Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life, or major property damage the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of university higher education, the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about your supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors.

If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina/Harvey are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"?

The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen.

Only one can be prevented, preempted or neutralized before it can cause harm...

ORM: Pervasive Risk Across Disciplines...

What is the origin of the "Operational Risk Management" (ORM) discipline? Was it derived from the work within the financial services industry from the Basel II initiatives?

The definitions and the actual work towards creating standards of conduct and rule-based design has been evolving for the past few decades.

Operational Risk and the approach to risk that is not otherwise considered to be market or credit risk, is one mind set. The other mind set considers the hazards associated with the threat to our valuable assets.

Either point of view depends on the environment that you operate in and the risks associated with that environment.

To give a quick example, here are a few views into Operational Risk in the United States:

"It didn’t take long—the first attack on a U.S. government website hit on Saturday, a day after the killing of Qassem Suleimani in Baghdad. The fact there was an attack is not a surprise—speculation has been rife. And the style of the attack is consistent with the nature of the primary cyber threat we now face. Hackers claiming to be linked to Iran targeted a low-level domain—the website of the Federal Depository Library Program—defacing its home page, echoing Teheran’s threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag" Forbes

"Boeing will still burn more than $1 billion a month even after halting 737 Max production, according to J.P. Morgan.  Boeing’s decision to stop suspend production of the troubled aircraft was made in light of months of cash-draining groundings worldwide, but the company’s internal overhead and labor expenses will remain and will increase cash burn, analyst Seth Seifman wrote to clients."  CNBC

These examples encompass a U.S. government agency and a private sector U.S.-based global aerospace company.  Both are operational risk scenarios that could contribute to losses that will also impact the reputation of the entity involved.

That aspect alone, could be the major factor in why Operational Risk Management is such a growing discipline in our 2020 global landscape.

Some of the earliest origins of the Operational Risk concerns come from the military. The U.S. Navy is one of the branches who has embraced it fully:

• Purpose. To establish policy, guidelines, procedures, and responsibilities per reference (a), standardize the operational risk management (ORM) process across the Navy, and establish the ORM training continuum.
• Scope. This instruction applies to all Navy activities, commands, personnel, and contractors under the direct supervision of government personnel.
• Discussion. Risk is inherent in all tasks, training, missions, operations, and in personal activities no matter how routine. The most common cause of task degradation or mission failure is human error, specifically the inability to consistently manage risk. ORM reduces or offsets risks by systematically identifying hazards and assessing and controlling the associated risks allowing decisions to be made that weigh risks against mission or task benefits. As professionals, Navy personnel are responsible for managing risk in all tasks while leaders at all levels are responsible for ensuring proper procedures are in place and that appropriate resources are available for their personnel to perform assigned tasks. The Navy vision is to develop an environment in which every officer, enlisted, or civilian person is trained and motivated to personally manage risk in everything they do.

If only our major business entities would would fully encompass the following steps with all employees and processes then more lives would be saved, corporate assets would be protected and the enterprise would be ever more resilient:

(1) Identify the hazards;

(2) Assess the hazards;

(3) Make risk decisions;

(4) Implement controls; and

(5) Supervise.

Yet the losses and the potential for loss continues across the organizations who are well equipped to make Operational Risk Management a part of every person and operating divisions daily mind set:

The places change, the numbers change, but the choice of weapon remains the same. In the United States, people who want to kill a lot of other people most often do it with guns.

The number of U.S. mass shootings depends on how you count

Public mass shootings account for a tiny fraction of the country’s gun deaths, but they are uniquely terrifying because they occur without warning in the most mundane places. Most of the victims are chosen not for what they have done but simply for where they happen to be.

There is no universally accepted definition of a public mass shooting, and this piece defines it narrowly. It looks at the 172 shootings in which four or more people were killed by a lone shooter (two shooters in a few cases). It does not include shootings tied to robberies that went awry, and it does not include domestic shootings that took place exclusively in private homes. A broader definition would yield much higher numbers.

Whether it is on the deck of an aircraft carrier or within any organizations business facility, operational risk is pervasive. It is up to you and your organization to begin to make a difference...

Operational Continuity: Top Ten...

As your Board of Directors Meeting agenda is prepared for your next conference call, Operational Continuity should be near the top of the list of priorities.

Californian utility giant Pacific Gas and Electric (PG&E) has agreed a $13.5bn (£10.2bn) settlement with victims of wildfires in the state.  The company's equipment has been linked to several blazes including the deadliest and most destructive wildfire in state history, 2018's Camp Fire.

The risk of a significant business disruption is increasing and shareholders are increasingly asking for additional oversight by boards, to make sure that executive management is on top of Operational Risk Management (ORM) issues.

Catastrophic losses may be caused by natural disasters such as hurricanes, earthquakes, flooding, drought, tornados, fires and winter storms or man-made events.

Workplace Violence and/or Terrorist acts are tragic and complicated, taking an awful toll in human lives and resulting in insurance claims that run into the millions or billions of dollars and, often, litigation.

Here is a top ten list for your board to consider. If you can answer "Yes" to these items then you are well on your way to a high level of "Operational Continuity" in your organization:

__1. The Board of Directors reviews and approves company-wide contingency plans annually.

__2. Formal documented guidelines, policies, and procedures exist for the development and maintenance of business Continuity/Disaster Recovery, Emergency Response (evacuation and life safety) and Crisis Management plans (public relations and communications).

