Saturday, August 27, 2016

Human Capital Risk: Know Your Company...

Operational Risk Management (ORM) is about continuous innovation.  It requires a steadfast momentum towards a future spectrum of dynamic resilience.  The shift in thinking is that your ability to survive the impact of any adverse incident to your people, process, systems or other external factor is commensurate with your current-state of resiliency.

You must establish and cultivate the creative and innovating environment in your organization at the core.  Then wrapped around this ecosystem of core human potential, the culture evolves into a ripe entity of new possibility.  New hope.  Simultaneously the visions of what contributes to a healthy environment and the attributes of what creates a deterioration, starts to become more clear to you.

You see, when most people think about risk management they are immediately drawn to threats and vulnerabilities external to the organization.  Protect against known external threats and remediate known vulnerabilities.

How much time is devoted to understanding the maturity and the resilience of your core internal ecosystem of human capital.  From the inside out.  The same human capital that will either achieve survival after any known or unknown incident, could also contribute to it's inevitable demise.

So what are we talking about it?  How well do you know your company?  Jason Fried, CEO of 37signals.com explains:
  • As CEO, maintaining a healthy culture isn’t someone else’s job — it’s my job. I had to take responsibility for knowing my people and knowing my company. That buck starts and stops with me.
  • Answers only come when you ask questions, so the tool had to be built around questions. People generally don’t volunteer information re: morale, mood, motivation unless they’re directly asked about it.
  • The entire system had to be optional. No one at the company should be forced to use it. Forcing people to give you feedback is ineffective and builds resentment.
  • This couldn't be a burden on my employees. Employees would never have to sign up for something or log into anything.
  • Information had to come in frequently and regularly. Huge information dumps once or twice a year are paralyzing and lead to inaction.
  • I had to follow-through. If someone (or a group of people) suggested an important change, and it made sense, I had to do everything I could to make it happen. I wasn't creating this system to gather information and do nothing about it.
  • It had to be automated, super easy (for me and my employees), non-irritating, and regular like clockwork. This had to eventually become habit for everyone involved. If it ever felt like something that was in the way or annoying, it wouldn’t work. It had to be something people looked forward to every week.
  • Feedback had to be attached to real people - it couldn’t be anonymous. You need to know your people individually, not ambiguously. If someone has a problem, you need to know who it is so you can talk to them about it. This requires trust on everyone’s part.
  • Success depended on a combination of automated, and face-to-face, back-and-forth with my team. The unique combination of automated and face-to-face communication play off each other in really positive ways.
Quantity vs. Quality.  If you have read any of Jason's books such as "Rework" you know what we are talking about.  37 Signals has been in business now about 16 years and has just surpassed xx people. Congratulations Jason.

Managing Operational Risks with an organization begins with the clairvoyance and the insight gained from knowing your human capital.  Knowing your people when they come on board and knowing how they change over time.  Do you think that the person you hired two years ago is still the same person? What about ten years ago or 20?  People change for a myriad of reasons impacted by the environment on the home front and certainly their work place environment.

The resilience of your organization begins and ends with knowing your company.  In order to know your company, you need to know your people.  Your ecosystem of innovation possibility and the longevity of your organization depends on it.   As a recent example,  commentary by George Bamford:
In the summer of 1972, state-of-the-art campaign spying consisted of amateur burglars, armed with duct tape and microphones, penetrating the headquarters of the Democratic National Committee. Today, amateur burglars have been replaced by cyberspies, who penetrated the DNC armed with computers and sophisticated hacking tools.

Where the Watergate burglars came away empty-handed and in handcuffs, the modern- day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.

Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia – though there seems little evidence backing up the accusation.

Saturday, August 20, 2016

Strategic Foresight: Risk Leadership into the Future...

