Showing posts with label Violence Prevention.

15 September 2019

Never Forget: Beyond 9/11 & Adapting Inside the Enterprise...

"Being a patriot doesn't mean prioritizing service to government above all else.  Being a patriot means knowing when to protect your country, knowing when to protect your Constitution, knowing when to protect your countrymen, from the violations of and encroachments of adversaries.  And those adversaries don't have to be foreign countries."  Ed Snowden

One could wonder whether even just one of the individuals working with your organization internally or externally has the same or similar mindset of "Ed".  The question is, what are you doing as an Operational Risk Management (ORM) leader, to be legally proactive in your "Insider Threat" approach with employees, partners and your extended supply chain?

The adversary working with you inside your company, agency or partner, doesn't always start out to bring loss events to your enterprise.  It could take years, or months to develop a real justification in the adversary's mind, yet even when the activities and behaviors are evident, they are all too often missed, never understood or just too late to interrupt:
The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) are today partnering with federal agencies across the government to launch “National Insider Threat Awareness Month” during September 2019. Throughout September, the Office of the Director of National Intelligence, the Department of Defense, the FBI, the Department of Homeland Security, the Department of State and other federal agencies will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.  
How could you and your organization improve and adapt your current practices to raise the bar of excellence?  What can you do each day to make the quality and the results of your programs even better?

First, begin to understand the process by which events can trigger new behaviors in an individual's perceived stressors and lack of personal control.  Second, expand your proactive organizational toolkit to include proven technologies such as sentiment analysis for marketing purposes.

These same tools with the proper legal oversight and "Acceptable Use Policy" can be effective in your early warning systems.  Enterprise Risk Management also incorporates oversight and protections for privacy and civil liberties.

Here are five steps to be proactive at your organization in the U.S. this month of September 2019:
  • Create, refine and share your organization's "Insider Threat Program" (InTP) vision.
  • Educate, clarify and communicate the authorities, roles and policies of the program.
  • Validate tools, models and sources of information.
  • Plan ahead for the utilization of automated tools and human behaviors observed.
  • Seek better solutions to a continuously changing enterprise & supply chain environment.
Never Forget.  We have all heard the thought "Never Forget," when it comes to our recent anniversary of 9/11.  Yet we must simultaneously remember, that our adversary may be hiding in plain sight...

20 July 2019

Whole Community: OPS Risk Spectrum...

Operational Risk Management is a discipline that comprises a spectrum of "All Threats and All Hazards." A "Whole Community" approach to the nexus of national security, economic security and the entirety of our citizens.

The resilience factor in your private sector organization or the entire nation, will consistently be tied to the weak links in your preparedness:
  • Prevention
  • Protection
  • Response
  • Mitigation
  • Recovery
One of these five aspects will be your nemesis, when the next incident or catastrophic event touches your company, city, state or country. These are an increasingly interdependent ecosystem that determines your resilience factor. What business units, neighborhoods, counties or states are your weak links?

With every global event, whether it be the Active Shooter/Terrorist attack, Earthquakes, Floods, Hurricanes, Fires or Oil spills, the local community has a 72-hour window that will dictate its destiny.

Three days that will set the tone and the direction for the remaining weeks, months and years of recovery.

Time and time again we are reminded how important an effective security posture must be, before the "Whole Community" can begin to operate effectively. So what is the most effective system that focuses on people and not necessarily just a single process?

What are the correct steps soon after the event unfolds? The answer lies with the subject matter experts (SMEs) who time and time again, have been at the zero hour or day of the incident itself:
  • Security
  • Medical
  • Water
  • Shelter
  • Food
  • Counseling
Human behavior is an unpredictable factor. It can impact everything in terms of the speed and quality of post incident response. Without security, the first responders that perform medical triage will be reluctant and in harm's way to treat those who may have a greater likelihood to survive.

This cascades into several discussions that we know are hot for debate. What if the first responders are your fellow tenants on the floor above you, or the office building next door? Not the professionals from the local fire or police department.

"Citizen First Responders" (CFR) are your organization's front line Operational Risk Managers.

They are the individuals who will have the "Ground Truth" and will be required to make the hard and fast decisions on what needs to be secured, who needs to be saved and where to establish incident command.

How many CFRs are ready in your organization today? Your business park? Your neighborhood? Who is in charge of security? This list goes on...

Post Incident, it all begins from the ground up with people who want to be more active as a "Citizen First Responder" that are given the programs, tools and training. Here are just three facets of the different types of CFRs that exist:
The list of Non-Government organizations (NGO), Faith-based (FBO) organizations and others that exist is exhaustive. Like most everything, you have a pyramid where only a few rise to the top to become the most effective; because they truly understand the discipline of Operational Risk Management (ORM). 

Yet security is still the concern of any civilian-based personnel and population even today.

Where is the weak link in your Operational Risk spectrum?

16 September 2018

Crowdsourced Risk: Situational Awareness in Mass Emergency...

Real-time information and raw intelligence via mobile devices have changed the risk management dialogue from the Emergency Operations Center (EOC) to the corporate board room.

Operational Risk Management (ORM) professionals are leveraging this information in combination with crowdsourced mapping applications, GPS, video feeds and live reporting.

Intelligence Analysts have leveraged Big Data and Digital Analytics to extract the relevance of key questions asked by their constituents.  These same ORM professionals also realize the raw data feeds from John Q. Citizen are exactly that.

Fact checking, vetting and data verification, is still the task of journalistic and intelligence experts.

Whether you are talking about risk incidents that involve whistle blowers on Wall Street, severe weather events, natural disasters, the Arab Spring or an active shooter in a Denver, CO suburb; social media is there.

Corporate Chief Information Officers are in the middle of "Bring Your Own Device" (BYOD) policy development, while National Public Radio (NPR) is using Twitter as a news room approach to reporting in the Middle East. Errors, Omissions and the operational risks associated with this "New Normal" are upon us, with the crowdsourced future of news and intelligence:

In just a single flash back to 6 years ago, we were writing about how users of Twitter and Reddit used those networks to tell a compelling story about a mass shooting in Toronto, and how the same phenomenon was playing out in real-time during another horrific incident: a shooting at a movie theater in Colorado, that had killed at least a dozen people and wounded more than 50.

Although local TV news channels and CNN had been all over the story since it broke, some of the best fact-based information gathering had been taking place on Reddit and other open source curation tools.

The information posted on Facebook, Reddit or the organizational blog is at stake. Crowdsourcing and Crowdmapping with the correct tools and trusted rule-sets, is just the beginning.