__3. An Operational Risk Assessment that categorizes potential threats (internal and external) has been performed on all corporate facilities for both information technology and work areas.

__4. There is a current (updated annually) Business Impact Analysis that determines recovery time objectives (the maximum tolerable time to recover critical business functions) and existing resources supporting each function.

__5. Recovery strategies exist for the resumption of critical business processes and support services.

__6. The Operational Continuity Plan and the recovery efforts are driven by the business requirements of the Business Impact Analysis.

__7. A Gap Analysis has been performed to identify the differences between Business Impact Analysis (business requirements) and the current environment.

__8. Business recovery strategies have been developed for all essential business functions.

__9. Manual workarounds exists for processes that could be completed in the absence of automated systems.

__10. Business Continuity and Disaster Recovery plans are exercised and tested bi-annually.

If you answered "No" or "Don't Know" to any of these ten, then your organization is at risk to a myriad of threats including shareholder legal actions...

Fusion Center: A Top Line Opportunity...

Operational Risk Management (ORM) is about managing a jigsaw puzzle of vulnerabilities and threats, that expose those weak points in community or organizational operations.

How can a U.S. community such as Las Vegas, NV, Dallas, TX, San Bernardino, CA, Dayton, OH or El Paso, TX in concert with law enforcement, public safety, emergency management and private sector entities, embrace a collaborative process to improve intelligence sharing?

Together and ultimately, to increase the ability to deter, detect, and prevent domestic terrorism while safeguarding our homeland, sometimes you have to tell a story and create a narrative.

Fusion centers bring all the relevant partners together, to maximize the ability to prevent and respond to workplace violence, terrorism and other major criminal acts. By embracing this concept, these entities are able to effectively and efficiently safeguard our homeland and maximize anti-crime efforts.

Who knew, what and when?  Even before 9/11, the private sector has embraced the idea of "Fusion Centers" and for good reason.

It has often been labeled the Security Operations Center (SOC), that includes the convergence of both the physical and information-based risk management professionals, taking place to mitigate a spectrum of risks and new opportunities.

As a Board Director or Executive Committee member of your public or private organization, the economic reasons for doing this are many and the benefits of greater insight and more rapid response are a continuous mandate.

A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to mitigate internal and external risk events, by analyzing data from a variety of internal and external sources.

When you begin to coordinate the company departments or government entities, the rules of the game calls for agreements, contracts and memorandums of understanding (MOU).  These are required to help facilitate coordination and cooperation. Here are some of the elements that should be considered:

• Involved parties
• Mission
• Governance
• Authority
• Security
• Assignment of personnel (removal/rotation)
• Funding/costs
• Civil liability/indemnification issues
• Policies and procedures
• Privacy
• Terms
• Integrity control
• Dispute resolution process
• Points of contact
• Effective date/duration/modification/termination
• Services
• De-confliction procedure
• Code of conduct for contractors
• Special conditions
• Protocols for communication and information exchange

Regardless of how much planning goes into the establishment of the corporate or the public domain fusion center, the challenges are similar. Funding, resources and attention by the power base of leadership.

One way to keep the Fusion Center at the center of the CEO's or Mayor's daily progress review comes back to economics. The top line revenue discussions here are no different than the same arguments that the head of Marketing has for the advertising budget.  The bottom line.

The Chief Marketing Officer (CMO) is consistently getting a robust piece of the budget pie because they have done an effective job of convincing everyone that advertising/branding is what generates sales leads.

Sales leads convert to top line revenue. So the question is, how many dollars produce a sales lead and what is the ratio of the number of leads generated to the number that close new revenue business.

What is the argument for the head of the Fusion Center? How does this become a top line revenue opportunity and not just a cost?

The same way advertising is justified to create leads is the same way the Fusion Center creates a different yet equally valuable risk management lead.

In either case, the data and information required to generate a lead in advertising and to generate a lead in mitigating risk begins with a hypothesis.

At today's speed of business and commerce, both are generated from raw data and information either collected internally or purchased externally to the organization. The answer lies in the Information Economics analysis exercise of generating each and the value to the community and continuous operations of the organization.

In the end, you may find that both are equally important and now it's a matter of fine tuning the ratio of budget dollars devoted to the Fusion Center vs. the Marketing Department.

If you are a Chief Risk Officer (CRO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the answer to consistently funding your Fusion Center just might be found in how timely data and information is utilized.

What is the true value to the continuous livelihood and resilience of your community or enterprise...

OSAC: The Insider Threat...

In November 2007, the "Insider Threat" was on the minds of Global Security Executives that year as evidenced by a half day emphasis on the current trends and issues.  We wonder what will have changed over a decade later, at the 2017 OSAC Annual Briefing.

In any global enterprise doing business across multiple continents with a diversity of personnel comprised of expats and country nationals; you can bet on being consistently subjected to the operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and disruption of business schemes are the norm.

In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of a continuous level of readiness or preparedness to the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year!

You can just see these great patriots from all over the world searching for the answer to their continuous woes as a Global Security Director. It's a thankless position and severely underfunded in a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective and comprehensive operational risk program;

3. Lack of adequate decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.

The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:

• Is your policy enforced fairly, consistently and legally across the enterprise. 

• Would our employees, contractors and partners know if a violation was being committed? 

