which is just over a week old — centered on his botched resume and how he handled the thorny issue is clearly the key reason for the abrupt leaving.

This Operational Risk loss is a failure of a process that may have been outsourced to an executive recruiting firm or to the Board Director responsible for the vetting and validation of each candidate's information.  What is even more compelling to think about are all of the other CEOs that are now losing sleep overnight because of the same issue at their own organization.  So where did someone go wrong in this case?  Was it a missed step in the process for hiring or a simple lack of integrity by the CEO himself, Scott Thompson?

This brings us to the convergence of our discussion on Operational Risk Management for both of these incidents.  There are aspects of transparency, governance and finding the truth.  And the truth is, we are all human.  Whether we are trading derivatives to hedge risk or we are vetting the information on a resume, the human factors and behavior associated with the actual risk management tasks themselves are the focus here.  Humans will make mistakes and that is precisely why we need the controls in place, to mitigate the potential for human error, omission and stupidity.

You see, it is the rules that matter in either case, rules that have been ignored, disregarded or missed as a result of a lack of awareness.  The rule-sets are vital to the effectiveness of risk management whether they are best practices, international standards of conduct or the code of law within a particular jurisdiction.  These rule-sets have been discussed on this blog in the past, back in April of 2008:  Rule-Set Reset and others such as this one in May of 2004 on NYSE Rule 446:

Operational risk focuses on firms' abilities to maintain communications with customers and to retrieve key activity records through their "mission critical systems." Financial risk relates to firms' abilities to continue to generate revenue and to retain or obtain adequate financing and sufficient capital. In this regard, an eroding financial condition could be exacerbated or caused by deterioration in the value of a firm's investments due to the lack of liquidity in the broader market, which would also hinder the ability of the firm's counter-parties to fulfill their obligations. A firm would be expected to periodically assess changes in these exposures, and in the event of a significant business disruption, the firm would consult its plan and take appropriate action contemplated by its plan. Members' and member organizations' procedures should be written and implemented to reflect the interrelationship among these risks.

What rule-sets govern your organization?  Have you created a comprehensive governance map to help you guide yourself as a CEO and the remainder of your company through the maze of ethical, regulatory, legal and even sustainable rules that are before you?  Leadership in any organization whether it is in Silicon Valley, on Wall Street or the US Navy requires a prudent and clear path, to understanding the rules and the map to navigate both securely and safely.  Even with these rules and the map, you can predict that human behavior will intervene and deliver that next surprising blow to your institution.  Now it is just a matter of how often and the magnitude of the event.

Ask yourself:  What is our "Operational Risk Management" Quotient?


08 October 2011

Business Resilience: Late Bloomers Beware...

Believe it or not, there are still some Operational Risk Management late bloomers to the "Business Resilience" concept. The topic has been talked about for years and a recent IBM study highlights where risk management has changed and how business resilience is still gaining widespread adoption among large and smaller corporate enterprises.

Late bloomers—75 percent of which have revenues of US $500M or less—are not very well prepared for managing business risks and have narrow views on risk management strategies. Their performance is at the bottom of the scale on every indicator. A majority do not have a formal risk management strategy, and their financial performance trails the pack. Yet one-half say they plan to develop a formal risk management strategy and are most likely to say that they will establish a company-wide risk management team within the next three years.

The reason why business enterprises of less than $500M are establishing more of a company-wide risk management team is a multi-faceted issue. Whether or not the industry sector is highly regulated, such as financial services, energy or healthcare, could be one indicator.

IBM in all of its wisdom has developed six elements of Business Resilience that are worth exploring more in detail. IBM provides a holistic, thorough and methodical approach to business resilience – in the pursuit of mitigating your organization’s risks:

  • Integrated risk management focuses on looking at the full scope of risks facing your operations —using technology to better understand, respond to and manage those risks, even as they change.
  • Continuity of business operations heightens your organization’s ability to maintain continuous operations, with processes and infrastructures that are responsive, highly available and scalable.
  • Regulatory compliance helps assure that your business and its technology infrastructure conform to constantly evolving government and industry regulations and standards —including those regarding information integrity.
  • Security, privacy and data protection helps you safeguard and manage your most valuable assets: data, information, systems and people.
  • Knowledge, expertise and skills addresses the resilience of your business by confirming that you have the right resources in the right place at the right time, despite staff constraints and fluctuating demands for highly skilled talent.
  • Market readiness concentrates on enhancing your organization’s ability to sense and respond to shifting customer demands and fast-breaking new market opportunities.

