Thursday, February 21, 2019

OPS Risk: Military Lesson for Wall Street...

 "There is no avoiding the realities of the information age.  Its effects manifest differently in different sectors, but the drivers of speed and interdependence will impact us all.  Organizations that continue to use 20th-century tools in today's complex environment do so at their own peril."  Stanley A. McChrystal
Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules - not just for governments but for private companies.
Read more at: https://www.brainyquote.com/quotes/bill_gates_626047?src=t_privacy
Almost ten years ago, Air Force Brig. Gen. Mark W. Graper, the 354th Fighter Wing commander at Eielson Air Force Base, Alaska, quoted the essence of Operational Risk Management.

Corporate Executives and mid-level management should have this made into a poster for their office and hanging in every hallway:
"Summer is just around the corner, and many of us are planning for our favorite warm weather activities - fishing, hunting, hiking, motorcycling, camping and more. All of our summer plans can be fun if we keep in mind the basics of operational risk management: Accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; make risk decisions at the right level; assess and mitigate risk. Stated more simply, have a (prudent) plan, have a backup plan and have a Wingman."
Whether you are focused on the safety and security of your personnel, the integrity and confidentiality of your information or the continuity of your business operations, consider this.

Effective "Operational Risk Management" will improve your organization's resilience factor.

The brilliance of Brig. Gen. Graper's emphasis on this subject away from the flight line or "The Office" is his understanding that most of us will become more complacent the minute we hit the parking lot.

You see, OPS Risk is not just something being advocated in the Wall Street workplace. It should be just as pervasive at home or in our own leisure activities. Whether you are climbing "Denali" or entertaining friends around the backyard pool, you have to be continuously in OPS Risk mode, or it could bring harm to life, limb or your own reputation.

Operational Risk includes the risk of litigation, and there is one item you can be certain is a threat to your corporate integrity: employees, partners and suppliers to your organization.

What most organizations the size and complexity of Facebook underestimate is the speed of change and the socially "connected" market economy. The blur of business, combined with the "Holistic Blindness" to which privacy risks are a threat today or this week, can bring an enterprise to its knees and then to its ultimate demise.

"Facebook Inc. (FB) and the Federal Trade Commission currently are negotiating details of a settlement related to the Cambridge Analytica scandal, the Washington Post reported, citing people familiar with the matter.

The penalty imposed by the FTC likely would be a multi-billion dollar fine, which would easily be the largest fine ever issued to a tech company by the FTC. In 2012, Alphabet Inc.'s (GOOGL) Google was fined $22.5 million by the agency for user privacy offenses.

The two sides are still negotiating the amount of the fine. If no agreement is reached, the FTC could take the issue to court, according to the Washington Post.

Facebook's privacy issues date back to 2012. Facebook settled a case with the FTC in August 2012, when the two parties reached an agreement that "Facebook must obtain consumers' consent before sharing their information beyond established privacy settings," according to a press release from the FTC published at the time the deal was made.

Facebook's privacy issues continued last March when news broke that Cambridge Analytica, a political research company, had harvested user data beyond what was acceptable. It later became evident that Facebook likely was aware of Cambridge's actions on the platform."

Whether it's collecting user data to sell to your supply chain or keeping your F-22 Raptor in the air to defeat hostiles, OPS Risk is the differentiator. Your survival depends on it...

Sunday, February 17, 2019

Powerbase: Information Operations in the Workplace...

How robust are your organization's "Information Operations" (IO) capabilities? The degree to which the threat to your institution escalates in a war of words is going to be in direct proportion to your ability to monitor and counter the "Powerbase" within your Information-centric community.

Operational Risk within the institution, the city or the country is a factor of the likelihood of a particular threat and the ability to deter, detect, defend and document the threat.

However, overtly censoring, blocking or suppressing your particular community from communicating freely will be difficult if not impossible. Or will it?

Nation states have for years been subjected to the technology innovation of proxy servers and other methods for obtaining blocked Internet content.

The human element of the insatiable pursuit of information will continuously provide for the innovation to obtain that information that has been withheld from the community.