• Would they know what to do about it if they did recognize a violation?

If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management.

Perhaps it is time for the Private Sector to get serious about the "Insider Threat."  The U.S. Department of Defense has been on point with the issue now for years:

The Defense Department is preparing to add 500,000 employees to its continuous evaluation pilot by Jan. 1 as part of DoD’s effort to add rigor to the security clearance process.

Daniel Payne, the director of the Defense Security Services, said Sept. 20 that the additional half-million employees would bring the total uniformed and civilian employees enrolled in continuous evaluation to 1 million. There are more than 4.3 million cleared employees and service members across the government, including 1.3 million at the top-secret level, according to the Office of the Director of National Intelligence’s 2015 report.

Yet, in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxO's are looking for, are the means to gain a larger budget for their departments and to be able to invest in new "Insider Threat" technologies and tools.

Human behavior will always be the center of the controversy on whether these new systems will be able to mitigate the insider threat any more efficiently or effectively...

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events, requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making— can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making".

This process involves the application of expertise, imagination, and conversation and the benefit of intuition without systematic, consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that you can't “afford getting it wrong” and then you challenge assumptions and identify alternative outcomes. However, it may be of little use in today's growing non-state transnational threats and for ongoing criminal enterprise complexities. This is because there are so many considerable outcomes, consistent and perpetual changes, and contingencies for any single risk management process to be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with such machine learning threat intelligence systems such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free flowing “unfinished” production, whereby both human intuitions and more formal arguments are posted, and then challenged by those with alternative ideas.

Indeed, Web-logs are the mechanism for a facilitated contextual dialogue— the electronic equivalent of out loud sense-making.

"On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter- agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan? --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence, are still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remains endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality, remains the ultimate privacy and civil liberties challenge. These respective governance guidelines particularly with regard to intelligence record systems and liability issues, must remain paramount:

• Who is responsible for entering information into the Intelligence Records System?
• Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
• What types of source documents are entered into the Intelligence Records System?
• Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?

Finally, community-based policing has developed skills in many law enforcement first responders, that directly support new domestic counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence, into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven and incorporates the citizens of the community to cooperate when called upon, to be aware of your surroundings and report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?

1. Who poses threats?
2. Who is doing what with whom?
3. What is the modus operandi of the threat?
4. What is needed to catch offenders / threat actors?
5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?

Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrates on data that confirms, rather than discredits existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime.

Alternative analysis shall remain part of the intelligence tool kit, for more formal policy level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative applications, at the finger tips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

Utility of Attack: Target Selection and Execution...

The threat spectrum for Operational Risk Management (ORM) professionals is wide and they are constantly evaluating opportunities to learn.  Recent data breaches, terrorist attacks and the strategies utilized by adversaries online and on the ground, has surfaced another key lesson learned:

u·til·i·ty n. (pl. -ties) 1 the state of being useful, profitable, or beneficial (in game theory or economics) a measure of that which is sought to be maximized in any situation involving a choice.  The New Oxford American Dictionary

Here are two data breach examples:

1. On May 30, 2016, Omni Hotels discovered they were the victim of malware attacks on their network affecting specific point of sale systems on-site at some Omni properties. The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date. They have no indication that reservation or Select Guest membership systems were affected.  50,000 records are impacted.
    
2. Prior to May 2016, identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year. Atlanta-based Equifax’s W-2 Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people.  According to a letter Kroger sent to employees dated May 5 2016, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.

Here are two terrorist attack examples:

In two major domestic terrorism events in the United States this past year, "Utility" was a major factor and should not be discounted, in analyzing motivations and "modus operandi" of homegrown violent extremists.  In San Bernardino, CA the adversaries were planning a major attack and had already stockpiled explosives and ammunition.  In Dallas (Mesquite), TX the adversary was planning a major attack and had already stockpiled a cache of explosives as well.

In both of these cases, the adversaries had accumulated and trained to use explosives in an attack.  Then they came upon a choice.  A utility.

1. In San Bernardino, an incident with government co-workers motivated the employee attacker to deviate from the intended plans and to capitalize on the "Utility" of a workplace holiday gathering at the county facilities.
2. In Dallas, a peaceful protest march that would attract a significant government presence of police officers, motivated the attacker to deviate from future plans and to capitalize on the "Utility" of a public gathering.

Dr. Erroll Southers is correct:

While the impetus for attack is rooted in beliefs, a terrorist’s selection of how and where to attack is based on a consideration of utility. This is the estimate of an attack’s consequences with respect to the intended target’s value as a domestic or international interest and the political impact the attack will have on the intended audience. Utility is a primary consideration for extremists during preparation for an attack, weighing desired results against the investment in activities to plan, rehearse and execute an operation. Always mindful of the aftermath, utility weighs heavily in the decision-making process of target selection, possible attack paths, methodologies and execution.  Southers, Erroll (2014-09-25). Homegrown Violent Extremism (pp. 9-10).

In both cases, the adversaries accelerated their plans.  They abandoned their use of explosives and a future planned event, to act on their emotions and motivations of the moment.  Domestic Terrorism in the United States will continue at a rapid pace without a more serious focus, on Homegrown Violent Extremism.

Whether it be online with the trust of your data systems or offline with the safety and security of your citizens, employees and facilities, beware of the changing opportunities for your adversaries, to launch their attack...