When you really start to think long and deep on the discipline of the agile startup community,  you keep coming back to a single word.  Improvise.  The more you analyze what it takes to get an idea from "Zero to One" to a Minimum Viable Product (MVP), the more you need Operational Risk Management (ORM).  At the same time, this thought might question the notion of previous planning or preparedness:
im·pro·vise [im-pruh-vahyz] Show IPA verb, im·pro·vised, im·pro·vis·ing.
verb (used with object) 
1.  to compose and perform or deliver without previous preparation; extemporize: to improvise an acceptance speech.
2.  to compose, play, recite, or sing (verse, music, etc.) on the spur of the moment.
3.  to make, provide, or arrange from whatever materials are readily available.
Yet what the true startup and ORM professional understands is the origin of the word:
Origin:

1820–30; French improviser, or its source, Italian improvisare (later improvvisare ), verbal derivative of improviso improvised; Latini mprōvīsus, equivalent to im- im-2 + prōvīsus past participle of prōvidēre to see before hand, prepare, provide for (a future circumstance). See proviso
And so this brings us to the importance today of utilizing the power of "Strategic Foresight."
Strategic foresight is a fairly recent attempt to differentiate "futurology" from "futures studies". It arises from the premise that:
  • The future is not predictable;
  • The future is not predetermined; and
Future outcomes can be influenced by our choices in the present. [1]  Strategic foresight may be used as part of the corporate foresight in large companies.[2] It is also used within various levels of Government and Not for Profit organizations. Many concepts and tools are also suited to 'personal futures' thinking.
The "Asymmetric Attributes" of enterprise risk and "Big Picture Security" today is making predictability a major task going forward.  So what do improvising and strategic foresight have to do with startups and Operational Risk Management?  Everything.  Let's go back in the "Time Machine" for a minute:
The 2010 eruption of Eyjafjallajökull were volcanic events at Eyjafjallajökull in Iceland which, although relatively small for volcanic eruptions, caused enormous disruption to air travel across western and northern Europe over an initial period of six days in April 2010. Additional localised disruption continued into May 2010. The eruption was declared officially over in October 2010, when snow on the glacier did not melt. From 14–20 April, ash covered large areas of northern Europe when the volcano erupted. About 20 countries closed their airspace (a condition known as ATC Zero) and it affected more than 100,000 travellers.
"As the crisis ran its course it went on to paralyze or seriously limit air traffic in 23 countries around the EU and its periphery bringing 300 airports to a standstill and cancelling 100,000 flights, representing three-quarters of all European traffic. Ten million individuals were affected and had to cancel their trips or find alternative travel arrangements at serious economic cost for the passengers, carriers, and insurers involved."
So what?  So the future state of a High Risk X Low Frequency event is unlikely to get the attention it requires.  The 1-in-100 year probability of an event occurrence, has been so integrated with insurance industry underwriting group think, it often falls on deaf ears.  Resources and attention are increasingly directed towards potential crisis events, that are considered High Risk X High Frequency.

Could the EU have imagined the impact of volcanic ash from an erupting volcano in Iceland?  Most certainly.  Did the EU have the strategic foresight to know what to do when and if this happened?  The point is that sometimes improvising and the success of improvisation is a result of having devoted resources and time towards the planning and behavioral prediction of future outcomes.  Influenced by our choices in the present.  The impact to the organization, enterprise, nation state or individual is going to be a factor of how much is devoted to strategic foresight initiatives.

It is also imperative that we discern the risk of natural incidents caused by mother nature, to human threat actors. We must continue to evaluate the characteristics of other threat vectors related to our daily Operational Risk spectrum.  Using only the imagination of low-tech, less sophisticated and tried-and-true methods, our human adversary has a "Modus Operandi" with a continued low-risk of failure.  That low tech lower risk of failure, is still one of our greatest vulnerabilities:
The Joint Improvised Explosive Device Defeat Organization (JIEDDO, pronounced like "ji-dough") is a jointly operated organization of the U.S. Department of Defense established to reduce or eliminate the effects of all forms of improvised explosive devices used against U.S. and coalition forces.[4]
  • Formed February 14, 2006
  • Headquarters The Pentagon
  • Employees 435 government civilians and military personnel; ~1,900 contract personnel
  • Annual budget $1.6 billion for fiscal year 2013 [1]
JIEDDO is making a difference and the metrics prove that our Operational Risk Management professionals here, need to continue the course.  Not just for what has happened overseas on foreign soil, but for the surging wave on our own U.S. Homeland:  Boston, MA is one recent and relevant example.

