Sunday, June 24, 2018

SOC: Statement of Truth...

Global transnational organizations that provide 24x7 Business Resilience Intelligence and executive security protective details are on the rise. Corporate personnel who must travel to high-risk regions of the globe realize the requirement for a minimal, yet comprehensive security envelope.

Back at the Business Resilience or "Security Operations Center" (SOC), you will find a team of subject matter experts working in concert to continuously enhance the Operational Risk Management matrix. One set of analysts is tasked with the media review and real-time intelligence collection from Open Sources. One example could be CNN or even more regional sources such as Alhurra:
Alhurra (Arabic for “The Free One”) is a commercial-free Arabic language satellite television network for the Middle East devoted primarily to news and information. In addition to reporting on regional and international events, the channel broadcasts discussion programs, current affairs magazines and features on a variety of subjects including health and personal fitness, entertainment, sports, fashion, and science and technology. The channel is dedicated to presenting accurate, balanced and comprehensive news. Alhurra endeavors to broaden its viewers' perspectives, enabling them to make more informed decisions.
Another set of analysts is sifting through online intelligence portals such as Opensource.gov or Data.gov. However, when you have a specific executive who is traveling to a specific country, more detailed plans and substantial advance work take place.

These facets of corporate enterprise risk and operational risk management (ORM) are vital to protect human assets and the ongoing continuity of business operations. Situational awareness enhancement is a 24/7 x 365 day process.

Whether your business takes you to Pakistan, Paris, Toronto or London, the risk of bombing or criminal elements is a real potential threat:
LONDON — An 18-year-old Iraqi asylum seeker was sentenced on Friday to life in prison in Britain after he was convicted of attempted murder in the botched bombing last September of a rush-hour train on the London Underground, which injured 30 people.

Ahmed Hassan was convicted last week after he left the bomb that partially exploded one stop after he had disembarked. The explosion triggered a stampede that injured tens of passengers.
Executive Protection details have been utilizing the compendium of wisdom and research that is found in Gavin De Becker's publication, "Just 2 Seconds", and for good reason:
"Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.
From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers."
Operational Risk is far more pervasive than just the detection of fraud, mitigating the loss events from internal information theft or the "All Threats, All Hazards" approach to the "Continuity of Business Operations." It's been said here before, and this statement of truth is worth repeating:

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result to obtain their objective."

Whether you utilize this statement within the context of your digital domains, physical domains or the vast set of processes within the enterprise, it does not matter.

What does matter is that those individuals responsible for the survivability and the defensible standard of care of the organization "Never Forget"...

Saturday, June 09, 2018

Crisis Readiness: Future of Risk Response...

One of the key components of effective Operational Risk Management (ORM) is a robust Crisis and Incident Readiness Response Team. This team shall have practiced and exercised multiple scenarios over the course of their training together. Why?

The ability to adapt on the fly, regardless of the kind or type of incident, is the core of what OPS Risk professionals are able to do, time and time again. The more unknowns that are encountered in any space of time, the more this requires the ability to Observe, Orient, Decide and Act.

Yet this is not so much about the use of the OODA Loop or any other process in effectively adapting to your new and rapidly changing environment. It is about having the right sensors and early warning capabilities in place to detect and to deter the potential for new threats and new vulnerabilities that may disrupt your mission.

Why do you read about Global 500 organizations that have seen their stock price erode in a day, week or month due to the ineffective response to a crisis incident? In many cases, it is a simple fact. The Crisis and Incident Response Team was caught in a scenario that they had never imagined.

An unfolding situation that they had never thought of and simply didn't plan for because its likelihood was just too low. This author has talked about this before, and it deserves repeating that exercising for the low likelihood and high impact events is where you need to spend most of your time.

The 1-in-100 year events are no longer the case. They are 1-in-50 or less. Just ask your property and casualty insurance carrier about how their actuarial Quants are thinking about this very topic. Whether it is global climate change or unregulated nuclear power industries in emerging nations, the low likelihood and high impact events are becoming more of a risk.