Utility, leveraged by your adversaries, is a consideration that must be continuously evaluated and analyzed in your particular threat environment. 

Domestic Terrorism: Tears for Those in Blue...

The sniper ambush on those sworn officers to protect us in Dallas, Texas USA on July 7, 2016, is yet another portrait of tragedy and sorrow in our Homeland.  Whether you are an American safe today in your home after another graveyard shift or at high risk on the front lines in the shadows of a foreign country, it does not matter.  This particular domestic event targeting our protectors, and so soon after Orlando, FL, should be a another wake up call to area code (202).

Operational Risk Management (ORM) professionals across the U.S. are unified once again, in our vigilance and our mission.  Domestic Terrorism in our world, will continue to be manifested as long as people can read, listen and be influenced by other people.  Here or abroad.  The methods used for this indoctrination, whether delivered in small groups sitting in a circle over a cup of coffee or tea, or increasingly over the Internet does not matter.  The process is the same.

The "Cues and Clues to Teach" have been detailed before in this blog.  Domestic Terrorism in the United States has been moving along a spectrum of incidents at a pace that seems to be accelerating.  Lone individuals or groups who plan, train and act in order to bring their own psychological justice to reality, is one of our greatest challenges:

The statutory definition of domestic terrorism in the United States has changed many times over the years; also, it can be argued that acts of domestic terrorism have been occurring since long before any legal definition was set forth.

Under current United States law, set forth in the USA PATRIOT Act, acts of domestic terrorism are those which: "(A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; (B) appear to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and (C) occur primarily within the territorial jurisdiction of the United States."[2] 

The pace and the origins of domestic terrorism in the United States are vast and metastasizing.

In order to begin or enhance your journey into understanding the root causes of this growing threat in America you should start with Eric Hoffers book: The True Believer: Thoughts on the Nature of Mass Movements.  And once you are finished with it, turn to Erroll Southers Homegrown Violent Extremism.

Developing your awareness is the beginning of any journey to solving problems and developing more effective and comprehensive preventative solutions.  Building knowledge about how people can transform from a individual working in a war zone or sequestered from society, to the front pages of the Washington Post, is a worthy goal for any Operational Risk professional.  As a human resources professional at Company or Agency USA or the retail employee in the ammunition section of Dicks Sporting Goods, you also have a role to play.

Vigilant "Employees and Citizens" must be continuously trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational.  Based on the O'Toole study, these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:

• Low tolerance for frustration
• Poor coping skills
• Failed relationships
• Signs of depression
• Exaggerated sense of entitlement
• Attitude of superiority
• Inappropriate humor
• Seeks to manipulate others
• Lack of trust/paranoia
• Access to weapons
• Abuse of drugs and alcohol

What did you know?  When did you know it?  What have you done about it?  They will judge you on the threat assessments utilization of insider threat intelligence combined with the evidence of your overt training of employees in the workplace.  What grade would you give your organization today for these fundamentals?

Godspeed to all of those on their journey now, to better comprehend this event and to all the grieving family members across our Homeland...

The Third Offset: Seeking the Speed of Trustworthiness...

The U.S. national security "Insider Threat Score" is on it's way as a result of the aftermath of the Office of Personnel Management (OPM) hack.  The National Background Investigation Bureau (NBIB) is now standing up operations within the Pentagon umbrella.  Operational Risk Management (ORM) professionals are tracking this closely for good reason.  Social media activities such as this one, could one day be a factor in that score.

Simultaneously, the NIST Special Publication 800-160 2nd Draft has been released.  This document entitled:  Systems Security Engineering "Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems" addresses a key component in the national security mosaic.

So if the goal of creating the "Insider Threat Score" is to help automate and maintain the process for better understanding trustworthiness, then the NIST publication should be at the center of the table at the National Background Investigation Bureau.  Why?  Definitions in Appendix B of the SP 800-160 Second Draft:

Trustworthiness: An attribute associated with an entity that reflects confidence that the entity will meet its requirements.

Note: Trustworthiness, from the security perspective, reflects confidence that an entity will meet its security requirements while subjected to disruptions, human errors, and purposeful attacks that may occur in the environments of operation.

Trust: A belief that an entity will behave in a predictable manner in specified circumstances.

The degree to which the user of a system component depends upon the trustworthiness of another component.

Note 1: The entity may be a person, process, object, or any combination thereof and can be of any size from a single hardware component or software module, to a piece of equipment identified by make and model, to a site or location, to an organization, to a nation-state.

Note 2: Trust, from the security perspective, is the belief that a security- relevant entity will behave in a predictable manner while enforcing security policy. Trust is also the degree to which a user or a component depends on the trustworthiness of another component (e.g., component A trusts component B, or component B is trusted by component A).

Note 3: Trust is typically expressed as a range (e.g., levels or degrees) that reflects the measure of trustworthiness associated with the entity.

The future of the automation of the clearance process, continuous monitoring of "Insider Threat Scores" and the trustworthy secure systems software engineering for accomplishing this remains mission critical.  The "Cleared Community" of private sector "Defense Industrial Base" (DIB) contractors will also be impacted by the convergence of both.