Be Vigilant America!  Use Strategic Foresight to imagine such interdependent, unpredictable scenarios.  These growing interdependencies, are becoming ever more so prevalent:

• Rapid global economic growth
• Industrial development of non-OECD nations
• Interlinked global supply chains
• Increased worldwide awareness
• Increased media reach and individual power

These five interdependencies will be the catalyst of our future High Risk X Low Frequency incidents.
The future success ratio of agile startups and the ability for new innovation to pivot effectively, will be determined by an Operational Risk Management maturity factor. 

Saturday, August 13, 2016

CityNext: Trust in a New Age Public Sector...

What if you had the opportunity to establish and design a new city in the United States?  Where would you decide to put it and how would you do it differently than it has ever been done before?

This would be a Public Sector project worth doing differently than we ever have imagined.  After all, how much have we learned by 2016 about critical infrastructure, including electrical grids, solar energy, water resources and waste management?  What about the latest inventions with 5G wireless and how broadband information systems have evolved to satisfy our insatiable appetites for data, entertainment and knowledge working professionals?

How would you design the transportation systems and how would you put the economic and governance factors of the new city into place?  The Urban Planning and CityNext initiatives today are trying to apply many new ideas and thinking to established cities, not just starting from a clean slate if you will.  There might be many discussions on what U.S. State was most suited for the city,  what the size in population and square miles that would encompass housing, commercial development and the social support systems to include health care, public safety and public works.

There are several global livability indexes that exist today and ranking cities by criteria on being the most livable.  Each may put cities such as Melbourne or Zurich,  Boulder or Santa Barbara, Rochester or Bellevue at the top.  This depends on the geographic scope and other criteria to rank cities by all of these particular index factors.

Realizing that there are also so many subjective reasons for wanting to live in an environment near the ocean or the mountains, let us just focus for a minute on all the factors that make the city operate effectively and produce positive economic and governance outcomes for its citizens.  Now how would you design this ideal ecosystem for the future?

If we could do it in such a way that you could replicate the model and the support systems then is it possible that you could put a new city in the middle of some U.S. state and have it flourish over the next 2 decades and beyond?  What factors would we focus on when it comes to how people make a living and sustain their families with a decent standard of living?

All of these considerations and questions are similar whenever you are talking about putting tens, hundreds or thousands of humans together to live, work and play together.  The anthropologists, economists, architects, scientists and doctors would all have their thoughts on what to avoid and how to do it correctly.

So what?  What does any of this have to do with Operational Risk Management (ORM)?

The truth is, that the design of the ideal city, the ideal business, the ideal product or the ideal operations plan, can't evolve and survive without Operational Risk Management:
Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. These risks are further defined as follows:

* Process risk – breakdown in established processes, failure to follow processes or inadequate process mapping within business lines.

* People risk – management failure, organizational structure or other human failures, which may be exacerbated by poor training, inadequate controls, poor staffing resources, or other factors.

* Systems risk – disruption and outright system failures in both internal and outsourced operations.

* External event risk – natural disasters, terrorism, and vandalism.

The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities.
 
It really does not matter whether it is a single household, an enterprise business or the ideal city.  How much you focus on the "TrustDecisions" that are made each moment of every day, will determine the outcomes of your vision?

Now consider this:
Every transaction creating wealth first requires an affirmative decision to trust.

Building trust creates new wealth. Sustaining trust creates recurring wealth.

Achieving trust superior to your competition achieves market dominance.

Leadership rises (or falls) based on trust (or the absence of trust).


Take a moment and think about each of these with respect to what you do in your business or in your job. How does the organization acquire wealth? Where does new wealth originate? How are customers retained? What provokes them to keep coming back and paying for your goods or services? Why does the leader in your market succeed? If you are not the market leader, why not? How is the loyalty of your team maintained?  Source:  "Achieving Digital Trust" - Jeffrey Ritter
 "Trust is achieved by making decisions that produce favorable outcomes."  These words and more from Jeffrey Ritter should give us pause, as we advance or society and we design new cities.

