November 16, 2006
Information Security and Enterprise Risk Management
Security of information is critical to all corporations and is one of the many areas of competency established within Enterprise Risk Management. The weakness of traditional risk management is its focus on historical precedent rather than a forward-looking, investigative approach. For example, the number of cases reported historically leads corporate IT to the usual suspects, such as external hackers. This leads to heavy investment in systems infrastructure and, many times, to overly burdensome security restrictions that interfere with daily business activities. Unlike traditional risk management, Enterprise Risk Management avoids this silo mentality by using a root cause approach to take a comprehensive view of risk. The root cause method looks at risks, such as information security, from all angles, including processes and relationships as well as people, systems and external sources. Enterprise Risk Management recognizes that the chain is only as strong as the weakest link: over-investment in one area without the others is not a good use of resources.
Leading corporations are quickly adopting Enterprise Risk Management for this reason. However, some corporations are slow to adopt Enterprise Risk Management best practices and to extend their programs to line management. According to a recent survey, although 70 percent of corporations say they intend to adopt Enterprise Risk Management in the next few years, many organizations have not met their Enterprise Risk Management goals. The following true story highlights the peril of not putting urgency behind rolling out an Enterprise Risk Management program to operational areas across the enterprise.
ChoicePoint is the largest data broker assembling personal information records on all of us. ChoicePoint, like so many corporations, makes assurances about data security. It probably truly believes that it is aware of all the risks facing it, as it claims, and that its organization is effectively addressing those risks as needed. Certainty of conviction should not be mistaken for investigative knowledge, especially if that investigation relies on a flawed process. According to a recent New York Times article, “Keeping Your Enemies Close,” for years ChoicePoint’s top management had assured the world that it carefully protected its databases from intruders: “Our systems are bulletproof. Intruder-proof. Believe us.”
However, in February 2005, according to the New York Times, ChoicePoint had to acknowledge that it had focused so intently on preventing hackers from gaining access to its computers through digital back doors that it had simply overlooked real-world con artists entering unnoticed through the front door. This year, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency’s history, for security and record-handling procedures that violated the rights of consumers. ChoicePoint’s operational process for approving business partners was the vulnerability: fraudsters officially became business partners by exploiting ChoicePoint’s business process and practices. That kind of vulnerability is best uncovered by risk assessments conducted by the operations team itself, which is typical of an Enterprise Risk Management approach. The more rigorous the Enterprise Risk Management framework used to conduct this assessment, the more effective and valuable the results will be. Process-driven software with embedded frameworks can help create a repeatable and sustainable process.
Lessons learned from this story:
1) Roll out your Enterprise Risk Management charter to your line managers.
2) Use root cause analysis as part of self-assessments to understand the source of risk.
3) Use best-practice risk indicators that are forward-looking in nature to uncover risks.
4) Develop clear measures of the penetration of your Enterprise Risk Management program.
5) Measure the progress of your Enterprise Risk Management program roll-out and don’t allow the timetable to slip.
Review lesson number one or your successor may be doing that for you.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification | Permalink | Comments (2) | TrackBacks (0)
October 26, 2006
Amaranth Advisors revealed; The Emperor has no clothes
Amaranth Advisors lost roughly $5 billion in a week, and this from a hedge fund that boasted of world-class risk-management systems. The result is a loss of 50% of the company’s asset base, best summarized by this USA Today headline: “Faced with billions lost, Amaranth Advisors will shut down.”
Amaranth Advisors was described as increasingly brash in its investments because of its confidence in its quantitative approach to risk management. According to this article in Business News, “The risk models employed by hedge funds use historic data, but the natural-gas markets have been more volatile this year than any year since 2001, making models less useful. They also might not predict how much selling of one’s stakes to get out of a position can cause prices to fall.” The Amaranth Advisors risk culture also had its roots in convertible-bond trading, a less volatile market.