Any significant business disruption to your enterprise could be fatal. But if you had to create a budget to devote resources to the "Business Resilience Six Elements", how would you allocate your funding? Would you put 20% in "Security, privacy and data protection" or 30%? How much would you allocate to "Continuity of Business Operations" vs. "Regulatory Compliance"?

What "Operational Risk" professionals know is that it is a continuous process that requires emphasis in one area based upon market conditions and the overall business performance of the enterprise. When business revenues are down, you can bet that the budgets will suffer and the whole resilience of the business will suffer along with it. Could this be the greatest area of vulnerability that we have today? The fact that poor economic conditions exacerbate the risk in the enterprise for potential failure should it receive an unsustainable shock to its culture, operations or reputation.

We would contend that "Market Readiness" is the most underestimated element of the six outlined by IBM. The reason has to do with the word "Opportunity". All too often risk managers are so focused on helping the enterprise avoid a natural catastrophe or keeping it safe from a system-wide data breach that they are blind to seeing the seam in the market that would allow the business to break away from its competitors.

So are there any lessons out there that we can learn from, in terms of organizations taking their eye off of enterprise risk management and missing a market opportunity? Organizations that have spent so much time and effort working on the other elements that it has created a vulnerable organization in the marketplace:
In the volatile political air ignited by the nation's economic struggles, $5 buys a lot more controversy than it used to.

The announcement by Bank of America Corp. last week that it would charge customers $5 a month to use their debit cards has rung up animosity from coast to coast.

Coming amid growing anti-Wall Street protests, BofA's new fee has become a focal point for anger and frustration about the flailing economy and Washington's attempts to help the nation recover from the financial crisis.

Industry leader Nokia held onto its No. 1 slot, but its market share continued to plummet, sinking to 24.2 percent in the second quarter from 33.8 percent a year ago. Excess inventory in regions like China and Europe apparently triggered a drop in shipments. Stung by the iPhone and Android phones, Nokia recently reported a huge loss for the second quarter.


While Bank of America and Nokia are just two companies who have seen their market share and presence become the subject of business MBA student case studies, there are plenty of others to make the example for paying more attention to "Market Readiness". And then there is one of our favorites, Siemens AG. After having missed the exposure to the threat of the Foreign Corrupt Practices Act (FCPA) and paid out several billion dollars to the US Government and to business services companies to rectify the internal controls, there is this:

"Stuxnet computer virus analyzed"

By Tabassum Zakaria

IDAHO FALLS, Idaho, Sept 29 (Reuters) - Behind the doors of a nondescript red brick and gray building of the Idaho National Laboratory is the malware laboratory where government cyber experts analyzed the Stuxnet computer virus.

The malicious software targets widely used industrial control systems built by German firm Siemens (SIEGn.DE). Cyber experts have said it appeared aimed mostly at Iran's nuclear program and that its sophistication indicates involvement by a nation state, possibly the United States or Israel.

The Stuxnet virus was a "significant game changer in the cyber world," said Marty Edwards, a Department of Homeland Security official in charge of a cybersecurity program in partnership with the Idaho National Laboratory, which conducts nuclear research.

The U.S. government is concerned that cyber attacks could wreak havoc on the industrial base and cost millions of dollars. The Idaho lab programs are geared toward protecting the industrial infrastructure: chemical plants, food processing facilities, utilities, water systems and transportation.

"It is probably the most important security issue that we face today," said Greg Schaffer, a top official in the DHS National Protection and Programs Directorate. "This is a problem that continues to grow."


When any prudent risk management professional in the financial, energy or high technology sectors looks at the lessons learned on an annual basis, it should help develop the strategy for exploiting a seam in the market. If you are a late bloomer in the game of business resilience and proactive enterprise risk management, heed the lessons of the marketplace and don't underestimate the element of "Market Readiness".

26 September 2008

Human Psyche: Transparency of Risk Profiles...

In a July 2008 global Economist Intelligence Unit survey, 71% of the financial services executives admitted that their Enterprise Risk Management (ERM) strategy has not been fully implemented. 59% of the 316 executives say that the current credit crisis has put a high magnification microscope on their risk management activities and strategy.