So who are the personnel who could be impacted by these two converging initiatives:

• Individuals with systems engineering, architecture, design, development, and integration responsibilities; 
• Individuals with software engineering, architecture, design, development, integration, and software maintenance responsibilities; 
• Individuals with security governance, risk management, and oversight responsibilities;
• Individuals with independent security verification, validation, testing, evaluation, auditing, assessment, inspection, and monitoring responsibilities;
• Individuals with system security administration, operations, maintenance, sustainment, logistics, and support responsibilities;
• Individuals with acquisition, budgeting, and project management responsibilities;
• Providers of technology products, systems, or services; and
• Academic institutions offering systems security engineering and related programs.

As the government moves towards more trustworthy secure computing systems the private sector will be there to assist.  Yet the future of our trusted environments will depend on how often we perform and how well we perform without error.

Software is continuously changing and the fear of changing it too often, has been one of our greatest downfalls.  That fear of change has created our largest exposures to continued exploits and attacks, by our most sophisticated adversaries.  Remember, Edward Snowden worked for a private sector contractor.

There are a few trustworthy organizations that have realized this fact and are now on an accelerating path for reaching a higher level of trust.  With their software systems and their people.  However, they did this with a leap of faith and the understanding that the speed to reach more trusted computing environments, was absolutely vital.

Look around the Nations Capital beltway and you will find a few examples of the ideal innovation architecture strategy that will propel us into that next level of trustworthiness.  An affirmative decision to trust is now before us and the time we take to make that trust decision is our greatest challenge.  Will it be hours, minutes, seconds or nanoseconds?  Marcel Lettre, undersecretary of Defense for Intelligence has this perspective:

"The intelligence community’s role in what Pentagon planners call “the third offset”—the search for continuing technological advantage over enemies—will feature robotics, artificial intelligence, machine learning and miniaturization. They will be applied in the areas of “pressing for global coverage capabilities, anti-access/area denial, counterterrorism and counter-proliferation, cybersecurity and countering insider threats,” Lettre said.

He said Defense is reaching out to obtain the expertise of its industrial partners, including Silicon Valley, while workforce planners are focused on “bringing in another generation skilled at innovating in the technology sector.”

New Horizons: Commitment to the Long War...

What new technology invention or planetary event will change our way of life forever?  As the sun rises over the water, or the high rise buildings or the dew filled rolling meadows, one can only wonder.  The "New Horizons" streaked past Pluto after nine years from it's launch and 3 billion miles from Earth this week.  What other possible achievement is mankind capable of obtaining, that provides new knowledge and insight about our origins and our future.

Operational Risk Management (ORM) has been at the core of the New Horizons mission from its Genesis, until the day the space probe stops sending us more information.  Over these past nine years the observation and collection of data across our solar system, has provided answers to so many questions as we continue our quest for discovery.

Think about that timeline for a minute.  What has your organization accomplished that requires that kind of commitment to ongoing exploration and data analysis?  How would you keep people focused on continuous learning and problem solving, to gain new understanding and perhaps more empathy in your company.  Patience is often hard to find, when the boss is asking you what you have produced since yesterday.

There are tremendous challenges to keeping the mission focus in mind, even for nine years and beyond.  Maybe that is why there are term limits on some roles in public offices and as a result elections are necessary every two or four years.  Term limits puts priorities in perspective and clarifies what should be accomplished first and foremost.

What if you knew when you were going to die.  You knew exactly what would happen when your life ends.  It is written.  How would your thinking change, about what is important and what needs to be accomplished tomorrow.

How would you change your way of living and the vision to accomplish the promise of the future, if you did believe the stories of how it would all turn out.  Would you change the way you live your life, while you had the confidence that you would reach that promised place.  What if you had been taught this by trusted colleagues, read about it in sacred books or on the Internet and was assured that it was attainable.  If you would only believe:

Chattanooga, Tennessee (CNN)  A day after gunman Mohammad Youssuf Abdulazeez ended the lives of four Marines and wounded three other people, hundreds in Chattanooga gathered in prayer to mourn their deaths.

There were Christians. There were Muslims. A cross-section of the Tennessee community packed Olivet Baptist Church for the Friday night vigil.

Authorities are trying to figure out why Abdulazeez -- an accomplished student, well-liked peer, mixed martial arts fighter and devout Muslim -- went on the killing spree.

U.S. Attorney Bill Killian said the shootings are being investigated as an "act of domestic terrorism," but he noted the incident has not yet been classified as terrorism.

Reinhold said there is nothing to connect the attacker to ISIS or other international terror groups. Abdulazeez was not on any U.S. databases of suspected terrorists.

He was not known to have been in trouble with the law except for a DUI arrest in April. He apparently was not active on social media -- one of the common ways police investigate terrorism.

Ones mind has to flashback to the Boston Marathon bombing and the aftermath of that act of domestic terrorism in the United States.  Was this act of jihad on our U.S. citizens, the promise to the future, painted by people these terrorists trusted and respected?  Was this horrific act in Chattanooga against our military, just another blueprint for what our future holds for homegrown violent extremism (HVE) in America?  More on this from the New York Times:

Officials said there was no indication so far of any links to terrorist groups, leaving them to wonder how a young man with no known history of violence or radicalism turned up Thursday with several weapons, spraying bullets at Americans in uniform. Some “lone wolf” attacks have been carried out by people who had no direct contact with extremist groups, but they were influenced by messages online, like those from the Islamic State urging Muslims to take up arms and attack American military sites.

