Showing posts with label Reputation Management.

28 June 2020

TrustDecisions: Understand, Decide, Act...

From the Board Room to our modern day asymmetric battlefield, Jeffrey Ritter’s Achieving Digital Trust will open eyes. It provides us with a reference model that management and software architects have been seeking. The survival of the Internet as we know it is currently at stake. This book provides a look into the transparency of «Trust Decisions» and how ensuring digital truth will shape our global governance for decades to come.
"How do you decide to trust digital information that is intangible and cannot be lifted, opened, or flipped through?

What questions do you need to ask to conclude that trust is justified in both digital information and the sources from which you acquire the information?

How do you make trust decisions about people, associations, tools, or their value when the information upon which you will rely is increasingly digital and intangible?

In a global culture in which digital trust is under attack and degrading, how can you build and engender old-fashioned human trust with your customers, business partners, associates, and employees?

Flooded with digital information, devices, and the capacity for others to question decisions, how can you make better decisions, choose the superior alternatives, and reduce the number of decisions that “just take the risk” because of data that is missing or not proven to be reliable?

Can achieving digital trust be proven to be good business and create new wealth in a global, 24/7/365 marketplace that demands increasing velocity while also increasing the risks of living digitally?"
Page 21, Achieving Digital Trust: The New Rules for Business At The Speed of Light - Jeffrey Ritter
Are you reading this on your Macbook?  iPhone?  Or on one of the dozens of variations of devices using the Android Operating System?  Why?

Think about the origin of the words you are reading.  Are they manifested from the brain of a human who is typing the words on a keyboard?  Or could it be a computer creating this digital content purely from some form of artificial intelligence?

How would you judge the trustworthiness of this digital information, if you could verify that it was written by a person vs. a machine?

All of us make split second decisions on who and what we will trust.  By the way it looks.  By the way it moves.  By the way it smells.  By the way it sounds.

Now, make a slight shift in your mind set to the mechanism we define as "Advertising".

How do you, as a human, accept and process an advertisement in a cognitive way?

cog·ni·tive | \ˈkäg-nə-tiv\
Definition of cognitive

1 : of, relating to, being, or involving conscious intellectual activity (such as thinking, reasoning, or remembering), as in "cognitive impairment"

2 : based on or capable of being reduced to empirical factual knowledge

Why are advertisements necessary on the television you watch?  Do you ever find yourself muting the advertisements?  Do you record all of your shows on the DVR so you can purposefully fast forward through the ads?
At the same time, you may have a brand, company or person that you respect and trust.  You are loyal to that brand, company or person for several reasons.  Much of that has to do with "TrustDecisions".

When you read the words in a book by an author with their name printed on the cover, do you value and trust what they have written?  It depends on the author, right?  Who is that person, and do you trust that what they have written is worth consideration?
We all have our own trusted sources of information.  Our Go-To authors.  Our news feeds.  Our verified intelligence.
Now visit this company on the Net:  Primer.ai
Now that you have reviewed Primer, and you see and think you understand their product solutions, the people behind the software, and the investors in the company, what do you think about next?

After all, a web site is just an advertisement, right?  Your decision to trust has everything to do with the words written, the colors used, the visual pictures and even the sounds (think music).

Based upon what you have read and see, do you trust the products and services of Primer.ai?

Based upon what you have read and see or feel or hear, do you trust your Doctor, your Priest, your Lawyer, your Bank, your Airline, your Employer or your Digital VPN?
You see, most people do not think long enough about the origins of trust, or about where their own trust in something or someone comes from, unless they are in the business of research, questioning or creating hypotheses on an hourly basis, or unless those decisions can mean the life or death of another person, or the factual truth of something not present to the naked eye, the ear, or taste or smell.


hy·poth·e·sis | \hī-ˈpä-thə-səs\
plural hypotheses \hī-ˈpä-thə-ˌsēz\
Definition of hypothesis

1a : an assumption or concession made for the sake of argument
b : an interpretation of a practical situation or condition taken as the ground for action

2 : a tentative assumption made in order to draw out and test its logical or empirical consequences

3 : the antecedent clause of a conditional statement
When you encounter the conscious world before you, whether it be face-to-face with another human, through the written words of an author, or through the spoken words of an advertisement or news broadcaster, think more deeply about this.

  • "Every transaction creating wealth first requires an affirmative decision to trust.
  • Building trust creates new wealth. Sustaining trust creates recurring wealth.
  • Achieving trust superior to your competition achieves market dominance.
  • Leadership rises (or falls) based on trust (or the absence of trust)."
Pages 35-36, Achieving Digital Trust: The New Rules for Business At The Speed of Light - Jeffrey Ritter

Now that you Understand, it is time to Decide.  Then you must Act... 

05 January 2020

ORM: Pervasive Risk Across Disciplines...

What is the origin of the "Operational Risk Management" (ORM) discipline? Was it derived from the work within the financial services industry from the Basel II initiatives?

The definitions, and the actual work towards creating standards of conduct and rule-based design, have been evolving for the past few decades.

Treating Operational Risk as the risk that is not otherwise considered market or credit risk is one mind set. The other mind set considers the hazards that threaten our valuable assets.

Either point of view depends on the environment that you operate in and the risks associated with that environment.

To give a quick example, here are a few views into Operational Risk in the United States:

"It didn’t take long—the first attack on a U.S. government website hit on Saturday, a day after the killing of Qassem Suleimani in Baghdad. The fact there was an attack is not a surprise—speculation has been rife. And the style of the attack is consistent with the nature of the primary cyber threat we now face. Hackers claiming to be linked to Iran targeted a low-level domain—the website of the Federal Depository Library Program—defacing its home page, echoing Teheran’s threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag" Forbes

"Boeing will still burn more than $1 billion a month even after halting 737 Max production, according to J.P. Morgan.  Boeing's decision to suspend production of the troubled aircraft was made in light of months of cash-draining groundings worldwide, but the company's internal overhead and labor expenses will remain and will increase cash burn, analyst Seth Seifman wrote to clients."  CNBC

These examples encompass a U.S. government agency and a private sector U.S.-based global aerospace company.  Both are operational risk scenarios that could contribute to losses that will also impact the reputation of the entity involved.

That aspect alone could be the major factor in why Operational Risk Management is such a growing discipline in our 2020 global landscape.

Some of the earliest origins of the Operational Risk concerns come from the military. The U.S. Navy is one of the branches that has embraced it fully:
  • Purpose. To establish policy, guidelines, procedures, and responsibilities per reference (a), standardize the operational risk management (ORM) process across the Navy, and establish the ORM training continuum.
  • Scope. This instruction applies to all Navy activities, commands, personnel, and contractors under the direct supervision of government personnel.
  • Discussion. Risk is inherent in all tasks, training, missions, operations, and in personal activities no matter how routine. The most common cause of task degradation or mission failure is human error, specifically the inability to consistently manage risk. ORM reduces or offsets risks by systematically identifying hazards and assessing and controlling the associated risks allowing decisions to be made that weigh risks against mission or task benefits. As professionals, Navy personnel are responsible for managing risk in all tasks while leaders at all levels are responsible for ensuring proper procedures are in place and that appropriate resources are available for their personnel to perform assigned tasks. The Navy vision is to develop an environment in which every officer, enlisted, or civilian person is trained and motivated to personally manage risk in everything they do.
If only our major business entities would fully embrace the following steps with all employees and processes, then more lives would be saved, corporate assets would be protected and the enterprise would be ever more resilient:

(1) Identify the hazards;

(2) Assess the hazards;

(3) Make risk decisions;

(4) Implement controls; and

(5) Supervise.
Yet the losses, and the potential for loss, continue across organizations that are well equipped to make Operational Risk Management a part of every person's and operating division's daily mind set:

The places change, the numbers change, but the choice of weapon remains the same. In the United States, people who want to kill a lot of other people most often do it with guns.

Public mass shootings account for a tiny fraction of the country's gun deaths, but they are uniquely terrifying because they occur without warning in the most mundane places. Most of the victims are chosen not for what they have done but simply for where they happen to be.

There is no universally accepted definition of a public mass shooting, and this piece defines it narrowly. It looks at the 172 shootings in which four or more people were killed by a lone shooter (two shooters in a few cases). It does not include shootings tied to robberies that went awry, and it does not include domestic shootings that took place exclusively in private homes. A broader definition would yield much higher numbers.

Whether it is on the deck of an aircraft carrier or within any organization's business facility, operational risk is pervasive. It is up to you and your organization to begin to make a difference...

18 August 2019

Performance Management: Risk on the Front Line...

As a leader in your particular organization, how often during your busy day do you think about culture?  The organizational pace?  The transparency and integrity that each key leader exemplifies as they operate each hour with employees, partners and your most important community stakeholders?

Competent leaders who model performance management processes to make Operational Risk Management (ORM) an enabling and growth oriented mechanism truly understand that this requires a mind-set shift.

Executing on how to enable more risk taking and catalyze innovation to achieve superior growth requires the ability to effectively incorporate risk management into your daily work products.

When you log in to your app, create a new document, start a new e-mail or enter new data into the database in the course of your daily work, you are playing the role of an information risk manager.  When you meet with, counsel, or coach a fellow employee, you have full control of how you are achieving new levels of trust.

The degree to which you follow the protocols, procedures and training involved with corporate records management, information security and workplace employment policies creates the foundation for how much risk, and how much trust, you will generate today.

Now think about how this will impact your continuous ability to be innovative, competitive and productive while building a trusted culture that employees, partners and community stakeholders will quickly recognize as trustworthy and extraordinary:
So, what is trust?  
"Trust is the affirmative output of a disciplined, analytical decision process that measures and scores the suitability of the next actions taken by you, your team, your business, or your community. Trust is the calculation of the probability of outcomes. In every interaction with the world, you are identifying, measuring, and figuring out the likelihoods. When the results are positive, you move ahead, from here to there. When the results are negative, you rarely move ahead; you stay put or you find an alternate path."   Jeffrey Ritter, Achieving Digital Trust
Turning risk management into performance management shall begin on the front line of the enterprise, with the ideal compensation strategy and the behaviors you are seeking from your front line customer service and field-based revenue generators.

Whether it's direct or indirect channel personnel, you have to understand how to use the right mix of compensation and incentives to drive a revenue risk appetite that is appropriate for your organization.

Performance Management could also be enabled or suppressed by the amount of power you give your 2nd Tier leadership. Do they have the ability to make a $1M decision or just $10K decisions when it comes to investing budgeted capital into their particular business unit growth?

Do they manage risk on a field or geographic level where they are the most informed and the most knowledgeable about the business, or is the "Mother Ship" back at the home office, dictating the way they spend or the way they invest?

The ability to manage operational risk at the point where new information is created is the nexus of several disciplines and requires substantial situational awareness training.

Every minute that goes by, with derailed leadership or a negative culture, puts the enterprise at greater risk to lost performance opportunities.

Your cultural trustworthiness depends on how effective you are as a leader at communicating with those whom you trust the most in your organization.

You need them to assist you in perpetuating a culture that understands the relationship between operational risk and performance management simultaneously on the front line...

24 March 2019

Operational Threat Matrix: The Mission Ready Many...

"Five years after the release of the Framework for Improving Critical Infrastructure Cybersecurity, organizations across all sectors of the economy are creatively deploying this voluntary approach to better management of cybersecurity-related risks. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued what is now widely known simply as the “NIST Cybersecurity Framework” on February 12, 2014."

Measuring an incident first requires defining a taxonomy of what an "incident is" and what an "incident is not". In other words, how can you measure something that has not been sufficiently defined in your organization?  How do you know when an incident has occurred?

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits.

Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

The Mission

The organization shall develop, implement, maintain and continually improve a documented operational risk management system:
  • Identify a method of risk assessment that is suited to the organization's business assets to be protected, its regulatory requirements and its corporate governance guidelines.
  • Identify the assets and the owners of these assets. Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
Assess the risks. Identify and evaluate options for the treatment of risks. Select control objectives and controls for treatment of risks. Implement and operate the system. Monitor and review the system. Maintain and improve the system.
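The five Navy ORM steps quoted earlier and the mission list above describe the same loop. As an added illustration (not the blog's code, nor any standard's), here is a small Python risk register that walks it: identify assets and owners, threats, vulnerabilities and the CIA impacts; score the risk; decide the treatment and the level at which the decision should be made; implement a control and re-score under supervision. The 1-5 rating scale, the appetite and escalation thresholds, and the sample register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed rating scale: 1 (rare / negligible) to 5 (almost certain / severe).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed risk appetite: scores at or below this are accepted as-is.
RISK_APPETITE = 6
# Assumed escalation line: scores at or above this need an executive decision,
# i.e. "make risk decisions at the right level".
EXEC_DECISION_LEVEL = 16


@dataclass
class Asset:
    name: str
    owner: str          # step: identify the asset and its owner


@dataclass
class Risk:
    asset: Asset
    threat: str         # step: identify the threat to the asset
    vulnerability: str  # step: identify the vulnerability the threat could exploit
    impact_c: int       # step: impact of a loss of confidentiality ...
    impact_i: int       # ... of integrity ...
    impact_a: int       # ... of availability
    likelihood: int
    controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.impact_c, self.impact_i, self.impact_a, self.likelihood):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"rating {v} is outside {SCALE_MIN}-{SCALE_MAX}")

    def impact(self) -> int:
        # The worst of the three CIA impacts drives the rating.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def score(self) -> int:
        return self.likelihood * self.impact()


def treatment(score: int) -> Tuple[str, str]:
    """Step: make the risk decision. Returns (treatment option, who decides)."""
    if score <= RISK_APPETITE:
        return "accept", "line manager"
    if score >= EXEC_DECISION_LEVEL:
        return "avoid or transfer", "executive"
    return "mitigate", "business unit lead"


def apply_control(risk: Risk, control: str, likelihood_reduction: int) -> Risk:
    """Step: implement a control, then re-score so supervision sees the residual risk."""
    risk.controls.append(control)
    risk.likelihood = max(SCALE_MIN, risk.likelihood - likelihood_reduction)
    return risk


def assess(register: List[Risk]) -> List[Tuple[str, int, str, str]]:
    """Step: assess the register; highest residual risk first."""
    rows = [(r.threat, r.score(), *treatment(r.score())) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def build_sample_register() -> List[Risk]:
    # Constructed entries, loosely echoing scenarios the posts mention.
    design_docs = Asset("R&D design repository", "VP Engineering")
    project_accounts = Asset("project accounts payable", "CFO")
    public_site = Asset("public web site", "communications director")
    return [
        Risk(design_docs, "insider copies intellectual property",
             "engineers can bulk-export the repository unlogged", 5, 2, 1, 4),
        Risk(project_accounts, "supplier inflates billable hours",
             "invoices are not reconciled against timesheets", 1, 4, 1, 3),
        Risk(public_site, "home page defacement",
             "content management system is months behind on patches", 1, 3, 3, 3),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for row in assess(register):
        print("%-40s score=%2d -> %s (decide at: %s)" % row)
    # Implement a control on the top risk and supervise by re-scoring it.
    top = max(register, key=Risk.score)
    apply_control(top, "export logging with DLP alerting", 2)
    print("residual:", top.threat, top.score(), treatment(top.score()))
```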

The Take Away

While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization.

Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization were able to understand and perform the mission flawlessly, then the business could stay in constant control of how much incidents are costing the enterprise.

Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly.

If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.

23 February 2019

OPS Risk: Military Lesson for Wall Street...

"Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules - not just for governments but for private companies."  Bill Gates (https://www.brainyquote.com/quotes/bill_gates_626047?src=t_privacy)
 "There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  Stanley A. McChrystal
Almost ten years ago, Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, summed up the essence of Operational Risk Management.

Corporate executives and mid-level management should have this made into a poster for their office and hang it in every hallway:
"Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a Wingman."
Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, consider this.

Effective "Operational Risk Management" will improve your organization's resilience factor.

The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding that most of us become more complacent the minute we hit the parking lot.

You see, OPS Risk is not just something being advocated in the Wall Street workplace. It should be just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation, and there is one source of threat to your corporate integrity that you can be certain of: the employees, partners and suppliers to your organization.

What most organizations the size and complexity of Facebook underestimate is the speed of change and the socially "connected" market economy. The blur of business, combined with "Holistic Blindness" to which privacy risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

"Facebook Inc. (FB) and the Federal Trade Commission currently are negotiating details of a settlement related to the Cambridge Analytica scandal, the Washington Post reported, citing people familiar with the matter.

The penalty imposed by the FTC likely would be a multi-billion dollar fine, which would easily be the largest fine ever issued to a tech company by the FTC. In 2012, Alphabet Inc.'s (GOOGL) Google was fined $22.5 million by the agency for user privacy offenses.

The two sides are still negotiating the amount of the fine. If no agreement is reached, the FTC could take the issue to court, according to the Washington Post.

Facebook's privacy issues date back to 2012. Facebook settled a case with the FTC in August 2012, when the two parties reached an agreement that "Facebook must obtain consumers' consent before sharing their information beyond established privacy settings," according to a press release from the FTC published at the time the deal was made.

Facebook's privacy issues continued last March when news broke that Cambridge Analytica, a political research company, had harvested user data beyond what was acceptable. It later became evident that Facebook likely was aware of Cambridge's actions on the platform" 


Whether it's collecting user data to sell to your supply chain or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it...

16 September 2018

Crowdsourced Risk: Situational Awareness in Mass Emergency...

Real-time information and raw intelligence via mobile devices has changed the risk management dialogue from the Emergency Operations Center (EOC) to the corporate board room.

Operational Risk Management (ORM) professionals are leveraging this information in combination with crowdsourced mapping applications, GPS, video feeds and live reporting.

Intelligence analysts have leveraged Big Data and Digital Analytics to extract the relevance of key questions asked by their constituents.  These same ORM professionals also realize that the raw data feeds from John Q. Citizen are exactly that: raw.

Fact checking, vetting and data verification are still the task of journalistic and intelligence experts.

Whether you are talking about risk incidents that involve whistle blowers on Wall Street, severe weather events, natural disasters, the Arab Spring or an active shooter in a Denver, CO suburb; social media is there.

Corporate Chief Information Officers are in the middle of "Bring Your Own Device" (BYOD) policy development, while National Public Radio (NPR) is using Twitter as a newsroom approach to reporting in the Middle East. The errors, omissions and operational risks associated with this "New Normal" are upon us, with the crowdsourced future of news and intelligence:

Flash back just six years: we were writing about how users of Twitter and Reddit used those networks to tell a compelling story about a mass shooting in Toronto, and how the same phenomenon was playing out in real time during another horrific incident, a shooting at a movie theater in Colorado that had killed at least a dozen people and wounded more than 50.

Although local TV news channels and CNN had been all over the story since it broke, some of the best fact-based information gathering had been taking place on Reddit and other open source curation tools.

The information posted on Facebook, Reddit or the organizational blog is at stake. Crowdsourcing and crowdmapping with the correct tools and trusted rule-sets are just the beginning.

From innovation to revolution, Patrick Meier's blog covers even more of the vital crowdsourcing topics. For a good foundation, also be sure to visit Sarah Vieweg's dissertation on situational awareness:

Situational Awareness in Mass Emergency: A Behavioral and Linguistic Analysis of Microblogged Communications (2012)

"In times of mass emergency, users of Twitter often communicate information about the event, some of which contributes to situational awareness. Situational awareness refers to a state of understanding the “big picture” in time- and safety-critical situations. The more situational awareness people have, the better equipped they are to make informed decisions. Given that hundreds of millions of Twitter communications (known as “tweets”) are sent every day and emergency events regularly occur, automated methods are needed to identify those tweets that contain actionable, tactical information."

Welcome to Dataminr...

In each of these news worthy events, we can see how a new form of journalism and situational intelligence — one that blends traditional reporting and crowdsourced reports — has evolved.

In an era when these applications and zettabytes of pictures and videos are available to the public, the journalist/analyst has a tremendous volume of sources. This now includes the evolution of Body-Worn Cameras (BWC).  And with those sources comes a renewed responsibility to the integrity of the real mission before us: the truth.

What is actually the truth? What happened to whom and when?

The private sector, including little known companies such as Acxiom, has been leveraging Big Data Analytics for decades to collect and verify information on people for the purpose of marketing. This is a mature and established sector serving the consumer retail industry and financial institutions for the purpose of operational risk management:
The ideal combination of vetted and proven data sources from private sector companies such as Acxiom in the U.S., along with the raw reporting of information from social media sources, is already the future of journalistic tradecraft.
When journalists from trusted sources or intelligence analysts misuse or err in their use of these tools, the operational risk factors are magnified. This can damage reputations and even jeopardize human lives.  The mobile social media revolution has the potential to be a Pandora's Box.

The Operational Risk Management discipline provides the framework and the proven methodologies to mitigate the rising likelihood of a "Decision Disadvantage."

Whether you are the editor of a major publication or the watch commander at the local police department does not matter. Whether you are the CISO at a major corporate enterprise or the head of a government intelligence agency does not matter.

It begins long before journalism school or high school English class. The ethics and integrity of information are at stake, and it begins the first time you hand a pre-teen their first mobile digital device.

19 August 2018

Information Threat: Battle for Superiority...

What continues to be the greatest economic threat to your organization? Is it "Internal" or "External" to your institution? Could it be both?

Insiders rarely work alone, and therefore a nexus with some outside influence, whether it be a person, life factors or some other entity, is typically in play.

Is an engineer in R&D copying precious intellectual property from within the enterprise that could be worth hundreds of thousands or even millions to the highest competitive global bidder? Could your small business have an accounting supervisor who has been diverting funds to a private bank account for the past two years?

Would it be possible that a supplier or 3rd party partner is capable of inflating the number of billable hours on a project?

Whether it's IP theft, fraud or other white collar corporate malfeasance, these Operational Risks are real and growing at a double-digit percentage rate annually. The greatest economic threat to your organization could be a complacent or apathetic staff who work without adequate resources and with little communication from the Executive "Powerbase".

The compliance and oversight mechanisms of federal governments around the world are in full swing as highly regulated critical infrastructure organizations are implicated in a myriad of corruption, scandal, ethics and criminal matters.

Litigation is an Operational Risk for which many organizations have realized the necessity of more robust internal teams to address the continuous requests for information from the government.

There is one common denominator across all of the insider threats, external forces and other vectors that seem to be attacking our institutions night and day. That common denominator is "Information".

And underlying this is the data and metadata that all too often end up being the key or clue to finding the "Smoking Gun" and the source or person(s) associated with the scheme or attack on the organization.

Managing information in a mobile and interconnected planet is a major issue in any global company. Providing the tools and the right information faster and more accurately than the competition can be the difference in your own survival on the corporate battlefield.

So how does the CxO suite even begin to address the risks, opportunities and resilience in our demanding "Information-centric" environment?

They believe in having a strong culture of ethics, training and continuous monitoring of employees, systems and their supply chain. They understand the importance of providing the vital resources to the people on the front line of risk management and to make sure that their early warning systems and methods are not compromised.

These CxOs are the new breed of organizational management, leveraging information to their most significant advantage:
Whether you are trading in a marketplace, analyzing assets on a map or manufacturing widgets and selling them to qualified buyers, operational risk management begins and ends with information. Managing that information effectively and more accurately than your competition is the name of the game. What have you done today to ensure your survivability in the face of the next crisis?

11 August 2018

Operational Risk: The Pursuit of Trusted Information...

Operational Risk is about Performance Management and Business Resilience.  CEOs and Boards of Directors realize that the road to eliminating fear in their organization and the marketplace is through trusted information.

Being agile, ready and capable of a quick recovery is what competitiveness is all about, on the field, on stage or around the table in the Board Room. Working towards control and protection while "fear" builds in the back of your mind makes you stiff, depletes your energy and confidence, and creates doubt.

And when you are operating a business or standing on the tee of your first sudden death hole on any PGA weekend, you better have resilience.

The business equivalent to homeland security and critical infrastructure protection is Operational Risk Management (ORM)—a domain that many executives see as the most important emerging area of risk for their firms. Increasingly, failure to plan for operational resilience and crisis readiness can have “bet the firm” results.

There are numerous examples of how errors, omissions and glitches have brought down the reputations of many a Fortune 500 company. What do they all have in common that was clearly absent and that led to their demise?
"A trusted reservoir of economic and business resilience to remain competitive in the marketplace."
Even beyond natural disasters and information security hacks, the threat of "Tort Liability" and the loss of organizational reputation is top of mind these days for every major global company executive.

The threat is continuous and increasing at a faster rate than many other real operational risks to the enterprise. Litigation from regulators, class actions and competitors has given the term "Crisis Readiness Team" a new emphasis and meaning.

Once corporate management understands the need for a continuous "resilience" mentality in place of a "protection" mental state, a new perspective is found. Investing in the vitality, agility and competitive capabilities of the organization sounds, and is, more positive.

It alleviates the fear of doom and gloom and inspires new-found innovation. The future of your organization's longevity, and its adaptability, can be achieved with a bold new perspective.  Compete or die.

Crisis Readiness could be enabled or suppressed in your enterprise by the amount of power you give your leadership. Do they have the ability to make an autonomous $1M decision or just $10K decisions when it comes to investing budgeted capital into their business unit operations?

Do they manage risk on a level where they are the most informed and the most knowledgeable about the business?  Or is the "Mother Ship" back at the home office HQ dictating the way they spend or the way they invest?

The ability to know how to manage risk at the point of creating new information is the nexus of several disciplines and requires substantial training. Every minute that goes by with people not performing and behaving correctly puts the enterprise at greater risk of lost performance opportunities.

All these issues can be summed up in a single concept:  Trusted Information. Simply accessing data is no longer enough.

CEOs, CFOs and knowledge workers must be able to reliably track the information they use for decisions back to the original source systems, in order to ensure its timeliness, accuracy and credibility.

Over the last decade, organizations have invested millions of dollars in systems to collect, store and distribute information more effectively.  Despite this, information users at all levels of the organization are often uncomfortable with the quality, reliability and transparency of the information they receive.

Today's organizations rarely have a "single view of the truth." Executives waste time in meetings debating whose figures and policies are correct, rather than what to do about the company's issues.

Additionally, they worry about the consequences of making strategic decisions using the wrong information, which directly impacts the long-term survival of the organization.

The search for trusted information is a continuous pursuit for commanders in the "Mission Ready Room" and the "Corporate Board Room".

So how do you achieve the level of assurance that's required to make the "Bet the Firm" risk management decisions in your enterprise...

10 March 2018

Security Governance: Rededication...

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its performance.

The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been recognized is the role of risk management in "Security Governance."

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches.

The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance.

The security governance policy should mirror the deeply felt emotions of the organization or nation, to its shareholders and citizens. It should be a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them.

However, what the stakeholders can demand, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

It is this Security Governance management system with which we all should be concerned, and which we seek from our executives, board members and oversight committees. There should be a top management strategic policy to focus on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and define how risk assessment will be performed

A process should be established for risk assessment that takes into consideration:
  • Impact, should the risk event be realized
  • Exposure to the risk, on a spectrum from rare to continuous
  • Probability, based upon the current state of management controls in place

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them.

It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

17 June 2017

Innovation: Investing in the Linchpins...

There are new innovation initiatives that have been launched across America and internationally over the past few years.  Each has a vertical or horizontal focus to attract a particular set of entrepreneurs, coders, researchers and founders or data scientists.

You may have seen the accelerators, the incubators, training boot camps or even the H4D class being offered in your particular U.S. city or university lately.  Behind these initiatives are leaders, executives and fellow startup founders/practitioners who have developed a combination of methodologies and strategies, to produce new products and problem-solving business platforms.

After several years of practicing and mentoring in this category, and recently devoting 30+ hours to first-hand observation, several insights emerged.

First off, the quality and experience of instructors, mentors and the support ecosystem is vital.  You must create a robust program to recruit, train and continuously facilitate the actual people who surround the accelerator, incubator or university class and are devoting their time and resources to volunteer.

The ecosystem itself requires tested and proven processes, business rules and significant buy-in by all contributors.  The volunteers need a set of program prerequisites, a framework and the coaching along the way, to make their experience just as valuable as the participants in the innovation entities program.  Many of the mature innovation programs do this already.

Second, the founders, subject matter experts, linchpins, content providers or problem-set sponsors should have their own meetings and live interactions before and after each iteration of the participants' program.  As an example, if the incubator has a cohort that is in residence over the course of 10 weeks, on Tuesdays from 4:30-7:30PM, then the volunteers should meet for 30 minutes before and 30 minutes afterwards.

Why?

During those 3 hours there are plenty of live interactions, new learning, comments and ideas generated with the actual program participants.  It is just as valuable for the volunteers to share and interact after each iteration or cohort meeting to prepare and to debrief.  Certainly some of the follow-up learning could be captured using Slack or other online tools, yet having those linchpins face-to-face and interacting live is ever so valuable.

So What?

The maturity of the systems and processes associated with the innovation initiative will be a key factor in the long-term success and longevity of a particular program.  Yet even a set of solid systems can be influenced and characterized simply by the combination and quality of the people who are interacting with and supporting these systems.  The parallel effort and devotion to one-to-one development, training and post-program metrics for these instructors, mentors, problem sponsors and facilities or resource donors is paramount.

If you are an innovation engine producing new entrepreneurs and business startups that utilizes an ecosystem of volunteers, your future success will be directly linked to these vital linchpins...

15 January 2017

Inspired Outcomes: A Culture of Why...

Why does your organization exist?  Most people answer this question with the kinds of products or services provided.  This is "What you do".  Some people talk about how they provide the service or how the product works.  This is "How you do it".  This does not answer the question.

Most organizations have it backwards.  What >> How >> Why.  Now think, Why >> How >> What.

Why your organization exists is paramount to understanding the real purpose and DNA of your culture.  It is vital to the people who show up every day, the core reason they perform their role or contribute to the measurable outcomes of the team.  True Operational Risk Management (ORM) professionals discover the "Why" at the beginning.  Without the truth behind "The Why", nothing after it has enough context.

When you begin the journey to build a better product, or invent a new process you better know the answer to "Why".  Discovering this first, will provide the inspiration, the creativity and the fortitude to get you and your team out of bed the next day, to do it all over again.  Without the "Why", we as humans lose sight of our destined purpose.

Over seven years ago, Simon Sinek was advocating for "Why" in his book and in TED Talks.  A few years later, he was helping the Air Force hone new leadership skills in its pilots:
"I told the guys, it's not enough any more to be ace of the base," said Col. Richard "Tex" Coe, commandant of the United States Air Force Weapons School. "We have to bring others with us."

Coe believes the school's new leadership curriculum will translate to success in the global war on terrorism, particularly in the fight in Afghanistan.

"What we're going to be doing is purposely developing these innovative and creative leaders that will go out there and face problems," Coe said.

"We don't even know our problems yet, and we'll be able to put our pieces together and use resources and other people around us to get the mission accomplished."

Coe, a master navigator with more than 3,000 flight hours including 460 combat hours, left Afghanistan in 2002. Today, the country "is a new and different place" he said.

"It's a completely different problem than it was back then. It's ever changing, and we're preparing them for that ever-changing problem."
"What we believe" is not the same as "Why We Exist".  It is different and it could mean the difference to owners, employees, partners and external customers or clients.  Here is just one example from Palantir:
Why We’re Here

"We believe in augmenting human intelligence, not replacing it.

With good data and the right technology, people and institutions today can still solve hard problems and change the world for the better."
How could you make this even more compelling?  More inspiring and motivating, so that you want to jump out of bed each day at the sound of the morning alarm.

Behind every process, product and service there are humans who must see, feel and smell the "Why".  If and when they do, now they are ready to endure the journey, the quest and the challenges ahead.  They are there for a purpose they can internalize and outcomes that they can pursue vigorously, each day.

Discover the "Why" from your clients and customers, if you have not already done so.  Understand deeply the reason why they are doing business with you.  You may be surprised to know that your clients are paying you more than your competitors, for the same product or service.  You may soon find out the real value of "Trust."

Making the "Decision to Trust" one product or service over another cannot be underestimated.  Yet so many organizations and companies fail to find the truth about "Why" in their ecosystems of followers.  Is it the location, the price, the ease of use, the color, the feel, the endurance, the speed, the intelligence?

Once you have discovered the truth on "Why", you must know "How".  Then the "What" will follow, with the name of your product or brand.  Isn't it interesting that when you are attending a networking or convention event, that when you meet someone new, they may ask:  "What do you do?"

What if you answered the question like this: "I work with X and we exist to Y."  The cause and reason for your organization's existence transcends everything.  It provides the foundation for why this person is going to trust you and your organization.  Now if they would only start the conversation with:  "Why does your organization exist?"

Once you have a solid foundation for "Why", then you must know "The How" and then "The What".  Here is another example:
SpaceX designs, manufactures and launches advanced rockets and spacecraft. The company was founded in 2002 to revolutionize space technology, with the ultimate goal of enabling people to live on other planets.
Or how about:

"SpaceX exists to enable people to live on other planets.  We manufacture rockets and launch them so that our customers can supply other spacecraft or travel to other destinations beyond Earth."

Now think about your organization.  Take a deep look at your culture.  What is the fuel that will propel it into the future to achieve extraordinary outcomes?  Exponential results...

23 October 2016

Intelligence-led Enterprise: CIU Success Factors...

Intelligence-led processes applied within the global corporate enterprise continue to be relevant, for reasons being published in the popular press. "Operational Risk Management (ORM) Specialists" utilize these processes to mitigate a growing spectrum of domestic and transnational threats:

Developing relevant intelligence to run daily business decisions in your institution may seem like an important task day to day. The question is, how embedded is the "Corporate Intelligence Unit" in developing the relevant intelligence your decision makers need every few minutes or hours to steer the organization away from significant losses? Is your internal web-enabled "Corporate Daily News" or "ABC Company Post" being updated in real time by the employees in each department or business unit?

Do you have an organized, synchronized media and communications function working within your Corporate Intelligence Unit (CIU) to continuously post the correct content and manage the RSS feeds from each global business unit? Why not?

The "Information Operations" (IO) of your company are the lifeblood of how your employees will make relevant decisions on where to steer clear of significant risk.  Based upon what other business units are doing or what is going on in the external environment of your state, sector or geography, consider these scenarios:

If the internal RSS feed for the IT department reported that there was a Distributed Denial of Service (DDoS) attack going on at the moment, how might that impact the decision by the marketing department to delay the posting of the new product release information to the Twitter site? The synchronization of intelligence-led processes is led by the head of the Corporate Intelligence Unit. The CIU is staffed with people who have a tremendous understanding of the corporate enterprise architecture and have the skills and talents to operate as effective operational risk management professionals.

If the internal RSS feed for the Facilities Security department reported the presence of a "White Truck Van" with blacked-out windows trolling the perimeter of the corporate parking lot, how might this change the decision for the CEO to leave that minute for her scheduled trip to the airport? Skilled CIU staff would quickly notify the CEO via the "Corporate 9-1-1 Alert" app embedded in every employee's iPhone. Undercover corporate security personnel would then immediately approach the vehicle for a recon drive-by.

If the internal RSS feed reported a recent change in industry legislation that would change the way the Federal Trade Commission defined the elements regarding consumer privacy, how might this affect the latest strategy on how the institution was going to encrypt its data on servers and laptops? The CIU staff would advise the Chief Information Officer and other Information Security Risk staff to step up the roll-out of the latest version of PGP for the enterprise.
And the list goes on. The modern day intelligence-led Corporate Intelligence Unit (CIU), in concert with other highly specialized Operational Risk Management professionals in the enterprise can keep you safe, secure and keenly aware of new threats to your corporate assets. The degree to which you provide the right resources, funding and continuous testing/exercising of your capabilities will determine your likelihood for loss outcomes.

If your organization has been impacted by loss outcomes that continuously put your employees, stakeholders or assets at risk, then look hard and deep at your "Operational Risk" quotient, to determine if you are the best you can be...

16 April 2016

Leadership in Crisis: Building Trust with Continuous Training...

How often have you heard the leadership management philosophy that you must "Train Like You Fight"?  Here is another way to look at it:
The more you sweat in peace, the less you bleed in war.
Norman Schwarzkopf
The theme is all too familiar to Operational Risk Management (ORM) teams that operate on the front lines of asymmetric threats, internal corruption, natural disasters and continuous adversaries in achieving a "Defensible Standard of Care."

As the senior leader in your unit, department or subsidiary, the responsibility remains high for preparedness, readiness and contingency planning.  Your personnel and company assets are at stake, so what have you done this month or quarter to train, sweat and prepare?  How much of your annual budget do you devote to the improvement of key skills for your people in a moment of crisis or chaos?

What will the crisis environment look like?  Will it develop with clouds, water and wind, or the significant shift of tectonic plates?  Will it begin with the insider employee copying the most sensitive merger and acquisition strategy to sell to the highest bidder?  Will it start with a single IT server displaying a warning to pay a ransom or lose all possibility of retrieving its data and operational capacity to serve your business?  Will it end up being another example of domestic terrorism or workplace violence like San Bernardino, Paris or Ft. Hood?

Leaders across our globe understand the waves of risk and the possible issues that they may encounter each year.  Many travel to Davos to the World Economic Forum where the world tackles these disruptive events, with the best minds and exchange of information.  Why?  They understand that vulnerability is what they fear the most.

Yet what can you do in your own community, at your own branch office to address the Operational Risks you face?  How can you wake up each day with the confidence as a leader, that you have trained and prepared for the future events that will surprise you?  It begins with leadership and a will to lead your team into the places no one really likes to talk about.  The scenarios that people fear to train for, because they think they will never happen.

Achieving any level of trust with your employees, your customers and your supply chain revolves around your leadership.  The discipline of "Operational Risk Management" is focused on looking at all of the interdependent pieces of your business mosaic.  The environment you operate in, even the building that houses your most precious assets.  All of these factors are considered in developing and executing your specific plan for training and readiness.

So what?  The question is "Why Don't Employees Trust Their Bosses"?
Why this lack of trust?

There is a disparity, the survey revealed, between areas that employees said were important for trust, and the performance of company leaders in these areas.

For example, half of respondents said it was important for the CEO to be ethical, take responsible actions in the wake of a crisis and behave in a transparent way. However, a much lower number of respondents actually felt their CEO was exhibiting these qualities.

This disparity is in part responsible for trust decreasing as you move down an organization’s hierarchy. So, while two-thirds of executives trust the company, less than half of rank-and-file employees do. Equally, peers were rated as much more credible than CEOs.
As a leader your roles are multi-faceted and there is never enough time or money in the budget.  The leaders who excel in the next decade will find a way.  They will invest in their teams' training and the systems to increase trust, by addressing Operational Risk Management (ORM) as a key component of the interdependent enterprise.

The "TrustDecisions" you require and the understanding developed to ensure effective "Trust Decisions" by all of your stakeholders will remain your most lofty goal as a leader.  How you train to fight and how you sweat now will make all the difference in your next war.  From the boardroom to the battlefield your leadership is all that is needed.  Your leadership will make a difference.

03 April 2016

Fifth Discipline: The Evolution of Digital Intelligence...

"Learning organizations themselves may be a form of leverage on the complex system of human endeavors.  Building learning organizations involves developing people who learn to see as systems thinkers see, who develop their own personal mastery, and who learn how to surface and restructure mental models, collaboratively.  Given the influence of organizations in today's world, this may be one of the most powerful steps towards helping us "rewrite the code," altering not just what we think but our predominant ways of thinking.  In this sense, learning organizations may be a tool not just for evolution of organizations, but for the evolution of intelligence."  --Peter M. Senge -The Fifth Discipline - 1990

Many senior executives and a cadre of experienced Ops Risk professionals who are waking up across the globe today keep this textbook within arm's reach.  Why?  All 413 pages of wisdom and knowledge transfer are applicable this moment, even though it was written and practiced several years before the commercial Internet was born.

Our respective cadre of "Intelligence Analysts" spans the organization continuously seeking the truth, analyzing the growing mosaic, applying new context and taking relevant actions.

In an environment now vastly more virtual, far beyond the paper pages of Senge's book, lies the contemporary intelligence of "IBM's Watson."  At the finger tips of Dragos operators or the Palantir Forward Deployed Engineer, we have new insights almost in real-time.

The "Learning Organizations" are no longer in a traditional hierarchy.  They are flat, agile and capable of tremendous autonomy at light speed.

So what is the opportunity now?  How can we potentially move towards more collaborative systems thinking and "rewrite the code" even in the 2nd decade of the 21st century?  It starts with rewriting the new digital code.

It continues as we reengineer our "Learning Organizations" for a digital environment that operates 24 x 7 and is ever more fragile, because so much trust is inherent in it.  We can still create and deploy systems thinkers to question the truth and learn from the speed and capabilities of our new intelligent machines.

Peter Senge outlines five learning disciplines in his book on three levels:
  • Practices:  What you do
  • Principles:  Guiding ideas and insights
  • Essences:  The state of being of those with high levels of mastery in the discipline
The five disciplines are:
  • Systems Thinking
  • Personal Mastery
  • Mental Models
  • Building Shared Vision
  • Team Learning
The enterprise architecture for our modern-day learning organization is in its infancy.  You see, the technologies and the software have outpaced our human ability to apply them effectively with the five disciplines.  One of our continued vulnerabilities is ignorance of information governance as it pertains to the truth of data provenance, and to how, as humans, we apply the disciplines of learning in our digital organizations.

Our organizations are a "plume of digital exhaust" that is invisible to many and crystal clear to some.  As you begin to capture and document the digital footprint of today's knowledge worker, the trail is long and deep.  Even shadow planners, logistics experts and operators cannot escape the digital encounters they have each day.  However, the apparent threat is that they will continuously become more aware and more disciplined.

The art and practice of gaining and preserving "Digital Trust" is at stake for all of us.  The vast and consistent application of understanding "trust decisions" in our digital lives, will forever provide us new found challenges and new discoveries.  How we consistently apply our digital disciplines going forward, will make all of the difference in our prosperity or our future peril.  How we reengineer our learning organizations for 2025 and beyond, is now at our doorstep.
Today, privacy, information security, cyber defenses—all revolve around the same target: achieving trust to sustain electronic commerce and create new wealth. Digital trust is not only required; achieving digital trust will prove to be the competitive differential for the winners of the next generation.  --Jeffrey Ritter
Think about your digital footprints as you interact, communicate, travel and read the news today.  Activity-based Intelligence (ABI) is a business and you are the product.  The question is, how can you and your learning organization move from the "Fifth Discipline" to the next one?

What cognitive strategies and new disciplines will you and your organization deploy this year to attain new levels of prosperity and insight?

The journey will be long and the opportunities will be explored.  It's time that more learning organizations start the reengineering with the right tools and talent.  Yes, this is the next evolution of intelligence...

17 January 2016

Duty of Care: Board of Directors OPS Risk...

The Board Rooms across America are in full tilt mode working hard on risk oversight. The Chairman of the Board (COB), is wrestling with divergent personalities and competing agendas as the organization races towards its next phase of growth.

Operational Risks are being presented from all facets of the business and the Board of Directors has a fiduciary responsibility to address them, without creating new risk in the process. Leadership is in short supply and collaboration among the entire board is dwindling. In terms of Operational Risk Management (ORM), what risk is the most dangerous to the enterprise at this point in time?

The risk that the Chairman of the Board has lost the ability to forge trust and a favorable relationship with the Directors themselves becomes a significant threat. The trust and the relationship that a Chairman has with the Board of Directors is paramount. When this is no longer present, and the "Independent Directors" realize they can no longer trust the performance of the Chairman, significant risk factors quickly evolve that put the entire organization into a vulnerable state.

Once the Independent Directors see, hear or feel that the Chairman has lost credibility and respect from the Board, then it is time to act. The organization is in jeopardy, and each day or week that goes by without action to change leadership will increase the long-term risk to the brand, to confidence in the entire leadership and finally to the people charged with making the organization compliant with all legal and ethical policies. A failure in people is an Operational Risk that far too often becomes overlooked or just plain ignored, due to the power base that may exist through the Chairman's role.

The Board of Directors are charged with the duties that involve the governance, regulatory, compliance, legal and ethical components of the organization. When any one of these starts to fail, then the faith in the entire leadership of the organization becomes a question mark. How many times do we hear the story that brought down the leaders with the words "Failure to Act"? Today and in the future, “serving on a Board of Directors means living in a fishbowl” according to Chief Justice Myron Steele of the Supreme Court of Delaware:
Once a difficult situation arises with the potential for litigation and its accompanying damage to the company’s reputation, the media will descend on the company, and directors must show 1) that they had a plan in place to deal with such situations in accordance with their oversight or compliance duties, 2) that the plan was reasonable and adequate, and 3) that the plan was followed. It is worth noting here some of the recent trends in corporation litigation. Two major categories of corporate litigation that a director might face include the traditional class actions based on breach of fiduciary duty, and derivative actions which are filed on behalf of the corporation due to wrongdoing on the part of the board, either for its actions that resulted in a loss or its failure to act which also resulted in a loss through missed opportunity.
One of the major trends today is to keep the role of Chairman separate from that of the CEO or President of the organization. The benefits are considerable, especially when the CEO has the maturity to treat the other person as an ally rather than as competition:
In the public company arena, more and more companies are separating the Chairman of the Board position from the CEO. It turns out that this trend has benefits for earlier stage companies too. We believe that all CEOs – regardless of their experience – benefit from having a lead director on the board. In general, it has been our experience that boards (and the board meetings) work better when there is a Chairman in charge other than the CEO.
This strategy in overall Board Governance is a sound one. As a consequence of the Board's "Duty of Care," at some stage the Chairman may be required to recommend to the Board that a CEO resign or be removed from running the day-to-day operations of the organization.

The behavior of the Board of Directors, both inside the Board Room and in its public functions, is what is at stake. The governance of the Board begins with the Chairman but ends with each individual member of the Board. If an Independent Board Director remains silent on any legal duty of the Board, they put everyone in jeopardy of a failure of the Duty of Care:
In tort law, a duty of care is a legal obligation imposed on an individual requiring that they adhere to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence. The claimant must be able to show a duty of care imposed by law which the defendant has breached. In turn, breaching a duty may subject an individual to liability. The duty of care may be imposed by operation of law between individuals with no current direct relationship (familial or contractual or otherwise), but eventually become related in some manner, as defined by common law (meaning case law).
It is the Chairman of the Board who has the responsibility to keep the Independent Directors informed and aware of any person's behavior or actions that could put the entire Board at risk. Even more importantly, it is the duty of each Independent Director to ensure that they are constantly monitoring for any possible failure of the Duty of Care to their organization and to their fellow Board Directors.

10 January 2016

Privacy Engineering: Mobile Standards for Digital Trust...

The landscape of software engineering standards within corporate organizations is now on the radar of Operational Risk Management (ORM) experts.  What privacy and security related engineering design standards are being utilized at JP Morgan Chase, Citibank or PayPal for mobile App development?

Effective and standardized "Privacy Engineering" of mobile applications at organizations in Critical Infrastructure sectors such as Finance and Banking is just one example.  It is soon to be a greater focus of the Federal Trade Commission (FTC) and other U.S. regulators.  Why?

"Trust Decisions" are being made by consumers each day, as millions of mobile banking customers download an application to their Android or iOS smartphones.  The consumer then has immediate exposure to the quality of the software engineering, through the UX/design and the developer of the software App.  The standards each organization uses for designing and engineering those Apps with privacy and security may vary by who developed the application and for which particular operating system.

So what?  The software engineering departments of U.S. financial institutions and of other highly regulated industries will be a continued and concentrated focus of the Federal Trade Commission (FTC).  Standards for privacy software engineering, and disclosure of the rules, will become an even more critical factor.  Why?
As a result, to act within the time constraints of deadlines, the presence of fiercer competition, and the looming threat of higher lost-opportunity costs, you have no choice—you must presume the trustworthiness of the information you acquire to make decisions. Deciding now requires you to acquire the information you need from the most accessible source, with zero time to ask the important questions: “Where did this information come from? Who put this report together? Has the data been confirmed to be accurate? Who actually authored the analysis? Does this bank statement reflect all of our deposits?”

Answering these types of questions is inherent to how we make good decisions. You seek information that serves as fuel for your decision. You work hard to validate that the information can be trusted. You calculate toward your decision, constantly evaluating whether the information holds up its reliability. But in today’s 24/7/365, wired decision-making landscape, there is no time to ask those questions. Those controlling the information you need understand that pressure and require you to presume their digital information is trustworthy and reliable for making your decisions. Thus, to gain control of digital information is to succeed in imposing an enormous handicap—removing your ability to challenge its trustworthiness by asking the right questions.  Source:  Achieving Digital Trust by Jeffrey Ritter.
Is it possible to redesign mobile banking Apps so that all Android or iOS software engineers must adhere to privacy and security engineering standards of practice?  The human "Trust Decisions" about whether to trust an application with personally identifiable information (PII) are currently buried in legal disclosures.  The privacy disclosures are written by lawyers, all of them different and in most cases never read by the consumer prior to downloading the App.  Opt-in or Opt-out?

The future of mobile App Privacy and Security Trust engineering for consumers will be in the hands of government regulators soon and in concert with other laws associated with information security, such as the GLBA Safeguards Rule.  "Cyber Trust" indicators or other vital warning systems may be in the works.  Buyer Beware is the theme.

For years consumers have relied on FDA Nutrition Labels and other federal tools that provide more visible and rapidly effective disclosure.  Since a human being is making "Trust Decisions" on whether to download a software application to their computing device, they may also want a method to quickly ascertain whether the App is "Trustworthy."

Can they trust the application according to their particular appetite for risk?  What information will be shared with third parties?  How will their information be used and collected while they are using, or not using, the application?  Here is one example of how a future warning "Privacy Label" may look before a consumer is permitted to download an application to their computing device.

What does the consumer experience today?  As one example, currently when you visit the App Store on an iOS mobile device such as the iPad, and then search for "Chase", the top choice is an App named Chase Mobile.  When you click on the "Get" button, it changes to "Install".  When you click on "Install" it prompts you to Sign In to iTunes Store.  Once you sign-in, the Chase Mobile App downloads to your device, the button then changes to "Open."

When you open the Chase Mobile App, it opens on a first screen to "Log On".  There is a small "Privacy" button in the top left corner of the screen, but there is no easy-to-understand Privacy Label visible before you actually "Log On" to Chase.  Selecting the Privacy button in the upper left corner reveals dozens of pages of legal documents explaining the online privacy policy and U.S. consumer privacy notices.  There is, however, one easier-to-view grid under the privacy notice that is helpful in understanding whether Chase shares personal information and whether you, as a consumer, can limit that sharing.

The Critical Infrastructure sectors of the U.S. economy that have a daily interface with consumers through mobile software Apps are now on notice.  Chief Legal Counsels, Chief Information Officers, Chief Privacy Officers and software engineering personnel must address the reality of human behavior and how "Trust Decisions" impact legal risk and the ultimate perception of the corporate brand.

13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans hazards from the flight deck of the USS Ronald Reagan (CVN 76) to behind enemy lines, and even to employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules. Products sit in the warehouse, yet revenue ends up on the sales rep's commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivables are inflated.
These are just two of the many facets of occupational fraud that start with a few cowboys who have little regard for managing risk and every incentive to line their pockets with newfound cash or bonuses.
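The Dodd-Frank definition quoted above (orders placed with the intent to cancel before execution) turns into an observable pattern in an order log: many new orders, nearly all of them cancelled, each living only a few milliseconds. The following is an added example, not code from this post or from any exchange or firm's surveillance system, showing the kind of heuristic a compliance or fraud-detection team might run over order events. The log format, account names and thresholds are all constructed for the illustration.

```python
"""Spoofing-pattern heuristic over a constructed order event log (added example).

Two proxies for "intent to cancel before execution" are computed per account:
the share of new orders that were cancelled rather than filled, and the
average lifetime of the cancelled orders. Accounts above both thresholds are
flagged for human review; this is a screening rule, not proof of intent.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class OrderEvent:
    ts_ms: int       # event timestamp in milliseconds (constructed clock)
    account: str     # trading account identifier (constructed)
    order_id: str    # order identifier (constructed)
    action: str      # one of "new", "cancel", "fill"


# Constructed sample log, not real trading data. Format: "<ts_ms> <account> <order_id> <action>".
# acctA places four orders and cancels all of them within ~20 ms; acctB lets one order
# fill and cancels another only after several seconds.
SAMPLE_LOG = """\
1000 acctA o1 new
1005 acctA o2 new
1010 acctA o3 new
1020 acctA o1 cancel
1022 acctA o2 cancel
1025 acctA o3 cancel
1030 acctA o4 new
1040 acctA o4 cancel
1100 acctB o5 new
5100 acctB o5 fill
1200 acctB o6 new
9000 acctB o6 cancel
"""


def parse_log(text: str) -> list[OrderEvent]:
    """Parse the whitespace-separated constructed log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, order_id, action = line.split()
        events.append(OrderEvent(int(ts), account, order_id, action))
    return events


def account_stats(events: list[OrderEvent]) -> dict[str, dict]:
    """Per account: order count, cancel count, cancel ratio and mean cancelled-order lifetime."""
    opened = {}                      # order_id -> (account, open timestamp)
    orders = defaultdict(int)
    cancels = defaultdict(int)
    cancel_lifetimes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts_ms):
        if ev.action == "new":
            opened[ev.order_id] = (ev.account, ev.ts_ms)
            orders[ev.account] += 1
        elif ev.action == "cancel" and ev.order_id in opened:
            account, t_open = opened.pop(ev.order_id)
            cancels[account] += 1
            cancel_lifetimes[account].append(ev.ts_ms - t_open)
        elif ev.action == "fill":
            opened.pop(ev.order_id, None)   # filled orders are no longer cancellable
    stats = {}
    for account, n_orders in orders.items():
        lifetimes = cancel_lifetimes[account]
        stats[account] = {
            "orders": n_orders,
            "cancels": cancels[account],
            "cancel_ratio": cancels[account] / n_orders,
            "avg_cancel_ms": sum(lifetimes) / len(lifetimes) if lifetimes else None,
        }
    return stats


def flag_accounts(stats: dict[str, dict], min_orders: int = 4,
                  min_cancel_ratio: float = 0.9, max_avg_life_ms: float = 100.0) -> list[str]:
    """Accounts with enough volume, an extreme cancel ratio and very short-lived orders."""
    return sorted(
        account for account, s in stats.items()
        if s["orders"] >= min_orders
        and s["cancel_ratio"] >= min_cancel_ratio
        and s["avg_cancel_ms"] is not None
        and s["avg_cancel_ms"] <= max_avg_life_ms
    )


if __name__ == "__main__":
    stats = account_stats(parse_log(SAMPLE_LOG))
    for account, s in stats.items():
        print(account, s)
    print("flagged for review:", flag_accounts(stats))
```

The thresholds are deliberately parameters: a legitimate market maker also cancels a large share of quotes, so a real surveillance rule tunes `min_cancel_ratio` and `max_avg_life_ms` per venue and product and treats a hit as a lead for review, not as a finding.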

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces' ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear, and that fear grows until it reaches the point of creating harm, loss and destruction. You have to find the cowboys in your organization, and you have to follow the mantra of the quality gurus of years past: "Drive out Fear."