Corporate executives might think that compliance would be a driving factor behind the need to break down the silos in the enterprise and become a more holistic risk management culture. This could not be farther from the truth. People are the only factor when it comes to addressing culture. However, the failing organizations have it upside down. They have been so focused on the sophisticated mathematics, they have lost sight of what really changes the culture more rapidly and pervasively. Leadership and culture. Human behavior working towards greater transparency of risk profiles and the management of reputation will work miracles compared to the "Hedge Quants" trying to manipulate the algorithms to obtain the desired results. We want to trust the data, but can we? The credit scoring applications can't keep up with the pace of the market changes.

The ERM strategy of the future needs to be focused on changing people's behavior to impact "Reputation", as opposed to just another regulatory hammer to gain compliance. Therefore, Operational Risk Management, and enhancing the perception of confidence in the "eye of the customer", will provide the peace of mind that is required to keep the flow of trust in the global markets. The Board of Directors' policy implementation on risk management and developing a culture of ERM to better manage the implications of reputation is the top item on the upcoming meeting agendas.

Most shocking in the survey results is that, among financial institutions with $100B in assets or greater, only 55% have someone in the dedicated task of "Chief Risk Officer". This means that 45% do not have a dedicated person who can see the entire ERM portfolio of risk. Institutions under $100B in assets are in even worse shape.

In what is by far the largest bank failure in U.S. history, federal regulators seized Washington Mutual Inc. and struck a deal to sell the bulk of its operations to J.P. Morgan Chase & Co.

The collapse of the Seattle thrift, which was triggered by a wave of deposit withdrawals, marks a new low point in the country's financial crisis. But the deal, as constructed by the Federal Deposit Insurance Corp., could hold some glimmers of hope for the beleaguered banking system because it averts any hit to the bank-insurance fund.

Instead, J.P. Morgan agreed to pay $1.9 billion to the government for WaMu's banking operations and will assume the loan portfolio of the thrift, which has $307 billion in assets. The full cost to J.P. Morgan will be much higher, because it plans to write down about $31 billion of the bad loans and raise $8 billion in new capital. All WaMu depositors will have access to their cash, but holders of more than $30 billion in debt and preferred stock will likely see little if any recovery.


Walking through the halls at the FDIC several months ago, this writer could almost smell the fear that was building. How are we going to deal with the new "tsunami of failed financial institutions" in the coming months? What will the domino effect be on customers' psyche? Now, there are even fingers being pointed at the mechanisms for ensuring transparency to investors and customers:


Ultimately, those who blame fair-value accounting for the current crisis are guilty of the financial equivalent of shooting the messenger. Fair value does not make markets more volatile; it just makes the risk profile more transparent.

We should be pointing fingers at those at Lehman Brothers, AIG, Fannie Mae, Freddie Mac and other institutions who made poor investment and strategic decisions and took on dangerous risks. Blame should not be placed on the process by which the market learned about them.




12 February 2008

Business Survival: Anticipating Breakpoints...

"The final plunge of the most powerful and dreaded firm on Wall Street in the roaring eighties came with astonishing speed. Like the abrupt fall of the Berlin Wall thousands of miles away, the collapse suddenly confirmed what everyone in the financial world could already feel in the wind: A new era had arrived."
Business Week cover story on 2.26.90

Many excellent companies have fallen from grace, not because they ignored their customers or lacked superior management skills, but because business conditions shifted beneath them. In an environment of fluctuating markets, proliferating technologies, and changing political frontiers, the management challenge is no longer to manage only growth. Now managers must cope with breakpoints, or sudden shifts in the rules of the game.

So has this deja vu moment reminded us that the Drexel Burnham Lambert implosion could be replaced with a new corporate name in the year 2008? Junk bonds were a financial instrument that was utilized for leveraged buyout financing. Then a "Breakpoint" occurred. Paul Strebel, in his 1992 book entitled "Breakpoints: How Managers Exploit Radical Business Change", explains:

"Breakpoints, or sudden radical shifts in the rules of the business game, may shape the course of an industry, or of a company, but they need not be as dramatic as the junk bond story."