“This attack raises several questions about whether he was directed by someone or whether there’s enough propaganda out there to motivate him to do this,” said a senior American intelligence official, who spoke on the condition of anonymity because the investigation was still underway.

The Charlie Hebdo attack in Paris again was a location with meaning to the actual terrorism act itself by these two brothers inspired by Al-Qaeda in the Arabian Peninsula (AQAP).  It was a target put on a list by people who have a long-term focus and are able to accomplish their goals, even without a nation states resources.  The priority for any nation is to continue a long-term view, on what domestic terrorism and homegrown violent extremism really means, for a local community, in any country.

What is one of the most rewarding ways to connect with the local First Responder community in your U.S. county?  Look no further than your Community Emergency Response Team (CERT) and also your nearest Infragard chapter.  As a new "Citizen Soldier" you will need to learn new skills.  You also have to keep yourself aware of the latest natural or asymmetric threats to your particular community, whether it is a geographical city or a virtual domain in cyberspace.  You can, make a difference.

"Compassion will cure more sins than condemnation”

-Henry Ward Beecher-

It means a renewed commitment to building more resilience into your community.  From the bottom up, at every family household and small business in the town, city or Metroplex.  Operational Risk Management (ORM) doesn't end when you leave your role at the workplace in the warehouse, the cubicle or the executive office of the CSO, CISO or Chief Risk Officer.

Do you remember how you felt on September 12, 2001?  That uncertainty and the feeling you had, about the welfare of your closest loved ones or neighbors.  This was the catalyst for a 14+ year battle.  Just as the "New Horizons" hurtles millions of miles past Pluto, this commitment to the "Long War" is not over, and probably never will be.

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear reminds us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls and don't have any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk?  By that we mean, the factors are high that an individual will do something or be the target of an incident that causes irreversible harm to themselves and or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

DeBecker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable- though not necessarily identical- to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree that we see time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxO's revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise. From the front door to the intrusion prevention system, in the HR process from interview to termination and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

Risk Leadership: From the Inside Out...

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe.  Operational Risk Management (ORM) provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information rich enterprise.  As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting?  Explain the amount of information exchange and substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO).  What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization?  How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO).   What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states, to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization are operating each day in the fog of unvalidated intel and exploits. What have you done to update, adapt, renew and change the way you will operate since yesterday?  It is this level of situational awareness and predictive sense-making that is necessary, if you aspire to become even more resilient tomorrow.  Knowing what has changed on each others "Risk Watch" is only one part of the daily real-time analysis.  The knowledge most time-sensitive, may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:

According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat. 

These findings a few years ago, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks. 

Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. 

Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year. 

Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.

The "Speed of the Connected Enterprise" can be your best ally, or your greatest adversary.  How you integrate, explain, orient, exchange and adapt in real-time, is now the name of the game.  Leadership of Security Risk Professionals operating each day on the front lines to the back office of your organization, require Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call, complacency.  Complacent employees, suppliers and customers will remain your most lofty vulnerability.  Your leadership effectiveness of the Security Risk Professionals operating in your organization, partner business and client facilities are continuously at stake.

HSI: Homeland Security Intelligence...

What is the modern definition of U.S. Homeland Security Intelligence (HSI)? Many would differ on the jurisdiction, sources and nexus with specific intelligence that falls outside U.S. borders. The future of sharing relevant pieces of the vast mosaic of information may well lie with the definition and the interpretation of Homeland Security Intelligence.

One thing is certain about this topic of debate. If the information is being utilized to determine the nature of a threat within the confines of the U.S. Homeland, then that information will be treated according to the laws of the United States. This brings us to the next question. Are the current laws an impediment to more effective Homeland Security Intelligence (HSI) processes, methods and outcomes?  The following areas must be addressed in order to get closer to the truth.

• Governance
• Policies
• Regulatory and Statutory Concerns
• Civil rights and Liberties

Yet the question begs the discussion on the structure and the purpose of the Intelligence Community (IC) itself. Is a policeman or fireman on the ground in every major city in the country part of the IC? Are they not collectors of Homeland Security Intelligence as they fill out their manual or electronic "Suspicious Activity Reports" (SARS)? If they are then as much a part of the greater HSI mechanism that is deemed collection and not analysis, so too will they be subjected to the laws of the land regarding privacy and information governance.

Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off in to the future. Software systems are getting automated crawlers to pull more relevant OSINT into the data bases for unstructured query yet what about the front line observer who is the witness to an incident. They must process this by interfacing with a paper based report that is filled in with a #2 pencil or an electronic form on a PDA to check boxes and select categories that best describe the observed event that risk managers, watch commanders and operations directors need for more effective decision support.

Regardless of how the collector gets the information it still remains a matter of relevance with other data that already exists in a repository or the addition of a future data set that suddenly creates a "Red Flag." It isn't until that "Red Flag" indicator goes off that the human analyst can then put grey matter on the issue to determine the relevance at that point in time and the implication of the law, policies and governance. This topic has been addressed in previous posts to this blog:

There are some that would say that the reason why the "Dots are not Connected" sooner, faster or more efficiently is because we are drowning in too much information to analyze. The automation of collection is the easy part. The filtering and pushing relevancy through the digital cheese cloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis and applying "Gray Matter" to the problem set and understanding the current "State-of-Play" is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28CFR Part 23. The privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to insuring our safety, security and threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.