Enterprise Risk Management (ERM) best practices add a forward-looking, scenario-based approach for a more balanced and comprehensive view of risk. ERM is a process comprising a series of iterative and sequential steps that enable continuous improvement in decision-making and performance with regard to the reduction of uncertainty within an organization. ERM helps a management team examine the markets in which it operates and formalize the acceptable risk tolerance for each segment. This process-driven approach helps a company set more appropriate controls to bring the business into alignment with the established risk appetite. It addresses the root cause of potential future problems rather than monitoring transactions for historic symptoms.
The Amaranth Advisors outcome is a classic case demonstrating the pitfall of an overly quantitative approach to risk management. A company that relies too heavily on the traditional quantitative approach, namely automated triggers based on data analysis to control risk, is much like the Emperor in the fabled children’s story, who believed too heavily in just one source for his information.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification
October 17, 2006
The Power of Expert Opinion: A Lesson in Risk Management
The book “Blink” by Malcolm Gladwell is a must-read for risk managers. Chapter one opens with a description of the approach the J. Paul Getty Museum used to perform due diligence on a famous statue’s authenticity before acquiring it for its collection. This is a classic low-frequency, high-impact event, with a price tag of $10 million for the statue. The museum hired a team of consultants and lawyers who did deep analysis. For example, a geologist determined that the marble used for the statue was consistent with the statue’s claimed origin, and a legal team built a paper trail that validated the chain of ownership. After 14 months of investigation, the Getty Museum staff, with the help of professional consultants, concluded the statue was authentic, and the museum made the purchase.
However, when the statue was shown to art experts, their conclusion was immediate: it was a fraud. Although the statue had all the obvious telltale signs of being genuine, these art historians’ instinct told them it was a fake.
As a result, the investigations were revisited, and holes began to appear in what had previously been judged a rock-solid conclusion. Eventually, the statue was revealed to be a forgery dating to Rome in the early 1980s. How could 14 months of rigorous due diligence by highly trained and well-paid professional consultants be wrong? So wrong, in fact, that art historians relying on their instincts could come to the correct determination in a matter of moments?
Gladwell argues in his book that a powerful process in all of us works subconsciously to sort through huge amounts of information gathered over a lifetime, make associations between data, and extract key indicators to arrive at rapid, highly accurate conclusions.
This is also the process of Enterprise Risk Management (ERM). A few ERM best practices are illustrated by this story:
- Let your line management lead the risk management process for their areas.
- Capture this expert opinion with a framework of risk indicators and a root cause discipline to ensure the quality of what is captured.
- Document their self-assessments of their operating processes to identify “What could go wrong?”, based on the powerful expertise gathered from intimate knowledge of the subject matter.
- Evaluate the expert opinion to determine whether action needs to be taken.
- Formalize the mitigation process to follow up on these instincts and craft a plan of action that takes into account historical data and traditional analysis.
- Monitor the plan of action to make sure it actually achieves the goal rather than just the appearance of it.
Posted by stevenminsky in Enterprise Risk Management • Risk Assessment
October 05, 2006
BP Oil Pipeline Leak: A Cry for Enterprise Risk Management
Whenever there is a disaster or event that causes losses, it usually turns out that one or several employees in middle management or on the front lines had been forecasting the event for years, but no action had been taken. The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline of this week’s CNN news story, “BP was warned,” reads: “Interviews with employees and a 2002 letter predicting ‘catastrophe’ show that BP’s problems should have come as no surprise to management.”
According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. ‘The mantra was, Can we cut costs 10 percent?’ he recalls.”
How can such bad decisions be made by such smart people? The answer is found in over-reliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in deep quantitative analysis of the numbers in databases to detect patterns. This is true for high-frequency risks. However, for low-frequency, high-impact risks (like the BP oil leak), quantitative analysis will often lead to incorrect decisions, or to more analysis with no decision at all. First, there is insufficient historical data to analyze, and many possible outcomes can easily and incorrectly be “fit to the data.” Second, with too little data, the patterns of correlation and dependency, and therefore the big-picture ramifications, cannot be easily understood.