From innovation to Revolution, Patrick Meier and his blog capture even more on the vital crowdsourcing topics. For a good foundation, also be sure to visit Sarah Vieweg's dissertation on situational analysis:

Situational Awareness in Mass Emergency: A Behavioral and Linguistic Analysis of Microblogged Communications (2012)

"In times of mass emergency, users of Twitter often communicate information about the event, some of which contributes to situational awareness. Situational awareness refers to a state of understanding the “big picture” in time- and safety-critical situations. The more situational awareness people have, the better equipped they are to make informed decisions. Given that hundreds of millions of Twitter communications (known as “tweets”) are sent every day and emergency events regularly occur, automated methods are needed to identify those tweets that contain actionable, tactical information."

Welcome to Dataminr...

In each of these newsworthy events, we can see how a new form of journalism and situational intelligence — one that blends traditional reporting and crowdsourced reports — has evolved.

When an era of these applications and zettabytes of pictures and videos are available to the public, the journalist/analyst has a tremendous volume of sources. This now includes the evolution of Body-Worn-Cameras (BWC).  And with those sources, comes a renewed responsibility to the integrity of the real mission before us. The truth.

What is actually the truth? What happened to whom and when?

The private sector has been leveraging Big Data Analytics for decades, including little known companies such as Acxiom, to collect and verify information on people, for the purpose of marketing. This indeed is a mature and established sector of the consumer retail industry and financial institutions for the purpose of operational risk management:
The ideal combination of vetted and proven data sources from private sector companies such as Acxiom in the U.S., along with the raw reporting of information from the social media sources is already the future of journalistic trade craft.
When journalism from trusted sources or intelligence reports from trusted analysts misuse or err in their use of these tools, the operational risk factors are magnified. This can damage reputations and even jeopardize human lives.  The mobile social media revolution has the potential to be a Pandora's Box.

The Operational Risk Management discipline provides the framework and the proven methodologies to mitigate the rising likelihood of a "Decision Disadvantage."

Whether you are the editor of a major publication or the watch commander at the local police department does not matter. Whether you are the CISO at a major corporate enterprise or the head of a government intelligence agency does not matter.

It begins long before Journalism school or high school English class. The ethics and integrity of information is at stake and it begins the first time you hand a pre-teen, their first mobile digital device.

22 October 2017

Threat Management Team: Preemptive Risk Strategy....

The Corporate Threat Management Team (TMT) has been busy this past year and your employees are consistently seeing new and startling behavior beginning to emerge. These small and versatile task forces within corporate Operational Risk committee members include the Chief Security Officer, Human Resources (EAP), Ethics & Compliance, General Counsel and Chief Information Officer or Privacy Officer.

Assessment of threats in the workplace that include violence, sabotage, financial fraud, homicide or suicide are growing in the current economic environment and the Board of Directors are on alert. The Board has a daunting responsibility to provide the enterprise stakeholders:
  • Duty to Care
  • Duty to Warn
  • Duty to Act
  • Duty to Supervise
Threat assessment is a legal responsibility of corporate management and directors, but this is not anything new per se. What may be trending upwards and at an alarming rate is the litigation associated with "Insider Threats." Just ask Dr. Larry Barton about the subject of corporate threat assessment:
"Despite sound recruitment practices, any employer may encounter situations in which colleagues are worried about their safety because of the actions or statements made by a co-worker. The person at risk could be a current employee, former associate/contractor, disgruntled customer, investor or other person who makes or constitutes a threat to your most vital resource - your human capital."
This (Threat Assessment) approach employs strategies that have been successful in a variety of situations, including:
  • an associate being stalked by a spouse or former partner
  • an employee who states that he or she is experiencing significant mental deterioration or who has thoughts of self-harm or homicide
  • altercations between co-workers and/or with a supervisor that are escalating in tone and severity
  • serious changes in attitude and performance with known or suspected substance abuse factors
  • social networking, blog and other means of electronically threatening an individual or team
Having personally witnessed Dr. Barton's methods and approaches, the science and his applications are sound. The strategy for implementation is based upon several decades of experience and encompasses the legal framework necessary to sustain the scrutiny of law enforcement and the courts.

The actions that are utilized to address a growing threat by a person in the workplace take a dedicated team, with the right tools and information at their fingertips. Making split second decisions based upon a lack of documented evidence, protocol failure to a set of written policies or just the wrong timing can open the doors for substantial and costly plaintiff suits.

Achieving a Defensible Standard of Care in the reality of today's volatile enterprises requires a sound governance strategy execution combined with new resources and tools to properly prepare for those almost certain legal challenges. Combining effective "BioPsychoSocial" subject matter expertise, along with the right people from legal, security, investigations, internal audit or corporate risk management can produce successful outcomes for "At Risk" employees and the entire enterprise.

This brings us to the next point regarding how a particular employee was allowed to get to the point of "No Return" in the workplace. Put on your thinking caps for a few minutes.

Whenever you have a Threat Management Team assembling to interdict a serious danger to the company, you immediately start to converge on the motive or reason why the person has acted or is acting against company policy or behaving in a threatening manner. It's natural to do so, as most people want to know what's causing the issue. Be careful. What seems to be the cause is only known as the "Proximate Cause." Do you really understand the "Root Cause" of the failure of people, processes, systems or some external events?

The analysis, investigation, documentation and presentation on what happened and why is the hard stuff. Getting to the "Truth" and getting answers to the "Root Cause" requires another team of specialty practitioners. These independent, outside risk advisory professionals should not be from any current or existing corporate supplier, auditor or management consultant. They truly need to be the independent, unbiased and diligent entity to discover the truth and to document the root cause of the incident. The goal is to eliminate the future threat and to mitigate any risks that may still be "lying in wait."

Corporate Management and Boards of Directors must continue to move to the left of the proximate cause on the risk management spectrum to be preemptive, proactive and preventive.

11 September 2016

9/11 2016: Remembering the Fallen...

"We Will Never Forget".  On 9/11 2016 as the names are read, we remember and we reflect upon the significance of this anniversary for each of us.  Fifteen years later from that horrific start of a new generation of Violent Extremism and International Terrorism we honor those who have fallen.

The First Responders from the ranks of the New York City Fire and Police Departments on that morning to the forward deployed from the CIA and our (AFSOC) Special Operations Forces a decade and a half later.  Four years ago today in Benghazi, we were attacked again at our U.S. Diplomatic Compound, 9/11 2012.

As we talk and discuss where we were and how we felt on that day in September 2001, it is vital we analyze what has changed and how we are now different.  Even today the kinetic war persists on the ground, in places like the Hindu Kush and Shabwah province to eliminate the threat of AQAP and ISIL or IS (Islamic State).

Meanwhile, millions gather at Mount Arafat in Saudi Arabia for the Hajj ceremonies, where Muslims believe the Prophet Muhammad gave his last sermon.  Fifteen of the 19 attackers were Saudi nationals.