The topic of Homeland Security Intelligence is really about the Information Risk Governance and Consumer Privacy laws that protect us as U.S. citizens. At the same time, these same legal statutes might be the exact balance between what law enforcement and the intelligence community need to do their jobs without infringing on the rights of "John Q. Jihadist."  Here is a great example:

By LOGAN G. CARVER

AVALANCHE-JOURNAL

A Saudi student appeared to smile Friday morning as U.S. marshals escorted him to his first federal court appearance on a terror charge.

Khalid Ali-M Aldawsari, 20, stood before U.S. Magistrate Nancy Koenig charged with attempted use of a weapon of mass destruction.

The former Texas Tech student was suspected of purchasing chemicals and supplies to build a bomb and of researching possible targets in the United States before his arrest by federal officials late Wednesday.

Aldawsari came to federal attention after trying to have a large quantity of a suspicious chemical, which has both benign and nefarious uses, shipped to a Lubbock freight address, according to a sworn affidavit by an FBI agent filed in support of the warrant for Aldawsari’s arrest.

Subsequent electronic surveillance led to two secret searches of Aldawsari’s Lubbock apartment, where authorities found a makeshift lab that could be used to make explosives, as well as some of the ingredients and supplies necessary to build and detonate a bomb, according to the affidavit.

E-mails and his personal journal indicated an interest in planning attacks, ranging from an initial desire to start a local al-Qaida-type organization to researching nightclubs as a potential target, according to the FBI investigation.

Homeland Security Intelligence collected from a U.S. domestic chemical company, freight trucking line and as a result of legal searches of the suspects apartment all were utilized to interdict this potential plot of terrorism in the United States. Effective HSI will determine whether we continue to be as effective in the future. Gods Speed to us all....

operational risk

London: Olympic Games Risk Management...

As the summer approaches the world is gearing up for the 2012 Olympic Games in London in about 41 days.  The athletes are making their respective rounds on television and other media to discuss their thoughts.  The U.K. Home Office is on high alert and has been preparing the "Operational Risk Strategy Execution" for years.

The private sector is finalizing plans for the millions of dollars in advertising and promotions on television.  The rest of the world will be watching from their easy chairs in Kansas City USA, the mountain villages of Switzerland, the outback of Australia to the most remote locations in the Sahel.

Every two years the humanity of the Olympic Games comes alive and we all realize that it is possible to get along, to cooperate and to coordinate.  For the historical and cultural reasons the world comes together to compete.  And in every venue and each sport the rules change.  The distance, the accuracy, the time.  They are all measured and the rule-sets have been determined in advance.  The competitor knows and understands the measures by which they will be judged.  In the swimming pool, on the track  mat or field or in front of the target.

The collaboration across the planet somehow brings us all to the point of a temporary "Time Out."  Where it almost seems calm and peaceful for those days and weeks.  A time when humanity can say to themselves that it really is possible to all get along.  A time to show ourselves what really is possible if we have the will and the heart to make it all happen, on time and without incident.

The social media buzz on a daily basis will be coming live from millions of Twitter and Blog posts.  The use of Crowdmap will be utilized to assist in the event of a crisis.  The mobile device will continue to be a valuable way for the authorities to have continuous opportunity for situational awareness.  Applications from companies such as RealityMobile provide real-time streaming video from any camera enabled PDA device.  All of the communications equipment to collect, view and analyze information will remain a part of the layered defense in depth to deter, detect and prevent an adverse incident.  The London Olympics in 2012 will have the same challenges and the identical set of risks as Beijing or Greece in 2008 or 2004.  What is different this time?

This summer 2012 Olympic Games may be one of the most technology enabled risk management projects ever.  At the same time, the social scientists have been working on the analysis of the organizational risk facets of such a gathering in London.  Human factors and social demographics of the people attending have a major consideration in operational risk management planning:

"It is necessary for most of us these days to have some insight into the motives and responses of the true believer. For though ours is a godless age, it is the very opposite of irreligious. The true believer is everywhere on the march, and both by converting and antagonizing he is shaping the world in his own image. And whether we are to line up with him or against him, it is well that we should know all we can concerning his nature and potentialities."

Hoffer, Eric (2011-05-10). The True Believer: Thoughts on the Nature of Mass Movements (Perennial Classics) . Harper Collins, Inc..

The 1951 classic by Eric Hoffer is already Operational Risk reading 101 and the modern day Arab Spring is a perfect example of what messages Hoffer has reminded us to consider over 60 years later.  Yet those who continue to study the social science of mass movements, realize that our greatest risk mitigation tool will continue to be one of the least technical and most effective.  Education and Awareness.

We encourage all of our Operational Risk professionals to educate and increase the awareness of your employees and friends and family who will be attending the London Olympic Games 2012:

Official London 2012 Join In App

In the summer of 2012 London and the UK will come alive with events, celebrations and activities during the Olympic and Paralympic Games.

The Official London 2012 Join In app is a mobile guide to help you plan, enjoy and share your Games experience.

This free app is an essential planning tool for everyone, whether you have tickets for a sporting event or not. From the start of the Olympic Torch Relay to the Olympics and Paralympics, the Opening and Closing Ceremonies, plus all the cultural, city and community celebrations happening across the UK, Join In is your essential companion.

Download the Official London 2012 Join In App

Official London 2012 Results App

The Official London 2012 Results app provides all the latest news, schedules and results, allowing users to keep up-to-date with the latest action live across all Olympic sports and Paralympic sports.