If you are the Chief Risk Officer (CRO) at a major institution facing sleepless nights these days, then you are not alone. Just make sure that you "Tivo" the moment so that you can replay it in another decade, around the year 2015. If the last major breakpoint took 18 years, then the next one should occur in about half the time. Do you have your finger on the pulse of change and potential breakpoints in your organization? Can you anticipate the next one in time to have the correct actions and plans to mitigate the impact on your enterprise?

Certainly there will always be those incidents and crises that are unknown and sudden. And how you recover during these times could save your reputation:

ZURICH (Reuters) - Credit Suisse (CSGN.VX) trimmed full-year subprime writedowns to 2.0 billion Swiss francs (932 million pounds) but its stock fell as investors took fright at the bank's remaining exposure to the credit crisis.

The bank also reported a 49 percent fall in fourth-quarter profit from continuing operations to 1.33 billion francs, slightly below analysts' expectations, as losses in its huge asset management business eroded results.

Subprime writedowns in the fourth quarter were 1.26 billion francs, Credit Suisse said, though hedging earlier in the year had helped it lower its full-year charges for bad credits from an estimate of 2.2 billion francs made earlier.


The Blackberry mobile e-mail service has returned to normal after a breakdown on Monday afternoon wiped out the service across the US and Canada.

The Blackberry device, owned by Canadian firm Research in Motion, is popular among business people who rely on it to keep in touch with the office.

The service began to fail at about 1530 EST (2030 GMT) and users struggled to retrieve information for three hours.

The firm said no messages were lost and apologised for the problems.


Whether the CRO encounters the wrath of financial instruments at a breakpoint in the marketplace or hours of downtime on the corporate lifeblood of information exchange does not matter. Operational Risk is pervasive and creates discontinuity that impacts employees, customers and shareholders. The only answer is a resilient framework for anticipating and addressing "Change", or in other words, incidents.

Having a taxonomy for change in your organization is imperative to gaining insight on potential incidents, whether they be [high frequency-low consequence] or [low frequency-high consequence] events. So what is the potential aftermath without this taxonomy:

  • Companies have myopia in viewing the actual breakpoint in front of them
  • The company fails to capture the opportunity and exploit the breakpoint
  • A rare company actually creates a competitive breakpoint

The analysis with your organization begins with the understanding of what your adversaries are utilizing as tools, to exploit your vulnerabilities. Your future Business Survival depends on it.

18 April 2007

ECM Security: Trusted Information...

When it comes to Enterprise Content Management (ECM), security is an issue that continues to challenge most vendors. John Newton is in search of topics this week at AIIM that address the security needs of the market place:
Content Log

  • Common identity. There needs to be a common way of addressing identity between different services whether those services are in the enterprise or outside.
  • Common Models for Rights Management. The big, looming problem in content is the fact that huge numbers of users are adding, accessing or updating an even larger number of pieces of content.
  • Distributed Directory Services. Identity is not sufficient for determining roles or entitlements.
  • Mashup Frameworks for Security. Mashups, the integration of different systems at the browser level, represent the fastest-growing and easiest mechanism to weld systems together. Almost all mashups have no notion of security and only work on public systems.
  • Search and Security. As search becomes increasingly federated, such as through the OpenSearch API, managing identity and entitlements on content becomes very problematic.

Whether John will find the answers is questionable. And that is exactly the issue when it comes to hosting or managing enterprise information. Almost a year ago, before Stellent (Sealed Media) was purchased by Oracle, their survey of 29 CIOs who had invested more than $1M in ECM had these as their top priorities:
The concerns were ranked on a scale of one to eight, eight being the most important.
  1. Guarantee ISO 17799 compliance: 6.03
  2. Protection of intellectual property during offshoring or outsourcing: 5.52
  3. Protection of high- and executive-level communications: 4.79
  4. Improvement of workflow-process automation: 4.41

So what?

If you are an ECM vendor and you only have so many bucks to spend on development of the next generation of your software, what are you going to add and what are you going to fix? So why are numbers one and two so important to CIOs who have invested so much money in their platforms?

Some of the answers can be found in the root cause of their concerns. We found some relevant discussion in a position paper entitled:

W3C Workshop on Transparency and Usability of Web Authentication by Jeffrey Ritter & Said Tabet

Statement of Issues: The conflict between the potential of Web Services and the inadequacy of web authentication is potentially best described as “a failure to communicate”. As enterprises extend and evolve into more dynamic, real-time facilities, central operations require the ability to express their security requirements in greater detail than can be currently enabled. Corporations must define and adhere to increasingly large directories of requirements in the management of their internal security controls; requiring compliance with those controls by participants in the extended enterprise is becoming essential.