The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that uses risk self-assessment (the process of identifying and evaluating risks with regard to their potential impact and likelihood, as well as related controls) followed by the risk management process of control evaluation, action plan definition, monitoring of risk, and implementation development. Enterprise Risk Management starts with a holistic, qualitative approach to first identify all the possible root causes of an issue and then systematically helps quantify the total risk consequence, taking all the possibilities into consideration with scenario analysis and, if needed, quantitative analysis.
Quantitative analysis is expensive and narrow in applicability. Enterprise Risk Management is all about the best practice of performing a self-assessment and scenario analysis before deciding where, when and how to invest in deeper quantitative analysis, such as loss database approaches. With ERM, management can weigh the full costs against the benefits to make a better decision. You can download a whitepaper on Risk Event Classification.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification • Risk Mitigation
September 21, 2006
Risk Management: Problems with spreadsheets?
One of the key challenges within the risk, performance, compliance and business continuity areas of the corporation is the management of data in spreadsheets and other office files, often referred to as unstructured data. Spreadsheet control issues in accounting processes have also surfaced in response to Sarbanes-Oxley. Not only do spreadsheets lack authentication, an audit trail and integrity controls, but they also lack the accessibility needed to roll information up into an enterprise-wide picture. This is a critical barrier to systematically identifying dependencies and tracking change. Information within spreadsheets is largely inaccessible to infrastructure tools such as business intelligence, content management and business process management, and the cost of maintaining this data is unreasonable. The presence of spreadsheets is a symptom of manual processes, which are also typically both expensive and error-prone.
One of the core value propositions of an Enterprise Risk Management (ERM) solution is to effectively solve this problem of collecting and managing unstructured risk and performance data. A robust ERM solution should provide a schema or organizational hierarchy for risk data so that ERM can bring together unstructured and structured data across the enterprise with the goal of improving decision making. This framework for organizing data provides the foundation for increased quality and efficiency in assessments, as well as a process for aggregating and analyzing the information for dependencies. You can download a business architecture that illustrates how problems with spreadsheets are solved within an ERM solution.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Software
September 14, 2006
Risk Management: What is the role of BPM and Content Management technology?
In every emerging market, the question of build versus buy arises. Enterprise Risk Management (ERM) is no different. Why a purpose-built application in this space? What is the role of enterprise content, workflow and process management technologies? What is the value proposition of a purpose-built application in the ERM software space? Should content and process technologies be built into a vendor application, or should the vendor application leverage the existing Enterprise Content Management (ECM) and Business Process Management (BPM) technologies in the enterprise?
The core value of an ERM platform is measured by how well it delivers best-practice content, such as key risk indicator libraries, and the business process practices outlined in the Australian Risk Management Standard and the COSO ERM framework. Enterprise content, workflow and process management technologies are infrastructure technologies that belong to the realm of corporate technology architecture, not to a purpose-built ERM platform. Best-of-class purpose-built ERM software will leverage industry standards in these areas to ensure its solution is as compatible and configurable as possible across the various infrastructure tools that mainstream vendors offer. The job of the corporate IT organization is to design and manage the architecture, IT processes, security and standards of the corporation. As such, the enterprise, not the ERM application vendor, should select the infrastructure tools that are appropriate for the company’s needs.
Business and Risk Management should select the ERM application. ERM vendor solutions should leverage the corporate infrastructure and technology standards. For example, ERM platforms should be role-based, with hooks so they can be managed easily by the Business Process Management technology in the enterprise. ERM software vendors should provide within their solution the option to reference data and documents within the corporation's document management/content management infrastructure. Only if the company’s own technology is absent should the ERM vendor solution provide basic content repository or workflow capabilities as options.
Posted by stevenminsky in Enterprise Risk Management • Software
August 30, 2006
Risk Poll: How do you compare?
Below are four poll questions recently asked of Chief Risk Officers at organizations across North America. Take the survey yourself below and then compare your results by downloading their poll results along with a write-up explanation.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Assessment • Risk Maturity Model • Risk Mitigation
July 18, 2006
NYSE CEO speaks out on IT risk, Part II with Opinion Poll
Based on the opinion poll in my last blog post, interest was highest for the question: “How to surface common-knowledge security issues that management doesn't know about?”
