Saturday, February 25, 2012

RSA Conference: CSO Insomnia Over Insider Risk...

Next week thousands of risk management and security professionals will descend on the RSA Conference in San Francisco. The myriad topics, education sessions and case studies are worth examining to see what is on the minds of the thought leaders and practitioners who have been designated as speakers. You can even look to the popular press to get a sense of what this year's biggest worries will be:

  1. Mobile Devices
  2. Advanced Persistent Threat
  3. Big Data Privacy
  4. Hacktivists

However, if you spend some time drilling down on each of these topic areas and really look at the actual presentations, some are based upon real cases and research and others are not. The one presentation that caught our eye, and that some savvy CSOs would say keeps them sleeping with one eye open each night, addresses their insomnia over the "Insider Threat": that person, or organized group of unidentified subjects, whose purpose is to recruit vulnerable people into initiating or perpetuating crimes against the organization.

Dawn Cappelli runs the Insider Threat Center at the Software Engineering Institute and highlights these areas of concern from their research and analysis of real cases:

The CERT Top 10 List for Winning the Battle Against Insider Threats

Dawn M. Cappelli Director, CERT Insider Threat Center CERT Program, Software Engineering Institute Carnegie Mellon University

  • 10. Learn from past incidents
  • 9. Focus on protecting the crown jewels
  • 8. Use your current technologies differently
  • 7. Mitigate threats from trusted business partners
  • 6. Recognize concerning behaviors as a potential indicator
  • 5. Educate employees regarding potential recruitment
  • 4. Pay close attention at resignation / termination!
  • 3. Address employee privacy issues with General Counsel
  • 2. Work together across the organization
  • 1. Create an insider threat program NOW!
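As an added example, not from Cappelli's talk or the CERT program, of how items 8 and 4 on the list (use the technologies you already have differently; pay close attention at resignation and termination) can be turned into one concrete check: the Python below correlates an HR roster with file-server access log lines and flags departing employees whose data access in the 30 days before their termination date reaches a byte threshold, also counting after-hours events. The roster and log formats, the field names, the 30-day window, the threshold and the business-hours range are all assumptions, and the records are constructed for the example.

```python
import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample data (not real records): an HR roster export and a
# file-server access log. Columns and field order are assumptions.
HR_ROSTER = """employee,department,termination_date
alice,finance,2012-03-02
bob,engineering,
carol,sales,2012-02-20
"""

# Assumed log format: <ISO timestamp> <user> <action> <path> <bytes>
ACCESS_LOG = """2012-02-10T09:12:00 alice read /finance/q4_forecast.xlsx 180000
2012-02-27T22:41:00 alice read /finance/customer_list.csv 52000000
2012-02-27T22:43:00 alice copy /finance/customer_list.csv 52000000
2012-02-28T08:05:00 bob read /eng/design.doc 400000
2012-02-15T11:00:00 carol read /sales/pipeline.xlsx 900000
2012-02-19T21:10:00 carol copy /sales/pipeline.xlsx 900000
2012-02-19T21:15:00 carol copy /sales/contracts.zip 80000000
"""

NOTICE_WINDOW = timedelta(days=30)   # look-back before the termination date (assumption)
BYTES_THRESHOLD = 10_000_000         # alert when the window total reaches this (assumption)
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 counts as normal hours (assumption)


def load_roster(text):
    """Map employee -> termination date (None for current staff)."""
    roster = {}
    for row in csv.DictReader(StringIO(text)):
        term = row["termination_date"].strip()
        roster[row["employee"]] = date.fromisoformat(term) if term else None
    return roster


def parse_log(text):
    """Parse whitespace-separated access events; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, path, size = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(size),
        })
    return events


def departing_access(roster, events, window=NOTICE_WINDOW, threshold=BYTES_THRESHOLD):
    """Return one alert per departing employee whose data volume in the
    window before termination reaches the threshold, highest volume first."""
    alerts = []
    for user, term in roster.items():
        if term is None:
            continue  # no termination on file: not in scope for this check
        start = term - window
        hits = [e for e in events
                if e["user"] == user and start <= e["ts"].date() <= term]
        total = sum(e["bytes"] for e in hits)
        if total < threshold:
            continue
        alerts.append({
            "user": user,
            "termination_date": term.isoformat(),
            "bytes": total,
            "files": sorted({e["path"] for e in hits}),
            "after_hours": sum(1 for e in hits if e["ts"].hour not in BUSINESS_HOURS),
        })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for a in departing_access(load_roster(HR_ROSTER), parse_log(ACCESS_LOG)):
        print(f'{a["user"]}: {a["bytes"]} bytes across {len(a["files"])} files, '
              f'{a["after_hours"]} after-hours events, leaving {a["termination_date"]}')
```

The point of the example is the join, not the threshold: the access log and the HR roster already exist in most organizations, and the signal appears only when the two are read together. In practice the termination date would come from the HR system feed, and the window would start at the resignation notice rather than the last day.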


Number Three on the list is certainly in the top third, and for good reason. Employees, and the policy decisions on what data is owned by the company and what is owned by the employee, are of grave concern these days in the United States. Now, after so many years, it looks as if this issue is going to get more heated and see the light of day from a congressional point of view. Yet the CSO must feel that the safeguards necessary to keep the organization safe and secure are not in place yet. Catherine Dunn of ALM's Corporate Counsel sheds more light on this:

According to a new White House report on consumer data privacy protection, trust is worth a lot of money to U.S. businesses—users have to know their data will be protected if the economic engine of digital innovation is to keep roaring. Ergo, the U.S. needs a privacy framework that’s “flexible” enough to accommodate industry innovation, and comprehensive enough that consumers will feel safe—and keep clicking.

But trust between consumers and companies in the U.S. is only part of the equation. There’s another important element, too: how compatible U.S. safeguards are with those of the rest of the world, and particularly Europe. This new proposal arrives a month ahead of a conference on data protection between E.U. and U.S. officials in Washington, D.C., leading to questions about whether Europe and the U.S. are any closer to getting on the same page when it comes to data privacy.

The answer not only depends on who you ask, but also what section of the White House’s report you’re looking at. The white paper lists seven principles and stresses that these principles should form the basis of voluntary codes of conduct adopted by industry. Once adopted, the Federal Trade Commission would have the power to enforce compliance to those codes. The paper also includes a call for Congress to pass legislation based on these principles, and devotes a section to “international interoperability”—which considers how data can be sent across international borders without violating laws on either side of the transaction.

This is where we need to make sure we understand the difference between the privacy issues that concern a company employee and the privacy associated with a U.S. consumer, who is not an employee but perhaps a member, client or customer of the organization.

If we go back to the big worries at RSA and combine them with the employees who are operating at the "Speed of Business" in your enterprise, you begin to see the difference. Actually, if you think about it some more, every employee of the organization has a duty of care for the information inside the organization, in order to protect the assets of the enterprise and, simultaneously, the assets of the consumer.

The consumer's assets are their "Personally Identifiable Information" (PII), and in many cases this is what the organized criminals are after in the first place. This is where the outside recruitment threat has its nexus. However, highly trained and state-sponsored agents placed inside the enterprise to steal corporate or national security secrets are few and far between these days. That may be surprising to some, but if you look at how the exfiltration of data is taking place, it is almost all automated. No human intervention is required.

If that is the case, then what are Dawn Cappelli and the Insider Threat Team at CERT so concerned about from their research insights:

Criminal enterprises mask their fraud by involving multiple insiders who often work in different areas of the organization and who know how to bypass critical processes and remain undetected. In several cases, management is involved in the fraud. Those insiders affiliated with organized crime are either selling information to these groups for further exploitation or are directly employed by them. Ties to organized crime appear in only 24 cases in the CERT insider threat database and are characterized by multiple insiders and/or outsiders committing long-term fraud.
All of the insiders involved with organized crime attacked the organization for financial gain. The insiders usually were employed in lower level positions in the organization, were motivated by financial gain, and were recruited by outsiders to commit their crimes. The average damages in these cases exceed $3M, with some cases resulting in $50M in losses.


Now you know why your CSO is headed to the RSA Conference next week and why they are sleeping with one eye open these days.

Saturday, February 18, 2012

Security Governance: Rededication...

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity is held accountable for its performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. An element that has only recently been recognized is the role of risk management in Security Governance.

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk for security governance. The security governance policy should mirror the deeply felt commitment of the organization or nation to its shareholders and citizens. It should foster a positive and trusting culture capable of making certain that strategic adverse risks are identified, removed, minimized, controlled or transferred.

An enterprise is subject to a category of risk that can’t be foreseen with any degree of certainty. These risks are based upon events that “Might Happen”, but haven’t been considered by the organization. Stakeholders can’t be expected to be told about these risks because there is not enough information to validate or invalidate them. However, what the stakeholders can demand, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.


It is this Security Governance management system that we all should be concerned with, and that we seek from our executives, board members and oversight committees. There should be a top management strategic policy focused on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and how risk assessment will be defined

A process should be established for risk assessment that takes into consideration:

  • Impact, should the risk event be realized
  • Exposure to the risk on a spectrum from rare to continuous
  • Probability based upon the current state of management controls in place

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

Saturday, February 11, 2012

Homeland Resilience: Operational Risks in the Supply Chain...

The U.S. Homeland Security Intelligence (HSI) priorities are good indicators of what the private sector can expect for government intelligence coordination, cooperation and collaboration in the next few years. Operational Risks to business operations in the United States are ever more complex and increasingly tied to the security of the homeland.

In many cases, the private sector has the answers that can pave the way for improved relevancy and accuracy of information for the government. This translates into greater operational risk management insight that would not previously have been known, or that enhances the clarity of insights already known to the Homeland Security Intelligence mechanisms. Here are a few of the top-of-mind categories in which the private sector and the public sector could be forging new partnerships:
  • Global Maritime Shipping
  • International Banking & Finance
  • New and Developing E-Commerce Technologies
  • Application and Use of Social Media - Charting Cultural Topography
  • Modeling Human Behavior - Patterns and Applications of Usage
  • Nanotechnology
  • Robotics and Automation - New and Developing Technologies and Uses
  • Drug Flow Modeling - Legitimate North and Southbound Shipping Routes and Vulnerabilities along the SW Border

Why should the private sector be working on these and sharing what they know with the appropriate channels in the U.S. Government? For one, to reduce your own Operational Risks as you run your business operations across the country and as you operate on a more global basis. Overall, Homeland Security is reliant on a resilient "Global Supply Chain".

International trade has been and continues to be a powerful engine of United States and global economic growth. In recent years, communications technology advances and trade barrier and production cost reductions have contributed to global capital market expansion and new economic opportunity. The global supply chain system that supports this trade is essential to the United States’ economy and is a critical global asset.

Through the National Strategy for Global Supply Chain Security (the Strategy), we articulate the United States Government’s policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our Nation’s economic prosperity. Our focus in this Strategy is the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems. The Strategy includes two goals:

  • Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is to promote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption.
  • Goal 2: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions.


One of the vital linchpins for achieving these goals will be a converged and globally accepted management system for supply chain resilience. This blog has discussed ISO 28000 in the past, and now that the White House has published the policy direction we need to revisit why this is a private sector imperative:


ISO 28002 Standard for Resilience in the Supply Chain approved by ISO

The latest member of the ISO 28000 series, the ISO 28002 Standard for Resilience in the Supply Chain, has been unanimously approved for publication by the International Organization for Standardization (ISO).

Based on the ANSI/ASIS Organizational Resilience Standard (ANSI/ASIS.SPC.1), the ISO 28002 provides a basis for an organization to evaluate both its organizational and supply chain risks and to develop a comprehensive strategy to manage the risks that may disrupt its operations.

The ISO 28000 series of standards seamlessly integrate with the ISO 31000 risk management standard, thereby allowing organizations to develop a cost effective holistic approach to managing risk.

With ratification of the ISO 28002, the ANSI/ASIS.SPC.1 Standard becomes the only US Department of Homeland Security Private Sector Preparedness (PS-Prep) standard with a ratified ISO counterpart.


For those private sector organizations that for some reason are not familiar with the DHS PS-Prep program, you should be. It is the path towards creating a more resilient private sector, which will have the lion's share of responsibility for keeping the supply chain operating after any significant disruption, whether physical, cyber or both.

So what does all of this mean for the Operational Risk Management professional of a U.S. business? It means that you have to take it up a notch. Gather the heads of your risk silos from finance, IT, corporate security, human resources and your crisis or continuity of operations section. Look at ISO 28002 as a team and begin the process of digesting what it means to your organization. How could you internalize and operationalize it together to increase your level of resilience from 36 hours to 72 hours?

What does DP World understand about its importance that you might not?

Tarragona, Spain / Dubai, United Arab Emirates, January 15, 2012:- Global marine terminal operator DP World has achieved a major security milestone with DP World Tarragona achieving ISO 28000 certification – the 40th DP World facility to receive the independently audited award.


Saturday, February 04, 2012

Irregular Warfare: 21st Century Corporate Battlefield...

The safety and security of your corporate assets is a Board of Directors level issue. Loss events, including adversarial litigation for errors, omissions, or just plain ignorance of regulatory compliance, are gaining momentum. The Operational Risks associated with human behavior and the daily tasks performed on the job remain a vast vulnerability within the corporate enterprise. Why?

The discipline of effective Operational Risk Management requires a tone from the top that speaks to the core issue:

Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps.

The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed –- the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.


The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personally Identifiable Information" (PII) and the risks associated with wrong, invalid or corrupted information will continue to accelerate. The loss events are directly tied to the speed and sophistication of the systems people use in their daily tasks; whether it is a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.

When sharing information to address the threats from transnational non-state actors, remember that those who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business have three places to focus their efforts on your systems and controls:

  • Design
  • Implementation
  • Configuration

If business understands that these are the three areas the attackers are focused on, then perhaps it will realize that resources and manpower must be allocated to these key components of the enterprise defense. If you think about each loss you have incurred over the past year, the odds are that your attacker was able to exploit one of these three attributes. Think about it for a minute.

Even if your design is flawless in theory, over time you may come to find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designer's instructions, you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits, the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or to operate in complete stealth mode, until it is too late. This is known as irregular warfare:


When we say irregular warfare, what we're really talking about is a not so new, but newly formalized, approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. Its most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.


Irregular Warfare “the concept” equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors, both state and non-state; challenge causations that include crime, extremism and accelerating migration patterns; and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.


In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of the new adversaries (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration apply just as easily to your accounting controls as to your security measures. Those organizations that learn how to apply modern-day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses. The Operational Risk Management discipline is an essential element that begins with the tone at the top and one enlightened CEO.

Saturday, January 28, 2012

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us how many people talk about risk management, mitigation and implementing risk controls without any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk? By that we mean that the factors are high that an individual will do something, or be the target of an incident, that causes irreversible harm to themselves and/or the institution during their tenure as an employee. The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it, for example, that this kind of event occurs in this industry over the course of one year? Certainly the ratios are known; otherwise the insurance product would not exist to protect you.

Predictive analytics, and the processing of information to predict what has a high chance of actually occurring, is a whole other matter. In order to be predictive, you have to have actual experience, and it has to be so innate that it becomes more than just an intuition. Some call it "self-talk" and others a gut feeling, but whatever it is, it got there because of your past experience. If it's more powerful than that, you may be experiencing something we all know as "Real Fear". You have to realize that when you get that tingling sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the preincident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is how often, time and time again, we see these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.


It's time that CxOs revisit all of these elements in each of the risk management systems in place in their enterprise: from the front door to the intrusion prevention system, in the HR process from interview to termination, and from the training room to the board room.

Predictive analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

Saturday, January 21, 2012

Executive Security: Personal Protection Specialist...

In the corporate Protective Security environment, the "Advance Work" will either ensure your success or contribute to the embarrassment or injury of your client/principal. Professionals on Protective Security Details (PSDs) realize that the site or lead advance agent can make or break the entire operational risk strategy for proactive and preventive security measures.

Thinking like the DEVGRU attacker and possessing a "Red Cell" mentality is a valid approach for several aspects of the advance work necessary to ensure an effective "protective envelope". What ends up being the greatest threat to your operation may be technology itself. Too much reliance on new high-tech tools such as "Google Maps" or even a Garmin GPS creates a vulnerability at the moment your principal says, "let's change the itinerary," or changes the location of the next meeting. A "15 Minute Map" compiled from a good old-fashioned road atlas can be the low-tech tool that saves lives and prevents chaos.

21st Century Executive Security and modern-day Personal Protection Specialists (PPS) who understand the value of the "Advance" and apply it effectively will continue to keep their principals safe and secure, with a high degree of professional client service. Corporations operating in countries where executives are required to visit critical infrastructure plants and manufacturing facilities or to meet with government officials have been incorporating more protective intelligence and advance work, for good reason. The global business environment is increasingly volatile and subject to political risk and a subjective "Rule of Law" in many emerging economies.

Whether it is weapons at close range or from a distance, explosive IEDs or kidnapping plots, today's global and mobile executive is more at risk. Advance Work is the most important and critical aspect of the security operation. Site and route surveys and "eyes on" residences, airports and buildings, including hotels, hospitals, police stations, restaurants and convention centers, are a mandatory component of the advance operations.

Surveillance Detection (SD) remains a vital facet of the advance work, including the ongoing SD the Protective Security Detail agents conduct as they run the operation. The Principal may be aware of such activity yet is shielded from any less-than-lethal, imminent threats as the day's agenda unfolds.

What may be more obvious is the PSD's use of "Cooper's Colors":

Using a well-practiced, concrete, formulaic train of thought prevents the hesitation normally experienced when one is under threat of attack or actual attack; this is the purpose of the code: to prevent unnecessary hesitation, and to apply only that force which is necessary to defend yourself. The way Jeff Cooper explains it is:

  • White - relaxed and fairly oblivious of your surroundings, you should only be in this condition if you are at home or another secure setting behind locked doors.
  • Yellow - the state of not only constant awareness, but the constant recognition of possible threats. In this state, you are observant of your surroundings, allowing you to recognize threats if they present themselves.
  • Orange - in this state, you have recognized a potential threat, and are ready to defend yourself against this threat if necessary.
  • Red - you are actively defending yourself or others against a threat that has presented itself to you.

It's not just about general awareness, it's about positively identifying potential and actual threats as you go about your daily life. It's this threat identification and acquisition process that is so valuable, and that reduces your response time to those threats if they present themselves.

Executive Security and the Personal Protection Specialist (PPS) become an even more vital asset in the OPS Risk portfolio where the Board of Directors has authorized significant premiums for an executive's kidnap and ransom (K&R) insurance. Why? As with many aspects of information privacy in our society today, one can only wonder how information leaks from the confines of the corporate enterprise. Operational Risks to and from people in your organization exist every day. Insuring against losses and protecting against loss events are both imperative. Utilizing the correct strategy, tools and human assets to compose the entire security envelope, including the effective use of Protective Security Details, can make all the difference in your organization's deterrence factor.

Saturday, January 14, 2012

Risk Culture: The Root Cause of Business Assurance...

There is a scarcity of enlightened organizations that truly understand the root cause of risk in their enterprise. The business assurance they seek, and the Operational Risk Management outcomes they receive, are in direct proportion to the "Risk Culture Maturity" within the company. This risk culture's maturity is the root cause of why certain kinds of risks exist and of what ability the organization has to accept, mitigate or transfer that risk.

A risk culture begins and ends with the human ability to communicate effectively with other humans. The human behaviors associated with communicating risk have everything to do with the ability of one person to know the truth and to tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that, and doing it without fear.

What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision that you will alienate them. The fear that by uncovering a fellow workers risky behaviors to the rest of the team that you will jeopardize the overall mission.

Guess what, people: the ability, or lack of ability, of humans to communicate risk factors to each other truthfully and without the fear of judgement or retribution is why you either live or die. This is the reason your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has everything to do with communicating the truth in an effective way.

The risk culture problem is one that continues to rear its ugly head time and time again, and shows itself in the published press or in the digital eDiscovery process of modern-day litigation. Look back on almost any loss event like this and you will see that it could have been addressed or contained, if only humans had communicated effectively about the risk(s) to them personally or to the unit, whether it be a family, a branch office or an entire agency of government.

The organizations that survive and are able to outperform their competition are those that understand this reality. Leadership that insists people strip away the fear of judgement, retribution or long-term bias, and communicate the reality of what they truly sense as humans, will be superior. A risk culture that is truly understood, and that simultaneously monitors people's ability to learn from their mistakes, will continue to outperform and survive in whatever environment it lives in.

Leadership is charged with the state of its organization's culture. The fundamental risk to any organization is that leadership does not recognize this and pays little or no attention to the maturity of its culture in dealing with risk and human factors. This begins with the person across the table, by your side in bed, or next to you at the controls of a vehicle, on land, in the air or at sea.

It doesn't matter who the leader is: the Founder, CEO or Chief Risk Officer; the Branch Manager, Area Supervisor or Vice-President; the Element Leader, Master Chief or C.O.; Mother or Father. Managing a culture of communicating the truth and reality without judgement begins the process of building a risk management entity that will not only survive; it will outperform the perceived opposition.

The Quiet Professionals of the Operational Risk Management discipline are enlightened, multi-dimensional individuals, and that requires a brain trust of diverse people with different life experiences. These courageous people must then be engaged in the correct setting and risk culture, with the right combination of business objectives, resources and mission outcomes. Only then will the environment they operate in determine who survives the continuous performance evolution. The root cause of Business Assurance is the Risk Culture.

Saturday, January 07, 2012

PPD-8: Resilience of the Whole Community...

Business Resilience in 2012 will continue to be a factor of the private sector's ability to withstand the Operational Risks it encounters. The strategy for business assurance will need to be cognizant of the environments for preparedness and sustainability set forth by local and federal governments.

This bottom-up approach to achieving "Whole Community" resilience depends upon cooperation, coordination and communication at the citizen, city and county level. In the United States, Presidential Policy Directive 8 (PPD-8) has been put forth as the baseline that both private and public entities are expected to adopt and implement going forward:

National Preparedness is aimed at strengthening the security and resilience of the Nation by preparing for the full range of 21st century risks that threaten national security, including weapons of mass destruction, cyber attacks, terrorism, pandemics, transnational threats and catastrophic natural disasters.

The National Preparedness System Description is the second deliverable required under Presidential Policy Directive (PPD) 8: National Preparedness. The National Preparedness System Description concisely describes current efforts and how we will build on those efforts, many of which are established in the Post-Katrina Emergency Management Reform Act and other statutes, to build, sustain and deliver the core capabilities needed to achieve the National Preparedness Goal.

Specifically, it identifies six components to improve national preparedness for a wide range of threats and hazards, such as acts of terrorism, cyber attacks, pandemics and catastrophic natural disasters. The system description explains how as a nation we will build on current efforts, many of which are already established in the law and have been in use for many years. These six components include:

  • Identifying and assessing risks;
  • Estimating capability requirements;
  • Building or sustaining capabilities;
  • Developing and implementing plans to deliver those capabilities;
  • Validating and monitoring progress made towards achieving the National Preparedness Goal; and
  • Reviewing and updating efforts to promote continuous improvement.

The six components can be internalized by the citizen, the community and the private sector and incorporated into their own respective operational risk management strategies. The mechanisms for elevating situational awareness have improved dramatically in the years since 9/11. Citizens have prepared their own personal 72-hour kits, business organizations have created awareness programs for their members to heighten planning activities, and local cities and counties have trained thousands of volunteers for the Community Emergency Response Team (CERT).

This gets us so close to the goal and yet so far from really understanding where we are weak and where the single points of failure still remain. Think about it. How often has your household, community or business actually tested and exercised its ability to withstand a 72-hour crisis? The odds are you haven't, and therefore all your planning and preparedness will never reveal where to improve or what resource investment is required to achieve greater degrees of safety, security and overall resilience.

Ten years after the 9/11 attacks, are our first responders prepared? A new report conducted by Capella University seeks to answer this question.

"To assess our preparedness for another disaster, Capella University partnered with leading national public service and public safety organizations, including the U.S. Council of the International Association of Emergency Managers, the American Public Health Association, the American Society for Public Administration, the Comprehensive Emergency Management Research Foundation, and the FBI National Academy Associates to conduct a nationwide survey of more than 1,000 public service and public safety professionals. We wanted to hear directly from those who would be on the front lines of the next crisis."

Key findings include:

  • 71% believe the United States is better prepared for a terrorist attack today than we were in the days before September 11, 2001.
  • 67% think the federal government and our leaders in Washington, DC, are not giving this issue enough attention.
  • 66% say their governor and state government leaders are not giving this issue enough attention.
  • 69% are worried that the United States will experience another major terrorist attack.

Regardless of the outcomes of this study, each community, state and region will be at a different degree of readiness. Your job, should you choose to accept it, is to figure out where your community is today on the following scale and how to get it to the next level:

  1. No Awareness
  2. Denial / Resistance
  3. Vague Awareness
  4. Preplanning
  5. Preparation
  6. Initiation
  7. Stabilization
  8. Confirmation / Expansion
  9. High Level of Community Ownership

Do you think that Houston is more prepared than Denver? Why or why not? Do you think Los Angeles is more prepared than Las Vegas? The degree to which an area faces an ongoing perceived threat and vulnerability will in most cases dictate where it sits on the 1-9 scale above.

Ultimately, the United States National Preparedness System's ability to succeed is based upon ensuring the whole community has the opportunity to contribute to its implementation, to achieve the goal of a secure and resilient Nation. How often is the private sector the catalyst, or the citizen community the one asking government to participate in its exercise, as opposed to the other way around?

Saturday, December 31, 2011

OPS Risk 2011: A Year of Living Dangerously...

2011 has been a year of living dangerously. Operational Risks have plagued governments, private sector companies and the citizens of local communities across the globe. The continuous threats from people, processes, systems and external events will become substantially more asymmetric in 2012, and volatility will become the new normal.

As professionals plan and budget for the next annual cycle there will be tremendous debate on where to invest in new mitigation and remediation strategies. The economics of austerity programs will now become another threat to consider as infrastructures continue to decay. People are leveraging the power of mobile devices to sustain their situational awareness and to wage "Information Warfare" on the brand equity of Fortune 500 companies. Verizon has followed in the footsteps of Bank of America. Ylan Mui of the Washington Post explains:

Verizon backed away on Friday from plans to charge customers a $2 fee to pay their bills online or over the phone after receiving thousands of complaints, the latest victory in a wave of consumer activism that has roiled some of the nation’s largest companies.

The announcement came a day after the fee was made public. Consumer advocacy groups derided the charge as “pay-to-pay.” The fee also caught the eye of Verizon’s regulator, the Federal Communications Commission, which had said it would look into the issue. But it was individual consumers — amped up after battles this year with corporate giants such as Bank of America and Target — that the company said tipped the scale.


Corporate brand managers and CEOs have little tolerance for erosion in brand equity. This is in contrast to politicians, who continuously operate at approval ratings hovering around 50%. How different the behavior remains in the public vs. private sector. Look for this to change in 2012 as an election year takes hold in the United States.

The systemic impacts from failed banking institutions and nation states will not be underestimated any longer. Will the rise of democratic states in the Middle East increase the risk to your organization? Think about the new risks yet to be discovered as a result of the death of Usama bin Laden. al-Qa'ida's so-called new American recruits suggest a pattern to be debated, and they include:

  • Omar Hammami
  • Daniel Boyd
  • Carlos Bledsoe
  • David Headley
  • Michael Finton
  • Hosam Smadi
  • Betim Kaziu
  • Terek Mehanna
  • Jaime Paulin-Ramirez

Today's radicalization process is domestic to the U.S. and can take only months. It is decentralized and is taking place on the Internet, not in churches, synagogues, mosques or other places of religious worship. The face of terrorism has morphed into people born in the USA, educated here, who have never left the homeland. They are invisible.

The number of supply-chain disruptions that occurred over the course of 2011 is undetermined, because of the sensitivity of the information and the implications for a business's market share or stock price. Suffice it to say that the multi-headed hydra unleashed by the Macondo Gulf oil disaster is still being calculated, even as new criminal charges are being considered by the Justice Department. Consider some of the insurance industry's scariest risks, from Willis:

In the energy industry, the unthinkable has perhaps already happened: the $40 billion in losses associated with the Macondo well that blew out last year were utterly unprecedented. Most of that risk was uninsured, so the energy market got off relatively lightly in this case. But as the drive to drill wells similar to Macondo continues, the nightmare scenario for the energy market is the “perfect storm” of another blowout of a similar nature combined with a Gulf of Mexico windstorm on the scale of a Katrina, Rita or Ike. That would almost certainly lead to underwriting losses that would be sufficient to prompt a potential capacity crisis.

The point is that the attacks will continue and the defenses will never be high enough or wide enough to protect your assets from loss and harm. If this is the case, what have you planned for 2012 that will encompass the business resiliency doctrine? Who is your Chief Continuity Officer, and how will they be investing in your continuous survival next year?

Operational Risks in 2012 will trend higher for organizations because there are decision makers who will continue to ignore the factors of resiliency. The mindset associated with resiliency takes the point of view that you will be attacked by cyber marauders, that your supply chain will suffer a catastrophe of epic proportions from a natural phenomenon, and that you will suffer the consequences of significant employee-based litigation. And the list goes on...

Which risk is scariest for your business?

  • Terrorism (14%)
  • Environmental Unknowns (8%)
  • Death of Innovation (8%)
  • Data Breach (8%)
  • Supply Chain Disruption (8%)
  • Not Understanding Risk (8%)
  • Italian Default (7%)
  • Chinese Pandemic (5%)
  • Exploding Health Care Costs (5%)
  • Macondo Mach II (5%)
  • Mass Real Estate Disruption (5%)
  • Systemic Risk (3%)
  • Coal-tastrophe (3%)
  • New Frontiers in Renewables (2%)
  • D&O Insolvency (2%)
  • Middle East Oil Prices (2%)
  • Blackout Britain (2%)
  • Aerospace Fuel Prices (2%)
  • Credit Price Hikes (0%)
  • Solvency II (0%)
  • Obstetrics (3%)

Finally, we want to thank you for raising this blog to the #2 link on Google when searching for Operational Risk and Operational Risk Management. We agree that Wikipedia should remain #1. In 2012, look for more topics and expanded investigative reporting. And one of these days, perhaps it will be time to gather the best of our 1,000+ posts into an e-book for your Kindle.