The truth is, the "Public Sector" needs to create more trusted environments, more trusted transportation, more trusted water supplies, more trusted communications, more trusted safety and security.  The public sector needs systems that use trusted data to fuel all of this and provides continuous Confidentiality, Integrity and Assurance for all of its citizens.

If the public sector can attain these levels of performance, the vast spectrum of knowledge workers will flourish and data driven business models of the future will thrive and they will have new levels of trust.  Trust in their choice on where to live, to work, to raise a family and:
We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

Sunday, August 07, 2016

IT Transformation: Change Agent Journey into the Unknown...

The era of cloud computing is upon us and business innovation is rapidly adopting a new Information Technology strategy.  Planning for the business to be more adaptive, requires that the IT organization become more embedded with the functional leaders who are tasked with guiding the people, process and technology of the enterprise into the future.

Operational Risk Management (ORM) is about building an effective framework for business transformation executives at the CxO level to effectively coordinate and collaborate with the IT leadership.  Together, business and IT executives shall provide the organization and its customers with a seamless and almost undetectable transformation.

True "IT Transformation" has a trajectory to an unknown destination that is constantly adapting and becoming more agile.  It is a non-linear project plan, that is evolving towards a "Future State" where people and culture must change with it.  As a result, true "IT Transformation" requires experts in managing Operational Risks that encompass far more than just new cloud infrastructure for compute, storage, database and networking.

A culture transformation from an "As is" to a "Future State" is a professional services initiative that senior leaders are co-designing.  It is recognized that the vision of the future is still unknown as the business adapts to its environment and marketplace.  If you were an organization that had made the decision to move the business into international locations, how would you do that effectively?

An "IT Transformation" initiative to a new international marketplace requires far more time and resources.  The change mindset and culture shift for the employees will be imperative in order for the IT mechanisms to perform effectively and successfully.  How will this shift in business strategy impact the coding, architecture, inventory and customer service processes in the enterprise?
Let us be clear.  Transformation is different.  It is not "Developmental Change".  It is not "Transitional Change".  It requires a mindset, culture and systems change that operates in the unknown and where peoples emotions and behaviors are exaggerated.  It can't follow a linear project plan and that is why some organizations never attempt true transformation.
So what?  The decision for true "IT Transformation" requires a journey into the unknown yes, just as any explorer. This however also requires a mindset shift to that of the explorer, to prepare for the unknown and to plan for the contingencies to survive the trip.  Whether the journey is weeks or months does not matter.  There is always an opportunity to prepare before the launch.

 Consider these ORM categories as you begin the preparation for your true "IT Transformation":
  • Governance of Accounting (International pricing/regulatory compliance)
  • Access and Security Controls (Data privacy or legal considerations)
  • Asset Management
  • Application Risk (Availability, Disaster Recovery and backup)
  • Incident Triage and Continuous Monitoring
  • Configuration Change Management
  • Release and Deployment Management
 Now consider this:

Who will you embark on the journey with?  Who are the people in your organization that are ready, in condition and have the time to devote to your exploration journey?  What is each person currently working on and what is their particular "Powerbase" in the enterprise?

Now, who is the partner outside the organization that you will utilize as your "Change Agent"?  That change agent who is currently external to your company and enterprise is a vital choice.  How will the firm or company you choose to assist you in your transformation work with you side-by-side to endure the hardships, the emotions and the outcomes of the work ahead?

As your change agent team embarks on your "IT Transformation" journey, remember that the unknown is the reason that you were chosen.  You were chosen because your experience and skill sets add overall strength and resilience to the entire team.  The resilience of the team requires that you endure the journey until the objectives for innovation have been achieved.

Achieving the future state of your journey, puts you in a place you never imagined, because you have never been there before.  Yet the experience of getting there and the knowledge gained during the preparation, the team interaction and the accomplishments along the way, have made you a better person.  A trusted team member.

An "IT Transformation" professional...