You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of New York Stock Exchange Regulation. One of the major themes he spoke about was the need for Technology Assessments to review governance, risk and compliance issues. He commented that adoption of new technology, combined with changes due to mergers and acquisitions, has left corporate systems frail and patched, 3-4 levels below the senior management level, where they are “common knowledge” to operational staff members. He mentioned, however, that these high-risk field issues are frequently not known or understood by leadership and audit committees. He further spoke of the need for best practices to be implemented to identify reporting and control gaps.
When asked about methods to approach this problem, Mr. Ketchum commented, “Precision in an imprecise area is dangerous,” and suggested looking at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high-risk subjects include processes with deficiencies that have been triaged, areas that are not well connected, and legacy systems. Issues to focus on include operations and control practices.
COBIT 4.0 is just such a set of operational and control best practices that can help in this endeavor. According to ISACA, its publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons at Forrester Research comments that “COBIT 4.0 Is A Strong Governance Platform.”
You can download a complimentary copy of the new COBIT 4.0 best practices document on my website. I also recommend reading my article on Risk Maturity Models, “The Elephant at the Enterprise Risk Management Party,” to best understand how to use the COBIT 4.0 framework.
My next blog post will address the second-most-voted issue in the opinion poll of my last blog post: “How to draw the line between acceptable and unacceptable risks?”
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Identification • Risk Maturity Model
July 11, 2006
Hot New Risk Management Trends & Opinion Poll Part I
At the SIA’s 2nd Annual Risk Management Conference for financial services firms, held on June 27th in New York City, the overall impression was that the maturity of enterprise risk management has definitely moved up one notch in the past year. Uncertainty about how to define enterprise risk management and the debate about the value of risk management have been replaced with more practical concerns about how best to implement a risk management program and how to measure its performance.
For those of you who could not attend, the following are the hot topics to think about: 1) setting of risk tolerance or thresholds, 2) convergence of assessment work within the risk, compliance, IT, finance and audit functions, 3) centralization or decentralization of the risk management function, 4) bird flu impact on business continuity, 5) the need for technology audits, and 6) accelerated adoption of Enterprise Risk Management as a business necessity by credit rating agencies.
According to Julian Fry, Global Head of Operational Risk at Merrill Lynch & Co., Inc., who was a panelist at the conference, the top 10 risk management business issues within Financial Services and Investment Management companies are:
1) Proper business practices, 2) Internal fraud, 3) Knowing your client, 4) Transaction execution, 5) Client selection exposure, 6) Business disruption, 7) Product complexity/pricing, 8) Employment practices, 9) Accounting evaluation (SOX), and 10) Back office operations.
You can find downloads for a few of the presentations from the conference at: risk conference presentations for download.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Identification
June 15, 2006
Intelligence Failures, Part II: Risk Management is the Answer
In my last blog post I referenced the article “History of Intelligence Failures,” illustrating the most spectacular military intelligence failures over the course of history. I also presented my adapted list of the 6 most important root cause reasons for business risk failures, in “Looking for Risks in all the wrong places?”
Jacob commented on my blog, "You mean to say all above mentioned business challenges can be handled by Enterprise Risk Management Software?" My blog post below provides a definitive yes. Below is an outline of how Enterprise Risk Management, together with the right software, can affect the impact and/or likelihood of these failures showing up on your watch.
First of all, let's define Enterprise Risk Management. According to the Australian Risk Standard, it is “the culture, processes and structures that are directed towards realizing potential opportunities while managing adverse effects.”
Now let's look at those 6 risk coverage vulnerabilities:
Overestimation - a determination to overemphasize information, leading to a false conclusion.
Enterprise Risk Management establishes a standard, easy-to-understand methodology to systematically identify, qualify and quantify risk. The hard part is getting started. Software facilitates the identification and assessment process and offers three criteria (Impact, Likelihood and Effectiveness of Controls) for scoring risk, in order to prioritize and balance all the aspects of risk and performance and arrive at a more objective estimate. Establishing objective criteria is the first defense against overemphasizing information, or becoming blinded by your own convictions or those of others.