Fifteen years ago the attacks were planned and coordinated by a more central and organized set of leadership in al-Qa'ida.  The erosion of Middle East states after the Arab uprising has brought us an asymmetric threat commanded online through social media and more sophisticated video enabled communications strategies.  These tangents for recruitment and online command and control have created new challenges for our counter terrorism (CT) strategies.

Watching the dual beams of light shining over New York City at Ground Zero on this anniversary we must not forget.  We must seek to understand the behavioral components of "Homegrown Violent Extremism" (HVE) as the primary future weapon of al-Qa'ida leadership.  From Paris and Nice to San Bernardino and Dallas the variants of how and where HVE will erupt are unknown and even harder to detect in advance of a violent attack.
Now that women, young children and even four-wheel truck vehicles have been utilized as simple tools to perpetuate the stealth and low-tech / high-assurance approach to killing innocents, there is still nowhere to hide.  There is no place that is truly safe.
The primary solution for you, your company and a nation is to continue to enhance Operational Risk Management (ORM) and to seek even more robust levels of resilience.  We have learned years ago that the ability to adapt and to survive relies on this core strategic capability.

Whether you are preparing for that next hurricane, earthquake, cyber or explosive attack does not matter.  We must all seek to better understand Operational Risk and prepare even more than we ever have in the past.

On this fifteenth anniversary, we have learned so much and still have so far to go...Godspeed!

23 July 2016

ECPA: Reality of Homegrown Violent Extremism...

In the United States, Operational Risk Management Executives in the private sector are consistently balancing the legal requirements for public safety and their customers' right to privacy. The Internet Service Provider (ISP) General Counsel's duty to facilitate the rule of law within the private sector organization, has been on a collision course with protecting the homeland for over a decade since 9/11.

One of the critical tools for Homeland Security Intelligence (HSI) is the "Electronic Communications Privacy Act" (ECPA) and for good reason. The law provides the tools for law enforcement and national security intelligence analysts while simultaneously protecting the privacy interests of all Americans. In a 2011 statement before the Committee on Judiciary, United States Senate, Associate Deputy Attorney General - James A. Baker outlines the basis for ECPA:
"ECPA has never been more important than it is now. Because many criminals, terrorists and spies use telephones or the Internet, electronic evidence obtained pursuant to ECPA is now critical in prosecuting cases involving terrorism, espionage, violent crime, drug trafficking, kidnappings, computer hacking, sexual exploitation of children, organized crime, gangs, and white collar offenses. In addition, because of the inherent overlap between criminal and national security investigations, ECPA’s standards affect critical national security investigations and cyber security programs."
The criminal elements and their organized syndicates are leveraging modern day technologies and capabilities of the private sector. The legal first responders for our 21st century homeland threats don't always wear a badge and drive a Crown Vic on patrol around our city streets. Many spend their hours on patrol in cyberspace or analyzing terabytes of data online with sophisticated software to determine the what, who, why and how of the current threat stream.

The US government has a fiduciary and legal duty to protect the privacy and civil liberties of all US citizens. Parallel to this task is the rapidly changing use of communications and other mobile technologies to facilitate and support the activities and operations of individuals and networks of people, who exploit the design, configuration or implementation of our country's homeland defense architecture.

Whether this architecture includes the utilization of 72 Fusion Centers or the methods for collecting "Suspicious Activity Reports" (SARS) from those first responders, the fact remains that the pursuit of national security threats is a lofty task. This is happening today, on the ground and in the digital domain. Therefore, the speed that these individuals can legally obtain the data they require to make informed decisions is at stake and so we must eliminate any new impediments put before them. From Mr. Baker's statement on "Government Perspectives on Protecting Privacy in the Digital Age" he explains further:
Addressing information associated with email is increasingly important to criminal investigations as diverse as identity theft, child pornography, and organized crime and drug organizations, as well as national security investigations. Moreover, email, instant messaging, and social networking are now more common than telephone calls, and it makes sense to examine whether there is a reasoned basis for distinguishing between the processes used to obtain addressing information associated with wire and electronic communications. In addition, it is important to recognize that addressing information is an essential building block used early in criminal and national security investigations to help establish probable cause for further investigative techniques. Congress could consider whether this is an appropriate area for clarifying legislation.
Any changes to the ECPA laws should be considered carefully with not only the government but the private sector. The combination shall work together to find the correct balance between national security requirements and the privacy of the customers of mobile communications, e-mail, and social networking entities. The time that it takes our first responders to rule-in or rule-out a person of interest in an ongoing investigation can mean the difference between a failed or successful attack on the homeland. The private sector shall determine the prudent cost to the government for providing the legally obtained information of non-telephone records such as a name, address and other metadata. By the way, has anyone noticed that the criminals, terrorists, spies and other malicious actors have decided to use Telegram, or WhatsApp instead of their mobile telephone?

Homeland Security Intelligence (HSI) first responders will be the first to tell you that the crime syndicates and non-state actors have gone underground and have stopped using the tools that leave the data more easily accessible by law enforcement. Now, they are creating and operating their own private and secure infrastructures within the confines of private sector companies. These clandestine groups have organized hierarchy and specialized skills and therefore, the US government must continue to step up the pace, legally.

What does this all mean? It means that there will be a lower chance of undercover law enforcement officers becoming members of these organized crime syndicates that in many cases are the genesis for homegrown violent extremism (HVE).

Homegrown extremists can be individuals who become violently radicalized, perhaps after exposure to jihadi videos, sermons and training manuals available on the Internet, security officials say. Such plotters are harder for counterterrorism officials to spot because they have few links with known terrorist operatives and often don’t travel overseas for training.


Another implication is that there is a higher chance that private sector researchers will understand the new trade craft of HVE actors, long before law enforcement and national security intelligence analysts. This is because the standard approach to the "Seven Signs of Terrorism" has been focused on the physical infrastructure. Organizations in the private sector have been researching, tracking and profiling since the late 1990s on the methods and modus operandi of the digital extremists who have plagued our banks and other financial institutions with cyber crime.

The time is now for these two distinct disciplines and professionals to converge. The public as eyes and ears combined with the legal tools to extract the timely information from technology providers is part one. Part two is the integration of intelligence analytic training with the curriculum of the police and fire academies for new recruits. Providing these first responders with the methods, tools and capabilities to be more effective collectors on the street level, will provide the fusion centers with a more robust set of relevant information streams. Here is an example from a graduate certificate class in criminal intelligence analysis from AMU:

The graduate certificate in Intelligence Analysis provides you with a fundamental understanding of the issues, problems, and threats faced by the intelligence community. This online graduate program helps you develop a comprehensive knowledge of how intelligence agencies in the U.S. assess and counter international threats in order to guard U.S. global interests and protect U.S. national security from adversaries. Knowledge from this certificate program is applicable to many career fields within the military, security companies, government contractors, or federal agencies.