Corporate operations increasingly distribute their computing and data processing requirements across a network of third party services, some of which are engaged and employed for controlled, finite sessions. But those third parties, for so long as they are processing data and functioning as part of the operating whole of the primary corporation, are being pressured to demonstrate their adherence to the security controls of their customers. This requirement is an expression of a requirement for trustworthiness—to be engaged as a part of the extended enterprise is to be trusted to perform in compliance with the applicable controls.

The enterprise that has exposure to continuous litigation is evaluating new ways to look at 3rd parties who manage their information, and this includes law firms. When you hand over management of critical and legally binding information to a 3rd party, trust is a key component of that decision. So how do you know if your law firm(s) and database marketing companies such as Merkle, Inc. or other outsourced service providers have the trustworthiness to be part of your extended enterprise? The fact is, you don't, unless you require the new and existing parts of the information supply chain in your organization to operate as one seamless trusted entity.

The greatest economic risk companies face with electronic discovery is choosing the wrong law firm. Under the new Federal Rules of Civil Procedure, the amounts at stake are not just legal fees or settlement costs; searching for and recovering electronic business records causes productivity losses and threatens revenue. Bottom line, selecting a law firm that is ill-prepared to effectively manage electronic discovery can cost enormously - internal records preservation and production costs are considered one of the largest uncontrolled expenses in corporate America.
So how do you select the right firm?

For corporations, Evaluating the Electronic Discovery Capabilities of Outside Law Firms: A Model Request for Information and Analysis provides corporate law departments, records management and IT departments an invaluable tool to ensure that the legal risks of e-discovery are competently addressed by their outside law firms.

Here is a peek at the line up so far this year by just one government regulator, the SEC.

23 January 2007

ORM: Automation Revolution...

There are many organizations out there evaluating the now more mature Operational Risk platforms for their institutions. Just as at the dawn of Enterprise Resource Management (ERM) platforms such as PeopleSoft, SAP and others, there will be a fight for market share, and end users will look to their trusted advisors for expert resources. How do you know what application is right for your organization?

The question remains, are you ready? Are your department and staff up to speed on what this means for the process changes necessary in your enterprise for an ORM application to succeed?

OpenPages ORM automates the process of identifying, measuring and monitoring operational risk, integrating all risk data – risk and control self assessments, loss events and key risk indicators – in a single solution. OpenPages ORM combines powerful document and process management with a monitoring and decision support system that enables organizations to analyze, manage and mitigate risk in a simple and efficient manner.

Risk self-assessment capabilities enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators and controls. Executive-level dashboard and reports provide visibility into key risk metrics and policy compliance, while business process automation capabilities provide for real-time event escalation; automated risk processes, such as loss event root-cause analysis; and, streamlined remediation of issues and action items.

With loss event tracking, risk managers can track loss incidents and near misses, recording amounts, determine root causes and ownership. OpenPages ORM provides statistical and trend analysis capabilities and enables end-users to track remedies and action plans. Key risk indicators provide capabilities for tracking risk metrics and thresholds, with automated notification when thresholds are breached. OpenPages ORM provides facilities for both manual and automatic data inputs from internal and external data sources.

With OpenPages ORM, organizations can embed operational risk management and governance into the corporate culture, making procedures more effective and efficient while providing management with peace-of-mind that the corporate brand is protected.

How do you make a decision on OpenPages, SunGard or SAS? As with the implementation of ERM platforms, you end up with new challenges, both technical and human oriented. Making a choice requires at some point a consensus of the end user, the departments impacted by the decision and the costs of customization or configuration. The total project will also require:

  • Choosing the correct technology solutions with your specific business challenges.
  • Rapidly integrating new technology with the remainder of your IT infrastructure.
  • Effectively fine-tuning business processes to address your organization.
  • Continuously re-evaluating the deployment to ensure maximum ROI.

As with most large IT projects it's important to have Program Management Office (PMO) functions up and running prior to making a final purchase. And if you are a true Operational Risk Management professional, you have already performed your analysis of the threats and hazards to the successful implementation, training and launch of your new ORM system.