Underestimation - business analysts or leadership completely misread a competitor's intentions, a market event, or regulators' guidance or intentions.
Key risk indicators help prompt thinking about how risk can affect your organization in different ways and from a variety of angles. Further, strategic key risk indicators are designed to help uncover disruptive threats that are difficult to address with traditional risk approaches. A quality ERM software package should come with a robust library of key risk indicators organized by industry, function and core process.
Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.
These embedded best-practice risk indicator libraries, together with the software framework, help us do a gap analysis of how our organization is looking at issues versus the lessons learned by peers in our industries. A framework should incorporate best practices from leading industry organizations and standards such as Standard & Poor's, the Australian Risk Management Standard, COBIT for IT Governance and Security, COSO for Financial Controls, and other frameworks.
Complacency - something is going to happen, though not sure what or when, and yet no action is taken.
You do not have to take action on every risk, but you do need to quantify and measure your current risk and compare it with your thresholds of acceptable risk to decide whether to monitor it, take action, or accept it as adequate. Using software to standardize the process and capture risk issues helps formalize the process and escalate issues for follow-up. Software also helps manage the workflow of assigning roles and responsibilities, as well as follow-up notifications and tracking.
Ignorance - When there is virtually no intelligence, we are at the mercy of events.
Much as with TurboTax for personal taxation, we don't have to be experts on everything. The software can prompt us for the relevant information and walk us through the process to successful compliance and even tax savings. Enterprise Risk Management software embeds best-practice risk methodology, which is all about embedding risk management in the existing culture of an organization. That means everything from the planning and analysis process, capital allocation, performance evaluation and strategic planning to internal audit, IT business continuity and security assessments.
Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.
Ad hoc risk management done with home-grown tools lends itself to having information buried in spreadsheets and Word documents throughout the corporation. Many times there is a dependency between a risk in one business area and a risk in another, or a compound risk of two separate but identical risks in separate areas occurring at the same time, which can be worse than either risk individually. Aggregating this information into interactive dashboards and flexible reporting that can filter and present risk segmented by risk or by risk dependency is invaluable for seeing the big picture.
Now that we have walked through the concepts, you may be interested to read a real-life company's story in InformationWeek's article last month, “Software makes risk management easier to swallow.”
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Identification
June 06, 2006
Big Blue and Bird Flu?
IBM announced today its newest risk management service offering, Contingency Planning Assessment, in its press release “IBM TO HELP COMPANIES DETERMINE PANDEMIC PREPAREDNESS.” I had the opportunity to speak with Rich Cocchiara, IBM Distinguished Engineer & CTO for Business Resilience at IBM, prior to the announcement. Rich made the point that business continuity, disaster recovery and crisis management are constantly evolving and that new threats need new strategies. Rich outlined a few of the differences to consider in planning for a bird flu pandemic versus a traditional business continuity and disaster recovery issue.
1) People vs. Infrastructure Resources - bird flu scenarios can affect up to 40% of employees, whereas traditional business continuity has been all about the physical infrastructure of buildings, transportation, data and communications.
2) Global vs. Local Geographies - a pandemic is forecast to affect multiple cities, regions and entire countries simultaneously, whereas traditional business continuity planning has been focused on reacting to single, localized events.
3) Long-term vs. Temporary Impacts - avian flu may come in several waves lasting several years and may change the way business is conducted in the long term, whereas traditional business continuity has been thought of as lasting a few days to a few weeks.
Rich posed the question on corporate preparedness: “Does your organization know how operations will be impacted by a health pandemic? What business areas will need to be shut down, or which functions, locations or processes abandoned?” Rich also pointed out that all organizations are impacted, including small and medium-sized businesses, not just the largest enterprises and government agencies.
Rich also commented on the importance of risk management software tools to support an Enterprise Risk Management program for identifying and assessing scenarios, evaluating options, and planning and tracking results. Further, keeping corporate objectives and a performance management view in mind can also help address current business operations issues and make your business better today. For example, enabling business processes for greater effectiveness in telecommuting, or shifting operational capabilities for work between offices and regions, can help a business reduce costs and increase productivity today even if a bird flu pandemic does not materialize.