We have a choice to provide our first responders with the correct training and OPS Risk education for today's Homeland Security Intelligence (HSI) mission. Our national policy makers have a choice to assist them in getting the information they need to do their jobs quickly, efficiently and while protecting civil liberties. The choices that we make fifteen years after 9/11, will define the landscape for homegrown extremism and the legal framework for ensuring the safety and security of all Americans for years to come.

20 February 2016

Predictive Intelligence: Data or Precogs...

The use of the term "Predictive Intelligence" has been around for a few years in the Operational Risk Management (ORM) community.  Born from the marketing collateral of the Business Intel (BI) vendors, it essentially requires hundreds of gigabytes or even terabytes of historical data, which is then analyzed or data mined for so-called insight.  The question is, why is this "Predictive Intelligence" and not just more "Information" in a different context?

Now introduce the nexus of our own "Trust Decisions" and the "Human Factors" associated with the science of cognitive decision making.  How do we as humans make our decisions to trust vs. how computers make their decisions to trust?  Are they not executing rules written by humans?  When is it information in a different format as opposed to true intelligence?

Christian Bonilla may be on to something here:
"Professionals in the foreign intelligence community take pains to distinguish between information and bona fide intelligence. Any piece of knowledge, no matter how trivial or irrelevant, is information. Intelligence, by contrast, is the subset of information valued for its relevance rather than simply its level of detail. That distinction is often lost in sector of the enterprise technology industry that is somewhat loosely referred to as Business Intelligence, or BI. This has become a bit of a catchall term for many different software applications and platforms that have widely different intended uses. I would argue that many BI tools that aggregate and organize a company’s information, such as transaction history or customer lists, more often provide information than intelligence. The lexicon is what it is, but calling something “intelligence” does not give it any more value. In order to sustainably outperform the competition, a company needs more than a meticulously organized and well-structured view of its history. Decision makers at all levels need a boost when making decisions amidst uncertainty and where many variables are exerting influence. They need what I would call predictive intelligence, or PI – the ability to narrow down the relevant variables for analysis and accurately measure their impact on the probability of a range of outcomes."
What does the fusion of human factors have to do with predictive intelligence?  That depends on how much you value the kind of innuendo and messages in the Tom Cruise movie, Minority Report.  Many aspects of the original Philip K. Dick story were adapted in its transition to film that was filmed in Washington, DC and Northern Virginia.  Is it possible to predict someone's future behavior even before they commit a crime or even become violent?
Set in the year 2054, where "Precrime", a specialized police department, apprehends criminals based on foreknowledge provided by three psychics called "precogs".
Cruise plays the role of John Anderton who is part of the experimental police force known as "Precrime."  These aspects of clairvoyance and precognition have many skeptics about their use for predicting future events.  A related term, presentiment, refers to information about future events which is said to be perceived as emotions.
Regardless of terms, beliefs or whether the software analytics are using historical data, the science of "Predictive Intelligence" is about forecasting the future.  Based upon the recent global events that missed the forecast of economic implosion based upon historical data, maybe it's time to start introducing more human factors to the equation.

The interviews with people who have gone on record to predict a future historical event will probably be right at some point in time. How long will you be around to wait?  The demise of the banking sector and the extinction of Lehman Brothers, Bear Stearns and maybe even AIG were most likely predicted by someone, somewhere in the 2007/2008 time frame.  The point is that you have to have context and relevance to the problem being solved or the question being asked.
The real story of the crash began in bizarre feeder markets where the sun doesn't shine and the SEC doesn't dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower- and middle-class Americans who can't pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren't talking.
Predictive analytics extracts relevant information from data and attempts to forecast the future. It relies on capturing relationships between explanatory variables and the predicted variables from past occurrences, and exploiting them to predict future outcomes.  Is it possible that there was and is too much reliance on the numbers and not enough on people's cognitive intuition?

This blog has documented the "11 Elements of Prediction" in the past.  Now it's time to utilize the combination of these human factors in close collaboration with the data analytics and raw numbers. Effective execution of both will provide corporate management the situational awareness they seek within the timeline they wish.

The future state of Predictive Intelligence will combine the science of "Trust Decisions" with the art of "Data Analytics" to achieve our desired outcomes.

14 February 2016

Workplace Violence: Cues and Clues to Teach...

Operational Risk Management (ORM) is your foundation for crisis leadership. It will also prepare the enterprise for the potential for Homegrown Violent Extremism (HVE).  Is there a nexus between the cues and clues of traditional workplace violence and domestic terrorism? A domestic terrorist differs from a homegrown violent extremist in that the former is not inspired by, and does not take direction from, a foreign terrorist group or other foreign power.

All work locations have distinct categories of threats that are relevant to the site, people and type of business. Assessing the violent factors is the role of retired Senior FBI profiler Mary Ellen O'Toole, and there are four categories of threat according to her study, "The School Shooter: A Threat Assessment Perspective":
  1. A Direct Threat
  2. An Indirect Threat
  3. A Veiled Threat
  4. A Conditional Threat
Employees must be trained to be aware of the warning signals that typically occur before a threat and violent act becomes operational. Based on the O'Toole study these are some of the 23 "Red Flags" that employers should be monitoring and keeping their Corporate Threat Assessment Teams on high alert for:
  • Low tolerance for frustration
  • Poor coping skills
  • Failed relationships
  • Signs of depression
  • Exaggerated sense of entitlement
  • Attitude of superiority
  • Inappropriate humor
  • Seeks to manipulate others
  • Lack of trust/paranoia
  • Access to weapons
  • Abuse of drugs and alcohol
Source: O'Toole, Mary Ellen, "The School Shooter: A Threat Assessment Perspective," by the Critical Incident Response Group (CIRG), the National Center for the Analysis of Violent Crime (NCAVC) and the FBI Academy.
The court and the jury will look upon your employer's ability to apply the basics of workplace violence and threat assessment. What did you know? When did you know it? What have you done about it? They will judge you on the threat assessment's utilization of insider threat intelligence combined with the evidence of your overt training of employees in the workplace. What grade would you give your company today for these fundamentals?