Key features include results, live updates, calendar schedule, details of sports, medal tables and athlete profiles. Users can also follow specific countries, receiving official news and updates tailored to them all in one app.

It’s the essential app for all sports fans to share the excitement of London 2012!

operational risk

A Decade of Risk: 9/11 Memory Endures...

Tomorrow is the ten year anniversary of the 9/11 attack on the United States. For those people who were put in harms way that day and survived, their lives have changed forever. Have you ever had a near death experience? If you have, then you know what we mean.

A near death experience is everything that you have heard people say about it. That visions of their loved ones flashed into their thoughts and other physical implications, as a result of the adrenaline that was released into their system. Regardless of the experience, many say that they realize that "life is too short" and that they now have a new outlook on life and the relationships that surround them.

When you think back to your particular near death experience, what changed in the way you have now managed "Risk" in your life? Did you become more risk-oriented or less? Were you more cautious in the way that you managed your work or personal pursuits to avoid risks? Once someone has a near death experience or is very close to someone who does, the odds are that they quickly become "Risk Aware" and more cautious in taking future risks to their well being.

When you are building a team within your particular organization to manage risks; dig deep to find out what each team members life experiences have been with past risk events. The goal is to make sure that you have a balanced portfolio of people, who are risk aware and who have a broad spectrum of risk experiences so far in their life. The more diverse your team is from a risk management perspective, the more successful you will be in your ability to persevere as new risk events confront you on a daily basis.

Over the course of the past ten years the whole planet Earth has a heightened sense of "Operational Risks" and "Asymmetric Warfare" that span the incidents from mother nature to the man-made impacts of poor decisions and judgement, from New York and Washington to Kabul, Cairo and Tripoli. At this junction of the anniversary of 9/11 and the mixed emotions of how much risk we still need to mitigate and how much risk we are willing to accept, it's important to look in the rear view mirror and to simultaneously consider what lies ahead.

The considerations underway for the United States and the Intelligence Community (IC) are going to have significant implications to the man-made set of risks that we experience in the second decade of the new millenium. It's imperative that we take stock of the last ten years looking through the lens of "Homeland Security Intelligence" in order to determine the amount of risk that we are willing to take going forward, perhaps even at the peril of our own privacy and civil liberties:

In the aftermath of the tragic events of 9/11, Americans slowly came to the realization that while the country had spent considerable national treasure on intelligence capabilities over the years to protect the nation and had prevailed in the Cold War for which the U.S. Intelligence Community (IC) had largely been designed, this IC was not designed, equipped, or ever primarily intended to detect significant national security threats originating or residing within our nation’s own borders. Instead, it had been a longstanding and unique set of circumstances that had allowed Americans the good fortune of feeling safe within those borders. This sense of security was facilitated by two oceans and the Gulf of Mexico; two friendly neighbors to the north and south along relatively peaceful land borders; and a long history wherein immigrants, who are the lifeblood of this nation, came for opportunity and a hopeful future for their children, not to try to destroy the nation.

Whether it is the safety and security of your organization or of your own country, there will always be a process for risk mitigation that is subject to peril. There have been several near misses from a rising domestic threat from U.S. citizens that are inspired by others who leverage the "Information and Communication Technology" (ICT) platforms and mobile situational awareness. These ICT capabilities allow your adversaries to reach within your borders through the Internet, to disseminate their operational training to "Homegrown Violent Extremists".

Turning the lens back inside the U.S. will not be an easy path for many Americans. One only has to revisit the latest domestic incident in Oslo, Norway to see why it will be a priority:

The 2011 Norway attacks were two sequential terrorist attacks against the government, the civilian population and a summer camp in Norway on 22 July 2011.

The first was a car bomb explosion in Oslo within Regjeringskvartalet, the executive government quarter of Norway, at 15:25:22 (CEST).^[8] The car bomb was placed outside the office of Prime Minister Jens Stoltenberg and other government buildings.^[9] The explosion killed eight people and wounded several others, with more than 10 people critically injured.

The second attack occurred less than two hours later at a summer camp on the island of Utøya in Tyrifjorden, Buskerud. The camp was organized by AUF, the youth division of the ruling Norwegian Labour Party (AP). A gunman dressed in an authentic looking police uniform and showing false identification^[10] gained access to the island and subsequently opened fire at the participants, killing 69 attendees,^[4][5] including personal friends of Prime Minister Jens Stoltenberg and the stepbrother of Norway's crown princess Mette-Marit.^[11]

The Norwegian Police Service arrested Anders Behring Breivik, a 32-year-old Norwegian^[12] right-wing extremist^[13] for the mass shootings on Utøya^[14] and subsequently charged him with both attacks.^[15]

On the eve of remembering all of those people who have sacrificed so much, we remain vigilant. We remain committed to the continuous monitoring and operational risk measures that are required, to keep our homeland safe and secure.

Read more:

The two cities that were at the heart of the Sept. 11 terrorist attacks are on high alert this weekend after the government received a “credible” tip that Al Qaeda plans to launch an attack on Washington or New York as the nation marks the 10th anniversary of 9/11. Extra security is clearly visible on subways in both cities as officials are taking seriously a joint FBI, Homeland Security Intelligence Bulletin, first obtained by Fox News that states the timing and method of the potential terror plot.

operational risk