The safety and security of your corporate assets are a Board of Directors-level issue. Loss events, including adversarial litigation for errors, omissions, or just plain ignorance of regulatory compliance, are gaining momentum. These Operational Risks associated with human behavior and the daily tasks performed on the job remain a vast vulnerability within the corporate enterprise. Why?
The discipline of effective Operational Risk Management (ORM) requires a tone from the top that speaks to the core issue:
The growth of more sophisticated attacks on our critical infrastructure, exploits that compromise our "Personally Identifiable Information" (PII) and the risks associated with wrong, invalid or corrupted information will continue to accelerate. The loss events are directly tied to the speed and sophistication of the systems associated with people doing their daily tasks. Whether it be a person operating a vehicle with computers on board or sensors designed to collect specific information, the systems are faster and more complex.
Historically, financial institutions that have experienced security breaches or costly exposure to operational and other kinds of risks have tended to keep these incidents under wraps. The conventional wisdom was that it was bad for the brand and bad for the business to talk about these situations. But times have changed: the developments of the past couple of years in the financial services industry have served to demystify risk management in many ways. At the same time, with e-crimes and other kinds of online security breaches becoming more sophisticated and prevalent, some industry players are calling for more openness and collaboration as a way to try to identify and prevent attacks before they compromise critical customer information.
Sharing information helps address the threats from transnational non-state actors who are organized and operating with the intent of exploiting vulnerabilities in the fabric of business. These actors have three places to focus their efforts on your systems and controls:
- Design
- Implementation
- Configuration
Even if your design is flawless in theory, over time you may come to find that the wall is not tall enough, the fence not long enough or the door not strong enough. Even if your implementation follows the designer's instructions, you may find that the environment you operate in is too hot, too isolated or overwhelmed with chaos. Even if your configuration today is a one-to-one match for all known exploits, the adversary is watching and monitoring your design and implementation. They are changing their tactics and "Modus Operandi" (MO) to fool you, scare you or to operate in complete stealth mode, until it is too late. This is known as irregular warfare:
In order to better understand how to mitigate operational risks in our institutions, you also have to study the complexity of modern warfare. The speed and complexity of new adversaries (fraudsters, hackers, spies, terrorists, vandals, corporate raiders) that exploit your Design, Implementation or Configuration can be applied easily to both your accounting controls and security measures. Those organizations that learn how to apply modern day irregular warfare to the 21st century corporate battlefield will not only beat the competition, they will minimize their losses.
When we say irregular warfare, what we're really talking about is a not so new, but newly formalized approach to dealing with challenges. It is a concept and philosophy properly considered in the strategic context that allows us to apply capabilities holistically to achieve desired effects. Its most unique characteristics are the focus on the relevant populations, support to sovereign partners and a linkage to our shared interests. It is a DoD activity not limited to SOF or dependent on a state of war.
Irregular Warfare “the concept” equips us intellectually to deal with a global environment that is characterized by broad ambiguities. These ambiguities are seen in the apolar nature of a world with multiple competitors; both state and non-state. Challenge causations that include crime, extremism and accelerating migration patterns and finally the interdependencies and interconnectivity of economies, communications and media systems and social networks. This is, without question, a highly complex challenge set and we must be a more capable and sophisticated actor ourselves if we expect to protect our national interests.
Operational Risk Management (ORM) discipline is an essential element that begins with the tone at the top and one enlightened CEO.