Let's take it to the next step in terms of your ability to even meet the requirement by the Occupational Safety and Health Administration (OSHA) in the United States. Awareness programs are expected on the four primary types of workplace crimes:
  1. Those crimes committed by people not connected to the workplace.
  2. Aggression by third parties including customers, clients, patients, students, or any others for whom you provide a service or product.
  3. Employee-to-Employee violence or a former employee who returns to the workplace with the intention to injure a former supervisor.
  4. Aggression related to a personal relationship inside or outside the workplace.
The organization that understands the foundation for creating a proactive and preventive team for incidents in the workplace should not stop there. Once you have developed the framework for Incident Command, Emergency Operations Center, Shelter in Place, Medical Triage and Evacuation, you have a good baseline to extend to a complete "Continuity of Intelligence Operations" strategy. This requires a deeper analysis into the threats inside your organization that may put you out of business entirely:
The ISIS assault on Paris and the ISIS-inspired massacre in San Bernardino, California, share a disturbing fact, no one saw them coming. Today, the biggest terrorist threat to the United States is not like al Qaeda. ISIS is wealthy, agile, sophisticated online, and operates freely in a vast territory of its own. It prefers to be called the Islamic State. The U.S. government calls it ISIL. Reporters tend to call it ISIS for the Islamic State in Iraq and Syria. But whatever the name, it has the manpower, means and ruthlessness to attack the U.S. The man who is supposed to stop that attack is John Brennan, the director of the CIA. And tonight, in a rare interview, we talk to Brennan about a world of trouble and we start with the most pressing danger.
Once the organization has adopted the "All Threats - All Hazards" intelligence mentality, it is well on its way to becoming a survivable business.  Operational Risk Management (ORM) is a discipline that incorporates this approach and equips owners, operators and business suppliers with the tools, methods and strategy to handle workplace violence incidents or a catastrophic act of mother nature.

27 December 2015

Executive Security: Personal Protection Specialist...

Operational Risk Management (ORM) extends beyond the perimeter with some of your most valuable assets.  The Fortune 500 Chief Executive Officer and their staff team of subject matter experts are continually at risk.  Even if you are the co-founder of a new start-up with that new "Killer App" ready for testing with SOCOM, you may now require several full-time security risk professionals at your side.

In the corporate Protective Security environment, the "Advance Work" being executed by your ORM team will ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals in Protective Security Details (PSD) realize that your site or lead advance agent can make or break the entire operational risk strategy for your proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on pervasive high tech tools such as "Google Maps" or even the standard-issue Garmin GPS will create a vulnerability just at the point in time when your principal says, "Let's change the itinerary or the location of the next meeting".  A "15 Minute Map" compiled from a good old-fashioned road atlas can be the low tech tool that saves lives and prevents potential chaos.

21st Century Executive Security and modern day Personal Protection Specialists (PPS) who understand the value of the "Advance" and apply it effectively will continue to keep their principals safe and secure, with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants, manufacturing facilities or meet with government officials have been incorporating more protective intelligence and advance work for good reason. The global business environment is increasingly volatile and subject to rapidly changing political risks and subjective "Rule of Law" in many emerging democracies.

Whether it is weapons at close range or at a distance, explosive IEDs or kidnapping plots, today's global and mobile executive is ever more at risk.  Effective "Advance Work" is the most important and critical aspect of the security operation.  Site and route surveys, "eyes on" residences, airports and hotels, hospitals, police stations, restaurants and convention centers are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD as the Protective Security Detail agents run the operation. The Principal is potentially aware of such activity, yet is shielded from any lethal imminent threats as the day's agenda unfolds.

What may be more obvious is the PSD's use of "Cooper's Colors":

"By using a well-practiced, concrete, formulaic train of thought, it prevents the hesitation normally experienced when one is under threat of attack or actual attack, and this is the purpose of the code, to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself." "The way Jeff Cooper explains it is:"
  • White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.
  • Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.
  • Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.
  • Red - you are actively defending yourself or others against a threat that has presented itself to you.
It's not just about general awareness, it's about positively identifying potential and actual threats, as you go about your daily life. It is this threat identification and acquisition process that is so valuable, that reduces your response time to those threats, if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) become an even more vital asset in the OPS Risk portfolio, where the Board of Directors has authorized significant premiums for an executive's kidnap and ransom (K&R) insurance. Why?

Like many aspects of our society today regarding information privacy, one only wonders how information gets leaked from the confines of the corporate enterprise. Operational Risks involving people in your organization exist every day.  Insuring against losses and protecting against personnel loss events is imperative. Utilizing the correct strategy, tools and professional human assets to comprise the entire security envelope, including the effective use of Protective Security Details, can make all the difference in your organization's resilience factor.

22 February 2015

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls and don't have any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk?  By that we mean, the factors are high that an individual will do something or be the target of an incident that causes irreversible harm to themselves and/or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree to which we see, time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxOs revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise: from the front door to the intrusion prevention system, in the HR process from interview to termination, and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

01 December 2014

Courage: Risk of Physical & Moral Fear...

The effective implementation of Operational Risk Management (ORM) requires two types of courage: physical and moral.  What are some examples?  "Physical Courage" is the act by an individual to run into the burning building to save those caught on the upper floors.  "Moral Courage" is the decision to finally expose the multi-year fraud scheme executed by the company controller, who happens to be your boss and is a former college classmate.

The courage component is different, yet the same.  The existence of fear in a "physical sense" may be harder to overcome since it will expose you to bodily harm and potential death.  The fear associated with a "moral sense" will impact your reputation or standing in the community that you live in, or the profession you operate within.  This fear could be greater for some than even risking one's own life.

Is it possible to learn and improve your skills for both physical and moral courage?  The answer is yes and it has been a factor of education and training for hundreds of years.  The goal is to ensure that your organization, enterprise, team or community is learning both and creating effective habits.  Continuous and repetitive exercises to deal with the fear of bodily harm or of blowing the whistle on your best friend are the bottom line here.
"What are you doing to overcome your fear to save a life?  What are you doing to overcome your fear of reputation loss?  The ratio of learning both and exercising them in the field or when needed inside the institution, enterprise or government is what is at stake."
Once the education and training programs are in place to learn new skills then the fear of action will diminish, when the time comes.  Who do you have coming to work each day who has the balanced ability to carry an adult out of the burning building or simultaneously detect a multi-layered accounts payable scheme?

Unfortunately, these are only two examples of a wide spectrum of courage that is required each day. In New York City or the Sahel, from the Board Room to the Break Room, from the Class Room to the Conference Room, both physical and moral courage will be required.  In seconds.  The courageous decision you make may cause bodily harm or the end of a career.  What are you going to do to learn and train to deal with the fear that you will encounter?  What kind of courage will you be called upon to utilize in order to act, to behave correctly and expeditiously?

Operational Risk Management (ORM) is a vital factor in your city, your business and your virtual community.  It spans the spectrum of courage from physical to moral.  The question remains: will you act when the time and moment arise?

10 August 2014

4th Paradigm: Predictive Risk Innovation...

21st century innovation requires new thinking, new tools and the application of a creative mind.  When it comes to innovating Operational Risk Management (ORM), take a leap towards "Predictive Intelligence".  What has been holding you back?  Is it the right combination of new thinking, new tools and the applications you haven't even thought of yet?

How could we apply the use of a High Performance Computing (HPC) cluster using Amazon's Elastic Compute Cloud (EC2) with the right haystack of data to get the answers we seek?  Without building a new data center and for under $5K.  Think about the possibility of 10,000 plus server instances running across five data centers, with the results we seek in hours.  Utility Super Computing is here today for white hats and also even the "Black Hats."