This announcement by IBM validates the critical need to put an enterprise framework in place, with both a methodology and a process, to constantly reevaluate thinking and planning on how risk can impact your business and what actions need to be taken.
What is keeping you up at night and what are you doing about it?
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Mitigation • Software
June 01, 2006
Looking for Risks in all the wrong places?
Risk management is all about unidentified risks that can pose a major threat to your organization or result in significant opportunities being missed. Frequently, just after a failure, loss, blunder or catastrophe, we discover in hindsight that the facts had been staring us in the face all along, but they were either ignored or overlooked. Why is that?
A great article, “Long history of intelligence failures,” responds to this question based on military intelligence blunders from the wooden horse at Troy to the Yom Kippur War, Pearl Harbor, 9/11 and the Iraq War. I have adapted the article's categorization of these risk failures in a way that I think we can all easily apply to our own business challenges:
1) Overestimation - a determination to overemphasize information, leading to a false conclusion.
2) Underestimation - business analysts or leadership completely misread a competitor's intentions or a market event.
3) Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.
4) Complacency - something is going to happen, though not sure what or when, and yet no action is taken.
5) Ignorance - When there is virtually no intelligence, we are at the mercy of events.
6) Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.
Enterprise Risk Management is a proven framework for systematically addressing these six categories of weakness. My next blog entry outlines the parallels in the enterprise business world and articulates how Enterprise Risk Management can be used effectively to protect us from these risk process pitfalls.
Posted by stevenminsky in Enterprise Risk Management • Risk Assessment • Risk Identification
May 25, 2006
Risk Software - Lipstick on a Pig?
The article by Evan Busman, “Handling Twin Takes of ERM,” is a great overview of evaluating technology for Enterprise Risk Management, especially in highlighting the pitfalls of compliance software that does not address the more strategic business risk and performance management objectives of the firm. Risk management has traditionally been associated with risk elimination, insurance and compliance. Most software vendors have predictably bolted some risk features onto their existing compliance packages because it is easier for them to sell. You can put lipstick on a pig, but it's still very much a pig.
The true Enterprise Risk Management approach is best described by Dan Borge in his book The Book of Risk: “Risk Management means taking deliberate action to shift the odds in your favor - increasing the odds of good outcomes and reducing the odds of bad outcomes.” Enterprise Risk Management is about building business value in support of better decision making, rather than only providing oversight of major compliance issues or satisfying the requirements imposed by external auditors. New software, built from the ground up to meet the very different needs of true Enterprise Risk Management, is required.
Enterprise Risk Management software must manage the complexity of an ERM program. Based on my research, I have identified the following key characteristics:
1) Root Cause: A framework that gets to the cause of issues makes follow-up straightforward and logical.
2) Motivation: Performance management functionality that makes it easy to help line managers achieve process improvements, reducing costs, bottlenecks and unnecessary risk, which in turn leads them to embrace risk management.
3) Process Driven: Selecting the most relevant 30 to 50 key risk indicators for each core business process from thousands of possibilities.
4) Cross Functional Risk: Features to deliver a portfolio view with interactive dashboards to drill down or cut across silos to identify dependencies between risks.
5) Operational Controls: Go beyond financial controls to also quantify the effect of controls on business goal achievement while maintaining accountability throughout the process.
6) Risk Tolerance: Embedding risk management processes within the existing corporate culture from enterprise-wide board room strategy to tactical planning and analysis.
7) Maturity Model: Enable the risk management department itself to accelerate adoption of best practices, to set program objectives and measures and to manage ERM program activities.
With these criteria you can evaluate new software coming to market from true ERM vendors and use risk tolerance to achieve the strategy and performance targets for your organization. There is more on the evaluation criteria for selecting Enterprise Risk Management technology in my ebizQ column, “The Dos and Don’ts of Enterprise Risk Management.”
Posted by stevenminsky in Compliance • Enterprise Risk Management • Software