So what is the answer? To begin, you must first start the culture change and mindset shift to the future and to your own Strategic Foresight Initiative. Looking into the future is not exactly the exercise. Pick a point in time, five years, ten or twenty-five years into the future. Select a scenario that will impact your organization and that you can't even fathom actually coming true. Then start your own "Backwards from Perfect" strategic foresight initiative.

What this process will do is put all the focus on what you still need to accomplish between now and then, so that your people, systems and organization will be able to withstand the scenario incident. Welcome to Global Enterprise Business Resilience.

Across every sector of society, decision-makers are struggling with the complexity and velocity of change in an increasingly interdependent world. The context for decision-making has evolved, and in many cases has been altered in revolutionary ways. In the decade ahead, our lives will be more intensely shaped by transformative forces, including economic, environmental, geopolitical, societal and technological seismic shifts.

The signals are already apparent with the re-balancing of the global economy, the presence of over seven billion people and the societal and environmental challenges linked to both. The resulting complexity threatens to overwhelm countries, companies, cultures and communities.

FLASHBACK TO THE: Global Risks 2012 Seventh Edition

What if you happen to be a Non-Governmental Organization (NGO)? What are some of the risks that may impact you from a "Geopolitical" perspective that today have a high likelihood?
  • Global Governance Failure
  • Terrorism
  • Failure of Diplomatic Conflict Resolution
  • Pervasive Entrenched Corruption
  • Critical Fragile States
  • Entrenched Organized Crime
  • Widespread Illicit Trade
Crisis impact will be specific to your particular stakeholder group. It will be higher or lower depending on whether you are a:
  • NGO
  • Business
  • Government
  • International Organization
  • Academia
There are, however, three main cross-cutting observations by all of these stakeholders from the Global Risks 2012 report and even to present day:
  • Decision-makers need to improve understanding of incentives that will improve collaboration in response to global risks
  • Trust, or lack of trust, is perceived to be a crucial factor in how risks may manifest themselves. In particular, this refers to confidence, or lack thereof, in leaders, in the systems which ensure public safety and in the tools of communication that are revolutionizing how we share and digest information 
  • Communication and information sharing on risks must be improved by introducing greater transparency about uncertainty and conveying it to the public in a meaningful way.
The way that the global citizen decides to digest information in five or twenty years will be different than it is today. The world has already started to see this with the proliferation of mobile smartphone technologies, GPS, cameras, and other Twitter-like knowledge system networks such as FrontlineSMS and Ushahidi.

Do you really believe that CNN and Al Jazeera will be the source of truth in the next two decades? Social Media is here to stay, and the only reason that formal news organizations will exist is to try to validate and verify.

Operational Risk Management (ORM) and Crisis Readiness shall continue to be one of the most dynamic and challenging places for global enterprises for years to come...

Sunday, June 03, 2018

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. What does your organization plan for within the Operational Risk Management (ORM) discipline? The low consequence, high frequency incident or the high consequence, low frequency incident?

The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPIs) can give you some forward-looking view into the risk portfolio, yet what about the resilience to the "Black Swan"?

A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.

The astonishing success of Google was a black swan; so was 9/11. For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.
"Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”"
Your organization is no doubt spending time on the Operational Risk Management (ORM) events that consistently are in the high frequency "In Your Face" category. In a highly regulated industry sector such as finance, health care or energy, the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy.

Yet it is the "Outlier" incident that comes at the most unexpected time that is the real threat, and the incident catalyst that could be your "Black Swan". You never know when it is going to come, so you must plan, prepare and imagine that someday, it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and outside-the-box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long.

Just ask those people who had been working 24/7 on any major incident. It could have been the "Fukushima" or "Lehman Brothers" crisis. Or more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over who knew what, when.

Remember Target Corporation:

Is Target to Blame for Its Data Breach? Let the Lawsuits Begin

By Joshua Brustein December 26, 2013

The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data.

Another lesson learned from Supply Chain Risk. Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it. Perhaps through your most trusted supply chain vendors and partners.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector, because it's part of the critical infrastructure of the global grid, then you already know you are in the middle of the target zone.

What is still amazing to many in the after-action reporting is how much we continue to underestimate the magnitude of a lack of planning and resources devoted to these low frequency, high consequence events.