Predictive Analytics is an art and a science that is thriving with the use of "Fusion Infrastructure" by the hour. Why do we need to spend tens of millions of dollars on our own data center anymore to get the rapid answers we require to run our business or to defend our nation?

Now the debate has gone beyond the infrastructure to look at the other bottlenecks.  What about the database architecture itself?  Is the traditional implementation of the disk-intensive real-time Relational Database Management System (RDBMS) paradigm over?  Hadoop is here, yet requires new language learning curves and is a batch solution.  This could be one of the answers to predictive risk innovation:
MemSQL is the distributed in-memory database that provides real-time analytics on Big Data, empowering organizations to make data-driven decisions, better engage customers, and discover competitive advantages. MemSQL was built from the ground up for modern hardware to leverage dozens of cores per machine and terabytes of memory. We are entering an era that will be defined by distributed systems that scale as you need capacity and compute, all on commodity hardware.
How long will it take you to stand up your own "Operational Risk Intelligence Center"?  One or two days or a week, with the right people and skill-sets in place.  What kinds of questions and answers will allow you to predict the future faster than your competitor or your latest cyber adversary?
If you throw enough money at a problem there’s bound to be a solution, some think. That’s the logic of security expert Dan Geer, who this week told the Black Hat conference in Las Vegas that the U.S. government should throw a heck of a lot of greenbacks at people who discover vulnerabilities. 
How much? Ten times more than anyone else, he said in a keynote address.
Geer, chief information and security officer at In-Q-Tel, a not-for-profit venture capital company that invests in early stage companies making products aimed at U.S. intelligence agencies, maintained the U.S. should corner the market on vulnerabilities.
“Then we make them public and reduce to zero the inventory of cyber weapons that others have,” he was Geer said. “I believe that exploitable software vulnerabilities are scarce enough that if we corner the market, we can make a difference.” including eSecurity Planet and ThreatPost.com.
A number of companies have so-called bug bounty programs, including Microsoft and Google. Nor is Geer the first to say governments should open their wallets. In January, researchers at NSS Labs issued a report arguing that only drastic measures can bring cyber threats under control.
Innovation in the Operational Risk Management spectrum is on the verge of massive change. Operations Security, Fraud Analytics and Supply Chain Management are just the beginning.  The Board of Directors of the commercial enterprise, Military Strategic Commands and virtual chat rooms on the deep web, are debating these very subjects.  Application of "Utility High Performance Computing" in combination with 4th Paradigm databases, puts innovation back at the forefront of the creative mind.

11 May 2013

Invisible Wounds: Risk to the One Percent...

There is an alarm bell ringing within the ranks of Operational Risk Management executives in the United States.  As brave, experienced and motivated veterans enter the U.S. civilian work force, it is growing louder by the hour.  Our "One Percent" who serve in the military, leaders returning from over a decade of war and those who have earned the Global War on Terrorism Expeditionary Medal (GWOTEM), now have a new adversary.  Does your organization hire veterans or spouses of vets?  How are you taking an active role in veterans' hiring, career goals, aspirations and training?  What are the potential indicators of an employee at risk?
Melanie Haiken, Contributor - Forbes
Almost once an hour – every 65 minutes to be precise – a military veteran commits suicide, says a new investigation by the Department of Veterans Affairs. By far the most extensive study of veteran suicides ever conducted, the report, issued Friday, examined suicide data from 1999 to 2010.
The fact is that about 31% are vets, who are under 50 years old and in the prime of their lives and careers.  The Operational Risks associated with a growing workplace with veterans come in different areas of concern and opportunity.  The awareness building program within a workplace that is focused on mitigating risks to the enterprise should be focused on behaviors and pre-incident indicators.  Especially when it comes to humans.  "Invisible wounds" are just that.  They are hard to see.

Has your organization been faced with an employee who was a veteran and took their own life?  The cues and clues may not be so obvious.  Human Resources departments, Organizational Development management and senior executives are starting to hear that alarm.

There are people walking around your organization at this very moment, who are at risk and you may be naive to the indicators.  Begin the process today to change this growing epidemic.  Create a mechanism for awareness building, of the potential pre-incident indicators.  More importantly, what are you doing to proactively evaluate and monitor employees who are veterans?
60 Minutes - Invisible wounds of war by David Martin
An estimated quarter million servicemen and women have suffered concussions over the past decade of war. Tens of thousands -- no one knows the precise number -- are dealing with lasting brain damage. The Pentagon, which did not recognize the problem until the war in Iraq was almost over, is now scrambling to treat these invisible wounds. And soldiers suffering from them sometimes end up wishing they had a wound people could see.
There are programs for building awareness with employees and even a growing number of non-profit organizations that are making a difference.  The point is, what is management doing to proactively engage fellow executives to be more proactive on multiple fronts?  Here is one example that you should be investigating immediately.  Pretend for a moment that you as a CEO, are a veteran that is applying for a job at your company.  Go to your own career web site page and apply for a job at your company.  Why?  See how easy it is.  See what happens next.

The reason is clear.  You don't have any idea what a veteran goes through to first apply for a position with your company.  Second, you do not fully understand, how your own HR and recruiters follow-up and provide any feedback to the applicant, once they have navigated the vast maze of your latest outsourced online job platform.

We would also request that you investigate your organization's process for doing periodic assessments of employee performance.  How is this the same or different for a veteran?  Has it been modified, or is it done with a trained professional who may be able to use substantial experience to provide an early warning system for vets who may be at risk in your workplace?

Whether you are in the military ranks now as a commander or you are an executive in the government, business or part of a non-profit, you think you know the stakes.  You think you understand the Operational Risks associated with the hiring and employment of veterans.  You do not, because no one does completely.  This complex mosaic of laws, health care and human psychology issues may very well be one of the greatest operational risk challenges before us as a nation.

Begin your journey to better understanding this by visiting this U.S. Department of Veterans Affairs web site:  http://www.veteranscrisisline.net

This Memorial Day, we will remember all those heroes who have fallen, especially here at home.  In our own town.  We can and must do better...

16 June 2012

London: Olympic Games Risk Management...

As the summer approaches the world is gearing up for the 2012 Olympic Games in London in about 41 days.  The athletes are making their respective rounds on television and other media to discuss their thoughts.  The U.K. Home Office is on high alert and has been preparing the "Operational Risk Strategy Execution" for years.

The private sector is finalizing plans for the millions of dollars in advertising and promotions on television.  The rest of the world will be watching from their easy chairs in Kansas City USA, the mountain villages of Switzerland, the outback of Australia to the most remote locations in the Sahel.