Whether that community is a corporation or a country, the employees or the citizens will find a way to gain the access and obtain the information they seek.

The ability to utilize ubiquitous devices such as camera enabled wireless smart phones has changed the landscape for "Information Operations" within your company and your local community.

Operational Risk professionals are keenly aware of the requirements to monitor and detect the use of rogue communications devices in the workplace, including unauthorized broadband hot spots (simple and effective).

Yet the state of business and politics precludes these individuals from truly understanding what their real role should be in this fight for zeros and ones. The fight is not about learning who has unauthorized access; it is about understanding human behavior and the "Powerbases" within a particular community.

Even the use of more sophisticated wireless mesh networks has been pervasive for years within the context of the USIC and where U.S. defense forces need to operate in areas with little or no telecommunications infrastructure.

The question begs then, to what degree are these same kinds of capabilities being utilized within the context of industrial espionage and foreign intelligence services within the skyscrapers of downtown Washington, DC, Chicago, New York or Los Angeles?

"Having a better understanding of the powerbase of each actor, the number and types of dimensions of that power, which elements of the powerbase are inherent or inferred, and whether it is growing or shrinking through cooperation or conflict, are all essential elements of information in stability operations and prerequisites for effective influence operations." - Col. Patrick D. Allen, USA (Ret.), "Understanding Local Actor Bases of Power"

So how easy or difficult would it be to set up a relatively effective mesh network? Look to one of the leaders in the technology itself for guidance.

If the City of Houston or the country of Singapore can utilize these capabilities to create their own information networks for voice, video and data applications, then so too could any private enterprise with the right funding and the people to operate these systems.

Your organization's "Information Operations" capabilities go far beyond the IT department and their ability to sweep for rogue "Wi-Fi Hotspots" in the workplace. It could mean the difference between the safety and security of your municipality or the entire academic R&D campus.

In either case, the Powerbase of information will still have to be analyzed and understood. Without this Powerbase insight, your organizational "Operational Risks" will remain unknown and your ability to mitigate these risks unknowable.

Saturday, February 09, 2019

Givers: The Master Plan for Grit...

"Of course, natural talent also matters, but once you have a pool of candidates above the threshold of necessary potential, grit is a major factor that predicts how close they get to achieving their potential. This is why givers focus on gritty people: it’s where givers have the greatest return on their investment, the most meaningful and lasting impact." Grant Ph.D., Adam M. Give and Take (p. 106). Penguin Publishing Group. Kindle Edition.
This quote is in chapter 4, Finding the Diamond in the Rough - The Fact and Fiction of Recognizing Potential.

Having passion and perseverance in any endeavor is worthwhile.  In this chapter of Adam Grant's book, he is talking about "Givers".  You will have to read the book to better understand the research of 30,000 people behind who you are and the difference between "Givers and Takers".

Flashback to your early years as a kid in elementary school.  Now think about all of the activities and endeavors your parent(s) had you involved with, in or outside the classroom.  Were you involved in scouting or other after-school activities?  What about your local church or synagogue?  Maybe your parents were even Boy or Girl Scouts themselves?  Did they achieve "Eagle" or the "Gold Award"?

Flashback to your years in Middle and High School.  Were you involved in Sports Teams or maybe the Marching Band?  Or perhaps the more academic or creative teams like "Debate" or the "Thespian Club"?

What about in University or College?  Did your passion and perseverance for sports or other skill-building endeavors keep you gaining more of what is called "Grit", a firmness of mind or spirit, unyielding courage in the face of hardship or danger?  Were you able to graduate within 4 years and then obtain a decent job or commission to start your career?

If you accomplished all of this and are now well on your way to discovering and building a life full of rewarding experiences, you probably need to say "Thank You".  To your Mother, Father, Teacher, Boy/Girl Scout Leader, Coach, Commander or Professor.  They are the ones that got you to where you are today.

Yet if someone ever calls you a "Diamond in the Rough" you should consider that a compliment.