Every two years the humanity of the Olympic Games comes alive and we all realize that it is possible to get along, to cooperate and to coordinate.  For historical and cultural reasons the world comes together to compete.  And in every venue and each sport the rules change.  The distance, the accuracy, the time.  They are all measured and the rule-sets have been determined in advance.  The competitor knows and understands the measures by which they will be judged.  In the swimming pool, on the track, mat or field or in front of the target.

The collaboration across the planet somehow brings us all to the point of a temporary "Time Out."  Where it almost seems calm and peaceful for those days and weeks.  A time when humanity can say to itself that it really is possible to all get along.  A time to show ourselves what really is possible if we have the will and the heart to make it all happen, on time and without incident.

The social media buzz on a daily basis will be coming live from millions of Twitter and Blog posts.  Crowdmap will be utilized to assist in the event of a crisis.  The mobile device will continue to be a valuable way for the authorities to have continuous opportunity for situational awareness.  Applications from companies such as RealityMobile provide real-time streaming video from any camera-enabled PDA device.  All of the communications equipment to collect, view and analyze information will remain a part of the layered defense in depth to deter, detect and prevent an adverse incident.  The London Olympics in 2012 will have the same challenges and the identical set of risks as Beijing or Greece in 2008 or 2004.  What is different this time?

This summer's 2012 Olympic Games may be one of the most technology-enabled risk management projects ever.  At the same time, the social scientists have been working on the analysis of the organizational risk facets of such a gathering in London.  Human factors and social demographics of the people attending are a major consideration in operational risk management planning:

"It is necessary for most of us these days to have some insight into the motives and responses of the true believer. For though ours is a godless age, it is the very opposite of irreligious. The true believer is everywhere on the march, and both by converting and antagonizing he is shaping the world in his own image. And whether we are to line up with him or against him, it is well that we should know all we can concerning his nature and potentialities."
Hoffer, Eric (2011-05-10). The True Believer: Thoughts on the Nature of Mass Movements (Perennial Classics). Harper Collins, Inc.

The 1951 classic by Eric Hoffer is already Operational Risk reading 101 and the modern day Arab Spring is a perfect example of what messages Hoffer has reminded us to consider over 60 years later.  Yet those who continue to study the social science of mass movements, realize that our greatest risk mitigation tool will continue to be one of the least technical and most effective.  Education and Awareness.

We encourage all of our Operational Risk professionals to educate and increase the awareness of your employees and friends and family who will be attending the London Olympic Games 2012:

Official London 2012 Join In App

In the summer of 2012 London and the UK will come alive with events, celebrations and activities during the Olympic and Paralympic Games.
The Official London 2012 Join In app is a mobile guide to help you plan, enjoy and share your Games experience.
This free app is an essential planning tool for everyone, whether you have tickets for a sporting event or not. From the start of the Olympic Torch Relay to the Olympics and Paralympics, the Opening and Closing Ceremonies, plus all the cultural, city and community celebrations happening across the UK, Join In is your essential companion.

Official London 2012 Results App

The Official London 2012 Results app provides all the latest news, schedules and results, allowing users to keep up-to-date with the latest action live across all Olympic sports and Paralympic sports.
Key features include results, live updates, calendar schedule, details of sports, medal tables and athlete profiles. Users can also follow specific countries, receiving official news and updates tailored to them all in one app.
It’s the essential app for all sports fans to share the excitement of London 2012!

31 December 2010

Denial: Resolution for a New Year...

On the eve of the New Year, 2011 approaches with new perspectives and newfound learning on the risks before us. Operational Risk is about managing "All Hazards" and "All Crimes" whether you are working within the ranks of the largest global 500 organization, or managing self as J. Q. Citizen. OPS Risk is not just about a government or corporate perspective any longer and is becoming more personal for many professionals in their daily lives. Managing their families, their households and the risks associated with spouses, parents, siblings and even those who you don't even know. But they know you.

In Dr. Jessica Stern's latest book "Denial: A Memoir of Terror" you will find that her story is very much about your own personal operational risk management. It will transport you into thoughts about all of the ways that people can learn about you and your personal life through good old-fashioned surveillance or today on Facebook or Twitter. Yet this isn't about this new age phenomenon of digital stalkers or voyeurs. This story is about "Denial" and the risk of denial in the context of observation of your own behavior and that of the others who surround you.

"Denial is almost irresistibly seductive, not only for victims who seek to forget the traumatic event but also for those who observe the pain of others and find it easier to ignore or "forget." In the long run, denial corrodes integrity--both of individuals and of society. We impose a terrible cost on the psychically wounded by colluding in their denial."
In this skillfully wrought, powerful study, a terrorism expert, national security adviser (The Ultimate Terrorists), and lecturer at Harvard, returns to a definitive episode of terror in her own early life and traces its grim, damaging ramifications. Having grown up in Concord, Mass., in 1973, Stern, then 15, and her sister, a year younger, were forcibly raped at gunpoint by an unknown intruder; when the police reopened the case in 2006, Stern was compelled to confront the devastating experience. The police initially tied the case to a local serial rapist, who served 18 years in prison before hanging himself. Stern's painful journey takes her back to the traumatic aftershocks of the rape, when she began to affect a stern, hard veneer not unlike the stiff-upper-lip approach to survival her own German-born Jewish father had assumed after his childhood years living through Nazi persecution. Covering up her deep-seated sense of shame with entrenched silence, Stern had a classic post-traumatic stress disorder—which she was only able to recognize after her own work interviewing terrorists. Stern's work is a strong, clear-eyed, elucidating study of the profound reverberations of trauma.

Dr. Stern brought to light, in her process of interviewing people, that "Denial" can be a true "Operational Risk" in itself. How many times have you observed someone's behavior and thought to yourself, that doesn't feel right? How many times have you said to yourself, this behavior is not good for my own well-being? This self-talk is something that all of us need to pay more attention to, as we embark on this New Year and the next decade of the 21st century.

What behavior have you witnessed lately that you are in denial about? Make a New Year's Eve wish, pledge or resolution that this has to end. Whatever the behavior that has occurred or will soon occur, the risks are too great to remain in denial. The trauma that exists in your mind, or the potential impact that a future trauma may have, can be managed from a risk management point of view. What is the likelihood and the impact to you, your organization or your friends and family?

As we all watch the ball drop tonight at 12:00 midnight in the USA in Times Square, New York City, reflect on the 2010 risks that you took by continuing to be in denial. Think about all of those people you encounter every day at work, in the local grocery store and even in your own neighborhood. Open your eyes and your mind to the behaviors that just don't seem right. Manage your risk exposure when it comes to the people you associate with and the people who are watching you, without your knowledge.

The contributor(s) to this Operational Risk Management blog wish you a Happy and Prosperous New Year!

22 March 2010

Legal Risk: Forensic Intel for Investigations...

A wide spectrum of Operational Risk incidents are in the news. Executive Management in the private sector, law enforcement and the military are investigating cases of identity fraud, cyber hacking and insider digital sabotage, transnational economic crime, intellectual property theft, ACH cyber robbery, counterfeiting, workplace violence and industrial espionage. Government agencies and regulatory authorities are increasing oversight, compliance and reporting requirements with the private sector and federal contractors. Inspectors General and Internal Affairs are addressing whistleblower claims and internal corruption. Homeland security and "Connecting the Dots" are on almost every American's mind.

All of these Operational Risk Management (ORM) challenges require comprehensive, efficient and legally compliant intelligence-led investigations to establish the ground truth and then to enable a "DecisionAdvantage." The legal framework that establishes your organization's ability to provide a "Duty to Care", "Duty to Warn", "Duty to Act" and "Duty to Supervise" is imperative.

When does information that is collected become a violation of a person's privacy or legal rights? Is it at the point it is collected from a source, or how and when it is analyzed by a human? These questions and more will be discussed as the dialogue pursues the latest challenges in Forensic Intelligence, a fast and forensically sound data acquisition, analysis and review solution for front line officers from the corporate investigations, law enforcement and government communities.

These intelligence-led investigations also leverage the use of new forensically sound methods and proven legal procedures for collection of digital data from a myriad of technology platforms including laptops, PDAs, cell phones and more. These methods have been tested and certified in the forensic sciences for decades and follow many of the legally bound and court tested rules associated with evidence collection, preservation and presentation. Digital Forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments to not only discover what they are looking for but also know when to use this in a court of law to find the truth.


10 December 2009

Legal Doctrine: Intelligence-led Threat Assessment...

Corporate Threat Assessment is gaining new momentum as "Operational Risk Management" professionals utilize new business processes and tools to preempt human malfeasance. Whether it is the disgruntled employee who has just been separated from the company or the college student who acts against his math teacher for grades, the question remains: How could this have been prevented?

The Washington Post reports:

A disgruntled 20-year-old student walked into a classroom at the Northern Virginia Community College campus in Woodbridge on Tuesday afternoon and fired at least two shots from a high-powered rifle at his math teacher, authorities said.

The teacher saw the gun, yelled for her 25 students to duck and then hit the floor.

"We heard a boom," one of the students said later. "I thought to myself, did a computer explode?"

The student's shots missed. He put the gun down, sat on a chair in a fourth-floor hallway and calmly waited for police.

Jason M. Hamilton of Baneberry Circle in the Manassas area was charged with attempted murder and discharging a firearm in school zone. He was being held without bail, and police officers said they wanted to question him about a motive.

The legal machine is at work to determine the multitude of reasons why this incident occurred and to collect the evidence in the case. The investigation into "Who Knew What When" will be spinning up almost simultaneously as the plaintiff lawyers determine what opportunities might exist for a lawsuit. Several areas of questioning for Northern Virginia Community College (NOVA) will include:

1. What evidence is there of a Duty to Care: Did NOVA provide training for professors to alert an internal "Threat Assessment Team" whenever they witnessed or found evidence of specific pre-incident indicators?

2. What evidence is there of a Duty to Warn: Did NOVA warn fellow employees to keep an eye out for any students carrying long slender bags into campus buildings or to monitor parking lots for suspicious activity?

3. What evidence is there of a Duty to Act: Did NOVA provide notice to security employees about the student who was absent during the term for over three weeks?

4. What evidence is there of a Duty to Supervise: Did NOVA professors report any strange behavior, statements, or even the fact that the student had been absent almost a month?

Human behavioral studies regarding workplace safety suggest that one in five people come to the institution every day with a serious problem going on in their personal life. This has a dramatic effect not only on workplace performance but also the potential for bad behavior. This bad behavior could be acted out physically or quietly and in stealth mode. In either case, the company, its employees and the reputation of the institution are at stake. What is your Corporate Threat Assessment Team working on today to preempt the next incident?

As the investigators evaluate the digital evidence in the case such as e-mails, Facebook Wall postings or other information found on a PDA, laptop or home computer, the "Smoking Gun" may be uncovered. And when it becomes public, the game-changing events will begin to unfold. Many companies feel that having a formal internal "Threat Assessment Team" sends the wrong message to the employees that "Big Brother" is watching. This could not be further from the true state of mind of many employees today. Knowing that a team is proactively addressing the one in five employees every day in the workplace should provide more peace of mind than the thought of an invasion of privacy.

So what are the typical channels that an employee will use to communicate their grievance or threat?

  • Letter - 2%
  • Phone message - 5%
  • Social Networking site - 7%
  • Text message - 9%
  • e-Mail - 22%
  • Verbal threat - 46%

Source: Laurence Barton, Ph.D. - Current Study to be completed in February, 2010

If this trend continues then over half of the communicated threats will be via a digitally based medium. What is your organization doing today to monitor communications for specific threats to your employees, suppliers or partners? The modification of Acceptable Use Policy and the other legal policy regarding the workplace monitoring of e-mail is not a new phenomenon in many organizations, notably those in the Defense Industrial Base (DIB).

Recent changes in the privacy settings of Facebook make much of the information placed in these 350 million profiles public information and therefore capable of being viewed and analyzed by a proactive threat management team. Here is the analysis from the EFF:

The Ugly: Information That You Used to Control Is Now Treated as "Publicly Available," and You Can't Opt Out of The "Sharing" of Your Information with Facebook Apps

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI." Before, users were allowed to restrict access to much of that information. Now, however, those privacy options have been eliminated. For example, although you used to have the ability to prevent everyone but your friends from seeing your friends list, that old privacy setting — shown below — has now been removed completely from the privacy settings page.


There are legal cases pending and there will be more to come about whether the mining of public data for profiling people is against the law. In most cases, it will be dependent on who is doing the collecting and for what reasons. Yet the most sophisticated systems for doing analytics or the latest matrix or mosaic methodology will not be able to provide a fail-safe for the corporate enterprise. This is precisely why the earlier mentioned employer "Duties" are so vital to day-to-day operational risk management. The actions you take before, during and after an incident will be the most vital to your legal and reputational survival.

TWO computer programmers who worked for convicted fraudster Bernie Madoff were charged with bribery by the US Securities and Exchange Commission today.

Jerome O'Hara and George Perez allegedly took bribes to create false documents and trading records for Bernard L Madoff Investment Securities LLC for more than 15 years, according to the SEC's complaint.

"Without the help of O'Hara and Perez, the Madoff fraud would not have been possible," George S Canellos, director of the SEC's New York regional office, said.

"They used their special computer skills to create sophisticated, credible and entirely phony trading records that were critical to the success of Madoff's scheme for so many years."

Operational Risk Management requires vigilance in monitoring digital information inside and outside the workplace. Those institutions that combine the correct legal doctrine, business processes and technology will prevail in the vast chaos of litigation and human threats within the workplace.