And you should also consider what they meant by that reference.  It means that they, as a "Giver" who focuses on gritty people, have found what they are always searching for.  They have recognized that you too are someone that stands out, that has the knowledge and the skills and that extra perseverance they are always in search of.

You may be wondering when your time will come.  When you will finally feel like you have "Made It" in life.  That you are truly happy.  Guess what, you are not there yet...

Why?

It is because you have not reached all of your potential, designed just for you.  The "Master Plan" for you is unique and you must realize that there is no visible finish line.  There are only more opportunities, tests, more challenges, significant success and substantial roadblocks.

Being a "Giver" in your life means that you seek a path that puts you in pursuit of others just like you.  You know when you have found your Tribe, your calling and you know that they will be there to help you through the tough times and to persevere.

Now it is time, for you to contribute.  Your knowledge.  Your skills.  Your passion...yet do not fear asking for help.  The "Givers" in your community are searching for you now...

Godspeed!

Saturday, February 02, 2019

Transparency: "Square One" in ORM...

Operational Risk Management (ORM) has been evolving for over a decade. There are new insights into why effective business process management coupled with Operational Risk architecture makes sense, through the lens of the Board of Directors. Transparency.

Still to this day, the questions remain:
  • What can my organization do about the risk of loss resulting from inadequate processes, people, or systems?
  • To what extent should my organization link employee compensation or job performance with operational risk management?
  • How is operational risk taken into consideration when new products or technology solutions are designed or acquired, deployed, and executed?
  • Does my organization have an inventory of its key business processes with documented controls and designated senior managers responsible?
Can these questions be answered in a book of 308 pages from 2008? It was a good start, to say the least. The authors understood that to really embed a culture of ORM into the enterprise, you have to begin at the architecture level, the business process level.

This is far in advance of the governance of information and the business rules coded into software systems, even for such mundane corporate tasks as expense report or travel request review and sign-off.

You see, some companies still think that they are doing just fine with their Safety and Security Team, Continuity of Operations and Crisis Team, Chief Information Officer (CIO), General Counsel (GC), Chief Financial Officer (CFO) and in limited cases the Travel Risk Management department all working autonomously. They think that having a few dedicated investigators to look into corporate malfeasance is all they require in a corporate population of tens of thousands.

What do we mean by autonomous? Not what you may think. There is no doubt that the leaders of these organizational departments are cooperating and coordinating functionally. They have each other on speed dial. They share high level red alert Intel with each other.

The question is, what is being done at the metadata level of the Operational Risk Enterprise Architecture (OREA)?

How are they designing Operational Risk Management systems to answer key questions at the speed of business? To continuously adapt to an organization’s changing global environment, executives must know about, keep in balance, and communicate several vital components:
  • What the organizational strategies are (Strategic Intent) and how these should be implemented (Strategy Development and Organizational Change)
  • What organizational processes are executed and why, how they are integrated, and how they contribute to the strategy of the organization (Business Process Management)
  • How human resource utilization is working and whether there is optimum use of skills and resources available across processes and functions (Human Resource Management)
  • To what extent the enterprise organizational chart is cognizant of appropriate roles and responsibilities, in order to effectively and efficiently carry out all work (Organization Management)
  • What IT applications exist and how they interface with what processes and functions they support (IT Portfolio Management)
  • How the performance of each process, each function and each individual adds up to the organization’s performance (Performance Management)
  • What projects are currently underway, how they effect and impact change, what processes and IT applications they change and how this contributes to the strategy of the organization (Project & Program Management) 
Is Operational Risk Management (ORM) about "Big Data Analytics"?

Only if your organization values better transparency, governance and regulatory compliance. Ask the Board of Directors their answer on this question to determine whether ORM is a "Big Data Analytics" issue. How big is big?

The momentum for transparency is now at the U.S. government level of commitment. It is the law. Big Data Analytics will mean nothing without increased transparency. Now we can ask the questions that we all want answers to.

The Operational Risk Management (ORM) architecture of your enterprise will now begin with transparency, as the fundamental "Square One".